
Entered password, concerned about hacking

Dear all,


When I recently had a messageboard site open, the Software Update dialog box opened (of its own accord) and asked that I enter my user password so that it could make changes. As I have Software Update run automatically, I didn't think much of it, and entered my administrator password -- only to realize that Software Update was in fact not open, and when I opened it manually it confirmed that it had last run 48 hours before.


Naturally I'm concerned that someone on the messageboard site had remotely connected to my computer and I had entered my password for him/her. I immediately changed my OS X password and restarted my computer, but about 10 minutes after restarting a "shade" covered my screen and text appeared, in several languages, telling me that my computer needed to be restarted.


I restarted the computer manually and sent an error report to Apple as prompted, but am still extremely worried that someone has access to my computer.


Has anyone had similar experiences? Does anyone know what might be going on (if anything's going on)? Thank you very, very much.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 1, 2012 7:24 AM

Question marked as Top-ranking reply

Posted on Apr 1, 2012 7:37 AM

JKapDRC wrote:


When I recently had a messageboard site open

Which one?

the Software Update dialog box opened (of its own accord) and asked that I enter my user password so that it could make changes.

That sounds very much like the Flashback Trojan. See


<http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml>


In addition to what is described there, would you also run


ls -al ~/.rserv


and check if Java (not JavaScript) is enabled in your browser?

19 replies

Apr 1, 2012 4:22 PM in response to MadMacs0

Okay, so upon further research (sorry, I'm a novice, bear with me) I've determined that archive-and-install is the default setting for Snow Leopard, so that, rather than erase-and-install, is likely what I did. Using the Terminal protocols I still get the "... does not exist" setting for both prompts. (See below.)


[I ran the Terminal protocols until I got both "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" and "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" for the appropriate prompts.]


Should I erase-and-install, or was the initial re-installation (which, again, I think but am not positive was an archive-and-install) sufficient? Thanks much.
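The checks MadMacs0 asks for above (the `ls -al ~/.rserv` listing and the Java setting) and the two `defaults read` keys JKapDRC reports ("... does not exist" for Safari's `LSEnvironment` and `~/.MacOSX/environment`'s `DYLD_INSERT_LIBRARIES`) can be run together from one script. The block below is an added example, not code from the thread, from Apple or from F-Secure; it assumes the F-Secure removal page's two `defaults read` commands and that Safari 5 stores its Java switch under `com.apple.Safari WebKitJavaEnabled`. The decision logic takes command output as a string so it can also be exercised with constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): run the Flashback indicator checks
# discussed in the replies and report clean/suspect for each.

# Decide from the text `defaults read DOMAIN KEY` printed (stdout+stderr).
# A missing key prints "The domain/default pair of (...) does not exist";
# any other non-empty output means the key is set, which for the two keys
# checked here is the library-injection Flashback uses.
classify_defaults_output() {
    case "$1" in
        ""|*"does not exist"*) echo clean;   return 0 ;;
        *)                     echo suspect; return 1 ;;
    esac
}

# Run `defaults read` for a domain/key pair and classify the result.
# DOMAIN may be a bundle id or a path to a plist without the .plist suffix.
check_defaults() {
    out=$(defaults read "$1" "$2" 2>&1)
    classify_defaults_output "$out"
}

# The strain MadMacs0 asks about keeps its files under ~/.rserv; anything
# there is suspect. Takes the home directory as an argument so the check
# can be pointed at a test directory.
check_rserv() {
    if [ -e "$1/.rserv" ]; then
        ls -al "$1/.rserv" >&2
        echo suspect; return 1
    fi
    echo clean; return 0
}

# Java enabled in Safari is the exposure, not an infection indicator.
# Assumption: Safari 5 stores it under com.apple.Safari WebKitJavaEnabled,
# which `defaults read` prints as 1 when on.
classify_java_setting() {
    case "$1" in
        1|true|YES) echo "enabled (turn it off under Safari > Preferences > Security)"; return 1 ;;
        *)          echo "disabled or unset"; return 0 ;;
    esac
}

# Run every check against HOME_DIR (default: the current user's home).
run_all() {
    home=${1:-$HOME}
    status=0
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; this check only runs on OS X" >&2
        return 2
    fi
    r=$(check_defaults /Applications/Safari.app/Contents/Info LSEnvironment) || status=1
    echo "Safari LSEnvironment:            $r"
    r=$(check_defaults "$home/.MacOSX/environment" DYLD_INSERT_LIBRARIES) || status=1
    echo "~/.MacOSX DYLD_INSERT_LIBRARIES: $r"
    r=$(check_rserv "$home") || status=1
    echo "~/.rserv:                        $r"
    j=$(defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null)
    echo "Safari Java:                     $(classify_java_setting "$j")"
    return $status
}

# usage: sh flashback_check.sh --check [HOME_DIR]
case "${1:-}" in
    --check) run_all "${2:-$HOME}" ;;
esac
```

A "suspect" line for either `defaults` key means the injection is still in place and the F-Secure removal steps have not been applied; a clean result for all three, as JKapDRC reports, only says this variant's known traces are absent, which is why the reply below still recommends the erase-and-install.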

Apr 1, 2012 8:04 PM in response to JKapDRC

JKapDRC wrote:


does not exist

This strain (if it is a strain of Flashback, and not a different type) does not seem to use that method.

Should I erase-and-install

It's up to you, but I would definitely go for the erase. I think that's the only way to be positive all of it is gone.


I had a quick peek at the site you mentioned; it seems to be based on vBulletin. I didn't see anything suspicious, but I'm not an expert. It's not impossible that the malware came from a site visited earlier. Check your history for any WordPress sites you may have visited the same day, before the password request.

Apr 2, 2012 3:41 AM in response to fane_j

Thanks. Would it have had to be (or be overwhelmingly likely to be) the same day? Based on my history, the last WordPress site that I visited was about 36 hours before the password request, and my computer had been turned on and off (and connected and disconnected from the internet) at least twice between visiting the WordPress site and receiving the password request.

Apr 2, 2012 4:43 AM in response to JKapDRC

JKapDRC wrote:


the last WordPress site that I visited was about 36 hours before the password request

That does seem like a lot.


Just in case, it may be a good idea to contact the webmaster or admin of the Canes Insight forum and explain the problem. They may wish to double check their forum software to make sure it hasn't been hacked.
