Yesterday, I noticed that, starting at 12:40, many thousands of files had been automatically deleted from my drive. The computer is a MacBook Pro with a recent version of Mac OS X Yosemite. Since many folders are under Git version control, I could run a git status, which revealed deleted files in all those directories. I tried to detect a pattern, not using Git alone of course, and it seemed that files were deleted based on their extension.

  • Deleted: png, pdf, html, mp3, tex, sh, java, cpp, and more
  • Not deleted: sty, toc, and more

The entire filesystem was affected by this, with probably 100K files deleted in total (10K images alone).

At least a very large subset of the files were in Trash, with the earliest timestamp set to about 12:40 yesterday; it seems that the deletions continued for more than an hour.

The computer was in my custody at the precise time when the files were deleted (based on their timestamp in Trash). I was home alone at the time, so I can rule out anyone manually deleting the files as a prank. Given the scale of the incident, the files were most likely programmatically deleted.

Does this pattern of deleted files match any well-known, but unknown to me and my searches, Mac malware that is currently doing the rounds?

I have completely wiped the system.

1 Answer

Were you online at the time? I realise that this may be very obvious, but if your Mac is linked to any online file sharing site such as Dropbox or iCloud then deleting files on that site (or another computer linked to the same sharing space) may result in local files being deleted at the next 'sync'. Also, systems such as Dropbox have a history mechanism for retrieving lost files if you need them back. Of course, git repo deletions will reflect locally if you do various git commands (again, you've probably thought of this).

Now that you've wiped the system it may be quite difficult to tell what is happening, but it would have been worth checking the startup programs, which processes were running, and the permissions (and therefore the required permissions to delete) of the files that were deleted.

Have you got a Time Machine backup? Have you thought about how much you will trust that backup?

David Scholefield
  • I was online at the time. Files were deleted in the local Dropbox folder, which was reflected in the service via sync; I have reverted the changes. However, there was also a huge number of files outside the Dropbox path that had been deleted. For me, this rules out the direction that files were deleted in Dropbox first, my computer second. I do not have a Time Machine backup that I trust. Therefore I have wiped entirely. Luckily, all my content is backed up. My dream scenario is that this is a common virus or hardware failure. My nightmare scenario is that someone did this to only me. – Pimin Konstantin Kefaloukos Sep 22 '15 at 11:14
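
The per-extension comparison described in the question (which tracked extensions were deleted entirely and which were left alone) can be scripted over the output of `git status --porcelain` and `git ls-files`. This is an added example, not part of the original posts; the sample repository contents and the function names are constructed for illustration.

```python
import os
from collections import Counter

# Constructed sample: `git status --porcelain` output from one repository.
# Column 1 is the index state, column 2 the work-tree state; "D" means deleted.
SAMPLE_STATUS = (
    " D docs/report.pdf\n"
    " D img/logo.png\n"
    " D img/banner.png\n"
    " D build.sh\n"
    " D thesis/main.tex\n"
    "D  src/Main.java\n"
    " M thesis/main.toc\n"
    "?? notes.txt\n"
)

# Constructed sample: `git ls-files` output (every tracked path) from the same repository.
SAMPLE_TRACKED = (
    "docs/report.pdf\nimg/logo.png\nimg/banner.png\nbuild.sh\n"
    "thesis/main.tex\nthesis/main.toc\nthesis/thesis.sty\nsrc/Main.java\nREADME\n"
)

def ext(path):
    """Lower-cased extension without the dot; git may wrap unusual paths in quotes."""
    return os.path.splitext(path.strip('"'))[1].lower().lstrip(".") or "(none)"

def deleted_paths(porcelain):
    """Yield paths marked deleted in the index or the work tree."""
    for line in porcelain.splitlines():
        if len(line) > 3 and "D" in line[:2]:
            yield line[3:]

def tally(porcelain, tracked):
    """Map extension -> (deleted, tracked, verdict) for every tracked extension."""
    deleted = Counter(ext(p) for p in deleted_paths(porcelain))
    total = Counter(ext(p) for p in tracked.splitlines() if p)
    report = {}
    for e, n in sorted(total.items()):
        d = deleted.get(e, 0)
        report[e] = (d, n, "all" if d == n else "none" if d == 0 else "partial")
    return report

if __name__ == "__main__":
    for e, (d, n, verdict) in tally(SAMPLE_STATUS, SAMPLE_TRACKED).items():
        print(f"{e:8} {d:3}/{n:<3} {verdict}")
```

If every extension comes out as "all" or "none" across repositories, the selection was extension-based; "partial" rows point to some other criterion such as path or modification time.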