
Halsey12

macrumors regular
Original poster
Jan 1, 2006
149
0
Portland
Last night my girlfriend had a bad encounter with some nasty script via the "gnaa"... she clicked on a new iChat message that popped up and it was a link that opened Safari, then immediately opened a bunch of Terminal command windows, then was opening a slew of mail messages in Mail that it was trying to send.

I killed the AirPort connection before any mail could send from her account, and we restarted her computer and reset her account password. Is the w command in Terminal the best way to check to see if someone else is using her computer still? I don't see anything else suspicious, but am not sure what something like this could actually do completely- copy passwords, continue remote access if the passwords have been changed? The firewall log shows a whole mess of rejected iChat attempts- a few hundred, but that is all I can see that looks leery, and nothing happening now.

Any suggestions on what to look for or if we should do a clean install would be appreciated. I did search the forums, but could only find one somewhat useful thread on a potential hack. The rest that came up in the search results were not that relevant. Thanks!
 

Halsey12

macrumors regular
Original poster
Jan 1, 2006
149
0
Portland
Wow, turns out they had root access and a bunch of other names showing up in the activity monitor. Pretty nasty script whatever it was. So much stuff in the activity monitor, runaway syslog constantly using 100% cpu. Doing a clean install right now, hopefully that will clear it all up.
 

Blogger

macrumors 6502
Jul 18, 2002
308
0
Local
Quote:
Wow, turns out they had root access and a bunch of other names showing up in the activity monitor. Pretty nasty script whatever it was. So much stuff in the activity monitor, runaway syslog constantly using 100% cpu. Doing a clean install right now, hopefully that will clear it all up.

This is the first I've heard of such a thing. Can you give us a few more details?
Thanks.
 

Halsey12

macrumors regular
Original poster
Jan 1, 2006
149
0
Portland
Here is a screen capture of the Activity Monitor a couple days after this happened. Again, she was on iChat, and an incoming message came telling her that her LiveJournal had been hacked. She clicked on the message which I guess was a link that opened a Safari page. She saw some porn pop up, then when she yelled for me and I came upstairs, a ton of Terminal windows were opening, and a ton of mail messages were opening in Mail saying to join the gnaa.us. That is the truth.

Since that happened, her fans were running non-stop and a syslog was constantly running at 100 percent of the CPU. I don't know much about any of this, but I have never seen anything besides our user names in the activity monitors on our computer, and here is what hers looked like last night before the clean install, and this is an untouched screen capture-
 

Attachments

  • Picture 1.png (291.9 KB)
  • Picture 2.png (288.3 KB)

Peace

Cancelled
Apr 1, 2005
19,546
4,556
Space The Only Frontier
Quote:
Here is a screen capture of the Activity Monitor a couple days after this happened. Again, she was on iChat, and an incoming message came telling her that her LiveJournal had been hacked. She clicked on the message which I guess was a link that opened a Safari page. She saw some porn pop up, then when she yelled for me and I came upstairs, a ton of Terminal windows were opening, and a ton of mail messages were opening in Mail saying to join the gnaa.us. That is the truth.

Since that happened, her fans were running non-stop and a syslog was constantly running at 100 percent of the CPU. I don't know much about any of this, but I have never seen anything besides our user names in the activity monitors on our computer, and here is what hers looked like last night before the clean install, and this is an untouched screen capture-

Those are all normal processes. Nothing unusual.
 

Halsey12

macrumors regular
Original poster
Jan 1, 2006
149
0
Portland
Quote:
Sounds like Last Measure. It'll crash your browser for sure but shouldn't allow root access.

The Terminal windows opened instantly, and immediately after that her Mail opened with all those messages. I didn't get to see what was in the terminal commands before we killed the internet connection to stop the e-mails from sending and force quit her computer.

I also found a folder created in her user library for eSellerate, with a whole bunch of stuff in it I couldn't open. It was created on the date this happened. I know she has never used eSellerate software.
 

pseudobrit

macrumors 68040
Jul 23, 2002
3,416
3
Jobs' Spare Liver Jar
Quote:
The Terminal windows opened instantly, and immediately after that her Mail opened with all those messages. I didn't get to see what was in the terminal commands before we killed the internet connection to stop the e-mails from sending and force quit her computer.

I also found a folder created in her user library for eSellerate, with a whole bunch of stuff in it I couldn't open. It was created on the date this happened. I know she has never used eSellerate software.

It uses JavaScript to open or try to open Skype, your default chat, ICQ and e-mail apps, as well as opening the Terminal and running a telnet command.

It should not be able to get root access. If you can find the link and post it here I can grab the script, or you can do it by disabling JavaScript in your browser before opening the page, then viewing the source code.
 

pseudobrit

macrumors 68040
Jul 23, 2002
3,416
3
Jobs' Spare Liver Jar
One example:

Code:
var protos = [ 
        "lm.pdf",
        "jews.wmv",
        "irc://irc.gnaa.us/gnaa",
        "irc://irc.efnet.org/politics",
        "news:alt.flame.******s",
        "news:alt.flame.***",
        "mailto:JOIN@THE.GNAA?subject=2006_RECRUITMENT_DRIVE&body=www.gnaa.us",
        "callto://JOIN_THE_GNAA__2005_RECRUITMENT_DRIVE",
        "aim:GoIM?screenname=Gary_***&message=HY+LOL+HY+LOL",
        "rlogin://1.1.1.1:80",
        "telnet://1.1.1.1:80",
        "aim:addbuddy?listofscreennames=HY,LOL,HY,LOL,HY,LOL,join,the,gnaa,2006,RECRUITMENT,DRIVE,heartiez2incog&groupname=gnaa",
        "mailto:JOIN@THE.GNAA?subject=2006_RECRUITMENT_DRIVE&body=www.gnaa.us",
        "ed2k://|file|*********s From Outer Space [GNAA Digitally Remastered].avi|134174720|F8AF9D8A7091CD7A7B8968C9EB397C02|/",
 
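pseudobrit's two posts above describe the mechanism (JavaScript handing a list of protocol URLs to the browser so that each one launches a helper application such as Terminal, Mail or an IM client) and suggest disabling JavaScript and reading the page source to confirm it. The following is an added example written for this thread; it is not part of the Last Measure script and not code from any forum member. It takes saved page source and lists every URL whose scheme would be passed to an external application instead of being rendered, which is exactly what a reviewer would look for in that source. The sample page, the scheme list and the threshold of three distinct handler schemes are constructed assumptions, not values from the thread.

```javascript
// Added example, not from the thread: scan saved page source for URLs whose
// scheme makes the browser launch a helper application (Terminal via telnet:
// or rlogin:, Mail via mailto:, an IM client via aim:, and so on).

// Schemes that hand off to another application. Covers the handlers named in
// the thread plus a few common IM/VoIP ones (assumption, extend as needed).
const EXTERNAL_APP_SCHEMES = new Set([
  "telnet", "rlogin", "ssh", "mailto", "callto", "aim", "irc", "ircs",
  "news", "nntp", "ed2k", "skype", "icq", "ymsgr", "msnim",
]);
const WEB_SCHEMES = new Set(["http", "https"]);

// scheme ":" optional "//" then the target up to whitespace, a quote or an
// angle bracket. Deliberately loose so it works on raw HTML and inline JS.
const URL_RE = /\b([a-z][a-z0-9+.-]*):(?:\/\/)?([^\s"'<>]+)/gi;

// Pull every scheme-prefixed URL out of raw page source.
function extractUrls(source) {
  const urls = [];
  for (const m of source.matchAll(URL_RE)) {
    urls.push({ scheme: m[1].toLowerCase(), target: m[2], raw: m[0] });
  }
  return urls;
}

// Bucket the URLs by what the browser would do with them and decide whether
// the page behaves like content or like a launcher for other applications.
function classifyPage(source, externalLaunchThreshold = 3) {
  const external = [];
  const web = [];
  const other = []; // e.g. javascript:, data:, or CSS "color:red" false hits
  const countByScheme = {};
  for (const u of extractUrls(source)) {
    countByScheme[u.scheme] = (countByScheme[u.scheme] || 0) + 1;
    if (EXTERNAL_APP_SCHEMES.has(u.scheme)) external.push(u);
    else if (WEB_SCHEMES.has(u.scheme)) web.push(u);
    else other.push(u);
  }
  const distinctExternal = new Set(external.map((u) => u.scheme)).size;
  return {
    external,
    web,
    other,
    countByScheme,
    // Heuristic (assumption): ordinary content rarely needs more than one or
    // two helper applications; wanting several at once is the prank pattern.
    suspicious: distinctExternal >= externalLaunchThreshold,
  };
}

// Constructed sample source in the same shape as the array quoted in the
// thread, with placeholder hosts (example.invalid, 192.0.2.1) instead of real ones.
const SAMPLE_SOURCE = `
<html><body>
<a href="https://www.example.com/about">About</a>
<script>
var protos = [
  "lm.pdf",
  "irc://irc.example.invalid/chan",
  "mailto:join@example.invalid?subject=RECRUITMENT&body=www.example.invalid",
  "callto://example-call",
  "aim:GoIM?screenname=someone&message=HI",
  "rlogin://192.0.2.1:80",
  "telnet://192.0.2.1:80",
  "news:alt.example.group",
  "ed2k://|file|sample.avi|134174720|00000000000000000000000000000000|/"
];
</script>
</body></html>`;

// Human-readable summary for a quick look at a saved page.
function report(source) {
  const r = classifyPage(source);
  const lines = [`${r.external.length} external-handler URL(s), ${r.web.length} web URL(s)`];
  for (const u of r.external) lines.push(`  ${u.scheme.padEnd(7)} -> ${u.target}`);
  lines.push(r.suspicious ? "VERDICT: page tries to launch helper applications in bulk"
                          : "VERDICT: nothing unusual in URL schemes");
  return lines.join("\n");
}

console.log(report(SAMPLE_SOURCE));
```

Run it against a page saved with JavaScript disabled (or against the raw source from a proxy log); every line under the summary is one helper-application launch the page would have attempted, which is the evidence pseudobrit asks for without ever letting the script run.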

Eidorian

macrumors Penryn
Mar 23, 2005
29,190
386
Indianapolis
Quote:
It uses JavaScript to open or try to open Skype, your default chat, ICQ and e-mail apps, as well as opening the Terminal and running a telnet command.

It should not be able to get root access. If you can find the link and post it here I can grab the script, or you can do it by disabling JavaScript in your browser before opening the page, then viewing the source code.

I was about to ask if it was the typical JavaScript vector.

I've gone through too many HijackThis logs from people that have been hit by this joke.
 

Halsey12

macrumors regular
Original poster
Jan 1, 2006
149
0
Portland
Quote:
One example:

Code:
var protos = [ 
        "lm.pdf",
        "jews.wmv",
        "irc://irc.gnaa.us/gnaa",
        "irc://irc.efnet.org/politics",
        "news:alt.flame.******s",
        "news:alt.flame.***",
        "mailto:JOIN@THE.GNAA?subject=2006_RECRUITMENT_DRIVE&body=www.gnaa.us",
        "callto://JOIN_THE_GNAA__2005_RECRUITMENT_DRIVE",
        "aim:GoIM?screenname=Gary_***&message=HY+LOL+HY+LOL",
        "rlogin://1.1.1.1:80",
        "telnet://1.1.1.1:80",
        "aim:addbuddy?listofscreennames=HY,LOL,HY,LOL,HY,LOL,join,the,gnaa,2006,RECRUITMENT,DRIVE,heartiez2incog&groupname=gnaa",
        "mailto:JOIN@THE.GNAA?subject=2006_RECRUITMENT_DRIVE&body=www.gnaa.us",
        "ed2k://|file|*********s From Outer Space [GNAA Digitally Remastered].avi|134174720|F8AF9D8A7091CD7A7B8968C9EB397C02|/",

That looks like exactly what it was based on the e-mail info and the attempts to use iChat and the AIM account that showed up in the firewall log constantly. The webpage it came from never showed up in the Safari history, so I was unable to view the page after it happened. I have no idea how it didn't show up.
 

Halsey12

macrumors regular
Original poster
Jan 1, 2006
149
0
Portland
Quote:
Those are all normal processes. Nothing unusual.

Oh! I had never seen anything besides our own user names in the activity monitor before. The Daemon and root and the windowserver and all that looked like news to me.
 
Quote:
Oh! I had never seen anything besides our own user names in the activity monitor before. The Daemon and root and the windowserver and all that looked like news to me.

In the upper right hand corner, the "Show" drop-down menu lets you choose "My Processes" and another called "Windowed Processes". It's possible you've only looked at your processes before while those were selected. With either on, your username is generally going to be the only one there.

That javascript trick is horrible.

~ CB
 

Peace

Cancelled
Apr 1, 2005
19,546
4,556
Space The Only Frontier
You can also click on "Other Users" in Activity Monitor.

That will normally show root, daemon, _windowserver and a couple others. Don't get freaked out when you see "nobody" there :p
 