STEPS TAKEN
- Logged on to the Mac this morning
- Detected activity and generated files that I did not start
- Pulled the bash history. Output attached below
Settings
- All sharing was turned off
- Not using any file sharing or remote access
- Firewall was set to Block all incoming connections
- Home network with no other users active at the time
- Updated yesterday to Mavs 10.9.2
For this post; SUID disabled on ARDAgent with:
sudo chmod u-s \
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
Need help determining whether this is a rogue process, something ignorable, or something that requires more action on my part
Administrator$ history 1 rm -rf ~/.Trash/* 2 cd 3 . 4 ./ 5 cd 6 lib 7 cd/ 8 9 ls 10 cd downloads 11 ls downloads 12 ls Downloads 13 find / -nouser -ls 14 find /~nouser -ls 15 ls 16 ls /library 17 /LaunchAgents 18 ls /LaunchAgents 19 ls /Automator 20 ls /KeyChains 21 sha 22 toop 23 top 24 dscl . -list /Users UniqueID 25 $ dscl -plist . readall /users 26 $ dscl . readall /users 27 $ dscl . readall /503 28 ls/Users 29 - dscacheutil -q group 30 cd 31 cd. 32 cd . 33 ls 34 ifconfig 35 ifconfig 36 ifconfig 37 config helper 38 config 39 ls 40 ssh XXXXXX 41 defaults write com.google.Keystone.Agent checkInterval 0 42 exit 43 exit 44 /var/log/secure.log 45 ssh XXXXXX 46 exit 47 kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' 48 sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}' 49 launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}' 50 ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null 51 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null 52 top 53 ps 54 top 55 top 56 top 57 sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop 58 man who 59 who 60 whoami 61 ps -aux 62 ps 63 top 64 ps -eo pid,etime 65 top 66 ps aux | less 67 pstree 68 ps -eo euser,ruser,suser,fuser,f,comm,label 69 pgrep 70 pgrep remote 71 apt-get install htop 72 htop 73 netstat -tulpn | grep :80 74 ls -l /proc/635/exe 75 swapon -a 76 ma ps 77 man ps 78 man ps 79 ps -a 80 ps -A 81 whoami 82 ps -f 83 ps -G 84 ps -g 85 ps -T 86 ps-t 87 ps -v 88 ps start 89 top 90 ps 91 users 92 last 93 ls /var/log/wtmp* 94 last -f /var/log/wtmp.1 95 last -f /var/log/wtmp.0 96 ~/.bash_history 97 cat ~/.bash_history 98 ls /Automator 99 cat Automator 100 open ~/.bash_history 101 dscl . readall /users 102 ls/library 103 cd/library 104 cd.. 
105 cd 106 ls 107 cd Library 108 cd/Library 109 ls/Automator 110 toop 111 top 112 ifconfig 113 config helper 114 config 115 top 116 ps -a 117 ps -A 118 ps -aux 119 ps 120 getprocessforpid(677) 121 man ps 122 ps -U 123 ps -u 124 GetProcessPID(494) 125 GetProcessPID() q 126 GetProcessPID494 127 GetProcessPID 494 128 netstat -b 129 top 130 top 131 top 132 netstat -a 133 netstat -a | grep vnc | grep ESTABLISHED 134 top 135 netstat -a 136 top 137 top 138 netstat -a 139 ps -aux 140 netstat -a | grep vnc | grep ESTABLISHED 141 ps -aux 142 ps -A 143 ps -A 144 netstat -a | grep vnc | grep ESTABLISHED 145 netstat -a 146 top 147 top 148 netstat -a 149 netstat -a 150 netstat -a 151 q 152 top 153 top 154 sudo tmutil disablelocal 155 exit 156 top 157 top 158 top 159 top 160 top 161 top 162 neststat -n 163 netstat -n 164 netstat -n 165 ls 166 lsaf 167 cd .. 168 cd .. 169 cd .. 170 cd .. 171 ls 172 top 173 netstat 174 dscl . list/users 175 cd ~ 176 dscl . list/users 177 dscl . list /users 178 dscl . list /groups 179 dscl . readall /users 180 netstat 181 netstat 182 whoami 183 ls 184 cd .. 185 cd .. 186 cd . 187 cd .. 188 ls 189 tree 190 cd Users 191 ls 192 cd Administrator 193 ls 194 cd .. 195 cd .. 196 cd .. 197 ls 198 cd Users 199 ls 200 cd Adminstrator 201 cd Administrator 202 ls 203 cd Downloads 204 ls 205 exit 206 whoami 207 ls 208 ls 209 cd Library 210 ls 211 cd Application Support 212 ls 213 cd .. 214 ls 215 cd .. 
216 ls 217 cd peterobrien 218 ls 219 cd Library 220 whoami 221 sudo - Adminsitrator 222 ls 223 ls 224 sudo - 225 more /etc/hosts 226 scc ver 227 scc numprofiles 228 netstat -an |find /i "listening" 229 netstat 230 top 231 kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' 232 sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}' 233 launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}' 234 ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null 235 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null 236 osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null 237 top 238 dscacheutil -flushcache 239 sudo killall -HUP mDNSResponder 240 top 241 ./bitcoin-qt 242 cd $home 243 ls 244 cd .. 245 cd .. 246 cd .. 247 ls 248 cd Applications 249 ls 250 ./bitcoin-qt.app 251 top 252 ps -420 253 ps -9541 254 top 255 /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit; 256 /Applications/Postgres93.app/Contents/MacOS/bin/psql ; exit; 257 top 258 ps -a (2077) 259 ps -a2077 260 sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist 261 top 262 on run 263 do shell script "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'" 264 end run 265 ls -ls /System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp 2 266 sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
END
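Added example, not part of the original post: a small POSIX sh triage helper that reads a saved `history` dump in the same numbered shape as the output above and prints only the entries a defender would want to review first (remote logins, launchd changes, Time Machine snapshot changes, anything touching ARDAgent, and binaries run from the current directory). The pattern list is my own choice, not an official or complete one, and the sample entries are constructed to mirror the shape of the post's output.

```shell
#!/bin/sh
# Triage a numbered `history` dump for entries that change persistence,
# remote access or backups on a Mac. Added example; patterns are an assumption
# chosen for this post, not an authoritative list.

# Extended regex over one history entry: optional leading spaces, the entry
# number, optional `sudo`, then a command worth a second look.
SUSPECT_PATTERNS='^ *[0-9]+ +(sudo +)?(ssh |launchctl (un)?load|tmutil disable|defaults write|chmod [ug]\+s|kextload|osascript|\./|.*ARDAgent)'

# Constructed sample in the same shape as `history` output (not the real dump).
sample_history() {
cat <<'EOF'
40 ssh XXXXXX
41 defaults write com.google.Keystone.Agent checkInterval 0
52 top
60 whoami
154 sudo tmutil disablelocal
241 ./bitcoin-qt
260 sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist
263 do shell script "osascript -e 'tell app \"ARDAgent\" to do shell script \"say quack\"'"
EOF
}

# Read history text on stdin, print the entries that match the patterns.
flag_history() {
  grep -E "$SUSPECT_PATTERNS"
}

# Read history text on stdin, print how many entries were flagged.
count_flagged() {
  flag_history | wc -l | tr -d ' '
}

# Stand-alone run: show the flagged entries from the constructed sample.
# With a real dump: `history > ~/history.txt` in the affected account, then
# `sh triage.sh < ~/history.txt` (file name is an assumption).
if [ "${1:-}" = "--demo" ] || [ -t 0 ]; then
  sample_history | flag_history
else
  flag_history
fi
```

Entries like `top`, `ps` and `dscl . readall /users` are deliberately not flagged, since they are investigative rather than state-changing; the point is to surface the lines that altered the machine (remote login, a launchd daemon being unloaded, local Time Machine snapshots disabled, an application launched by hand) so each can be matched against what the account owner remembers doing.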