Apple Intelligence now features Image Playground, Genmoji, Writing Tools enhancements, seamless support for ChatGPT, and visual intelligence.

Apple Intelligence has also begun language expansion with localized English support for Australia, Canada, Ireland, New Zealand, South Africa, and the U.K. Learn more >

You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

How do you find the culprit when unauthorized access to a computer is a problem?

One of our users had an issue with someone controlling her mouse. Any way to find on her MAC the identity of the person that was using Apple Remote Desktop to do this? Log file with IP?

Apple Remote Desktop-OTHER, Mac OS X (10.6.8)

Posted on May 30, 2012 3:21 PM

Reply
4 replies

Apr 19, 2017 10:49 AM in response to rjben

I found a login in system.log


This was on a laptop running El Capitan:


screensharingd [5791]: Authentication: SUCCEEDED :: User Name: XXX Viewer Address :: 172.xx.xx.xx :: Type DH


So search system.log on the attacked computer for some of these things and you will at least get the ip address, and if you are fast you could relate that back to the computer that it was done from. In this case they had shoulder surfed the password from the attacked computer, so they were logging in with what they know is a local user of the victim computer.

May 30, 2012 8:23 PM in response to rjben

the secure.log includes logs of computers that remote into the computer VIA ARDAgent. This includes the time date, account, and IP address of a computer they used to remote into the computer. The secure log is found in /var/logs/secure.log.


If they're using some thing other then the built-in remote fetures of the mac. Then your not going to see any thing in the secure log.


of corse you could just have all the passwords updated on the mac. Make sure ARDAgent is restricted. So they hopefully can't remote into the computer.


Also keep in mind an IP address has limitations. IE if I remote into a computer on 1/2/12 and then you check the log on 4/2/12, by that time some one else may have that IP address.

May 31, 2012 9:57 AM in response to TeenTitan

You may also want to completly change the password on YOUR ARD sever. If someone has comprimised YOUR system, you may find out that it was your system doing the "illegal" mosue movements. You may also want to check to be sure to NOT allow your system to be controlled by ARD from someone else. The Setting is in the ARD (Server) Preferences Menu under the Security tab.

How do you find the culprit when unauthorized access to a computer is a problem?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.