Entered password, concerned about hacking

JKapDRC wrote:

When I recently had a messageboard site open

Which one?

the Software Update dialog box opened (of its own accord) and asked that I enter my user password so that it could make changes.

That sounds very much like the Flashback Trojan. See

<http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml>

In addition to what is described there, would you also run

ls -al ~/.rserv

and check if Java (not JavaScript) is enabled in your browser?

Naturally I'm concerned that someone on the messageboard site had remotely connected to my computer and I had entered my password for him/her.

If by "messageboard" you mean a web forum like this one, then that's not possible. It is possible that you installed some kind of malware that could steal your password or any other data.

...a "shade" covered my screen and text appeared, in several languages, telling me that my computer needed to be restarted.

That's a kernel panic -- an operating system crash. If recurrent, it needs to be diagnosed.

Do you back up with Time Machine?

If you installed a trojan, which it sounds like you did, and you know exactly when it happened, then I suggest you boot from your installation disc and do a full-system restore from the last Time Machine snapshot taken before that time. After doing that, you can restore any data such as mail that has changed since then from a more recent snapshot.

And also, should I install a (free) malware/anti-virus scanner?

I doubt it would help in this situation, but if it makes you feel better, you can install ClamXav. Nothing else.

Disable Java in the browser again, if that setting was reverted.

The most important thing you need to do is to change all your Internet passwords and check your financial accounts for unauthorized transactions. You also need to educate yourself about safe computing. You were infected with a trojan because you entered your administrator password without knowing why you were doing it. Never do that again.

JKapDRC wrote:

And also, should I install a (free) malware/anti-virus scanner? If so, which one?

You've been infected by what appears to be the latest strain of the Flashback Trojan Horse, although the question is not settled yet. See this thread

<https://discussions.apple.com/thread/3844172>

which seems to have been the first mention of this strain. In addition to <~/.rserv>, you probably also have <~/Library/LaunchAgents/com.adobe.reader.plist>, which is the launch agent periodically running .rserv.

Regarding clean-up, so far, none of the A/V people seem to have picked up on it, so installing any A/V utility at this point may not do you any good. Until they are updated to deal with this strain, you cannot be sure that they will detect it or clean it properly. WRT Flashback, I would not trust any A/V utility. IMHO, the only safe solution is, as recommended by Linc Davis, to erase the hard disk and re-install from backup—if you have a backup which you are absolutely sure pre-dates the date of infection. Otherwise, I'd install the OS anew, re-install from the original installers, and restore from backup documents only; no apps and no preferences or configuration files.

Further, any password used since the infection must be considered compromised, and that could be your bank account, Gmail, or this forum. As soon as you've cleared the infection, go immediately to any account you've accessed (this forum included) and change the password.

As precautionary measure, disable Java in all your browsers, not just Safari; and consider whether or not un-installing it altogether might not be a bad idea.

There are a few additional things which you might be interested in doing before erasing everything (disconnect from the network while doing it).

Take .rserv and com.adobe.reader.plist (it has nothing to do with Adobe Reader, btw), zip 'em together, and save the archive to submit it to A/V sites, like ClamAV or VirusTotal.

Check you browser history and log messages (in Console). See how trungson did it here

<https://discussions.apple.com/thread/3844172?answerId=18010355022#18010355022>

It might give you an idea of when the infection occurred. The primary vector seems to be hacked or infected Wordpress blogs, but no-one seems to know for sure if there are others. That's why I asked what message board you were on—it would be useful to check what software it's running on and if it has been hacked.

fane_j wrote:

JKapDRC wrote:

When I recently had a messageboard site open

Which one?

@JKapDRC,

Glad you were able to repair in short order.

I didn't see an answer to this. It might help to know that from a Community standpoint.