My mother has a Mac Mini with Leopard installed. She mostly uses it to play pogo.com and load photos. She had been complaining that it would run fine for a while, then slow down to a crawl, and she would need to reset it. I chalked this up to bad Java programming on pogo; the thing has enough memory and CPU that it should be able to keep up with her computing demands.
However, today I was upgrading her to the beta of Safari, thinking that might help, when I noticed a folder in her home directory modified a week ago. It was an eggdrop bot. For those that don’t know, eggdrop is a program that logs into an IRC chat room and interacts with its owner. It’s also a quick and easy way to set up a botnet. I know that my mother didn’t install it, which raises the question of how it got there. Now, I did hop into the terminal and found that eggdrop was indeed running, doing whatever it was set to do. I killed the process and archived and deleted the folder. I went through the standard places where other Mac trojans have dumped their payload (/Library/StartupItems, etc.) but nothing turned up. In my mother’s account login items there was a missing Yahoo Messenger. Bingo! No Yahoo Messenger was actually installed in /Applications. Also, Textedit.app was in the startup items, which I disabled.
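The check done by hand above (StartupItems and login items) can be scripted. The following is an added example, not code from the post, that walks the launchd and StartupItems persistence directories a Leopard machine uses and flags any entry whose program is missing, lives under a home or temp directory, or was modified recently. The directory list, the 14-day window and the "suspicious prefix" list are assumptions chosen for illustration; the two plists it writes into a scratch folder are constructed sample data, with the eggdrop path made up to mirror the post.

```python
"""Added example (not from the original post): triage scan of macOS
persistence locations for launchd jobs or StartupItems that look planted."""
import os
import plistlib
import tempfile
import time

# Assumed locations: launchd job folders plus the legacy StartupItems folder.
DEFAULT_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/Library/StartupItems",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Assumed heuristic: a legitimate agent or daemon is not launched from here.
SUSPICIOUS_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")


def launchd_target(plist_path):
    """Return the program a launchd job runs (Program, else ProgramArguments[0])."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:  # unreadable or malformed plist is itself worth a look
        return None
    prog = job.get("Program")
    if not prog:
        args = job.get("ProgramArguments") or []
        prog = args[0] if args else None
    return prog


def reasons_for(target, mtime, now, recent_days):
    """List why an entry is suspicious; an empty list means nothing odd."""
    reasons = []
    if target is None:
        reasons.append("no program specified or unreadable plist")
    else:
        if not os.path.isabs(target):
            reasons.append("relative program path")
        elif not os.path.exists(target):
            reasons.append("program missing")  # e.g. an app that was never installed
        if target.startswith(SUSPICIOUS_PREFIXES):
            reasons.append("program under home or temp directory")
    if now - mtime < recent_days * 86400:
        reasons.append("modified within %d days" % recent_days)
    return reasons


def scan(dirs=None, recent_days=14, now=None):
    """Scan persistence dirs; return {entry_path: [reasons]} for flagged entries."""
    now = time.time() if now is None else now
    flagged = {}
    for d in dirs or DEFAULT_DIRS:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if os.path.isdir(path):
                # StartupItems layout: a folder holding an executable of the same name
                target = os.path.join(path, name)
            elif name.endswith(".plist"):
                target = launchd_target(path)
            else:
                continue
            reasons = reasons_for(target, os.stat(path).st_mtime, now, recent_days)
            if reasons:
                flagged[path] = reasons
    return flagged


def build_sample(root):
    """Write two constructed launchd jobs: one old and benign, one fresh and rogue."""
    os.makedirs(root, exist_ok=True)
    benign = os.path.join(root, "com.example.updater.plist")
    with open(benign, "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/bin/sh", "-c", "true"]}, fh)
    old = time.time() - 60 * 86400
    os.utime(benign, (old, old))  # age it so the recency check passes
    rogue = os.path.join(root, "com.example.chat.plist")
    with open(rogue, "wb") as fh:  # made-up path echoing the bot in the post
        plistlib.dump({"Label": "com.example.chat",
                       "ProgramArguments": ["/Users/mom/.eggdrop/eggdrop"]}, fh)


def demo():
    """Build the constructed sample in a scratch dir and scan it; returns (root, flagged)."""
    root = tempfile.mkdtemp(prefix="persist-")
    build_sample(root)
    return root, scan([root])


if __name__ == "__main__":
    for path, why in demo()[1].items():
        print(path, "->", ", ".join(why))
    for path, why in scan().items():  # the real directories on this machine
        print(path, "->", ", ".join(why))
```

Run it as the affected user and again with sudo so the system-wide folders are readable; anything flagged is a lead to inspect, not a verdict, and a clean scan does not rule out a login item or a modified application bundle, which this script does not cover.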
I have no idea at this point. The machine is behind a router with only ssh open for remote admin. I have moved ssh to a non-standard port. Passwords are pretty random and have been changed again. No other strange software seems to have been installed.
Anybody else gotten eggdropped on OSX?