My mac is possessed.
November 10, 2005 10:27 AM

My Imac (running the latest patched version of Tiger) is possessed. While I watch, the cursor is flipping around, opening the terminal, and typing "wget" with nothing after it. I don't know if this is a bot, hacker, or hardware failure of some sort.

The behavior seems kind of programmed. That is, I don't think that someone has a rogue version of VNC running. I've turned off the machine, and am wondering what my next step should be, or if someone has seen this before. Thanks!
posted by craniac to Computers & Internet (19 answers total)
 
It could be some sort of script, but there are easier ways to launch wget from a script... so if it is a harmless script, it's a very poorly conceived one.

Does it still happen when you are unplugged from the internet?

Another thing you can do is run "top" at the command line, and then wait for the strangeness to start happening. Observe the top few processes in the list; one of them may be the offender. From that, you might be able to find the script/executable itself, and turn it off.
posted by clord at 10:33 AM on November 10, 2005


Try starting up in safe mode (shift key down) and see if it keeps this behavior up.
posted by filmgeek at 10:43 AM on November 10, 2005


Response by poster: Of course, now that I've started my machine back up the behavior has stopped. I'm running top and will keep an eye on it. Very strange.
posted by craniac at 10:48 AM on November 10, 2005


I thought wget didn't come with Tiger... (specifically, I recall downloading and installing it.)
posted by Wild_Eep at 11:14 AM on November 10, 2005


Wild_Eep (how appropriate for this question)... yeah, I think you're right... I seem to remember the curl-instead-of-wget really bothering me in the beginning.
posted by chota at 11:30 AM on November 10, 2005


Which might be why the script isn't getting anywhere.
posted by o2b at 11:46 AM on November 10, 2005


Might want to use fink to obtain wget and friends.
posted by kcm at 12:04 PM on November 10, 2005


A VNC server comes with all copies of Tiger; I think the process is called or starts with AppleVNCServer. You can turn it on/off in Sharing preferences under Apple Remote Desktop. I don't think you can control mouse movements through scripts, right?
posted by sammich at 12:08 PM on November 10, 2005


Random question. Why is it that people, even people who own Macintosh computers, can't get their names right? This is about the third time this week I've seen "Imac" or "I-mac" or "IMac". It's written on the computer, right?

But I'd be very interested to hear the outcome of this story.

I know someone who believed this was happening to them and I was very skeptical.

What are the possibilities? It sounds as if something like VNC is being used, as the cursor and windows are actually moving, visibly. As others have said, you don't need to open windows and move the mouse if you're able to log in remotely.

Whatever the exploit is, it seems like they have to use your login.
posted by AmbroseChapel at 12:13 PM on November 10, 2005


Uh. Yeah. You have trouble.

If I had to guess, I'd say that you've got your system connected directly to the internet (no firewall), and you have a password that is easily-guessable. So a spammer has logged in, and they're using wget to download a little shell script that is turning your machine into a spam zombie.

Do this:

1. Unplug your iMac from the internet.
2. Change your passwords on all accounts.
3. Do not reconnect your iMac until you have a hardware firewall -- a router or something.
4. Call Apple tech support.
posted by waldo at 1:27 PM on November 10, 2005


Response by poster: It hasn't come back since I rebooted, and my firewall had been turned off. The cursor was moving in programmatic ways, the same way every time, and it was clicking on the terminal icon in my launchbar, then typing wget and other garbage in the command line. When I was in my browser the cursor would also move strangely and click on wherever it "landed."

Using top and ps -U username indicated no instances of VNC.

I'm not seeing anything too weird in my processes:
PID TT STAT TIME COMMAND
71 ?? Ss 0:05.39 /System/Library/Frameworks/ApplicationServices.framew
72 ?? Ss 0:01.83 /System/Library/CoreServices/loginwindow.app/Contents
123 ?? Ss 0:01.16 /System/Library/CoreServices/pbs
130 ?? S 0:02.41 /System/Library/CoreServices/Dock.app/Contents/MacOS/
142 ?? S 0:02.76 /System/Library/CoreServices/SystemUIServer.app/Conte
144 ?? S 0:12.81 /System/Library/CoreServices/Finder.app/Contents/MacO
151 ?? S 0:01.13 /Applications/Stickies.app/Contents/MacOS/Stickies -p
175 ?? S 0:48.66 /System/Library/CoreServices/System Events.app/Conten
176 ?? S 0:00.55 /Applications/iCal.app/Contents/Resources/iCalAlarmSc
250 ?? S 0:00.09 /System/Library/Services/AppleSpell.service/Contents/
252 ?? S 1:51.35 /Applications/Utilities/Terminal.app/Contents/MacOS/T
351 ?? S 0:03.94 /Applications/Preview.app/Contents/MacOS/Preview -psn
356 ?? S 0:16.24 /Users/craniac/Library/Printers/hp LaserJet 1300-1.ap
515 ?? SNs 0:02.11 /System/Library/Frameworks/CoreServices.framework/Ver
556 ?? S 0:15.51 /Applications/iTunes.app/Contents/MacOS/iTunes -psn_0
587 ?? S 1:32.21 /Applications/Safari.app/Contents/MacOS/Safari -psn_0
254 p1 Ss 0:00.08 -bash
But I will call Apple and ask about this.
posted by craniac at 1:51 PM on November 10, 2005


Response by poster: Oh, and I've already finked wget.
posted by craniac at 1:59 PM on November 10, 2005


Are you sure you want wget installed if there's some (potentially) evil script on your machine that needs it...?
posted by clarahamster at 2:06 PM on November 10, 2005


Use 'ps auxww' to get all the processes and their full paths.
posted by boaz at 3:35 PM on November 10, 2005


I asked my very knowledgeable friend who works at Apple to comment on this thread, and he said,

"Someone was connected to mac via Apple Remote Desktop. TURN OFF ARD unless you have good reason not to."

I said, "That is the only way to move mouse remotely?"

He said, "Pretty much, only way I have heard of."

Apple Remote Desktop can be found under System Preferences > Sharing > Services.
posted by ikkyu2 at 4:05 PM on November 10, 2005
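Putting boaz's 'ps auxww' tip and ikkyu2's Apple Remote Desktop pointer together, here is an added triage script. It is not code from this thread and not Apple's; it only filters process-list and socket-list text for the remote-control pieces discussed above. The process names it looks for are AppleVNCServer (named in the thread) and ARDAgent (Apple's Remote Desktop agent), plus generic VNC names, and the ports are the conventional ones: 5900-5909 for VNC displays and 3283 for ARD. The ps and netstat samples embedded below are constructed for the demo, not the poster's real listing.

```sh
#!/bin/sh
# Added example, not code from the thread or from Apple: triage helpers for the
# question "is anything on this box able to drive the screen remotely?".
# Both filters read text on stdin, so they work on live "ps auxww" / "netstat -an"
# output or on a saved capture. The process names are ones known on Mac OS X of
# that era (ARDAgent, AppleVNCServer) plus generic VNC names; treat the list as
# a starting point, not a complete inventory.

# Process names associated with remote screen control (extended regex).
REMOTE_CTL_RE='ARDAgent|AppleVNCServer|RemoteManagement|[Vv][Nn][Cc]|OSXvnc'

# Ports conventionally used: 5900-5909 for VNC displays, 3283 for ARD.
# BSD/macOS netstat writes addresses as host.port, hence the leading dot.
REMOTE_PORT_RE='\.(590[0-9]|3283)[[:space:]]'

# Print each ps line naming a remote-control process (exit status 1 if none).
flag_remote_control_procs() {
    grep -E "$REMOTE_CTL_RE"
}

# Print each netstat line showing a LISTEN socket on a VNC/ARD port.
flag_remote_listeners() {
    grep -E "$REMOTE_PORT_RE" | grep 'LISTEN'
}

# Number of non-empty lines on stdin; prints 0 (not nothing) when there are none.
count_lines() {
    grep -c . || :
}

# Constructed sample of "ps auxww" output (not the poster's real listing).
SAMPLE_PS='USER     PID %CPU %MEM COMMAND
craniac  144  0.0  1.2 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
root     201  0.0  0.5 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
root     205  0.0  0.4 /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer
craniac  252  0.1  0.8 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'

# Constructed sample of "netstat -an" output.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.3283                 *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      10.0.0.9.80            ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN'

# Run the filters over the live system (--live) or over the constructed samples.
triage() {
    if [ "${1:-}" = "--live" ]; then
        echo "== remote-control processes (ps auxww) =="
        ps auxww | flag_remote_control_procs
        echo "== VNC/ARD listeners (netstat -an) =="
        netstat -an | flag_remote_listeners
    else
        echo "== remote-control processes (constructed sample) =="
        printf '%s\n' "$SAMPLE_PS" | flag_remote_control_procs
        echo "== VNC/ARD listeners (constructed sample) =="
        printf '%s\n' "$SAMPLE_NETSTAT" | flag_remote_listeners
    fi
}

triage "$@"
```

Run it with no arguments to see the filters against the samples, or with --live on the machine in question. The 'ww' in 'ps auxww' matters: the poster's own listing above is truncated at the terminal width, which is exactly what hides the tail of a long path such as .../RemoteManagement/ARDAgent.app/... A hit from either filter is not proof of a break-in, only that the remote-control pathway is open; the fix in the thread (Sharing preferences, turn Apple Remote Desktop off unless you need it) closes it either way.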


btw, if anyone wants a secure version of this sort of functionality, Mark Pilgrim has a good guide to secure vnc using ssh port forwarding.
posted by lbergstr at 4:23 PM on November 10, 2005


This might not be an intrusion. It might be some crappy software trying to do its thing the hard way. Very suspicious, but not an obvious break-in yet.

If you were running windows, it would be an open and shut case of course ;)
posted by clord at 6:46 PM on November 10, 2005


"Bulletproof" until you basically unbutton your kevlar vest and paint a big ol' target on your chest. Why on earth would you have enabled Apple Remote Desktop or, for that matter, any non-essential service?
posted by five fresh fish at 6:51 PM on November 10, 2005


I said, "That is the only way to move mouse remotely?" He said, "Pretty much, only way I have heard of."

ARD is only one of a zillion ways to move the mouse remotely.
posted by rajbot at 8:56 PM on November 10, 2005

