Hi all, today I opened Console and noticed several strange messages:
Code:
19/03/2011 03:57:49 com.apple.Finder[117] <<
19/03/2011 03:57:49 com.apple.Finder[117] /S /JavaScript
19/03/2011 03:57:49 com.apple.Finder[117] /JS (if \(event.commitKey == 2\)\012this.submitForm\("http://search.earthweb.com/search97cgi/s97r_cgi", false, false, "GMHGFMAHOFPONJMCKIEEOCPIKLKGPECPBB.form1.x", true\);)
19/03/2011 03:57:49 com.apple.Finder[117] >><<
19/03/2011 03:57:49 com.apple.Finder[117] /S /JavaScript
19/03/2011 03:57:49 com.apple.Finder[117] /JS (if \(event.commitKey == 2\)\012this.submitForm\("http://search.earthweb.com/search97/search_redir.cgi", false, false, "GMHGFMAHOFPONJMCKIEEOCPIKLKGPECPBB.form3.x", true\);)
19/03/2011 03:57:49 com.apple.Finder[117] >>
Before that, I downloaded two free apps (TimeTrack and MPlayerX) from the Mac AppStore and updated Homebrew. I can't find any correlation between these apps and the messages.
Now, I'm not a Mac or Unix expert, but checking Activity Monitor and "ps -ax" shows no unexpected processes running. Login items, LaunchAgents and LaunchDaemons don't reveal any surprises either. Can anyone suggest other locations to look for the possible culprits?
By the presence of the URL, it certainly looks like some sort of browser hijacking attempt (but why Finder and not Safari?). For the record, the domain name "search.earthweb.com" doesn't resolve through either my ISP or Google DNS, so this part of the attack probably didn't work.
Googling for "event.commitKey" reveals that it's ActionScript, probably related to Flash, but I'm at a loss trying to figure out how it might have anything to do with the Finder.
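The `/S /JavaScript` and `/JS (...)` entries in the log follow PDF action-dictionary syntax, and `\(`, `\)` and `\012` are PDF literal-string escapes. As an added example (not part of the original post), this Python decodes those entries from the Console lines quoted above and lists the hosts the `submitForm` calls point at; the function names are illustrative.

```python
import re
from urllib.parse import urlparse

# Console lines copied from the post above.
SAMPLE_LOG = r'''19/03/2011 03:57:49 com.apple.Finder[117] <<
19/03/2011 03:57:49 com.apple.Finder[117] /S /JavaScript
19/03/2011 03:57:49 com.apple.Finder[117] /JS (if \(event.commitKey == 2\)\012this.submitForm\("http://search.earthweb.com/search97cgi/s97r_cgi", false, false, "GMHGFMAHOFPONJMCKIEEOCPIKLKGPECPBB.form1.x", true\);)
19/03/2011 03:57:49 com.apple.Finder[117] >><<
19/03/2011 03:57:49 com.apple.Finder[117] /S /JavaScript
19/03/2011 03:57:49 com.apple.Finder[117] /JS (if \(event.commitKey == 2\)\012this.submitForm\("http://search.earthweb.com/search97/search_redir.cgi", false, false, "GMHGFMAHOFPONJMCKIEEOCPIKLKGPECPBB.form3.x", true\);)
19/03/2011 03:57:49 com.apple.Finder[117] >>'''

# Single-character escapes in a PDF literal string; backslash-newline is a continuation.
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f",
           "(": "(", ")": ")", "\\": "\\", "\n": ""}

def read_pdf_literal(text, start):
    """Decode the PDF literal string whose opening '(' is at text[start]."""
    out, depth, i = [], 0, start
    while i < len(text):
        c = text[i]
        if c == "\\":
            octal = re.match(r"[0-7]{1,3}", text[i + 1:i + 4])
            if octal:                      # e.g. \012 is a line feed
                out.append(chr(int(octal.group(), 8) & 0xFF))
                i += 1 + len(octal.group())
            else:
                nxt = text[i + 1:i + 2]
                out.append(_SIMPLE.get(nxt, nxt))
                i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:                 # matching close of the outer string
                return "".join(out)
        if not (c == "(" and depth == 1):  # skip only the outer opening paren
            out.append(c)
        i += 1
    raise ValueError("unterminated literal string")

def js_actions(log_text):
    """Return the decoded script of every '/JS (...)' entry in the text."""
    return [read_pdf_literal(log_text, m.end() - 1)
            for m in re.finditer(r"/JS\s*\(", log_text)]

def submit_hosts(scripts):
    """Return the sorted hosts that submitForm() calls in the scripts target."""
    urls = [u for s in scripts for u in re.findall(r'submitForm\(\s*"([^"]+)"', s)]
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})

if __name__ == "__main__":
    print(js_actions(SAMPLE_LOG)[0])
    print(submit_hosts(js_actions(SAMPLE_LOG)))
```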