!cultOfApple
Level 1 (4 points)
Mac OS X

Q: Hacked or SOP

We have 2 MBPs, an iMac and a Mac Mini, each running Mac OS 10.11.6.

 

Each one of these has file vault turned on, firewall turned on and an Admin account setup that can't unlock the computer after booting and a single standard user that can - and we log in using this standard user account - using the Admin account only when needed. Guest User and Back To Mac is turned off on all and Find My Mac is turned on all.

 

Recently I noticed that on exactly the one MBP, at pre-boot logon, the option to login as a Guest User is available and choosing that option fires up Safari and WiFi is automatically turned on to connect to any available network.

 

We DO NOT want this option to appear on this computer, just as it doesn't on any of the others.

 

Googling would lead you to believe that this is a "security" feature to allow the novice thief to logon and allow Find My Mac to triangulate - and that disabling Find My Mac should eliminate this as a logon option. Also, toggling the Logon Options "Display login window as" and/or "Show fast user switching menu as" will prevent this Guest User option from appearing.

 

None of these are successful at disabling the Guest User option on the computer that it is showing up on. AND if this option is a "security" feature then why is it not showing up on the 3 other machines ?

 

Please help - have we been hacked - what is going on ? Do we need to reinstall from Time Machine (and re-encrypt the drives) - and will that actually get rid of the Guest Login (or enable it on all) - just need some consistency.

MacBook Pro with Retina display, OS X El Capitan (10.11.6)

Posted on Aug 3, 2016 5:21 PM

by !cultOfApple,Solvedanswer
!cultOfApple !cultOfApple
Level 1 (4 points)
Mac OS X
A:

Ok, the following steps seemed to have fixed the issue.

 

Toggling the "Allow guest user.." didn't do the trick (it was already disabled to begin with):

Screen Shot 2016-08-06 at 11.20.16 AM.png

 

Installing MalwareBytes Anti-malware and running its Scan found nothing - it was incredibly fast though, 10/15 seconds for a drive that is 512GB! - in fact uninstalling this software was a tad cumbersome (the uninstall option in the Help menu did put stuff in the Trash but on each reboot the software was still available - manually deleting it from the Applications directory removed it - hopefully it didn't leave any stragglers).

 

So here is what worked:

  1. Created a new Admin user
  2. Enabled Guest User access
  3. Shut down the mac
  4. Restarted and Guest User was no longer an option (which was weird since I had enabled it this time)
  5. Logged in as the standard user and removed the newly created Admin user from System Preferences
  6. Shut down the mac and on restart the Guest User option still didn't show back up

 

Not sure why this process worked - seems kind of hokey - but maybe something glitched in the plists or some random setting/preference and creating a new account cleared that out...

Posted on Aug 6, 2016 9:38 AM

Close
!cultOfApple

Q: Hacked or SOP

  • All replies
  • Helpful answers

  • by leroydouglas,Apple recommended

    leroydouglas leroydouglas Aug 3, 2016 6:03 PM in response to !cultOfApple
    Level 7 (22,920 points)
    Notebooks
    Aug 3, 2016 6:03 PM in response to !cultOfApple

    This might have something to do with iCloud sign on

     

    Use FileVault to encrypt the startup disk on your Mac - Apple Support

  • by William Kucharski,Apple recommended

    William Kucharski William Kucharski Aug 4, 2016 1:15 AM in response to !cultOfApple
    Level 6 (15,068 points)
    Mac OS X
    Aug 4, 2016 1:15 AM in response to !cultOfApple

    You have not been hacked.

     

    Simply go to System Preferences -> Users & Groups and click the lock icon. Authorize yourself as the admin user, click on the Guest User and deselect the box marked "Allow guests to log in to this computer."

     

    Screen Shot 2016-08-04 at 2.12.53 AM.png

    Enable the guest user access to shared folders as you desire for your particular machines.

  • by etresoft,

    etresoft etresoft Aug 4, 2016 7:04 AM in response to !cultOfApple
    Level 7 (29,081 points)
    Aug 4, 2016 7:04 AM in response to !cultOfApple

    Hello !cultOfApple,

    This could be a symptom of malware. Download and run MalwareBytes for Mac on the problem machine (https://www.malwarebytes.com/antimalware/mac/) and reply back regarding what it found.

  • by !cultOfApple,Solvedanswer

    !cultOfApple !cultOfApple Aug 6, 2016 9:38 AM in response to !cultOfApple
    Level 1 (4 points)
    Mac OS X
    Aug 6, 2016 9:38 AM in response to !cultOfApple

    Ok, the following steps seemed to have fixed the issue.

     

    Toggling the "Allow guest user.." didn't do the trick (it was already disabled to begin with):

    Screen Shot 2016-08-06 at 11.20.16 AM.png

     

    Installing MalwareBytes Anti-malware and running its Scan found nothing - it was incredibly fast though, 10/15 seconds for a drive that is 512GB! - in fact uninstalling this software was a tad cumbersome (the uninstall option in the Help menu did put stuff in the Trash but on each reboot the software was still available - manually deleting it from the Applications directory removed it - hopefully it didn't leave any stragglers).

     

    So here is what worked:

    1. Created a new Admin user
    2. Enabled Guest User access
    3. Shut down the mac
    4. Restarted and Guest User was no longer an option (which was weird since I had enabled it this time)
    5. Logged in as the standard user and removed the newly created Admin user from System Preferences
    6. Shut down the mac and on restart the Guest User option still didn't show back up

     

    Not sure why this process worked - seems kind of hokey - but maybe something glitched in the plists or some random setting/preference and creating a new account cleared that out...