我的 Mac 被黑了吗?发现了奇怪的东西

我的 Mac 被黑了吗?发现了奇怪的东西

我很抱歉发帖太长,但我认为完整的内容更有价值:

20120822,我的浏览器无法解析域名,所以我进入终端进行检查,结果!我发现了这些疯狂的命令残留:

mac-mini$ su Password:
sh-3.2# sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] <Error>: kCGErrorIllegalArgument: _CGSFindSharedWindow: WID -1
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] <Error>: kCGErrorFailure: Set a     breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
Mar 22 23:07:08 my-Mac-mini.local TextEdit[88957] <Error>: kCGErrorIllegalArgument:     CGSSetWindowShadowAndRimParametersWithStretch: Invalid window 0xffffffff
2012-03-22 23:07:19.202 TextEdit[88957:7207] PersistentUI: LSSharedFileListInsertItemURL() failed at inserting URL file://localhost/etc/hosts

更糟糕的是,我发现“logmein”的一个副本被删除了。以下是一些历史:

20  /Library/Application\ Support/LogMeIn/uninstaller.command ; exit;    
21  killall Toolkit    
22  "/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Resources/logmeinserverctl" stop    
23  launchctl stop /Library/LaunchDaemons/com.logmein.logmeinserver.plist    
24  launchctl unload /Library/LaunchDaemons/com.logmein.logmeinserver.plist    
25  launchctl unload /Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist    
26  launchctl unload /Library/LaunchAgents/com.logmein.logmeingui.plist    
27  launchctl unload /Library/LaunchAgents/com.logmein.logmeinguiagent.plist    
28  rm -rf /Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist    
29  rm -rf /Library/LaunchAgents/com.logmein.logmeingui.plist    
30  rm -rf /Library/LaunchAgents/com.logmein.logmeinguiagent.plist    
31  rm -rf /Library/LaunchDaemons/com.logmein.logmeinserver.plist    
32  rm -rf "/Library/Application Support/LogMeIn/"    
33  rm -rf /Library/Logs/LogMeIn/    
34  rm -rf /Library/Receipts/LogMeIn\ Server\ Installer.pkg/    
35  rm -rf /Library/Receipts/LogMeIn\ Installer.pkg/    
36  rm -rf /Library/Printers/LogMeIn    
37  rm -rf /usr/libexec/cups/backend/LogMeInBackend    
38  rm -rf /usr/libexec/cups/filter/LogMeInFilter    
39  rm -rf /usr/libexec/cups/filter/commandtoLogMeIn    
40  rm -rf "/Applications/LogMeIn/LogMeInUninstaller.app"    
41  rm -rf "/Applications/LogMeIn/StartLogMeIn.app"    
42  rm -rf "/Applications/LogMeIn/Toolkit.app"    
43  if [ -e "/Applications/LogMeIn/LogMeInPluginUninstaller.app" ]; 
    then echo not removing LogMeIn directory; else rm -rf "/Applications/LogMeIn/"; fi  
44  rm -rf "/Library/Receipts/LogMeIn Installer.pkg"     
45  rm -rf "/Library/Receipts/logmein.pkg"     
46  rm -rf "/private/var/db/receipts/com.logmein.logmeinserverinstaller.bom"    
47  rm -rf "/private/var/db/receipts/com.logmein.logmeinserverinstaller.plist"   
48  dscl . -delete /users/LogMeInRemoteUser    
49  killall LMILaunchAgentFixer

然后我进去寻找这个 logmein,但除了卸载程序之外,它不存在。文件显示一个大约 3 月的旧时间戳,但仍然让我感到紧张。

我以 su 身份检查了更多历史记录并发现:

5  sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts            
6  stty -onlcr -echo echonl
7  /usr/bin/atos -p "1" -printHeader 
8  /usr/bin/atos -p "10" -printHeader 
9  /usr/bin/atos -p "11" -printHeader     
10  /usr/bin/atos -p "12" -printHeader     
11  /usr/bin/atos -p "13" -printHeader     
12  /usr/bin/atos -p "14" -printHeader     
13  /usr/bin/atos -p "15" -printHeader     
14  /usr/bin/atos -p "16" -printHeader     
15  /usr/bin/atos -p "17" -printHeader     
16  /usr/bin/atos -p "18" -printHeader     
17  /usr/bin/atos -p "19" -printHeader     
18  /usr/bin/atos -p "21" -printHeader     
19  /usr/bin/atos -p "24" -printHeader     
20  /usr/bin/atos -p "25" -printHeader     
21  /usr/bin/atos -p "27" -printHeader     
22  /usr/bin/atos -p "29" -printHeader     
23  /usr/bin/atos -p "30" -printHeader     
24  /usr/bin/atos -p "33" -printHeader     
25  /usr/bin/atos -p "35" -printHeader     
26  /usr/bin/atos -p "39" -printHeader     
27  /usr/bin/atos -p "40" -printHeader     
28  /usr/bin/atos -p "42" -printHeader     
29  /usr/bin/atos -p "44" -printHeader     
30  /usr/bin/atos -p "46" -printHeader     
31  /usr/bin/atos -p "48" -printHeader     
32  /usr/bin/atos -p "53" -printHeader     
33  /usr/bin/atos -p "90" -printHeader     
34  /usr/bin/atos -p "91" -printHeader     
35  /usr/bin/atos -p "96" -printHeader     
36  /usr/bin/atos -p "108" -printHeader     
37  /usr/bin/atos -p "110" -printHeader     
38  /usr/bin/atos -p "119" -printHeader     
39  /usr/bin/atos -p "122" -printHeader     
40  /usr/bin/atos -p "123" -printHeader     
41  /usr/bin/atos -p "128" -printHeader     
42  /usr/bin/atos -p "129" -printHeader     
43  /usr/bin/atos -p "131" -printHeader     
44  /usr/bin/atos -p "132" -printHeader     
45  /usr/bin/atos -p "133" -printHeader     
46  /usr/bin/atos -p "134" -printHeader     
47  /usr/bin/atos -p "139" -printHeader     
48  /usr/bin/atos -p "141" -printHeader     
49  /usr/bin/atos -p "144" -printHeader     
50  /usr/bin/atos -p "149" -printHeader     
51  /usr/bin/atos -p "154" -printHeader     
52  /usr/bin/atos -p "160" -printHeader     
53  /usr/bin/atos -p "161" -printHeader     
54  /usr/bin/atos -p "164" -printHeader     
55  /usr/bin/atos -p "197" -printHeader     
56  /usr/bin/atos -p "209" -printHeader     
57  /usr/bin/atos -p "212" -printHeader     
58  /usr/bin/atos -p "1593" -printHeader     
59  /usr/bin/atos -p "1594" -printHeader     
60  /usr/bin/atos -p "17892" -printHeader     
61  /usr/bin/atos -p "82995" -printHeader     
62  /usr/bin/atos -p "82996" -printHeader     
63  /usr/bin/atos -p "82997" -printHeader     
64  /usr/bin/atos -p "BezelUIServer" -printHeader     
65  /usr/bin/atos -p "83003" -printHeader     
66  /usr/bin/atos -p "taskgated" -printHeader     
67  /usr/bin/atos -p "83006" -printHeader     
68  /usr/bin/atos -p "83007" -printHeader     
69  /usr/bin/atos -p "83010" -printHeader     
70  /usr/bin/atos -p "com.apple.hiserv" -printHeader     
71  /usr/bin/atos -p "83014" -printHeader     
72  /usr/bin/atos -p "83015" -printHeader

现在,也许当这一切发生时我喝醉了,但我很确定我没有运行所有这些命令。

从第一行,我可以看到他们正在查看 hosts 文件,因此我对其进行了 cat 并发现:

127.0.0.1          localhost
255.255.255.255    broadcasthost
::1                localhost
fe80::1%lo0        localhost

好吧,我已经改变了我的 su 传递和常规传递,并且我已经删除了主机,希望这可以阻止进一步的污染?

或者我只是在欺骗自己,应该重新格式化我的整个计算机?

答案1

线路

stty -onlcr -echo echonl 

以及重复的

/usr/bin/atos -p "XXX" -printHeader 

来自 stackshot 程序,该程序用于为所有正在运行的进程生成堆栈转储。

我在我的日志中发现了相同的条目并且真的很怀疑,但是经过一番谷歌搜索之后我发现按下Control-Option-Command-Shift-Period(同时)会启动堆栈快照,令我惊讶的是它实际上会在中产生这些条目/var/root/.sh_history

如果有谁对 OS X 有更多了解,可以解释为什么在后台执行的 shell 脚本会这样做,我将不胜感激。

对我来说,这肯定是因为我(愚蠢地)决定在 Mac 运行时清洁键盘。:)

答案2

听起来确实像是有人在捣鼓你的 Mac。除非你正在运行 ssh 服务器以允许远程访问,否则听起来像是有人物理访问了你的计算机。更改密码可能是个好主意,你还应该确保在你不在时计算机已锁定,这样其他人就无法访问它。此外,请记住,只要具备适当的技能,每台机器都可能被黑客入侵,因此你最好的办法是定期检查是否有看起来不对劲的奇怪东西。我认为你很好地发现了它。

相关内容