
What actions should I take after seeing this script running @ startup today? "ARDAgent\" to do shell script \"say quack\"'"

STEPS TAKEN:

  • Logged into Mac for first time today.
  • Noticed a new individual file in the Library directory, ".a.text". (Settings display hidden system files/folders.)
  • File contained only the text "--purge".
  • Metadata on the file pointed the source to a bash process run @ startup.
  • Attached History command output.
  • Disabled ARD for now.


SETTINGS:

  • All Sharing was Off.
  • Firewall was set to Block All Incoming Connections.
  • Home network with no other active users at time.
  • Upgraded to Mavs 10.9.2 last night.
  • Do not use any file sharing or remote access into Mac.
  • The SSH host attempts were my old Amazon EC2 instances.
  • Appears to start the bitcoin app and a few databases.
  • Worth noting I've been having tons of various issues last few months.

Thanks.




<POB> My command-line prompts. XXXX on locals.

XXXXXX:~ Administrator$ export HISTTIMEFORMAT='%F %T '

XXXXXX:~ Administrator$ history


<POB> OUTPUT

1 2014-02-27 17:23:35 rm -rf ~/.Trash/*

2 2014-02-27 17:23:35 cd

3 2014-02-27 17:23:35 .

4 2014-02-27 17:23:35 ./

5 2014-02-27 17:23:35 cd

6 2014-02-27 17:23:35 lib

7 2014-02-27 17:23:35 cd/

8 2014-02-27 17:23:35

9 2014-02-27 17:23:35 ls

10 2014-02-27 17:23:35 cd downloads

11 2014-02-27 17:23:35 ls downloads

12 2014-02-27 17:23:35 ls Downloads

13 2014-02-27 17:23:35 find / -nouser -ls

14 2014-02-27 17:23:35 find /~nouser -ls

15 2014-02-27 17:23:35 ls

16 2014-02-27 17:23:35 ls /library

17 2014-02-27 17:23:35 /LaunchAgents

18 2014-02-27 17:23:35 ls /LaunchAgents

19 2014-02-27 17:23:35 ls /Automator

20 2014-02-27 17:23:35 ls /KeyChains

21 2014-02-27 17:23:35 sha

22 2014-02-27 17:23:35 toop

23 2014-02-27 17:23:35 top

24 2014-02-27 17:23:35 dscl . -list /Users UniqueID

25 2014-02-27 17:23:35 $ dscl -plist . readall /users

26 2014-02-27 17:23:35 $ dscl . readall /users

27 2014-02-27 17:23:35 $ dscl . readall /503

28 2014-02-27 17:23:35 ls/Users

29 2014-02-27 17:23:35 - dscacheutil -q group

30 2014-02-27 17:23:35 cd

31 2014-02-27 17:23:35 cd.

32 2014-02-27 17:23:35 cd .

33 2014-02-27 17:23:35 ls

34 2014-02-27 17:23:35 ifconfig

35 2014-02-27 17:23:35 ifconfig

36 2014-02-27 17:23:35 ifconfig

37 2014-02-27 17:23:35 config helper

38 2014-02-27 17:23:35 config

39 2014-02-27 17:23:35 ls

40 2014-02-27 17:23:35 ssh awsXXXX

41 2014-02-27 17:23:35 defaults write com.google.Keystone.Agent checkInterval 0

42 2014-02-27 17:23:35 exit

43 2014-02-27 17:23:35 exit

44 2014-02-27 17:23:35 /var/log/secure.log

45 2014-02-27 17:23:35 ssh awsXXXXXX

46 2014-02-27 17:23:35 exit

47 2014-02-27 17:23:35 kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

48 2014-02-27 17:23:35 sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

49 2014-02-27 17:23:35 launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

50 2014-02-27 17:23:35 ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

51 2014-02-27 17:23:35 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

52 2014-02-27 17:23:35 top

53 2014-02-27 17:23:35 ps

54 2014-02-27 17:23:35 top

55 2014-02-27 17:23:35 top

56 2014-02-27 17:23:35 top

57 2014-02-27 17:23:35 sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop

58 2014-02-27 17:23:35 man who

59 2014-02-27 17:23:35 who

60 2014-02-27 17:23:35 whoami

61 2014-02-27 17:23:35 ps -aux

62 2014-02-27 17:23:35 ps

63 2014-02-27 17:23:35 top

64 2014-02-27 17:23:35 ps -eo pid,etime

65 2014-02-27 17:23:35 top

66 ??ps aux | less

67 2014-02-27 17:23:35 pstree

68 2014-02-27 17:23:35 ps -eo euser,ruser,suser,fuser,f,comm,label

69 2014-02-27 17:23:35 pgrep

70 2014-02-27 17:23:35 pgrep remote

71 2014-02-27 17:23:35 apt-get install htop

72 2014-02-27 17:23:35 htop

73 2014-02-27 17:23:35 netstat -tulpn | grep :80

74 2014-02-27 17:23:35 ls -l /proc/635/exe

75 2014-02-27 17:23:35 swapon -a

76 2014-02-27 17:23:35 ma ps

77 2014-02-27 17:23:35 man ps

78 2014-02-27 17:23:35 man ps

79 2014-02-27 17:23:35 ps -a

80 2014-02-27 17:23:35 ps -A

81 2014-02-27 17:23:35 whoami

82 2014-02-27 17:23:35 ps -f

83 2014-02-27 17:23:35 ps -G

84 2014-02-27 17:23:35 ps -g

85 2014-02-27 17:23:35 ps -T

86 2014-02-27 17:23:35 ps-t

87 2014-02-27 17:23:35 ps -v

88 2014-02-27 17:23:35 ps start

89 2014-02-27 17:23:35 top

90 2014-02-27 17:23:35 ps

91 2014-02-27 17:23:35 users

92 2014-02-27 17:23:35 last

93 2014-02-27 17:23:35 ls /var/log/wtmp*

94 2014-02-27 17:23:35 last -f /var/log/wtmp.1

95 2014-02-27 17:23:35 last -f /var/log/wtmp.0

96 2014-02-27 17:23:35 ~/.bash_history

97 2014-02-27 17:23:35 cat ~/.bash_history

98 2014-02-27 17:23:35 ls /Automator

99 2014-02-27 17:23:35 cat Automator

100 2014-02-27 17:23:35 open ~/.bash_history

101 2014-02-27 17:23:35 dscl . readall /users

102 2014-02-27 17:23:35 ls/library

103 2014-02-27 17:23:35 cd/library

104 2014-02-27 17:23:35 cd..

105 2014-02-27 17:23:35 cd

106 2014-02-27 17:23:35 ls

107 2014-02-27 17:23:35 cd Library

108 2014-02-27 17:23:35 cd/Library

109 2014-02-27 17:23:35 ls/Automator

110 2014-02-27 17:23:35 toop

111 2014-02-27 17:23:35 top

112 2014-02-27 17:23:35 ifconfig

113 2014-02-27 17:23:35 config helper

114 2014-02-27 17:23:35 config

115 2014-02-27 17:23:35 top

116 2014-02-27 17:23:35 ps -a

117 2014-02-27 17:23:35 ps -A

118 2014-02-27 17:23:35 ps -aux

119 2014-02-27 17:23:35 ps

120 2014-02-27 17:23:35 getprocessforpid(677)

121 2014-02-27 17:23:35 man ps

122 2014-02-27 17:23:35 ps -U

123 2014-02-27 17:23:35 ps -u

124 2014-02-27 17:23:35 GetProcessPID(494)

125 2014-02-27 17:23:35 GetProcessPID() q

126 2014-02-27 17:23:35 GetProcessPID494

127 2014-02-27 17:23:35 GetProcessPID 494

128 2014-02-27 17:23:35 netstat -b

129 2014-02-27 17:23:35 top

130 2014-02-27 17:23:35 top

131 2014-02-27 17:23:35 top

132 2014-02-27 17:23:35 netstat -a

133 2014-02-27 17:23:35 netstat -a | grep vnc | grep ESTABLISHED

134 2014-02-27 17:23:35 top

135 2014-02-27 17:23:35 netstat -a

136 2014-02-27 17:23:35 top

137 2014-02-27 17:23:35 top

138 2014-02-27 17:23:35 netstat -a

139 2014-02-27 17:23:35 ps -aux

140 2014-02-27 17:23:35 netstat -a | grep vnc | grep ESTABLISHED

141 2014-02-27 17:23:35 ps -aux

142 2014-02-27 17:23:35 ps -A

143 2014-02-27 17:23:35 ps -A

144 2014-02-27 17:23:35 netstat -a | grep vnc | grep ESTABLISHED

145 2014-02-27 17:23:35 netstat -a

146 2014-02-27 17:23:35 top

147 2014-02-27 17:23:35 top

148 2014-02-27 17:23:35 netstat -a

149 2014-02-27 17:23:35 netstat -a

150 2014-02-27 17:23:35 netstat -a

151 2014-02-27 17:23:35 q

152 2014-02-27 17:23:35 top

153 2014-02-27 17:23:35 top

154 2014-02-27 17:23:35 sudo tmutil disablelocal

155 2014-02-27 17:23:35 exit

156 2014-02-27 17:23:35 top

157 2014-02-27 17:23:35 top

158 2014-02-27 17:23:35 top

159 2014-02-27 17:23:35 top

160 2014-02-27 17:23:35 top

161 2014-02-27 17:23:35 top

162 2014-02-27 17:23:35 neststat -n

163 2014-02-27 17:23:35 netstat -n

164 2014-02-27 17:23:35 netstat -n

165 2014-02-27 17:23:35 ls

166 2014-02-27 17:23:35 lsaf

167 2014-02-27 17:23:35 cd ..

168 2014-02-27 17:23:35 cd ..

169 2014-02-27 17:23:35 cd ..

170 2014-02-27 17:23:35 cd ..

171 2014-02-27 17:23:35 ls

172 2014-02-27 17:23:35 top

173 2014-02-27 17:23:35 netstat

174 2014-02-27 17:23:35 dscl . list/users

175 2014-02-27 17:23:35 cd ~

176 2014-02-27 17:23:35 dscl . list/users

177 2014-02-27 17:23:35 dscl . list /users

178 2014-02-27 17:23:35 dscl . list /groups

179 2014-02-27 17:23:35 dscl . readall /users

180 2014-02-27 17:23:35 netstat

181 2014-02-27 17:23:35 netstat

182 2014-02-27 17:23:35 whoami

183 2014-02-27 17:23:35 ls

184 2014-02-27 17:23:35 cd ..

185 2014-02-27 17:23:35 cd ..

186 2014-02-27 17:23:35 cd .

187 2014-02-27 17:23:35 cd ..

188 2014-02-27 17:23:35 ls

189 2014-02-27 17:23:35 tree

190 2014-02-27 17:23:35 cd Users

191 2014-02-27 17:23:35 ls

192 2014-02-27 17:23:35 cd Administrator

193 2014-02-27 17:23:35 ls

194 2014-02-27 17:23:35 cd ..

195 2014-02-27 17:23:35 cd ..

196 2014-02-27 17:23:35 cd ..

197 2014-02-27 17:23:35 ls

198 2014-02-27 17:23:35 cd Users

199 2014-02-27 17:23:35 ls

200 2014-02-27 17:23:35 cd Adminstrator

201 2014-02-27 17:23:35 cd Administrator

202 2014-02-27 17:23:35 ls

203 2014-02-27 17:23:35 cd Downloads

204 2014-02-27 17:23:35 ls

205 2014-02-27 17:23:35 exit

206 2014-02-27 17:23:35 whoami

207 2014-02-27 17:23:35 ls

208 2014-02-27 17:23:35 ls

209 2014-02-27 17:23:35 cd Library

210 2014-02-27 17:23:35 ls

211 2014-02-27 17:23:35 cd Application Support

212 2014-02-27 17:23:35 ls

213 2014-02-27 17:23:35 cd ..

214 2014-02-27 17:23:35 ls

215 2014-02-27 17:23:35 cd ..

216 2014-02-27 17:23:35 ls

217 2014-02-27 17:23:35 cd pXXXXXXXX

218 2014-02-27 17:23:35 ls

219 2014-02-27 17:23:35 cd Library

220 2014-02-27 17:23:35 whoami

221 2014-02-27 17:23:35 sudo - Adminsitrator

222 2014-02-27 17:23:35 ls

223 2014-02-27 17:23:35 ls

224 2014-02-27 17:23:35 sudo -

225 2014-02-27 17:23:35 more /etc/hosts

226 2014-02-27 17:23:35 scc ver

227 2014-02-27 17:23:35 scc numprofiles

228 2014-02-27 17:23:35 netstat -an |find /i "listening"

229 2014-02-27 17:23:35 netstat

230 2014-02-27 17:23:35 top

231 2014-02-27 17:23:35 kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

232 2014-02-27 17:23:35 sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

233 2014-02-27 17:23:35 launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

234 2014-02-27 17:23:35 ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta} * L*/Fonts 2> /dev/null

235 2014-02-27 17:23:35 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

236 2014-02-27 17:23:35 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

237 2014-02-27 17:23:35 top

238 2014-02-27 17:23:35 dscacheutil -flushcache

239 2014-02-27 17:23:35 sudo killall -HUP mDNSResponder

240 2014-02-27 17:23:35 top

241 2014-02-27 17:23:35 ./bitcoin-qt

242 2014-02-27 17:23:35 cd $home

243 2014-02-27 17:23:35 ls

244 2014-02-27 17:23:35 cd ..

245 2014-02-27 17:23:35 cd ..

246 2014-02-27 17:23:35 cd ..

247 2014-02-27 17:23:35 ls

248 2014-02-27 17:23:35 cd Applications

249 2014-02-27 17:23:35 ls

250 2014-02-27 17:23:35 ./bitcoin-qt.app

251 2014-02-27 17:23:35 top

252 2014-02-27 17:23:35 ps -420

253 2014-02-27 17:23:35 ps -9541

254 2014-02-27 17:23:35 top

255 2014-02-27 17:23:35 /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit;

256 2014-02-27 17:23:35 /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit;

257 2014-02-27 17:23:35 top

258 2014-02-27 17:23:35 ps -a (2077)

259 2014-02-27 17:23:35 ps -a2077

260 2014-02-27 17:23:35 sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

261 2014-02-27 17:23:35 top

262 2014-02-27 17:23:35 on run

263 2014-02-27 17:23:35 do shell script "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'"

264 2014-02-27 17:23:35 end run

265 2014-02-27 17:23:35 ls -ls /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp 2

266 2014-02-27 17:23:35 sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist



<POB> END

MacBook Pro, OS X Mavericks (10.9.2), Potential ARD virus/rogue

Posted on Feb 27, 2014 6:04 PM
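Several entries in the history above (the `launchctl list | sed 1d | awk ...` pipelines) are a manual check for launchd jobs whose label is not Apple's or a known system service. As an added example that is not part of the original post, the script below does the same filtering with a small parser and structured output, using the same allowlist as those awk filters; the `launchctl` output it works on is a constructed sample, and `live_jobs` only runs `launchctl` when invoked on a Mac.

```python
"""Flag launchd jobs in `launchctl list` output whose label is not on an allowlist."""
import re
import subprocess

# Allowlist taken from the awk filters in the history above; extend it with
# labels of software you know you installed. Unlike awk, this is anchored to
# the start of the label rather than matching anywhere in the line.
EXPECTED = re.compile(
    r"^(com\.apple|com\.openssh|com\.vix|edu\.mit|"
    r"org\.(x|openbsd|cups|ntp|postfix|apache|isc|amavis))\."
)

# Constructed sample in the tab-separated `launchctl list` format (PID, last
# exit status, label); "-" in the PID column means the job is not running.
SAMPLE = (
    "PID\tStatus\tLabel\n"
    "-\t0\tcom.apple.SafariHistoryServiceAgent\n"
    "412\t0\tcom.apple.Finder\n"
    "-\t-15\t0x7fa2b3c0a1d0.anonymous.bash\n"
    "523\t0\tcom.google.keystone.agent\n"
    "-\t0\tcom.example.launchjob\n"
)


def parse_launchctl(text):
    """Return (pid or None, exit status, label) tuples; the header line is skipped."""
    jobs = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or parts[2] == "Label":
            continue
        pid, status, label = parts
        jobs.append((None if pid == "-" else int(pid), int(status), label))
    return jobs


def suspicious_jobs(text):
    """Jobs not on the allowlist, skipping anonymous 0x... jobs like the awk filter did."""
    out = []
    for pid, status, label in parse_launchctl(text):
        if label.startswith("0x") or EXPECTED.match(label):
            continue
        # A negative status means the last instance was killed by a signal.
        out.append({"label": label, "pid": pid, "status": status, "running": pid is not None})
    return out


def live_jobs(as_root=False):
    """Run launchctl on a Mac (per-user jobs, or daemons with sudo) and filter it."""
    cmd = (["sudo"] if as_root else []) + ["launchctl", "list"]
    return suspicious_jobs(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)


if __name__ == "__main__":
    for job in suspicious_jobs(SAMPLE):
        print("{label}\tpid={pid}\tstatus={status}".format(**job))
```

Anything it reports is only "not on the allowlist"; confirm each label by reading its plist in ~/Library/LaunchAgents, /Library/LaunchAgents or /Library/LaunchDaemons before deciding it is unwanted.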


Feb 28, 2014 12:03 PM in response to peterob@

I'm extremely unclear on exactly what's happening. You mention something about a script running at startup in your subject, but then never mention that again. What's going on there? Where are you finding that script?


That script would suggest someone playing a joke on you, by making your computer say "quack" every time you start up. That's not indicative of malware.


On the other hand, a hidden file as you describe is a common malware trick, though I'm not sure why it would only contain "--purge" - that isn't a complete command, as far as I know, and the purge command isn't likely to be used for malicious purposes anyway.


Still, you do have some indication that you're using Bitcoin-related apps, and there has been some Bitcoin malware that has appeared recently. See:


New CoinThief malware discovered


Note that the post on MacRumors that you refer to in your second post is almost six years old, and references a vulnerability that was closed later in 2008. It's completely irrelevant to any modern system.
