"U R h4X3r3D" message in Terminal

I've started seeing the following popping up a lot in my Terminal


I'm going to stick my neck out, and guess that's not good Does anyone have any idea on how to isolate where this is coming from or get rid of it? Ideally, other than "reinstall everything"!

It doesn't happen after every command, it seems to appear when there's an exclamation mark in the command. E.g. simply entering: !" will do it. I only noticed it today as I was installing/testing redis and inserted a key with an exclamation mark which obviously caused it to appear.

Any help appreciated!

Thanks for the suggestions! The filename didn't turn up anything (that would have been too easy..) I'm doing the file-contents search now.

It's found a couple of hits, but they may be false positives (one's in a .fla file that's included with Flash CS4 and the other in the Lion installer dmg) but both only include "h4X3" with none of the other text.

The below is how I noticed it. I just happened to enter an exclamation mark in a test string I was entering into redis (a popular key value store I just installed), and you can see what popped up below. As you can see on the last line, just entering !" will bring up that text.


I also found the following in my .bash-history, these commands seem to be from months ago:


The odd thing about the above, is those strings are appearing just below where I was entering the recommended test for the Flashback trojan. Seems very odd that they're juxtaposed like that. (And FYI, I'd never trust a popup installer when browsing, if installing Flash updates I'd always navigate directly to the Adobe site and not trust any link).

Many thanks!

Other accounts on the same machine seem unaffected (at least I can't reproduce the same behaviour) so I'll switch another local account until I have time to wipe & reinstall everything.

I would love to know what the attack vector is/was. I don't download any pirated software, and do install the Apple security updates. It is possible that any 3rd party utility could (deliberately or inadvertently) include malware, or it could involve some kind of drive-by vulnerability. What surprised me was that I couldn't find many others who had the same issue. There was one user in a previous thread on this site who posted a similar message in the Flashback thread, but no further info.

ElectricSheep said:

You should be aware that ! is the bash history expansion token. If you use ! as part of a command and it is not escaped or enclosed in double-quotes, bash will treat it as the history expansion token and not a literal exclamation point. This means that a command like redis-cli set testkey "Hello, world!" will try to use bash history expansion searching for a command in your bash history that started with a double-quote (the expansion of !"). Since you looked in your bash history, that will match:

Code:

"U R h4X3r3D... DIE NUBEclscls"clear

.

If you need to use the exclamation point in a string literal as part of a bash command, enclose it in single-quotes.

Click to expand...

I knew the exclamation mark had something to do with the history expansion, but didn't know what the effects of !" would do. Following up on your comment, I think I've figured out what happened. Please don't read this, as it makes me look like a complete IDIOT!

I deleted my .bash_history, and lo and behold the "problem" went away. I think when checking my system for the Flashback trojan some months ago, I copied text from the thread above. I must have accidentally pasted the 'h4x3' text above into a Terminal window instead of into the Google search textfield (damn you keyboard focus). Thus, that text was in my bash history. Then, it just happens that the exclamation mark is pulling that text out of the history file every time.

No malware. User is just an idiot! Thanks for helping me figure this out!

smithrh said:

Not knowing anything about the OPs environment, but is the computer physically secure? Any roommates?

It's not hard with a little bit of Unix shell background to have a bit of a laugh with someone's account.

Click to expand...

Hah. It is that kind of office! I once logged into a colleague's computer via telnet and used Applescript commands to say "I see dead people" in the Whisper voice, or randomly eject the CD drawer. In this case though, the explanation is much simpler (and more embarrassing!), see above.