"U R h4X3r3D" message in Terminal

Discussion in 'Mac Basics and Help' started by whooleytoo, May 21, 2014.

  1. whooleytoo macrumors 603

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #1
    I've started seeing the following popping up a lot in my Terminal

    Code:
    "U R h4X3r3D... DIE NUBEclscls"clear
    I'm going to stick my neck out, and guess that's not good :) Does anyone have any idea on how to isolate where this is coming from or get rid of it? Ideally, other than "reinstall everything"!

    It doesn't happen after every command, it seems to appear when there's an exclamation mark in the command. E.g. simply entering: !" will do it. I only noticed it today as I was installing/testing redis and inserted a key with an exclamation mark which obviously caused it to appear.

    Any help appreciated!
     
  2. Supp0rtLinux macrumors member

    Joined:
    Feb 28, 2008
    #2
    Stop looking at porn. Simple enough. You thought "hey, free porn" and got spyware. To remediate:

    Open up Terminal and first see if there's a file with that string in the name: sudo su -; cd /; find . -name "*h4X3*" -print

    If that matches something, do an "ls -als <filename>" and see when it was created (this isn't foolproof... a good scripter can use touch to modify the timestamp, but it should help).

    If that doesn't match, then you need to search each file for that string to see which file(s) contain it. So try something like this: sudo su -; cd /; find . -type f -exec grep -H 'h4X3' {} \; or grep -rn -e "pattern" 'directory' where pattern is "h4X3"

    Once you find a list of files that contain that string, do an "ls -als <filename>" to see when the file was created. Then reboot into your recovery partition and reinstall OS X and then restore from Time Machine with a date earlier than the date in the output from "ls"...

    Or you could try one of the free AV scanners on the Mac App store...
     
  3. whooleytoo thread starter macrumors 603

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #3
    Thanks for the suggestions! The filename didn't turn up anything (that would have been too easy...). I'm doing the file-contents search now.

    It's found a couple of hits, but they may be false positives (one's in a .fla file that's included with Flash CS4 and the other in the Lion installer dmg) but both only include "h4X3" with none of the other text.
     
  4. smithrh macrumors 68020

    smithrh

    Joined:
    Feb 28, 2009
    #4
    Can you paste a transcript of some commands in terminal?

    I'd like to see exactly what you're seeing.
     
  5. whooleytoo thread starter macrumors 603

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #5
    The below is how I noticed it. I just happened to enter an exclamation mark in a test string I was entering into redis (a popular key value store I just installed), and you can see what popped up below. As you can see on the last line, just entering !" will bring up that text.

    Code:
    Last login: Thu May 22 11:16:47 on ttys000
    XXXXXXXXXs-MacBook-Pro:~ XXX$ redis-cli set testkey "Hello, world!"
    redis-cli set testkey "Hello, world"U R h4X3r3D... DIE NUBEclscls"clear
    > 
    XXXXXXXXXs-MacBook-Pro:~ XXX$ redis-cli set testkey "Hello, world"OK
    XXXXXXXXXs-MacBook-Pro:~ XXX$ !"
    "U R h4X3r3D... DIE NUBEclscls"clear
    -bash: U R h4X3r3D... DIE NUBEclsclsclear: command not found
    XXXXXXXXXs-MacBook-Pro:~ XXX$ 
    
    I also found the following in my .bash_history; these commands seem to be from months ago:

    Code:
    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    echo "U R h4X3r3D... DIE NUBEdefaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIESdefaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
    cls
    "U R h4X3r3D... DIE NUBEclscls"clear
    clear
    echo "U R h4X3r3D... DIE NUBEclearclear"
    clear
    echo "U R h4X3r3D... DIE NUBEclearclear"
    echo "U R h4X3r3D... DIE NUBEecho "U R h4X3r3D... DIE NUBEclearclear"echo "U R h4X3r3D... DIE NUBEclearclear""
    
    The odd thing about the above is that those strings are appearing just below where I was entering the recommended test for the Flashback trojan. Seems very odd that they're juxtaposed like that. (And FYI, I'd never trust a popup installer when browsing; if installing Flash updates I'd always navigate directly to the Adobe site and not trust any link.)

    Many thanks!
     
  6. silvetti macrumors 6502a

    silvetti

    Joined:
    Nov 24, 2011
    Location:
    Poland
    #6
    I'm gonna be blunt.

    Reinstall your Mac.

    Change all your passwords.

    Stop watching Porn. ;) (this one is optional)
     
  7. whooleytoo thread starter macrumors 603

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #7
    Other accounts on the same machine seem unaffected (at least I can't reproduce the same behaviour), so I'll switch to another local account until I have time to wipe & reinstall everything.

    I would love to know what the attack vector is/was. I don't download any pirated software, and do install the Apple security updates. It is possible that any 3rd party utility could (deliberately or inadvertently) include malware, or it could involve some kind of drive-by vulnerability. What surprised me was that I couldn't find many others who had the same issue. There was one user in a previous thread on this site who posted a similar message in the Flashback thread, but no further info.
     
  8. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #8
    You should be aware that ! is the bash history expansion token. If you use ! as part of a command and it is not escaped or enclosed in double-quotes, bash will treat it as the history expansion token and not a literal exclamation point. This means that a command like redis-cli set testkey "Hello, world!" will try to use bash history expansion searching for a command in your bash history that started with a double-quote (the expansion of !"). Since you looked in your bash history, that will match:

    Code:
    "U R h4X3r3D... DIE NUBEclscls"clear

    If you need to use the exclamation point in a string literal as part of a bash command, enclose it in single-quotes.
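    ElectricSheep's explanation, worked through as an added example (this is not code from anyone in this thread): a small Python model of the `!` event designators bash applies before it even splits a line into words, run over a history list constructed from the .bash_history excerpt quoted in post #5. The quoting rules follow what the transcript shows on macOS's bash 3.2 (a backslash or single quotes protect `!`, double quotes do not; recent bash releases make an exception for a `!` that sits directly before a closing double quote, which this model leaves out). Word designators and modifiers such as `!!:1` or `:p` are not modelled, `set +H` is represented by the `histexpand` parameter, and `safe_literal` is a name chosen here for a thin wrapper around the standard library's `shlex.quote`.

```python
"""Model of bash '!' history expansion, to show why '!"' pulled a pasted
line back out of .bash_history.

Constructed example: HISTORY below is assembled from the excerpt quoted
in post #5; it is not a real history file.
"""
import shlex


class HistoryEventNotFound(Exception):
    """Raised where bash would print '-bash: !<text>: event not found'."""


# bash leaves '!' alone when it is followed by one of these (or by nothing).
_NOT_AN_EVENT = set(" \t\n=(")

# Constructed history: HISTORY[0] is the oldest entry, HISTORY[-1] the newest.
HISTORY = [
    "defaults read /Applications/Safari.app/Contents/Info LSEnvironment",
    "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES",
    "cls",
    '"U R h4X3r3D... DIE NUBEclscls"clear',   # the accidentally pasted line
    "clear",
    'echo "U R h4X3r3D... DIE NUBEclearclear"',
]


def _lookup(designator, history):
    """Resolve the text after '!' against history.

    Forms handled: '!!', '!n', '!-n', '!?string?' and '!string'
    (the most recent command that starts with string).
    """
    if not history:
        raise HistoryEventNotFound(designator)
    if designator == "!":
        return history[-1]
    if designator.lstrip("-").isdigit():
        n = int(designator)
        idx = n - 1 if n > 0 else len(history) + n   # bash numbers events from 1
        if 0 <= idx < len(history):
            return history[idx]
        raise HistoryEventNotFound(designator)
    if designator.startswith("?"):
        needle = designator[1:].rstrip("?")
        matches = [c for c in history if needle in c]
    else:
        matches = [c for c in history if c.startswith(designator)]
    if matches:
        return matches[-1]          # the most recent match wins
    raise HistoryEventNotFound(designator)


def expand_history(line, history=HISTORY, histexpand=True):
    """Return line after bash-style history expansion.

    Quoting as bash 3.2 behaves in the transcript: a backslash or single
    quotes protect '!', double quotes do not.  histexpand=False models
    `set +H`, which switches expansion off entirely.
    """
    if not histexpand or "!" not in line:
        return line
    out, i, in_single = [], 0, False
    while i < len(line):
        ch = line[i]
        if ch == "\\" and not in_single and i + 1 < len(line):
            out.append(line[i:i + 2])          # backslash quotes the next char
            i += 2
            continue
        if ch == "'":
            in_single = not in_single
        nxt = line[i + 1] if i + 1 < len(line) else ""
        if ch != "!" or in_single or nxt == "" or nxt in _NOT_AN_EVENT:
            out.append(ch)                     # ordinary character or literal '!'
            i += 1
            continue
        if nxt == "!":                         # '!!'
            j = i + 2
        elif nxt == "?":                       # '!?string?'
            close = line.find("?", i + 2)
            j = len(line) if close == -1 else close + 1
        else:                                  # '!string' runs to the next blank
            j = i + 1
            while j < len(line) and not line[j].isspace():
                j += 1
        out.append(_lookup(line[i + 1:j], history))
        i = j
    return "".join(out)


def safe_literal(value):
    """Quote a value so a '!' inside it reaches the command unexpanded.

    shlex.quote wraps in single quotes, which is the fix post #8 recommends.
    """
    return shlex.quote(value)


if __name__ == "__main__":
    # Reproduces the transcript in post #5, then the single-quoted fix.
    print(expand_history('redis-cli set testkey "Hello, world!"'))
    print(expand_history("redis-cli set testkey " + safe_literal("Hello, world!")))
```

    Running the file prints the exact line the transcript shows after `redis-cli set testkey "Hello, world!"`, because `!"` means "the most recent history entry that starts with a double quote", and the pasted `"U R h4X3r3D..."` line is the only such entry. The same input wrapped by `safe_literal` comes back unchanged; `expand_history(..., histexpand=False)` shows the effect of `set +H` for people who would rather turn the feature off.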
     
  9. smithrh macrumors 68020

    smithrh

    Joined:
    Feb 28, 2009
    #9
    Not knowing anything about the OP's environment, but is the computer physically secure? Any roommates?

    It's not hard with a little bit of Unix shell background to have a bit of a laugh with someone's account.
     
  10. whooleytoo thread starter macrumors 603

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #10
    I knew the exclamation mark had something to do with history expansion, but didn't know what the effect of !" would be. Following up on your comment, I think I've figured out what happened. Please don't read this, as it makes me look like a complete IDIOT! :)

    I deleted my .bash_history, and lo and behold the "problem" went away. I think when checking my system for the Flashback trojan some months ago, I copied text from the thread above. I must have accidentally pasted the 'h4x3' text above into a Terminal window instead of into the Google search textfield (damn you keyboard focus). Thus, that text was in my bash history. Then, it just happens that the exclamation mark is pulling that text out of the history file every time.

    No malware. User is just an idiot! :) Thanks for helping me figure this out!

    Hah. It is that kind of office! I once logged into a colleague's computer via telnet and used AppleScript commands to say "I see dead people" in the Whisper voice, or randomly eject the CD drawer. In this case though, the explanation is much simpler (and more embarrassing!), see above.
     
