Mac – Need help understanding script running at startup? "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'"

chrome-extensions, mac, remote control, remote desktop, ssh

STEPS TAKEN

  1. Logged into Mac this morning
  2. Noticed activity and files generated I did not initiate
  3. Ran bash history. Attached output below

SETTINGS

  1. All Sharing was Off
  2. Do not use any file sharing or remote access
  3. Firewall was set to Block All Incoming Connections
  4. Home network with no other active users at time
  5. Upgraded to Mavs 10.9.2 yesterday

Per this posting, disabled SUID in ARDAgent with:

sudo chmod u-s \
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Need help determining if it's a rogue process, ignorable, or something which requires more actions on my end


    Administrator$ history
    1 rm -rf ~/.Trash/*
    2  cd
    3  .
    4  ./
    5  cd 
    6  lib
    7  cd/
    8    
    9  ls
   10  cd downloads
   11  ls downloads
   12  ls Downloads
   13  find / -nouser -ls
   14  find /~nouser -ls
   15  ls
   16  ls /library
   17  /LaunchAgents
   18  ls /LaunchAgents
   19  ls /Automator
   20  ls /KeyChains
   21  sha
   22  toop
   23  top
   24  dscl . -list /Users UniqueID
   25  $ dscl -plist . readall /users
   26  $ dscl . readall /users
   27  $ dscl . readall /503
   28  ls/Users
   29  - dscacheutil -q group
   30  cd
   31  cd.
   32  cd .
   33  ls
   34  ifconfig
   35  ifconfig
   36  ifconfig
   37  config helper
   38  config
   39  ls
   40  ssh XXXXXX
   41  defaults write com.google.Keystone.Agent checkInterval 0
   42  exit
   43  exit
   44  /var/log/secure.log
   45  ssh XXXXXX
   46  exit
   47  kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
   48  sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
   49  launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
   50  ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
   51  osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
   52  top
   53  ps
   54  top
   55  top
   56  top
   57  sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop
   58  man who
   59  who
   60  whoami
   61  ps -aux
   62  ps
   63  top
   64  ps -eo pid,etime
   65  top
   66  ps aux | less
   67  pstree
   68  ps -eo euser,ruser,suser,fuser,f,comm,label
   69  pgrep
   70  pgrep remote
   71  apt-get install htop
   72  htop
   73  netstat -tulpn | grep :80
   74  ls -l /proc/635/exe
   75  swapon  -a
   76  ma ps
   77  man ps
   78  man ps
   79  ps -a
   80  ps -A
   81  whoami
   82  ps -f
   83  ps -G
   84  ps -g
   85  ps -T
   86  ps-t
   87  ps -v
   88  ps start
   89  top
   90  ps
   91  users
   92  last
   93  ls /var/log/wtmp*
   94  last -f /var/log/wtmp.1
   95  last -f /var/log/wtmp.0
   96  ~/.bash_history
   97  cat ~/.bash_history
   98  ls /Automator
   99  cat Automator
  100  open ~/.bash_history
  101  dscl . readall /users
  102  ls/library
  103  cd/library
  104  cd..
  105  cd
  106  ls
  107  cd Library
  108  cd/Library
  109  ls/Automator
  110  toop
  111  top
  112  ifconfig
  113  config helper
  114  config
  115  top
  116  ps -a
  117  ps -A
  118  ps -aux
  119  ps
  120  getprocessforpid(677)
  121  man ps
  122  ps -U
  123  ps -u
  124  GetProcessPID(494)
  125  GetProcessPID() q
  126  GetProcessPID494
  127  GetProcessPID 494
  128  netstat -b
  129  top
  130  top
  131  top
  132  netstat -a
  133  netstat -a | grep vnc | grep ESTABLISHED
  134  top
  135  netstat -a
  136  top
  137  top
  138  netstat -a
  139  ps -aux
  140  netstat -a | grep vnc | grep ESTABLISHED
  141  ps -aux
  142  ps -A
  143  ps -A
  144  netstat -a | grep vnc | grep ESTABLISHED
  145  netstat -a
  146  top
  147  top
  148  netstat -a
  149  netstat -a
  150  netstat -a
  151  q
  152  top
  153  top
  154  sudo tmutil disablelocal
  155  exit
  156  top
  157  top
  158  top
  159  top
  160  top
  161  top
  162  neststat -n
  163  netstat -n
  164  netstat -n
  165  ls
  166  lsaf
  167  cd ..
  168  cd ..
  169  cd ..
  170  cd ..
  171  ls
  172  top
  173  netstat
  174  dscl . list/users
  175  cd ~
  176  dscl . list/users
  177  dscl . list /users
  178  dscl . list /groups
  179  dscl . readall /users
  180  netstat
  181  netstat
  182  whoami
  183  ls
  184  cd ..
  185  cd ..
  186  cd .
  187  cd ..
  188  ls
  189  tree
  190  cd Users
  191  ls
  192  cd Administrator
  193  ls
  194  cd ..
  195  cd ..
  196  cd ..
  197  ls
  198  cd Users
  199  ls
  200  cd Adminstrator
  201  cd Administrator
  202  ls
  203  cd Downloads
  204  ls
  205  exit
  206  whoami
  207  ls
  208  ls
  209  cd Library
  210  ls
  211  cd Application Support
  212  ls
  213  cd ..
  214  ls
  215  cd ..
  216  ls
  217  cd peterobrien
  218  ls
  219  cd Library
  220  whoami
  221  sudo - Adminsitrator
  222  ls
  223  ls
  224  sudo -
  225  more /etc/hosts
  226  scc ver
  227  scc numprofiles
  228  netstat -an |find /i "listening"
  229  netstat
  230  top
  231  kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
  232  sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
  233  launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
  234  ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
  235  osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
  236  osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
  237  top
  238  dscacheutil -flushcache
  239  sudo killall -HUP mDNSResponder
  240  top
  241  ./bitcoin-qt
  242  cd $home
  243  ls
  244  cd ..
  245  cd ..
  246  cd ..
  247  ls
  248  cd Applications
  249  ls
  250  ./bitcoin-qt.app
  251  top
  252  ps -420
  253  ps -9541
  254  top
  255  /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit;
  256  /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit;
  257  top
  258  ps -a (2077)
  259  ps -a2077
  260  sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
  261  top
  262  on run
  263  do shell script "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'"
  264  end run
  265  ls -ls /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp 2
  266  sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

END

Best Answer

It seems your Mac has been compromised (at the time of your writing) in order to mine bitcoins (./bitcoin-qt.app), probably by using an ARDAgent exploit or similar. The posted commands are quite advanced; however, plenty of them are copy & paste commands, which indicates some pseudo-hacker (with actually little knowledge) who is trying to install a trojan on your system.

Find the explanation for history commands below:

  • 1: It removes files from Trash. Maybe clearing some evidence after downloading something.
  • 2-12: Accessing the Downloads folder with a bit of trouble. Half of these commands are mis-typed, so maybe the person was in a hurry or stressed out.
  • 13-14: Finding all files which belong to an unknown user (for an unknown reason).
  • 15-20: Struggling to access your passwords in KeyChains, but most of the commands are mis-typed. This indicates very little knowledge of how to use the basic shell commands. It seems he tries to access folders such as /Library/LaunchAgents, /Library/Automator, /Library/Keychains, but fails.
  • 21: There is no command sha.
  • 22-23: Struggling to see your processes.
  • 24-29: Struggling to check all the system users; however, the shell prompt present in 25-27 indicates that these commands were copied and pasted from some hack tutorial.
  • 34-39: Checking network configuration.
  • 41: Disabling auto updates for Google apps.
  • 40, 45: Logging in to a remote host.
  • 47: Checking your non-Apple kernel extensions.
  • 48-49: Checking your non-Apple loaded jobs. Repeating the same command without sudo could indicate that the user didn't have root access.
  • 51: Checking startup items.
  • 57: Disabling remote desktop agent. Why?
  • 71-72: How did he manage to install htop using apt-get on OS X? I don't know.
  • 73-164: Checking processes, what's listening on port 80 and the history of last logins.
  • 165-225: Checking your users and files again.
  • 228: Indicates the person is from a Windows background, as the parameter /i is invalid.
  • 226-237: Repeating the same things over and over again.
  • 238-480: Clearing DNS caches.
  • 241-259: Running Bitcoin client.
  • 263-264: Pasting code into wrong window. It should be actually:

    osascript -e 'tell app "ARDAgent" to do shell script "say quack"'
    

    Which, on a successful run of ARDAgent, would run the command say quack, which basically says "quack" out loud. This is supposed to test whether ARDAgent is vulnerable to the attack, but testing by using Speech Synthesis is the worst thing a hacker can do, because the user will hear it and figure out that something is wrong.

  • 265: Testing if check_afp is vulnerable by having SUID flag.

Your action was correct by disabling SUID for ARDAgent. When you run Disk Utility and Repair Permissions, it will automatically restore the right permissions (including ARDAgent), unless it has been modified. The other thing is to keep your system up-to-date and monitor logs and history more frequently.
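An added example, not code from the question or the answer above: a small POSIX sh triage helper for the two things this thread turns on, the setuid bit on ARDAgent / check_afp (items 57 and 265 in the history, and the chmod u-s the asker ran) and scanning a shell history for lines worth a second look. The two binary paths are the ones named on the page; the function names (suid_set, flag_history, count_flags), the indicator list and the sample history are my own constructions for illustration, and on a non-Mac host the two binaries are simply reported as missing.

```shell
#!/bin/sh
# Added example (not from the question or the answer): post-incident triage
# helper. Part 1 reports the setuid bit on a list of binaries; part 2 flags
# history lines that contain constructed indicator substrings modelled on
# the history posted in the question.

# Binaries named on the page (reported "missing" where they do not exist).
ARD_AGENT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
CHECK_AFP=/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp

# suid_set PATH: prints "suid", "nosuid" or "missing".
# Exit status is 0 only when the setuid bit is set, so it can drive an `if`.
suid_set() {
    if [ ! -e "$1" ]; then
        echo "missing"
        return 2
    fi
    if [ -u "$1" ]; then
        echo "suid"
        return 0
    fi
    echo "nosuid"
    return 1
}

# Constructed indicator substrings: stopping the remote-management agent,
# re-adding setuid, AppleScript-driven shell execution, unloading launchd
# jobs, disabling local Time Machine snapshots, a mining client, and a
# package manager that does not exist on OS X. Extend to taste.
INDICATORS=$(mktemp)
cat > "$INDICATORS" <<'EOF'
kickstart -agent -stop
chmod u+s
do shell script
launchctl unload
tmutil disablelocal
bitcoin
apt-get
EOF

# flag_history FILE: prints "N:line" for every history line containing an indicator.
flag_history() {
    grep -n -F -f "$INDICATORS" -- "$1"
}

# count_flags FILE: prints the number of flagged lines (0 when none); always exits 0.
count_flags() {
    _n=$(grep -c -F -f "$INDICATORS" -- "$1") || true
    echo "${_n:-0}"
}

# Constructed sample history, a few lines modelled on the one in the question.
SAMPLE_HISTORY=$(mktemp)
cat > "$SAMPLE_HISTORY" <<'EOF'
ls
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop
top
./bitcoin-qt
sudo tmutil disablelocal
whoami
EOF
trap 'rm -f "$INDICATORS" "$SAMPLE_HISTORY"' EXIT

# Stand-alone run: audit the two page binaries, then triage the sample history.
for bin in "$ARD_AGENT" "$CHECK_AFP"; do
    printf '%s: ' "$bin"
    suid_set "$bin" || :
done
echo "flagged lines: $(count_flags "$SAMPLE_HISTORY")"
flag_history "$SAMPLE_HISTORY" || :
```

To run it against a real history, call `flag_history ~/.bash_history`; the `-F` keeps the indicators as literal substrings, so no pattern in the list is interpreted as a regular expression. The setuid check uses the shell's `[ -u ]` test rather than parsing `ls -l` output, which is what a Repair Permissions run would change back.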