
What actions should I take after seeing this script running @ startup today? "ARDAgent\" to do shell script \"say quack\"'"

STEPS TAKEN:

  • Logged into Mac for first time today.
  • Noticed a new file, ".a.text", in the Library directory. (Settings display hidden system files/folders.)
  • File contained only the text "--purge".
  • Metadata on the file traced its source to a bash process run @ startup.
  • Attached History command output.
  • Disabled ARD for now.


SETTINGS:

  • All Sharing was Off.
  • Firewall was set to Block All Incoming Connections.
  • Home network with no other active users at time.
  • Upgraded to Mavericks 10.9.2 last night.
  • Do not use any file sharing or remote access into Mac.
  • The SSH host attempts were my old Amazon EC2 instances.
  • Appears to start a Bitcoin app and a few databases.
  • Worth noting I've been having tons of various issues the last few months.

Thanks.




<POB> My command-line prompts. XXXX on locals.

XXXXXX:~ Administrator$ export HISTTIMEFORMAT='%F %T '

XXXXXX:~ Administrator$ history


<POB> OUTPUT

1 2014-02-27 17:23:35 rm -rf ~/.Trash/*

2 2014-02-27 17:23:35 cd

3 2014-02-27 17:23:35 .

4 2014-02-27 17:23:35 ./

5 2014-02-27 17:23:35 cd

6 2014-02-27 17:23:35 lib

7 2014-02-27 17:23:35 cd/

8 2014-02-27 17:23:35

9 2014-02-27 17:23:35 ls

10 2014-02-27 17:23:35 cd downloads

11 2014-02-27 17:23:35 ls downloads

12 2014-02-27 17:23:35 ls Downloads

13 2014-02-27 17:23:35 find / -nouser -ls

14 2014-02-27 17:23:35 find /~nouser -ls

15 2014-02-27 17:23:35 ls

16 2014-02-27 17:23:35 ls /library

17 2014-02-27 17:23:35 /LaunchAgents

18 2014-02-27 17:23:35 ls /LaunchAgents

19 2014-02-27 17:23:35 ls /Automator

20 2014-02-27 17:23:35 ls /KeyChains

21 2014-02-27 17:23:35 sha

22 2014-02-27 17:23:35 toop

23 2014-02-27 17:23:35 top

24 2014-02-27 17:23:35 dscl . -list /Users UniqueID

25 2014-02-27 17:23:35 $ dscl -plist . readall /users

26 2014-02-27 17:23:35 $ dscl . readall /users

27 2014-02-27 17:23:35 $ dscl . readall /503

28 2014-02-27 17:23:35 ls/Users

29 2014-02-27 17:23:35 - dscacheutil -q group

30 2014-02-27 17:23:35 cd

31 2014-02-27 17:23:35 cd.

32 2014-02-27 17:23:35 cd .

33 2014-02-27 17:23:35 ls

34 2014-02-27 17:23:35 ifconfig

35 2014-02-27 17:23:35 ifconfig

36 2014-02-27 17:23:35 ifconfig

37 2014-02-27 17:23:35 config helper

38 2014-02-27 17:23:35 config

39 2014-02-27 17:23:35 ls

40 2014-02-27 17:23:35 ssh awsXXXX

41 2014-02-27 17:23:35 defaults write com.google.Keystone.Agent checkInterval 0

42 2014-02-27 17:23:35 exit

43 2014-02-27 17:23:35 exit

44 2014-02-27 17:23:35 /var/log/secure.log

45 2014-02-27 17:23:35 ssh awsXXXXXX

46 2014-02-27 17:23:35 exit

47 2014-02-27 17:23:35 kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

48 2014-02-27 17:23:35 sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

49 2014-02-27 17:23:35 launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

50 2014-02-27 17:23:35 ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

51 2014-02-27 17:23:35 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

52 2014-02-27 17:23:35 top

53 2014-02-27 17:23:35 ps

54 2014-02-27 17:23:35 top

55 2014-02-27 17:23:35 top

56 2014-02-27 17:23:35 top

57 2014-02-27 17:23:35 sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop

58 2014-02-27 17:23:35 man who

59 2014-02-27 17:23:35 who

60 2014-02-27 17:23:35 whoami

61 2014-02-27 17:23:35 ps -aux

62 2014-02-27 17:23:35 ps

63 2014-02-27 17:23:35 top

64 2014-02-27 17:23:35 ps -eo pid,etime

65 2014-02-27 17:23:35 top

66 ??ps aux | less

67 2014-02-27 17:23:35 pstree

68 2014-02-27 17:23:35 ps -eo euser,ruser,suser,fuser,f,comm,label

69 2014-02-27 17:23:35 pgrep

70 2014-02-27 17:23:35 pgrep remote

71 2014-02-27 17:23:35 apt-get install htop

72 2014-02-27 17:23:35 htop

73 2014-02-27 17:23:35 netstat -tulpn | grep :80

74 2014-02-27 17:23:35 ls -l /proc/635/exe

75 2014-02-27 17:23:35 swapon -a

76 2014-02-27 17:23:35 ma ps

77 2014-02-27 17:23:35 man ps

78 2014-02-27 17:23:35 man ps

79 2014-02-27 17:23:35 ps -a

80 2014-02-27 17:23:35 ps -A

81 2014-02-27 17:23:35 whoami

82 2014-02-27 17:23:35 ps -f

83 2014-02-27 17:23:35 ps -G

84 2014-02-27 17:23:35 ps -g

85 2014-02-27 17:23:35 ps -T

86 2014-02-27 17:23:35 ps-t

87 2014-02-27 17:23:35 ps -v

88 2014-02-27 17:23:35 ps start

89 2014-02-27 17:23:35 top

90 2014-02-27 17:23:35 ps

91 2014-02-27 17:23:35 users

92 2014-02-27 17:23:35 last

93 2014-02-27 17:23:35 ls /var/log/wtmp*

94 2014-02-27 17:23:35 last -f /var/log/wtmp.1

95 2014-02-27 17:23:35 last -f /var/log/wtmp.0

96 2014-02-27 17:23:35 ~/.bash_history

97 2014-02-27 17:23:35 cat ~/.bash_history

98 2014-02-27 17:23:35 ls /Automator

99 2014-02-27 17:23:35 cat Automator

100 2014-02-27 17:23:35 open ~/.bash_history

101 2014-02-27 17:23:35 dscl . readall /users

102 2014-02-27 17:23:35 ls/library

103 2014-02-27 17:23:35 cd/library

104 2014-02-27 17:23:35 cd..

105 2014-02-27 17:23:35 cd

106 2014-02-27 17:23:35 ls

107 2014-02-27 17:23:35 cd Library

108 2014-02-27 17:23:35 cd/Library

109 2014-02-27 17:23:35 ls/Automator

110 2014-02-27 17:23:35 toop

111 2014-02-27 17:23:35 top

112 2014-02-27 17:23:35 ifconfig

113 2014-02-27 17:23:35 config helper

114 2014-02-27 17:23:35 config

115 2014-02-27 17:23:35 top

116 2014-02-27 17:23:35 ps -a

117 2014-02-27 17:23:35 ps -A

118 2014-02-27 17:23:35 ps -aux

119 2014-02-27 17:23:35 ps

120 2014-02-27 17:23:35 getprocessforpid(677)

121 2014-02-27 17:23:35 man ps

122 2014-02-27 17:23:35 ps -U

123 2014-02-27 17:23:35 ps -u

124 2014-02-27 17:23:35 GetProcessPID(494)

125 2014-02-27 17:23:35 GetProcessPID() q

126 2014-02-27 17:23:35 GetProcessPID494

127 2014-02-27 17:23:35 GetProcessPID 494

128 2014-02-27 17:23:35 netstat -b

129 2014-02-27 17:23:35 top

130 2014-02-27 17:23:35 top

131 2014-02-27 17:23:35 top

132 2014-02-27 17:23:35 netstat -a

133 2014-02-27 17:23:35 netstat -a | grep vnc | grep ESTABLISHED

134 2014-02-27 17:23:35 top

135 2014-02-27 17:23:35 netstat -a

136 2014-02-27 17:23:35 top

137 2014-02-27 17:23:35 top

138 2014-02-27 17:23:35 netstat -a

139 2014-02-27 17:23:35 ps -aux

140 2014-02-27 17:23:35 netstat -a | grep vnc | grep ESTABLISHED

141 2014-02-27 17:23:35 ps -aux

142 2014-02-27 17:23:35 ps -A

143 2014-02-27 17:23:35 ps -A

144 2014-02-27 17:23:35 netstat -a | grep vnc | grep ESTABLISHED

145 2014-02-27 17:23:35 netstat -a

146 2014-02-27 17:23:35 top

147 2014-02-27 17:23:35 top

148 2014-02-27 17:23:35 netstat -a

149 2014-02-27 17:23:35 netstat -a

150 2014-02-27 17:23:35 netstat -a

151 2014-02-27 17:23:35 q

152 2014-02-27 17:23:35 top

153 2014-02-27 17:23:35 top

154 2014-02-27 17:23:35 sudo tmutil disablelocal

155 2014-02-27 17:23:35 exit

156 2014-02-27 17:23:35 top

157 2014-02-27 17:23:35 top

158 2014-02-27 17:23:35 top

159 2014-02-27 17:23:35 top

160 2014-02-27 17:23:35 top

161 2014-02-27 17:23:35 top

162 2014-02-27 17:23:35 neststat -n

163 2014-02-27 17:23:35 netstat -n

164 2014-02-27 17:23:35 netstat -n

165 2014-02-27 17:23:35 ls

166 2014-02-27 17:23:35 lsaf

167 2014-02-27 17:23:35 cd ..

168 2014-02-27 17:23:35 cd ..

169 2014-02-27 17:23:35 cd ..

170 2014-02-27 17:23:35 cd ..

171 2014-02-27 17:23:35 ls

172 2014-02-27 17:23:35 top

173 2014-02-27 17:23:35 netstat

174 2014-02-27 17:23:35 dscl . list/users

175 2014-02-27 17:23:35 cd ~

176 2014-02-27 17:23:35 dscl . list/users

177 2014-02-27 17:23:35 dscl . list /users

178 2014-02-27 17:23:35 dscl . list /groups

179 2014-02-27 17:23:35 dscl . readall /users

180 2014-02-27 17:23:35 netstat

181 2014-02-27 17:23:35 netstat

182 2014-02-27 17:23:35 whoami

183 2014-02-27 17:23:35 ls

184 2014-02-27 17:23:35 cd ..

185 2014-02-27 17:23:35 cd ..

186 2014-02-27 17:23:35 cd .

187 2014-02-27 17:23:35 cd ..

188 2014-02-27 17:23:35 ls

189 2014-02-27 17:23:35 tree

190 2014-02-27 17:23:35 cd Users

191 2014-02-27 17:23:35 ls

192 2014-02-27 17:23:35 cd Administrator

193 2014-02-27 17:23:35 ls

194 2014-02-27 17:23:35 cd ..

195 2014-02-27 17:23:35 cd ..

196 2014-02-27 17:23:35 cd ..

197 2014-02-27 17:23:35 ls

198 2014-02-27 17:23:35 cd Users

199 2014-02-27 17:23:35 ls

200 2014-02-27 17:23:35 cd Adminstrator

201 2014-02-27 17:23:35 cd Administrator

202 2014-02-27 17:23:35 ls

203 2014-02-27 17:23:35 cd Downloads

204 2014-02-27 17:23:35 ls

205 2014-02-27 17:23:35 exit

206 2014-02-27 17:23:35 whoami

207 2014-02-27 17:23:35 ls

208 2014-02-27 17:23:35 ls

209 2014-02-27 17:23:35 cd Library

210 2014-02-27 17:23:35 ls

211 2014-02-27 17:23:35 cd Application Support

212 2014-02-27 17:23:35 ls

213 2014-02-27 17:23:35 cd ..

214 2014-02-27 17:23:35 ls

215 2014-02-27 17:23:35 cd ..

216 2014-02-27 17:23:35 ls

217 2014-02-27 17:23:35 cd pXXXXXXXX

218 2014-02-27 17:23:35 ls

219 2014-02-27 17:23:35 cd Library

220 2014-02-27 17:23:35 whoami

221 2014-02-27 17:23:35 sudo - Adminsitrator

222 2014-02-27 17:23:35 ls

223 2014-02-27 17:23:35 ls

224 2014-02-27 17:23:35 sudo -

225 2014-02-27 17:23:35 more /etc/hosts

226 2014-02-27 17:23:35 scc ver

227 2014-02-27 17:23:35 scc numprofiles

228 2014-02-27 17:23:35 netstat -an |find /i "listening"

229 2014-02-27 17:23:35 netstat

230 2014-02-27 17:23:35 top

231 2014-02-27 17:23:35 kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

232 2014-02-27 17:23:35 sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

233 2014-02-27 17:23:35 launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

234 2014-02-27 17:23:35 ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

235 2014-02-27 17:23:35 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

236 2014-02-27 17:23:35 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

237 2014-02-27 17:23:35 top

238 2014-02-27 17:23:35 dscacheutil -flushcache

239 2014-02-27 17:23:35 sudo killall -HUP mDNSResponder

240 2014-02-27 17:23:35 top

241 2014-02-27 17:23:35 ./bitcoin-qt

242 2014-02-27 17:23:35 cd $home

243 2014-02-27 17:23:35 ls

244 2014-02-27 17:23:35 cd ..

245 2014-02-27 17:23:35 cd ..

246 2014-02-27 17:23:35 cd ..

247 2014-02-27 17:23:35 ls

248 2014-02-27 17:23:35 cd Applications

249 2014-02-27 17:23:35 ls

250 2014-02-27 17:23:35 ./bitcoin-qt.app

251 2014-02-27 17:23:35 top

252 2014-02-27 17:23:35 ps -420

253 2014-02-27 17:23:35 ps -9541

254 2014-02-27 17:23:35 top

255 2014-02-27 17:23:35 /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit;

256 2014-02-27 17:23:35 /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit;

257 2014-02-27 17:23:35 top

258 2014-02-27 17:23:35 ps -a (2077)

259 2014-02-27 17:23:35 ps -a2077

260 2014-02-27 17:23:35 sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

261 2014-02-27 17:23:35 top

262 2014-02-27 17:23:35 on run

263 2014-02-27 17:23:35 do shell script "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'"

264 2014-02-27 17:23:35 end run

265 2014-02-27 17:23:35 ls -ls /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp 2

266 2014-02-27 17:23:35 sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist



<POB> END

MacBook Pro, OS X Mavericks (10.9.2), Potential ARD virus/rogue

Posted on Feb 27, 2014 6:04 PM

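The two persistence checks the poster ran by hand above (the `launchctl list` awk filter, and eyeballing LaunchAgents for anything that calls osascript or the ARDAgent "do shell script" trick in the subject line) can be scripted. The helper below is an added example, not code from the post or the reply. It assumes `launchctl list` output is piped in with its three columns (PID, Status, Label), that the plist directory is passed as an argument, and that `plutil` is available for binary plists on macOS (elsewhere files are read as plain XML). The two sample agents it writes, `com.example.updater` and `com.example.quack`, are constructed for the demo and are not real launch agents.

```shell
#!/bin/sh
# Added triage helper (hypothetical; not part of the original post).
# Assumptions: `launchctl list` output on stdin in PID/Status/Label form;
# plists in the directory given as $1; `plutil` present on macOS only.

# Print every label in `launchctl list` output that is not Apple's own.
# Same idea as the awk one-liner in the history, but with a single rule so
# that nothing third-party is silently filtered out before a human sees it.
third_party_labels() {
    awk 'NR > 1 && $NF !~ /^com\.apple\./ { print $NF }'
}

# Things worth a second look inside a launchd ProgramArguments array:
# AppleScript run through osascript, the ARDAgent "do shell script" pattern
# from the post, and binaries launched from hidden directories or /tmp.
SUSPECT_RE='osascript|ARDAgent|do shell script|/\.[A-Za-z0-9_]|/tmp/|/var/tmp/'

# Emit a plist as XML text; binary plists are converted on macOS via plutil.
plist_text() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

# Print the path of every .plist in $1 whose contents match SUSPECT_RE.
scan_launch_plists() {
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        if plist_text "$f" | grep -qE "$SUSPECT_RE"; then
            printf '%s\n' "$f"
        fi
    done
}

# Write two constructed sample agents into $1: one benign-looking updater
# and one that runs the "say quack" AppleScript seen in the thread.
make_sample_plists() {
    cat > "$1/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/Example/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$1/com.example.quack.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.quack</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>-e</string>
    <string>tell app "ARDAgent" to do shell script "say quack"</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

# Stand-alone demo: build the constructed directory, scan it, clean up.
demo() {
    tmp=$(mktemp -d)
    make_sample_plists "$tmp"
    scan_launch_plists "$tmp"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On a real machine, point `scan_launch_plists` at `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` in turn, and pipe both `launchctl list` and `sudo launchctl list` into `third_party_labels`, since per-user agents and system daemons are listed separately. A match only says a plist deserves reading, not that it is malicious; the `com.example.quack` hit here is exactly the prank script the reply describes, and the `kickstart -agent -stop` in the history only stops the agent without removing whatever loaded the plist.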

Feb 28, 2014 12:03 PM in response to peterob@

I'm extremely unclear on exactly what's happening. You mention something about a script running at startup in your subject, but then never mention that again. What's going on there? Where are you finding that script?


That script would suggest someone playing a joke on you, by making your computer say "quack" every time you start up. That's not indicative of malware.


On the other hand, a hidden file as you describe is a common malware trick, though I'm not sure why it would only contain "--purge" - that isn't a complete command, as far as I know, and the purge command isn't likely to be used for malicious purposes anyway.


Still, you do have some indication that you're using Bitcoin-related apps, and there has been some Bitcoin malware that has appeared recently. See:


New CoinThief malware discovered


Note that the post on MacRumors that you refer to in your second post is almost six years old, and references a vulnerability that was closed later in 2008. It's completely irrelevant to any modern system.

