
_mdnsresponder Overloading Memory?? Hacked?

Has anyone experienced _mdnsresponder suddenly going nuts and using 5GB+ of Memory?


I'm trying to determine if I've been hacked. I went to a web site I normally visit and got a pop-up window requiring me to click ok to install some garbage to continue and so I shut down Safari immediately instead.


Next time I put my MBP to sleep, and then when I woke it up, _mdnsresponder was eating up more than 5GB+ of memory and slowing my entire system to a crawl. It finally finished reduced back to 5GB+ of memory at which point I restarted my machine and it went back to a normal 60 MB. But I'm worried about what my machine was susceptible to when it was asleep. It wasn't slowing down at all when it was awake before I put it to sleep.


Anyone know if there are known hacks that manipulate _mdnsresponder??


Thanks!!

MacBook Pro with Retina display, OS X Yosemite (10.10.1)

Posted on Jan 31, 2015 10:29 AM

19 replies

Jan 31, 2015 10:39 AM in response to jablocanas

That particular process is part of OS X. However, you very likely installed something you shouldn't have. Any site that insists you need to install a codec, a fake Flash Player, or anything else that comes directly from that site is a virtual certainty to be malware of some sort. Less dangerously, adware.


It's hard to say what may be running. It could be a keylogger, a back door - who knows.


Download and run EtreCheck. This software is written by user etresoft, who is a member of these forums. Only download it directly from his site, which is where my link goes. Run the software, and then copy/paste the results into a new post.

Jan 31, 2015 11:35 AM in response to Kurt Lang

Thanks. Is it possible to still get the malware if I didn't click the ok button? That's why I quit Safari immediately. Still, here is the output of Etresoft. Like I said, since I restarted, there seems to be no misbehavior, but just want to make sure there's nothing running in the background...


---


EtreCheck version: 2.1.7 (114)

Report generated January 31, 2015 at 11:31:41 AM PST

Download EtreCheck from http://etresoft.com/etrecheck


Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Click the [Adware] links for help removing adware.


Hardware Information: ℹ️

MacBook Pro (Retina, 15-inch, Late 2013) (Technical Specifications)

MacBook Pro - model: MacBookPro11,2

1 2 GHz Intel Core i7 CPU: 4-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1600 MHz ok

BANK 1/DIMM0

4 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery Health: Normal - Cycle count 32


Video Information: ℹ️

Intel Iris Pro

Color LCD spdisplays_2880x1800Retina


System Software: ℹ️

OS X 10.10.1 (14B25) - Time since boot: 1:42:0


Disk Information: ℹ️

APPLE SSD SM0256F disk0 : (251 GB)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

OSX - ZYGUR (disk1) / : 249.80 GB (99.33 GB free)

Encrypted AES-XTS Unlocked

Core Storage: disk0s2 250.14 GB Online


USB Information: ℹ️

Apple Internal Memory Card Reader

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: ℹ️

Apple Inc. thunderbolt_bus


Gatekeeper: ℹ️

Mac App Store and identified developers


Kernel Extensions: ℹ️

/Applications/Parallels Desktop.app

[not loaded] com.parallels.kext.hidhook (9.0 24251.1052177) [Support]

[not loaded] com.parallels.kext.hypervisor (9.0 24251.1052177) [Support]

[not loaded] com.parallels.kext.netbridge (9.0 24251.1052177) [Support]

[not loaded] com.parallels.kext.usbconnect (9.0 24251.1052177) [Support]

[not loaded] com.parallels.kext.vnic (9.0 24251.1052177) [Support]


Startup Items: ℹ️

HP IO: Path: /Library/StartupItems/HP IO

Startup items are obsolete in OS X Yosemite


Problem System Launch Agents: ℹ️

[killed] com.apple.AirPlayUIAgent.plist

[killed] com.apple.bird.plist

[killed] com.apple.CallHistoryPluginHelper.plist

[killed] com.apple.CallHistorySyncHelper.plist

[killed] com.apple.cmfsyncagent.plist

[killed] com.apple.coreservices.appleid.authentication.plist

[killed] com.apple.icloud.fmfd.plist

[killed] com.apple.pluginkit.pkd.plist

[killed] com.apple.printtool.agent.plist

[killed] com.apple.recentsd.plist

[killed] com.apple.sbd.plist

[killed] com.apple.scopedbookmarkagent.xpc.plist

[killed] com.apple.security.cloudkeychainproxy.plist

[killed] com.apple.spindump_agent.plist

[killed] com.apple.telephonyutilities.callservicesd.plist

15 processes killed due to memory pressure


Problem System Launch Daemons: ℹ️

[killed] com.apple.awdd.plist

[killed] com.apple.ctkd.plist

[killed] com.apple.icloud.findmydeviced.plist

[killed] com.apple.ifdreader.plist

[killed] com.apple.nehelper.plist

[killed] com.apple.softwareupdated.plist

[killed] com.apple.spindump.plist

[killed] com.apple.tccd.system.plist

[killed] com.apple.wdhelper.plist

9 processes killed due to memory pressure


Launch Daemons: ℹ️

[loaded] com.adobe.fpsaud.plist [Support]


User Launch Agents: ℹ️

[loaded] com.google.keystone.agent.plist [Support]

[loaded] com.valvesoftware.steamclean.plist [Support]


User Login Items: ℹ️

Steam Application (/Applications/Steam.app)

iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)


Internet Plug-ins: ℹ️

FlashPlayer-10.6: Version: 16.0.0.296 - SDK 10.6 [Support]

Flash Player: Version: 16.0.0.296 - SDK 10.6 [Support]

QuickTime Plugin: Version: 7.7.3

JavaAppletPlugin: Version: 15.0.0 - SDK 10.10 Check version

Default Browser: Version: 600 - SDK 10.10


User internet Plug-ins: ℹ️

WebEx64: Version: 1.0 - SDK 10.6 [Support]


Safari Extensions: ℹ️

OpenIE [Installed]


3rd Party Preference Panes: ℹ️

Flash Player [Support]


Time Machine: ℹ️

Auto backup: YES

Volumes being backed up:

OSX - ZYGUR: Disk size: 249.80 GB Disk used: 150.48 GB

Destinations:

Data [Network]

Total size: 2.00 TB

Total number of backups: 64

Oldest backup: 2014-04-07 02:42:40 +0000

Last backup: 2015-01-30 20:54:51 +0000

Size of backup disk: Excellent

Backup size 2.00 TB > (Disk size 249.80 GB X 3)


Top Processes by CPU: ℹ️

11% WindowServer

11% com.apple.WebKit.Plugin.64

3% Activity Monitor

2% Safari

2% sysmond


Top Processes by Memory: ℹ️

146 MB Safari

77 MB Microsoft Excel

77 MB com.apple.WebKit.Plugin.64

77 MB WindowServer

52 MB Dock


Virtual Memory Information: ℹ️

74 MB Free RAM

2.12 GB Active RAM

2.06 GB Inactive RAM

1.30 GB Wired RAM

7.95 GB Page-ins

1.37 GB Page-outs


Diagnostics Information: ℹ️

Jan 31, 2015, 10:03:26 AM /Library/Logs/DiagnosticReports/Microsoft Word_2015-01-31-100326_[redacted].hang

Jan 31, 2015, 09:50:16 AM Self test - passed

Jan 31, 2015 12:14 PM in response to jablocanas

Even without clicking Okay, you ran across a site which installed the Flashback Trojan. It's the only known drive-by infection that can happen to a Mac, and that requires having Java (not JavaScript) enabled in the web browser.


So two things.


1) Open the System Preferences and click on the Java icon. I'm assuming you have Oracle's Java 7 or 8 installed. Click on the Security tab and uncheck the box for enabling Java content in your browser. Never turn it back on unless you need Java running for a particular, trusted web site. In such a case, turn Java on right before entering the site, and then immediately turn it back off when done.


2) Download Apple's tool for removing Flashback.

Jan 31, 2015 12:33 PM in response to jablocanas

Java likely isn't installed, then. Did the tool say it found anything? If not, then the more I read on valvesoftware.steamclean, the less I think it has anything to do with Flashback. Especially since Apple patched the OS against it over two years ago. It shouldn't even be able to install.


Other than that, you seem to be running a very clean system compared to many other EtreCheck reports we see here where the user has every crummy third party plug-in available on their Mac.


Have you tried simply restarting the Mac? It could just be a runaway process.

Jan 31, 2015 12:37 PM in response to Kurt Lang

Yeah, I restarted and since then it's been back to a normal 65MB worth of memory. But I'm keeping the Activity Monitor open for a while to make sure if it spikes again. I run a pretty clean system on this machine, like you said, but that happening right after the pop-up was enough of a weird occurrence for me to double check everything.


Thanks again for your help!
