
Jazzandmetal?

macrumors regular
Original poster
Jan 24, 2008
Virginia
I thought I had a trojan so I followed instructions to find it in terminal.

I typed sudo crontab -l and got warned that I could delete stuff that is important. I put my password in wrong and exited.

Then I did sudo cron -l and this came up:

Last login: Mon Jun 9 12:50:01 on ttys000
jeremy-fnstns-macbook:~ jeremyfnstn$ sudo cron -l
Password:
cron: illegal option -- l
usage: cron [-s] [-o] [-x debugflag[,...]]

debugflags: ext sch proc pars load misc test bit

Then I typed sudo crontab -1 and it said no crontab in root

I then typed in sudo crontab -l and it said the same thing

Did I do anything bad? It only warned me about deleting things the first time around. What would it say if I did have a trojan?
 
Wouldn't it be ironic if nothing was wrong with your Mac and you found malicious instructions to use in Terminal that actually screwed things up?

The only threat to Macs is user intervention.
 
No you didn't do any damage.

The crontab file contains pointers to scripts that execute at specific times.

crontab -l just lists out the contents of the crontab file.

When cron executes, it reads the crontab file for instructions.

While you can read the various crontab files (system, user, etc.), unless you know unix and know what is supposed to be in there and what is not supposed to be there, it won't help you.

DO NOT MESS WITH CRON OR THE CRONTAB FILES UNLESS YOU KNOW UNIX AND HAVE ADMINISTERED UNIX SYSTEMS. You can really mess things up.

Actually, after researching it, in OS X, all of the cron jobs (Apple's) are handled by launchd, not cron.

What instructions did you get? Please post them. I'd like to know also where you got them from as cron and crontab mostly apply to other flavors of UNIX.
 
You didn't do any damage but you easily can if you don't know what you are doing in terminal, esp. if you have administrator or root privileges. As root you could fairly easily (by mistake of course) wipe your entire hard disk clean. Don't mess with terminal unless you know what you are doing! It can be very powerful, but also very dangerous, even for a pro. And if you do want to learn, get a good book and set your user account to "Standard", never "Administrator". And NEVER use the sudo command unless you know what you are doing or have very good instructions from a trusted source. I work in terminal every day, all day long (I am a software developer) and have seen far too many casualties caused by not following these rules. Fortunately, Macs are easy to clone and restore.
 
Here is the article that I got the instructions from.
 

Ok, I read the article. This is old information.

They said check this first:

If you’re running OS X 10.5, open your Network System Preferences pane and select your active interface (AirPort, Ethernet), then click Advanced. On the Advanced screen, click on the DNS tab. The leftmost box contains your DNS servers, and all the entries should be in black. If the trojan has been installed on your machine, you’ll see the phantom DNS in gray, listed above your normal DNS information, as seen in the image at right—the first two entries are the evil DNS, the last is the normal DNS. Note: There are other situations where the DNS info may be gray—it appears that if your DNS is provided by another machine, for instance, then your legitimate DNS information will be in gray, not black. So while this may be an indicator, keep reading for the best way to be certain if your machine is infected.

Next they said:

The easiest way to tell if you’ve been infected is to go to the top-level /Library -> Internet Plug-Ins folder, and look for a file named plugins.settings . If you find one there, chances are, you’re infected. However, since the names used by the malware authors may change, it’s best to check a couple of other spots as well.

Now to the section about using crontab:

The other thing to check is for the presence of the root cron job. To do this, open Terminal (in /Applications -> Utilities) and type this command:

sudo crontab -l
Enter your admin password when asked, and Terminal will then display any cron tasks for root. Typically this will be blank. If you see this output, though, it means you’ve got the malware:

* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1

Since you ran "crontab -l" and it reported that you have no crontab for root, that should tell you something.

You don't have a trojan. Again this article is old information back from Oct 2007.
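
The two checks quoted from the article in the post above, as an added read-only sketch (not part of the thread or the article). The function names and the root-prefix argument are assumptions of this sketch; because the article says the file name may change, the cron check goes slightly further and flags any active entry pointing into the Internet Plug-Ins folder.

```shell
#!/bin/sh
# Added example: read-only check for the two indicators quoted in the article.
# PLUGIN_DIR and INDICATOR are taken from the quoted text; everything else
# (function names, the root-prefix argument) is assumed for illustration.
PLUGIN_DIR="/Library/Internet Plug-Ins"
INDICATOR="plugins.settings"

# Constructed sample: the root crontab line the article says an infected Mac shows.
SAMPLE_INFECTED='* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1'

# Read a crontab listing on stdin and print the active entries that run
# something from the Internet Plug-Ins folder. Comment and blank lines are
# dropped first, so a commented-out entry is not reported.
flag_cron_entries() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
        | grep -F -- "$PLUGIN_DIR/" || true
}

# Succeed if the indicator file exists under the root prefix in $1
# (an empty prefix means the live system).
indicator_file_present() {
    [ -e "${1}${PLUGIN_DIR}/${INDICATOR}" ]
}

# Run both checks: $1 is the root prefix, the crontab listing comes from stdin.
# Prints what was found and returns 1 if either indicator is present.
check_indicators() {
    hits=$(flag_cron_entries)
    found=0
    if indicator_file_present "$1"; then
        echo "file: ${PLUGIN_DIR}/${INDICATOR} exists"
        found=1
    fi
    if [ -n "$hits" ]; then
        echo "cron: $hits"
        found=1
    fi
    [ "$found" -eq 0 ] && echo "no indicators found"
    return "$found"
}

# Live use on a Mac (nothing is modified; "no crontab for root" goes to
# stderr and simply yields an empty listing):
#   sudo crontab -l 2>/dev/null | check_indicators ""
```
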
 
Merl1n never ceases to amaze me as he's always there to help people (including me). I wish that this forum had a Cred option because he would have a ton by now.
Way to go Merl1n :D
Alan
 
Yes, I looked at the first 2 options first. I just really wanted to make sure I didn't delete anything. Also thank you everyone for any help.


For another poster I thought I got a trojan because I was looking at an adult site :eek:

A new window popped up and when I tried to exit it it came up with 2 smaller boxes. The first box read "if you want to exit please hit okay or hit cancel to stay". I hit okay on the first box and then on the second and I was able to close the window.

Since I hit okay in 2 boxes I wondered if I did something bad. I should have just force quit safari but did not think about that at the time.
 