Box keeps asking for Administrator password, no program name evident.

Discussion in 'OS X Mavericks (10.9)' started by qubex, Feb 16, 2014.

  1. qubex macrumors 6502

    Joined:
    May 12, 2004
    Location:
    045°042'21.99"N, 009°005'056.57"E
    #1
    Hello.

    I’ve got a bit of an enigma going on here.

    I’m running 10.9.1 Mavericks and recently a dialog box has been popping up asking for Administrator privileges for no discernible reason. Rather disturbingly, it doesn’t mention what program wants to do what. There’s no apparent context to this: no regular schedule, no triggering event. Just an occasional annoyance. If it had coincided with something I had done (e.g., a recent software upgrade or something) I would be highly inclined to enter my credentials and let it do its thing, but since it isn’t obviously related to anything I’ve done, I’m a bit suspicious.

    First I tried entering false credentials (to avoid giving it the opportunity to run rampant if indeed it is something malicious) and I scanned the system log in the Console to see if there was any indication of what program had received flawed credentials: nothing came up.

    Then I reasoned it must be a wayward system daemon that has somehow lost its SUID bit, so I rebuilt my permissions with Disk Utility, expecting that if its permissions were restored to default values it would be content and do its thing invisibly in the background. Again, no success: it reappeared. That strongly suggests it isn’t a system component, or at least not one included in the BOMs.

    Basically what I’m asking is this: how can I find out what process/program is prompting this box? If I can find out what the program is I’m fairly sure I can make a considered determination of whether it is safe or not.

    Thanks for your help.
     

  2. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #2
    When this happens, try opening Activity Monitor and look in the CPU tab and sort by CPU time. That will show you all processes and the time they have been running. For example, in my screenshot you can see Activity Monitor has been running 92 seconds. That may help pin it down.

    Also, look in Console log for any entries at the time this happens.

    I agree with you it is odd and you are right to be concerned.

    [​IMG]
     
  3. MacGizmo macrumors 6502a

    Joined:
    Apr 27, 2003
    Location:
    Arizona
    #3
    As the Weasel stated, wait until it pops up again, then launch the Activity Monitor to see what might be responsible for the dialog box.
     
  4. qubex thread starter macrumors 6502

    Joined:
    May 12, 2004
    Location:
    045°042'21.99"N, 009°005'056.57"E
    #4
    Of the 97-odd processes running at the moment on my system, how do you suggest I figure out which obscure-sounding system process is responsible for the box? Surely there must be a better way than this? Some diagnostic tool that indicates the name (or PID) of the process owning a given dialog when you mouse-over?
     
  5. DeltaMac macrumors 604

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #5
    This would likely be a recently launched process, so I would surely begin with the highest (newest) PID, or within the latest 5 PIDs. One of those recent ones may give you a clue about what suddenly is asking for authentication.

    You haven't mentioned if you have looked at your active apps, which would display a "dot" under each open app in the Dock. Are there any new icons in your dock that you may not have noticed? You can mouse across the dock to identify icons by name.
     
  6. smithrh macrumors 68020

    Joined:
    Feb 28, 2009
    #6
    For some reason the graphic won't load, but this looks like an installation of some package trying to complete...

    Anything you've intentionally tried to install recently?

    The other thing to do is to google all of your running process names.

    (Getting on my soapbox - dang there are a lot of processes now in Mavericks. This was something I abhorred in Windows and it looks like we're right there with Microsoft now... grrrr)

    Also, yes, you're right to be concerned, this could be the signature of a trojan. Not likely, but possible.
     
  7. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #7
    That doesn't look like the correct dialog box. It should name the program requesting the privilege elevation. The fact it doesn't suggests something fishy, such as the possibility of it being a fake security dialog (phishing).


    First, do the following experiment. I recommend reading everything below before doing anything.

    The purpose of this experiment is for you to see what the real security dialog box looks like, and what Activity Monitor shows while that dialog is presented.

    Launch Activity Monitor and make sure it's showing all processes.

    Next, launch AppleScript Editor and paste this line into the script window:
    Code:
    do shell script "id" with administrator privileges
    Then run the script.

    The security dialog should appear. DO NOT ENTER YOUR ADMIN NAME AND PASSWORD. Instead, switch to Activity Monitor, and sort the list by process ID, with higher process IDs first. Take note of the top process. It should be "SecurityAgent" (or something similar, since I'm using Mountain Lion to run my examples, and Apple may have changed the agent's name in Mavericks).

    This example shows that a real security dialog originates from a distinctive process with a distinctive name and user ID.

    Now "Cancel" the dialog, and notice that the SecurityAgent process disappears from Activity Monitor's list.

    If you do an "Inspect" on the SecurityAgent process in Activity Monitor while the dialog is visible, you should see a parent process ID of 1, and a parent process name of launchd. This is the normal (and secure) way that the security dialog is presented. Unfortunately, this decouples the requester of the dialog from the process that actually presents the dialog, so there's no easy way to trace back to the originating requester.

    If you don't have an "Inspect" button on the Activity Monitor toolbar, then look for it in the Gear tools. The "Inspect" button is on Mountain Lion, and Activity Monitor received a major facelift in Mavericks. The presentation or name may differ, but it should be a tool to inspect details of the process selected in the list.


    If you have Xcode installed, look for "Accessibility Inspector.app".

    Launch it.

    While the real security dialog is visible, move the mouse over the dialog window and notice what AXApplication is identified as owning the AXWindow. It should say "SecurityAgent", which is consistent with what Activity Monitor showed you.

    So next time the questionable dialog appears, launch Accessibility Inspector and use it to tell you who owns the dialog. If it's not SecurityAgent, then the dialog is fake, and something is quite possibly trying to trick you. If the name of the owning process appears, then that should help you identify it in Activity Monitor. You can then Inspect on that process, and learn its parent process (i.e. who launched it), which may lead to something useful.

    Post what you find out.


    There is a Terminal command that can tell exactly where the program is located that's running. You can then track it down and decide what to do about it.
    Code:
    ps -alx >~/ps.txt
    
    Copy and paste this exact command into a Terminal window while the questionable dialog is showing.

    The complete list of processes will be written to the file "ps.txt" in your home folder. Post it, or at least post the parts that identify the process owning the dialog.


    If you don't have Xcode or Accessibility Inspector, then run the above command when the questionable dialog appears.

    However, you should first know what the output looks like for the real security dialog. To do that, I suggest running the command when the real security dialog is visible. That is, run an experimental security dialog (the posted AppleScript), run the Terminal command, then open "ps.txt" and take note of what the output looks like. This will guide you when the questionable dialog appears.
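
The baseline comparison described in post #7, as an added example that is not part of the original thread or written by any of its posters. It assumes the listing comes from `ps -axo pid,ppid,comm` (used here in place of the post's `ps -alx` so the columns are fixed); the function names and all sample rows, including their paths, are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: `ps -axo pid,ppid,comm` output (header + one row per process).

# Constructed sample rows, not captured from a real machine.
sample_ps() {
cat <<'EOF'
  PID  PPID COMM
    1     0 /sbin/launchd
  212     1 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock
  940   212 /Users/example/Library/Example Helper/SecurityAgent
  951     1 /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/SecurityAgent
EOF
}

# newest_procs [N]: the N rows with the highest PIDs (default 5).
# PID order only approximates launch order, because PIDs are reused after wrap.
newest_procs() {
  awk 'NR > 1' | sort -k1,1nr | head -n "${1:-5}"
}

# agent_check BASELINE_PATH: report every process whose executable is named
# SecurityAgent. "ok" needs parent PID 1 (launchd) and the same path that was
# recorded while the AppleScript test dialog was open; anything else is "suspect".
# Prints "absent" when no such process exists.
agent_check() {
  awk -v want="$1" '
    NR > 1 {
      cmd = $0
      sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", cmd)   # keep spaces in paths
      path[$1] = cmd; ppid[$1] = $2
      base = cmd; sub(/.*\//, "", base)
      if (base == "SecurityAgent") found[++n] = $1
    }
    END {
      if (n == 0) { print "absent"; exit }
      for (i = 1; i <= n; i++) {
        p = found[i]; pp = ppid[p]
        pbase = path[pp]; sub(/.*\//, "", pbase)
        ok = (pp + 0 == 1 && pbase == "launchd" && path[p] == want)
        printf "%s pid=%s ppid=%s parent=%s path=%s\n", (ok ? "ok" : "suspect"), p, pp, pbase, path[p]
      }
    }'
}
```

While the questionable dialog is showing, pipe the live listing through `agent_check` with the path you recorded during the AppleScript experiment; an "absent" result with a password dialog on screen means the dialog is not coming from SecurityAgent.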
     
  8. smithrh macrumors 68020

    Joined:
    Feb 28, 2009
    #8
    Is the fact that the icon type is blank in the OP's pic interesting?

    I see that when I execute the AppleScript it actually has a mini-AppleScript icon on top of the lock...
     
  9. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #9
    It might or might not be significant.

    If the program making the request is faceless (a daemon or agent), then I don't think it will have an icon. AppleScript isn't faceless, so its icon appears.

    I'd have to build a faceless agent test-case to confirm whether a missing icon is significant. That would take me longer than writing this.
     
  10. smithrh macrumors 68020

    Joined:
    Feb 28, 2009
    #10
    launchctl list

    ...may be interesting if this is a trojan that's trying repetitively for access.
     
  11. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #11
    Yes, that's a good idea.

    It will still be a long list of obscurely named daemons, but it should be shorter than 'ps -alx'.
     
