
ARDAgent in Console and PrivateFrameworks in Terminal History - Hack?

567 Views, 5 Replies. Latest reply: Jan 3, 2013 7:10 AM by varjak paw

whbb
Dec 30, 2012 2:32 AM

Hi,

I'm posting in ARD because of what I found in Console; if I need to post some place else please let me know.

In Console I found this - does this mean I am being remote accessed?

Dec 30 00:18:27 administrators-computer-21 sudo: twoadmin : user NOT in sudoers ; TTY=ttyp1 ; PWD=/Users/twoadmin ; USER=root ; COMMAND=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -

Dec 30 00:18:33 administrators-computer-21 sudo: twoadmin : user NOT in sudoers ; TTY=ttyp1 ; PWD=/Users/twoadmin ; USER=root ; COMMAND=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -

When typing history in Terminal this came up - I did not type this:

/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/activateSettings; exit


Disk permissions brought up this:

Permissions differ on ./usr/standalone/i386/boot.efi, should be -r--r--r-- , they are -r-xr-xr-x

Owner and group corrected on ./usr/standalone/i386/boot.efi

Permissions corrected on ./usr/standalone/i386/boot.efi

The privileges have been verified or repaired on the selected volume

I made the mistake and connected with ethernet via a simple modem, will obviously be connecting soon via a locked down router.

If I have in fact been hacked, will a simple reinstall of the OS be enough? I am running MacScan but don't think this will help if someone has somehow gained root access.

Thanks.

Sean

MacBook, Mac OS X (10.4.11)
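The two sudo denials quoted in the post are the kind of entries worth triaging rather than eyeballing. As an added example that is not part of the original thread, the Python below parses syslog lines in that sudo format and flags (a) any denied attempt and (b) any command that reaches into RemoteManagement/ARDAgent or calls kickstart, i.e. anything that would change Apple Remote Desktop state. The sample lines are constructed, modelled on the ones above (the post's own lines are cut off after "-access", so the trailing flags here are constructed too).

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the syslog "sudo:" format quoted in the post; the
# flags after -access are constructed as well, since the post's lines were cut off there.
SAMPLE_LOG = """\
Dec 30 00:18:27 administrators-computer-21 sudo: twoadmin : user NOT in sudoers ; TTY=ttyp1 ; PWD=/Users/twoadmin ; USER=root ; COMMAND=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
Dec 30 00:18:33 administrators-computer-21 sudo: twoadmin : user NOT in sudoers ; TTY=ttyp1 ; PWD=/Users/twoadmin ; USER=root ; COMMAND=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
Dec 30 09:02:10 administrators-computer-21 sudo: sean : TTY=ttys000 ; PWD=/Users/sean ; USER=root ; COMMAND=/usr/sbin/lsof -i
Dec 30 09:05:44 administrators-computer-21 sudo: sean : TTY=ttys000 ; PWD=/Users/sean ; USER=root ; COMMAND=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on
"""

# One regex for both shapes of sudo line: "user : TTY=..." (allowed) and
# "user : user NOT in sudoers ; TTY=..." (denied, with the reason before TTY=).
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: (?P<user>\S+) : "
    r"(?:(?P<denial>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one sudo log line, or None if the line is not one."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["denied"] = ev["denial"] is not None
    # Anything under RemoteManagement/ or invoking kickstart changes ARD state.
    ev["remote_mgmt"] = "RemoteManagement/" in m["cmd"] or "/kickstart" in m["cmd"]
    return ev

def triage(log_text: str) -> List[Dict[str, object]]:
    """Keep only the events a reviewer should look at, each with a verdict attached."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        if ev["denied"] and ev["remote_mgmt"]:
            ev["verdict"] = "investigate: non-sudoer tried to reconfigure Remote Management as root"
        elif ev["denied"]:
            ev["verdict"] = "investigate: sudo denied"
        elif ev["remote_mgmt"]:
            ev["verdict"] = "review: Remote Management reconfigured with admin rights"
        else:
            continue  # ordinary admin activity such as lsof; not reported
        findings.append(ev)
    return findings
```

Run it over the real file with `triage(open("/var/log/system.log").read())`; a denied kickstart from an account that should not be running anything as root is the first thing to chase.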
  • varjak paw Level 10 Level 10 (167,195 points)

    It looks like someone at least tried to hack you, though if so it would seem that they didn't know what they were doing as the command would shut off connection via Apple Remote Desktop, not what I'd usually expect a hacker to want to do. Is "twoadmin" a user account you set up and use, and if so does it have administrator privileges? And who do you know that would know your user name and IP address, both of which someone would almost certainly have had to know?

    lsof is a command to list open files and processes. In the case of the specific command issued, someone appears to have been trying to find what IP ports and sockets were open on your system to try and gain access, or more access.

    Whether or not a hacker was able to successfully access your system I can't say without being able to do more analysis on your system. I would as a precaution suggest backing up your important documents, erasing the hard drive, and reinstalling your OS and applications and restoring your data. Just reinstalling the OS might not eliminate any hack, should one have been successfully accomplished. A complete erase and reinstall might not be necessary, but since you can't be sure, it's probably wise.

    Then make sure you don't turn on Remote Management, Remote Login, Screen Sharing or Remote Apple Events unless you really need those services. And keep your user account ID and password completely private.

    Regards.

  • varjak paw Level 10 Level 10 (167,195 points)

    If the computer is already hacked - would me getting a new router even help?

    That would almost certainly not be necessary. Just reset the router and make sure you have it well secured. Many people don't even realize that the router has a password, so make sure yours has been set up with a difficult-to-guess password; absolutely do not leave it on the default. And make sure that your router is up to date with its firmware.

    Is there a way to verify if someone right now is remotely accessing my system - either with terminal commands I could post here - or - not sure if this meets Apple policy - is there an expert I could contact off the forum?

    If you turn off all the remote access settings in the Sharing system preference, then the chance that someone is accessing your system right now will be small. But there's no way to be absolutely certain someone didn't install some hidden software that would allow access outside of all those settings, which is why I recommend erasing the system, just to be sure.

    now that someone knows my ip addy - how can I change it ?

    You would need to talk to your Internet provider about that. The router will pick up its external-facing IP address from the provider, so you'll need to work with them to change it.

    Macscan and ClamAVX did not show anything.

    That doesn't mean much. Those can only detect identified malware, not the activities of a hacker installing otherwise-legitimate software or making changes to settings.

    I have no idea how someone would know my ip addy - other than the fact I think my iphone is already hacked and someone looked at my last connections in Gmail and found my ip there?

    Your iPhone cannot be hacked unless you, or someone, jailbroke it. Nor would anyone be able to determine your computer's IP address from your iPhone, though they could get enough information to try and guess your router's address. As to how someone could have found your IP address I can't say with any certainty. It could have been a random scan, a "drive by" from someone snooping your router's WiFi (I presume, since you mention an iPhone, that it's a WiFi router), or someone you know who had access to your computer. Again, secure your router against WiFi snooping; you'll find numerous sites with information on securing WiFi routers if you search the web.

    I don't want to blame anyone you know, but that someone appears to have known your user ID makes me very suspicious that someone had physical access to your computer long enough to get the basic information from it. You'll probably need to be more careful of your system, particularly if you have workmen or other strangers in your house, logging it out (set the User Accounts preferences to require a name and password rather than presenting a list of users) or shutting it down in such cases.

    Regards.

    iMac, OS X Mountain Lion (10.8.2), Core i7 Radeon 4850 8GB
