
HostMod-A removal?

How do I remove HostMod-A malware? It's located at Private/etc/hosts, but when I try to open that folder, it says I do not have permission.

Posted on Jun 22, 2012 1:30 PM


Jul 15, 2012 4:24 AM in response to quickasfoxe

Results of ls -@l | grep host:

-rw-r--r-- 1 root wheel 87 Jul 20 2011 hostconfig
-rw-r--rw- 1 root wheel 2501 Jul 14 20:19 hosts
-rw-r--r-- 1 root wheel 2501 Mar 30 11:18 hosts.ac
-rw-r--r-- 1 root wheel 0 Jun 18 2011 hosts.equiv


The only items that I have in that directory that match that search are:


-rw-r--r-- 1 root wheel 87 Jul 20 2011 hostconfig
-rw-r--r-- 1 root wheel 283 Jun 7 2011 hosts
-rw-r--r-- 1 root wheel 0 Jun 18 2011 hosts.equiv
-rw-r--r-- 1 root wheel 236 Jul 20 2011 hosts~orig


The ssh items are probably nothing to worry about, if you have generated those ssh keys yourself. They predate the infection anyway.


As MadMacs0 points out, your hosts file is too big, so your problem can't be fixed yet, and the presence of a hosts.ac file of the same size is suspicious. There must be some process that keeps replacing the contents of the hosts file with the contents of hosts.ac. The trick will be figuring out what that process is.


There have been a number of cases lately of malware installing LaunchAgents, which are scripts that run code at certain times. In the Terminal, enter:


ls -al ~/Library/LaunchAgents/


What are the results of that command?

Jul 15, 2012 4:49 AM in response to MadMacs0

No, hosts.ac is part of Cisco AnyConnect, and the user must be or must have used Cisco AnyConnect at some point to connect to work (VPN).


Part of Cisco AnyConnect's operation is to have the hosts.ac overwrite the hosts on reboot. That is how it works, not a trojan.


Make the changes above to the hosts.ac, but before you do, read below: it is important that you contact the organization that wanted you to use Cisco AnyConnect. Universities such as Carnegie Mellon use Cisco AnyConnect. You can confirm with your organization what the hosts.ac file should look like and should promptly get in touch with whoever you are connecting to via Cisco. Also make sure to update Cisco AnyConnect.


Check this forum out if you are using Sophos and AnyConnect.


VERY IMPORTANT


Make sure to contact your incident team at the company that you are using AnyConnect with. If that hosts file is compromised, they may have a serious internal problem, or they may have specifically set your hosts file to behave in a certain manner. Make sure that you are allowed to alter the hosts.ac file and inform them about the changes.

THIS IS THE BEST COURSE OF ACTION.


Playing with this in the APPLE FORUM may not result in a successful solution; contact the organization you connect to via AnyConnect.
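The checks discussed in this thread (whether the hosts file still carries entries beyond the stock macOS ones, whether hosts and hosts.ac are byte-identical, and whether a LaunchAgent references the hosts file), written up as an added shell example. This is not code from the thread posters or from Cisco; the sample hosts data it builds is constructed, and the stock-entry list it treats as normal is an assumption based on a default macOS hosts file.

```shell
#!/bin/sh
# Print the non-comment lines of hosts file $1 that are not one of the
# stock macOS entries; a clean file prints nothing.
suspicious_hosts_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    grep -Ev '^[[:space:]]*(127\.0\.0\.1|255\.255\.255\.255|::1|fe80::1%lo0)[[:space:]]+(localhost|broadcasthost)[[:space:]]*$' ||
    true
}

# Echo the number of suspicious entries in hosts file $1.
count_suspicious() {
    suspicious_hosts_entries "$1" | grep -c . || true
}

# Exit 0 when $1 and $2 are byte-identical (hosts and hosts.ac were the
# same size in the thread; identical contents means something copies one
# over the other).
same_contents() {
    cmp -s "$1" "$2"
}

# List LaunchAgent plists in directory $1 (default: the user's LaunchAgents
# folder) that mention /etc/hosts, the kind of job the thread suspects of
# rewriting the file at login or on reboot.
launch_agents_touching_hosts() {
    dir="${1:-$HOME/Library/LaunchAgents}"
    [ -d "$dir" ] || return 0
    grep -l 'etc/hosts' "$dir"/*.plist 2>/dev/null || true
}

# Constructed demo data (not from the thread): a stock hosts file, a padded
# copy with redirects to RFC 5737 documentation addresses, and a hosts.ac
# that matches the padded copy. Echoes the temp directory path.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/clean_hosts" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
EOF
    cp "$d/clean_hosts" "$d/hosts"
    printf '%s\n' '192.0.2.10 update.example.com' '192.0.2.10 www.example.net' >> "$d/hosts"
    cp "$d/hosts" "$d/hosts.ac"
    echo "$d"
}
```

On a real machine, run `suspicious_hosts_entries /etc/hosts`, `same_contents /etc/hosts /etc/hosts.ac` and `launch_agents_touching_hosts` against the live files instead of the demo directory.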

Jul 15, 2012 10:49 AM in response to quickasfoxe

After some discussion elsewhere, it was pointed out that Cisco AnyConnect has some remote code execution vulnerabilities. If you're running that software (which the hosts.ac file apparently indicates that you are), you need to update it, and as drStrangeP0rk has indicated, you need to contact the company providing that software to you.


There's a bunch of information about the vulnerabilities here:


http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac


It's very dense and difficult-to-read information, though.

Jul 15, 2012 12:43 PM in response to thomas_r.

I have looked at install.log.n.bz2 and still don't see anything for 3/30.


In terms of Find My Files for 3/30/12, there were 404 files created. Since I can't take a screenshot, is there a way for me to export that list to post? Here is a screenshot specific to 11:18AM.




It appears there was an embed.divxstage.edu folder created, as well as odcast.com, divxstage.swf, and wwuplocoadccom0u7metw9rt1justif# folder. Anything else that I might use to guide what could be considered suspicious?


And while I am at a new university that I do not use Cisco AnyConnect through, I will notify my former university's IT department to the situation.

Jul 15, 2012 5:11 PM in response to MadMacs0

quickasfoxe wrote:


I have looked at install.log.n.bz2 and still don't see anything for 3/30.

I think we can probably assume at this point that it was installed the last time you installed AnyConnect, so that date time may be meaningless.

In terms of Find My Files for 3/30/12, there were 404 files created. Since I can't take a screenshot, is there a way for me to export that list to post? Here is a screenshot specific to 11:18AM.

Note that the times listed are the Date Modified, which is often, but not always, the Date Created. Again, I think we can assume at this point that the AnyConnect installation was probably the culprit.

It appears there was an embed.divxstage.edu folder created, as well as odcast.com, divxstage.swf, and wwuplocoadccom0u7metw9rt1justif# folder. Anything else that I might use to guide what could be considered suspicious?

I'm guessing those are part of a DivX installation of some sort, DivXStage? and associated with school (.edu). Not certain about that.

And while I am at a new university that I do not use Cisco AnyConnect through, I will notify my former university's IT department to the situation.

That's clearly the next step. If they can confirm that they provided you with an infected hosts.ac file, then that should wrap things up. If not and they think it became infected after it was installed on your machine, then we're back to square one.


So, if they confirm that they were the source, your next step would be to completely uninstall AnyConnect. According to this document "Uninstalling the Cisco AnyConnect VPN Client" you need to do the following:


Launch the Terminal app (found in /Applications/Utilities/), copy and paste the following after the "$ " prompt:

sudo /opt/cisco/vpn/bin/vpn_uninstall.sh

followed by the return key. Enter your admin password when asked for (you will not see any typing) and hit return. I have no idea whether you will get any feedback.


Again, don't remove it until you get the goahead from your former university IT folks.


Good luck.
