3 Replies Latest reply: Sep 26, 2007 3:23 AM by roam
BTMR2007 Level 1 (0 points)
I think my computer has been hacked into. One day last week, I was noticing it was sluggish. So, I attempted to restart it to clear out whatever processes might have been hung up. However, when I did so, the computer threw up a message asking if I really wanted to do that, since someone else was connected to it via Apple File Sharing (hence the sluggishness, I guess). No other computer in my place was even turned on. So, wondering if it was being hacked into, I changed passwords on the computer at that point and shut down any port mappings through the firewall (except for remote access).

This morning, I get a message on my browser from AT&T saying that I had too many simultaneous internet sessions open and they turned me off until I confirmed things were okay. I clicked okay and my main computer is up and running on the Internet. But, the others would not connect to the wireless network.

Since my other computers could not connect, I figured I must have changed the wireless password as well when the first instance occurred, above. So, I go in to see what the password was set to and it was some random 65-character string that did not match what I had set for my wireless password (it was much shorter and simpler). In fact, my wireless password on the Airport Extreme was still my old password. But, here's the strange thing, I was able to connect to the internet this whole time from the computer with this funky password. So, again, this is fueling my suspicions that I've been hacked.

My question is this: Is there any way to tell? I have been browsing log files, but I really don't know what I'm doing there. I did see some attempts to connect via FTP, but nothing that says a connection was made. Can I see who connected and when? Can I see what they were accessing, if someone indeed was hacked in?

Also, it appears from reading other posts that these log files clear out every so often. Is there a way to copy/save them so I can research this in the coming days? I'm afraid any evidence of this will disappear on me shortly.

Any help would really be appreciated.

Mac OS X (10.4.10)
  • roam Level 6 (13,555 points)
    Hi BTMR2007

    It may be that your wireless connection was being ridden by freeloaders, but your questions are too broad and cannot be answered in a couple of one-liners.
    You need to study the subject of internet security and how best you can protect and share your wireless network.
    Explore the issue of sharing services on your computer like Apple File Sharing, FTP and such and question what these services are for and whether you need to make them available.
    Avoid file sharing applications like LimeWire and Torrent.
    Keep your Security Updates up to date.
    Macs are quite secure under normal circumstances but you can consider extra security applications like Snort, Henwen, Little Snitch and Tripwire if you are concerned about network vulnerabilities, but these are not normally necessary if you are exercising some control over your Mac.
    Do a lot of reading first, and try to learn as much as possible, from other websites as well as this one.
    Then, with improved knowledge, your questions will be more focused and more easily answered.

    regards roam
  • BTMR2007 Level 1 (0 points)
    Thanks for your comments. I generally keep it quite secure. I did open it up for a short time to serve some e-mail accounts. But, shut that down when all this happened. I also do intend to become somewhat of an expert on this, and I have read a lot on many sites over the past few days before posting here. However nothing I could find answered my questions directly.

    As for the post being general, the first 3 paragraphs were to describe what happened. I just figured that the background might be helpful. The question(s) themselves were in the fourth paragraph. I guess I might have been vague. So, let me try to restate them again.

    My questions are as follows: (1) do the facts that I have relayed give a strong indication that my computer was hacked into or could they just be erroneous behavior? (2) How can I tell if someone has logged into my system (whether they hacked in or not); and (3) where can I find in the system when someone has logged in and for how long they were logged into my computer (again, whether they had permission or not)? Seems like the answer to both of these questions should be in a log file somewhere.

    A bonus would be if I could track where they were and what files they accessed, but I believe that is not possible under OS X, without some extra software that I did not have installed at the time.

    Thanks again. I appreciate any input here. It is unnerving to have someone access your computer without permission.
  • roam Level 6 (13,555 points)
    "So, I go in to see what the password was set to and it was some random 65-character string that did not match what I had set for my wireless password (it was much shorter and simpler)."

    You are looking at its encrypted form that bears no relation to its original length. Besides, if it was the same number of characters as the actual password it would make it easy to crack.

    "In fact, my wireless password on the Airport Extreme was still my old password."

    So it hasn't been changed.

    "Can I see who connected and when?"

    Have you looked in system.log in Console, found in Applications/Utilities? It would show if another user has logged in if: A) it was a normal login from another user's machine, and B) no effort was made to edit that log. Note that most shared services do not require logging in and so would not show in system.log.

    "Is there a way to copy/save them so I can research this in the coming days?"

    Any log in the Console app can be copied and saved for later.
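
The last reply points to system.log for logins and to saving logs before they rotate away. As an added example (not part of the thread or any poster's own code), this shell sketch copies a log folder with a checksum manifest and filters syslog lines by the service that wrote them; the process names, the constructed sample lines and the folder layout are assumptions.

```shell
#!/bin/sh
# Added example; not from the thread. Process names and sample lines are assumptions.

# preserve_logs SRC DEST: copy a log folder, rotated files included, into a
# timestamped folder under DEST and record a checksum manifest beside the copy.
# cksum is a CRC, so it only shows whether the copy changed after it was taken.
preserve_logs() {
    out="$2/logs-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$out" || return 1
    cp -Rp "$1"/. "$out"/ || return 1
    ( cd "$out" && find . -type f ! -name MANIFEST -exec cksum {} + | sort > MANIFEST ) || return 1
    echo "$out"
}

# verify_copy DIR: succeeds only while every copied file still matches MANIFEST.
verify_copy() {
    ( cd "$1" && find . -type f ! -name MANIFEST -exec cksum {} + | sort | cmp -s - MANIFEST )
}

# access_lines [FILE...]: print syslog lines written by services that accept
# logins (sshd, ftpd, AppleFileServer, login). Reads stdin when no file is given;
# decompress rotated .gz files first (gzip -cd file | access_lines).
access_lines() {
    awk '{
        proc = $5                      # e.g. "sshd[412]:"
        sub(/\[.*$/, "", proc)         # drop "[pid]:"
        sub(/:$/, "", proc)            # drop a bare trailing colon
        if (proc ~ /^(sshd|ftpd|AppleFileServer|login)$/) print
    }' "$@"
}

# sample_log: constructed lines in BSD syslog layout, for trying access_lines.
sample_log() {
    cat <<'EOF'
Sep 20 08:14:55 mac kernel[0]: constructed sample line
Sep 20 08:15:01 mac sshd[412]: Accepted password for bob from 192.0.2.10 port 50122 ssh2
Sep 20 08:16:40 mac ftpd[431]: connection from 192.0.2.77
Sep 20 08:20:02 mac cron[450]: constructed sample line
Sep  5 09:01:13 mac login[502]: constructed sample line
EOF
}

sample_log | access_lines
```

A filtered line only shows that a service wrote to the log; as the reply notes, services that need no login leave nothing there, and a log that was edited before the copy was taken will still verify against its manifest.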