我很抱歉发帖太长,但我认为完整的内容更有价值:
20120822,我的浏览器无法解析域名,所以我进入终端进行检查,结果!我发现了这些疯狂的命令残留:
mac-mini$ su Password:
sh-3.2# sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] <Error>: kCGErrorIllegalArgument: _CGSFindSharedWindow: WID -1
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] <Error>: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] <Error>: kCGErrorIllegalArgument: CGSSetWindowShadowAndRimParametersWithStretch: Invalid window 0xffffffff
2012-03-22 23:07:19.202 TextEdit[88957:7207] PersistentUI: LSSharedFileListInsertItemURL() failed at inserting URL file://localhost/etc/hosts
更糟糕的是,我发现“logmein”的一个副本被删除了。以下是一些历史:
20 /Library/Application\ Support/LogMeIn/uninstaller.command ; exit;
21 killall Toolkit
22 "/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Resources/logmeinserverctl" stop
23 launchctl stop /Library/LaunchDaemons/com.logmein.logmeinserver.plist
24 launchctl unload /Library/LaunchDaemons/com.logmein.logmeinserver.plist
25 launchctl unload /Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist
26 launchctl unload /Library/LaunchAgents/com.logmein.logmeingui.plist
27 launchctl unload /Library/LaunchAgents/com.logmein.logmeinguiagent.plist
28 rm -rf /Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist
29 rm -rf /Library/LaunchAgents/com.logmein.logmeingui.plist
30 rm -rf /Library/LaunchAgents/com.logmein.logmeinguiagent.plist
31 rm -rf /Library/LaunchDaemons/com.logmein.logmeinserver.plist
32 rm -rf "/Library/Application Support/LogMeIn/"
33 rm -rf /Library/Logs/LogMeIn/
34 rm -rf /Library/Receipts/LogMeIn\ Server\ Installer.pkg/
35 rm -rf /Library/Receipts/LogMeIn\ Installer.pkg/
36 rm -rf /Library/Printers/LogMeIn
37 rm -rf /usr/libexec/cups/backend/LogMeInBackend
38 rm -rf /usr/libexec/cups/filter/LogMeInFilter
39 rm -rf /usr/libexec/cups/filter/commandtoLogMeIn
40 rm -rf "/Applications/LogMeIn/LogMeInUninstaller.app"
41 rm -rf "/Applications/LogMeIn/StartLogMeIn.app"
42 rm -rf "/Applications/LogMeIn/Toolkit.app"
43 if [ -e "/Applications/LogMeIn/LogMeInPluginUninstaller.app" ];
then echo not removing LogMeIn directory; else rm -rf "/Applications/LogMeIn/"; fi
44 rm -rf "/Library/Receipts/LogMeIn Installer.pkg"
45 rm -rf "/Library/Receipts/logmein.pkg"
46 rm -rf "/private/var/db/receipts/com.logmein.logmeinserverinstaller.bom"
47 rm -rf "/private/var/db/receipts/com.logmein.logmeinserverinstaller.plist"
48 dscl . -delete /users/LogMeInRemoteUser
49 killall LMILaunchAgentFixer
然后我进去寻找这个 logmein,但除了卸载程序之外,它不存在。文件显示一个大约 3 月的旧时间戳,但仍然让我感到紧张。
我以 su 身份检查了更多历史记录并发现:
5 sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts
6 stty -onlcr -echo echonl
7 /usr/bin/atos -p "1" -printHeader
8 /usr/bin/atos -p "10" -printHeader
9 /usr/bin/atos -p "11" -printHeader
10 /usr/bin/atos -p "12" -printHeader
11 /usr/bin/atos -p "13" -printHeader
12 /usr/bin/atos -p "14" -printHeader
13 /usr/bin/atos -p "15" -printHeader
14 /usr/bin/atos -p "16" -printHeader
15 /usr/bin/atos -p "17" -printHeader
16 /usr/bin/atos -p "18" -printHeader
17 /usr/bin/atos -p "19" -printHeader
18 /usr/bin/atos -p "21" -printHeader
19 /usr/bin/atos -p "24" -printHeader
20 /usr/bin/atos -p "25" -printHeader
21 /usr/bin/atos -p "27" -printHeader
22 /usr/bin/atos -p "29" -printHeader
23 /usr/bin/atos -p "30" -printHeader
24 /usr/bin/atos -p "33" -printHeader
25 /usr/bin/atos -p "35" -printHeader
26 /usr/bin/atos -p "39" -printHeader
27 /usr/bin/atos -p "40" -printHeader
28 /usr/bin/atos -p "42" -printHeader
29 /usr/bin/atos -p "44" -printHeader
30 /usr/bin/atos -p "46" -printHeader
31 /usr/bin/atos -p "48" -printHeader
32 /usr/bin/atos -p "53" -printHeader
33 /usr/bin/atos -p "90" -printHeader
34 /usr/bin/atos -p "91" -printHeader
35 /usr/bin/atos -p "96" -printHeader
36 /usr/bin/atos -p "108" -printHeader
37 /usr/bin/atos -p "110" -printHeader
38 /usr/bin/atos -p "119" -printHeader
39 /usr/bin/atos -p "122" -printHeader
40 /usr/bin/atos -p "123" -printHeader
41 /usr/bin/atos -p "128" -printHeader
42 /usr/bin/atos -p "129" -printHeader
43 /usr/bin/atos -p "131" -printHeader
44 /usr/bin/atos -p "132" -printHeader
45 /usr/bin/atos -p "133" -printHeader
46 /usr/bin/atos -p "134" -printHeader
47 /usr/bin/atos -p "139" -printHeader
48 /usr/bin/atos -p "141" -printHeader
49 /usr/bin/atos -p "144" -printHeader
50 /usr/bin/atos -p "149" -printHeader
51 /usr/bin/atos -p "154" -printHeader
52 /usr/bin/atos -p "160" -printHeader
53 /usr/bin/atos -p "161" -printHeader
54 /usr/bin/atos -p "164" -printHeader
55 /usr/bin/atos -p "197" -printHeader
56 /usr/bin/atos -p "209" -printHeader
57 /usr/bin/atos -p "212" -printHeader
58 /usr/bin/atos -p "1593" -printHeader
59 /usr/bin/atos -p "1594" -printHeader
60 /usr/bin/atos -p "17892" -printHeader
61 /usr/bin/atos -p "82995" -printHeader
62 /usr/bin/atos -p "82996" -printHeader
63 /usr/bin/atos -p "82997" -printHeader
64 /usr/bin/atos -p "BezelUIServer" -printHeader
65 /usr/bin/atos -p "83003" -printHeader
66 /usr/bin/atos -p "taskgated" -printHeader
67 /usr/bin/atos -p "83006" -printHeader
68 /usr/bin/atos -p "83007" -printHeader
69 /usr/bin/atos -p "83010" -printHeader
70 /usr/bin/atos -p "com.apple.hiserv" -printHeader
71 /usr/bin/atos -p "83014" -printHeader
72 /usr/bin/atos -p "83015" -printHeader
现在,也许当这一切发生时我喝醉了,但我很确定我没有运行所有这些命令。
从第一行,我可以看到他们正在查看 hosts 文件,因此我对其进行了 cat 并发现:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
好吧,我已经改变了我的 su 传递和常规传递,并且我已经删除了主机,希望这可以阻止进一步的污染?
或者我只是在欺骗自己,应该重新格式化我的整个计算机?
答案1
线路
stty -onlcr -echo echonl
以及重复的
/usr/bin/atos -p "XXX" -printHeader
来自 stackshot 程序,该程序用于为所有正在运行的进程生成堆栈转储。
我在我的日志中发现了相同的条目并且真的很怀疑,但是经过一番谷歌搜索之后我发现按下Control-Option-Command-Shift-Period(同时)会启动堆栈快照,令我惊讶的是它实际上会在中产生这些条目/var/root/.sh_history。
如果有谁对 OS X 有更多了解,可以解释为什么在后台执行的 shell 脚本会这样做,我将不胜感激。
对我来说,这肯定是因为我(愚蠢地)决定在 Mac 运行时清洁键盘。:)
答案2
听起来确实像是有人在捣鼓你的 Mac。除非你正在运行 ssh 服务器以允许远程访问,否则听起来像是有人物理访问了你的计算机。更改密码可能是个好主意,你还应该确保在你不在时计算机已锁定,这样其他人就无法访问它。此外,请记住,只要具备适当的技能,每台机器都可能被黑客入侵,因此你最好的办法是定期检查是否有看起来不对劲的奇怪东西。我认为你很好地发现了它。