Is This A Virus??? Help!!!
 

The machinery: 1 x Dual G5 2.5, 1 x 12" Powerbook (belonging to my mother) and a G4 eMac (my sister's). My Mom and I share a wireless network (WPA) consisting of an Airport Express and an Extreme base station. My sister has a separate DSL account for her wired eMac. All of us run Tiger (10.4.1). I have turned the Apple firewall on (no UDP) on my mother and sister's machines.

The symptoms: Disappearing files, slow performance on my G5 (even though I use TechTool4), and the frequent whirring of accessed files on all machines. None of us share files, by email or otherwise.

There are empty logs, NetBarrier quit a few days ago even though the configuration is locked. I have typed lsof -i and done netstat -a -n (if that is remotely correct) and there are often many connections by iPulse.ics. I have iPulse but haven't used it for ages. When I transferred a couple of files I thought were odd to my desktop, I later found a vim.info file with a jump "something" line in my home folder.

I am very suspicious, I managed to save a couple of files. What is stranger still is that if I do ls -al -F, files which shouldn't be are executable. I have ._.DS-Store and .DS-Store in my home folder, and /Library/StartupItems folders. Also, if I transfer them to my iDisk and do ls -la -F, the invisibles are still executable. As a complete, non-techie am I thinking right when I suspect I have a Trojan virus. If it can be stored on Apple's servers? Should an RTF, for example, ever be executable? I do not use OS 9.

One other thing, I was in the terminal looking at /var/logs and they were curiously empty, typed the command again and saw odd .swp files at the root of the directory. What are they? Someone caught in the act? When I look at my machine sockets I have open ports and SYN packets, whatever they are. A sniffer?

Anyway, someone please let me know if I am going mad and why are there open ports on my machine.

One last thing, I was creating a PGP key the other day and PGP "quits" suddenly. When I relaunch it the key is gone. Too many coincidences?

We all have these strange executables appearing. I checked for Opener. Nada. Also have VirusBarrier installed.

Help!

It's not a virus, but there is a small chance that your machine has been compromised by a cracker.

Please tell us
1. What services do you have turned on in System Preferences > Sharing > Services? Why do you have those services on?
2. Why you don't have the firewall on for your computer?
3. What configuration you have on your router--both the state of NAT and a firewall, what ports are forwarded to your computer, if you have a DMZ switched on and for what computer, etc.?
4. When your most recent backup is? If recent, can you wipe your hard drive and reinstall OS X?

Trevor

The first step should be to restart your machine.
Then use "Activity Monitor" (under the /Applications/Utilities folder) to look to see if iPulse is running.

Note that the file ".viminfo" in your home folder is used by 'vi' or 'vim' to store a sort of history of editing operations.
Do you use (or have you used) 'vi' or 'vim' to edit (or just to view) text files?

Sometimes files that should not normally be executable, get that way through a misplaced 'chmod' command or the equivalent by a well-meaning program.

Some types of RTF "files" are actually folders (containing the data files) and thus it would be normal for these to have the "execute" bit on since that is usual for folders/directories.

If you still have some suspicions about particular files/folders, it would be best if you showed us the results of 'ls -lao' on those files/folders.

I assume you mean "/var/log" (without any 's'). Which logs were empty?
Note that it is easier to look at log files using the "Console" utility (under the /Applications/Utilities folder).

The ".swp" files are temporary files created by 'vi' or 'vim'. They normally exist only while you are editing a file using 'vi' or 'vim'.
If you aren't using 'vi' or 'vim', that would indeed be suspicious.

The 'sudo lsof -i' command shows you the names of the programs that have the sockets open (in the first column of output). Which programs have open sockets? Quit all application programs and try again.

Hey, guys, thanks for the response!

OK ... Trevor, in answer to ur questions. I have no services running, I was running NetBarrier X3 Firewall till it started to crash on me. I have NAT on the router on and the built-in firewall to block all inbound traffic. My most recent backup was not recent enough, I fear. I erased a bunch of backups cos they we getting too big and started again. :(

Hayne, this is what I've done. I have already restarted and reformatted my drive. I saved what evidence I could. Only problem is I have 300GB of files (backups, pix, docs) on an external drive which I am uncertain whether I should access or not.

I don't use vi ... i'm lightweight so when I use the Terminal, I use pico.

I've just checked my iDisk. Most of the files seem to be executable. I just downloaded a text clipping as an unprivileged user and tried opening it. It opens okay.

Another thing. I just remembered, for a period of about a week, I was having problems with my mouse. I use a Logitech gamer's mouse which does cause jumpiness very occasionally. Every time I logged in I'd get a string of dots as is if my password had been typed in wrong ... I figured it was my mouse sending erroneous USB data or something ... then I was also having problems controlling my mouse (like it had a will of its own) so I changed the mouse.

I have a Retrospect backup which was done, sadly, after the problems started to appear but maybe it will give a clear snapshot for forensics? Just an idea? Do I have cause for concern? What is my next step?

Thanks again!

If your system was compromised by an attacker, you can't trust any of the executables (including the core OS) that are on the disk. You have said that you have erased and reinstalled from the original DVD - that is good, it will give you a known good system again. The data on the external disk is probably still good and there is no problem in accessing it. But don't use any of the applications (if there are any) on that external disk.

This makes the existence of the vi-related files extremely suspicious (see my comments in previous post) - this is perhaps the strongest evidence for an intruder as there is no other way those files could get there.

You could look through the log files that you saved from the old (compromised) system to see if you see anything suspicious. But the actual break-in might have been many weeks or even months ago. Still it would be worth reading over the logs (e.g. system.log, ftp.log, netinfo.log, secure.log)

Just a few observations... certain file transfer operations performed over the network can set the executable bit on the transferred files. For example, any file added via afp to a folder with "write only" permissions (eg. a user's "Drop Box") automatically gains rwxrwxrwx permissions. Files transferred using SMB seem to acquire u+x permissions.

The existence of "._AppleDouble" files also suggests SMB was involved. These files are usually used as a workaround for storing resource fork data and file "attributes" (eg. "type" and "creator" codes, invisibility bit settings, etc.) when copying to non-HFS based filesystems, but for whatever reason, they are created even when writing to another Mac over SMB. In fact, the existence of these files on your computer points toward it having been a Mac to Mac transfer. A file doesn't necessarily have to have a resource fork for an AppleDouble file to be created for it.

The existence of a "._DS_Store" file in a folder suggests that the entire folder was transferred over SMB - the .DS_Store files created by "Finder" by opening a folder and changing some setting on an SMB mounted volume doesn't seem to acquire an AppleDouble counterpart. The "._DS_Store" files only seem to be created when an existing ".DS_Store" file is copied over SMB. This suggests that the entire "/Library" > "StartupItems" folder was copied from somewhere else. Note that items in the "StartupItems" folder get run at boot time and run as "root".

Apple sets the default permissions on the "/Library" folder to be writable by "admin", so assuming your permissions were correct, in order to replace the "StartupItems" folder outright, the user would need at least "admin" level access... If on the other hand, you mean that the "._DS_Store" files are within folders inside the "StartupItems" folder (and not directly in the "StartupItems" folder), apparently Panther's "repair permissions" doesn't enforce permissions on the the "StartupItems" folder itself (there were complaints earlier that bad installers were allowed to create "world writable" "StartupItems" directories) so depending on the situation, it may have been possible for a user to install a startup item without "admin" privileges, but of course they would subsequently gain full "root" privileges once the items ran. If this is the case, it might be of interest to determine specifically which startup items contained the "._DS_Store" files. The scripts inside could give an indication to what the intended goal was.

Hi iVoltage

Before I get started, I just wanted to give you a piece of advice from The Hitchhiker's Guide to the Galaxy:

DON'T PANIC

Remember, this is just data. Nobody is going to die. If you panic and do something without thinking, you may make things worse.

Your posts seem very rushed and panicy, and as such I am finding it hard to get the necessary information out them that I need to help you with. So I'm going to start over, and ask a heap of question. When (or if) you reply to this post, please make sure you address every question with as much detail as possible. DON'T rush through the answers; you may miss something that is important to those that are helping you.

1. Computers

There are three computers that you look after

1. a PowerMac (yours)
2. a PowerBook (your mum's)
3. and an Emac (your sister's)

Question 1.1: Is this correct?
Question 1.2: What version of Mac OS X are on them? Please specify which version number (eg, 10.3.9)
Question 1.3: Is there any hardware that are attached to these computers (eg, external harddrives, USB key drives, iPods)? These could be ways a virus/trojan/worm could get in and should be considered.
Question 1.4: Are the symptoms you are describing happening on all three computers, or just yours?
Question 1.5: What services are running? To answer this, open 'System Preferences', click on the 'Sharing' icon and then click on the 'Services' tab. Then post here all the lines that are ticked, clearly marking from which computer you took the information (make sure you scroll right down to the bottom of the list).
Question 1.6: Do the computers have a firewall?
If you are using Mac OS X's in-built firewall, open 'System Preferences', click on the 'Sharing' icon and then click on the 'Firewall' tab. The very first line will say either "Firewall On" of "Firewall Off". Please post here if it is on or off. If it is ON, please list all the lines underneath that have a tick next to them (make sure you scroll right down to the bottom of the list).
If you are using another application as a firewall, please specify which application, the version number and any changes you made to the configuration of the firewall.

2. Network

I think I've understood what you've written in your original post, but I just want to be certain. I've tried to make a network diagram.
Question 2.1: Is this accurate? In other words, is the eMac connected to the other computers via your local network (wired or wireless) or is the only way to transfer data from the eMac to the other computers via e-mail or USB thumbdrives?

You mentioned in your second post something about a firewall on a router
Question 2.2: Is this router the Airport Extreme Base Station, the Airport Express or the DSL modem?

Question 2.3: Are there any other connections, wired or unwired, between these computer or these computers and other computers at any time (for example, your mum takes her laptop to work or an internet cafe)?

Question 2.5: Is the software on the Airport Base Station and Express up to date? Use 'Software Update' to update all your software (making sure you haven't marked any updates to be "ignored").

Question 2.5: How have you configured the Airport Extreme Base Station? Please use the Aiport Admin Utility (found in Applications->Utilities) to log into the Base Station and list the configuration. Of particular interest are the following: do you have a password on the Base Station itself, do you have a password on the network (they are different things), what encryption you have on the wireless network (double check this) and do you have a closed network? Please list as much as you can; the more information you give, the more help you get.

Question 2.5: How have you configured the Airport Express? Please list the same configuration details as for the Extreme Base Station

3. Applications

Question 3.1: What applications are install on each computer? Please give a full list, not just the ones you think are the ones giving you the problems. Please include all Apple applications, all applications you have install, plug-ins for any applications and other programs you have run such as Applescripts.

Question 3.2: What applications are running on each computer?
To answer this, open the Terminal application (in Applications->Utilities), then type in 'ps jax' (without the quotes) and then highlight the whole lot (press CMD-A), and copy (using Edit->Copy or CMD-C) and paste the text and post it here, CLEARLY marking from which computer you got the information from.

4. Miscellaneous

Question 4.1: Who is logged into each computer?
On each computer, open the Terminal application, and then type in 'who' (without the quotes) and then copy, paste and post the output (again, clearly marking from which computer you got the information from). This will show if anyone is logged into any of the computers from over the network.

Question 4.2: Which log files are empty?
The best way to answer this is by typing 'ls -la /var/log/' in the Terminal program and post the output here. On my computer, ipfw.log, lookupd.log, lpr.log and mail.log are empty, which is fine. However, if your system.log is empty, then there could be a problem. Are you using any applications that claim to clean up caches, etc. Maybe these are deleting you logs.

Question 4.3: What do you mean? Which files disappeared?

Question 4.4: I've never known files to make noises unless I've opened an MP3 or similar file. What do you mean? Mac OS X regularly writes small chunks of information to the hard disk. This is normal. However, if there is continued, heavy access of the hard disk when no user application are running, this may mean something.

Question 4.5: So you don't have confidence in your technical ability, but you use complicated programs like these? Do you know how to interpret the information these programs give? It would have been better to post the output of these programs (please do).

Question 4.6: What were the files that you thought were odd? Where did they come from? Where did you find "vim.info"? What do you mean by "jump "something" line"? You said you don't use vi/vim. Have you ever used vi/vim?

Question 4.7: Do you mean a file with the extension '.rtf'? Only files which you execute (such as applications or shell scripts) or directories should have the exectue bit set. However, normal files (such as text documents, image files, etc) can have the execute permissions/bits set without any repercusion. Could you please use 'ls -la' to show the permission bits of the files in question?

Question 4.8: As someone already said, .swp files are created by vi/vim when it is editing a file. As you said, this is highly indicative of someone using vi/vim to edit files.

Question 4.9: What program did you use to view these "machine sockets"? SYN packets start a TCP connection, so a program on you machine is making TCP connections with another computer. It could be something simple like an e-mail client or a file-sharing program, or it could be something worse. Output of a program would help.

You should be OK to access the files on the external hard drive, as long as you don't execute any programs that are on it. If there are any programs on it, they should be deleted immediately and re-installed from your original CDs or downloaded again from the internet. Better yet, ask yourself if you really need to use them and don't install the programs you don't use. Also, install the programs one per day and see if there is any program in particular that gives you any problems.

Question 4.10: This is very supicious of cracker/hacker activity. Did this problem go away when you switch mouses?

Question 4.11: This all seem very logical. Do you think anyone in your family could have turned on 'Windows File Sharing' without your knowledge? It's also highly possible that a cracker/hacker started 'Windows File Sharing'/Samba without your knowledge. An output of ps would help.

Yes.

It seems likely that you either have a program or programs that are behaving badly, or more likely, someone has cracked/hacked into your computers.

I think that it is highly unlikely that your computer(s) are infected by a trojan/virus/worm. They simply don't exist on the Macintosh platform (for the moment). I also believe that Mac OS X does a great job at looking after itself.

Therefore, in my humble opinion, installing and using anti-virus software and 'performance enhancing' software on Mac OS X is a waste of resources. You may think they help, but they take up memory and CPU cycles doing a job that really doesn't need to be done. As long as you keep your operating system and applications up to date (by regularly running 'Software Update' and install all the updates, not just the ones you think you need), you shouldn't run into too much trouble, if any.

Note: Always install a anti-virus program and firewall on Windows :mad:

Your next step is to back up every bit of data that you value and re install Mac OS X.

This is not as easy as it sounds. You've got to make sure that you don't repeat the same mistakes you made the first time.

1. Back Up

• Back up everything on read-only media (ie CD or DVD). This way a cracker/hacker can't delete it later (which they could if it's on an external hard drive).

2. Secure your network.

• If you have a DSL modem/router, make sure it is secure (has a good password, doesn't have unnecessary services/ports open, etc). Refer to the documentation that come with the modem/router.
• Make sure your access points have the latest software.
• Change your network name to something that isn't easily guessed.
• Make sure you have a password on your Airport Base Station and Express. Make it a good one, not something easily guessed. Don't write it down. There are some good guides on the internet of how to make a good password - read them. If you can't find them, ask someone.
• Make sure you have a password on your network (Your access point password and network password are not the same thing, but you can make them the same). Make it a good one. Don't write it down.
• Encrypt your wireless network with WPA (if you can). Don't use WEP (if you can help it). If you don't understand the difference, ask someone.
• Make a closed network. This won't stop everyone from finding your network, but it will help. Turning this setting on will mean that when you configure your other computers, you will need to type in the network name exactly as you have it configured on the Base Station or Express. You may not what to use this, but I recommend it.
• Don't use port forwarding.
• Apple Airport Base Stations (and possibly Express) have MAC filtering. This is where only those computers with the correct hardware are able to access the wireless network. This option is located under the 'Access Control' tab. Use the 'Help' in the 'Airport Admin Utilty', search for 'access control' and find the article entitled "Restricting access to your AirPort network" and read the instructions on how to enter your and other computers MAC addresses. If you have any troubles with this, ask someone.
• Turn off unnecessary services on the Base Station. In the 'AirPort' tab, click on the 'Base Station Options' button. Under the 'WAN Ethernet Port' tab, deselect all the available options.

3. Reinstall Mac OS X

• Reinstall the operating system, making sure to completely erase the previous operating system. I can't remember exactly where in the install process this is, but it will ask you if you wish to "Upgrade", "Archive and Install" or "Erase and Install". You want to choose "Erase and Install". There should also be an option to reformat your hard drive and this option may be hidden, so make sure you look carefully at each window that is displayed, looking for something like an 'Option' button
• Choose the 'Custom' or 'Advanced' install option and only install those applications that you use. For example, if you use Safari, deselect Internet Explorer.
• Make sure you have a password for your account. Make it a good one. Don't write it down.

When you have the new operating system installed,

• turn on the firewall,
• don't configure Mac OS X to automatically log in,
• don't turn on any services that you don't need,
• turn off Bluetooth if you don't use it,
• don't make other accounts unless someone is actually using them,

and then use your computer as is, for a week or more. DON'T under any circumstances install ANY other programs, even if you think it will make your computer more secure or faster.

After a week or more, slowly install one application at a time, leaving some time in between each installation. This way you can ensure that if your problems are being caused by a bad application you're going to track down the problem.

But, before you install any application, ask yourself if you really need it. Does it serve a purpose, will you use it, or is it just going to take up hard disk space, memory and CPU time? And if after install a program you realise you don't need it anymore, delete it.

I hope this helps, and please post something about how you're getting on and what you have found.

Hey, guys, thanks again for all the sterling advice. I feel more confident that I can deal with this now. I've only recently got used to the idea of the Terminal so this I'm in at the deep end.

OK ... Hayne, I've started to go through the log files but for the most part they're empty. There seem to be a couple of "unknown events" which happen during the boot process though. Firewall also routinely reports problems. When I grew suspicious, I made sure that I had a secure keyboard in the Terminal and executed the only commands I thought might help ... ifconfig -a sudo lsof -i netstat -a /-n ps -aux. I saved the output to a few of them in a text file. I have lots of incidences of openinfo and openexec, whatever they may be.

I guess I'll have to do forensics and see whether there was a problem. I have good security generally but I was using an admin account day-to-day. I suspect a root kit. Inside out rather than the other way. I'll run non-privileged hereon in.

I've gone back to a clean system like you said and I also compiled a gpg-hardened samhain (WOW!) tripwire and snort. I'm just rolling Nessus to check my fortifications then I'll feel a lot better.

One question. How do I know what is an application and what's not? Any ideas, cunning scripts?

Also, biovizier, the files were ._.DS_Store and ._.Trashes ... does that make a difference?

Once again, thanks for the help. Just like Ghostbusters :D

Peace

I just posted my last reply and I saw your post Synack!! I have stopped panicking. I will reply once I have read your post. BRB

You'll indeed need some time to work through snyacks exhaustive list.

To complement the "don't panic" mantra, some additional thoughts.

Basically, there are roughly four options of what happened:

1
Any conjunction of malfunctioning software, disk corruption and other innocent reasons. Not very probable, given what you told us so far.

2
An inside job. Someone with physical access to your computer.
Depending on what only you can know, that may include spook agencies.

3
Someone targeting you tricked you to run manipulated software or somehow cracked your network. Also looking at the aiports configurations and changing passwords might be a good idea.

4
Skript-kiddie attack. Few to focus on Macs.

Whatever of these four options looks the most likely determines how you respond in a sensible way.

1.1: Yes
1.2: 10.4.1 on all of them
1.3: My sister has an iPod and I have 3 Firewire disks (250GB each) and a USB key drive.
1.4 All three computers are behaving strangely. Whirring hard disks. Mostly mine but my sister is having problems getting to sites suddenly. Safari will suddenly warn her about the certificates on really established sites like MSN or Amazon.
1.5 No services are running on any machines. I even turned off the network time server when we got Tiger.
1.6 The OS Firewall is also turned on for all of us. I recently turned on the "block UDP" option on our machines. I was running NetBarrier (10.3.6) till it started to quit at start-up.


2.1 Totally accurate. The only way to transfer information to the eMac is via the internet or flash drives.
2.2 The firewall on a DG834 Netgear router/modem. My sister gets along with just the software firewall.
2.3 My mum uses a PC at work but my sister sometimes borrows it for college.
2.4 All software bang up-to-date
2.5 Not a closed network but I set up WPA Personal encryption. No SNMP, remote access or other options allowed. Good long passwords for network and basestation.
2.6 The same as above.

3.1 I will only list the programs which are not part of the base OS install for Tiger as we all have those.

Mother
Firefox,
Office 2004
Keynote 2
MacGourmet. (Good mother!)

Sister
Photoshop 7
Illustrator 10
Dreamweaver MX
Circus Ponies Notebook
Toast 6
Candy Bar
Pixadex (full of gaudy icons)
VPC 7
Acquisition (uh-oh)
iView Multimedia
Retrospect
Adium
FontCard
Snapz Pro 2


Me
Toast 6
Netbarrier 10.3.6
Norton AV 10
iClip
iDrum
iPulse
FruitMenu
Speed Download
StickyBrain
Omni Outliner 2
Recycle 2.1
Popcorn
Stylus RMX
World Of Warcraft
Palm Clicker
NetNewsWire
Concierge
Unison
Pages
Super Duper
PGP 9

3.2

ME
USER PID PPID PGID SESS JOBC STAT TT TIME COMMAND
root 1 0 1 4f04e88 0 S<s ?? 0:00.25 /sbin/launchd
root 21 1 21 4f04c60 0 Ss ?? 0:00.00 /sbin/dynamic_pager -E -F /private/var/vm/swapfile
root 25 1 25 4f04b4c 0 Ss ?? 0:00.73 kextd
root 31 1 31 4f04a38 0 Ss ?? 0:07.29 /usr/sbin/configd
root 32 1 32 4f04924 0 Ss ?? 0:00.18 /usr/sbin/coreaudiod
root 33 1 33 4f046fc 0 Ss ?? 0:00.22 /usr/sbin/diskarbitrationd
root 34 1 34 4f04810 0 Ss ?? 0:00.02 /usr/sbin/memberd -x
root 35 1 35 4f045e8 0 Ss ?? 0:00.27 /usr/sbin/securityd
root 37 1 37 4f044d4 0 Ss ?? 0:00.13 /usr/sbin/notifyd
root 38 1 38 4f043c0 0 Ss ?? 0:00.81 /usr/sbin/DirectoryService
root 39 1 39 4f04084 0 Ss ?? 0:00.01 /usr/sbin/KernelEventAgent
root 40 1 40 4f03e5c 0 Ss ?? 0:00.19 /usr/sbin/mDNSResponder -launchdaemon
root 41 1 41 4f03f70 0 Ss ?? 0:00.31 /usr/sbin/netinfod -s local
root 42 1 42 4f042ac 0 Ss ?? 0:00.29 /usr/sbin/syslogd
root 43 1 43 4f04198 0 Ss ?? 0:00.02 /usr/sbin/cron
root 48 1 48 4f03c34 0 Ss ?? 0:02.61 /usr/sbin/update
windowse 56 1 56 4f038f8 0 Ss ?? 1:16.12 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGra
root 61 31 31 4f04a38 0 S ?? 0:00.23 /usr/sbin/blued
root 62 1 62 4f03a0c 0 Ss ?? 0:00.96 /System/Library/CoreServices/coreservicesd
root 64 1 64 4f037e4 0 Ss ?? 0:00.17 /usr/sbin/distnoted
greg 73 1 73 4f036d0 0 Ss ?? 0:01.55 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.fra
greg 74 1 74 4f03d48 0 Ss ?? 0:00.46 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow con
root 77 1 77 4f035bc 0 Ss ?? 0:03.34 /usr/sbin/lookupd
root 102 1 102 4f029e0 0 Ss ?? 0:00.00 /usr/libexec/crashreporterd
root 121 1 121 4f02f44 0 Ss ?? 0:00.00 nfsiod -n 4
root 136 1 136 4f03394 0 Ss ?? 0:00.00 rpc.lockd -w
root 140 1 140 4f026a4 0 Ss ?? 0:00.29 /usr/sbin/automount -f -m /Network -nsl -mnt /private/var/automount
root 158 1 158 4f02590 0 Ss ?? 0:00.02 /usr/sbin/automount -f -m /automount/Servers -fstab -mnt /private/Network/S
root 161 1 161 4f027b8 0 Ss ?? 0:24.68 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.frame
greg 167 74 167 4f02d1c 0 Ss ?? 0:00.18 /System/Library/CoreServices/pbs
greg 175 56 56 4f038f8 0 S ?? 0:01.75 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock -psn_0_524289
greg 176 56 56 4f038f8 0 S ?? 0:00.08 aped
greg 177 56 56 4f038f8 0 S ?? 0:01.58 /System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServ
greg 178 56 56 4f038f8 0 S ?? 0:04.25 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder -psn_0_786433
greg 190 56 56 4f038f8 0 S ?? 2:12.18 /Applications/Safari.app/Contents/MacOS/Safari -psn_0_1310721
greg 239 56 56 4f038f8 0 S ?? 2:51.31 /Applications/Mail.app/Contents/MacOS/Mail -psn_0_1966081
greg 268 56 56 4f038f8 0 S ?? 0:07.07 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_2228225
greg 317 175 56 4f038f8 0 S ?? 0:00.56 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.ap
greg 318 175 56 4f038f8 0 S ?? 0:00.60 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.ap
greg 319 175 56 4f038f8 0 S ?? 0:00.60 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.ap
greg 320 175 56 4f038f8 0 S ?? 0:00.66 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.ap
greg 330 1 330 4f03280 0 SNs ?? 0:00.46 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Met
greg 348 56 56 4f038f8 0 S ?? 0:20.72 /Applications/TextEdit.app/Contents/MacOS/TextEdit -psn_0_3014657
greg 351 56 56 4f038f8 0 S ?? 0:00.33 /System/Library/Services/AppleSpell.service/Contents/MacOS/AppleSpell -psn_
root 370 268 370 4f02c08 0 Ss p1 0:00.01 login -pf greg
greg 371 370 371 4f02c08 1 S p1 0:00.01 -bash
root 375 371 375 4f02c08 1 R+ p1 0:00.00 ps jax
root 29 1 2 4f04d74 0 S+ ?? 0:00.00 /usr/libexec/ipfwloggerd

SISTER
USER PID PPID PGID SESS JOBC STAT TT TIME COMMAND
root 1 0 1 1895e88 0 S<s ?? 0:00.73 /sbin/launchd
root 21 1 21 1895c60 0 Ss ?? 0:00.00 /sbin/dynamic_pager -E -F /private/var/vm/swapfile
root 25 1 25 1895b4c 0 Ss ?? 0:04.06 kextd
root 52 1 52 1895924 0 Ss ?? 0:05.08 /usr/sbin/configd
root 53 1 53 1895810 0 Ss ?? 0:01.03 /usr/sbin/coreaudiod
root 54 1 54 18956fc 0 Ss ?? 0:02.06 /usr/sbin/diskarbitrationd
root 55 1 55 1895a38 0 Ss ?? 0:00.07 /usr/sbin/memberd -x
root 56 1 56 18955e8 0 Ss ?? 0:00.73 /usr/sbin/securityd
root 58 1 58 18954d4 0 Ss ?? 0:00.37 /usr/sbin/notifyd
root 59 1 59 18953c0 0 Ss ?? 0:01.12 /usr/sbin/DirectoryService
root 61 1 61 1894e5c 0 Ss ?? 0:00.04 /usr/sbin/KernelEventAgent
root 62 1 62 1894d48 0 Ss ?? 0:00.55 /usr/sbin/mDNSResponder -launchdaemon
root 63 1 63 1894f70 0 Ss ?? 0:01.02 /usr/sbin/netinfod -s local
root 64 1 64 1895084 0 Ss ?? 0:00.16 /usr/sbin/syslogd
root 70 1 70 1894c34 0 Ss ?? 0:06.38 /usr/sbin/update
windowse 81 1 81 1894b20 0 Ss ?? 1:35.40 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.
root 83 1 83 18952ac 0 Ss ?? 0:05.59 /usr/sbin/distnoted
root 84 1 84 1894a0c 0 Ss ?? 0:00.80 /usr/sbin/lookupd
root 86 1 86 18948f8 0 Ss ?? 0:06.49 /System/Library/CoreServices/coreservicesd
jo 87 1 87 18947e4 0 Ss ?? 0:02.42 /System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework
jo 88 1 88 18946d0 0 Ss ?? 0:01.89 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console
root 103 1 103 1893f44 0 Ss ?? 0:00.01 /usr/libexec/crashreporterd
root 136 1 136 1894058 0 Ss ?? 2:18.03 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/V
jo 205 88 205 1893e30 0 Ss ?? 0:00.82 /System/Library/CoreServices/pbs
jo 210 81 81 1894b20 0 S ?? 0:01.56 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock -psn_0_524289
jo 211 81 81 1894b20 0 S ?? 0:04.50 /System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer -ps
jo 213 81 81 1894b20 0 S ?? 1:31.21 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder -psn_0_786433
nobody 253 1 253 18944a8 0 SNs ?? 0:15.70 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.
root 254 1 81 1894b20 0 S ?? 16:56.82 /System/Library/Frameworks/Carbon.framework/Versions/A/Support/LaunchCFMApp /Appl
root 261 1 261 18945bc 0 Ss ?? 0:00.11 /Library/StartupItems/RetroRun/RetroRun
jo 264 81 81 1894b20 0 S ?? 0:10.12 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_1441793
jo 269 1 269 1894394 0 SNs ?? 0:01.29 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.
jo 289 81 81 1894b20 0 S ?? 0:07.60 /Applications/iTunes.app/Contents/MacOS/iTunes -psn_0_1835009
root 300 1 300 1893c08 0 Ss ?? 0:00.19 /System/Library/PrivateFrameworks/DiskImages.framework/Resources/hdiejectd
jo 301 81 81 1894b20 0 S ?? 0:06.35 /Volumes/Adium X 0.82/Adium.app/Contents/MacOS/Adium -psn_0_1966081
jo 305 86 86 18948f8 0 Z ?? 0:00.00 (SFLSharedPrefsTo)
jo 306 81 81 1894b20 0 S ?? 0:01.36 /System/Library/CoreServices/System Events.app/Contents/MacOS/System Events -psn_
root 282 264 282 1893af4 0 Ss p1 0:00.05 login -pf jo
jo 283 282 283 1893af4 1 S p1 0:00.06 -bash
root 307 283 307 1893af4 1 R+ p1 0:00.02 ps -jax
root 50 1 2 1895d74 0 S+ ?? 0:00.01 /usr/libexec/ipfwloggerd


4.1 My sister is logged in twice on console and ttyp1. Same for me.

4.2 I'll have to go back to the backup. I've reinstalled the system software on mine and my sister's machines. My Mum needs a reformat when she gets back.

4.3 My PGP keys disappeared. PGP crashed just after I created a new one. When I reopened it it was gone. My receipts folder disappeared unless I threw it out. Also, I've just remembered while rooting round the terminal, I found a file called find.codes in etc/

4.4 OK, I don't like having FileVault on because it makes my disk whirr as it encrypts on-the-fly. This is the same sound but for longer periods, like I had a scratch disk. Data being written or read. My G5 shouldn't make this noise when idle. My sister's was doing the same.

4.5 No. I just remember the commands from a Unix book I was reading recently. If I am curious I read the man pages. I was going to use TCPdump but I didn't know quite what to make of the packets. I'll stick to the GUI.

4.6 No. I have used pico.

4.7 This is my iDisk. Using ls -la -F.


iDisk
drwxrwxrwx 1 greg greg 2048 May 26 15:28 ./
drwxrwxrwt 6 root admin 204 Jul 3 20:06 ../
-rwxrwxrwx 1 greg greg 6148 Jun 29 01:43 .DS_Store*
drwxrwxrwx 1 greg greg 2048 Mar 31 02:27 .Groups/
drwxrwxrwx 1 greg greg 2048 May 17 14:42 .TemporaryItems/
-rwxrwxrwx 1 greg greg 82 May 17 14:42 ._.TemporaryItems*
-rwxrwxrwx 1 greg greg 29087 Apr 29 19:35 About your iDisk.rtf*
drwxrwxrwx 1 greg greg 2048 Mar 31 02:26 Backup/
drwxrwxrwx 1 greg greg 2048 Jun 29 01:43 Documents/
drwxrwxrwx 1 greg greg 2048 Apr 5 02:10 Library/
drwxrwxrwx 1 greg greg 2048 Mar 31 02:26 Movies/
drwxrwxrwx 1 greg greg 2048 Mar 31 02:26 Music/
drwxrwxrwx 1 greg greg 2048 Jun 16 20:06 Pictures/
drwxrwxrwx 1 greg greg 2048 May 29 08:06 Public/
drwxrwxrwx 1 greg greg 2048 Mar 31 02:27 Sites/
drwxrwxrwx 1 greg greg 2048 May 5 22:47 Software/

Pictures Folder
drwxrwxrwx 1 greg greg 2048 Jun 16 20:06 ./
drwxrwxrwx 1 greg greg 2048 May 26 15:28 ../
-rwxrwxrwx 1 greg greg 6148 Jun 28 19:01 .DS_Store*
-rwxrwxrwx 1 greg greg 82 Apr 2 21:14 ._.DS_Store*
drwxrwxrwx 1 greg greg 2048 May 12 02:32 User Pix/


User Pix (In Picture Folder)
drwxrwxrwx 1 greg greg 2048 May 12 02:32 ./
drwxrwxrwx 1 greg greg 2048 Jun 16 20:06 ../
-rwxrwxrwx 1 greg greg 82 Apr 30 07:50 ._Benny.png*
-rwxrwxrwx 1 greg greg 82 Apr 30 07:50 ._Bruce Wayne.png*
-rwxrwxrwx 1 greg greg 82 Apr 30 07:50 ._Colonel K.png*
-rwxrwxrwx 1 greg greg 82 May 12 02:32 ._Custard.png*
-rwxrwxrwx 1 greg greg 82 Apr 30 07:51 ._DM In A Pickle.png*
-rwxrwxrwx 1 greg greg 82 Apr 30 07:51 ._Danger Mouse.png*
-rwxrwxrwx 1 greg greg 82 Apr 30 07:52 ._Frank.png*
-rwxrwxrwx 1 greg greg 82 Apr 30 07:52 ._Louis.png*
-rwxrwxrwx 1 greg greg 82 Apr 30 07:52 ._Moo.png*
-rwxrwxrwx 1 greg greg 82 Apr 30 07:53 ._Roger.png*
-rwxrwxrwx 1 greg greg 3202 Apr 30 07:50 Benny.png*
-rwxrwxrwx 1 greg greg 2751 Apr 30 07:50 Bruce Wayne.png*
-rwxrwxrwx 1 greg greg 5229 Apr 30 07:51 Colonel K.png*
-rwxrwxrwx 1 greg greg 4960 May 12 02:32 Custard.png*
-rwxrwxrwx 1 greg greg 4609 Apr 30 07:51 DM In A Pickle.png*
-rwxrwxrwx 1 greg greg 4451 Apr 30 07:51 Danger Mouse.png*
-rwxrwxrwx 1 greg greg 1883 Apr 30 07:52 Frank.png*
-rwxrwxrwx 1 greg greg 3186 Apr 30 07:52 Louis.png*
-rwxrwxrwx 1 greg greg 3236 Apr 30 07:52 Moo.png*
-rwxrwxrwx 1 greg greg 3193 Apr 30 07:53 Roger.png*

4.9 I will grab this off the disk. I used sudo lsof -i to see the SYN packets. I will not install anything off the disk at all. I'm sure you can you hide programs in pictures. No? ApplicationsI can live without but all my docs, pix and music .... my life ... are on one big disk.

Synack that was a great post. |t has made me stop and think for once. I'm sure I can do away with some programs. I also need to implement a better backup strategy. And trash my sister's copy of Acquisition. If I have been hacked I still have the hacked system backed up. I am going to go through the logs with a fine toothcomb and use read -only media backups.

Thanks again. I really appreciate it!

Netgear has a pretty shoddy security record.
You might want to check for known exploits and make sure the firmware your sister runs isn't vulnerable.

And as for the uh-oh item in the list of your sisters progs, indeed, make sure none of the apps downloaded that way were manipulated. Either getting copies from known good sources or checksumming are the only easy ways to do that I could think of.

Don't forget to change all of your passwords!

Hmm, ._.Trashes folder wouldn't normally get created without copying over an entire disk. This could happen if someone were to copy files from a Mac onto a PC formatted thumb drive for example, (thereby creating the ._AppleDouble files), mounted that disk on your Mac then cmd-dragged the disk icon onto your hard drive. I just tried this, and it turns out that all of the files end up with rwxrwxrwx permissions as well (at least on my "Panther" system - not sure about your "Tiger"). So SMB may not necessarily be involved after all - a local user could also be responsible (intentionally, or by being tricked as others have pointed out).

As for the ._.DS_Store files, the files themselves aren't so important (the dates might provide a clue if SMB turned out to be involved but would be less useful in a situation involving a disk). They may be useful in indicating which folders were transferred though, and it would bother me if there were any in "StartupItems". Things in "/Library/StartupItems" are generally those that don't come with the system. If anything turns up in "/Library/StartupItems" using ls -al, other than the "dot" files themselves, they would be worth examining further. I take it "RetroRun" is something related to "Retrospect" - I wonder if these weird AppleDouble files and odd permissions are just a side effect of using or installing that software...

So basically, by themselves, the permissions issues and the "._" files could be innocent, but that still doesn't explain the vi files and disappearing logs...

dunno if this helps, but a quick google search reveals that vi isn't the only program to create .swp files. (it seems the majority of programs might be on the PC side, but it's something else to consider)

Thanks for the reply, iVoltage. It's pretty detailed. Unfortunately, I don't have Tiger, so I can't compare your output to a trusted computer, but I can't see anything which seems totally out of place.

Are you having the same trouble with your newly install operating systems?

1.x
The problem with Safari is very strange. Does this happen all the time? Is the problem with the new installation, the old or the both? Other than that, nothing seems wrong here. The low lever disk activity is normal even if you don't have FileVault on. Information in system memory is constanty being written to and read from the hard disk and stored in an area of your computer called virtual memory.

I just did an experiement, where I quit all my applications except 'Safari' and 'Activity Monitor', and then watched what my disk was doing (by clicking on the tab 'Disk Activity' at the bottom of the window). Even when I wasn't touching the computer, about 100k of data was being written/read roughly every 5-10 seconds. My hard disk also makes noises, but no data is being transferred and yours probably does the same; this is just the read/write head moving about.

If there is more activity than this, try using something like 'top -ocpu -R -F -s 2' or 'Activity Monitor' sorted with the '%CPU' descending to find out what is using the most CPU cycles (and thus hard disk activity because you need the CPU to write to the hard disk) and tell us if there is a program that increases in activity when the hard disk makes it noise.

2.x
voldenuit's advice about double checking your firmware for the Netgear router is very sound, especially considering what other people are saying.

Again, nothing seems bad here, as long as the passwords aren't easily guessed (like they are your street name and a neighbour has guessed them and gotten into the network).

Another thing to try is turn off all your computers and watch the LEDs on the Airport Extreme Base Station and Express, to see if there is any activity. If there's only a little, that's probably background noise. If there's a lot, then someone is using you network.

If there isn't a lot of activity, turn on a computer, one at a time, (making sure any applications that access the internet, like Mail, aren't running) and watch the network. If there is more activity, then something isn't right with that computer. Use 'lsof -i' to find out which application is connecting to the internet.

3.x

I'm guessing the 'ps' outputs are from your newly installed systems.

I did notice a couple of things. On your 'ps' listing, you had a program running called 'aped', which after a quick google search reveals some people have a problem with it. I realise this isn't the problem you describe, but it does add weight to my argument that you shouldn't install "third party" applications until you've tracked down the problem.

You also have Dashboard running. What widgets do you have installed and which ones are you running?

Your sister also has Retrorun running, which also has some problems with it. Perhaps you should move the 'Startup Item' to a safe place and reboot the computer to see if this fixes anything.

There's also the line ""root 254 1 81 1894b20 0 S ?? 16:56.82 /System/Library/Frameworks/Carbon.framework/Versions/A/Support/LaunchCFMApp /Appl"" which has been chopped off. Without the full line, I can't comment on this.

I can't find any information on the program 'hdiejectd'. Perhaps someone else can make a comment on this? In my mind, it doesn't seem out of place.

There also the line ""jo 305 86 86 18948f8 0 Z ?? 0:00.00 (SFLSharedPrefsTo)"" which is a program that has locked up (if I remember correctly). You should try 'kill -9' and then the process id number (which in this case is '305'). The program may have exited by the time you read this, so double check before typing 'kill'.

The other thing to consider is if a rootkit has been install on your computer, there could be programs that aren't showing up on 'ps' and thus the output of 'ps' can't be trusted. You should try to use both 'ps' and 'Activity Monitor' and check that they both list the same programs. If there is a program that shows up in 'Activity Monitor' but not 'ps', then cracker/hacker activity is highly suspected.

4.x
In regards to 4.1, good. Keep an eye on this, especially when the problems come up. This only indicates if a cracker is logged in, not if their programs are running, so it could have been that they weren't logged in at the particular moment that you issued the 'who' command. Also, if a cracker is logged in, they will most likely be using your user name, so make sure you correlate the log in place (I don't know the technical name for this, but either console of ttyp?) to where you are actually logged in.

4.2 So you've reinstalled Mac OS X? Do you still have the problems. Have you reinstalled your "third party" software or are you only using Apple software.

Admin rule #1: Don't delete ANYTHING. Even if you know what it's for, move it to a different location, don't delete it. And if you don't know what it is for, don't touch it. I also have find.codes in /etc/. It's empty. Is yours?

I personally wouldn't take much notice on the permissions on iDisk. Like I said previously, it's not harmful for 'normal' files (docs, images, etc) to have the exectue permissions set. The ._.???? files might be just from copying the corresponding .???? files to the iDisk. However, I don't have iDisk, so I can't say for sure.

An output of 'lsof -i' would be great to try to find out which applications are making the connections.

The only way to "hide programs in pictures" would be if the reading application contained a security hole like a buffer overflow or something similar. This shouldn't be a problem with your setup as your software is up to date (in other words, if there is a security hole, you've done everything you can).

Unfortunately, you've learnt the hard way of why a good backup strategy is necessary, especially considering how much data you've got. And let that be a lesson to the rest of you! ... nuts. (I'm quoting Chief Wiggum, I'm not calling anyone here nuts)

In regards to what vancenase said, changing the google search suggests that vi/vim is the only program that makes .swp files on Mac OS X. The other thing to look for is if the .swp files correspond to alread existing files. So for example, if you have a file, something.txt and something.txt.swp, then it's more than likely vim, whereas something.swp or othername.swp probably isn't.

Lastly, if you could give a list of your recent actions (like if you've reinstall the operating system (and which computer you've installed it on) and what applications you've install/uninstalled),that you would be great.

for a file called file.txt, vi/vim creates a swp file as .file.txt.swp (begins with a period)

You're absolutely correct. Sorry, me bad.

While I'm pretty impressed with your in-depth analysis, may I modestly point you to this paper

http://www.ccc.de/congress/2004/fahr...rity-paper.pdf

which, among other things, describes in 3.7 a way to fabricate something that pretty much looks like a document, yet behaves like an app.
Apple was notified by the author before publication, yet failed to see the problem. I have not checked whether, and if so, when they got it fixed. However, at least Apple Germany was kind of not amused by the publication.

Greg, in cases where someone is really out to get you, it takes a rather experienced unix admin to run a sufficiently tight ship.
They only need to find one hole, you are screwed the moment you make your first mistake.

Try to get a unix wiz you trust to look at your machines or start reading stuff like the NSA-security-guide for OS X:

http://www.nsa.gov/snac/downloads_macX.cfm

if i sounded like a prick above, i apologize (post facto) :) i was typing during a 16+ hour workday. iVoltage, you're in good hands!

Now that I feel like I'm on terra firma again with a known good, I have had time to think about the possible (likely?) intrusion from a more objective standpoint. I am really learning through all of this.

OK, now all of my passwords have been changed - they are always long and involved, anyway - I have turned my attention to recovering my "life" from a 250GB Firewire drive filled with thousands upon thousands of scattered files. I am interested in what Voldenuit has pointed out, something which I raised earlier. How the hell do I know if it's an application?

From my highly limited understanding, there is no easy way to tell. For instance, just before I pulled the modem lead, I had scanned my files with Zebra Scanner, a utility which detects applications or executable code which is not tagged thus in its file type. It seems to be an imprecise science but it's better than nothing. Especially when VirusBarrier and NAV don't bother to check.

I'm taking this one step further now. I have just compiled and configured (I know, what change a week can make) a GPG-enabled Tripwire which stenographically conceals files within an image file or suitable binary. Couldn't a Trojan do the same? Wouldn't it be fairly routine to do so? The idea makes me uncomfortable.

Despite the fact we are always told we are pretty safe from Trojans and viruses, I am not so convinced. A little social engineering, a lot of complacency and a carefully crafted Trojan could spread like wildfire, even if it wasn't technically a virus. Maybe I'm just paranoid now. Hehe.

I don't run ANY widgets, by the way. Widgets are evil. Widgets are pointless. Widgets suck. In the Book of Revelations it clearly states that widgets will herald an age of darkness. Nostradamus agreed (that's when he wasn't playing Tetris).

OK, I really better do some work. Once again, thanks a million, guys. You are priceless. I am humbled by your knowledge and appreciate you sharing it with me.

;)

i don't know if anyones mentioned this ..
 

but do you have Finder set to "calculate all file sizes"?

because i found that, inevitably, if i leave a Finder window open with that value set on, my whole system gets chunky .. i actually depend on filesizes in Finder a lot, its one of the reasons I use Finder (to manage things), if ever (most of the time it is "Quit" .. i don't leave it running, since I'm a term kinda guy on OSX anyway ..).

Just saying, anyway, if your system is chunky: make sure you haven't overlooked blaming Finder. It is a bit of a rude program at times.. still.

No, it couldn't spread like wildfire on OS X or Linux systems, although of course it could (and does, every day) on Windows systems.

Think of a disease organism, such as an infectious bacteria, that spreads by moving from person to person. But for this imaginary bacteria that we are thinking of, 90-95% of the people are immune to it. (This corresponds very roughly to a Mac virus, worm, or Trojan--roughly 90-95% of computers run something other than OS X and would be immune to OS X malware.) Because the vast vast majority of infection vectors are dead ends--they end in a person who is immune--this imaginary bacteria would only spread very very slowly, or even die out quickly as the 5% who could be infected developed immunities.

In the same way, OS X malware (when someone finally sinks low enough to write some) would of necessity spread very slowly. Because of the nature of computer viruses, etc. the anti-virus companies would have ways to fight an OS X virus long before it became an issue, just because it's spread would be so slow.

On Windows, on the other hand, malware has an approximate 90% of hosts that CAN be infected, and so Windows malware can spread very quickly.

Trevor

Confirmed
 

This actually is a trojen of some sort, either hand designed or otherwise :)

To be honset I found this out because i'm at work and my employeer has decided to bug my system.

Or I suppose I could always speak with my employeer about it, its pretty disconcerning considering they've given the abillity to moniter my system by another employee.

Details please.
By referring to "this", do you actually mean to say that you have experienced exactly the same things as described a year and a half ago by the original poster in this thread?

Probably just CarbonKeys or something. You could just use Activity Monitor and kill it, I've tried using that program, and for some reason it gets screwed up whenever you type in your keychain or login password.

Hi, just wanted to reply that I just saw the very same app "sflsharedprefsto" crawl up on my computer, too. I tried to load a bunch of bookmarks into tabs with a prerelease version of safari. Is now gone again - strange.

Update:Ok, located the problem to this url:
feed://musicthing.blogspot.com/atom.xml

Update 2: Ok, was probably a result of bothe the prerelease WebKit version and changing "Web" and RSS to this app with RCDefaultApp.