Ghost typing — has my Mac been hacked?

1

Got a good fright this evening; desperately need help:

On my Mac (OSX Mavericks), I suddenly saw the following text typed into the Chrome address bar:

do you like me  hey

It did not come in all at once, but character-by-character at a regular typing speed, as if someone had been on Screen Sharing (possibility) or had plugged in a second keyboard (conclusively ruled out).

I'm worried that my computer (or network) has been compromised: either over the internet, or by an internal program. No other text has been received, and I have not noticed any other strange behavior, so I have very little information to work with.

I do host a website on my Mac (just to use for simple html and php hosting); an attacker could have come in through there (but it seems unlikely). I've looked through my server logs and see only crawls by Google and Verisign, and various XSS/phpMyAdmin attempted attacks which had been (of course) 404'd. My bash history is also completely normal.

As a precaution I disconnected my home internet as soon as I saw the text; this is being posted via cell phone tethering.

I am at a complete loss as to how I should move forward from this point. However, I have considered the following three possibilities:

  1. A virus was installed on my computer. Unlikely because I am very careful about what I install; also, why would someone engineer a virus to type that into a text field? A good virus would be silent, so as to not let the user know of its existence. Maybe a rogue Chrome extension? But I have only a few, well-known Chrome extensions that have never before given me trouble.

  2. Someone took control of my computer from within my LAN. Unlikely because I am the "sysadmin" for my house; my family members neither have the privileges to remotely control my computer nor the know-how to do so. I do also have an unsecured network (Apple Airport), so someone could have connected. But I'm still not sure how they would have been able to control my computer. Also, they would need to be relatively close to my house; I don't know anyone who would do this.

  3. Someone took control of my computer from outside. That is, through my website. Unlikely because the only port I forward to my computer is 80, so no SSH, etc. access from the outside. However, maybe someone found a way to send shell commands remotely through PHP? Unlikely, however, because the exec commands in my PHP code all use hard-coded strings.

This has mildly terrified me, and I need some guidance on how I might a) figure out how this occurred and/or b) prevent it from happening again.

  • Is there a way I might look for a virus on my computer?
  • I can post my website URL (and/or php source) if you would like to look at it.
  • Should I contact my ISP?
  • Is there any other place I might go for help?

Thank you very much.

baum

Posted 2014-08-15T23:44:12.470

Reputation: 255

So far all you know is that there seemed to be keyboard input coming from somewhere other than your keyboard. Lacking any other information you should consider wireless input methods such as Bluetooth as a possible source. – Kyle Jones – 2014-08-16T00:19:06.667

Definitely not; no wireless dongles connected and my only paired Bluetooth device is my mouse. – baum – 2014-08-16T00:55:34.297

Take your LAN off the web until you've taken steps. You have clearly been compromised, and what you describe is an Advanced Persistent Threat scenario, so there are likely to be rootkits and raskits involved. It is VERY likely that attacks on PHP app and server tier were the source. Note blocking ports does NOTHING to protect the app on that port, and that PHP has a long history of vulnerability to attacks that allow the running of arbitrary code. Either way however that's just the initial vector, and the attacker certainly installed software that allows them access. – Frank Thomas – 2014-08-16T03:25:13.743

When you can confirm an interactive attack, there is no good option but to go offline, back up your content, and nuke the install. Since you have a LAN, you may have compromises all over the house, so be sure to check all your systems. Rebuild your Mac, from scratch, generating new passwords, cryptokeys, and reviewing any config you are restoring. Do not put the PHP site back up (that needs to be on a server that has been stripped of everything except the services you need for the web app). Do not restore any executable code unless you can verify that it has not been modified. – Frank Thomas – 2014-08-16T03:33:42.817

Has the text appeared instead of entire URL or was some part of URL left untouched? Do you remember what site you were browsing when it happened? – gronostaj – 2014-08-16T08:21:17.123

I would guess that there are a few ways to do this using Javascript. And of course every page you reference anymore (including this one) downloads a ton of Javascript. Make sure you have your browser's web tools installed, and if it happens again immediately switch to the tools and see what Javascripts are present. – Daniel R Hicks – 2014-08-16T11:58:59.803

(And yes, there are probably a thousand ways to "look for a virus on my computer". Of course, about 900 of them are more likely to install a virus than find one, so be very careful.) – Daniel R Hicks – 2014-08-16T12:00:37.543

I had something similar on a Linux machine: bits of text appeared in whatever input box was active. It was directed at a Windows machine, and was trying to run commands to go to a web-site, presumably to install something nasty. It turned out that I had foolishly forgotten to set the password when setting up remote access using VNC protocol and the open port had been spotted. Once I corrected this, there were no further problems: nothing had been compromised, because Linux did not respond to the attempt to bring up a run box and execute CMD.EXE. If you're lucky your problem may be similar. – AFH – 2014-08-16T21:29:30.593

@AFH yep, I thought of that. I do have VNC enabled on my Mac, but only with my password. Don't see how any party outside of my home network could have gotten my password. – baum – 2014-08-16T22:23:55.063
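The question reports that the server logs showed only XSS and phpMyAdmin attempts that were all 404'd. The following is an added example (not code from any poster in this thread) that checks that kind of claim mechanically over Apache-style access logs: it flags probe requests that were not answered with 404, and successful requests from IPs that also sent probes. The log format, the signature list and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe signatures of the kinds named in the question (phpMyAdmin scans, XSS strings),
# plus path traversal. This list is an assumption; extend it for your own site.
PROBE_RE = re.compile(r'phpmyadmin|/pma/|<script|onerror\s*=|javascript:|\.\./', re.I)

def triage(lines):
    """Return (answered, prober_followups).

    answered: probe requests the server did NOT reject with 404.
    prober_followups: non-probe requests that succeeded (2xx) from an IP
    that also sent probes, i.e. traffic worth reading by hand.
    """
    entries, probers = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        e = m.groupdict()
        # Decode twice so %253Cscript (double-encoded) is still recognised.
        e["probe"] = bool(PROBE_RE.search(unquote(unquote(e["path"]))))
        if e["probe"]:
            probers.add(e["ip"])
        entries.append(e)
    answered = [e for e in entries if e["probe"] and e["status"] != "404"]
    followups = [e for e in entries
                 if not e["probe"] and e["ip"] in probers and e["status"].startswith("2")]
    return answered, followups

# Constructed sample lines (documentation IP ranges), not taken from the poster's logs.
SAMPLE = [
    '198.51.100.7 - - [15/Aug/2014:21:02:11 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209',
    '198.51.100.7 - - [15/Aug/2014:21:02:12 -0400] "GET /index.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [15/Aug/2014:21:02:15 -0400] "POST /upload.php HTTP/1.1" 200 87',
    '203.0.113.9 - - [15/Aug/2014:21:05:40 -0400] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    answered, followups = triage(SAMPLE)
    for e in answered:
        print("probe answered:", e["ip"], e["status"], e["path"])
    for e in followups:
        print("prober follow-up:", e["ip"], e["method"], e["path"])
```

A probe that received 200 is not proof of compromise (the page may simply ignore the parameter), but it is the request to read first, together with anything the same address did afterwards.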

Answers

0

If the text that appeared on its own came right after the hostname in your address bar, an explanation for how this could be done is given here: https://stackoverflow.com/questions/4830361/how-can-i-write-something-in-browsers-address-bar-with-javascript-after-the-pag/4830402#4830402

That Stack Overflow question describes a method for modifying the text of the browser's address bar. If this is your situation, it's just a funny way to get your attention and does not mean that your computer has been affected.

Random typing by the way might also be caused by a certain type of light in your room that emits infrared light that is picked up by your infrared sensor and is then converted into typing. But your text clearly isn't random...(-;

heiglandreas

Posted 2014-08-15T23:44:12.470

Reputation: 1 153

OP, does this text replace the text in the address bar, or does the text appear after the domain for the site you were on? e.g.: superuser.com/ . Looking at the posts above the one linked here, it looks like this technique can only change text following the domain in the URL, and it would do so all in one motion, so it shouldn't have the delayed appearance for each character. But then again, maybe someone came up with a new lick of JS that managed to make Chrome break the rules for AJAX processing. – Frank Thomas – 2014-08-16T08:15:04.083

@FrankThomas if you can change the address bar text at once then creating typing effect is simple, you just have to repeat it adding a character each time. – gronostaj – 2014-08-16T08:19:44.023

Hmm, interesting idea. I will try to replicate it this afternoon; however, when it happened the address bar had focus and I was in the midst of typing (i.e. the URL was not visible). I think I may have been on a new tab, anyways. As far as browser-side is concerned, I was thinking more along the line of a content script. – baum – 2014-08-16T17:05:36.277