Computer was hacked through screensharing. Some questions...

Hello all,

So while I was out the other day I received a notification on my iPhone that I had just purchased an iPhone 5 on eBay. I called PayPal to let them know it wasn't me. When I got home I found someone remotely going through my computer using screensharing. He had gone to eBay where I had the password auto fill. He was then able to buy the phone because I had recently linked my PayPal account to eBay. I shut the computer down and unplugged from the internet.


When I turned it back on I see he had deleted browser history so I couldn't verify where he had gone. Unfortunately I had also saved my passwords so he may have found those (I know, will delete that, have changed many passwords all day). Checked my console logs and see that for the past 4 days 10 different IP addresses had been constantly hitting my screensharingd.bundle trying to get in. One finally succeeded two days prior to my discovery. I see that on 5 different occasions over the past two days they had logged on from two different IP addresses. I'm afraid my wife's laptop may have also been compromised since we are on the same network.


So- what are the chances they were able to install key logging software or something similar? Any other viruses or back ends to be worried about?


I have wiped my wife's laptop and done a fresh install. I was going to use Migration Assistant to put back her apps, docs, and settings but is there a chance that the assistant puts back some malicious files if there are any? Concerned about this when I do it to the iMac also.


What can I do to make sure this never happens again? I realize I made some big mistakes and had become complacent with my Mac's security since in 20 years I've never had a problem. I will make sure the firewalls are on and in stealth mode. Will I be able to use screen share in the house still since I tend to use it a lot? What password protects the screenshare or was it even a password they hacked?


Should I call the police or the associated ISPs with the IP addresses?


Any info or insight is greatly appreciated.

iMac, OS X Mavericks (10.9.1), iBook 10.6.8

Posted on Dec 31, 2013 8:40 AM

28 replies
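An added example, not from the original thread, of the kind of console-log review the post above describes: a Python script that tallies failed screensharingd authentications per source address and flags every successful login that did not come from the home LAN, noting whether it followed a burst of failures (a guessed password) or arrived cold from a second address. The log lines are constructed, their exact layout is an assumption, and SAMPLE_LOG, parse_events, summarize and is_lan are names of my own.

```python
import ipaddress
import re

# Constructed sample of system.log lines (not from the original post). The
# "Authentication: ... :: Viewer Address: ..." layout follows what screensharingd
# logged on OS X of that era; treat the exact format as an assumption.
SAMPLE_LOG = """\
Dec 27 03:14:02 iMac screensharingd[412]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.23 :: Type: VNC DES
Dec 27 03:14:05 iMac screensharingd[412]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.23 :: Type: VNC DES
Dec 27 03:14:09 iMac screensharingd[412]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.23 :: Type: VNC DES
Dec 28 11:02:44 iMac screensharingd[412]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 203.0.113.9 :: Type: VNC DES
Dec 29 22:40:11 iMac screensharingd[412]: Authentication: SUCCEEDED :: User Name: chris :: Viewer Address: 198.51.100.23 :: Type: DH
Dec 30 09:12:30 iMac screensharingd[412]: Authentication: SUCCEEDED :: User Name: chris :: Viewer Address: 192.168.1.20 :: Type: DH
Dec 30 14:03:55 iMac screensharingd[412]: Authentication: SUCCEEDED :: User Name: chris :: Viewer Address: 203.0.113.44 :: Type: DH
Dec 30 19:45:01 iMac someotherd[77]: unrelated line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ screensharingd\[\d+\]: "
    r"Authentication: (?P<result>FAILED|SUCCEEDED) :: User Name: (?P<user>.*?) "
    r":: Viewer Address: (?P<ip>\S+) :: Type: .*$"
)

# RFC 1918 checked explicitly: ipaddress.is_private also calls documentation ranges private.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def parse_events(text):
    """One dict per screensharingd authentication line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(events, fail_threshold=3):
    """Return (alerts, failures-per-address). Every successful login from a non-LAN
    address is an alert; the reason says whether it followed at least fail_threshold
    failures (password guessed) or came with few or none (address already had it)."""
    fails, alerts = {}, []
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "FAILED":
            fails[ip] = fails.get(ip, 0) + 1
        elif not is_lan(ip):
            n = fails.get(ip, 0)
            why = ("success after %d failures" % n if n >= fail_threshold
                   else "success from public address with %d prior failures" % n)
            alerts.append((ev["ts"], ip, ev["user"], why))
    return alerts, fails
```

On a real Mavericks machine the input would be the screensharingd lines from /var/log/system.log rather than the constructed sample.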

Dec 31, 2013 9:20 AM in response to chrmay

Ouch!


Courtesy of TReed for a similar, but not identical, question:


This means that the safest thing to do at this point might be to erase the hard drive completely, reinstall the system and any apps from scratch, and then restore your documents (and only documents, no settings files, applications or other such things!) from a backup. That is the only way that you can be 100% sure that there's nothing installed that is still giving these scammers access to your data.

Are you using WiFi? If so, is it set to use a long (I mean 40+ characters, all over the keyboard) WPA2/AES password? Almost any router you use will be a NAT router and will not expose your devices to the "outer" world, so that means the Mac firewall is unnecessary. Make sure the router is not set for remote login and turn its firewall on.


I don't know what sharing you use, but I would certainly turn off anything not absolutely necessary, especially anything "remote." If your local network is secure, behind a NAT router, and a really strong WPA2 password, I don't see anyone getting into that.


When you're back up you can check out this site.


https://www.grc.com/x/ne.dll?bh0bkyd2

Dec 31, 2013 11:23 AM in response to WZZZ

Off the top... After the wipe and restore from distribution (and only reload apps from distros or from pre-breach backups), also reset all your passwords, including at least the following:


  • AppleID accounts (main or iTunes or iCloud accounts, whatever you're using)
  • all email accounts configured on your system
  • revoke and regenerate any private keys, including any digital certificates you have stored locally. This includes the developer certificates for Apple Xcode, for ssh connections, and otherwise.
  • Facebook, eBay, Twitter, LinkedIn, Google including gmail, Adobe, etc.


Don't use the same or even similar passwords, as somebody running some website you've signed up for will almost inevitably store your password in cleartext or with a weak or with a fast cryptographic hash and then get breached, and if there's a theme used for your passwords or if there's any password reuse, then that can then be obvious to an attacker.


Confirm that all of the reset email addresses are still as expected with each of the major services you use, and particularly first with the services involving money. Ensure the reset addresses have not been reset to some other email address.


Contact the credit card companies for any credit card data you might have stored either in text files, or in Keychain.


For some cases such as Twitter, you might have to see whether there are unexpected or additional Twitter client applications registered to your account — this is less of a factor for most folks, but if you're a "higher-profile" target, definitely check this and definitely reset any clients you're not using. Same for stock trading applications or related services; services where specific clients might get authorized to automatically access some server.


Though others might disagree, I prefer to have the integrated firewall raised at all times, as it's easy to forget to raise that when you wander off your private network with your laptop. The less I have to remember here, the better.


If you're getting directly accessed from remote sites, then you don't have a firewall, or your firewall has been configured to be fairly open. (Some folks will port-forward various services, and the attackers will then find and target those ports and services. If you do have a firewall, then it has been set up to port-forward at least RDP/ARD/VNC via TCP port 5900.)


If you want or need or use remote access, then consider a firewall with an integrated VPN server. If you are using a VPN server, change the VPN credentials.


You can certainly chat with the police, and simply having that case report documentation might be handy if there's something more that arises from this misadventure. Whether anything happens via the police, I don't know.

Dec 31, 2013 11:26 AM in response to chrmay

It seems that you've enabled some kind of remote access to the computer. However you did that, it's secured by a password. Almost certainly the password was guessed.

If you use the same password for anything else, change those passwords too, and make them all different. Internet passwords should be random strings of at least 10 characters. You most likely don't need to, and should not be able to, remember them. They should be saved in your keychain and backed up with the rest of your data.

One way to generate a secure password is the following. Triple-click anywhere in the line below on this page to select it:

openssl rand -base64 10 | cut -c-14 | pbcopy

Copy the selected line to the clipboard by pressing the key combination command-C. Launch the Terminal application and paste into the window that opens (command-V). A string of 14 random characters will be copied to the Clipboard. Use that string, or a substring, as the password. To generate another random string, press the up-arrow key and then the return key with the Terminal window active. You can then quit Terminal.

Dec 31, 2013 2:10 PM in response to chrmay

Thank you all for your help. This has been a nightmare. I was wondering if the app Little Snitch would alert me to outbound attempts by a malicious file.


As far as reinstalling stuff- do I need to be concerned about putting back txt, doc or similar files? I didn't have a pre-attack backup so all the files were exposed to some extent.

Dec 31, 2013 3:19 PM in response to chrmay

So the only thing to do is beef up the passwords?


That's the main thing, but you also need to know what services you're exposing to the Internet. I wouldn't recommend running a public VNC server, even with a strong password. You should use "Back to My Mac" in iCloud if you need to access the computer remotely when it's unattended.


"Little Snitch" would have done nothing to protect you from this intrusion, or any intrusion. Mostly what it does is to bombard you with incessant and useless warnings of normal system activity.

Dec 31, 2013 3:58 PM in response to chrmay

I disagree: Little Snitch wouldn't have prevented this, but it may now detect suspicious outgoing activity. The thing is, you need to be able to know what would constitute suspicious or abnormal outgoing connections. And those it might pick up. If they installed a backdoor and it's connecting to some command and control somewhere, or who knows what, in order to receive your sensitive data, LS may pick that up. Post back with any LS alerts you want us to check out for you. You can also Google any of the URLs LS is flagging before you either allow or deny. If you click on top to "show details," you can get the IP as well. Here's what it will look like. It will run as a trial for 3 hours, but can be renewed before you decide to buy.


[User uploaded image]



MrHoffman wrote: (Some folks will port-forward various services, and the attackers will then find and target those ports and services. If you do have a firewall, then it has been set up to port-forward at least RDP/ARD/VNC via TCP port 5900.)


You can use the link I gave you at Shields up, above, to see which ports, including 5900, might be open. And go to Port Forwarding in your router and see which ports, if any, are open. But Shields up will not check any of the more "unusual" ports unless requested. So you have to know what those might be.

Dec 31, 2013 4:11 PM in response to chrmay

Something else needs to be clarified here. You are not interested in carrying out a forensic investigation to determine how your system has been compromised, if at all, by software that some intruder installed. Rather, you're interested in making sure that there is no compromise. The only way to do that is to erase the startup volume, reinstall OS X, restore only your user data and settings, and then reinstall all your other software from known-good sources. Any other measures you take are pointless and a complete waste of effort.


I can assure you of one thing: If I broke into your system and wanted to leave a back door, I could do it in a way that would be undetectable by "Little Snitch" or anything else — and I don't pretend to have any special skill as a "hacker." You have to assume that your intruder could do whatever I could do.

Dec 31, 2013 8:37 PM in response to Linc Davis

Ok so I went into my router settings and removed the two port forwarding options that had been turned on.


Both computers have been wiped and fresh OS's installed. I guess my concern now is exactly what files are safe to restore. Can I just grab my iPhoto library and iTunes folders and put them back in their respective places? What about what is in my Documents folder?


Is Migration Assistant of any use now?


Also since my last backup had been post-attack is it safe to even plug that USB drive in without fear of it somehow infecting the main computer? I hope so 'cause it's already plugged in...


Wow this is just terrible. Years and years of collected programs, tweaks, preferences, settings... ugh...


Well- HAPPY NEW YEARS!!! 😟


Again- thank you all for your help. I really do appreciate it.

Dec 31, 2013 9:06 PM in response to chrmay

It's safe to use your backup drive. You just have to restore selectively.


You could have used Setup Assistant to transfer your user data from the backup. If you've already set up an account, create a temporary administrator account and log into it after logging out of the existing account. You can then run Migration Assistant and do the same, replacing the original account. Don't transfer "Applications," "Other files and folders," or "Computer & Network Settings" — all that will have to be recreated. You can then delete the temporary account.


OS X: How to migrate data from another Mac using Mavericks


This is what I'd call a measured response. Unless you were the target of an improbably sophisticated attack, it will leave you with a clean system.


You still have to change all Internet passwords and check all financial accounts for unauthorized transactions.

Dec 31, 2013 9:55 PM in response to chrmay

Also get a different router, or modem/router, as installing a different router will most certainly change your public IP address.


I'm sure there is a way to change the IP address on your current router or modem/router. But I have no idea how to do it.


Also, don't use a static public IP address. Mine hasn't changed in a while and I too have two ports forwarding. I haven't kept my router long enough to see if it changes within so many months. But I suppose if the IP address is changed, then I can just simply change a setting on my iPhone.


KOT
