MacOS – How to recover files from the home directory that malware removed on OS X 10.10.5 Yosemite

data-recovery macos malware

Two days ago, somehow, my Mac running OS X Yosemite 10.10.5 got infected by malware and it deleted almost all my files from my home directory. I have no idea how it happened (it wasn't because I clicked on some ad, I wasn't even browsing the web when it happened and I also run Adblock on my Safari, Chrome, and Firefox browsers). Suddenly at 10 PM, an xterm window showed up with tons of lines running by with filenames and "permission denied" messages. I panicked and shut down the computer.

I then restarted it, and when I opened the Terminal, the xterm came up and started with similar "permission denied" messages (I figured it auto-launched when I opened the Terminal). I shut down again and it did not appear to shut down completely. Then after a few minutes I tried to start it up and it did not start for the next 5 or 10 minutes or so. Then when it did start up, the OS X settings were all fresh (for example, my Dock was moved from the left to the bottom center, etc., as it would be if it were a fresh install). Then I looked at my home directory and almost all the files were deleted, strangely except some (I guess these must have different permissions).

I lost all my photos and files I was working on. I have a Time Machine backup that is 70 days old.

I looked at the console and this is what I found.

Can someone please tell me what this is, how it happened and how I can eliminate it from my system?

The console log is below.

2015-08-14 10:00:23.702 PM Finder[240] CreateWithFileInfo failed to create URL with FSRef, falling back to blank icon.
2015-08-14 10:00:24.620 PM bird[267] someone ripped the database from under our feet
LIMITS ------------------------------------------------------------------------
RLIMIT_CORE 0 infinity
RLIMIT_CPU infinity infinity
RLIMIT_DATA infinity infinity
RLIMIT_FSIZE infinity infinity
RLIMIT_MEMLOCK infinity infinity
RLIMIT_NOFILE 16384 16384
RLIMIT_NPROC 709 1064
RLIMIT_RSS infinity infinity
DISK (/Users/userx/Library/Mobile Documents)--------------------------------
NSFileSystemNodes 121846308
NSFileSystemSize 499082485760
NSFileSystemFreeSize 220219854848
NSFileSystemFreeNodes 53764613
NSFileSystemNumber 16777220
2015-08-14 10:00:24.637 PM com.apple.xpc.launchd[1] (com.apple.ReportCrash[21508]) Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash
2015-08-14 10:00:24.807 PM com.apple.SecurityServer[85] Killing auth hosts
2015-08-14 10:00:24.807 PM com.apple.SecurityServer[85] Session 100122 destroyed
2015-08-14 10:00:28.333 PM com.apple.xpc.launchd[1] (com.apple.bird[267]) Service exited due to signal: Abort trap: 6
2015-08-14 10:00:28.392 PM ReportCrash[21508] Saved crash report for bird[267] version 321.9 to /Users/userx/Library/Logs/DiagnosticReports/bird_2015-08-14-220028_OLM-userx.crash
2015-08-14 10:00:31.108 PM cloudphotosd[519] Failed to open '/Users/userx/Library/Containers/com.apple.cloudphotosd/Data/Library/Preferences/com.apple.cloudphotosd.plist' for events
2015-08-14 10:01:07.911 PM sharingd[254] Could not replace account with identifier: _local
2015-08-14 10:01:07.913 PM com.apple.internetaccounts[262] Could not replace account with identifier: _local
2015-08-14 10:01:07.915 PM soagent[268] Could not replace account with identifier: _local

Best Answer

After some deep investigation we came to the preliminary conclusion that the culprit wasn't any malware but an unhappy coincidence involving org.macosforge.xquartz.startx.plist, .bashrc and an xrd --merge ~/.Xdefaults command. Since all those files were deleted, we don't have hard evidence though.

Said .bashrc is derived from a (Linux) precursor. It was heavily adapted to work with OS X.

The XQuartz service started to delete files with rm in the root folder after reading in the ~/.bashrc, triggered by the xrd command. Most of the rm calls weren't successful because of missing user permissions. Most of the user data was deleted though.

After creating a recovery thumb drive with Data Rescue 4 (the Bootwell feature) a deep scan found a lot of deleted files. The most important files couldn't be recovered.
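As an added illustration, not part of the accepted answer or of XQuartz, here is a small POSIX sh audit for the failure mode the answer describes: a .bashrc ported from Linux whose rm targets depend on variables that are empty on OS X. The assumption (not established by the post) is that such an rm expanded to a path under /, which is consistent with most calls failing on permissions while the user's own home directory was writable; the file names and sample rc contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): flag rm invocations in a shell
# rc file whose target can collapse to / or ~ when a variable is unset, e.g.
# rm -rf "$CACHE_DIR"/*  ->  rm -rf /*   (fails under /, succeeds under $HOME)

# scan_rc_file FILE: print "file:line: text" for each risky rm line;
# returns 1 if anything was flagged, 0 otherwise.
scan_rc_file() {
    file="$1"; n=0; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '#'*) continue ;;                  # whole-line comment
            *"rm -"[rRf]*) ;;                  # rm -r / rm -f / rm -rf ...
            *) continue ;;                     # no forceful rm on this line
        esac
        # risky targets: a variable expansion, or a path anchored at / or ~
        case "$line" in
            *'$'*|*' /'*|*' ~'*|*'~/'*)
                printf '%s:%d: %s\n' "$file" "$n" "$line"
                found=1 ;;
        esac
    done < "$file"
    return "$found"
}

# count_risky FILE: number of flagged lines, for scripting and assertions
count_risky() { scan_rc_file "$1" | wc -l | tr -d ' '; }

# write_sample_bashrc FILE: constructed .bashrc carried over from a Linux box.
# CACHE_DIR came from a Linux-side profile; on OS X it is unset, so the last
# line expands to rm -rf /* . Writing "${CACHE_DIR:?}" instead makes the
# shell abort with an error before rm ever runs.
write_sample_bashrc() {
    cat > "$1" <<'EOF'
# helpers ported from Linux
export PATH="$HOME/bin:$PATH"
alias ll='ls -lG'
rm -f ~/.bash_history.bak
rm -rf "$CACHE_DIR"/*
EOF
}

# stand-alone demo: write the sample, scan it, report what would be deleted
sample=$(mktemp)
write_sample_bashrc "$sample"
scan_rc_file "$sample" || echo "review the lines above before this file is sourced"
rm -f "$sample"
```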