leifromglen ellyn

Q: my mac just got hacked(remote controlled). any ideas how?

Just now I was doing stuff on my macbook pro, and suddenly I lost control of the mouse.  The laptop barely(or even not at all) responds to my control.

Then there was somebody else controlling my mouse, my keyboard works fine however.  The guy hacking me looked at my mailbox, dropped a few things from the dock, made a new folder on the desktop, and I was sitting there stunned.  Then he opened my photo booth and I covered my camera and force shut down my laptop.  During all the time my keyboard works though, I was able to quit safari and mail, but I can't stop this guy changing stuff using mouse. 

Any ideas how he did it and how I can prevent this from happening again?  or even maybe find who did it..?

MacBook Pro, Mac OS X (10.6.8)

Posted on Sep 22, 2011 3:05 PM

  • by Linc Davis, Level 10 (207,958 points), Sep 22, 2011 3:09 PM, in response to leifromglen ellyn

    Open the Sharing preference pane in System Preferences. Is "Screen Sharing" enabled (checked)? If so, disable it. If not, you or someone else must have installed third-party software that allows for remote control of the screen.

  • by WZZZ, Level 6 (13,112 points), Sep 22, 2011 3:15 PM, in response to leifromglen ellyn

    As soon as you've got this locked up again, change all your important passwords. Do it off line.

  • by leifromglen ellyn, Level 1 (1 points), Sep 22, 2011 4:01 PM, in response to Linc Davis

    Thanks for replying!  Screen sharing was not checked when that happened. Any idea about how to find where the third party software is?

  • by Linc Davis, Level 10 (207,958 points), Sep 22, 2011 4:24 PM, in response to leifromglen ellyn

    Third-party system modifications are a common cause of instability and poor performance. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions -- they’re easy to carry out and won’t change anything on your Mac.

    Launch the Terminal application, copy or drag -- do not type -- the line of text below into the window, and press return:

    kextstat -kl | awk ' !/apple/ { print $6 $7 } '

    Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.)

    Next, do the same thing with this line:

    sudo launchctl list | sed 1d | awk ' !/0x|apple|com\.vix|edu\.|org\./ { print $3 } '

    That's one line, not two. You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.

    Next, this command:

    launchctl list | sed 1d | awk ' !/0x|apple|edu\.|org\./ { print $3 } '

    Again, one line. Finally, one more:

    ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2> /dev/null

    Important: If you synchronize with a MobileMe account, your me.com email address will appear in the output of the above command. Change it to something like “user@me.com” before posting.

    Remember, this is all drag-and-drop or copy-and-paste, whichever you prefer -- no typing, except your password.

    You can then quit Terminal.
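    An added example (not part of the thread and not Linc Davis's own script): the same non-Apple filter from the launchctl commands above, wrapped in shell functions so the check can be scripted and tested against a constructed sample of `launchctl list` output. The exclusion list and three of the sample labels come from the thread; the `0x…anonymous` and `org.cups` lines are constructed, and the live kext / launchd / Library commands run only when the script is on a Mac.

```shell
#!/bin/bash
# Added example, not Linc Davis's own commands: wrap the thread's "non-Apple"
# launchd filter in functions so it can be scripted and checked, and run the
# live kext / launchd / Library checks only when actually on a Mac.

# Constructed sample in the 10.6 `launchctl list` layout (PID  Status  Label);
# three vendor labels are copied from the output posted in the thread.
SAMPLE_LAUNCHCTL='PID Status Label
- 0 com.apple.Finder
123 0 com.pando.PMB
- 0 com.macpaw.CleanMyMac.helperTool
456 0 com.google.keystone.user.agent
- 0 org.cups.cupsd
789 0 0x10c2b0e70.anonymous.sshd'

# third_party_jobs: read launchctl output on stdin, drop the header line and
# print labels that are not Apple/OS entries (same exclusions as the thread's
# awk: anonymous 0x jobs, apple, com.vix (cron), edu., org.).
third_party_jobs() {
    sed 1d | awk '!/0x|apple|com\.vix|edu\.|org\./ { print $3 }'
}

# count_third_party: number of labels that survive the filter, so a script can
# alert when the count differs from a known-good baseline.
count_third_party() {
    third_party_jobs | wc -l | tr -d ' '
}

# has_job LABEL: succeed if LABEL is among the filtered labels read from stdin.
has_job() {
    third_party_jobs | grep -qx "$1"
}

# Live checks, only on macOS (Darwin); these are the commands from the thread.
if [ "$(uname -s)" = Darwin ]; then
    echo "== non-Apple kernel extensions =="
    kextstat -kl | awk '!/apple/ { print $6 $7 }'
    echo "== per-user launchd jobs not from Apple =="
    launchctl list | third_party_jobs
    echo "== third-party items in Library folders =="
    ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2>/dev/null
fi

echo "== filter applied to the constructed sample =="
printf '%s\n' "$SAMPLE_LAUNCHCTL" | third_party_jobs
```

    Pipe `sudo launchctl list` into `third_party_jobs` as well to cover system-wide daemons, which the per-user list does not show.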

  • by leifromglen ellyn, Level 1 (1 points), Sep 22, 2011 5:09 PM, in response to Linc Davis

    Wow, that looks way pro.  I followed the instructions carefully (I think) and the following would be the result:

    Last login: Thu Sep 22 18:53:09 on ttys000
    Lei-Duans-MacBook-Pro:~ leiduan1010$ kextstat -kl | awk ' !/apple/ { print $6 $7 } '
    Lei-Duans-MacBook-Pro:~ leiduan1010$ sudo launchctl list | sed 1d | awk ' !/0x|apple|com\.vix|edu\.|org\./ { print $3 } '

    WARNING: Improper use of the sudo command could lead to data loss
    or the deletion of important system files. Please double-check your
    typing when using sudo. Type "man sudo" for more information.

    To proceed, enter your password, or type Ctrl-C to abort.

    Password:
    com.microsoft.office.licensing.helper
    Lei-Duans-MacBook-Pro:~ leiduan1010$ launchctl list | sed 1d | awk ' !/0x|apple|edu\.|org\./ { print $3 } '
    com.pando.PMB
    com.macpaw.CleanMyMac.helperTool
    com.google.keystone.user.agent
    Lei-Duans-MacBook-Pro:~ leiduan1010$ ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2> /dev/null
    /Library/Components:

    /Library/Extensions:

    /Library/Frameworks:
    Adobe AIR.framework
    NyxAudioAnalysis.framework
    PluginManager.framework
    iLifeFaceRecognition.framework
    iLifeKit.framework
    iLifePageLayout.framework
    iLifeSQLAccess.framework
    iLifeSlideshow.framework

    /Library/Input Methods:
    IMKQIM.app
    QQInput.app

    /Library/Internet Plug-Ins:
    DirectorShockwave.plugin
    Flash Player.plugin
    JavaPlugin2_NPAPI.plugin
    JavaPluginCocoa.bundle
    PandoWebPlugin.plugin
    Quartz Composer.webplugin
    QuickTime Plugin.plugin
    RealPlayer Plugin.plugin
    SharePointBrowserPlugin.plugin
    SharePointWebKitPlugin.webplugin
    flashplayer.xpt
    iPhotoPhotocast.plugin
    nsIQTScriptablePlugin.xpt

    /Library/LaunchAgents:

    /Library/LaunchDaemons:
    com.microsoft.office.licensing.helper.plist

    /Library/PreferencePanes:
    Fan Control.prefPane
    MediaBooster.prefPane

    /Library/PrivilegedHelperTools:
    com.microsoft.office.licensing.helper

    /Library/QuickLook:
    SogouSkinPreviewer.qlgenerator
    iWork.qlgenerator

    /Library/QuickTime:
    AppleIntermediateCodec.component
    AppleMPEG2Codec.component

    /Library/ScriptingAdditions:
    Adobe Unit Types.osax

    /Library/StartupItems:
    FanControlDaemon

    Library/Address Book Plug-Ins:
    SkypeABDialer.bundle
    SkypeABSMS.bundle

    Library/Input Methods:
    .localized

    Library/Internet Plug-Ins:
    ThunderPlugIn.plugin

    Library/LaunchAgents:
    com.apple.CSConfigDotMacCert-leiduan1010@me.com-SharedServices.Agent.plist
    com.apple.FTMonitor.plist
    com.apple.FolderActions.enabled.plist
    com.apple.FolderActions.folders.plist
    com.apple.imagent.plist
    com.apple.marcoagent.plist
    com.google.keystone.agent.plist
    com.macpaw.CleanMyMac.helperTool.plist
    com.pando.PMB.plist

    Library/PreferencePanes:
    Lei-Duans-MacBook-Pro:~ leiduan1010$

  • by WZZZ, Level 6 (13,112 points), Sep 22, 2011 5:21 PM, in response to leifromglen ellyn

    You said you had screen sharing turned off. Is everything else off as well?

    [attached screenshot: Screen shot 2011-09-22 at 8.19.16 PM.png]

  • by Linc Davis, Level 10 (207,958 points), Sep 22, 2011 5:32 PM, in response to leifromglen ellyn

    I don't think it's any of that. Post the output of this command:

    ps -cx

  • by leifromglen ellyn, Level 1 (1 points), Sep 22, 2011 5:33 PM, in response to WZZZ

    Yes, there is nothing checked.

  • by leifromglen ellyn, Level 1 (1 points), Sep 22, 2011 5:35 PM, in response to Linc Davis

    PID TTY           TIME CMD
      101 ??         0:00.32 launchd
      105 ??         0:14.33 Dock
      106 ??         0:03.53 SystemUIServer
      107 ??         0:09.69 Finder
      111 ??         0:00.01 pboard
      114 ??         0:01.89 fontd
      116 ??         0:02.66 quicklookd
      119 ??         0:00.07 imklaunchagent
      124 ??         0:00.81 UserEventAgent
      131 ??         0:00.47 AirPort Base Station Agent
      134 ??         0:00.37 imagent
      138 ??         0:00.67 TISwitcher
      190 ??         4:30.38 Safari
      192 ??         6:58.57 WebProcess
      197 ??         0:00.37 AppleSpell
      198 ??         0:20.31 Mail
      201 ??         0:00.01 LKDCHelper
      300 ??         4:16.32 QQ
      344 ??         0:13.42 Software Update
      409 ??         3:17.23 PluginProcess
      523 ??         0:00.04 BezelUIServer
      612 ??         0:03.31 PluginProcess
      614 ??         0:13.79 java
      630 ??         0:00.56 mdworker
      675 ??         0:05.73 QQInput
      715 ??         0:00.14 SyncServer
      737 ??         0:00.13 Terminal
      738 ??         0:00.00 (SFLIconTool)
      739 ttys000    0:00.06 login
      740 ttys000    0:00.00 -bash
      743 ttys000    0:00.00 ps

  • by Linc Davis, Level 10 (207,958 points), Sep 22, 2011 5:55 PM, in response to leifromglen ellyn

    The only possibility I can see there is that you're running some kind of Java VNC server. Launch the Activity Monitor application, select "My Processes" from the popup menu in the toolbar, and enter "java" (without the quotes) in the filter box. Double-click the java process in the table. What are its parent process and open files?

  • by X423424X, Level 6 (14,237 points), Sep 22, 2011 6:19 PM, in response to leifromglen ellyn

    Please post the output from ps ax as opposed to ps cx.

  • by MadMacs0, Level 5 (4,791 points), Sep 23, 2011 12:56 PM, in response to leifromglen ellyn

    It might be related to a couple of Trojans that were announced today:

    F-Secure: Mac trojan posing as a PDF file
    http://www.f-secure.com/weblog/archives/00002241.html

    Sophos Security Blog: Mac OS X Trojan hides behind malicious PDF disguise
    http://nakedsecurity.sophos.com/2011/09/23/mac-os-x-trojan-hides-behind-malicious-pdf-disguise/

    MacFixIt: New OS X Trojan horse sends screenshots, files to remote servers
    http://reviews.cnet.com/8301-13727_7-20110677-263/

    except there should be a process called "checkvir" running.


  • by MikeMJD, Level 1 (0 points), Mar 10, 2012 2:35 PM, in response to leifromglen ellyn

    Hi there, did you find a solution in the end? I've got the same problem now... Very annoying!

    Which of the above instructions should I follow?

  • by lkstevens, Level 1 (0 points), Oct 17, 2012 3:16 PM, in response to leifromglen ellyn

    Had a similar experience as well.  Not sure what to do at this point either.  Tempted to just format and reinstall everything.
