
Wifi Hacker

Can anyone explain what the highlighted "guest" on our wifi is? It showed up a few months ago (we've had a wifi network for years) and our internet is noticeably slower when it's around. I've changed passwords, and it disappears for a day or two, then returns. This past weekend I set our network to allow only my computer, my wife's computer and my iPhone (only 3 MAC IDs on the list of admissible computers), but this item popped back up today. When I "get info" on this item it lists it as a "PC Server" but gives no other information other than listing it as shown: "Connected as: Guest".


Is this something internal? Do we have some cyber-ninja living next door who's hellbent on tapping into our little network? Anyone have any ideas of what this is or how to get rid of it?


Thanks.

User uploaded file

Posted on Sep 26, 2011 8:51 PM

15 replies

Sep 27, 2011 12:21 AM in response to Ziatron

Yeah but hard wired is hard when you spent the money on a wireless router.


Turn off the guest access if that is possible.


Ensure you set the wireless security to WPA2 Personal, and use a decent passkey: 10-12 characters, a non-dictionary word or phrase including caps and numbers. It has not been broken yet, except maybe in a lab under lab conditions.


Set the wireless to manual and also turn off either 2.4 GHz or 5 GHz if you don't use them.


If the guest arrives back in your system, check the MAC address and check against all the devices in your system.
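The MAC comparison suggested in the reply above, sketched as an added example (not part of the original post): it reads `arp -a` output and lists any device whose MAC is not on a known list. The sample ARP text, the addresses and the function names are constructed; note that macOS prints octets without leading zeros, so both sides are normalised before comparing, and that the ARP table only holds hosts this Mac has recently exchanged traffic with.

```shell
#!/bin/sh
# Added example: flag devices in the ARP table that are not on a known-MAC list.

# Normalise a MAC to lower case, colon separated, zero-padded octets.
# macOS `arp -a` prints "0:1f:f3:..." while labels usually show "00:1F:F3:...".
normalize_mac() {
    printf '%s\n' "$1" | tr 'A-F-' 'a-f:' | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++) {
            o = $i
            if (length(o) == 1) o = "0" o
            out = out (i > 1 ? ":" : "") o
        }
        print out
    }'
}

# Read `arp -a` text on stdin; print "ip mac" for every MAC not listed in $1.
unknown_devices() {
    known=""
    for m in $1; do known="$known $(normalize_mac "$m")"; done
    while read -r _name ip _at mac _rest; do
        case "$mac" in *:*:*:*:*:*) ;; *) continue ;; esac  # skips "(incomplete)"
        mac=$(normalize_mac "$mac")
        [ "$mac" = "ff:ff:ff:ff:ff:ff" ] && continue         # broadcast entry
        case " $known " in *" $mac "*) continue ;; esac      # known device
        ip=${ip#\(}; ip=${ip%\)}
        printf '%s %s\n' "$ip" "$mac"
    done
}

# Constructed sample of `arp -a` output (all addresses are made up).
SAMPLE_ARP='? (10.0.1.1) at 0:1f:f3:aa:bb:1 on en1 ifscope [ethernet]
? (10.0.1.2) at 60:c5:47:aa:bb:02 on en1 ifscope [ethernet]
? (10.0.1.7) at 0:24:1d:cc:dd:ee on en1 ifscope [ethernet]
? (10.0.1.9) at (incomplete) on en1 ifscope [ethernet]
? (10.0.1.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]'

# Constructed known list: the router and one laptop, as printed on their labels.
KNOWN='00:1F:F3:AA:BB:01 60-C5-47-AA-BB-02'

check_sample() { printf '%s\n' "$SAMPLE_ARP" | unknown_devices "$KNOWN"; }

check_sample   # on a live Mac: arp -a | unknown_devices "$KNOWN"
```
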

Sep 27, 2011 6:44 AM in response to dooooooooooode

Open System Preferences (gear icon on the dock)


Open Accounts


Do you have a Guest Account set up on the computer?


If yes, that is likely what you are seeing


Click on the lock to unlock the settings


Click on the Guest Account to highlight it


See if there is a check mark in the area to the right to allow Guests to connect to Shared Folders... there likely is... that is why you see the Macxxxxxx under the SHARED heading in the Finder


If you do not want a Guest Account on the Mac, you can click the - (minus) button at the bottom of the Users list to delete it.


If you are using your Time Capsule as a wireless router... and you want to be able to see how many devices are connected to the wireless network at any given time... post back for more details.

Oct 11, 2011 6:33 PM in response to Bob Timmons

This is a question for Bob.

I'm having the same problem as dooooooooode. I have found a PC connecting to my wireless network on my Time Capsule.

I have enabled the firewall, am running in stealth mode and have changed the passwords on both my time capsule and my network several times using a password generator.

This person keeps getting access somehow.

This morning, I ran an antivirus check using ClamXav and found something called shellcode x86. Apparently this is used to gain access to my computer. I have deleted this code and hopefully that will be the end of this. However, are there any other things I can do to secure my network? Fortunately the only thing this hacker has done so far (at least that I have noticed!) has been to delete music files. My archiving app stopped working so this person may be erasing program files as well.

I have absolutely nothing of value on my computer. I really don't know why this person is trying to get control of my system and deleting my files but I want it to stop.

Is there any way of tracking who is doing this and going to the police?


Any help would be greatly appreciated.

Oct 11, 2011 8:15 PM in response to KoreanSasquatch

Hackers are usually not so much interested in the data on your computer, but they are very interested in using your Internet connection to send volumes of spam email messages.


It goes without saying that if you use your computer for banking or credit card transactions, that you want to watch these accounts very carefully for any suspicious activity.


Suggest that you contact a local IT computer firm that specializes in wireless and Internet security. They will have sophisticated tools to use at your home or business and will be able to direct you to the proper legal channels.


In the meantime, you should turn off the wireless function on your router and connect only using wired Ethernet connections.

Oct 31, 2011 12:26 PM in response to dooooooooooode

I am a little relieved and a lot angry to find out that you are having the same problem that I have endured on a daily basis for months. My BULLY comes online and spars with me to the point that when I am talking to the ISP networking rep and naming my network, BULLY comes online and renames it right before our eyes. Last week I was working on the wifi on my cell hotspot and BULLY came on that network and added a new USER with a password and photo called OTHERS!


I've been to Apple, my local police, called the Attorney General and the State Bureau of Investigations. When we are trying to run businesses with our computers what can we do? BULLY is notorious for coming online and freezing my browser page.

Nov 2, 2012 10:21 PM in response to Bob Timmons

Hi Bob.

Sorry about the long overdue response.

A few months ago I spoke to a techie friend of mine and he figured out my problem.

I had two separate things occurring.


1. I had a virus and this was responsible for deleting my files. I ran a virus check with ClamXav and that solved the problem.


2. What I thought was a hacker was actually my virtual machine generating a random name using information in my virtual machine, as I had not assigned a computer name. Apparently this system-generated name still shows up in Finder for some time after you shut down the virtual machine, so I thought that someone had hacked into my computer.


A case of being a newbie and a little bit paranoid.

Thanks very much for your suggestions though Bob.


All the best.

Nov 2, 2012 11:27 PM in response to KoreanSasquatch

KoreanSasquatch wrote:


1. I had a virus and this was responsible for deleting my files. I ran a virus check with ClamXav and that solved the problem.

You caught my attention with this one. I'm guessing you are referring to an infection named "Exploit.Shellcode.X86-Gen-1 (Clam)" which is the only one I could find containing Shellcode and X86. I'll see what else I can find out about it, but I don't think this is known to impact OS X. I doubt that it's an actual "virus" as there aren't any that currently affect Macs, but there are at least 30 other pieces of malware that do.


Can you explain how it was responsible for deleting files? In your previous post you seemed to indicate that a hacker used this to access your Mac and delete some music files. Is that still the case or do you think this malware was directly responsible for the deletions? Again, I'm not aware of any Mac malware that is capable of doing this by itself.


Assuming that it wasn't an actual virus (which spreads by itself) do you have any idea how it got on your computer?


Can you tell me the file name and where it was located? It should still be in your scan log. An easy way to find it would be to open the Terminal app (found in /Applications/Utilities/), then copy and paste the following after the "$ " prompt:


grep 'FOUND' ~/Library/Logs/clamXav-scan.log


If you find it, copy and paste the information back here.
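A stricter version of the log check in the post above, as an added example (not part of the original post): it keeps only lines that end in `FOUND`, splits each into path and signature, and marks whether the file sits inside a Parallels `.pvm` bundle or on the Mac side. It assumes the ClamXav log uses clamscan's `path: Signature FOUND` line format; the sample log lines, paths and function names are constructed.

```shell
#!/bin/sh
# Added example: triage detections from a ClamAV-style scan log.

# Read log text on stdin; print "location<TAB>signature<TAB>path" per detection.
# location is "vm-bundle" for files under a Parallels .pvm bundle, else "host".
triage_found() {
    awk '
    / FOUND$/ {                      # a plain grep for FOUND also matches file names
        line = $0
        sub(/ FOUND$/, "", line)
        # The signature is the last ": word" on the line; paths may contain spaces.
        if (match(line, /: [^ :]+$/)) {
            sig  = substr(line, RSTART + 2)
            path = substr(line, 1, RSTART - 1)
            loc  = (index(path, ".pvm/") > 0) ? "vm-bundle" : "host"
            printf "%s\t%s\t%s\n", loc, sig, path
        }
    }'
}

# Count detections that are on the Mac side rather than inside a VM bundle.
host_hits() {
    triage_found | awk -F'\t' '$1 == "host" { n++ } END { print n + 0 }'
}

# Constructed sample log (paths and the second signature name are made up).
SAMPLE_LOG='/Users/example/Documents/Parallels/Windows 7.pvm/disk.hdd/disk.hds: Exploit.Shellcode.X86-Gen-1 FOUND
/Users/example/Downloads/LOST AND FOUND list.txt: OK
/Users/example/Downloads/setup.exe: Constructed.Test.Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 2'

printf '%s\n' "$SAMPLE_LOG" | triage_found
# On a live Mac: triage_found < ~/Library/Logs/clamXav-scan.log
```

A hit reported as `vm-bundle` belongs to the guest's disk and is better confirmed by scanning from inside the guest.
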

Nov 3, 2012 12:18 AM in response to KoreanSasquatch

After doing a bit of googling I have one more question. Are you running Windows in a virtual environment on your Mac?


All the Mac users I could find that reported this seem to have detected it there. Scanning a virtual Windows environment is never recommended as it sometimes gives false detections and can overlook others. Always best to run an A-V scanner from within the Windows environment. ClamWin is one solution that uses the same definitions database.


The definition was added to ClamAV in April 2005, so it's pretty old.

Nov 4, 2012 1:58 AM in response to MadMacs0

Sorry, I typed in the prompt that you gave me and I didn't come up with anything. It was the Exploit.Shellcode.X86-Gen-1 that I found though and one or two other variations of it as well. I had had my mac for just over two years at that point and had never run a virus check.

If the Exploit.Shellcode is not responsible for deleting my files, I'm not sure what was.


To answer your second question, I ran Windows 7 with Parallels 7 (I've recently upgraded to Parallels 8). I now have Microsoft Security Essentials which I use to scan my virtual machine and I use ClamXav for my Mac.

Nov 4, 2012 3:08 PM in response to KoreanSasquatch

KoreanSasquatch wrote:


Sorry, I typed in the prompt that you gave me and I didn't come up with anything. It was the Exploit.Shellcode.X86-Gen-1 that I found though and one or two other variations of it as well. I had had my mac for just over two years at that point and had never run a virus check.

If the Exploit.Shellcode is not responsible for deleting my files, I'm not sure what was.

I wasn't aware that this happened some time ago. I suspect the log you had back then was either deleted or rolled over which is why grep was unable to find anything. Probably more trouble than it's worth to try and recover that info now. Judging by the list of signatures posted at the same time, it's not surprising that there would have been others associated with it.

To answer your second question, I ran Windows 7 with Parallels 7 (I've recently upgraded to Parallels 8). I now have Microsoft Security Essentials which I use to scan my virtual machine and I use ClamXav for my Mac.

In that case, I think there's a strong possibility that what you found was installed in the Windows / Parallels portion of your hard drive and could well have caused problems there. I believe that this malware was also known as the W32.Blaster.Worm which Symantec has info on here. It's so old that I'm surprised it would even install on Windows 7. Seems to be designed to launch a denial of service attack against various sites once a month. I think it's a stretch to think it could have deleted anything from the Mac side of your computer.
