
Q: System hacked - found terminal application open...

I opened up one of my OS X laptops today and found a terminal window randomly opened with a ping running in the background for over 12000 lines.

 

Running a command history list, this is what was output.  I'm pretty sure I didn't run anything from the point where it starts looking under my Library directory?

Can any of you piece together what they were trying to do, and whether they took anything -- more importantly how can I secure my computer going forward?

I already have the Firewall and Stealth mode on, but this happened anyway??

 

Command History:

traceroute <my old website edited out>
traceroute 205.188.91.95
traceroute 121.122.194.9
sudo rm /usr/local/mysql
sudo rm -rf /usr/local/mysql*
sudo rm -rf /Library/StartupItems/MySQLCOM
sudo rm -rf /Library/PreferencePanes/My*
sudo rm -rf ~/Library/PreferencePanes/My*
sudo rm -rf /Library/Receipts/mysql*
sudo rm -rf /Library/Receipts/MySQL*
cd /
pico etc/hostconfig
pico etc/hostconfig
cd /etc
ls
ls -al
ls -al hostconfig
chmod 777 hostconfig
su
su
sudo chmod 777 hostconfig
pico hostconfig
sudo chmod 644 hostconfig
ls -al hostconfig
exit
cd /
ls
cd Library               <---  This is where I think the rogue commands/terminal started??
ls
cd Mail
cd /
ls
cd Users
ls
cd Lumaerinor
ls
cd Library
ls
cd Mail
ls
cd V2
ls
ls -al
du -sh *
ls -al
du -sh *
cd
ls
cd Library
cd Application Support
ls
cd "Application Support"
ls
cd iCal
ls
cd iCloud
ls
cd Accounts
ls
cd <my email address edited out>
ls -al
cd ..
ls
cd ..
ls
cd ..
ls
cd Calendars
ls
ls -al
du -sh *
exit
sudo apachectl stop
man kdc
cd ~/Library/Application Support/
ls
cd
cd ~/Library/
ls
cd "Application Support"
ls
cd Firefox
ls
cd Profiles
ls
cd ..
ls
cd ..
ls
cd Mozilla
ls
cd Extensions
ls
cd {*
ls
rm *
cd 2*
ls
rm *
cd ..
ls
cd 2*
ls
clear
ls
cd chrome
ls
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd ..
ls
cd /usr/lib/
ls
ls libimckit
ls libimckit*
ls libim*
exit
ls -al /var/log/*.out
cd /var/log
ls
ls *.out
cat daily.out
ls *.out
ls -al *.out
cd ~/
ls
cd Library/Safari/Extensions
ls
ls -al
cat Extensions.plist
pico Extensions.plist
cat Extensions.plist
exit                                             <-- This is where I closed the session immediately after I found it then started scrolling commands backward and deleting ext?
cat Extensions.plist
ls libimckit*
ls libimckit* -al
ls libimckit* -a
ls libimckit* -r
ls *libimckit* -r
ls *libimckit* -R
ls *libimckit* -A
ls *libimckit* -a
ls -a
ls
cat Extensions.plist
ls -al
rm KeithyFun.safariextz          <--  I don't run any extensions in safari at all so I deleted these two
rm Searchme.safariextz
ls
ls -al
cd ..
ls
cd ..
ls
cd ..
ls
exit
finger
exit

MacBook Air (11-inch Mid 2011), OS X Yosemite (10.10)

Posted on Aug 12, 2015 1:36 PM
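As an added example (not part of the original post, and not a tool anyone in the thread used), the script below is a small triage helper for a shell history of the kind posted above: it flags the lines that delete files, loosen permissions, escalate privilege or open an editor, and lists the directories the session moved through, which is the shape of the review the replies below do by hand. The history excerpt it runs on is constructed for the demo; on a Mac you would pipe in the real history file instead.

```shell
#!/bin/sh
# Added example: triage a shell history like the one posted above. Not code from the
# thread; the sample below is a constructed excerpt in the same shape as the posted history.

SAMPLE_HISTORY="$(cat <<'EOF'
traceroute 205.188.91.95
sudo rm -rf /usr/local/mysql*
cd /etc
chmod 777 hostconfig
sudo chmod 644 hostconfig
cd ~/Library/Application Support/Firefox
rm *
du -sh *
ls libimckit*
pico Extensions.plist
rm KeithyFun.safariextz
EOF
)"

# Print each history line that deletes files, loosens permissions, escalates privilege
# or opens an editor, prefixed with its position in the history and the reason.
flag_risky() {
    awk '
    {
        tag = ""
        cmd = $1
        if (cmd == "sudo" || cmd == "su") { tag = tag "priv "; cmd = $2 }
        if (cmd == "rm") tag = tag "delete "
        if (cmd == "chmod" && index($0, " 777 ") > 0) tag = tag "perm "
        if (cmd == "pico" || cmd == "nano" || cmd == "vi" || cmd == "vim") tag = tag "edit "
        if (tag != "") printf "%4d  [%s] %s\n", NR, substr(tag, 1, length(tag) - 1), $0
    }'
}

# Number of flagged lines, as a quick severity indicator.
count_risky() {
    flag_risky | wc -l | tr -d ' '
}

# Directories entered with cd, in first-seen order; a bare "cd" means the home directory.
visited_dirs() {
    awk '$1 == "cd" {
        target = $0
        sub(/^cd[ \t]*/, "", target)
        if (target == "") target = "~"
        if (!seen[target]++) print target
    }'
}

# Full report for a history read on stdin (buffered once so both passes see it).
triage_history() {
    hist="$(cat)"
    echo "== risky commands =="
    printf '%s\n' "$hist" | flag_risky
    echo "== directories visited =="
    printf '%s\n' "$hist" | visited_dirs
}

# Demo on the constructed sample; on a Mac, pipe in the real file instead:
#   triage_history < ~/.bash_history
printf '%s\n' "$SAMPLE_HISTORY" | triage_history
```

The tags are deliberately coarse: the point is to pull a few hundred lines down to the handful that changed the system, so the full history can then be read around those lines.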

  • by JABL76MBA, Level 1 (0 points), Aug 12, 2015 1:41 PM in response to JABL76MBA

    This is the contents of my extensions.plist file -- I want to clean it up but not sure if it will prevent safari from working?

    Like I said in the prior msg I already deleted the KeithyFun file...

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Available Updates</key>
        <dict>
            <key>Last Update Check Time</key>
            <real>418586019.14372599</real>
            <key>Updates List</key>
            <array/>
        </dict>
        <key>Installed Extensions</key>
        <array>
            <dict>
                <key>Added Non-Default Toolbar Items</key>
                <array/>
                <key>Archive File Name</key>
                <string>KeithyFun.safariextz</string>
                <key>Bundle Directory Name</key>
                <string>KeithyFun.safariextension</string>
                <key>Enabled</key>
                <true/>
                <key>Hidden Bars</key>
                <array/>
                <key>Removed Default Toolbar Items</key>
                <array/>
            </dict>
        </array>
        <key>Version</key>
        <integer>1</integer>
    </dict>
    </plist>

  • by OSX Enthusiast, Level 2 (176 points), Aug 12, 2015 3:42 PM in response to JABL76MBA

    Restore from a backup before you were hacked (if you have one): OS X Yosemite: Recover your entire system

     

    Change your computer's password and your iCloud password. Make it a secure password meaning at least eight characters long, does not have your real name, has uppercase letters, lowercase letters, and numbers, etc.

     

    Here are some more Apple support articles that may help secure your Mac:

     

    Use a firmware password on your Mac - Apple Support

     

    Optionally: OS X Yosemite: About FileVault encryption

  • by JABL76MBA, Level 1 (0 points), Aug 12, 2015 3:49 PM in response to OSX Enthusiast

    Thanks, I am going to do a clean reinstall of OS X, but I wanted to make sure how they got in in the first place if I have firewall up and stealth mode on.  I've never heard of someone loading up terminal on OS X from a possible web site visit?

  • by cdhw, Level 4 (2,653 points), Servers Enterprise, Aug 12, 2015 5:42 PM in response to JABL76MBA

    Strange kind of hacker. They appear to have been trying to remove the "Genieo" malware from your machine for you.

     

    C.

  • by JABL76MBA, Level 1 (0 points), Aug 12, 2015 5:46 PM in response to cdhw

    Is that what he did under Firefox?

     

    Any idea what libimckit is and what daily.out does, by any chance?

  • by OSX Enthusiast (Helpful), Level 2 (176 points), Aug 13, 2015 6:15 AM in response to JABL76MBA

    The daily.out file (as far as I know) is a maintenance script executed daily by your computer.

  • by JimmyCMPIT, Level 5 (7,491 points), Mac OS X, Aug 13, 2015 6:48 AM in response to JABL76MBA

    I've not encountered or heard of any website that allows a hacker to gain entry to your mac, possibly in a lab but not in the wild. I've heard unsubstantiated rumors of it but nothing to say it's been accomplished by anyone outside of a test environment or theoretical.

    A more likely possibility is:

    a) you ran something locally, and it opened Terminal.

    b) someone else has been on your computer, either by a terminal client (ARD, VNC, TeamViewer, LogMeIn, etc.) that is enabled on the host machine, or they walked up and sat down at your keyboard.

    c) you have some form of narcolepsy that you're not aware of.

     

    If not you, I'm going with option b), so is there another person who would have access to your computer while it's on?

  • by Barney-15E, Level 9 (50,082 points), Mac OS X, Aug 13, 2015 7:08 AM in response to JABL76MBA

    In addition to Jimmy's theories, if someone actually "hacked" into your Mac from the Internet, there would be no need to open the Terminal to do what they did.

    I agree it is more likely someone sat down at your Mac and did what they did.

     

    I have no idea where libimckit lives, but it must be some form of folder as the "hacker" was trying to list the contents of it.

    ls is List to show the contents of a directory.

     

    From the name, it is likely some library supporting Instant Messaging.

  • by cdhw, Level 4 (2,653 points), Servers Enterprise, Aug 13, 2015 7:39 AM in response to Barney-15E

    /usr/lib/libimckit is not a standard part of OS X and should not be present; some variants of Genieo install it, which is what whoever typed those commands at the console was checking for.

    http://www.macissues.com/2014/04/23/how-to-detect-and-remove-genieo-for-mac/

    You will note that they are checking the size of the mail folders, and are working through the usual suspects for 'my Mac is slow' problems. They found something in Extensions.plist that they didn't like the look of, edited it, then checked the results. I'm not sure why they didn't remove KeithyFun, perhaps they didn't recognise it:

    http://malware-tips.com/keithy-fun-safari-removal/

     

    Anyway, the sample of commands highlighted is of someone attempting a manual clean-up of adware and/or malware.

     

    C.
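The reply above reduces the session to a small set of artefacts worth checking: the non-standard /usr/lib/libimckit library and the extension archives registered in Safari's Extensions.plist. As an added example (not code from the thread or from any tool named in it), the script below checks exactly those locations. It takes a system root and a home directory as arguments so it can be pointed at a mounted volume as well as the live system, and it parses the plist with awk rather than plutil so the parse also works off-box; the sample plist it demonstrates on is constructed in the same shape as the one posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: check a Mac (or a mounted volume) for the
# artefacts discussed above: the non-standard /usr/lib/libimckit* library and Safari
# extension archives registered in Extensions.plist. Paths are taken from the thread;
# the sample plist below is constructed in the same shape as the one posted.

SAMPLE_PLIST="$(cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Installed Extensions</key>
  <array>
    <dict>
      <key>Archive File Name</key>
      <string>KeithyFun.safariextz</string>
      <key>Bundle Directory Name</key>
      <string>KeithyFun.safariextension</string>
      <key>Enabled</key>
      <true/>
    </dict>
  </array>
</dict>
</plist>
EOF
)"

# Print the archive file name of every extension registered in a Safari Extensions.plist.
# Uses awk rather than plutil so it also works on a volume mounted on another system.
list_safari_extensions() {
    awk '
        /<key>Archive File Name<\/key>/ { want = 1; next }
        want && /<string>/ {
            s = $0
            sub(/.*<string>/, "", s)
            sub(/<\/string>.*/, "", s)
            print s
            want = 0
        }' "$1"
}

# Report indicators under a system root ($1, "" or "/" for the live system) and a
# home directory ($2). One line per finding; prints nothing on a clean system.
check_indicators() {
    root="${1%/}"
    home="${2%/}"
    for f in "$root"/usr/lib/libimckit*; do
        if [ -e "$f" ]; then echo "library: $f"; fi
    done
    for f in "$home"/Library/Safari/Extensions/*.safariextz; do
        if [ -e "$f" ]; then echo "safari archive: $f"; fi
    done
    plist="$home/Library/Safari/Extensions/Extensions.plist"
    if [ -f "$plist" ]; then
        list_safari_extensions "$plist" | sed 's/^/safari plist entry: /'
    fi
    return 0
}

# Demo: parse the constructed plist, then scan the live system and current home.
tmp="$(mktemp)"
printf '%s\n' "$SAMPLE_PLIST" > "$tmp"
echo "extensions in sample plist:"
list_safari_extensions "$tmp"
rm -f "$tmp"
echo "indicators on this system:"
check_indicators / "$HOME"
```

A plist entry with no matching .safariextz on disk (or the reverse) is itself worth noting: it is the state the original poster ended up in after deleting the archives by hand while the plist still listed them.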

  • by JABL76MBA, Level 1 (0 points), Aug 13, 2015 11:55 AM in response to JimmyCMPIT

    I recognize the commands run at the beginning and at the very end, but I'm not the most unix-fluent person out there.  I know for a fact I didn't run "du" and I certainly have never used chrome so I would never look for that.

     

    I think they added KeithyFun and the search one, based on the use of pico, since like I said, I never use extensions.  Part of the reason I switched to a pure Mac environment was that I was tired of having to maintain Internet Explorer's constant security holes.

     

    I haven't enabled Remote Desktop on my Macbook Air so I'm still at a loss on how to prevent this from happening again in the future.

    I only use this Air for resumes and media/iTunes playback; it's not my primary machine.

  • by JABL76MBA, Level 1 (0 points), Aug 13, 2015 11:56 AM in response to cdhw

    Does EtreCheck do anything like this automatically?  I thought it only analyzes the current state of an OS X system, but it doesn't take any action?

    That's the only tool I can think of that I have installed that may have run something like this...

  • by OSX Enthusiast, Level 2 (176 points), Aug 13, 2015 12:26 PM in response to JABL76MBA

    For more security, make sure that you have these settings in the Security and Privacy preference pane:

     

    1. Disabled automatic login

    2. Require your password immediately after sleep begins

    3. Have your Firewall enabled

     

    Also note that anyone with time and physical access to your computer can reset your password via Recovery HD if you do not have a firmware password set.

     

    EtreCheck is not malicious software, but make sure you got it from etresoft's official website (http://www.etresoft.com/).

  • by JABL76MBA, Level 1 (0 points), Aug 13, 2015 3:44 PM in response to OSX Enthusiast

    I have all of those enabled by default, including FileVault, which is why this is even more confusing.

     

    My primary concern is clarifying all possible ways this could have happened so I can prevent it in the future.

    My WiFi password is b/w 32-64 characters long, and now I'm wondering if I should apply the same with OS X.

     

    It sounds extremely unlikely it could have been remotely triggered via a website, but I'm not 100% certain.  It's doubtful that someone did this on my laptop unless they broke into my home, and there's no evidence that someone would do that just to edit a few laptop cfg files.  My reading of what the person did, line by line, is that they were poking around and checking what apps were on the drive (Chrome, etc.) but only possibly editing the extensions directory of Safari after finding no other apps they could exploit?

  • by JABL76MBA, Level 1 (0 points), Aug 13, 2015 3:45 PM in response to OSX Enthusiast

    And yeah, I got etresoft directly from their website...
