Hacked via Terminal via Safari via iChat

Discussion in 'macOS' started by Halsey12, Dec 22, 2007.

  1. Halsey12 macrumors regular

    Joined:
    Jan 1, 2006
    Location:
    Portland
    #1
    Last night my girlfriend had a bad encounter with some nasty script via the "gnaa"... she clicked on a new iChat message that popped up and it was a link that opened Safari, then immediately opened a bunch of Terminal command windows, then was opening a slew of mail messages in Mail that it was trying to send.

    I killed the Airport connection before any mail could send from her account, and we restarted her computer and reset her account password. Is the w command in Terminal the best way to check to see if someone else is using her computer still? I don't see anything else suspicious, but am not sure what something like this could actually do completely- copy passwords, continue remote access if the passwords have been changed? The firewall log shows a whole mess of rejected iChat attempts- a few hundred, but that is all I can see that looks leery, and nothing happening now.

    Any suggestions on what to look for or if we should do a clean install would be appreciated. I did search the forums, but could only find one somewhat useful thread on a potential hack. The rest that came up in the search results were not that relevant. Thanks!
     
  2. Cleverboy macrumors 65816

    Cleverboy

    Joined:
    May 25, 2007
    Location:
    Pocket Universe, nth Dimensional Complex Manifold
    #2
    Regardless of what other actions you take, download Little Snitch right now.
    http://www.obdev.at/products/littlesnitch/index.html

    Then, tell Little Snitch to report ANY activity to you visually, and watch it for a while. It's pretty damn good. Also, make sure your system updates are current.

    ~ CB
     
  3. Halsey12 thread starter macrumors regular

    Joined:
    Jan 1, 2006
    Location:
    Portland
  4. Halsey12 thread starter macrumors regular

    Joined:
    Jan 1, 2006
    Location:
    Portland
    #4
    Wow, turns out they had root access and a bunch of other names showing up in the activity monitor. Pretty nasty script whatever it was. So much stuff in the activity monitor, runaway syslog constantly using 100% cpu. Doing a clean install right now, hopefully that will clear it all up.
     
  5. Blogger macrumors 6502

    Joined:
    Jul 18, 2002
    Location:
    Local
    #5
    This is the first I've heard of such a thing. Can you give us a few more details?
    Thanks.
     
  6. twoodcc macrumors P6

    twoodcc

    Joined:
    Feb 3, 2005
    Location:
    Right side of wrong
    #6
    yeah i'm curious as well
     
  7. WildPalms macrumors 6502a

    WildPalms

    Joined:
    Jan 4, 2006
    Location:
    Honolulu, HI
  8. ::Lisa:: macrumors 6502a

    ::Lisa::

    Joined:
    Oct 28, 2007
    Location:
    Nottingham, UK
    #8
    and me.
    I really hope everything is OK.
    Good luck
     
  9. Halsey12 thread starter macrumors regular

    Joined:
    Jan 1, 2006
    Location:
    Portland
    #9
    Here is a screen capture of the Activity Monitor a couple days after this happened. Again, she was on iChat, and an incoming message came telling her that her LiveJournal had been hacked. She clicked on the message which I guess was a link that opened a Safari page. She saw some porn pop up, then when she yelled for me and I came upstairs, a ton of Terminal windows were opening, and a ton of mail messages were opening in Mail saying to join the gnaa.us. That is the truth.

    Since that happened, her fans were running non-stop and a syslog was constantly running at 100 percent of the CPU. I don't know much about any of this, but I have never seen anything besides our user names in the activity monitors on our computer, and here is what hers looked like last night before the clean install, and this is an untouched screen capture-
     
  10. pseudobrit macrumors 68040

    pseudobrit

    Joined:
    Jul 23, 2002
    Location:
    Jobs' Spare Liver Jar
    #10
    Sounds like Last Measure. It'll crash your browser for sure but shouldn't allow root access.
     
  11. Peace macrumors P6

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #11
    Those are all normal processes. Nothing unusual.
     
  12. Halsey12 thread starter macrumors regular

    Joined:
    Jan 1, 2006
    Location:
    Portland
    #12
    The Terminal windows opened instantly, and immediately after that her Mail opened with all those messages. I didn't get to see what was in the terminal commands before we killed the internet connection to stop the e-mails from sending and force quit her computer.

    I also found a folder created in her user library for Esellerate, with a whole bunch of stuff in it I couldn't open. It was created on the date this happened. I know she has never used esellerate software.
     
  13. Peace macrumors P6

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #13
    You sure your friend wasn't giving screen sharing access at the time ?
     
  14. pseudobrit macrumors 68040

    pseudobrit

    Joined:
    Jul 23, 2002
    Location:
    Jobs' Spare Liver Jar
    #14
    It uses Javascript to open or try to open Skype, your default chat, ICQ and e-mail apps, as well as opening the Terminal and running a telnet command.

    It should not be able to get root access. If you can find the link and post it here I can grab the script, or you can do it by disabling Javascript in your browser before opening the page, then viewing the source code.
     
  15. pseudobrit macrumors 68040

    pseudobrit

    Joined:
    Jul 23, 2002
    Location:
    Jobs' Spare Liver Jar
    #15
    One example:

    Code:
    var protos = [ 
            "lm.pdf",
            "jews.wmv",
            "irc://irc.gnaa.us/gnaa",
            "irc://irc.efnet.org/politics",
            "news:alt.flame.******s",
            "news:alt.flame.***",
            "mailto:JOIN@THE.GNAA?subject=2006_RECRUITMENT_DRIVE&body=www.gnaa.us",
            "callto://JOIN_THE_GNAA__2005_RECRUITMENT_DRIVE",
            "aim:GoIM?screenname=Gary_***&message=HY+LOL+HY+LOL",
            "rlogin://1.1.1.1:80",
            "telnet://1.1.1.1:80",
            "aim:addbuddy?listofscreennames=HY,LOL,HY,LOL,HY,LOL,join,the,gnaa,2006,RECRUITMENT,DRIVE,heartiez2incog&groupname=gnaa",
            "mailto:JOIN@THE.GNAA?subject=2006_RECRUITMENT_DRIVE&body=www.gnaa.us",
            "ed2k://|file|*********s From Outer Space [GNAA Digitally Remastered].avi|134174720|F8AF9D8A7091CD7A7B8968C9EB397C02|/",
    ];
     
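    Post #14 describes the mechanism (a page hands a long list of non-web URL schemes to the browser so it launches the IRC, mail, chat and terminal handlers) and post #15 shows the list. A defender can check a saved page for that pattern before ever loading it with JavaScript enabled. The scanner below is an added example, not code from the thread or from the script it discusses: it pulls every quoted scheme URL out of page source and flags the page when several distinct "launcher" schemes appear. The scheme list comes from the array above plus skype: and icq: as an assumption for the apps post #14 names; the two sample pages are constructed for the example.

```javascript
// Added example: detect the "protocol handler spray" pattern described above.
// Not part of the original thread; sample pages below are constructed.

// Schemes that make the browser hand off to another application. The entries
// are taken from the posted array; "skype" and "icq" are assumed from post #14.
const LAUNCHER_SCHEMES = new Set([
  "irc", "news", "mailto", "callto", "aim", "rlogin", "telnet", "ed2k",
  "skype", "icq",
]);

// Pull every quoted string of the form "scheme:rest" out of raw page source.
// This is a heuristic over text, so it needs no JavaScript execution at all.
function extractSchemeUrls(source) {
  const re = /["']([a-z][a-z0-9+.-]*):([^"']*)["']/gi;
  const found = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    found.push({ scheme: m[1].toLowerCase(), rest: m[2] });
  }
  return found;
}

// Summarise a page: how many URLs use launcher schemes, which schemes, and
// whether the count of distinct launcher schemes crosses the threshold.
function assessPage(source, threshold = 3) {
  const urls = extractSchemeUrls(source);
  const launchers = urls.filter((u) => LAUNCHER_SCHEMES.has(u.scheme));
  const perScheme = {};
  for (const u of launchers) {
    perScheme[u.scheme] = (perScheme[u.scheme] || 0) + 1;
  }
  const distinctSchemes = Object.keys(perScheme).sort();
  return {
    totalUrls: urls.length,
    launcherUrls: launchers.length,
    perScheme,
    distinctSchemes,
    suspicious: distinctSchemes.length >= threshold,
  };
}

// Constructed sample modelled on the array in post #15 (hosts are documentation
// addresses, not real targets). Only the data array is reproduced, not the
// code that launches the handlers.
const SAMPLE_PAGE = `
<script>
var protos = [
  "lm.pdf",
  "irc://irc.example.test/chan",
  "news:alt.example",
  "mailto:join@example.test?subject=SPAM",
  "callto://JOIN_NOW",
  "aim:GoIM?screenname=someone&message=HELLO",
  "rlogin://192.0.2.1:80",
  "telnet://192.0.2.1:80",
  "ed2k://|file|movie.avi|1234|00000000000000000000000000000000|/"
];
</script>
`;

// Constructed benign page: an ordinary site with one contact link.
const BENIGN_PAGE = `
<a href="https://example.test/">home</a>
<a href="mailto:info@example.test">contact</a>
`;

console.log(JSON.stringify(assessPage(SAMPLE_PAGE), null, 2));
console.log(JSON.stringify(assessPage(BENIGN_PAGE), null, 2));
```

    A single mailto: link is normal on any site, which is why the verdict counts distinct launcher schemes rather than individual URLs; lower the threshold if you want rlogin: or telnet: alone to be enough to flag a page.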
  16. Eidorian macrumors Penryn

    Eidorian

    Joined:
    Mar 23, 2005
    Location:
    Indianapolis
    #16
    I was about to ask if it was the typical Javascript vector.

    I've gone through too many HijackThis logs from people that have been hit by this joke.
     
  17. Halsey12 thread starter macrumors regular

    Joined:
    Jan 1, 2006
    Location:
    Portland
    #17
    That looks like exactly what it was based on the e-mail info and the attempts to use iChat and the AIM account that showed up in the firewall log constantly. The webpage it came from never showed up in the Safari history, so I was unable to view the page after it happened. I have no idea how it didn't show up.
     
  18. Halsey12 thread starter macrumors regular

    Joined:
    Jan 1, 2006
    Location:
    Portland
    #18
    We have never used screen sharing.
     
  19. Halsey12 thread starter macrumors regular

    Joined:
    Jan 1, 2006
    Location:
    Portland
    #19
    Oh! I had never seen anything besides our own user names in the activity monitor before. The Daemon and root and the windowserver and all that looked like news to me.
     
  20. Cleverboy macrumors 65816

    Cleverboy

    Joined:
    May 25, 2007
    Location:
    Pocket Universe, nth Dimensional Complex Manifold
    #20
    In the upper right hand corner, the "Show" drop-down menu lets you choose "My Processes" and another called "Windowed Processes". It's possible you've only looked at your processes before while those were selected. With either on, your username is generally going to be the only one there.

    That javascript trick is horrible.

    ~ CB
     
  21. Peace macrumors P6

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #21
    you can also click on "other users" in Activity Monitor..

    That will normally show root, daemon, _windowsserver and a couple others. Don't get freaked out when you see "nobody" there :p
     