
Intrusion?

Hi. I found today, casually, an unknown folder in \Users\, named "jmoar", containing only the "Documents" folder and one file inside it named "InstallerTest.rtf".

I opened it from Terminal with nano and it doesn't appear suspicious; it only contains the string "installer test". I've searched for unusual users via dscl but I have not found any "jmoar". It seems that the folder was created 03-27-2012. I'm worried about which program or who could have created it. What should I do, other than delete the folder?

thanks

MacBook Pro, Mac OS X (10.6.8)

Posted on Jun 16, 2012 7:33 AM

Question marked as Best reply

Posted on Jun 16, 2012 9:27 AM

I would consider it highly suspect.

The only thing I'm aware of in recent months (and that March creation date would tally) that placed files in /Users/ is the Flashback malware. I don't recognise the filename from that episode, but others have tested it more thoroughly than I, so may be able to offer an opinion.


Until one of the Terminal whizzes comes along to give you the commands to check for other components, be sure that your software security updates are up-to-date, especially update 8 which removes Flashback components, and turn off Java in your browsers (not JavaScript; you need that).

Ideally, go to Applications > Utilities > Java Preferences and uncheck the two boxes for Java SE6.


If you were seriously compromised, I think you would probably have had problems with Safari freezing or crashing, but better to be safe and do the checks.


<aside>

We don't use \ in file paths on Mac, it's /. \ is used as an escape character in Terminal commands etc.

</aside>

5 replies

Jun 16, 2012 6:37 PM in response to Topolinux

Topolinux wrote:


Hi. I found today, casually, an unknown folder in \Users\, named "jmoar", containing only the "Documents" folder and one file inside it named "InstallerTest.rtf".

I opened it from Terminal with nano and it doesn't appear suspicious; it only contains the string "installer test". I've searched for unusual users via dscl but I have not found any "jmoar". It seems that the folder was created 03-27-2012. I'm worried about which program or who could have created it. What should I do, other than delete the folder?

Although I agree with noondaywitch that it looks suspicious, it doesn't match any known variant of Flashback that I'm aware of. Only the System (root) should be able to create such a folder in /Users/, as Admins don't have write access to it. Flashback was able to create invisible files in /Users/Shared/, which is open to all.


Do you have any sharing options turned on? Are you on a WiFi network with less than WPA2 password access? Could anyone have had physical access to your computer? Is your Firewall enabled with Stealth Mode on? If Firewall logging is turned on check your appfirewall.log for anything suspicious on that date.
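Added example, not from any reply in this thread: a small shell script that performs two of the checks suggested above offline, comparing the folder names under /Users against the accounts dscl knows about, and pulling the firewall log lines for the folder's creation date. The folder listing, account list and log lines are constructed stand-ins for `ls -1 /Users`, `dscl . -list /Users` and /var/log/appfirewall.log; the log line format is approximate.

```shell
#!/bin/sh
# Added example (not the thread's own commands). On the Mac itself, feed the functions
# below with:  orphan_homes "$(ls -1 /Users)" "$(dscl . -list /Users)"
#              firewall_events_on 'Mar 27' "$(cat /var/log/appfirewall.log)"
# and check the folder's owner with `ls -ld /Users/jmoar` (the thread notes that
# only root should be able to create a folder directly under /Users).

# Constructed stand-in for `ls -1 /Users`
HOMES='Shared
topolinux
jmoar'

# Constructed stand-in for `dscl . -list /Users` (service accounts start with "_")
ACCOUNTS='_www
_spotlight
daemon
root
topolinux'

# Constructed stand-in for appfirewall.log lines; the format is approximate
FW_LOG='Mar 26 22:10:03 MacBook-Pro Firewall[45]: Allow Finder connecting from 192.0.2.10:49152
Mar 27 09:14:51 MacBook-Pro Firewall[45]: Stealth Mode connection attempt to TCP 192.0.2.20:548 from 192.0.2.77:51200
Mar 27 09:15:02 MacBook-Pro Firewall[45]: Deny sshd connecting from 192.0.2.77:51201
Mar 28 11:00:00 MacBook-Pro Firewall[45]: Allow cupsd connecting from 127.0.0.1:631'

# Print each home folder name ($1, one per line) with no account of the same short
# name in $2. "Shared" is skipped: it exists on every Mac and is open to all users.
orphan_homes() {
  printf '%s\n' "$1" | while IFS= read -r h; do
    [ -z "$h" ] && continue
    [ "$h" = Shared ] && continue
    printf '%s\n' "$2" | grep -qxF -- "$h" || printf '%s\n' "$h"
  done
}

# Print the log lines in $2 stamped with the "Mon DD" date in $1 (e.g. "Mar 27").
# Syslog pads single-digit days with a space ("Mar  7"), so pass the date as logged.
firewall_events_on() {
  printf '%s\n' "$2" | grep -- "^$1 "
}

orphan_homes "$HOMES" "$ACCOUNTS"        # prints: jmoar
firewall_events_on 'Mar 27' "$FW_LOG"    # prints the two Mar 27 lines
```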

Jun 16, 2012 9:44 PM in response to Topolinux

Use the Finder's Find (Command-F) command to search by filename, or use Find Any File, for the following strings (one at a time):


jmoar

InstallerTest


I wouldn't worry about it. Certainly nothing is going to be harmed by a wayward rtf file, and installers have been known to "accidentally" leave crap lying around from the author's testing. That's where I think that stuff came from.
