/Library Framework Folder? Have I Been Hacked??

My computer has been acting extremely weird the last year. I'm not a developer with a computer science degree, so it's been very difficult to diagnose what's right and what's wrong.


I've done a lot of research and I think there is a horrible Trojan that's been hidden in common files. I'll send you some examples from console after I install Microsoft Office.


I just took a look in my /library/framework folder. My computer has just been wiped and reformatted. I was wondering if all of these frameworks should be here by default.


Posted on Mar 29, 2015 2:23 PM

13 replies

Dec 2, 2017 8:53 PM in response to Kurt Lang

Incorrect, Kurt.


Sounds to me like this system has a surveillance trojan which persists after a format and reinstall by having malicious code which resides in the NVRAM and executes on every boot. It creates a Windows-based UEFI container which is hidden at the start of your drive MBR by way of offsetting the start of what you know to be your primary GPT header.


Some methods to confirm this...


Boot to single user mode and use the ‘ps’ command to view currently running processes. Then do ‘ps -u 0’ and ‘ps -u 501’ to see if there's actually a lot more processes running in an alternate ‘per user’ environment.


Check /usr/share/sandbox and see if there's a whole lot of plist files in there with the file extension changed to ‘.sb’. At first glance they appear to be normal system processes, but in fact they each contain malicious code which is infecting the system processes they're named after.


To confirm, have Activity Monitor open to watch for changes in the processes you can see running, then in Terminal run:


sudo launchctl -w /usr/share/sandbox/*.sb


Activity Monitor should have loads more visible processes now, as one of those .sb files, com.apple.sandbox.plist or com.apple.apsd.plist, had run those processes outside of a container that your user profile existed inside of before you unloaded it.


This is just the tip of the iceberg, so to the original poster, if you need more info let me know, but I'm sure by now you would have discovered who was surveilling your system. Maybe you haven't realised yet that your iOS devices are likely compromised too, and you were dead right about the keylogger, but unfortunately that's probably the least of your problems if you have in fact been infected.

Mar 29, 2015 9:32 PM in response to Allan Eckert

EtreCheck version: 2.1.8 (121)

Report generated March 29, 2015 at 10:27:11 PM MDT

Download EtreCheck from http://etresoft.com/etrecheck


Click the [Click for support] links for help with non-Apple products.

Click the [Click for details] links for more information about that line.


Hardware Information: ℹ️

MacBook Pro (Retina, 15-inch, Mid 2014) (Technical Specifications)

MacBook Pro - model: MacBookPro11,2

1 2.2 GHz Intel Core i7 CPU: 4-core

16 GB RAM Not upgradeable

BANK 0/DIMM0

8 GB DDR3 1600 MHz ok

BANK 1/DIMM0

8 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery Health: Normal - Cycle count 91


Video Information: ℹ️

Intel Iris Pro

Color LCD spdisplays_2880x1800Retina


System Software: ℹ️

OS X 10.10.2 (14C109) - Time since boot: 1:21:58


Disk Information: ℹ️

APPLE SSD SM0256F disk0 : (251 GB)

EFI (disk0s1) <not mounted> : 210 MB

Macintosh HD (disk0s2) / : 250.14 GB (233.12 GB free)

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB


USB Information: ℹ️

Apple Internal Memory Card Reader

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller

Apple Inc. Apple Internal Keyboard / Trackpad


Thunderbolt Information: ℹ️

Apple Inc. thunderbolt_bus


Gatekeeper: ℹ️

Mac App Store and identified developers


Kernel Extensions: ℹ️

/Library/Extensions

[loaded] com.sophos.kext.sav (9.2.50 - SDK 10.8) [Click for support]

[loaded] com.sophos.nke.swi (9.2.50 - SDK 10.8) [Click for support]


Launch Agents: ℹ️

[running] com.sophos.uiserver.plist [Click for support]


Launch Daemons: ℹ️

[loaded] com.microsoft.office.licensing.helper.plist [Click for support]

[running] com.sophos.common.servicemanager.plist [Click for support]


User Login Items: ℹ️

iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)


Internet Plug-ins: ℹ️

Default Browser: Version: 600 - SDK 10.10

QuickTime Plugin: Version: 7.7.3

SharePointBrowserPlugin: Version: 14.4.8 - SDK 10.6 [Click for support]


3rd Party Preference Panes: ℹ️

None


Time Machine: ℹ️

Time Machine not configured!


Top Processes by CPU: ℹ️

11% WindowServer

4% Safari

2% com.apple.WebKit.Networking

2% hidd

1% airportd


Top Processes by Memory: ℹ️

893 MB com.apple.SpeechRecognitionCore.speechrecognitiond

773 MB iTunes

189 MB SophosScanD

189 MB WindowServer

172 MB InterCheck


Virtual Memory Information: ℹ️

5.79 GB Free RAM

6.65 GB Active RAM

3.26 GB Inactive RAM

1.46 GB Wired RAM

3.49 GB Page-ins

0 B Page-outs


Diagnostics Information: ℹ️

Mar 29, 2015, 09:04:24 PM Self test - passed

Mar 29, 2015 9:36 PM in response to Allan Eckert

Let me know if this looks right. I was also suspicious of the following when looking at the startup boot volume.

Jons-MacBook-Pro:~ dude$ nvram -p

efi-boot-device-data %02%01%0c%00%d0A%03%0a%00%00%00%00%01%01%06%00%04%1c%01%01%06%00%00%00%03%12%0a%00%00%00%00%00%00%00%04%01*%00%02%00%00%00(@%06%00%00%00%00%000#.%1d%00%00%00%00%db%1a%e0xs;%f3N%99)b%c7%18%a5F%0d%02%02%7f%ff%04%00

BootCampProcessorPstates %0f%00

fmm-computer-name Jon%e2%80%99s MacBook Pro

backlight-level %bf%00

bluetoothInternalControllerInfo %89%82%ac%05%00%00%83%14l@%08%98%84%01

prev-lang:kbd en:0

SystemAudioVolumeDB %ef

efi-boot-device <array><dict><key>IOMatch</key><dict><key>IOProviderClass</key><string>IOMedia</string><key>IOPropertyMatch</key><dict><key>UUID</key><string>78E01ADB-3B73-4EF3-9929-62C718A5460D</string></dict></dict><key>BLLastBSDName</key><string>disk0s2</string></dict></array>%00

bluetoothActiveControllerInfo %89%82%ac%05%00%00%00%00%83%14l@%08%98%84%01

ALS_Data %04%96

Test_ALS_Data %01%00

SystemAudioVolume ]

LocationServicesEnabled %01

Jons-MacBook-Pro:~ dude$
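One concrete way to answer "does this look right" for the two boot variables above, as an added example written here rather than taken from the thread or from Apple: the script parses `nvram -p` output, pulls the GPT partition GUID out of the hard-drive node inside the `efi-boot-device-data` EFI device path, and checks that it agrees with the GUID named in the `efi-boot-device` plist and with the partition you expect to boot from. The sample text is constructed from the output quoted above, and the expected GUID is assumed to be the "Disk / Partition UUID" that `diskutil info disk0s2` reports for the startup volume.

```python
import plistlib
import re
import struct
import uuid
from urllib.parse import unquote_to_bytes
# Constructed sample in the shape of the `nvram -p` output quoted in the thread
# (only the variables this check needs; wrap spaces inside values removed).
SAMPLE_NVRAM = """\
efi-boot-device-data %02%01%0c%00%d0A%03%0a%00%00%00%00%01%01%06%00%04%1c%01%01%06%00%00%00%03%12%0a%00%00%00%00%00%00%00%04%01*%00%02%00%00%00(@%06%00%00%00%00%000#.%1d%00%00%00%00%db%1a%e0xs;%f3N%99)b%c7%18%a5F%0d%02%02%7f%ff%04%00
fmm-computer-name Jon%e2%80%99s MacBook Pro
efi-boot-device <array><dict><key>IOMatch</key><dict><key>IOProviderClass</key><string>IOMedia</string><key>IOPropertyMatch</key><dict><key>UUID</key><string>78E01ADB-3B73-4EF3-9929-62C718A5460D</string></dict></dict><key>BLLastBSDName</key><string>disk0s2</string></dict></array>%00
LocationServicesEnabled %01
"""

def parse_nvram(text):
    """Map variable name -> raw bytes; nvram -p prints non-printable bytes as %xx."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(.*)", line)
        if m:
            out[m.group(1)] = unquote_to_bytes(m.group(2))
    return out

def boot_signature_guid(path):
    """Return the GPT GUID from the hard-drive node (type 4, subtype 1, sig type 2) of an EFI device path."""
    off = 0
    while off + 4 <= len(path):
        ntype, subtype, length = struct.unpack_from("<BBH", path, off)
        if ntype == 0x7F or length < 4:      # end-of-path node, or malformed length
            return None
        if ntype == 4 and subtype == 1 and length == 42 and off + 42 <= len(path):
            _, _, _, sig, _, sigtype = struct.unpack_from("<IQQ16sBB", path, off + 4)
            if sigtype == 2:
                return uuid.UUID(bytes_le=sig)  # EFI stores the GUID little-endian
        off += length
    return None

def boot_device_from_plist(raw):
    """efi-boot-device is a NUL-terminated XML plist fragment: returns (GUID, BSD name)."""
    entry = plistlib.loads(b'<plist version="1.0">' + raw.rstrip(b"\x00") + b"</plist>")[0]
    return uuid.UUID(entry["IOMatch"]["IOPropertyMatch"]["UUID"]), entry["BLLastBSDName"]

def check_boot_device(text, expected_uuid):
    """True only if the plist, the device path and the expected GUID all agree."""
    v = parse_nvram(text)
    plist_guid, bsd = boot_device_from_plist(v["efi-boot-device"])
    path_guid = boot_signature_guid(v["efi-boot-device-data"])
    ok = plist_guid == path_guid == uuid.UUID(expected_uuid)
    return ok, str(plist_guid).upper(), bsd
```

On a live machine, feed it the real output (`nvram -p`) and the GUID from `diskutil info` for the startup volume; a mismatch between the three values is worth investigating, while agreement means the firmware boot selection simply points at your normal Macintosh HD partition.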
