JKapDRC

Q: Entered password, concerned about hacking

Dear all,

 

When I recently had a messageboard site open, the Software Update dialog box opened (of its own accord) and asked that I enter my user password so that it could make changes.  As I have Software Update run automatically, I didn't think much of it, and entered my administrator password -- only to realize that Software Update was in fact not open, and when I opened it manually confirmed that it had last run 48 hours before.

 

Naturally I'm concerned that someone on the messageboard site had remotely connected to my computer and I had entered my password for him/her.  I immediately changed my OS X password and restarted my computer, but about 10 minutes after restarting a "shade" covered my screen and text appeared, in several languages, telling me that my computer needed to be restarted.

 

I restarted the computer manually and sent an error report to Apple as prompted, but am still extremely worried that someone has access to my computer.

 

Has anyone had similar experiences?  Does anyone know what might be going on (if anything's going on)?  Thank you very, very much.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 1, 2012 7:24 AM

  • by JKapDRC,

    Apr 1, 2012 3:47 PM in response to fane_j

    Thanks.  I reinstalled from a Time Machine back up and immediately changed all my passwords (any that I'd used since the infection as well as important ones that I hadn't) after reinstallation.  Safari's the only browser on my computer, and Java is disabled in it.

     

    I have a question, however: does following the re-installation instructions in the Utilities menu of the OS X installer DVD automatically erase the hard disk?  I don't recall ever explicitly selecting "erase the hard disk" during reinstallation.

     

    As for where I came across this lovely creation, it was on the web forums at http://canesinsight.com/forum.php .

  • by JKapDRC,

    Apr 1, 2012 4:22 PM in response to MadMacs0

    Okay, so upon further research (sorry, I'm a novice, bear with me) I've determined that archive-and-install is the default setting for Snow Leopard, so that, rather than erase-and-install, is likely what I did.  Using the Terminal protocols I still get the "... does not exist" setting for both prompts.  (See below.)

     

    [I ran the Terminal protocols until I got both "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" and "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" for the appropriate prompts.]

     

    Should I erase-and-install, or was the initial re-installation (which, again, I think but am not positive was an archive-and-install) sufficient?  Thanks much.

  • by fane_j,

    Apr 1, 2012 8:04 PM in response to JKapDRC

    JKapDRC wrote: "does not exist"

    This strain (if it is a strain of Flashback, and not a different type) does not seem to use that method.

    JKapDRC wrote: "Should I erase-and-install"

    It's up to you, but I would definitely go for the erase. I think that's the only way to be positive all of it is gone.

     

    I had a quick peek at the site you mentioned; it seems to be based on vBulletin. I didn't see anything suspicious, but I'm not an expert. It's not impossible that the malware came from a site visited earlier. Check your history for any WordPress sites you may have visited the same day, before the password request.

  • by JKapDRC,

    Apr 2, 2012 3:41 AM in response to fane_j

    Thanks.  Would it have to have been (or been overwhelmingly likely to be) the same day?  Based on my history, the last WordPress site that I visited was about 36 hours before the password request, and my computer had been turned on and off (and connected and disconnected from the internet) at least twice between visiting the WordPress site and receiving the password request.

  • by fane_j,

    Apr 2, 2012 4:43 AM in response to JKapDRC

    JKapDRC wrote: "the last WordPress site that I visited was about 36 hours before the password request"

    That does seem like a lot.

     

    Just in case, it may be a good idea to contact the webmaster or admin of the Canes Insight forum and explain the problem. They may wish to double check their forum software to make sure it hasn't been hacked.
