My MacBook Air Has Been Hacked

Hi Respected Sir / Madam


I have lots of unresolved issues on my MacBook Air, which I have shared in the Apple Support Community under the name kbnikhil, as shown in the screenshots below.




As I could see, macOS was getting heavily unstable and not working for me.


I even had macOS Catalina reinstalled by the Apple Authorised Service Centre Imagine Store in Bangalore, India, in the month of April 2022.


Even then, frequent crashes were seen in applications like text editors and FaceTime, and high encryption was seen on iMessages. I have been reporting this for almost a year now and it is not getting resolved. Antivirus programs are not revealing any malware, virus, spyware, bloatware, etc.

But the operating system gets updated regularly.


Then I recently came across the website below, which suggests there may be hacking going on on my macOS Catalina.


https://macmyths.com/how-to-tell-if-someone-is-remotely-accessing-your-mac/


I followed all their steps, as follows.


In System Preferences, in the Sharing folder, I did not find Screen Sharing enabled, so I went on to the next steps as follows.


Verify If New User Accounts Have Been Added


The following command was executed in Terminal:


dscl . list /Users | grep -v '^_'


Output of the command as follows:


daemon

MyUserAccount

nobody

root


It Looks Normal


Check Which Programs Have Access To Camera And Mic


The following command was executed in Terminal:


lsof | grep -i "AppleCamera"


No output


Logs from /var/logs


Check The Logs For Possible Access Issues

found some things





WebKit Used to sharing was having to see getting sigkill,


Also, FsckAps logs are showing many disks present



also Failed iBooks Application



Also Failed Photos Application



And Other Applications


Also found Some BloatWare like Studentd Application



After all the above and many reinstalls, I am still facing lots and lots of application failures, overheating, network issues, Apple Store issues and many more.


So, as per the

Al "MacMyths Author"

Hi, I am Al. I've been working with computers for more than 20 years and I am passionate about Apple products.


Is my MacBook's macOS Catalina hacked? If yes, how can I tell, and how do I get rid of these hackers from my system?


Eagerly waiting for some answer or some solution


Thank you for listening; hopefully I will get a faster solution to it.

thank you All


K B Nikhil


Posted on Oct 26, 2022 3:13 AM


22 replies

Jan 26, 2023 5:42 AM in response to John Galt

Hi John Galt, Apple community Support team.


Thank you for your suggestion and solutions


I tried to install macOS Mojave and Catalina after installing Mac OS Mavericks.


I also tried to remove the majority of unwanted Open Directory Utility application content, as in the following screenshots.



[Screenshots PG 00 to PG 10]



Keeping only the above PG 11, the rest of the records from PG 00 to PG 06 were removed, causing me to lose admin control of my MacBook Air; the master password is also not working correctly.


PG 07 TO PG 10 I CAN'T ALTER OR DO ANYTHING.


FURTHER MORE.



Finding an error with the Thunderbolt network, I don't understand why?


Further I tried to install Mojave and Catalina as shared in the next screenshots.


Thank you for reading

Jan 26, 2023 5:53 AM in response to kbnikhil

Further on, I ran the command odutil show all, as follows.



And I tried to install Mojave and Catalina, as in the following screenshots.



[Screenshots PG 00 to PG 03]



I don't know why it's not working,


Anyway, I will try once more by formatting, after which 221MB of some files remain; I don't know what they are. I will get photos of it, and then I will reload the Time Machine backup.


But if you have better suggestions I am all waiting,


If it fails, I will take it to the iCare Imagine Apple Authorized service center for a reinstall.


Thank you all for continued support and reading my post.


Eagerly waiting for solution.


Thank you once again.


Nikhil

Jan 28, 2023 3:24 AM in response to kbnikhil

Hi Everyone Thank you for reading my post,


Thank you John Galt and others, I could finally get macOS Sierra installed over Mavericks.


But the 221MB still exists, as shared in the screenshots below.



[Screenshots PG 00 to PG 18]


macOS Sierra is successfully installed. In the next post I will share the logs of the install stages.


Thank you for your continued support.

Nikhil

Jan 30, 2023 1:56 AM in response to kbnikhil

Hi Apple community Support Team


Thank you for going through my post.


As said, I am sharing the log created when installing Sierra on top of Mavericks.





The screenshot showing Keychain with Directory Utility.



[Screenshots PG 00 to PG 12]



System and install logs as follows. Thank you for reading and suggestions.



Jan 30, 2023 2:19 AM in response to kbnikhil

The logs



The install logs are too large to add from a Samsung tablet. Maybe I can add them from another system.


They might help me resolve my issues with continued crashes of all applications, including the text editor, as shared in an earlier post.


Thank you for your patience and continued support.

Nikhil.

Nov 16, 2022 4:38 AM in response to kbnikhil

Hello All


Eagerly waiting for some solution to this hacked issue.


Below is the command output showing lots of unwanted activity,

or it looks like someone has HACKED my MacBook Air.


Last login: Wed Nov 16 17:37:59 on console   


id -a 


uid=502(kbnikhilbr) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp)


uid=70(_www) gid=70(_www) groups=70(_www),12(everyone),61(localaccounts),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),100(_lpoperator)


 MAC PS 


kbnikhilbr         640 s000    0.0 S    31T   0:00.00   0:00.00 grep httpd


root               126   ??    0.0 S    31T   0:00.01   0:00.00 /usr/libexec/opendirectoryd


kbnikhilbr         642 s000    0.0 S    31T   0:00.00   0:00.00 grep opendirectoryd


kbnikhilbr         644 s000    0.0 S    31T   0:00.00   0:00.00 grep studentd


kbnikhilbr         646 s000    0.0 S    31T   0:00.00   0:00.00 grep tmutil


 odutil 


Active requests (time in microseconds):




PID      Request ID Refs Type Active Time Node ID Nodename Current Module Parent Request Results Delivered 


-------- ---------- ---- ---- ----------- ------- -------- -------------- -------------- ----------------- 




Active sessions:




PID      Session ID Refs Type Target 


-------- ---------- ---- ---- ------ 




httpd (no pid file) not running


 aux PS


root               126   0.7  0.3  4356236  12356   ??  Ss    5:37PM   0:04.99 /usr/libexec/opendirectoryd


user         652   0.0  0.0  4285696    696 s000  S+    5:45PM   0:00.00 grep opendirectoryd


user        654   0.0  0.0  4268288    660 s000  S+    5:45PM   0:00.00 grep httpd


user        656   0.0  0.0  4268288    660 s000  S+    5:45PM   0:00.00 grep studentd


user         658   0.0  0.0  4268288    660 s000  S+    5:45PM   0:00.00 grep tmutil


tmutil 


Created local snapshot with date: 2022-11-16-174506


tmutil: disable requires root privileges.


tmutil: delete requires root privileges.


% sudo ./myscript.sh


Password:


id -a 


uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp)


uid=70(_www) gid=70(_www) groups=70(_www),12(everyone),61(localaccounts),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2),100(_lpoperator)


 MAC PS 


root               668 s000    0.0 S    31T   0:00.00   0:00.00 grep httpd


root               126   ??    0.0 S    31T   0:00.01   0:00.00 /usr/libexec/opendirectoryd


root               670 s000    0.0 S    31T   0:00.00   0:00.00 grep opendirectoryd


root               672 s000    0.0 S    31T   0:00.00   0:00.00 grep studentd


root               674 s000    0.0 S    31T   0:00.00   0:00.00 grep tmutil


 odutil 


Active requests (time in microseconds):




PID      Request ID Refs Type Active Time Node ID Nodename Current Module Parent Request Results Delivered 


-------- ---------- ---- ---- ----------- ------- -------- -------------- -------------- ----------------- 




Active sessions:




PID      Session ID Refs Type Target 


-------- ---------- ---- ---- ------ 




httpd (no pid file) not running


 aux PS


root               126   2.2  0.3  4357284  12372   ??  Ss    5:37PM   0:05.29 /usr/libexec/opendirectoryd


root               680   0.0  0.0  4268288    664 s000  S+    5:45PM   0:00.00 grep opendirectoryd


root               682   0.0  0.0  4268288    656 s000  S+    5:45PM   0:00.00 grep httpd


root               684   0.0  0.0  4268288    660 s000  S+    5:45PM   0:00.00 grep studentd


root               686   0.0  0.0  4268288    656 s000  S+    5:45PM   0:00.00 grep tmutil


tmutil 


Created local snapshot with date: 2022-11-16-174545


snapshot_path: No such file or directory (error 2)


Total deleted: 0B


The above is the execution of the following commands:

echo "id -a " ;
id -a ;
id -a _www ;
echo " MAC PS " ;
ps MAC | grep httpd ;
ps MAC | grep opendirectoryd ;
ps MAC | grep studentd ;
ps MAC | grep tmutil ;
echo " odutil " ;
odutil show requests ;
odutil show sessions ;
apachectl -k stop ;
echo " aux PS" ;
ps aux | grep opendirectoryd ;
ps aux | grep httpd ;
ps aux | grep studentd ;
ps aux | grep tmutil ;
echo "tmutil " ;
tmutil localsnapshot
tmutil disable ;
tmutil stopbackup ;
tmutil delete snapshot_path ;
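
A `ps ... | grep name` pipeline like the ones in the post above also lists the `grep` process itself, because its own command line contains the search word. As an added example (not part of the original post), this sketch matches on the executable name instead and reports which of the four searched names belong to a real process; the sample lines are constructed from the `ps aux` output quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: separate real processes from grep's own entries in `ps aux` text.

# Constructed sample, modelled on the `ps aux` lines quoted in the post above.
sample_ps() {
cat <<'EOF'
root   126  0.7  0.3  4356236  12356   ??  Ss    5:37PM   0:04.99 /usr/libexec/opendirectoryd
user   652  0.0  0.0  4285696    696 s000  S+    5:45PM   0:00.00 grep opendirectoryd
user   654  0.0  0.0  4268288    660 s000  S+    5:45PM   0:00.00 grep httpd
user   656  0.0  0.0  4268288    660 s000  S+    5:45PM   0:00.00 grep studentd
user   658  0.0  0.0  4268288    660 s000  S+    5:45PM   0:00.00 grep tmutil
EOF
}

# real_matches NAME: reads `ps aux` text on stdin and prints "PID USER COMMAND"
# for each process whose executable basename is exactly NAME. Field 11 is the
# executable path in `ps aux` output, so a `grep NAME` line (executable: grep)
# is never counted as a hit for NAME. Paths containing spaces are not handled.
real_matches() {
    awk -v name="$1" '
        { n = split($11, parts, "/") }
        parts[n] == name { print $2, $1, $11 }
    '
}

# summarize NAME...: one line per name, either the real process or "not running".
summarize() {
    ps_text=$(cat)
    for name in "$@"; do
        hits=$(printf '%s\n' "$ps_text" | real_matches "$name")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while read -r pid user cmd; do
                echo "$name running pid=$pid user=$user cmd=$cmd"
            done
        else
            echo "$name not running"
        fi
    done
}

# On a live Mac: ps aux | summarize opendirectoryd httpd studentd tmutil
sample_ps | summarize opendirectoryd httpd studentd tmutil
```
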



This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
