STEPS TAKEN
- Logged into Mac this morning
- Noticed activity and files generated I did not initiate
- Ran bash history. Attached output below
SETTINGS
- All Sharing was Off
- Do not use any file sharing or remote access
- Firewall was set to Block All Incoming Connections
- Home network with no other active users at time
- Upgraded to Mavs 10.9.2 yesterday
Per this posting, disabled SUID in ARDAgent with:
sudo chmod u-s \
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
Need help determining if it's a rogue process, ignorable, or something which requires more actions on my end.
Administrator$ history
    1  rm -rf ~/.Trash/*
    2  cd
    3  .
    4  ./
    5  cd
    6  lib
    7  cd/
    8  
    9  ls
   10  cd downloads
   11  ls downloads
   12  ls Downloads
   13  find / -nouser -ls
   14  find /~nouser -ls
   15  ls
   16  ls /library
   17  /LaunchAgents
   18  ls /LaunchAgents
   19  ls /Automator
   20  ls /KeyChains
   21  sha
   22  toop
   23  top
   24  dscl . -list /Users UniqueID
   25  $ dscl -plist . readall /users
   26  $ dscl . readall /users
   27  $ dscl . readall /503
   28  ls/Users
   29  - dscacheutil -q group
   30  cd
   31  cd.
   32  cd .
   33  ls
   34  ifconfig
   35  ifconfig
   36  ifconfig
   37  config helper
   38  config
   39  ls
   40  ssh XXXXXX
   41  defaults write com.google.Keystone.Agent checkInterval 0
   42  exit
   43  exit
   44  /var/log/secure.log
   45  ssh XXXXXX
   46  exit
   47  kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
   48  sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
   49  launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
   50  ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
   51  osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
   52  top
   53  ps
   54  top
   55  top
   56  top
   57  sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop
   58  man who
   59  who
   60  whoami
   61  ps -aux
   62  ps
   63  top
   64  ps -eo pid,etime
   65  top
   66  ps aux | less
   67  pstree
   68  ps -eo euser,ruser,suser,fuser,f,comm,label
   69  pgrep
   70  pgrep remote
   71  apt-get install htop
   72  htop
   73  netstat -tulpn | grep :80
   74  ls -l /proc/635/exe
   75  swapon -a
   76  ma ps
   77  man ps
   78  man ps
   79  ps -a
   80  ps -A
   81  whoami
   82  ps -f
   83  ps -G
   84  ps -g
   85  ps -T
   86  ps-t
   87  ps -v
   88  ps start
   89  top
   90  ps
   91  users
   92  last
   93  ls /var/log/wtmp*
   94  last -f /var/log/wtmp.1
   95  last -f /var/log/wtmp.0
   96  ~/.bash_history
   97  cat ~/.bash_history
   98  ls /Automator
   99  cat Automator
  100  open ~/.bash_history
  101  dscl . readall /users
  102  ls/library
  103  cd/library
  104  cd..
  105  cd
  106  ls
  107  cd Library
  108  cd/Library
  109  ls/Automator
  110  toop
  111  top
  112  ifconfig
  113  config helper
  114  config
  115  top
  116  ps -a
  117  ps -A
  118  ps -aux
  119  ps
  120  getprocessforpid(677)
  121  man ps
  122  ps -U
  123  ps -u
  124  GetProcessPID(494)
  125  GetProcessPID() q
  126  GetProcessPID494
  127  GetProcessPID 494
  128  netstat -b
  129  top
  130  top
  131  top
  132  netstat -a
  133  netstat -a | grep vnc | grep ESTABLISHED
  134  top
  135  netstat -a
  136  top
  137  top
  138  netstat -a
  139  ps -aux
  140  netstat -a | grep vnc | grep ESTABLISHED
  141  ps -aux
  142  ps -A
  143  ps -A
  144  netstat -a | grep vnc | grep ESTABLISHED
  145  netstat -a
  146  top
  147  top
  148  netstat -a
  149  netstat -a
  150  netstat -a
  151  q
  152  top
  153  top
  154  sudo tmutil disablelocal
  155  exit
  156  top
  157  top
  158  top
  159  top
  160  top
  161  top
  162  neststat -n
  163  netstat -n
  164  netstat -n
  165  ls
  166  lsaf
  167  cd ..
  168  cd ..
  169  cd ..
  170  cd ..
  171  ls
  172  top
  173  netstat
  174  dscl . list/users
  175  cd ~
  176  dscl . list/users
  177  dscl . list /users
  178  dscl . list /groups
  179  dscl . readall /users
  180  netstat
  181  netstat
  182  whoami
  183  ls
  184  cd ..
  185  cd ..
  186  cd .
  187  cd ..
  188  ls
  189  tree
  190  cd Users
  191  ls
  192  cd Administrator
  193  ls
  194  cd ..
  195  cd ..
  196  cd ..
  197  ls
  198  cd Users
  199  ls
  200  cd Adminstrator
  201  cd Administrator
  202  ls
  203  cd Downloads
  204  ls
  205  exit
  206  whoami
  207  ls
  208  ls
  209  cd Library
  210  ls
  211  cd Application Support
  212  ls
  213  cd ..
  214  ls
  215  cd ..
  216  ls
  217  cd peterobrien
  218  ls
  219  cd Library
  220  whoami
  221  sudo - Adminsitrator
  222  ls
  223  ls
  224  sudo -
  225  more /etc/hosts
  226  scc ver
  227  scc numprofiles
  228  netstat -an |find /i "listening"
  229  netstat
  230  top
  231  kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
  232  sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
  233  launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
  234  ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
  235  osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
  236  osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null
  237  top
  238  dscacheutil -flushcache
  239  sudo killall -HUP mDNSResponder
  240  top
  241  ./bitcoin-qt
  242  cd $home
  243  ls
  244  cd ..
  245  cd ..
  246  cd ..
  247  ls
  248  cd Applications
  249  ls
  250  ./bitcoin-qt.app
  251  top
  252  ps -420
  253  ps -9541
  254  top
  255  /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit;
  256  /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit;
  257  top
  258  ps -a (2077)
  259  ps -a2077
  260  sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
  261  top
  262  on run
  263  do shell script "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'"
  264  end run
  265  ls -ls /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp 2
  266  sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
END
Best Answer
It seems your Mac has been compromised (at the time of your writing) in order to mine bitcoins (./bitcoin-qt.app), probably by using the ARDAgent exploit or similar. The posted commands are quite advanced; however, plenty of them are copy-and-paste commands, which indicates some pseudo-hacker (with actually little knowledge) who is trying to install a trojan on your system. Find the explanation for the history commands below:

1: Removing files from Trash. Maybe clearing some evidence after downloading something.
2-12: Accessing the Downloads folder with a bit of trouble. Half of these commands are mistyped, so maybe the person was in a hurry or stressed out.
13-14: Finding all files which belong to an unknown user (for an unknown reason).
15-20: Struggling to access your passwords in Keychains, but most of the commands are mistyped. This indicates very little knowledge of how to use the basic shell commands. It seems he tries to access folders such as /Library/LaunchAgents, /Library/Automator, /Library/Keychains, but fails.
21: There is no command sha.
22-23: Struggling to see your processes.
24-29: Struggling to check all the system users; however, the shell prompt present in 25-27 indicates that these commands were copied and pasted from some hack tutorial.
34-39: Checking network configuration.
41: Disabling auto updates for Google apps.
40, 45: Log-in to a remote host.
47: Checking your non-Apple kernel extensions.
48-49: Checking your non-Apple loaded jobs. Repeating the same command without sudo could indicate that the user didn't have root access.
51: Checking startup items.
57: Disabling the remote desktop agent. Why?
71-72: How he managed to install htop using apt-get on OS X, I don't know.
73-164: Checking processes, what's listening on port 80, and the history of last logins.
165-225: Checking your users and files again.
228: Indicates the person is from a Windows background, as the parameter /i is invalid.
226-237: Repeating the same things over and over again.
238-240: Clearing DNS caches.
241-259: Running the Bitcoin client.
263-264: Pasting code into the wrong window. It should be actually:
Which basically, on a successful run of ARDAgent, would run the command say quack, which basically says loudly "quack". This is supposed to test if ARDAgent is vulnerable to the attacks, but testing by using Speech Synthesis is the worst thing a hacker can do, because the user will hear that and figure out that something is wrong.
265: Testing if check_afp is vulnerable by having the SUID flag.

Your action was correct in disabling SUID for ARDAgent. When you run Disk Utility and Repair Permissions, it will automatically restore the right permissions (including ARDAgent), unless it has been modified. The other thing is to keep your system up-to-date and monitor logs and history more frequently.
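The answer above walks the posted history by hand and groups entries by what they were trying to do. As an added example (not code from the original question or answer), the script below automates the first pass of that review: it parses a `history` dump in the flattened form posted in the question, where consecutively numbered entries run together on one line, and flags entries matching a short indicator list taken from the answer's reading (trash wiping, ssh logins, ARDAgent and check_afp probing, disabling updates and local backups, unloading a launchd daemon, launching the Bitcoin client, using a Debian package manager on OS X, flushing DNS caches). The indicator list, the function names and the `SAMPLE` text are assumptions of this example; `SAMPLE` is a constructed excerpt in the page's layout, not the full history.

```python
"""Added example: triage a shell `history` dump like the one in the question.

Not code from the original post.  The indicator list and the sample history
are assumptions constructed for this example.
"""
import re
from collections import Counter
from typing import List, Tuple

# Indicators drawn from the answer's reading of the history.  Each pair is
# (label, regex tried against the whole command).  Assumed for this example.
INDICATORS: List[Tuple[str, str]] = [
    ("trash-wipe", r"^rm\s+-rf\s+~/\.Trash"),
    ("remote-login", r"^ssh\s+"),
    ("suid-probe", r"ARDAgent|check_afp"),
    ("updates-disabled", r"com\.google\.Keystone\.Agent\s+checkInterval\s+0"),
    ("backup-disabled", r"tmutil\s+disablelocal"),
    ("daemon-unloaded", r"launchctl\s+unload"),
    ("miner-launch", r"bitcoin-qt"),
    ("foreign-pkg-mgr", r"^apt-get\s"),  # Debian tool, not present on OS X
    ("dns-cache-flush", r"dscacheutil\s+-flushcache|killall\s+-HUP\s+mDNSResponder"),
]

# Constructed excerpt in the flattened layout of the posted history (entries
# numbered consecutively and run together).  Entry 4 is deliberately empty,
# entry 8 has a number inside the command and entry 15 ends with a digit, the
# three cases a naive "split on numbers" parser gets wrong.
SAMPLE = (
    "1 rm -rf ~/.Trash/* 2 cd 3 cd/ 4 5 ls 6 ssh XXXXXX "
    "7 defaults write com.google.Keystone.Agent checkInterval 0 "
    "8 ls -l /proc/635/exe 9 apt-get install htop 10 top 11 top "
    "12 sudo tmutil disablelocal 13 ./bitcoin-qt 14 top "
    "15 ls -ls /System/Library/Filesystems/AppleShare/check_afp.app"
    "/Contents/MacOS/check_afp 2"
)


def parse_history(text: str) -> List[Tuple[int, str]]:
    """Split a history dump into (number, command) pairs.

    Works on normal one-entry-per-line `history` output and on the flattened
    form above: it tokenises on whitespace and starts a new entry only at the
    token equal to the *next consecutive* number, so digits inside a command
    (/proc/635/exe, wtmp.1) do not split it.
    """
    tokens = text.split()
    if not tokens or not tokens[0].isdigit():
        raise ValueError("history dump must begin with an entry number")
    number = int(tokens[0])
    current: List[str] = []
    entries: List[Tuple[int, str]] = []
    for tok in tokens[1:]:
        if tok.isdigit() and int(tok) == number + 1:
            entries.append((number, " ".join(current)))
            number += 1
            current = []
        else:
            current.append(tok)
    entries.append((number, " ".join(current)))
    return entries


def triage(entries: List[Tuple[int, str]]) -> List[Tuple[int, Tuple[str, ...], str]]:
    """Return (number, matched labels, command) for each entry hitting an indicator."""
    hits = []
    for number, cmd in entries:
        labels = tuple(label for label, pat in INDICATORS if re.search(pat, cmd))
        if labels:
            hits.append((number, labels, cmd))
    return hits


def most_repeated(entries: List[Tuple[int, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Commands run most often; the answer notes the intruder repeating top/netstat."""
    return Counter(cmd for _, cmd in entries if cmd).most_common(n)


def report(text: str) -> str:
    """Human-readable triage of a history dump."""
    entries = parse_history(text)
    lines = [f"{len(entries)} entries parsed"]
    for number, labels, cmd in triage(entries):
        lines.append(f"{number:4d}  [{', '.join(labels)}]  {cmd}")
    top = ", ".join(f"{cmd} x{count}" for cmd, count in most_repeated(entries, 3))
    lines.append("most repeated: " + top)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Running the script prints a numbered report for the constructed sample. On a real host the input would be the output of `history`, or `~/.bash_history` run through `cat -n` to supply the entry numbers the parser keys on, and `INDICATORS` would be extended with whatever the reviewer considers out of place for that machine. The most-repeated count is the quickest way to spot the "top / netstat over and over" pattern the answer points out, which is itself a hint that the person had no tooling beyond a pasted tutorial.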