Got a good fright this evening; desperately need help:
On my Mac (OSX Mavericks), I suddenly saw the following text typed into the Chrome address bar:
do you like me hey
It did not come in all at once, but character-by-character at a regular typing speed, as if someone had been on Screen Sharing (possibility) or had plugged in a second keyboard (conclusively ruled out).
I'm worried that my computer (or network) has been compromised: either over the internet, or by an internal program. No other text has been received, and I have not noticed any other strange behavior, so I have very little information to work with.
I do host a website on my Mac (just to use for simple html and php hosting); an attacker could have come in through there (but it seems unlikely). I've looked through my server logs and see only crawls by Google and Verisign, and various XSS/phpMyAdmin attempted attacks which had been (of course) 404'd. My bash history is also completely normal.
As a precaution I disconnected my home internet as soon as I saw the text; this is being posted via cell phone tethering.
I am at a complete loss as to how I should move forward from this point. However, I have considered the following three possibilities:
A virus was installed on my computer. Unlikely because I am very careful about what I install; also, why would someone engineer a virus to type that into a text field? A good virus would be silent, so as to not let the user know of its existence. Maybe a rogue Chrome extension? But I have only a few, well-known Chrome extensions that have never before given me trouble.
Someone took control of my computer from within my LAN. Unlikely because I am the "sysadmin" for my house; my family members neither have the privileges to remotely control my computer nor the know-how to do so. I do also have an unsecured network (Apple Airport), so someone could have connected. But I'm still not sure how they would have been able to control my computer. Also, they would need to be relatively close to my house; I don't know anyone who would do this.
Someone took control of my computer from outside. That is, through my website. Unlikely because the only port I forward to my computer is 80, so no SSH, etc. access from the outside. However, maybe someone found a way to send shell commands remotely through PHP? Unlikely, however, because the exec commands in my PHP code all use hard-coded strings.
This has mildly terrified me, and I need some guidance on how I might a) figure out how this occurred and/or b) prevent it from happening again.
- Is there a way I might look for a virus on my computer?
- I can post my website URL (and/or php source) if you would like to look at it.
- Should I contact my ISP?
- Is there any other place I might go for help?
Thank you very much.
So far all you know is that there seemed to be keyboard input coming from somewhere other than your keyboard. Lacking any other information you should consider wireless input methods such as Bluetooth as a possible source. – Kyle Jones – 2014-08-16T00:19:06.667
Definitely not; no wireless dongles connected and my only paired bluetooth device is my mouse. – baum – 2014-08-16T00:55:34.297
Take your LAN off the web until you've taken steps. You have clearly been compromised, and what you describe is an Advanced Persistent Threat scenario, so there are likely to be rootkits and raskits involved. It is VERY likely that attacks on the PHP app and server tier were the source. Note blocking ports does NOTHING to protect the app on that port, and that PHP has a long history of vulnerability to attacks that allow the running of arbitrary code. Either way, however, that's just the initial vector, and the attacker certainly installed software that allows them access. – Frank Thomas – 2014-08-16T03:25:13.743
When you can confirm an interactive attack, there is no good option but to go offline, back up your content, and nuke the install. Since you have a LAN, you may have compromises all over the house, so be sure to check all your systems. Rebuild your Mac from scratch, generating new passwords and crypto keys, and reviewing any config you are restoring. Do not put the PHP site back up (that needs to be on a server that has been stripped of everything except the services you need for the web app). Do not restore any executable code unless you can verify that it has not been modified. – Frank Thomas – 2014-08-16T03:33:42.817
Has the text appeared instead of entire URL or was some part of URL left untouched? Do you remember what site you were browsing when it happened? – gronostaj – 2014-08-16T08:21:17.123
I would guess that there are a few ways to do this using Javascript. And of course every page you reference anymore (including this one) downloads a ton of Javascript. Make sure you have your browser's web tools installed, and if it happens again immediately switch to the tools and see what Javascripts are present. – Daniel R Hicks – 2014-08-16T11:58:59.803
(And yes, there are probably a thousand ways to "look for a virus on my computer". Of course, about 900 of them are more likely to install a virus than find one, so be very careful.) – Daniel R Hicks – 2014-08-16T12:00:37.543
I had something similar on a Linux machine: bits of text appeared in whatever input box was active. It was directed at a windows machine, and was trying to run commands to go to a web-site, presumably to install something nasty. It turned out that I had foolishly forgotten to set the password when setting up remote access using VNC protocol and the open port had been spotted. Once I corrected this, there were no further problems: nothing had been compromised, because Linux did not respond to the attempt to bring up a run box and execute CMD.EXE. If you're lucky your problem may be similar. – AFH – 2014-08-16T21:29:30.593
@AFH yep, I thought of that. I do have VNC enabled on my Mac, but only with my password. Don't see how any party outside of my home network could have gotten my password. – baum – 2014-08-16T22:23:55.063
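The question's reasoning ("the only port I forward is 80, so no SSH, etc. access from the outside") and the VNC comments above both hinge on what is actually listening on the Mac, and the unsecured Airport network means anyone in radio range is on the LAN and sees every listener, forwarded or not. The script below is an added triage helper written for this thread; it is not code from the poster or any commenter. It assumes the listener list comes from `lsof -nP -iTCP -sTCP:LISTEN` on macOS, and the sample output it runs against is constructed here to mirror the thread (a web server on 80, Screen Sharing/VNC on 5900 held by launchd, a local-only database), not captured from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the original post or comments.
# Lists every listening TCP socket that is NOT on the allow-list of ports the
# owner intends to expose, and separately flags those bound to all interfaces
# ("*"), which every host on the LAN can reach regardless of router forwarding.

ALLOWED_PORTS="80"   # what the poster intends to expose: only the web server

unexpected_listeners() {
    # $1: file holding `lsof -nP -iTCP -sTCP:LISTEN` output (assumed format)
    # prints one line per unexpected listener: PORT COMMAND BIND_ADDRESS
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /\(LISTEN\)/ {
            # NAME field (second to last) looks like *:5900, 127.0.0.1:3306 or [::1]:631
            name = $(NF-1)
            port = name; sub(/.*:/, "", port)
            bind = name; sub(/:[^:]*$/, "", bind)
            if (!(port in ok)) print port, $1, bind
        }' "$1"
}

lan_exposed() {
    # only the unexpected listeners bound to every interface
    unexpected_listeners "$1" | awk '$3 == "*"'
}

# Constructed sample in lsof format (not real output from the poster's Mac).
# On the machine itself you would instead run:
#   lsof -nP -iTCP -sTCP:LISTEN > "$SAMPLE"
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
httpd       312 root    4u  IPv6 0xabc      0t0  TCP *:80 (LISTEN)
launchd       1 root   23u  IPv6 0xdef      0t0  TCP *:5900 (LISTEN)
mysqld      845 _mysql 10u  IPv4 0x123      0t0  TCP 127.0.0.1:3306 (LISTEN)
EOF

echo "Listeners outside the allow-list ($ALLOWED_PORTS):"
unexpected_listeners "$SAMPLE"
echo "Of those, reachable from the whole LAN:"
lan_exposed "$SAMPLE"
```

On the sample this reports port 3306 (harmless, loopback only) and port 5900 bound to `*`, which is exactly the Screen Sharing/VNC listener the later comments discuss: it is reachable by anyone on the unsecured Wi-Fi even though the router forwards only port 80. The allow-list and the lsof flags are the two assumptions to adjust for a different machine.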