Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
I was hoping somebody else would jump in here with an idea where to look for this script.
Here's an idea. I don't know how well it might work, and I don't have time to explore it or implement it right now.

The basic idea is simple: change the setting in Terminal to run a custom shell as a "trap".

The setting itself is under Terminal's General pane, "Shells open with". See post #18, 2nd screenshot.

The hard part is that the trap being run isn't an actual shell, it's a shell script that collects some diagnostic info. Assuming the OP doesn't ever actually use Terminal, he can set it up, collect the info when the unwanted script runs, and post the results. Then he can go back to using the default login shell simply by changing the Terminal preference.

The contents of the shell script can be any sequence of shell commands. Or really, it could be any executable script, such as a Python script that starts with "#!/usr/bin/python". The diagnostic code might change over time, if one attempt doesn't show anything useful.

This "trap" script writes its data to a text file in the user's home dir. It can append or overwrite.

It could also trigger some audible indicator, such as the 'say' command, so the user knows it just ran.


My first thought was to echo the "$@" args, but I doubt that's going to show anything. It might, so it's worth trying as a first attempt, just to make sure the diagnostic info can be captured.

I notice the title bar of the Terminal window in post #1 contains an actual command-line, rather than the name of a shell (contrast with post #18). It's a syntactically defective command-line, which is one reason it fails. Those familiar with the 'chmod' cmd should easily be able to spot the defect.

Anyway, the appearance of the title bar may mean that Terminal is being sent commands using AppleScript, in a form like this:
Code:
tell application "Terminal" to do script "chmod +x/Fails_here; exit"
The appearance of the command in the title bar is controlled by one of the Terminal window configuration options. I don't recall where it is, but it's under Preferences.

I also note that whoever wrote this, and wherever it comes from, is unaware of the AppleScript 'do shell script' command. That scripting command wouldn't open a Terminal window at all.


My second thought was to capture a list of all the processes running at the time the script is run.

The 'ps' command will do this, and there are plenty of options to control what data it captures. It should include all processes on the system, not just the user processes. It should also capture full command-line, not short process name. Also capture pid and parent pid (PPID), so one can see who runs whom. I suspect parentage won't reveal much, but better to have it than not.

The 'ps' output might show something obvious, but it's more likely it will have to be compared to the list of processes when the unwanted script isn't running.

However, even a process list might not show anything. There could easily be a daemon process just idling and occasionally telling Terminal to run a borked 'chmod' command. If that process is always running, than it'll show up in both process-list captures, and looking for diffs won't reveal anything.


So that's an outline of the basic idea, and a couple simple examples of what might be captured. Someone with shell-scripting skills could likely bang this out and test it in a couple hours, and probably much less to tell whether it would even work as a "trap" to capture Terminal windows opening.

I hope that's of some use. I have to get back to work.
 
  • Like
Reactions: Weaselboy
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.