Terminal Window Left Open when I logged in and I found this...

It appears like someone or something may have broken into my computer, I logged into my Mac Pro running.. Mojave and found this in my Terminal Window. Can someone tell me if I am hacked.....






Mac Pro

Posted on Dec 30, 2019 8:28 PM


Dec 31, 2019 7:45 AM in response to kenecb

kenecb wrote:

It appears like someone or something may have broken into my computer, I logged into my Mac Pro running.. Mojave and found this in my Terminal Window. Can someone tell me if I am hacked.....


<Here is what I found.log>


Is this your personal machine or an enterprise-managed machine?


Have you had any service recently, such as screen sharing?


You can get a good look at your system config for conflicts or issues; you can run this utility: http://etrecheck.com

If you need help interpreting the report you can post it here in its entirety in the "Additional Text" box in the editing toolbar below, in your reply.



You can set its preference to "Allow full Disk Access", with this you get a digest of issues from the last 7 days that are saved in your system.




I see SIP is disabled. At the least I would reset this, from Terminal:

csrutil status


Rather than booting into Recovery Mode again to turn SIP back on, you can just run the command, copy and paste:


 csrutil clear


and SIP will be reset to enabled.




Are you admin on this computer? You can see from Terminal to get a sense:

dscacheutil -q group -a name admin

Dec 31, 2019 5:17 AM in response to kenecb

I looked quickly at the Terminal capture and yes, this is not normal.


Kickstart is the command line interface for Apple Remote Desktop.


It is going to be difficult to do a deep analysis of what happened through this forum.


My suggestion: Ask for help from someone with technical knowledge or contact Apple Support.


Do not hesitate if you need more help,


WD

Dec 31, 2019 8:58 AM in response to kenecb

kenecb wrote:

I only use the Mac for design mostly. What do the command lines mean at the end? I did not do any of these lines.




Enterprise machine or personal computer?


Did you buy this computer new or used?


Any screen sharing / tech support from anywhere?


Do you ever use the terminal?



Curious like an old ghost?


That log in shows:

Last login: Fri Mar 1 21:52:56 on console


then restored next:

[Restored Dec 30, 2019 at 10:15:29 PM]

Last login: Sun Dec 29 11:56:19 on console




From the reference above, you can verify yourself in System Preferences > Sharing


For increased security in macOS 10.14 and later, Screen Sharing gives you view-only access when you use the kickstart command-line tool to enable Remote Management on a Mac. If you want to both view and control the remote Mac with Screen Sharing, open System Preferences on the target Mac, click Sharing, then select the Remote Management checkbox. If Remote Management is already selected, deselect it and select it again.

Dec 31, 2019 8:18 AM in response to kenecb

You can get a better look at the dialog—



The help command was issued on the 1st line, and a long trailing help follows:


Kens-Mac-Pro:~ Kenc$ sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help


<truncated>


Drop to the bottom and a few commands were issued:


WARNING

This script can be used to grant very permissive incoming access

permissions. Do not use the -activate and -configure features unless

you know exactly what you&#39;re doing.


Kens-Mac-Pro:~ Kenc$ sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

Starting...

Done.


Kens-Mac-Pro:~ Kenc$ sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off

Starting...

Removed preference to start ARD after reboot.

Kenc: Set user remote access.

Done.


Kens-Mac-Pro:~ Kenc$ csrutil status

System Integrity Protection status: disabled.


Kens-Mac-Pro:~ Kenc$

[Restored]

Last login: Fri Mar 1 21:52:56 on console

Mac-Pro:~ Kenc$ csrutil status

System Integrity Protection status: disabled.


Mac-Pro:~ Kenc$

[Restored Dec 30, 2019 at 10:15:29 PM]

Last login: Sun Dec 29 11:56:19 on console


Kens-Mac-Pro:~ Kenc$
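
The walk-through in the reply above, as an added example that is not part of any post in this thread: a small shell triage that pulls the typed kickstart commands and the reported SIP status out of a saved Terminal transcript and labels each command by whether it opens or closes remote access. It assumes a bash prompt ending in "$ "; the function names and the sample transcript are constructed for illustration, and `-access -on` is a kickstart option that does not appear in the capture.

```shell
#!/bin/sh
# Triage a saved Terminal transcript: which kickstart commands were typed,
# and what did csrutil report? Reads the transcript on stdin.

KS=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

# Label one kickstart argument string by its effect on remote access.
classify_kickstart() {
  case " $1 " in
    *" -activate "*|*" -access -on "*)    echo "ACCESS-ON"  ;;  # opens access
    *" -deactivate "*|*" -access -off "*) echo "access-off" ;;  # closes access
    *" -help "*)                          echo "help"       ;;
    *" -restart "*)                       echo "restart"    ;;
    *)                                    echo "review"     ;;
  esac
}

# Only lines that carry a shell prompt ("$ ") count as typed commands, so
# command examples printed inside help output are not reported.
triage() {
  while IFS= read -r line; do
    case "$line" in
      *'$ '*'/kickstart '*)
        args=${line#*/kickstart }
        printf '%s\t%s\n' "$(classify_kickstart "$args")" "$args" ;;
      'System Integrity Protection status: '*)
        printf 'SIP\t%s\n' "${line#System Integrity Protection status: }" ;;
    esac
  done
}

# Constructed sample, modelled on the capture in this thread. The indented
# line is a made-up stand-in for an example inside help output.
sample_transcript() {
  cat <<EOF
Kens-Mac-Pro:~ Kenc$ sudo $KS -help
    sudo $KS -activate -configure -access -on
Kens-Mac-Pro:~ Kenc$ sudo $KS -restart -agent
Starting...
Done.
Kens-Mac-Pro:~ Kenc$ sudo $KS -deactivate -configure -access -off
Removed preference to start ARD after reboot.
Kens-Mac-Pro:~ Kenc$ csrutil status
System Integrity Protection status: disabled.
EOF
}

sample_transcript | triage
```

To run it over a real capture, replace the last line with `triage < saved-transcript.txt` (a placeholder file name).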
