Is my mac hacked? Found weird things

4

I apologize for posting in length, but I thought being complete would be of more value:

20120822, my browser was not resolving a domain so I went into my terminal to check and lo-and-behold! I find these crazy command remnants:

mac-mini$ su Password:
sh-3.2# sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] <Error>: kCGErrorIllegalArgument: _CGSFindSharedWindow: WID -1
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] <Error>: kCGErrorFailure: Set a     breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] <Error>: kCGErrorIllegalArgument:     CGSSetWindowShadowAndRimParametersWithStretch: Invalid window 0xffffffff
2012-03-22 23:07:19.202 TextEdit[88957:7207] PersistentUI: LSSharedFileListInsertItemURL() failed at inserting URL file://localhost/etc/hosts

To make matters worse, I discovered there had been a copy of "logmein" that was deleted. Here is some history:

20  /Library/Application\ Support/LogMeIn/uninstaller.command ; exit;    
21  killall Toolkit    
22  "/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Resources/logmeinserverctl" stop    
23  launchctl stop /Library/LaunchDaemons/com.logmein.logmeinserver.plist    
24  launchctl unload /Library/LaunchDaemons/com.logmein.logmeinserver.plist    
25  launchctl unload /Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist    
26  launchctl unload /Library/LaunchAgents/com.logmein.logmeingui.plist    
27  launchctl unload /Library/LaunchAgents/com.logmein.logmeinguiagent.plist    
28  rm -rf /Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist    
29  rm -rf /Library/LaunchAgents/com.logmein.logmeingui.plist    
30  rm -rf /Library/LaunchAgents/com.logmein.logmeinguiagent.plist    
31  rm -rf /Library/LaunchDaemons/com.logmein.logmeinserver.plist    
32  rm -rf "/Library/Application Support/LogMeIn/"    
33  rm -rf /Library/Logs/LogMeIn/    
34  rm -rf /Library/Receipts/LogMeIn\ Server\ Installer.pkg/    
35  rm -rf /Library/Receipts/LogMeIn\ Installer.pkg/    
36  rm -rf /Library/Printers/LogMeIn    
37  rm -rf /usr/libexec/cups/backend/LogMeInBackend    
38  rm -rf /usr/libexec/cups/filter/LogMeInFilter    
39  rm -rf /usr/libexec/cups/filter/commandtoLogMeIn    
40  rm -rf "/Applications/LogMeIn/LogMeInUninstaller.app"    
41  rm -rf "/Applications/LogMeIn/StartLogMeIn.app"    
42  rm -rf "/Applications/LogMeIn/Toolkit.app"    
43  if [ -e "/Applications/LogMeIn/LogMeInPluginUninstaller.app" ]; 
    then echo not removing LogMeIn directory; else rm -rf "/Applications/LogMeIn/"; fi  
44  rm -rf "/Library/Receipts/LogMeIn Installer.pkg"     
45  rm -rf "/Library/Receipts/logmein.pkg"     
46  rm -rf "/private/var/db/receipts/com.logmein.logmeinserverinstaller.bom"    
47  rm -rf "/private/var/db/receipts/com.logmein.logmeinserverinstaller.plist"   
48  dscl . -delete /users/LogMeInRemoteUser    
49  killall LMILaunchAgentFixer

I then go in and look for this logmein, but other than the uninstaller, it doesn't exist. The files show an older timestamp from about March, but still just making me nervous.

I check more history as su and find:

5  sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts            
6  stty -onlcr -echo echonl
7  /usr/bin/atos -p "1" -printHeader 
8  /usr/bin/atos -p "10" -printHeader 
9  /usr/bin/atos -p "11" -printHeader     
10  /usr/bin/atos -p "12" -printHeader     
11  /usr/bin/atos -p "13" -printHeader     
12  /usr/bin/atos -p "14" -printHeader     
13  /usr/bin/atos -p "15" -printHeader     
14  /usr/bin/atos -p "16" -printHeader     
15  /usr/bin/atos -p "17" -printHeader     
16  /usr/bin/atos -p "18" -printHeader     
17  /usr/bin/atos -p "19" -printHeader     
18  /usr/bin/atos -p "21" -printHeader     
19  /usr/bin/atos -p "24" -printHeader     
20  /usr/bin/atos -p "25" -printHeader     
21  /usr/bin/atos -p "27" -printHeader     
22  /usr/bin/atos -p "29" -printHeader     
23  /usr/bin/atos -p "30" -printHeader     
24  /usr/bin/atos -p "33" -printHeader     
25  /usr/bin/atos -p "35" -printHeader     
26  /usr/bin/atos -p "39" -printHeader     
27  /usr/bin/atos -p "40" -printHeader     
28  /usr/bin/atos -p "42" -printHeader     
29  /usr/bin/atos -p "44" -printHeader     
30  /usr/bin/atos -p "46" -printHeader     
31  /usr/bin/atos -p "48" -printHeader     
32  /usr/bin/atos -p "53" -printHeader     
33  /usr/bin/atos -p "90" -printHeader     
34  /usr/bin/atos -p "91" -printHeader     
35  /usr/bin/atos -p "96" -printHeader     
36  /usr/bin/atos -p "108" -printHeader     
37  /usr/bin/atos -p "110" -printHeader     
38  /usr/bin/atos -p "119" -printHeader     
39  /usr/bin/atos -p "122" -printHeader     
40  /usr/bin/atos -p "123" -printHeader     
41  /usr/bin/atos -p "128" -printHeader     
42  /usr/bin/atos -p "129" -printHeader     
43  /usr/bin/atos -p "131" -printHeader     
44  /usr/bin/atos -p "132" -printHeader     
45  /usr/bin/atos -p "133" -printHeader     
46  /usr/bin/atos -p "134" -printHeader     
47  /usr/bin/atos -p "139" -printHeader     
48  /usr/bin/atos -p "141" -printHeader     
49  /usr/bin/atos -p "144" -printHeader     
50  /usr/bin/atos -p "149" -printHeader     
51  /usr/bin/atos -p "154" -printHeader     
52  /usr/bin/atos -p "160" -printHeader     
53  /usr/bin/atos -p "161" -printHeader     
54  /usr/bin/atos -p "164" -printHeader     
55  /usr/bin/atos -p "197" -printHeader     
56  /usr/bin/atos -p "209" -printHeader     
57  /usr/bin/atos -p "212" -printHeader     
58  /usr/bin/atos -p "1593" -printHeader     
59  /usr/bin/atos -p "1594" -printHeader     
60  /usr/bin/atos -p "17892" -printHeader     
61  /usr/bin/atos -p "82995" -printHeader     
62  /usr/bin/atos -p "82996" -printHeader     
63  /usr/bin/atos -p "82997" -printHeader     
64  /usr/bin/atos -p "BezelUIServer" -printHeader     
65  /usr/bin/atos -p "83003" -printHeader     
66  /usr/bin/atos -p "taskgated" -printHeader     
67  /usr/bin/atos -p "83006" -printHeader     
68  /usr/bin/atos -p "83007" -printHeader     
69  /usr/bin/atos -p "83010" -printHeader     
70  /usr/bin/atos -p "com.apple.hiserv" -printHeader     
71  /usr/bin/atos -p "83014" -printHeader     
72  /usr/bin/atos -p "83015" -printHeader

Now maybe I was drunk when all this happened, but I am pretty sure I didn't run all of these commands.

From the first line, I can see they are looking at the hosts file so I cat that and find:

127.0.0.1          localhost
255.255.255.255    broadcasthost
::1                localhost
fe80::1%lo0        localhost

Well, I've changed my su password and regular password and I've erased the hosts and hope this will deter further contamination?

Or am I simply fooling myself and should just reformat my whole computer?

mac-mini
logmein
asked on Super User Aug 23, 2012 by illyabbi • edited Mar 11, 2013 by Carl B
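
The question ends by comparing the hosts file against what a clean Mac ships with. The following is an added example (not part of the original post or of macOS): a POSIX shell script that normalises a hosts file (drops comments and blank lines, collapses whitespace) and prints any entry that is not one of the four stock macOS entries shown above. The two sample files it writes, including the `203.0.113.10 www.example.com` redirect, are constructed for illustration.

```shell
#!/bin/sh
# Added example: report hosts-file entries that are not stock macOS entries.
# A clean file produces no output; anything printed deserves a look.

# The four entries of a stock macOS /etc/hosts (as shown in the question),
# one per line, whitespace collapsed to a single space.
DEFAULT_HOSTS='127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost'

# Normalise a hosts file: strip comments and blank lines, collapse runs of
# whitespace, so "127.0.0.1    localhost   # loopback" equals the stock entry.
normalize_hosts() {
  sed -e 's/#.*$//' \
      -e 's/^[[:space:]]*//' \
      -e 's/[[:space:]]*$//' \
      -e 's/[[:space:]]\{1,\}/ /g' "$1" | grep -v '^$' || true
}

# Print the normalised entries of FILE that are not stock entries.
extra_hosts_entries() {
  normalize_hosts "$1" | while IFS= read -r entry; do
    # -x: match the whole line; -F: fixed string (':' and '%' are not regex here)
    printf '%s\n' "$DEFAULT_HOSTS" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
  done
}

# Number of non-stock entries as a plain integer (wc pads with spaces on macOS).
count_extra_hosts_entries() {
  extra_hosts_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample files (not from the page): one clean, one with an added
# redirect to a documentation-range address.
CLEAN_HOSTS=$(mktemp)
cat > "$CLEAN_HOSTS" <<'EOF'
##
# Host Database
##
127.0.0.1          localhost
255.255.255.255    broadcasthost
::1                localhost
fe80::1%lo0        localhost
EOF

TAMPERED_HOSTS=$(mktemp)
cat > "$TAMPERED_HOSTS" <<'EOF'
127.0.0.1          localhost   # loopback
255.255.255.255    broadcasthost
::1                localhost
fe80::1%lo0        localhost
203.0.113.10       www.example.com
EOF

echo "clean file, extra entries: $(count_extra_hosts_entries "$CLEAN_HOSTS")"
echo "tampered file, extra entries:"
extra_hosts_entries "$TAMPERED_HOSTS"
```

To check a live machine, call `extra_hosts_entries /etc/hosts`; legitimate local additions (a development hostname, say) will also be listed, so the output is a review list, not a verdict.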

2 Answers

3

The line

stty -onlcr -echo echonl 

and the repeated

/usr/bin/atos -p "XXX" -printHeader 

come from the stackshot program that is used to produce a stack dump for all running processes.

I found the same entries in my log and got really suspicious, but after some googling around I found out that pressing Control-Option-Command-Shift-Period (at the same time) starts stackshot, which to my surprise actually produces these entries in /var/root/.sh_history.

I would appreciate if someone who knows more about OS X could explain why a shell script performing in the background does this.

For me this must have been happening when I (stupidly enough) decided to clean my keyboard while the Mac was running. :)

answered on Super User Jul 28, 2013 by Joppe • edited Jul 29, 2013 by Raystafarian
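
To turn this observation into a repeatable check, here is an added example (mine, not the answerer's or Apple's): a POSIX shell script that reads root's shell history, either raw `.sh_history` lines or numbered `history` output, drops the lines stackshot accounts for (`stty -onlcr -echo echonl` and `/usr/bin/atos -p "..." -printHeader`), and prints whatever remains for a human to review. The sample history it writes is constructed from the shapes shown in the question.

```shell
#!/bin/sh
# Added example: separate stackshot noise from everything else in a root
# shell history. stackshot (Ctrl-Opt-Cmd-Shift-.) runs `stty -onlcr -echo echonl`
# and then one `/usr/bin/atos -p "<pid-or-name>" -printHeader` per process, and
# those land in /var/root/.sh_history. Lines of that shape are explained;
# any other command in root's history deserves a look.

# Return 0 if a single history line has the stackshot shape, 1 otherwise.
is_stackshot_line() {
  case "$1" in
    'stty -onlcr -echo echonl'*) return 0 ;;
    '/usr/bin/atos -p "'*'" -printHeader'*) return 0 ;;
  esac
  return 1
}

# Print the lines of FILE that stackshot does not explain.
# Accepts raw .sh_history lines or `history` output; a leading "NN  " event
# number and any trailing whitespace are stripped before matching.
suspicious_lines() {
  sed -e 's/^[[:space:]]*[0-9][0-9]*[[:space:]][[:space:]]*//' \
      -e 's/[[:space:]]*$//' "$1" |
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    is_stackshot_line "$line" || printf '%s\n' "$line"
  done
}

# Number of unexplained lines as a plain integer (wc pads with spaces on macOS).
count_suspicious() {
  suspicious_lines "$1" | wc -l | tr -d ' '
}

# Constructed sample history (not from the page): a mix of stackshot output and
# hand-typed commands in the numbered form `history` prints.
SAMPLE_HISTORY=$(mktemp)
cat > "$SAMPLE_HISTORY" <<'EOF'
    5  sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts
    6  stty -onlcr -echo echonl
    7  /usr/bin/atos -p "1" -printHeader
    8  /usr/bin/atos -p "taskgated" -printHeader
    9  /usr/bin/atos -p "83015" -printHeader
   10  launchctl unload /Library/LaunchDaemons/com.logmein.logmeinserver.plist
   11  dscl . -delete /users/LogMeInRemoteUser
EOF

echo "unexplained lines: $(count_suspicious "$SAMPLE_HISTORY")"
suspicious_lines "$SAMPLE_HISTORY"
```

On a real machine, `sudo sh -c 'suspicious_lines /var/root/.sh_history'` after sourcing the functions gives the review list; the three hand-typed commands in the sample survive the filter, while the five stackshot lines do not.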

2

It does indeed sound like someone has been messing with your Mac. Unless you have an ssh server running to allow remote access, it does sound like it is someone who had physical access to your computer. It was probably a good idea to change your passwords; you should also make sure the computer is locked when you are not around so other people don't have access to it. Also, keep in mind every machine is hackable with the right skills, so your best bet is to regularly check for strange things that don't look right. I think you did a great job catching it.

answered on Super User Mar 15, 2013 by ThatGuy2748