What actions should I take after seeing this script running @ startup today? "ARDAgent\" to do shell script \"say quack\"'"
STEPS TAKEN:
- Logged into Mac for first time today.
- Noticed a new individual file in Directory Library ".a.text". (Settings display hidden system files/folders)
- File contained only the text "--purge".
- Metadata on file directed source to bash process run @ startup.
- Attached History command output.
- Disabled ARD for now.
SETTINGS:
- All Sharing was Off.
- Firewall was set to Block All Incoming Connections.
- Home network with no other active users at time.
- Upgraded to Mavs 10.9.2 last night.
- Do not use any file sharing or remote access into Mac.
- The SSH host attempts were my old Amazon EC2 instances.
- Appears to start bitcoin app and few databases.
- Worth noting I've been having tons of various issues last few months.
Thanks.
<POB> My CommandLine prompts. XXXX on locals.
XXXXXX:~ Administrator$ export HISTTIMEFORMAT='%F %T '
XXXXXX:~ Administrator$ history
<POB> OUTPUT
1 2014-02-27 17:23:35 rm -rf ~/.Trash/*
2 2014-02-27 17:23:35 cd
3 2014-02-27 17:23:35 .
4 2014-02-27 17:23:35 ./
5 2014-02-27 17:23:35 cd
6 2014-02-27 17:23:35 lib
7 2014-02-27 17:23:35 cd/
8 2014-02-27 17:23:35
9 2014-02-27 17:23:35 ls
10 2014-02-27 17:23:35 cd downloads
11 2014-02-27 17:23:35 ls downloads
12 2014-02-27 17:23:35 ls Downloads
13 2014-02-27 17:23:35 find / -nouser -ls
14 2014-02-27 17:23:35 find /~nouser -ls
15 2014-02-27 17:23:35 ls
16 2014-02-27 17:23:35 ls /library
17 2014-02-27 17:23:35 /LaunchAgents
18 2014-02-27 17:23:35 ls /LaunchAgents
19 2014-02-27 17:23:35 ls /Automator
20 2014-02-27 17:23:35 ls /KeyChains
21 2014-02-27 17:23:35 sha
22 2014-02-27 17:23:35 toop
23 2014-02-27 17:23:35 top
24 2014-02-27 17:23:35 dscl . -list /Users UniqueID
25 2014-02-27 17:23:35 $ dscl -plist . readall /users
26 2014-02-27 17:23:35 $ dscl . readall /users
27 2014-02-27 17:23:35 $ dscl . readall /503
28 2014-02-27 17:23:35 ls/Users
29 2014-02-27 17:23:35 - dscacheutil -q group
30 2014-02-27 17:23:35 cd
31 2014-02-27 17:23:35 cd.
32 2014-02-27 17:23:35 cd .
33 2014-02-27 17:23:35 ls
34 2014-02-27 17:23:35 ifconfig
35 2014-02-27 17:23:35 ifconfig
36 2014-02-27 17:23:35 ifconfig
37 2014-02-27 17:23:35 config helper
38 2014-02-27 17:23:35 config
39 2014-02-27 17:23:35 ls
40 2014-02-27 17:23:35 ssh awsXXXX
41 2014-02-27 17:23:35 defaults write com.google.Keystone.Agent checkInterval 0
42 2014-02-27 17:23:35 exit
43 2014-02-27 17:23:35 exit
44 2014-02-27 17:23:35 /var/log/secure.log
45 2014-02-27 17:23:35 ssh awsXXXXXX
46 2014-02-27 17:23:35 exit
47 2014-02-27 17:23:35 kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
48 2014-02-27 17:23:35 sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
49 2014-02-27 17:23:35 launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
50 2014-02-27 17:23:35 ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
51 2014-02-27 17:23:35 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
52 2014-02-27 17:23:35 top
53 2014-02-27 17:23:35 ps
54 2014-02-27 17:23:35 top
55 2014-02-27 17:23:35 top
56 2014-02-27 17:23:35 top
57 2014-02-27 17:23:35 sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop
58 2014-02-27 17:23:35 man who
59 2014-02-27 17:23:35 who
60 2014-02-27 17:23:35 whoami
61 2014-02-27 17:23:35 ps -aux
62 2014-02-27 17:23:35 ps
63 2014-02-27 17:23:35 top
64 2014-02-27 17:23:35 ps -eo pid,etime
65 2014-02-27 17:23:35 top
66 ??ps aux | less
67 2014-02-27 17:23:35 pstree
68 2014-02-27 17:23:35 ps -eo euser,ruser,suser,fuser,f,comm,label
69 2014-02-27 17:23:35 pgrep
70 2014-02-27 17:23:35 pgrep remote
71 2014-02-27 17:23:35 apt-get install htop
72 2014-02-27 17:23:35 htop
73 2014-02-27 17:23:35 netstat -tulpn | grep :80
74 2014-02-27 17:23:35 ls -l /proc/635/exe
75 2014-02-27 17:23:35 swapon -a
76 2014-02-27 17:23:35 ma ps
77 2014-02-27 17:23:35 man ps
78 2014-02-27 17:23:35 man ps
79 2014-02-27 17:23:35 ps -a
80 2014-02-27 17:23:35 ps -A
81 2014-02-27 17:23:35 whoami
82 2014-02-27 17:23:35 ps -f
83 2014-02-27 17:23:35 ps -G
84 2014-02-27 17:23:35 ps -g
85 2014-02-27 17:23:35 ps -T
86 2014-02-27 17:23:35 ps-t
87 2014-02-27 17:23:35 ps -v
88 2014-02-27 17:23:35 ps start
89 2014-02-27 17:23:35 top
90 2014-02-27 17:23:35 ps
91 2014-02-27 17:23:35 users
92 2014-02-27 17:23:35 last
93 2014-02-27 17:23:35 ls /var/log/wtmp*
94 2014-02-27 17:23:35 last -f /var/log/wtmp.1
95 2014-02-27 17:23:35 last -f /var/log/wtmp.0
96 2014-02-27 17:23:35 ~/.bash_history
97 2014-02-27 17:23:35 cat ~/.bash_history
98 2014-02-27 17:23:35 ls /Automator
99 2014-02-27 17:23:35 cat Automator
100 2014-02-27 17:23:35 open ~/.bash_history
101 2014-02-27 17:23:35 dscl . readall /users
102 2014-02-27 17:23:35 ls/library
103 2014-02-27 17:23:35 cd/library
104 2014-02-27 17:23:35 cd..
105 2014-02-27 17:23:35 cd
106 2014-02-27 17:23:35 ls
107 2014-02-27 17:23:35 cd Library
108 2014-02-27 17:23:35 cd/Library
109 2014-02-27 17:23:35 ls/Automator
110 2014-02-27 17:23:35 toop
111 2014-02-27 17:23:35 top
112 2014-02-27 17:23:35 ifconfig
113 2014-02-27 17:23:35 config helper
114 2014-02-27 17:23:35 config
115 2014-02-27 17:23:35 top
116 2014-02-27 17:23:35 ps -a
117 2014-02-27 17:23:35 ps -A
118 2014-02-27 17:23:35 ps -aux
119 2014-02-27 17:23:35 ps
120 2014-02-27 17:23:35 getprocessforpid(677)
121 2014-02-27 17:23:35 man ps
122 2014-02-27 17:23:35 ps -U
123 2014-02-27 17:23:35 ps -u
124 2014-02-27 17:23:35 GetProcessPID(494)
125 2014-02-27 17:23:35 GetProcessPID() q
126 2014-02-27 17:23:35 GetProcessPID494
127 2014-02-27 17:23:35 GetProcessPID 494
128 2014-02-27 17:23:35 netstat -b
129 2014-02-27 17:23:35 top
130 2014-02-27 17:23:35 top
131 2014-02-27 17:23:35 top
132 2014-02-27 17:23:35 netstat -a
133 2014-02-27 17:23:35 netstat -a | grep vnc | grep ESTABLISHED
134 2014-02-27 17:23:35 top
135 2014-02-27 17:23:35 netstat -a
136 2014-02-27 17:23:35 top
137 2014-02-27 17:23:35 top
138 2014-02-27 17:23:35 netstat -a
139 2014-02-27 17:23:35 ps -aux
140 2014-02-27 17:23:35 netstat -a | grep vnc | grep ESTABLISHED
141 2014-02-27 17:23:35 ps -aux
142 2014-02-27 17:23:35 ps -A
143 2014-02-27 17:23:35 ps -A
144 2014-02-27 17:23:35 netstat -a | grep vnc | grep ESTABLISHED
145 2014-02-27 17:23:35 netstat -a
146 2014-02-27 17:23:35 top
147 2014-02-27 17:23:35 top
148 2014-02-27 17:23:35 netstat -a
149 2014-02-27 17:23:35 netstat -a
150 2014-02-27 17:23:35 netstat -a
151 2014-02-27 17:23:35 q
152 2014-02-27 17:23:35 top
153 2014-02-27 17:23:35 top
154 2014-02-27 17:23:35 sudo tmutil disablelocal
155 2014-02-27 17:23:35 exit
156 2014-02-27 17:23:35 top
157 2014-02-27 17:23:35 top
158 2014-02-27 17:23:35 top
159 2014-02-27 17:23:35 top
160 2014-02-27 17:23:35 top
161 2014-02-27 17:23:35 top
162 2014-02-27 17:23:35 neststat -n
163 2014-02-27 17:23:35 netstat -n
164 2014-02-27 17:23:35 netstat -n
165 2014-02-27 17:23:35 ls
166 2014-02-27 17:23:35 lsaf
167 2014-02-27 17:23:35 cd ..
168 2014-02-27 17:23:35 cd ..
169 2014-02-27 17:23:35 cd ..
170 2014-02-27 17:23:35 cd ..
171 2014-02-27 17:23:35 ls
172 2014-02-27 17:23:35 top
173 2014-02-27 17:23:35 netstat
174 2014-02-27 17:23:35 dscl . list/users
175 2014-02-27 17:23:35 cd ~
176 2014-02-27 17:23:35 dscl . list/users
177 2014-02-27 17:23:35 dscl . list /users
178 2014-02-27 17:23:35 dscl . list /groups
179 2014-02-27 17:23:35 dscl . readall /users
180 2014-02-27 17:23:35 netstat
181 2014-02-27 17:23:35 netstat
182 2014-02-27 17:23:35 whoami
183 2014-02-27 17:23:35 ls
184 2014-02-27 17:23:35 cd ..
185 2014-02-27 17:23:35 cd ..
186 2014-02-27 17:23:35 cd .
187 2014-02-27 17:23:35 cd ..
188 2014-02-27 17:23:35 ls
189 2014-02-27 17:23:35 tree
190 2014-02-27 17:23:35 cd Users
191 2014-02-27 17:23:35 ls
192 2014-02-27 17:23:35 cd Administrator
193 2014-02-27 17:23:35 ls
194 2014-02-27 17:23:35 cd ..
195 2014-02-27 17:23:35 cd ..
196 2014-02-27 17:23:35 cd ..
197 2014-02-27 17:23:35 ls
198 2014-02-27 17:23:35 cd Users
199 2014-02-27 17:23:35 ls
200 2014-02-27 17:23:35 cd Adminstrator
201 2014-02-27 17:23:35 cd Administrator
202 2014-02-27 17:23:35 ls
203 2014-02-27 17:23:35 cd Downloads
204 2014-02-27 17:23:35 ls
205 2014-02-27 17:23:35 exit
206 2014-02-27 17:23:35 whoami
207 2014-02-27 17:23:35 ls
208 2014-02-27 17:23:35 ls
209 2014-02-27 17:23:35 cd Library
210 2014-02-27 17:23:35 ls
211 2014-02-27 17:23:35 cd Application Support
212 2014-02-27 17:23:35 ls
213 2014-02-27 17:23:35 cd ..
214 2014-02-27 17:23:35 ls
215 2014-02-27 17:23:35 cd ..
216 2014-02-27 17:23:35 ls
217 2014-02-27 17:23:35 cd pXXXXXXXX
218 2014-02-27 17:23:35 ls
219 2014-02-27 17:23:35 cd Library
220 2014-02-27 17:23:35 whoami
221 2014-02-27 17:23:35 sudo - Adminsitrator
222 2014-02-27 17:23:35 ls
223 2014-02-27 17:23:35 ls
224 2014-02-27 17:23:35 sudo -
225 2014-02-27 17:23:35 more /etc/hosts
226 2014-02-27 17:23:35 scc ver
227 2014-02-27 17:23:35 scc numprofiles
228 2014-02-27 17:23:35 netstat -an |find /i "listening"
229 2014-02-27 17:23:35 netstat
230 2014-02-27 17:23:35 top
231 2014-02-27 17:23:35 kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
232 2014-02-27 17:23:35 sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
233 2014-02-27 17:23:35 launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
234 2014-02-27 17:23:35 ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
235 2014-02-27 17:23:35 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
236 2014-02-27 17:23:35 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
237 2014-02-27 17:23:35 top
238 2014-02-27 17:23:35 dscacheutil -flushcache
239 2014-02-27 17:23:35 sudo killall -HUP mDNSResponder
240 2014-02-27 17:23:35 top
241 2014-02-27 17:23:35 ./bitcoin-qt
242 2014-02-27 17:23:35 cd $home
243 2014-02-27 17:23:35 ls
244 2014-02-27 17:23:35 cd ..
245 2014-02-27 17:23:35 cd ..
246 2014-02-27 17:23:35 cd ..
247 2014-02-27 17:23:35 ls
248 2014-02-27 17:23:35 cd Applications
249 2014-02-27 17:23:35 ls
250 2014-02-27 17:23:35 ./bitcoin-qt.app
251 2014-02-27 17:23:35 top
252 2014-02-27 17:23:35 ps -420
253 2014-02-27 17:23:35 ps -9541
254 2014-02-27 17:23:35 top
255 2014-02-27 17:23:35 /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit;
256 2014-02-27 17:23:35 /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit;
257 2014-02-27 17:23:35 top
258 2014-02-27 17:23:35 ps -a (2077)
259 2014-02-27 17:23:35 ps -a2077
260 2014-02-27 17:23:35 sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
261 2014-02-27 17:23:35 top
262 2014-02-27 17:23:35 on run
263 2014-02-27 17:23:35 do shell script "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'"
264 2014-02-27 17:23:35 end run
265 2014-02-27 17:23:35 ls -ls /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp 2
266 2014-02-27 17:23:35 sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
<POB> END
MacBook Pro, OS X Mavericks (10.9.2), Potential ARD virus/rogue
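A small triage helper for reviewing a `history` dump like the one above (added example, not code from the poster or from Apple). It parses the `N YYYY-MM-DD HH:MM:SS command` lines that bash prints with HISTTIMEFORMAT set, checks whether the timestamps carry any information (when bash loads a ~/.bash_history that has no stored timestamps, every entry gets the time the shell read the file, so one identical timestamp across the whole list is the shell's start time, not when each command ran), and flags the entries a defender would want to look at first: ARDAgent/kickstart activity, AppleScript `do shell script`, and launchd load/unload changes. The sample history is constructed from a handful of lines shaped like the posted output.

```python
import re

# Constructed sample in the shape of the posted `history` output (not the full dump).
SAMPLE_HISTORY = """\
 47 2014-02-27 17:23:35 kextstat -kl | awk '!/com\\.apple/{print $6}'
 57 2014-02-27 17:23:35 sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop
 66 ??ps aux | less
 99 2014-02-27 17:23:35 cat ~/.bash_history
263 2014-02-27 17:23:35 do shell script "osascript -e 'tell app \\"ARDAgent\\" to do shell script \\"say quack\\"'"
266 2014-02-27 17:23:35 sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
"""

# bash prints "??" in place of the timestamp when an entry has none stored.
LINE_RE = re.compile(r"^\s*(\d+)\s+(?:(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})|\?\?)\s*(.*)$")

# Indicators worth a closer look on this machine: remote-management agent control,
# AppleScript-driven shell execution, and launchd persistence changes.
INDICATORS = {
    "ard_agent": re.compile(r"ARDAgent|kickstart", re.I),
    "applescript_shell": re.compile(r"do shell script", re.I),
    "launchd_change": re.compile(r"launchctl\s+(load|unload)"),
}


def parse_history(text):
    """Return a list of (entry_number, timestamp_or_None, command)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def timestamps_reliable(entries):
    """False when every stamped entry carries the same timestamp: that value is the
    time the shell loaded the history file, not when the commands were typed."""
    stamps = {ts for _, ts, _ in entries if ts}
    return len(stamps) > 1


def flag_entries(entries):
    """Return (entry_number, indicator_name, command) for each indicator hit."""
    return [(num, name, cmd)
            for num, _, cmd in entries
            for name, rx in INDICATORS.items() if rx.search(cmd)]


if __name__ == "__main__":
    parsed = parse_history(SAMPLE_HISTORY)
    print("timestamps usable:", timestamps_reliable(parsed))
    for num, name, cmd in flag_entries(parsed):
        print(f"{num:>4} [{name}] {cmd}")
```

Run it against the real dump by reading `history` output into `parse_history`; a result of `timestamps usable: False` means the times should not be used to order or date the commands.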