Updated - File Downloaded From Mac Rumours Deleted My OS X Documents, Files and Settings!

Discussion in 'OS X El Capitan (10.11)' started by sh33p, Mar 20, 2017.

  1. sh33p, Mar 20, 2017
    Last edited: Mar 20, 2017

    sh33p macrumors newbie

    Joined:
    Aug 3, 2012
    #1
    Hey guys,

    I downloaded a freeware file from macrumors which had a command line script to fix my iMac fan which was continuously running. I tried the program but decided it wasn't any good for me so I used the command line script included to uninstall...

    Right before my eyes I saw my desktop files and folders disappear one by one.

    I lost my files from my documents and downloads folders as well as my desktop.

    Firefox and other programs have reset themselves, I have lost all settings and bookmarks for Firefox and some programs which I have a license for (e.g. BetterTouchTool) now want me to re-enter my license info.

    I've lost a lot but I'm not sure if these files have been deleted?

    I'm still using my same account on the mac, it's just that everything has disappeared.

    I downloaded the file from here...
    https://forums.macrumors.com/threads/fan-noise-on-startup-and-wake-from-sleep.1638399/#post-19125759

    Here is the code from the uninstall script included in the link that ended up wiping all my files and settings.

    Code:
    #! /bin/sh
    
    echo "***** SOS WakeUp fan loud for early MacPro 2006-2007 *****"
    
    sleep 2
    
    echo "***** Now uninstall in progress *****"
    echo "***** Please enter your administrator password *****"
    
    pid=$(ps -fe | grep 'sleepwatcher' | awk '{print $2}')
    sudo kill $pid
    
    sleep 1
    
    echo "***** Uninstall -> Sleepwatcher with config *****"
    
    sudo rm -rf /usr/local/sbin/sleepwatcher
    
    sudo rm -rf /usr/local/share/man/man8/sleepwatcher.8
    
    sudo rm -rf /Library/LaunchDaemons/de.bernhard-baehr.sleepwatcher-20compatibility.plist
    
    echo "***** Uninstall -> SmcFanControl with config *****"
    
    # Set Mac Pro default fan speed :
    /Applications/smcFanControl.app/Contents/Resources/smc -k F0Mx -w 2d50
    /Applications/smcFanControl.app/Contents/Resources/smc -k 'FS! ' -w 0000
    
    sleep 1
    
    pid=$(ps -fe | grep 'smcFanControl' | awk '{print $2}')
    sudo kill $pid
    
    sleep 1
    
    localUser=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v admin )
    
    sudo rm -rf /Users/$localUser/Library/Preferences/com.eidac.smcFanControl2.plist
    
    sudo rm -rf /Users/$localUser/Library/Application\ Support/smcFanControl
    
    sleep 1
    
    osascript -e 'tell application "System Events" to delete login item "smcFanControl"'
    
    sudo rm -rf /Applications/smcFanControl.app
    
    echo "*****  Uninstall OK ! *****"
    
    exit 0
    
    Please help :(
     
  2. casperes1996 macrumors 65816

    Joined:
    Jan 26, 2014
    Location:
    Horsens, Denmark
    #2
    I don't see anything in that script that would delete any other files than the ones appropriate for the script to actually delete.
     
  3. chown33, Mar 20, 2017
    Last edited: Mar 20, 2017

    chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #3
    I don't see anything that would intentionally delete a user's Desktop, Documents, etc.

    However, I do see some latent problems that might accidentally do so. Lack of knowledge (ignorance), lack of skill (incompetence), or lack of planning (myopia) could all be contributing causes on the part of the shell script's author.


    Here's the start of the potential problem I see:
    Code:
    localUser=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v admin )
    
    The potential problem here is that multiple usernames can be output. These are stored in the variable 'localUser', with newlines between them. If there's only one username output, everything should be fine. It's the multi-name case that's perilous.

    The variable 'localUser' then gets used in 2 places:
    Code:
    sudo rm -rf /Users/$localUser/Library/Preferences/com.eidac.smcFanControl2.plist
    
    sudo rm -rf /Users/$localUser/Library/Application\ Support/smcFanControl
    
    This is where the latent problem of multiple names leads to disaster.

    Because $localUser isn't quoted, it gets expanded with the newlines treated as whitespace between words. The result is that the first username in the list will have their entire home directory deleted recursively. That is, everything in that user's home directory is deleted. Kaboom, all gone.

    If $localUser had been quoted like this:
    Code:
    sudo rm -rf /Users/"$localUser"/Library/Preferences/com.eidac.smcFanControl2.plist
    
    it would still be expanded to multiple names, but the newlines between the names would have been treated as if they were part of an actual filename, rather than being treated as line endings or whitespace between words. Furthermore, since no such directory exists, nothing would have happened.

    SUMMARY:
    Improper or missing quoting can cause serious problems.


    Although I'm fairly good with shell scripting, some of the commands in the script are opaque, and it isn't obvious what their intent is, nor why they do something in that way.

    For example, this:
    Code:
    pid=$(ps -fe | grep 'smcFanControl' | awk '{print $2}')
    sudo kill $pid
    
    might be replaceable with the single command 'killall smcFanControl'.

    As another example, I'm not clear what the author expects this to do:
    Code:
    localUser=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v admin )
    
    I understand what this does, I'm just not clear on why it's being done this way.

    If the goal is to get the current user name, then there's an environment variable for that: LOGNAME.

    If the goal is to get the user's home directory, there are two ways to do that:
    Code:
      ~/
      "$HOME/"
    If the goal is to get what may be a list of usernames separated by whitespace, then that command makes sense. Unfortunately, the result isn't being properly handled as a list of names, which then leads to disaster.

    Other commands are more plainly reckless, such as the recursive option (-r) to remove (rm) things that should only be single files. One of the rules of good system admin is to stop if something unexpected happens. If a file isn't deleted because it's actually a directory, the right thing to do is stop, not pretend it doesn't matter and recursively delete.


    I wish I knew of a way to restore what was deleted, but I can't think of one.

    I think this shell script is sufficiently dangerous that its link should be removed.
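
The word splitting described in post #3, as an added example that is not part of the original thread or of the uninstall script: it prints the arguments `rm` would receive instead of running `rm`. The account names `alice` and `bob`, the helper names, and the per-account loop in `safe_targets` (an assumed intent) are all made up for illustration.

```sh
#!/bin/sh
# Added example: prints the arguments rm would receive. Nothing is deleted.

# Constructed sample of the dscl | awk | grep output on a Mac with two
# non-admin accounts (the names alice and bob are made up).
sample_users='alice
bob'
plist=Library/Preferences/com.eidac.smcFanControl2.plist

# Print the argument count, then each argument in brackets.
show_args() {
    printf 'rm would receive %d path(s):\n' "$#"
    for arg in "$@"; do
        printf '  [%s]\n' "$arg"
    done
}

# As in the uninstall script: unquoted, so the newline splits the word.
unsafe_targets() {
    localUser=$1
    show_args /Users/$localUser/$plist
}

# Quoted, as chown33 suggests: one argument with an embedded newline.
quoted_targets() {
    localUser=$1
    show_args /Users/"$localUser"/$plist
}

# Assumed intent: handle each account separately, rejecting odd names.
safe_targets() {
    printf '%s\n' "$1" | while IFS= read -r user; do
        case $user in
            ''|.|..|*[!A-Za-z0-9._-]*) continue ;;
        esac
        show_args "/Users/$user/$plist"
    done
}

unsafe_targets "$sample_users"
quoted_targets "$sample_users"
safe_targets "$sample_users"
```

In the unquoted case the first argument is the bare home directory `/Users/alice`, which is what `rm -rf` then removes; the quoted case yields a single path that does not exist.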
     
  4. casperes1996 macrumors 65816

    Joined:
    Jan 26, 2014
    Location:
    Horsens, Denmark
    #4
    Hadn't thought of those problems when I read through it. Seemed innocuous to me at first, but damn, you're right.
    I think the "kill 'PID'" instead of "killall SMCFanControl" is just the scriptwriter not knowing of killall, 'cause I thought the same when I read through it - "Why isn't killall just being used?".
    Also wondered why even single .plist files were being removed with the recursive flag.

    Since none of the files were removed with the "srm" command, and only rm, depending on what drive you have in your computer, data recovery software may be able to get some of your data back, but it is highly unlikely you'll get all. Depends if it's been written over. If it's an SSD, it's probably already gone as a result of garbage collecting and TRIM.
     
  5. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #5
    Thank you so much for taking the time to look this over. I have removed the post linked by the OP.
     
  6. sh33p thread starter macrumors newbie

    Joined:
    Aug 3, 2012
    #6
    Thanks for the reply guys. Like I said, I had 95% of stuff backed up. There's just some PSDs, bookmarks and other documents which I'm trying to recover now. Thank you chown33 for chiming in, it is very much appreciated. I will report back.
     
  7. casperes1996 macrumors 65816

    Joined:
    Jan 26, 2014
    Location:
    Horsens, Denmark
    #7
    Hope you have success in recovering what you've lost
     
