Dec 30, 2012 2:59 AM (in response to whbb)
I'm wondering what this means in addition to the others. Thank you for your help.
Dec 30 00:41:13 administrators-computer-21 sudo: twoadmin : user NOT in sudoers ; TTY=ttyp1 ; PWD=/Users/twoadmin ; USER=root ; COMMAND=/usr/sbin/lsof -i
Jan 2, 2013 9:12 AM (in response to whbb)
It looks like someone at least tried to hack you, though if so it would seem that they didn't know what they were doing as the command would shut off connection via Apple Remote Desktop, not what I'd usually expect a hacker to want to do. Is "twoadmin" a user account you set up and use, and if so does it have administrator privileges? And who do you know that would know your user name and IP address, both of which someone would almost certainly have had to know?
lsof is a command to list open files and processes. In the case of the specific command issued, someone appears to have been trying to find what IP ports and sockets were open on your system to try and gain access, or more access.
Whether or not a hacker was able to successfully access your system I can't say without being able to do more analysis on your system. I would as a precaution suggest backing up your important documents, erasing the hard drive, and reinstalling your OS and applications and restoring your data. Just reinstalling the OS might not eliminate any hack, should one have been successfully accomplished. A complete erase and reinstall might not be necessary, but since you can't be sure, it's probably wise.
Then make sure you don't turn on Remote Management, Remote Login, Screen Sharing or Remote Apple Events unless you really need those services. And keep your user account ID and password completely private.
Jan 2, 2013 7:43 PM (in response to varjak paw)
I truly appreciate your help and advice. I knew something was going on but needed someone who knows this stuff more than me to just verify it. It would take me days to just figure out what you just told me. Thanks.
Question - if the computer is already hacked - would me getting a new router even help? Would they then have access to all the new settings etc in the new router? Might be best to do erase install and then buy a new router - ? Can you please confirm how I should proceed. Thanks.
Question: Is there a way to verify if someone right now is remotely accessing my system - either with terminal commands I could post here - or - not sure if this meets Apple policy - is there an expert I could contact off the forum?
BTW - I'm seeing lots of hostname changes in console.
1. I created twoadmin. It does not have administrator privileges - it is a standard user account I created for more security.
2. I have no idea how someone would know my ip addy - other than the fact I think my iPhone is already hacked and someone looked at my last connections in Gmail and found my ip there? I think someone probably did some sort of scan (I know there is a command for it but I can't remember what it is now) of modems and routers in the area and found mine. Since it is a modem, it was easy to access. But no one knows my system account names. When I look at the very lame settings on the modem I see another connection to the modem: MAC=00:21:a0:fb:7e:b4. Most of it is my fault with just using a S#*(( modem. Anyone knows it has NO security, but all the stores were closed.
3. more items in console:
Dec 18 16:46:16 administrators-computer-21 sudo: twoadmin : TTY=ttyp1 ; PWD=/Users/twoadmin ; USER=root ; COMMAND=/sbin/ipfw list
Dec 18 16:46:55 administrators-computer-21 sudo: twoadmin : TTY=ttyp1 ; PWD=/Users/twoadmin ; USER=root ; COMMAND=/sbin/ipfw flush
4. So, now that someone knows my ip addy - how can I change it ?
5. BTW - Macscan and ClamAVX did not show anything.
Thanks for taking the time to help,
Jan 2, 2013 7:54 PM (in response to whbb)
After looking at this site it appears that a person has been trying to adjust my firewall settings?
Thank you; this, of course, is concerning.
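One way to triage console entries of the kind quoted in this thread, added here as an example and not something posted by any participant: it parses sudo's syslog format, flags the "user NOT in sudoers" denial, and flags firewall and socket-listing commands run as root. The sample log is constructed from the entries quoted above plus one routine entry for contrast, and the list of sensitive command prefixes is an assumption for this example, not a complete policy.

```python
from __future__ import annotations
import re

# Constructed sample log: the first three entries mirror the thread, the fourth is a routine,
# authorised sudo added for contrast.
SAMPLE_LOG = """\
Dec 18 16:46:16 administrators-computer-21 sudo: twoadmin : TTY=ttyp1 ; PWD=/Users/twoadmin ; USER=root ; COMMAND=/sbin/ipfw list
Dec 18 16:46:55 administrators-computer-21 sudo: twoadmin : TTY=ttyp1 ; PWD=/Users/twoadmin ; USER=root ; COMMAND=/sbin/ipfw flush
Dec 30 00:41:13 administrators-computer-21 sudo: twoadmin : user NOT in sudoers ; TTY=ttyp1 ; PWD=/Users/twoadmin ; USER=root ; COMMAND=/usr/sbin/lsof -i
Dec 30 00:42:02 administrators-computer-21 sudo: admin : TTY=ttys000 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/bin/softwareupdate -l
"""

# sudo's syslog layout: "<user> : [user NOT in sudoers ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo: +(?P<user>\S+) : "
    r"(?:(?P<denied>user NOT in sudoers) ; )?"
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Command prefixes that alter or probe firewall/network state (most specific first); an
# illustrative list assumed for this example, not a full policy.
SENSITIVE = [
    ("/sbin/ipfw flush", "FIREWALL: every ipfw rule removed"),
    ("/sbin/ipfw", "FIREWALL: ipfw rule set read or changed"),
    ("/usr/sbin/lsof -i", "RECON: open network sockets listed"),
]

def parse_line(line: str) -> dict | None:
    """Split one sudo syslog entry into fields; None for lines that are not sudo entries."""
    m = SUDO_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["denied"] = ev["denied"] is not None  # True when sudo refused the request
    return ev

def findings(ev: dict) -> list[str]:
    """Reasons this entry deserves a second look; an empty list means routine."""
    notes = []
    if ev["denied"]:
        # A non-admin account attempting root: an owner typo, or someone probing what the
        # account can do. Either way the owner should be able to explain it.
        notes.append(f"DENIED: '{ev['user']}' not in sudoers, attempted '{ev['cmd']}'")
    for prefix, reason in SENSITIVE:
        if ev["cmd"].startswith(prefix):
            notes.append(f"{reason} ('{ev['cmd']}' as {ev['target']} by '{ev['user']}')")
            break
    return notes

def triage(log_text: str) -> list[str]:
    """Return one report line per finding, in log order."""
    report = []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        report.extend(f"{ev['ts']} {note}" for note in findings(ev))
    return report
```

Running `triage(SAMPLE_LOG)` yields four findings: the two ipfw entries, and both a denial and a recon note for the lsof attempt; the softwareupdate entry produces none.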
Jan 3, 2013 7:10 AM (in response to whbb)
If the computer is already hacked - would me getting a new router even help?
That would almost certainly not be necessary. Just reset the router and make sure you have it well secured. Many people don't even realize that the router has a password, so make sure yours has been set up with a difficult-to-guess password; absolutely do not leave it on the default. And make sure that your router is up to date with its firmware.
Is there a way to verify if someone right now is remotely accessing my system - either with terminal commands I could post here - or - not sure if this meets Apple policy - is there an expert I could contact off the forum?
If you turn off all the remote access settings in the Sharing system preference, then the chance that someone is accessing your system right now will be small. But there's no way to be absolutely certain someone didn't install some hidden software that would allow access outside of all those settings, which is why I recommend erasing the system, just to be sure.
now that someone knows my ip addy - how can I change it ?
You would need to talk to your Internet provider about that. The router will pick up its external-facing IP address from the provider, so you'll need to work with them to change it.
Macscan and ClamAVX did not show anything.
That doesn't mean much. Those can only detect identified malware, not the activities of a hacker installing otherwise-legitimate software or making changes to settings.
I have no idea how someone would know my ip addy - other than the fact I think my iphone is already hacked and someone looked at my last connections in Gmail and found my ip there?
Your iPhone cannot be hacked unless you, or someone, jailbroke it. Nor would anyone be able to determine your computer's IP address from your iPhone, though they could get enough information to try and guess your router's address. As to how someone could have found your IP address I can't say with any certainty. It could have been a random scan, a "drive by" from someone snooping your router's WiFi (I presume, since you mention an iPhone, that it's a WiFi router), or someone you know who had access to your computer. Again, secure your router against WiFi snooping; you'll find numerous sites with information on securing WiFi routers if you search the web.
I don't want to blame anyone you know, but that someone appears to have known your user ID makes me very suspicious that someone had physical access to your computer long enough to get the basic information from it. You'll probably need to be more careful of your system, particularly if you have workmen or other strangers in your house, logging it out (set the User Accounts preferences to require a name and password rather than presenting a list of users) or shutting it down in such cases.
Regards.
iMac, OS X Mountain Lion (10.8.2), Core i7 Radeon 4850 8GB