You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Entered password, concerned about hacking

Dear all,


When I recently had a messageboard site open, the Software Update dialog box opened (of its own accord) and asked that I enter my user password so that it could make changes. As I have Software Update run automatically, I didn't think much of it, and entered my administrator password -- only to realize that Software Update was in fact not open, and when I opened it manually confirmed that it had last run 48 hours before.


Naturally I'm concerned that someone on the messageboard site had remotely connected to my computer and I had entered my password for him/her. I immediately changed my OS X password and restarted my computer, but about 10 minutes after restarting a "shade" covered my screen and text appeared, in several languages, telling me that my computer needed to be restarted.


I restarted the computer manually and sent an error report to Apple as prompted, but am still extremely worried that someone has access to my computer.


Has anyone had similar experiences? Does anyone know what might be going on (if anything's going on)? Thank you very, very much.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 1, 2012 7:24 AM

Reply
Question marked as Top-ranking reply

Posted on Apr 1, 2012 7:37 AM

JKapDRC wrote:


When I recently had a messageboard site open

Which one?

the Software Update dialog box opened (of its own accord) and asked that I enter my user password so that it could make changes.

That sounds very much like the Flashback Trojan. See


<http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml>


In addition to what is described there, would you also run


ls -al ~/.rserv


and check if Java (not JavaScript) is enabled in your browser?

19 replies
Question marked as Top-ranking reply

Apr 1, 2012 7:37 AM in response to JKapDRC

JKapDRC wrote:


When I recently had a messageboard site open

Which one?

the Software Update dialog box opened (of its own accord) and asked that I enter my user password so that it could make changes.

That sounds very much like the Flashback Trojan. See


<http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml>


In addition to what is described there, would you also run


ls -al ~/.rserv


and check if Java (not JavaScript) is enabled in your browser?

Apr 1, 2012 7:33 AM in response to JKapDRC

Naturally I'm concerned that someone on the messageboard site had remotely connected to my computer and I had entered my password for him/her.


If by "messageboard" you mean a web forum like this one, then that's not possible. It is possible that you installed some kind of malware that could steal your password or any other data.


...a "shade" covered my screen and text appeared, in several languages, telling me that my computer needed to be restarted.


That's a kernel panic -- an operating system crash. If recurrent, it needs to be diagnosed.

Apr 1, 2012 7:49 AM in response to fane_j

Hi,


Thanks much for the quick response. I ran the Terminal protocols until I got both "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" and "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" for the appropriate prompts.


When entering ls -al ~/.rserv , I got the following (with MyUserName as a placeholder for my actual user name):

-rwxrwxrwx@ 1 MyUserName staff 59848 Apr 1 09:42 /Users/MyUserName/.rserv

my-usernames-macbook-pro:~ MyUserName$


And I noted that Java was enabled in Safari, and disabled it.


What should I do next? Thanks so much.

Apr 1, 2012 8:27 AM in response to JKapDRC

If you installed a trojan, which it sounds like you did, and you know exactly when it happened, then I suggest you boot from your installation disc and do a full-system restore from the last Time Machine snapshot taken before that time. After doing that, you can restore any data such as mail that has changed since then from a more recent snapshot.

Apr 1, 2012 10:06 AM in response to JKapDRC

Disable Java in the browser again, if that setting was reverted.


The most important thing you need to do is to change all your Internet passwords and check your financial accounts for unauthorized transactions. You also need to educate yourself about safe computing. You were infected with a trojan because you entered your administrator password without knowing why you were doing it. Never do that again.

Apr 1, 2012 3:28 PM in response to JKapDRC

JKapDRC wrote:


And also, should I install a (free) malware/anti-virus scanner? If so, which one?

You've been infected by what appears to be the latest strain of the Flashback Trojan Horse, although the question is not settled yet. See this thread


<https://discussions.apple.com/thread/3844172>


which seems to have been the first mention of this strain. In addition to <~/.rserv>, you probably also have <~/Library/LaunchAgents/com.adobe.reader.plist>, which is the launch agent periodically running .rserv.


Regarding clean-up, so far, none of the A/V people seem to have picked up on it, so installing any A/V utility at this point may not do you any good. Until they are updated to deal with this strain, you cannot be sure that they will detect it or clean it properly. WRT Flashback, I would not trust any A/V utility. IMHO, the only safe solution is, as recommended by Linc Davis, to erase the hard disk and re-install from backup—if you have a backup which you are absolutely sure pre-dates the date of infection. Otherwise, I'd install the OS anew, re-install from the original installers, and restore from backup documents only; no apps and no preferences or configuration files.


Further, any password used since the infection must be considered compromised, and that could be your bank account, Gmail, or this forum. As soon as you've cleared the infection, go immediately to any account you've accessed (this forum included) and change the password.


As precautionary measure, disable Java in all your browsers, not just Safari; and consider whether or not un-installing it altogether might not be a bad idea.


There are a few additional things which you might be interested in doing before erasing everything (disconnect from the network while doing it).


Take .rserv and com.adobe.reader.plist (it has nothing to do with Adobe Reader, btw), zip 'em together, and save the archive to submit it to A/V sites, like ClamAV or VirusTotal.


Check you browser history and log messages (in Console). See how trungson did it here


<https://discussions.apple.com/thread/3844172?answerId=18010355022#18010355022>


It might give you an idea of when the infection occurred. The primary vector seems to be hacked or infected Wordpress blogs, but no-one seems to know for sure if there are others. That's why I asked what message board you were on—it would be useful to check what software it's running on and if it has been hacked.

Apr 1, 2012 3:47 PM in response to fane_j

Thanks. I reinstalled from a Time Machine back up and immediately changed all my passwords (any that I'd used since the infection as well as important ones that I hadn't) after reinstallation. Safari's the only browser on my computer, and Java is disabled in it.


I have a question, however: does following the re-installation instructions in the Utilities menu of the OS X installer DVD automatically erase the hard disk? I don't recall ever explicitly selecting "erase the hard disk" during reinstallation.


As for where I came across this lovely creation, it was on the web forums at http://canesinsight.com/forum.php .

Entered password, concerned about hacking

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.