2009 Mac mini - rootkit?

[BigRed1]

I have a 2009 mac mini as my main machine. A couple of weeks ago I started getting weird activity on my netflix account. First the language changed to spanish, then some, let's say less than appropriate things started popping up in my viewing history. Seemed strange for everyone in my family, so I changed the password and logged out of all my devices through the netflix account settings. Didn't think about it again for a few days, then checked the account access link again and someone had been logging into my account from Chile even after I had changed the password. I called netflix and it seems that someone had been logging into my account from some android and chromebook devices in Chile for the past couple of weeks. They surmised that since it happened both before and after I changed my password that I had been infected by some rootkit.

I've done a bit of google sloothing, but I can't seem to find any way to scan for a rootkit. I did run a scan on bitdefender which found nothing. Any ideas about whether I'm really infected? How I can figure out what's going on? If I am, will upgrading to el capitan do anything for me or is it too late now that I may actually have something. Sorry if this is the wrong forum to ask this question, but I'd appreciate any help y'all can give me. Thanks.

 

[BCmac1]

Hi BigRed1,
Sorry to hear about your hacking issue... I believe I am also infected with a Rootkit virus that created some weird hidden partitions in my hard drive, most of them size 524.3kb, and I can not remove them. When I get some terminal commands and I erase them, they come right back them I reboot the computer.... that is why I suspect that is a rootkit firmware type of virus that hold some malicious code in the BIOS ROM.

Did you check in terminal if you also had this partitions?

In order to see these hidden partitions, you need to boot up from the installation DVD, recovery mode or USB installation drive. Then you go to Terminal, and type "diskutil list" .... if you have what I have it will show you something list this...


-bash-3.2# diskutil list
/dev/disk0
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *1.0 TB disk0
1: EFI 209.7 MB disk0s1
2: Apple_HFS OK 999.9 GB disk0s2
/dev/disk1
#: TYPE NAME SIZE IDENTIFIER
0: Apple_partition_scheme *8.4 GB disk1
1: Apple_partition_map 30.7 KB disk1s1
2: Apple_Driver_ATAPI 848.5 MB disk1s2
3: Apple_HFS Mac OS X Install DVD 7.5 GB disk1s3
/dev/disk2
#: TYPE NAME SIZE IDENTIFIER
0: untitled *524.3 KB disk2
/dev/disk3
#: TYPE NAME SIZE IDENTIFIER
0: untitled *524.3 KB disk3
/dev/disk4
#: TYPE NAME SIZE IDENTIFIER
0: untitled *524.3 KB disk4
/dev/disk5
#: TYPE NAME SIZE IDENTIFIER
0: untitled *524.3 KB disk5
/dev/disk6
#: TYPE NAME SIZE IDENTIFIER
0: untitled *524.3 KB disk6
/dev/disk7
#: TYPE NAME SIZE IDENTIFIER
0: untitled *1.0 MB disk7



there are lot of other people with the same problem, but I am not able to find a solution.


https://discussions.apple.com/thread/6911724?start=0&tstart=0


http://apple.stackexchange.com/ques...-invalid-disks-that-only-show-up-on-mac-os-re


https://discussions.apple.com/thread/5020541?start=15&tstart=0


http://arstechnica.com/security/201...otkit-for-os-x-can-permanently-backdoor-macs/

This engineer describes why the mac are so vulnerable to this type of virus

Please let me know how you got around this problem...

Thank you!!!

Best regards,

BCmac1

 

[BigRed1]

Unfortunately I haven't gotten around it. I'll see if I can find an install disk to try your trick above. I've basically just relegated the machine to be Logic only. I'm just not entering any sensitive info on it anymore.

 

[buddhabelly]

Those aren't mysterious disks, they are expanded disk bundles from a recovery image, in your case, or internet recovery. That is why you only see them when booted from the recovery partition/internet recovery. They don't exist otherwise.