Do I have spyware?

Hey, I followed some terminal commands because my MacBook has acted weird. I can't find the "KeyboardServices" folder or the "LanguageModeling" folder. I've censored my name by the way :) What do you think?



MacBook Pro 13”, macOS 10.14

Posted on Apr 12, 2020 8:36 AM

Question marked as Top-ranking reply

Posted on Apr 13, 2020 10:16 AM

bash-3.2# dscl . list /Users | grep -v '^_'

...
hiddenuser
...


Is hiddenuser in fact hidden in System Preferences > Users & Groups? Names themselves don't mean anything, but if hiddenuser does not appear in Users & Groups it's more than suspicious.


daemon
nobody
root


... are present by default. Nothing other than those and authorized User Accounts should appear. I am assuming you substituted myusername for your actual user name, whatever that is. Don't reveal it here.


I can't reveal personal details, but there is a fair chance someone has done a thorough job to access my data.


If that's the case then your data are in the wind and there's no undoing that fact. There is no point in continuing to use that Mac, including using it to find out who's accessing it. Turn it off, unplug it, etc. Do not use it. Place it in the hands of an expert.


Having said that, whatever means someone used to access it (and in all likelihood, everything else you use) is another story altogether. Unless and until that breach is determined and rectified the problem is likely to occur again, even if you were to completely erase and reconfigure that Mac.


MrHoffman wrote:
Change all passwords, change the passwords in the password-recovery paths, social media passwords, check your trusted telephone numbers, revoke any unrecognized app approvals, enable two-factor authentication, etc.

Check the other devices and the other connected hardware on your desk and on your local network for compromises, particularly your router and your network-connected printers, and upgrade all of that to current firmware, and seriously consider resetting and reconfiguring the router.


👍


And don't use that Mac to do that.
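
The account check described in the reply above, as an added example that is not part of the original thread: it filters a `dscl . list /Users UniqueID` listing (the same listing with a UID column) down to accounts that are neither `_`-prefixed service accounts, nor `daemon`/`nobody`/`root`, nor names you pass in as authorized. The function name, the sample listing and its UIDs are constructed for illustration.

```shell
#!/bin/bash
# Added example: list local accounts that need a second look.
# Usage on a Mac: bash audit_users.sh <authorized short names...>

# Accounts the reply says are present by default.
DEFAULT_ACCOUNTS="daemon nobody root"

# Reads "name uid" lines on stdin; arguments are authorized short names.
# Prints "name<TAB>uid" for every account that is not expected.
unexpected_accounts() {
    local authorized=" $DEFAULT_ACCOUNTS $* "
    local name uid
    while read -r name uid; do
        [ -z "$name" ] && continue
        # Same filter as grep -v '^_': skip system service accounts.
        case "$name" in _*) continue ;; esac
        # Skip default accounts and the names passed as authorized.
        case "$authorized" in *" $name "*) continue ;; esac
        printf '%s\t%s\n' "$name" "${uid:-?}"
    done
}

# Constructed sample listing, used when dscl is not available.
SAMPLE_LISTING='_www                    70
daemon                  1
hiddenuser              401
myusername              501
nobody                  -2
root                    0'

if command -v dscl >/dev/null 2>&1; then
    # Live check: anything printed should be compared by hand with
    # System Preferences > Users & Groups.
    dscl . list /Users UniqueID | unexpected_accounts "$@"
else
    printf '%s\n' "$SAMPLE_LISTING" | unexpected_accounts myusername
fi
```

An empty result means every listed account is a default or one you named; any line printed is an account to look for in Users & Groups.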

20 replies

Apr 13, 2020 8:25 AM in response to MrHoffman

Wireshark? Yes. Remote desktop? Not a chance.


I can't reveal personal details, but there is a fair chance someone has done a thorough job to access my data. I've used Apple products for 10 years, and never suspected anything. It all started with the router acting weird, so I took a look at the maintenance log. Someone had disabled the firewall, initiated channel hopping and deleted all filters for allowed MAC addresses.


I created a password-protected folder to gather all the proof of compromise. After a couple of weeks I lost access to the folder because "you don’t have the necessary permission." I've also changed passwords everywhere, factory reset all my devices, enabled two-factor, and so on.


Here are some examples that make me suspect compromise:


  1. When I look up the marked out usernames, it gives me less than 200 results on Google. In other words probably not validated by Apple: Link.
  2. When typing 'sudo -l' this is the result: Link.
  3. There is apparently a hidden user?: Link.
  4. This is the plist file in the Screensharing folder: Link.



