Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: JiminSF
JiminSF Author
User level: Level 1
4 points

Have I been hacked?

Yesterday I rebooted my system and immediately after logging in to a non-admin account, I was prompted for admin credentials by the loginwindow app to make a change to system preferences. I am very suspicious because I had not yet launched any apps at all. I had installed a couple of apps before the last reboot (Flash and Adium), but it does not appear that either was adding anything to the system preferences, let alone anything that would change them after the reboot, does anyone have any ideas what would cause this other than a hack? I'm new to OS X and the message about loginwindow changing my preferences was totally uninformative about what the actual change was and I can't seem to find any info about how to track this down this anywhere.

iMac 27 i7, Mac OS X (10.6.2), 16GB/2TB Model

Posted on Nov 26, 2009 7:29 AM

Reply
Question marked as Best reply
User profile for user: etresoft
etresoft
User level: Level 8
46,672 points

Posted on Nov 26, 2009 7:41 AM

You haven't been hacked. Some programs prefer to install support files or login items in a user's account instead of in a system area. I think Adium does this. The only way to do this is to install the files when the application runs.
View in context
6 replies
User profile for user: JiminSF
JiminSF Author
User level: Level 1
4 points

Nov 26, 2009 7:46 AM in response to etresoft

Thanks for the help & attention! Adium did not appear to be running at the time though, and the account was the same one that I had been logged into when I installed it in the first place. (And I think I may actually been asked for admin login credentials at install time.) Also, Adium is not set up as a login item on the machine. Is there some way to tell what system preferences were altered? And why would the requesting app show up as loginwindow rather than Adium if Adium were making the changes? Would it have created a one time login item that then removed itself or something?
Reply
User profile for user: JiminSF
JiminSF Author
User level: Level 1
4 points

Nov 26, 2009 8:05 AM in response to etresoft

Yeah, I looked at them and found the following:

Nov 25 17:14:05 X-iMac com.apple.SecurityServer25: UID 503 authenticated as user XXX (UID 501) for right 'system.preferences'
Nov 25 17:14:05 X-iMac com.apple.SecurityServer25: Succeeded authorizing right 'system.preferences' by client '/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/ SCHelper' for authorization created by '/System/Library/CoreServices/loginwindow.app'

Unfortunately it doesn't tell me what preference change was actually being made or why - is there a an audit trail or log for what changes SCHelper is making somewhere?
Reply
User profile for user: JiminSF
JiminSF Author
User level: Level 1
4 points

Nov 26, 2009 10:01 AM in response to JiminSF

Other thoughts - I also disconnected a USB drive just before this. Could that cause this? I also, strangely, had an odd experience during boot that I think was just before this (though it could also have been afterward) in which my Bluetooth Magic Mouse and Keyboard were not detected when first booting. It took a minute during load for the system to find them, one after the other, before boot proceeded. Would either of these involve login items or loginwindow scripts that would involve the loginwindow app changing system preferences?
Reply

Have I been hacked?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up