Thursday 26 April 2018

mac mini - Is my mac hacked? Found weird things

I apologize for posting in length, but I thought being complete would be of more value:


20120822, my browser was not resolving a domain so I went into my terminal to check and, lo and behold, I find these crazy command remnants:

mac-mini$ su Password:
sh-3.2# sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] : kCGErrorIllegalArgument: _CGSFindSharedWindow: WID -1
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] : kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] : kCGErrorIllegalArgument: CGSSetWindowShadowAndRimParametersWithStretch: Invalid window 0xffffffff
2012-03-22 23:07:19.202 TextEdit[88957:7207] PersistentUI: LSSharedFileListInsertItemURL() failed at inserting URL file://localhost/etc/hosts

To make matters worse, I discovered there had been a copy of "logmein" that was deleted. Here is some history:


20  /Library/Application\ Support/LogMeIn/uninstaller.command ; exit;    
21 killall Toolkit
22 "/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Resources/logmeinserverctl" stop
23 launchctl stop /Library/LaunchDaemons/com.logmein.logmeinserver.plist
24 launchctl unload /Library/LaunchDaemons/com.logmein.logmeinserver.plist
25 launchctl unload /Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist
26 launchctl unload /Library/LaunchAgents/com.logmein.logmeingui.plist
27 launchctl unload /Library/LaunchAgents/com.logmein.logmeinguiagent.plist
28 rm -rf /Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist
29 rm -rf /Library/LaunchAgents/com.logmein.logmeingui.plist
30 rm -rf /Library/LaunchAgents/com.logmein.logmeinguiagent.plist
31 rm -rf /Library/LaunchDaemons/com.logmein.logmeinserver.plist
32 rm -rf "/Library/Application Support/LogMeIn/"
33 rm -rf /Library/Logs/LogMeIn/
34 rm -rf /Library/Receipts/LogMeIn\ Server\ Installer.pkg/
35 rm -rf /Library/Receipts/LogMeIn\ Installer.pkg/
36 rm -rf /Library/Printers/LogMeIn
37 rm -rf /usr/libexec/cups/backend/LogMeInBackend
38 rm -rf /usr/libexec/cups/filter/LogMeInFilter
39 rm -rf /usr/libexec/cups/filter/commandtoLogMeIn
40 rm -rf "/Applications/LogMeIn/LogMeInUninstaller.app"
41 rm -rf "/Applications/LogMeIn/StartLogMeIn.app"
42 rm -rf "/Applications/LogMeIn/Toolkit.app"
43 if [ -e "/Applications/LogMeIn/LogMeInPluginUninstaller.app" ];
then echo not removing LogMeIn directory; else rm -rf "/Applications/LogMeIn/"; fi
44 rm -rf "/Library/Receipts/LogMeIn Installer.pkg"
45 rm -rf "/Library/Receipts/logmein.pkg"
46 rm -rf "/private/var/db/receipts/com.logmein.logmeinserverinstaller.bom"
47 rm -rf "/private/var/db/receipts/com.logmein.logmeinserverinstaller.plist"
48 dscl . -delete /users/LogMeInRemoteUser
49 killall LMILaunchAgentFixer

I then go in and look for this logmein, but other than the uninstaller, it doesn't exist. The files show an older timestamp from about March, but it's still just making me nervous.

I check more history as su and find:


5  sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts            
6 stty -onlcr -echo echonl
7 /usr/bin/atos -p "1" -printHeader
8 /usr/bin/atos -p "10" -printHeader
9 /usr/bin/atos -p "11" -printHeader
10 /usr/bin/atos -p "12" -printHeader
11 /usr/bin/atos -p "13" -printHeader
12 /usr/bin/atos -p "14" -printHeader
13 /usr/bin/atos -p "15" -printHeader
14 /usr/bin/atos -p "16" -printHeader
15 /usr/bin/atos -p "17" -printHeader
16 /usr/bin/atos -p "18" -printHeader
17 /usr/bin/atos -p "19" -printHeader
18 /usr/bin/atos -p "21" -printHeader
19 /usr/bin/atos -p "24" -printHeader
20 /usr/bin/atos -p "25" -printHeader
21 /usr/bin/atos -p "27" -printHeader
22 /usr/bin/atos -p "29" -printHeader
23 /usr/bin/atos -p "30" -printHeader
24 /usr/bin/atos -p "33" -printHeader
25 /usr/bin/atos -p "35" -printHeader
26 /usr/bin/atos -p "39" -printHeader
27 /usr/bin/atos -p "40" -printHeader
28 /usr/bin/atos -p "42" -printHeader
29 /usr/bin/atos -p "44" -printHeader
30 /usr/bin/atos -p "46" -printHeader
31 /usr/bin/atos -p "48" -printHeader
32 /usr/bin/atos -p "53" -printHeader
33 /usr/bin/atos -p "90" -printHeader
34 /usr/bin/atos -p "91" -printHeader
35 /usr/bin/atos -p "96" -printHeader
36 /usr/bin/atos -p "108" -printHeader
37 /usr/bin/atos -p "110" -printHeader
38 /usr/bin/atos -p "119" -printHeader
39 /usr/bin/atos -p "122" -printHeader
40 /usr/bin/atos -p "123" -printHeader
41 /usr/bin/atos -p "128" -printHeader
42 /usr/bin/atos -p "129" -printHeader
43 /usr/bin/atos -p "131" -printHeader
44 /usr/bin/atos -p "132" -printHeader
45 /usr/bin/atos -p "133" -printHeader
46 /usr/bin/atos -p "134" -printHeader
47 /usr/bin/atos -p "139" -printHeader
48 /usr/bin/atos -p "141" -printHeader
49 /usr/bin/atos -p "144" -printHeader
50 /usr/bin/atos -p "149" -printHeader
51 /usr/bin/atos -p "154" -printHeader
52 /usr/bin/atos -p "160" -printHeader
53 /usr/bin/atos -p "161" -printHeader
54 /usr/bin/atos -p "164" -printHeader
55 /usr/bin/atos -p "197" -printHeader
56 /usr/bin/atos -p "209" -printHeader
57 /usr/bin/atos -p "212" -printHeader
58 /usr/bin/atos -p "1593" -printHeader
59 /usr/bin/atos -p "1594" -printHeader
60 /usr/bin/atos -p "17892" -printHeader
61 /usr/bin/atos -p "82995" -printHeader
62 /usr/bin/atos -p "82996" -printHeader
63 /usr/bin/atos -p "82997" -printHeader
64 /usr/bin/atos -p "BezelUIServer" -printHeader
65 /usr/bin/atos -p "83003" -printHeader
66 /usr/bin/atos -p "taskgated" -printHeader
67 /usr/bin/atos -p "83006" -printHeader
68 /usr/bin/atos -p "83007" -printHeader
69 /usr/bin/atos -p "83010" -printHeader
70 /usr/bin/atos -p "com.apple.hiserv" -printHeader
71 /usr/bin/atos -p "83014" -printHeader
72 /usr/bin/atos -p "83015" -printHeader

Now maybe I was drunk when all this happened, but I am pretty sure I didn't run all of these commands.

From the first line, I can see they are looking at the hosts file so I cat that and find:


127.0.0.1          localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

Well, I've changed my su password and regular password and I've erased the hosts and hope this will deter further contamination?

Or am I simply fooling myself and should just reformat my whole computer?
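For a reader who wants to check the two things this post worries about, here is an added example (not part of the original post, and not code from anyone answering it): a small POSIX shell audit that compares a hosts file against the four stock macOS entries the post shows, and reports any of the LogMeIn files from the uninstaller history that are still present. The list of leftover paths is taken from the history in the post; the optional root prefix argument, the sample hosts file and the function names are assumptions made so the script can be exercised against a scratch directory instead of a live system.

```shell
#!/bin/sh
# Added example, not from the original post: a defender-side audit that
# (1) flags hosts entries beyond the stock macOS defaults and
# (2) lists remote-access remnants at the paths the uninstaller removed.

# The four lines a stock macOS /etc/hosts contains (as shown in the post).
DEFAULT_HOSTS='127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost'

# Paths copied from the LogMeIn uninstaller history in the post. Any of
# these still existing means the uninstall did not finish or was re-done.
LEFTOVER_PATHS='/Library/LaunchDaemons/com.logmein.logmeinserver.plist
/Library/LaunchAgents/com.logmein.logmeingui.plist
/Library/LaunchAgents/com.logmein.logmeinguiagent.plist
/Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist
/Library/Application Support/LogMeIn
/usr/libexec/cups/backend/LogMeInBackend
/Applications/LogMeIn'

# Normalise a hosts file: strip comments and blank lines, squeeze runs of
# whitespace to one space so "127.0.0.1      localhost" compares equal.
normalize_hosts() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' "$1" | grep -v '^$'
}

# Print every entry of the hosts file in $1 that is not a stock default.
extra_hosts_entries() {
    normalize_hosts "$1" | while IFS= read -r line; do
        if ! printf '%s\n' "$DEFAULT_HOSTS" | grep -qxF -- "$line"; then
            printf '%s\n' "$line"
        fi
    done
    return 0
}

# Number of non-default entries (awk so the status is 0 even for zero).
count_extra_hosts() {
    extra_hosts_entries "$1" | awk 'END { print NR }'
}

# Return 0 when the hosts file matches the defaults, 1 otherwise.
check_hosts_file() {
    if [ "$(count_extra_hosts "$1")" -eq 0 ]; then
        return 0
    fi
    printf 'Non-default hosts entries in %s:\n' "$1"
    extra_hosts_entries "$1"
    return 1
}

# Print each leftover path that exists under the root prefix in $1
# (empty prefix = the live system; a scratch directory for testing).
check_leftover_paths() {
    root=${1:-}
    printf '%s\n' "$LEFTOVER_PATHS" | while IFS= read -r p; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
    return 0
}

# Usage on a live Mac: sh audit.sh   (reads /etc/hosts, checks real paths)
if [ "${1:-}" = "--live" ]; then
    check_hosts_file /etc/hosts || true
    check_leftover_paths ""
fi
```

On a clean machine both checks print nothing; a hosts file that redirects a domain, or a launchd plist that came back after the uninstall, shows up by name. Run it with `--live` on the real system; without that flag it only defines the functions, so it can be sourced and pointed at a copy of the files.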
