6723187 ...erm...

mkrishnan

Moderator emeritus
Original poster
Jan 9, 2004
29,777
12
Grand Rapids, MI, USA
Okay, this is a bit of a strange one....

In my ~/library/application support/ I have an executable file called 6723187 with no extension. It's not in a sub-folder. It is dated 5/10/06, is 4kb long, and I have no idea how it got there.

Anyone know what it is? Google searching "6723187" was non-informative. :(
 

iGary

Guest
May 26, 2004
19,583
1
Randy's House
mkrishnan said:
Okay, this is a bit of a strange one....

In my ~/library/application support/ I have an executable file called 6723187 with no extension. It's not in a sub-folder. It is dated 5/10/06, is 4kb long, and I have no idea how it got there.

Anyone know what it is? Google searching "6723187" was non-informative. :(
Your machine is about to self destruct. That is the destruct code.
 

mkrishnan

Moderator emeritus
Original poster
Jan 9, 2004
29,777
12
Grand Rapids, MI, USA
Blue Velvet said:
How did you get my phone number?


Ermm...I'm not sure I'ma gonna run it. :eek:

Don't get me wrong... note my miserable failure to start this thread with "OMG I FOUND THE !ST MACOS ViRuS!!!!!111111oneoneoneoneeleveneleven". ;)
 

balamw

Moderator
Staff member
Aug 16, 2005
19,368
978
New England
If you're really curious, open Terminal and run the following

Code:
strings ~/library/application support/6723187* | less
That'll show you any embedded strings longer than a few characters which might help you track it down.

B
 

UKnjb

macrumors 6502a
May 23, 2005
717
0
London, UK
Isn't that the up-dated file that supersedes 6723186?

Helluva programme and from where did you rip it? US government restricted and all ---- :cool:
 

Mitthrawnuruodo

Moderator emeritus
Mar 10, 2004
13,802
174
Bergen, Norway
mkrishnan said:
In my ~/library/application support/ I have an executable file called 6723187 with no extension. It's not in a sub-folder. It is dated 5/10/06, is 4kb long, and I have no idea how it got there.
You got anything else (especially applications) with that same date?
 

yellow

Moderator emeritus
Oct 21, 2003
16,033
1
Portland, OR
mkrishnan said:
Did someone call me? I saw the Oh Snap spotlight against the cloudy night sky!

For what it's worth..

Code:
-rwxrwxrwx    1 yellow  yellow    121 Mar 23 15:32 814379*
Yours is bigger than mine. :(

Anyway.. it's just text, at least mine is:

Code:
[null:~/Library/Application Support]yellow% file 814379 
814379: ASCII text
[null:~/Library/Application Support] yellow% more 814379 
CIA_USB_MONITOR=/Library/Frameworks/HPServicesInterface.framework/Runtime/hpusbmond

${CIA_USB_MONITOR} FROM_INSTALLER &
Looks like HyperPieceofshit strikes again? Or is the CIA after us again?
 

mkrishnan

Moderator emeritus
Original poster
Jan 9, 2004
29,777
12
Grand Rapids, MI, USA
yellow said:
-rwxrwxrwx 1 yellow yellow 121 Mar 23 15:32 814379*
Do you really have a file like that?

P.S. Thanks for the strings suggestion. I suppose I should've just more'd it. It's a script file!

#!/bin/sh

# Known browser binary paths
ieProc='Contents/MacOS/Internet Explorer'
caminoProc='Contents/MacOS/Camino'
mozillaProc='Contents/MacOS/mozilla-bin'
firefoxProc='Contents/MacOS/firefox-bin'
operaProc='Contents/MacOS/Opera'
safariProc='Contents/MacOS/Safari'

rm -f ~/PSResult
rm -f ~/BrowserProcessFound

ps ax -ww -o command > ~/PSResult

# Detect the browser binary paths in the processes
if grep "${ieProc}" ~/PSResult ; then
echo "${ieProc}" > ~/BrowserProcessFound
elif grep "${caminoProc}" ~/PSResult ; then
echo "${caminoProc}" > ~/BrowserProcessFound
elif grep "${mozillaProc}" ~/PSResult ; then
echo "${mozillaProc}" > ~/BrowserProcessFound
elif grep "${firefoxProc}" ~/PSResult ; then
echo "${firefoxProc}" > ~/BrowserProcessFound
elif grep "${operaProc}" ~/PSResult ; then
echo "${operaProc}" > ~/BrowserProcessFound
elif grep "${safariProc}" ~/PSResult ; then
echo "${safariProc}" > ~/BrowserProcessFound
fi

rm -f ~/PSResult
So it just looks for the existence of a running browser process, basically.

I wonder what uses it. I don't see any apps with similar dates. I guess it could be part of FreePOPs. But then I should have been able to find out about it by googling...also it's strange of them to give weird names like this to their files. Hmmm...
 

Mitthrawnuruodo

Moderator emeritus
Mar 10, 2004
13,802
174
Bergen, Norway
mkrishnan said:
So it just looks for the existence of a running browser process, basically.
Did you install Flash, Shockwave, Flip4Mac or any other plugins about that date?

Many of those want to quit all browsers as part of the install procedure...
 

mkrishnan

Moderator emeritus
Original poster
Jan 9, 2004
29,777
12
Grand Rapids, MI, USA
Mitthrawnuruodo said:
Did you install Flash, Shockwave, Flip4Mac or any other plugins about that date?

Many of those want to quit all browsers as part of the install procedure...
That's certainly a possibility. Oh, well, seems innocuous enough. I'll just delete it. :p Unlikely that anything is depending critically on it....It was probably just a temp script that didn't get deleted.

Thank you everyone for the help! :)
 

Makosuke

macrumors 603
Aug 15, 2001
6,166
350
The Cool Part of CA, USA
Note that if it's browser-related, it might intentionally use a random string as its name. I seem to remember that some browser files use random naming schemes to prevent attacks that rely on the specific location of a file from functioning.

Totally random guess, though, and obviously "security through obscurity" only gets you so far--more of a "just so everybodys' isn't the same", I think.