My MacAir was hacked over a guest network. Got in Users Groups & changed passwords. How can I restore it?

Hi, was just setting up my new Time Machine and 3 Airport Express and added a guest network. After we confirmed connection I put the password. But a new "Guest" was in the Users & Groups, changed their status and took had parental control. Could not delete, nor access the preferences where one can. They changed the passwords on three computers and the 3 wi-fi networks we made.


Found strange icons in the Disk Utility and when checked they disappeared. When I typed my passwords some keys worked, some did nothing and other two characters. Same with the Master Password.


Have reset router to the max and Exceptional Password.


If I PRAM I get by this, but now want to restore my iMac i7, MacBook Pro and the MacAir 11. I have a 32Gig Thumb drive. What should I do?


Need to work on important documents before Monday. Please help! What is the safest solution?


Alex

Posted on Apr 19, 2014 12:33 PM

Question marked as Best reply

Apr 19, 2014 6:18 PM in response to amoffett

If you know or suspect that a hostile intruder has either had physical access to your computer, or has been able to log in remotely, then there are some steps you should take to make sure that the computer is safe to use.

First, if there's any chance that the incident will be the subject of legal action, then you should do nothing at all without consulting a lawyer or the police. Your computer would be the principal evidence in such a case, and you don't want to tamper with it.

Running any kind of software to scan for "viruses" or "rootkits" is worse than useless. If I broke into your system and wanted to leave a back door, I could do it in a way that would be undetectable by those means—and I don't pretend to any special skill as a hacker. You have to assume that any intruder can do the same. The "anti-virus" software itself will slow down and destabilize the computer with no offsetting benefit.

The only way you can be sure that the computer is not compromised is to erase at least the startup volume and restore it to something like the status quo ante. The easiest approach is to recover your entire system from a backup that predates the attack. Obviously, that's only practical if you know when the attack took place, and it was recent, and you have such a backup. You will lose all changes to your data, such as email, that were made after the time of the snapshot. Some of those changes can be restored from a later backup.

If you don't know when the attack happened, or if it was too long ago for a complete rollback to be feasible, then you should erase and install OS X. If you don't already have at least two complete, independent backups of your data, then you must make them first. One backup is not enough to be safe.

When you reboot after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from one of your backups in Setup Assistant.

Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.


Reinstall your third-party software from original media or fresh downloads—not from a backup, which may be contaminated.


Unless you were the target of an improbably sophisticated attack, this procedure will leave you with a clean system. If you have reason to think that you were the target of a sophisticated attack, then you need expert help.

That being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after your system has been secured, not before.
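An added example, not part of the reply above: one way to pick the Time Machine snapshot to restore from when the time of the intrusion is known. The function name, the sample snapshot paths and the cutoff date are constructed for illustration; on a real Mac the input would come from `tmutil listbackups`.

```shell
#!/bin/sh
# Added example. Reads Time Machine snapshot paths (one per line, in the form
# printed by `tmutil listbackups`) on stdin and prints the newest snapshot
# taken strictly before the cutoff. Snapshot folders are named
# YYYY-MM-DD-HHMMSS, so string comparison orders them chronologically.
# Exits 1 and prints nothing if no snapshot predates the cutoff, which is the
# case where the reply's "erase and install OS X" path applies instead.
latest_clean_snapshot() {
    cutoff=$1   # earliest moment the intrusion could have begun
    awk -v cutoff="$cutoff" '
        {
            n = split($0, parts, "/")
            stamp = parts[n]
            # Skip anything that is not a snapshot folder (e.g. a "Latest" link).
            if (stamp !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]$/)
                next
            # Appending "" forces string (not numeric) comparison.
            if ((stamp "") < (cutoff "") && (stamp "") > (best "")) {
                best = stamp
                path = $0
            }
        }
        END { if (path == "") exit 1; print path }
    '
}

# Constructed sample input; volume and machine names are placeholders.
SAMPLE_BACKUPS='/Volumes/TM/Backups.backupdb/Air/2014-04-12-090311
/Volumes/TM/Backups.backupdb/Air/2014-04-18-221503
/Volumes/TM/Backups.backupdb/Air/2014-04-19-130042
/Volumes/TM/Backups.backupdb/Air/Latest
/Volumes/TM/Backups.backupdb/Air/2014-04-20-080000'

# Hypothetical cutoff: treat everything from the start of 19 April as suspect.
printf '%s\n' "$SAMPLE_BACKUPS" | latest_clean_snapshot 2014-04-19-000000

# On a real system (assumes a configured Time Machine destination):
#   tmutil listbackups | latest_clean_snapshot 2014-04-19-000000
```

Set the cutoff earlier than the first sign of trouble: a snapshot taken after the intruder got in carries the compromise with it.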

Apr 20, 2014 10:30 AM in response to Linc Davis

Dear Linc,


Good advice, thank you. I also have a lot of data on iCloud. But there is an unknown Gmail address for my test questions which leads me to believe he accessed my emails and password. I have a 2nd appeal to the community for that problem, but since I am hacked in Thailand it's hard to get access to the kind responses.


My new security protocols are superior and we have enough data I collected today via screen shots and investigators are moving in as I write this thank you note.


For sure the purity of the OS is most important and I do back up in 4 locations. But was in the process of setting up a new Time Machine when this happened, but sense it's the same guy as last year when my company's Gmail was hacked a wire went out against fraudulent instructions from me... What a world we live in today.


This Mac support system is part of an emerging new age of personal ethics guiding us out of some dark times.


Thanks again.


Best wishes,


Alex
