Mac terminal found open with “man James” text. Have I been hacked?
I found a terminal window open with the below.
I ran /bin/bash -x and it looks like VMware was accessed and GPG tools.
It also added something suspicious to my login items... have I been hacked?! Also who is “James”
Here's the output of bash -x. I don't see how I could have done this accidentally:
Last login: Fri Dec 24 13:49:08 on ttys000
+ '[' -x /usr/libexec/path_helper ']'
++ /usr/libexec/path_helper -s
+ eval 'PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware' 'Fusion.app/Contents/Public:/usr/local/MacGPG2/bin";' export 'PATH;'
++ PATH='/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/usr/local/MacGPG2/bin'
++ export PATH
+ '[' /bin/bash '!=' no ']'
+ '[' -r /etc/bashrc ']'
+ . /etc/bashrc
++ '[' -z '\s-\v\$ ' ']'
++ PS1='\h:\W \u\$ '
++ shopt -s checkwinsize
++ '[' -r /etc/bashrc_Apple_Terminal ']'
++ . /etc/bashrc_Apple_Terminal
+++ '[' -z '' ']'
+++ PROMPT_COMMAND=update_terminal_cwd
+++ '[' 0 -eq 0 ']'
+++ '[' -n B3526B6E-3B69-45CD-8A59-121709AEFBEA ']'
+++ '[' '!' -e /Users/USER/.bash_sessions_disable ']'
+++ SHELL_SESSION_DID_INIT=1
+++ SHELL_SESSION_DIR=/Users/USER/.bash_sessions
+++ SHELL_SESSION_FILE=/Users/USER/.bash_sessions/B3526B6E-3B69-45CD-8A59-121709AEFBEA.session
+++ mkdir -m 700 -p /Users/USER/.bash_sessions
+++ '[' -r /Users/USER/.bash_sessions/B3526B6E-3B69-45CD-8A59-121709AEFBEA.session ']'
+++ '[' 1 -eq 1 ']'
+++ SHELL_SESSION_HISTFILE=/Users/USER/.bash_sessions/B3526B6E-3B69-45CD-8A59-121709AEFBEA.history
+++ SHELL_SESSION_HISTFILE_NEW=/Users/USER/.bash_sessions/B3526B6E-3B69-45CD-8A59-121709AEFBEA.historynew
+++ SHELL_SESSION_HISTFILE_SHARED=/Users/USER/.bash_history
+++ '[' -s /Users/USER/.bash_sessions/B3526B6E-3B69-45CD-8A59-121709AEFBEA.history ']'
+++ PROMPT_COMMAND='shell_session_history_check; update_terminal_cwd'
+++ SHELL_SESSION_TIMESTAMP_FILE=/Users/USER/.bash_sessions/_expiration_check_timestamp
+++ trap shell_session_update EXIT
The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.
++ shell_session_history_check
++ '[' 0 -eq 0 ']'
++ SHELL_SESSION_DID_HISTORY_CHECK=1
++ shell_session_history_allowed
++ '[' -n /Users/USER/.bash_history ']'
++ local allowed=0
++ shopt -q histappend
++ '[' -n '' ']'
++ allowed=1
++ '[' 1 -eq 1 ']'
++ return 0
++ shell_session_history_enable
++ umask 077
++ /usr/bin/touch /Users/USER/.bash_sessions/B3526B6E-3B69-45CD-8A59-121709AEFBEA.historynew
++ HISTFILE=/Users/USER/.bash_sessions/B3526B6E-3B69-45CD-8A59-121709AEFBEA.historynew
++ SHELL_SESSION_HISTORY=1
++ '[' 'shell_session_history_check; update_terminal_cwd' = shell_session_history_check ']'
++ [[ shell_session_history_check; update_terminal_cwd =~ (.*)(; *shell_session_history_check *| *shell_session_history_check *; *)(.*) ]]
++ PROMPT_COMMAND=update_terminal_cwd
++ update_terminal_cwd
++ local url_path=
++ local i ch hexch LC_CTYPE=C LC_COLLATE=C LC_ALL= LANG=
++ (( i = 0 ))
++ (( i < 19 ))
++ ch=/
++ [[ / =~ [/._~A-Za-z0-9-] ]]
++ url_path+=/
++ (( ++i ))
++ (( i < 19 ))
++ ch=U
++ [[ U =~ [/._~A-Za-z0-9-] ]]
++ url_path+=U
++ (( ++i ))
++ (( i < 19 ))
++ ch=s
++ [[ s =~ [/._~A-Za-z0-9-] ]]
++ url_path+=s
++ (( ++i ))
++ (( i < 19 ))
++ ch=e
++ [[ e =~ [/._~A-Za-z0-9-] ]]
++ url_path+=e
++ (( ++i ))
++ (( i < 19 ))
++ ch=r
++ [[ r =~ [/._~A-Za-z0-9-] ]]
++ url_path+=r
++ (( ++i ))
++ (( i < 19 ))
++ ch=s
++ [[ s =~ [/._~A-Za-z0-9-] ]]
++ url_path+=s
++ (( ++i ))
++ (( i < 19 ))
++ ch=/
++ [[ / =~ [/._~A-Za-z0-9-] ]]
++ url_path+=/
++ (( ++i ))
++ (( i < 19 ))
++ ch=t
++ [[ t =~ [/._~A-Za-z0-9-] ]]
++ url_path+=t
++ (( ++i ))
++ (( i < 19 ))
++ ch=r
++ [[ r =~ [/._~A-Za-z0-9-] ]]
++ url_path+=r
++ (( ++i ))
++ (( i < 19 ))
++ ch=a
++ [[ a =~ [/._~A-Za-z0-9-] ]]
++ url_path+=a
++ (( ++i ))
++ (( i < 19 ))
++ ch=v
++ [[ v =~ [/._~A-Za-z0-9-] ]]
++ url_path+=v
++ (( ++i ))
++ (( i < 19 ))
++ ch=i
++ [[ i =~ [/._~A-Za-z0-9-] ]]
++ url_path+=i
++ (( ++i ))
++ (( i < 19 ))
++ ch=s
++ [[ s =~ [/._~A-Za-z0-9-] ]]
++ url_path+=s
++ (( ++i ))
++ (( i < 19 ))
++ ch=d
++ [[ d =~ [/._~A-Za-z0-9-] ]]
++ url_path+=d
++ (( ++i ))
++ (( i < 19 ))
++ ch=a
++ [[ a =~ [/._~A-Za-z0-9-] ]]
++ url_path+=a
++ (( ++i ))
++ (( i < 19 ))
++ ch=r
++ [[ r =~ [/._~A-Za-z0-9-] ]]
++ url_path+=r
++ (( ++i ))
++ (( i < 19 ))
++ ch=g
++ [[ g =~ [/._~A-Za-z0-9-] ]]
++ url_path+=g
++ (( ++i ))
++ (( i < 19 ))
++ ch=i
++ [[ i =~ [/._~A-Za-z0-9-] ]]
++ url_path+=i
++ (( ++i ))
++ (( i < 19 ))
++ ch=e
++ [[ e =~ [/._~A-Za-z0-9-] ]]
++ url_path+=e
++ (( ++i ))
++ (( i < 19 ))
++ printf '\e]7;%s\a' file://USER-MacBook-Pro.local/Users/USER
USER-MacBook-Pro:~ USER$
Maybe you've been hacked, maybe you haven't. But the fact that you got a "man James" window open is a poor indicator of a hack, and it's far more likely that you accidentally triggered the opening of that window yourself.
Here's how it might have been triggered:
- Double-click the word "James" to select it in some application — for example, on this page in your web browser.
- Hit ⌘-⇧-M on your keyboard, which triggers the "Open man page in Terminal" service.
The telltale indicator that the "Open man page in Terminal" service was triggered is the fact that the window opened with a yellow background. If an attacker had opened that window in any other way, they would likely not have gone to the trouble to make it yellow.
Furthermore, the existence of a keyboard shortcut in the default configuration of macOS suggests that you may have triggered it accidentally yourself. To see where that keyboard shortcut is defined, go to “System Preferences → Keyboard → Shortcuts → Services.”
As for the bash -x output, it all looks very innocuous to me. Those are just the commands that get run automatically every time you launch a shell, usually silently, to compose the dynamic shell prompt. See /etc/bashrc on an installation of any recent version of macOS.
I doubt man James was run directly, i.e. by someone typing that in Terminal. The window in your screenshot shows the default theme for man page output.
There is a default text service provided by Terminal that opens a man page for the selected text. I believe the text ‘James’ was right-clicked and the service selected, or selected and the keyboard shortcut pressed.
All we can say is that something or someone on your Mac used Terminal to run man James.
- running
bash -xafterwards doesn‘t help, you may want to look at the bash history though - The Terminal output in the second screenshot shows how PATH gets defined (assume you have installed VMware and GPG)
- Toolbox Tool Launcher seems to be an entry for an application which isn‘t installed anymore (click on the yellow sign for details)
Also, the code you are showing as run is the usual code which gets executed when starting bash or zsh, see /etc/profile, /etc/bashrc and /etc/bashrc_Apple_Terminal.
You were not hacked.
Somehow a keyboard shortcut was accidentally triggered.
This is mentioned in 200_success’s answer, but I am posting my own answer to add more specific details and references.
There is a default/built-in keyboard shortcut called: “Open man Page in Terminal” that is triggered by highlighting text and hitting this combination of keys: ⇧ (Shift)+⌘ (Command)+M
I just did that while highlighting the name of my main system drive — “Primary” — and this is the output:
A few things to note about that terminal screenshot:
- The yellow is not the default Terminal color which is typically just a basic white background with black text.
- The title bar has the text,
man Primarywhich reflects that the command run via a script. Open up a Terminal window and the default text is basically[username] — -bash —80x24and even if you ranman Primaryon your own the title would not change to that.
Also, the output of the bash -x command simply shows the startup commands that are run when a terminal session — or SSH login session to your machine — when you open up a Terminal window. When you run bash -x it opens up Bash in tracing mode as explained here:
”Print a trace of simple commands, for commands, case commands, select commands, and arithmetic for commands and their arguments or associated word lists after they are expanded and before they are executed. The value of the PS4 variable is expanded and the resultant value is printed before the command and its expanded arguments.”
Which basically means it launches a Bash session in a verbose mode that shows you exactly what Bash is doing when it starts. For example, here is what the bash -x output looks like on my machine:
+ export PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
+ PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
+ export PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
+ PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
My Bash setup is fairly simple, but if you were to look into the .bash_history, .bash_profile and .bashrc files in your terminal you would see items that are the equivalent of your output in some way.