Computer was hacked through screensharing. Some questions...

Hello all,

So while I was out the other day I received a notification on my iPhone that I had just purchased an iPhone 5 on eBay. I called PayPal to let them know it wasn't me. When I got home I found someone remotely going through my computer using screensharing. He had gone to eBay where I had the password auto fill. He was then able to buy the phone because I had recently linked my PayPal account to eBay. I shut the computer down and unplugged from the internet.


When I turned it back on I see he had deleted browser history so I couldn't verify where he had gone. Unfortunately I had also saved my passwords so he may have found those (I know, will delete that, have changed many passwords all day). Checked my console logs and see that for the past 4 days 10 different IP addresses had been constantly hitting my screensharingd.bundle trying to get in. One finally succeeded two days prior to my discovery. I see that on 5 different occasions over the past two days they had logged on from two different IP addresses. I'm afraid my wife's laptop may have also been compromised since we are on the same network.


So- what are the chances they were able to install key logging software or something similar? Any other viruses or back ends to be worried about?


I have wiped my wife's laptop and done a fresh install. I was going to use Migration Assistant to put back her apps, docs, and settings but is there a chance that the assistant puts back some malicious files if there are any? Concerned about this when I do it to the iMac also.


What can I do to make sure this never happens again? I realize I made some big mistakes and had become complacent with my Macs' security since in 20 years I've never had a problem. I will make sure the firewalls are on and in stealth mode. Will I be able to use screen share in the house still since I tend to use it a lot? What password protects the screenshare, or was it even a password they hacked?


Should I call the police or the associated ISPs with the IP addresses?


Any info or insight is greatly appreciated.

iMac, OS X Mavericks (10.9.1), iBook 10.6.8

Posted on Dec 31, 2013 8:40 AM

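The original poster found the break-in by reading Console and noticing ten addresses hammering screensharingd before one got in. The script below is an added example, not code from the thread or from Apple: it runs that same triage over a few constructed log lines (not the poster's real log), tallies failed and successful Screen Sharing authentications per viewer address, flags addresses that look like password guessing, and reports any success that followed earlier failures from the same address. The exact wording of screensharingd's "Authentication" messages is an assumption made for the example; adjust LINE_RE to whatever your own Console shows.

```python
import re
from collections import defaultdict

# Constructed sample log for this example, shaped like OS X 10.9 syslog entries
# from screensharingd. The message wording is an assumption; only the structure
# (timestamp, process, result, user name, viewer address) matters to the parser.
SAMPLE_LOG = """\
Dec 27 03:14:02 imac screensharingd[221]: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.7 :: Type: VNC DES
Dec 27 03:14:05 imac screensharingd[221]: Authentication: FAILED :: User Name: root :: Viewer Address: 203.0.113.7 :: Type: VNC DES
Dec 27 03:14:09 imac screensharingd[221]: Authentication: FAILED :: User Name: mayboy :: Viewer Address: 203.0.113.7 :: Type: VNC DES
Dec 27 11:02:44 imac kernel[0]: AirPort: Link Up on en1
Dec 28 00:31:17 imac screensharingd[221]: Authentication: FAILED :: User Name: admin :: Viewer Address: 198.51.100.23 :: Type: VNC DES
Dec 28 00:31:20 imac screensharingd[221]: Authentication: FAILED :: User Name: admin :: Viewer Address: 198.51.100.23 :: Type: VNC DES
Dec 28 19:55:01 imac screensharingd[221]: Authentication: FAILED :: User Name: mayboy :: Viewer Address: 203.0.113.7 :: Type: VNC DES
Dec 28 19:55:04 imac screensharingd[221]: Authentication: FAILED :: User Name: mayboy :: Viewer Address: 203.0.113.7 :: Type: VNC DES
Dec 28 19:55:08 imac screensharingd[221]: Authentication: FAILED :: User Name: mayboy :: Viewer Address: 203.0.113.7 :: Type: VNC DES
Dec 29 22:41:10 imac screensharingd[221]: Authentication: SUCCEEDED :: User Name: mayboy :: Viewer Address: 203.0.113.7 :: Type: VNC DES
Dec 30 09:12:33 imac screensharingd[221]: Authentication: SUCCEEDED :: User Name: mayboy :: Viewer Address: 192.168.1.20 :: Type: VNC DES
"""

# Matches one screensharingd authentication line; unrelated lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ screensharingd\[\d+\]: "
    r"Authentication: (?P<result>FAILED|SUCCEEDED) :: User Name: (?P<user>\S+) "
    r":: Viewer Address: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_events(log_text):
    """Return the screensharingd authentication events in a log, in file order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())  # keys: ts, result, user, ip
    return events


def summarize_by_ip(events):
    """Per viewer address: failure/success counts, first and last seen, user names tried."""
    summary = {}
    for ev in events:
        s = summary.setdefault(
            ev["ip"],
            {"failed": 0, "succeeded": 0, "first": ev["ts"], "last": ev["ts"], "users": set()},
        )
        s[ev["result"].lower()] += 1
        s["last"] = ev["ts"]
        s["users"].add(ev["user"])
    return summary


def flag_brute_force(summary, min_failures=5):
    """Addresses with at least min_failures failed logins: password-guessing candidates."""
    return sorted(ip for ip, s in summary.items() if s["failed"] >= min_failures)


def successes_after_failures(events):
    """Successful logins from an address that had already failed: the case in this thread."""
    failed_so_far = defaultdict(int)
    hits = []
    for ev in events:
        if ev["result"] == "FAILED":
            failed_so_far[ev["ip"]] += 1
        elif failed_so_far[ev["ip"]]:
            hits.append((ev["ts"], ev["ip"], ev["user"], failed_so_far[ev["ip"]]))
    return hits


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    by_ip = summarize_by_ip(evs)
    for ip, s in by_ip.items():
        print(f"{ip:16} failed={s['failed']} succeeded={s['succeeded']} "
              f"users={sorted(s['users'])} {s['first']} .. {s['last']}")
    print("guessing candidates:", flag_brute_force(by_ip))
    for ts, ip, user, n in successes_after_failures(evs):
        print(f"ALERT {ts}: {ip} logged in as {user} after {n} failed attempts")
```

On a real machine you would feed it the relevant Console export (or the system log) instead of SAMPLE_LOG. The "success after failures" check is the one that matters most: a single success from an address that never failed is normal household use, while a success that caps a run of failures from the same address is the pattern the poster described.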

Jan 1, 2014 5:00 AM in response to Kingoftypos

I don't think getting a new IP address will make any difference to this, or is necessary. That's a public IP, and if things are closed up properly on the router, as seems to have been done, no one is getting through. But the idea of changing routers to get a new one is absurd. This can be attempted in several ways: there may be a setting in the router, Release DHCP Lease, which may or may not do it; power cycle the router: turn it off for at least 30 min., and then turn it back on; call or contact the ISP and ask them to do it.

Jan 1, 2014 7:20 AM in response to Kingoftypos

Kingoftypos wrote:


Also get a different router, or modem/router. As installing a different router will most certainly change your public IP Address.


I'm sure there is a way to change the IP Address on your current router or modem/router. But I have no idea how to do it.


Also, don't use a static public IP Address. Mine hasn't changed in a while and I too have two ports forwarding. I haven't kept my router long enough to see if it changes within so many months. But I suppose if the IP Address is changed, then I can just simply change a setting on my iPhone.



I would strongly disagree with the above advice.


A port scan of the entire IPv4 address space can be completed in about three minutes given enough bandwidth, either with a sufficiently large network link used by the scanning tools (example) or by the use of a botnet and its massively distributed bandwidth. The 30C3 conference had a 100 gigabit network uplink available to all attendees just last week. You can scan everything with that much bandwidth. Twice. Typical botnets used for scanning for open ports also have bandwidth proportional to their size, and many of those are very large.


Put another way, changing your IP address does nothing to help with security; an open port will get found, and — if you're connected to the net long enough — a weak password will get exploited.


There are nice lists of the five or ten thousand most common passwords these days, and those are common fodder for dictionary attacks on any open ports.


The use of dynamic or static IP addresses is not relevant here. The IPv4 port scanners and the botnets can't reliably make that determination, and don't bother.


The brand of the router also has little to do with the frequency with which the ISP might (or might not) rotate the IP addresses they are assigning via DHCP. Some ISPs will rotate those, and some don't bother.


The general solution here is good passwords or the use of certificates (which are better passwords), fewer or no forwarded ports in normal operations, and VPNs and TLS-protected (encrypted) links when you need connectivity inward.


Probably the only reason I'd swap out the firewall gateway here is to upgrade to a model with an integrated VPN server.

Jan 1, 2014 10:30 AM in response to chrmay

"Ok that's pretty scary. So the only thing to do is beef up the passwords?"


I would also say never ever leave passwords on autofill with anything that allows money to be spent. Amazon is another example.


You must have had the PayPal password on autofill, as even when linked to eBay you need to log into PayPal with a password to pay. Once in, the delivery address on PayPal could be changed too.

Jan 1, 2014 10:37 AM in response to chrmay

Last night I used Migration Assistant as Linc suggested, letting it put back my photos, music, docs but no apps, settings, etc.


This morning working on getting some stuff reinstalled. Been back and forth out of the room. Went down to the dock to pull up an app and saw that Terminal was running. To the best of my knowledge I didn't launch it. Is it possible that some of Apple's installers would have launched it and left it open?


Console lists the last login as Wed Jan 1 10:58:57 on ttys000. In console I find this:


1/1/14 10:58:57.931 AM login[4439]: USER_PROCESS: 4439 ttys000

1/1/14 10:58:59.309 AM defaults[4485]:

The domain/default pair of (/Users/mayboy/Library/Preferences/loginwindow, AutoLaunchedApplicationDictionary) does not exist

1/1/14 10:58:59.365 AM defaults[4489]:

The domain/default pair of (/Users/mayboy/Library/Preferences/loginwindow, AutoLaunchedApplicationDictionary) does not exist

1/1/14 10:58:59.424 AM defaults[4493]:

The domain/default pair of (/Users/mayboy/Library/Preferences/loginwindow, AutoLaunchedApplicationDictionary) does not exist

1/1/14 10:58:59.439 AM login[4439]: DEAD_PROCESS: 4439 ttys000


Can someone tell me if this is normal!?!?!


I look at Console messages now and everything appears devious to me.


I am so freaking paranoid right now.

Jan 1, 2014 10:45 AM in response to chrmay

  • Did you wipe the disk and reinstall OS X from distribution, or did you use Migration Assistant without the wipe and install?
  • Did you close that forwarded port on your NAT device?
  • Did you change all of your passwords?
  • Is your login short name mayboy?
  • Do you have any tools or scripts that start automatically when you log in?  > System Preferences > Users & Groups > Login Items

Jan 1, 2014 11:04 AM in response to MrHoffman

Did you wipe the disk and reinstall OS X from distribution, or did you use Migration Assistant without the wipe and install?

I wiped and reinstalled via a USB device. Then I used Migration Assistant to move back only my old User account. Didn't do Apps, Settings

Did you close that forwarded port on your NAT device?

Yes

Did you change all of your passwords?

Yes

Is your login short name mayboy?

Yes

Do you have any tools or scripts that start automatically when you log in?  > System Preferences > Users & Groups > Login Items

Yes. I thought I had removed them but I guess I did it before I did the M.A. restore, which then put them back. Obviously it was trying to launch applications that weren't there, which could have caused Terminal to load?

Jan 3, 2014 3:52 PM in response to jackm831

jackm831 wrote:


System Preferences>Sharing make sure everything is turned off. Unfortunately, that setting can't be locked making it possible to change without needing the admin password.

That's incorrect. If the checkbox marked below is checked, Sharing, or anything for that matter, will require an admin password for unlocking.


[User uploaded file: screenshot of the System Preferences lock checkbox]
