SOLVED I was tricked into running some commands and now I can’t get past my password screen

[inneedofsomehelp]

Earlier today I was tricked into running some commands. My friend’s discord (an app similar to Skype that lets people talk to each other via voice and instant message) account was hacked and someone sent messages as him telling me to run some commands. Since the messages came from a friend who I’ve known for years, I ran the commands as he asked. The commands were

“Sudo rm -r /“

I now know that this recursively deletes all your files, but I have some hope as all I was met with was a string of “permission denied” errors, and I terminated the process rather quickly after that.

Next, he had me run

“Perl -e “fork while fork”

This is a classic fork bomb, a script that exponentially creates new files until no more memory is left and the computer crashes.

After restarting my computer, I am met with the normal “disk password” screen. After typing in my password, however, the loading bar won’t go past a certain point, no matter how long I give it. Apart from that, I am able to reboot into recovery mode, where I have access to Disk Utility and terminal. Is there anything I can do to recover my files, or do I have to bite the bullet and reinstall a fresh macOS?

 

[Cory Cooper]

Hello and welcome.

I am sorry you were duped into this, which is becoming increasingly more prevalent these days.

Since your Mac does startup and get to the login screen, it seems as if not all files were deleted. There isn't an easy way to know how far it progressed, or which file it did successfully delete. If the commands were executed close together, the perl script may have filled the drive before the deletion completed. It obviously did some damage, due to the issue you are having. It is good that you can still enter the password. The progress bar issue can happen when the disk is too full to have enough free space for OS X to operate its virtual memory in.

Before going any further, did you have any form of Time Machine or other backup of your data?

C

 

[inneedofsomehelp]

Hello and welcome.

I am sorry you were duped into this, which is becoming increasingly more prevalent these days.

Since your Mac does startup and get to the login screen, it seems as if not all files were deleted. There isn't an easy way to know how far it progressed, or which file it did successfully delete. If the commands were executed close together, the perl script may have filled the drive before the deletion completed. It obviously did some damage, due to the issue you are having. It is good that you can still enter the password. The progress bar issue can happen when the disk is too full to have enough free space for OS X to operate its virtual memory in.

Before going any further, did you have any form of Time Machine or other backup of your data?

C

I’ve got a flash drive with my photos and some files from work. The majority of my important files are stored on google drive, so I could easily back those up. I believe I might have a time machine backup from ~1 year ago but I’m not sure and I don’t know how to check.

Some additional information that might be helpful in diagnosing the problem:

When the loading bar gets stuck, a spinning loading circle (see attached) appears. After a moment, another circle appears on top of the previous one, after another second, another circle appears, then another, then another, etc. Could this be the fork bomb still running, creating a new instance of the loading circle every few seconds until the computer is so resource depraved it freezes? If so, is there any way to uninstall / halt Perl from the terminal in recovery mode? Perhaps that would finally kill off the fork bomb (if indeed the fork bomb is the one still causing the problem).

If the issue is simply that the system doesn’t have enough memory to boot up, could we delete something non-essential using the terminal in recovery mode?

Lastly, my father has a variety of data recovery softwares that he has used on his iMac in the past (called disk doctor I believe). Would any of those be potentially helpful for my situation?

Thanks for the help so far.

Attached:

 

[inneedofsomehelp]

Not sure what the rule here is on double posting but since I haven’t gotten a reply yet I figured I’d add this bit. My friend told me that if the fork bomb still running is the issue at hand, I should try running

“killall -STOP -u username”
“killall -KILL -u username”
Username being my username

Would this work? Would it hurt to try? Also, how do I figure out what my username is?

 

[Cory Cooper]

Sorry...got distracted with some personal issues. I will give you more information tomorrow.

Hang in there,

C

 

[Lufbrarunner]

To find your username open a terminal window type users hit return.

 

[Cory Cooper]

Hello again,

You're not double posting, since you are continuing your original thread.

Not sure what those commands would do, since the issue has more to do with a corrupted/incomplete OS due to the previous commands.

Disk Doctor and the like may help, unless the files have been overwritten. Frankly, most data recovery software applications don't recover as much as they are intended to.

If you can startup from the recovery partition, you can see how much free space is left. If you have an external drive wiht OS X/macOS installed, you could use it to startup from and then be able to diagnose the issue that way.

So far, it seems the best option may be to perform an erase and install, to ensure the system is clean. If you don't need any of the files, that would be the way to go. NOTE: you would lose any files you don't have backed up somewhere else, as well as any software that you don't have to reinstall.

We'll keep at it,

C

 

[Peter Aretin]

Do you have Disk Warrior? If your files are still recoverable, running it from another volume might get them back.

 

[inneedofsomehelp]

Solved it.
Here’s how:

1. Put afflicted mac into target disk mode by restarting and holding “t”
2. Connect afflicted Mac to a working Mac via a thunderbolt / FireWire cable
3. The afflicted Mac now shows up as an external hard drive on he working Mac
4. Connect a separate external drive to the working Mac (at this point both the external drive and the afflicted Mac are connected to the working Mac)
5. Erase the external hard drive
6. Clone the afflicted hard drive onto the external hard drive
7. Unplug both the afflicted Mac and the external Hard drive from the working Mac
8. Restart the afflicted Mac into recovery mode by holding down command+”r”
9. Use disk Utility to erase the hard dive completely (remember a clone of the afflicted hard drive still exists on the external hard drive from before)
10. Reinstall a clean version of MacOs through recovery mode
11. Connect the external hard drive to the afflicted computer
12. Use “migration assistant to transfer the files over to the afflicted Mac. Migration assistant won’t bring over the corrupted operating system, only your files.
13. Congratulations, you’ve successfully replaced your operating system without jeopardizing your files.

This took me a few weeks to figure out so please share this solution if anyone ever runs into the same issues I had.