rswc90

Q: iMac (Mavericks) hacked by remote user

A couple of weeks ago I noticed my camera on - as I approached the computer it shut off. I thought that maybe a family member started to FaceTime me and changed their mind (there was no ringing). That happened 2 times. I forgot to ask anyone about it.

 

A week later, my PayPal account was broken into, as was my bank account connected to PayPal. They took more than $2000.00. PayPal has not yet explained how this happened.

 

3 days ago, early on Sunday morning, I saw my computer screen lit up and all these windows opening and closing. At first I was unsure that I was actually seeing what was happening. Then I bumped the mouse and the windows started to close...fast. It finally hit me that someone was "there." I turned off the wifi (no cable connected) - then I went to the trash to see what was there -- nothing. So I opened up the browser history and saw all my bank accounts listed. I checked my e-mail and saw all these alerts from my banks stating that someone had incorrectly answered the security questions -- in 4 banks. They DID get into an old credit card account online. I communicated with all my banks. I also have emailed DYN.com as I use(d) their services for years -- as a paid subscriber, I thought they would respond to me -- I was wondering if that is how the remote access occurred. I have heard nothing from them either...

 

I looked in settings and there was an added user, "Mrs Tester", added as an admin. I deleted the account, unchecked remote login and screen share. I also changed my home network code and base station code. I NEED remote login for my work. I called Apple security and the guy told me that I had already done everything they would tell me to do. I have the hacker's history. (bitcoins were the accounts he was going back to after each attempt at a bank) -- Of course I have changed all my pass codes and made them all unique -- do I call the police? How can I tell if my computer is safe again?

 

 

So there's my question...how do I scan to see if there's anything on my system logging my keystrokes etc. I installed "eset" as a trial user, as was recommended by the local computer store. Any other thoughts? With all the password changes, is there a way I can get back online and use remote login?

 

I have to say, I feel like a naked man has been staring at me from outside my window... YUCK.

 

Thanks for your help...

Posted on Jun 4, 2014 4:22 PM

  • by John Galt (Level 8, 49,777 points), Jun 4, 2014 5:39 PM, in response to rswc90 [Helpful]

    It certainly sounds as though someone has remote access to your Mac. In such circumstances you should not consider that Mac trustworthy, and should unplug it immediately.

     

    If you have any idea who may have had access to it, you ought to consider preserving evidence to be used in criminal prosecution. The first people to suspect are those you know, but have reason to distrust. Who stands to gain the most through theft of your private information is a question only you can answer. As a suggestion, start by considering remote access from your place of employment that you described.

     

    Nothing less than completely erasing that Mac and configuring it again from the ground up should be considered an adequate solution, and even that may be insufficient. There are simple remote access tools that could explain what happened, but merely ruling out those few known possibilities cannot provide absolute assurance that something else, such as a keylogger, is not installed.

     

    It gets worse, in that hardware modifications are also a possibility, and erasing your Mac will be ineffective in that case.

     

    Consider your router as well, since routers that use a web page or Telnet for configuration can be maliciously altered, conceivably in a manner that can intercept or divert its communications. Using your router's hardware reset function and reconfiguring it ought to eliminate that possibility, but non-Apple router support goes beyond the scope of this support site. In general though, be sure to deselect its ability to be configured over WAN and use secure passwords for both your wireless network and the device itself.

     

    It's also possible that the intrusion may have involved the low-tech possibility of someone doing exactly what you wrote - literally by looking through your window, or having had a camera installed in the vicinity of your Mac. Cameras are both sufficiently small and inexpensive enough today for anyone to obtain. More esoteric intrusions are possible but they get prohibitively expensive, and you are not likely to discover them on your own.

     

    Uninstall Eset. It's worthless in general, but particularly worthless for the situation you describe.

     

    You have some work to do, but don't trust that Mac in its present condition.

  • by rswc90 (Level 1, 10 points), Jun 4, 2014 6:40 PM, in response to John Galt

    Yikes. I will reply to this in as best order as I can -- sorry if I ask "obvious" questions. They are not to me (or I wouldn't ask them!)  I have turned off the wireless for now on that machine. I had already turned off the screen sharing and remote login permissions.  There is no one here that has access or desire or knowledge to mess with this iMac. I am the "house geek" -- everything is relative ;-)

     

    My place of employment is my office - alone - I am the only one there. The computer is password protected just the same! I feel very sure that no one has contact with my machine to physically alter it. Either I am here or someone else is (who knows nothing about computers).

     

    So how do I "completely erase" the computer? I have time machine back ups, but I am guessing that this would NOT be the reinstall you are talking about?!

     

    My Apple router and base station both got reset passwords (even though the Apple security guy said that wouldn't do anything - I felt I had to do it). It was never set to be able to be set over WAN.

     

    My computer is sitting such that the BACK of the computer can be seen from the back window -- no keypad strokes can be seen by looking in the windows ;-)  and finally, I use a password program that claims to keep everything encrypted and (now) I have 14-digit, random passwords assigned to each different site, account or whatever. OY!

     

    So, where do I start? and do I do this alone? CAN I do this alone? DO I bring it to an Apple store to do?

     

    Again, much obliged for your time and wisdom.

  • by Linc Davis (Level 10, 208,000 points), Jun 4, 2014 7:33 PM, in response to rswc90 [Helpful]

    If you know or suspect that a hostile intruder has either had physical access to the computer, or has been able to log in remotely, then there are some steps you should take to make sure that the computer is safe to use.

    First, depending on the circumstances, computer tampering may be a crime, a civil wrong, or both. If there's any chance that the matter will be the subject of legal action, then you should do nothing at all without consulting a lawyer or the police. The computer would be the principal evidence in such a case, and you don't want to contaminate that evidence.

    Running any kind of "anti-virus" software is pointless. If I broke into a system and wanted to leave a back door, I could do it in a way that would be undetectable by those means—and I don't pretend to any special skill as a hacker. You have to assume that any intruder can do the same. Commercial keylogging software—which has legitimate as well as illegitimate uses—won't be recognized as malware, because it's not malware.

    The only way you can be sure that the computer is not compromised is to erase at least the startup volume and restore it to something like the status quo ante. The easiest approach is to recover the entire system from a backup that predates the attack. Obviously, that's only practical if you know when the attack took place, and it was recent, and you have such a backup. You will lose all changes to data, such as email, that were made after the time of the snapshot. Some of those changes can be restored from a later backup.

    If you don't know when the attack happened, or if it was too long ago for a complete rollback to be feasible, then you should erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

    When you restart after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

    Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

    Reinstall third-party software from original media or fresh downloads—not from a backup, which may be contaminated.

    Unless you were the target of an improbably sophisticated attack, this procedure will leave you with a clean system. If you have reason to think that you were the target of a sophisticated attack, then you need expert help.


    That being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.
  • by John Galt (Level 8, 49,777 points), Jun 22, 2014 3:17 PM, in response to rswc90

    I apologize for not seeing your reply until now. That happens with this site on occasion.

     

    rswc90 wrote:

     

    So how do I "completely erase" the computer?

     

    Follow these instructions: OS X Mavericks: Erase and reinstall OS X

  • by rswc90 (Level 1, 10 points), Jun 22, 2014 6:19 PM, in response to John Galt

    (Is this where you wanted me to reply?) Carbonite does not back up the password program, which is encrypted anyway -- But I want to know about the key logger now. This is all getting so out of hand - Apple already claims I have "done everything" they would do -- hard to believe a newbie can guess what the experts would do in case of hacking ?! I posted the log -- is there evidence of key logging in the other post? Do I really need to start from scratch again?

  • by John Galt (Level 8, 49,777 points), Jun 22, 2014 6:41 PM, in response to John Galt

    .

  • by Kingoftypos (Level 3, 757 points), Jun 22, 2014 6:43 PM, in response to rswc90

    In the days/weeks preceding the hack, did you download and install any software/apps? If so, would you mind sharing with us what their names are and where you got them from?

     

    KOT

  • by thomas_r. (Level 7, 30,929 points), Jun 22, 2014 6:54 PM, in response to rswc90

    rswc90 wrote:

     

    Do I really need to start from scratch again?

     

    If someone actually has remote access to your Mac somehow - which certainly seems like it is likely to be the case, from your description - then there is one and only one way to solve the problem, and that is to erase the hard drive. Of course, you need to keep in mind Linc's advice above regarding possible legal action. Don't do anything that would destroy evidence!

     

    It is extremely likely that any remote access has been set up by someone with physical access to the computer. You say that you don't think this is happening because there's a password on it, but note that if you don't have FileVault turned on, that password means nothing. Someone with unmonitored physical access could do what they want with your machine whether there's a password on it or not. You must turn on FileVault after erasing and installing a new system, so that someone with physical access cannot tamper with the system or see your files.

     

    There is a small chance that the remote access is being established through installation of malware... but note that you would have to be installing the malware, and it would have to be something that isn't already detected by the anti-malware protection in Mac OS X. The list of possible malware that you could have installed is extremely small. If you install malware, FileVault won't help you, because you're inviting the malware past that protection. Just be cautious what you install, and where you download it from.

  • by John Galt (Level 8, 49,777 points), Jun 22, 2014 7:07 PM, in response to rswc90

    (Is this where you wanted me to reply?)

     

    Yes, thanks. On occasion replies to posts don't appear for some reason. It's an annoying bug with this site that has persisted for some time.

     

    The essence of my earlier reply was that while it is possible to identify the presence of a number of well-known keylogger programs, and it is possible to determine the presence of programs whose purpose is unknown, it is not possible for anyone on this site to determine with absolute assurance that a keylogger program does not exist on your Mac. That's the reason for recommending it be completely erased and reconfigured, beginning at that known state.

     

    Moreover, hardware devices exist whose presence cannot be determined without an extensive physical examination of your Mac and the equipment it's using, which can be difficult even for computer forensics experts.

     

    ... I posted the log -- is there evidence of key logging in the other post? Do I really need to start from scratch again?

     

    Post whatever new information you have to this discussion, since this is the one that remains unresolved. Adding your own questions to other people's questions won't help you, or them. The familiarity of yours just caused me to notice that this one remained open even as your reply remained invisible to me. That was sheer luck though.

  • by rswc90 (Level 1, 10 points), Jun 22, 2014 7:10 PM, in response to John Galt

    Of course I have changed all my pass codes and made them all unique — I filed a police report. I was starting to feel better about all this when 2 days ago someone successfully logged in and changed my Social Security account password. I changed it again and changed the email that went with it. I called SS and asked how this could have happened. She was so laissez-faire about the entire thing. Said "hon, it's OKAY!" That's it. She said because I have no bank account attached to it, it didn't matter -- Don't they now have all my identity stuff? When I logged in to change the password after receiving an email alert, I saw a very quick flash across the screen that read something like "Someone may be watching you" I couldn't get it to repeat.

     

     

    How can I tell if my computer is safe again.

     

    So there's my question...how do I scan to see if there's anything on my system logging my key strokes etc. Any other thoughts? With all the password changes, is there a way I can get back online and use remote login?

     

    Now, also, JAVA has been removed (or was never installed?!) on my MB Air and many things will not run. Even airline websites to book flights need java.  I have now updated JAVA on my iMac (the computer where I saw the hacker working) -

     

    Here is the log -- THANKS!

     

    Start time: 17:13:21 06/22/14

     

     

    Model Identifier: iMac13,1

    System Version: OS X 10.9.3 (13D65)

    Kernel Version: Darwin 13.2.0

    Boot Mode: Normal

    Time since boot: 3 days 10:12

     

     

    USB

     

     

      Photosmart C4200 series (Hewlett Packard)

      LaCie Device (LaCie)

      USB2.0 Hub (Genesys Logic, Inc.)

      USB2.0 Hub (Genesys Logic, Inc.)

      MT1887 (MediaTek Inc.)

     

     

    Diagnostic reports

     

     

      2013-11-17  crash

      2014-05-25 dyn_updater crash

      2014-06-02 ExpanderDaemon crash

      2014-06-02 Kernel panic

      2014-06-02 Kernel panic

      2014-06-02 Kernel panic

      2014-06-03 esets_proxy crash

      2014-06-05 CarboniteDaemon crash

      2014-06-06 Mail crash

      2014-06-09 Google Drive crash

      2014-06-13 CarboniteDaemon crash

      2014-06-13 Mail crash

      2014-06-20 AppleFileServer crash

     

     

    Log

     

     

      Jun 18 19:02:51 wl0: Roamed or switched channel, reason #4, bssid 20

      Jun 19 07:03:50 process CarboniteDaemon[116] thread 3699 caught burning CPU! It used more than 50% CPU (Actual recent usage: 92%) over 180 seconds. thread lifetime cpu usage 90.030437 seconds, (88.341544 user, 1.688893 system) ledger info: balance: 90005043742 credit: 90005043742 debit: 0 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 96944526539

      Jun 19 09:56:02 key_getsastat: Error finding SAs.

      Jun 19 09:56:35 key_getsastat: Error finding SAs.

      Jun 19 09:57:05 key_getsastat: Error finding SAs.

      Jun 19 09:57:13 ip6_output (ipsec): error code 22

      Jun 19 09:57:38 key_getsastat: Error finding SAs.

      Jun 19 09:58:08 key_getsastat: Error finding SAs.

      Jun 19 09:58:41 key_getsastat: Error finding SAs.

      Jun 19 09:59:14 key_getsastat: Error finding SAs.

      Jun 19 09:59:47 key_getsastat: Error finding SAs.

      Jun 19 10:00:20 key_getsastat: Error finding SAs.

      Jun 19 10:00:53 key_getsastat: Error finding SAs.

      Jun 19 10:01:26 key_getsastat: Error finding SAs.

      Jun 19 10:01:59 key_getsastat: Error finding SAs.

      Jun 19 10:02:32 key_getsastat: Error finding SAs.

      Jun 19 10:03:05 key_getsastat: Error finding SAs.

      Jun 19 10:03:35 key_getsastat: Error finding SAs.

      Jun 19 10:04:08 key_getsastat: Error finding SAs.

      Jun 19 10:04:41 key_getsastat: Error finding SAs.

      Jun 19 10:05:14 key_getsastat: Error finding SAs.

      Jun 19 11:04:22 process Mail[581] thread 177641 caught burning CPU! It used more than 50% CPU (Actual recent usage: 54%) over 180 seconds. thread lifetime cpu usage 90.036547 seconds, (89.425471 user, 0.611076 system) ledger info: balance: 90000865602 credit: 90000865602 debit: 0 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 165132323665

      Jun 19 15:33:14 ip6_output (ipsec): error code 22

      Jun 20 19:56:37 esp6_input: mbuf allocation failed

      Jun 21 10:24:59 process Acrobat[19068] caught causing excessive wakeups. Observed wakeups rate (per sec): 209; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 359644

     

     

    Activity

     

     

      CPU: user 20%, system 6%

     

     

    CPU per process: CarboniteDaemon (UID 0) is using 75.2  %

     

     

    Daemons

     

     

      com.oracle.java.Java-Updater

      com.oracle.java.JavaUpdateHelper

      com.rim.BBDaemon

      com.oracle.java.Helper-Tool

      com.microsoft.office.licensing.helper

      PenCommService

      com.google.keystone.daemon

      com.flipvideo.FlipShareServer.launchd

      com.fitbit.galileod

      com.fitbit.fitbitd

      com.carbonite.daemon

      com.adobe.SwitchBoard

      com.adobe.fpsaud

     

     

    Agents

     

     

      com.hp.scanModule.68672.UUID

      2BUA8C4S2C.com.agilebits.Apassword-helper

      net.culater.SIMBL.Agent

      com.rim.BBLaunchAgent

      com.puredigitaltechnologies.FlipShareAutoRun

      com.oracle.java.Java-Updater

      com.hp.help.tocgenerator

      com.google.keystone.system.agent

      com.flipvideo.FlipShareAutoRun

      com.coupons.coupond

      com.carbonite.carbonitestatus

      com.carbonite.carbonitealerts

      com.adobe.CS5ServiceManager

      com.google.Chrome.framework.service_process~/Library/Application_Support/Google /Chrome

      com.facebook.videochat.updater

      com.akamai.single-user-client

      com.akamai.client.plist

      com.adobe.ARM.UUID

     

     

    launchd

     

     

      /System/Library/LaunchAgents/com.apple.AirPortBaseStationAgent.plist

      (com.apple.AirPortBaseStationAgent)

      /System/Library/LaunchAgents/com.apple.servernotifyd.plist

      (com.apple.servernotifyd)

      /Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

      (com.adobe.AAM.Startup-1.0)

      /Library/LaunchAgents/com.adobe.CS5ServiceManager.plist

      (com.adobe.CS5ServiceManager)

      /Library/LaunchAgents/com.carbonite.launchd.carbonitealerts.plist

      (com.carbonite.carbonitealerts)

      /Library/LaunchAgents/com.carbonite.launchd.carbonitestatus.plist

      (com.carbonite.carbonitestatus)

      /Library/LaunchAgents/com.coupons.coupond.plist

      (com.coupons.coupond)

      /Library/LaunchAgents/com.flipvideo.FlipShare.AutoRun.plist

      (com.flipvideo.FlipShareAutoRun)

      /Library/LaunchAgents/com.google.keystone.agent.plist

      (com.google.keystone.system.agent)

      /Library/LaunchAgents/com.hp.help.tocgenerator.plist

      (com.hp.help.tocgenerator)

      /Library/LaunchAgents/com.oracle.java.Java-Updater.plist

      (com.oracle.java.Java-Updater)

      /Library/LaunchAgents/com.puredigitaltechnologies.FlipShare.AutoRun.plist

      (com.puredigitaltechnologies.FlipShareAutoRun)

      /Library/LaunchAgents/com.rim.BBLaunchAgent.plist

      (com.rim.BBLaunchAgent)

      /Library/LaunchAgents/net.culater.SIMBL.Agent.plist

      (net.culater.SIMBL.Agent)

      /Library/LaunchDaemons/com.adobe.fpsaud.plist

      (com.adobe.fpsaud)

      /Library/LaunchDaemons/com.adobe.SwitchBoard.plist

      (com.adobe.SwitchBoard)

      /Library/LaunchDaemons/com.carbonite.launchd.carbonitedaemon.plist

      (com.carbonite.daemon)

      /Library/LaunchDaemons/com.fitbit.fitbitd.plist

      (com.fitbit.fitbitd)

      /Library/LaunchDaemons/com.fitbit.galileod.plist

      (com.fitbit.galileod)

      /Library/LaunchDaemons/com.flipvideo.FlipShareServer.launchd.plist

      (com.flipvideo.FlipShareServer.launchd)

      /Library/LaunchDaemons/com.google.keystone.daemon.plist

      (com.google.keystone.daemon)

      /Library/LaunchDaemons/com.livescribe.PenCommService.plist

      (PenCommService)

      /Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

      (com.microsoft.office.licensing.helper)

      /Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist

      (com.oracle.java.Helper-Tool)

      /Library/LaunchDaemons/com.oracle.java.JavaUpdateHelper.plist

      (com.oracle.java.JavaUpdateHelper)

      /Library/LaunchDaemons/com.rim.BBDaemon.plist

      (com.rim.BBDaemon)

      Library/LaunchAgents/com.adobe.ARM.UUID.plist

      (com.adobe.ARM.UUID)

      Library/LaunchAgents/com.akamai.client.plist

      (com.akamai.client.plist)

      Library/LaunchAgents/com.akamai.single-user-client.plist

      (com.akamai.single-user-client)

      Library/LaunchAgents/com.apple.FolderActions.enabled.plist

      (com.apple.FolderActions.enabled)

      Library/LaunchAgents/com.apple.FolderActions.folders.plist

      (com.apple.FolderActions.folders)

      Library/LaunchAgents/com.facebook.videochat.plist

      (com.facebook.videochat.updater)

      Library/LaunchAgents/com.google.Chrome.framework.plist

      (com.google.Chrome.framework.service_process~/Library/Application_Support/Googl e/Chrome)

      Library/LaunchAgents/ws.agile.APasswordAgent.plist

      (ws.agile.APasswordAgent)

     

     

    Startup items

     

     

      /Library/StartupItems/DoubleCommand/config.command

      /Library/StartupItems/DoubleCommand/DoubleCommand

      /Library/StartupItems/DoubleCommand/install.command

      /Library/StartupItems/DoubleCommand/login.command

      /Library/StartupItems/DoubleCommand/StartupParameters.plist

      /Library/StartupItems/DoubleCommand/uninstall.command

      /Library/StartupItems/HP IO/HP IO

      /Library/StartupItems/HP IO/Resources/version.plist

      /Library/StartupItems/HP IO/StartupParameters.plist

      /Library/StartupItems/Qmaster/Qmaster

      /Library/StartupItems/Qmaster/StartupParameters.plist

     

     

    Bundles

     

     

      /System/Library/Extensions/LivescribeSmartpen.kext

      (com.livescribe.kext.LivescribeSmartpen)

      /System/Library/Extensions/MacOSXCameraDriver.kext

      (com.flipvideo.IOUSBCameraMassStorage)

      /System/Library/Extensions/RIMBBUSB.kext

      (com.rim.driver.BlackBerryUSBDriverInt)

      /System/Library/Extensions/RIMBBVSP.kext

      (com.rim.driver.BlackBerryUSBDriverVSP)

      /System/Library/Extensions/SiLabsUSBDriver.kext

      (com.silabs.driver.SiLabsUSBDriver)

      /System/Library/Extensions/VaraAudio.kext

      (com.vara.driver.VaraAudio)

      /Library/Audio/MIDI Drivers/EmagicUSBMIDIDriver.plugin

      (info.emagic.driver.unitor)

      /Library/Audio/Plug-Ins/Components/A52Codec.component

      (com.shepmater.A52Codec)

      /Library/Audio/Plug-Ins/Components/Flip4Mac WMA Import.component

      (net.telestream.wmv.import)

      /Library/Audio/Plug-Ins/HAL/DVCPROHDAudio.plugin

      (com.apple.DVCPROHDAudio)

      /Library/InputManagers/1PasswdIM/1PasswdIM.bundle

      (com.1passwd.InputManager)

      /Library/Internet Plug-Ins/AdobeAAMDetect.plugin

      (com.AdobeAAMDetectLib.AdobeAAMDetect)

      /Library/Internet Plug-Ins/AdobePDFViewer.plugin

      (com.adobe.acrobat.pdfviewer)

      /Library/Internet Plug-Ins/CouponPrinter-FireFox_v2.plugin

      (com.coupons.plugin.mozilla-plugin)

      /Library/Internet Plug-Ins/disabled/JavaAppletPlugin.plugin

      (com.oracle.java.JavaAppletPlugin)

      /Library/Internet Plug-Ins/DivXBrowserPlugin.plugin

      (com.divx.DivXBrowserPlugin)

      /Library/Internet Plug-Ins/eMusicRemote.plugin

      (com.emusic.plugins.emp.mac)

      /Library/Internet Plug-Ins/Flash Player.plugin

      (N/A)

      /Library/Internet Plug-Ins/Flip4Mac WMV Plugin.plugin

      (net.telestream.wmv.plugin)

      /Library/Internet Plug-Ins/Google Earth Web Plug-in.plugin

      (com.Google.GoogleEarthPlugin.plugin)

      /Library/Internet Plug-Ins/googletalkbrowserplugin.plugin

      (com.google.googletalkbrowserplugin)

      /Library/Internet Plug-Ins/iPhotoPhotocast.plugin

      (com.apple.plugin.iPhotoPhotocast)

      /Library/Internet Plug-Ins/JavaAppletPlugin.plugin

      (com.oracle.java.JavaAppletPlugin)

      /Library/Internet Plug-Ins/o1dbrowserplugin.plugin

      (com.google.o1dbrowserplugin)

      /Library/Internet Plug-Ins/OfficeLiveBrowserPlugin.plugin

      (com.microsoft.officelive.browserplugin)

      /Library/Internet Plug-Ins/RealPlayer Plugin.plugin

      (com.RealNetworks.RealPlayerPlugin)

      /Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

      (com.microsoft.sharepoint.browserplugin)

      /Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

      (com.microsoft.sharepoint.webkitplugin)

      /Library/Internet Plug-Ins/Silverlight.plugin

      (com.microsoft.SilverlightPlugin)

      /Library/Internet Plug-Ins/SnagitSafariScroller.webplugin

      (com.techsmith.SnagitSafariScroller)

      /Library/Mail/Bundles (Disabled)/UnsubMailPluginMailAppOSX.mailbundle

      (com.unsubscribeinc.UnsubMailPluginMailAppOSX)

      /Library/PreferencePanes/3ivxPrefPane.prefPane

      (com.3ivx.prefpane)

      /Library/PreferencePanes/Carbonite.prefPane

      (com.carbonite.prefpanel)

      /Library/PreferencePanes/Flash Player.prefPane

      (com.adobe.flashplayerpreferences)

      /Library/PreferencePanes/Flip4Mac WMV.prefPane

      (net.telestream.wmv.prefpane)

      /Library/PreferencePanes/JavaControlPanel.prefPane

      (com.oracle.java.JavaControlPanel)

      /Library/PreferencePanes/MacFUSE.prefPane

      (com.google.MacFUSE)

      /Library/PreferencePanes/Perian.prefPane

      (org.perian.PerianPane)

      /Library/PreferencePanes/Tuxera NTFS.prefPane

      (com.tuxera.ntfs.mac.prefpane)

      /Library/QuickTime/AC3MovieImport.component

      (com.cod3r.ac3movieimport)

      /Library/QuickTime/AppleHDVCodec.component

      (com.apple.AppleHDVCodec)

      /Library/QuickTime/DesktopVideoOut.component

      (com.apple.DesktopVideoOut)

      /Library/QuickTime/DivX 6 Decoder.component

      (com.DivXInc.DivXDecoder)

      /Library/QuickTime/DVCPROHDCodec.component

      (com.apple.DVCPROHDCodec)

      /Library/QuickTime/DVCPROHDMuxer.component

      (com.apple.DVCPROHDMuxer)

      /Library/QuickTime/DVCPROHDVideoDigitizer.component

      (com.apple.DVCPROHDVideoDigitizer)

      /Library/QuickTime/DVCPROHDVideoOutput.component

      (com.apple.DVCPROHDVideoOutput)

      /Library/QuickTime/DVCPROHDVideoOutputClock.component

      (com.apple.DVCPROHDVideoOutputClock)

      /Library/QuickTime/DVCPROHDVideoOutputCodec.component

      (com.apple.DVCPROHDVideoOutputCodec)

      /Library/QuickTime/Flip4Mac WMV Advanced.component

      (net.telestream.wmv.advanced)

      /Library/QuickTime/Flip4Mac WMV Export.component

      (net.telestream.wmv.export)

      /Library/QuickTime/Flip4Mac WMV Import.component

      (net.telestream.wmv.import)

      /Library/QuickTime/FLV.component

      (com.theoryllc.FLVComponentBundle)

      /Library/QuickTime/IMXCodec.component

      (com.apple.IMXCodec)

      /Library/QuickTime/LiveType.component

      (com.apple.LiveType.component)

      /Library/QuickTime/Perian.component

      (org.perian.Perian)

      /Library/QuickTime/QTMpeg4Codec.component

      (com.apple.QTMpeg4Codec)

      /Library/ScriptingAdditions/Adobe Unit Types.osax

      (N/A)

      /Library/ScriptingAdditions/SIMBL.osax

      (net.culater.SIMBL.osax)

      /Library/Spotlight/GBSpotlightImporter.mdimporter

      (com.apple.garageband.spotlightimporter)

      /Library/Spotlight/Microsoft Entourage.mdimporter

      (com.microsoft.entourageMDImporter)

      /Library/Widgets/VersionTracker.wdgt

      (com.versiontracker.updates)

      Library/Address Book Plug-Ins/SkypeABDialer.bundle

      (com.skype.skypeabdialer)

      Library/Address Book Plug-Ins/SkypeABSMS.bundle

      (com.skype.skypeabsms)

      Library/Caches/com.apple.Safari/Extensions/1Password.safariextension

      (com.agilebits.onepassword4-safari)

      Library/Caches/com.apple.Safari/Extensions/Disconnect.safariextension

      (me.disconnect.disconnect)

      Library/Caches/com.apple.Safari/Extensions/DoNotTrackMe- Online Privacy Protection.safariextension

      (com.abine.dntpsafari)

      Library/Caches/com.apple.Safari/Extensions/dotdotdot.safariextension

      (com.dotdotdot.importer)

      Library/Caches/com.apple.Safari/Extensions/Omnibar.safariextension

      (com.genieo.safari)

      Library/Internet Plug-Ins/CitrixOnlineWebDeploymentPlugin.plugin

      (com.citrixonline.mac.WebDeploymentPlugin)

      Library/Internet Plug-Ins/EvernoteSafariClipperPlugin.webplugin

      (com.evernote.EvernoteSafariClipperPlugin)

      Library/Internet Plug-Ins/FacebookVideoCalling.bundle

      (com.skype.FacebookVideoCalling)

      Library/Internet Plug-Ins/fbplugin_1_0_3.plugin

      (com.facebook.plugin)

      Library/Internet Plug-Ins/Move-Media-Player.plugin

      (com.movenetworks.movemediaplayer.plugin)

      Library/Internet Plug-Ins/Picasa.plugin

      (com.google.PicasaPlugin)

      Library/iTunes/Mobile Backups/1B925U5V201/Structured

      (N/A)

      Library/PreferencePanes/AkamaiNetSession.prefPane

      (com.yourcompany.AkamaiNetSession)

      Library/PreferencePanes/AkamaiNetSession.prefPane/Contents/Resources

      (com.yourcompany.${PRODUCT_NAME)

      Library/PreferencePanes/handyPrint.prefPane

      (com.netputing.handyPrint)

      Library/Widgets/Hotcards.wdgt

      (com.Hotcards.widget.HotcardsWidget)

      Library/Widgets/HP Ink Widget.wdgt

      (com.hp.widget.inkwidget)

      Library/Widgets/MadLibs 2.wdgt

      (com.tacowidgets.madlibs)

      Library/Widgets/swf_ultimate_lastfm.wdgt

      (org.steinewerfer.widgets.swf_ultimate_lastfm)

    dylibs

      /usr/lib/libgutenprint.2.0.3.dylib
      /usr/lib/libimckit.dylib
      /usr/lib/libopengpulib.1.0.0.dylib
      /usr/lib/libopengpulib.1.0.dylib
      /usr/lib/libopengpulib.1.dylib
      /usr/lib/libopengpulib.dylib
      /usr/lib/openlibraries-0.3.0/openassetlib/lib/libopenassetlib_al.0.dylib
      /usr/lib/openlibraries-0.3.0/openassetlib/lib/libopenassetlib_py.0.dylib
      /usr/lib/openlibraries-0.3.0/openassetlib/plugins/libopenassetlib_filesystem_plugin.0.dylib
      /usr/lib/openlibraries-0.3.0/openassetlib/plugins/libopenassetlib_sqlite3_plugin.0.dylib
      /usr/lib/openlibraries-0.3.0/openeffectslib/lib/libopeneffectslib_fx.0.dylib
      /usr/lib/openlibraries-0.3.0/openeffectslib/plugins/libopeneffectslib_colour_effect.0.dylib
      /usr/lib/openlibraries-0.3.0/openeffectslib/plugins/libopeneffectslib_gpu_kernel.0.dylib
      /usr/lib/openlibraries-0.3.0/openeffectslib/plugins/libopeneffectslib_openimagelib_source.0.dylib
      /usr/lib/openlibraries-0.3.0/openeffectslib/plugins/libopeneffectslib_openmedialib_source.0.dylib
      /usr/lib/openlibraries-0.3.0/openimagelib/lib/libopenimagelib_il.0.dylib
      /usr/lib/openlibraries-0.3.0/openimagelib/lib/libopenimagelib_py.0.dylib
      /usr/lib/openlibraries-0.3.0/openimagelib/plugins/libopenimagelib_3D_lightmap.0.dylib
      /usr/lib/openlibraries-0.3.0/openimagelib/plugins/libopenimagelib_dds.0.dylib
      /usr/lib/openlibraries-0.3.0/openimagelib/plugins/libopenimagelib_exr.0.dylib
      /usr/lib/openlibraries-0.3.0/openimagelib/plugins/libopenimagelib_hdr.0.dylib
      /usr/lib/openlibraries-0.3.0/openimagelib/plugins/libopenimagelib_quicktime.0.dylib
      /usr/lib/openlibraries-0.3.0/openimagelib/plugins/libopenimagelib_sgi.0.dylib
      /usr/lib/openlibraries-0.3.0/openimagelib/plugins/libopenimagelib_tga.0.dylib
      /usr/lib/openlibraries-0.3.0/openmedialib/lib/libopenmedialib_ml.0.dylib
      /usr/lib/openlibraries-0.3.0/openmedialib/plugins/libopenmedialib_avformat.0.dylib
      /usr/lib/openlibraries-0.3.0/openmedialib/plugins/libopenmedialib_glew.0.dylib
      /usr/lib/openlibraries-0.3.0/openmedialib/plugins/libopenmedialib_mlt.0.dylib
      /usr/lib/openlibraries-0.3.0/openmedialib/plugins/libopenmedialib_oil.0.dylib
      /usr/lib/openlibraries-0.3.0/openmedialib/plugins/libopenmedialib_openal.0.dylib
      /usr/lib/openlibraries-0.3.0/openmedialib/plugins/libopenmedialib_template.0.dylib
      /usr/lib/openlibraries-0.3.0/openobjectlib/lib/libopenobjectlib_sg.0.dylib
      /usr/lib/openlibraries-0.3.0/openobjectlib/plugins/libopenobjectlib_3ds.0.dylib
      /usr/lib/openlibraries-0.3.0/openobjectlib/plugins/libopenobjectlib_dae.0.dylib
      /usr/lib/openlibraries-0.3.0/openobjectlib/plugins/libopenobjectlib_obj.0.dylib
      /usr/lib/openlibraries-0.3.0/openobjectlib/plugins/libopenobjectlib_tsto.0.dylib
      /usr/lib/openlibraries-0.3.0/openobjectlib/plugins/libopenobjectlib_x3d.0.dylib
      /usr/lib/openlibraries-0.3.0/openobjectlib/plugins/libopenobjectlib_x3dbz.0.dylib
      /usr/lib/openlibraries-0.3.0/openobjectlib/plugins/libopenobjectlib_x3dz.0.dylib
      /usr/lib/openlibraries-0.3.0/openpluginlib/lib/libopenpluginlib_pl.0.dylib
      /usr/lib/openlibraries-0.3.0/openpluginlib/lib/libopenpluginlib_py.0.dylib

    Login hook

      /Library/StartupItems/DoubleCommand/login.command

    Font issues: 46

    Firewall: On

    DNS: 208.67.222.222 (static)

    Listeners

      launchd: afpovertcp
      kdc: kerberos
      cupsd: ipp
      nfsd: 1023
      rpc.statd: exp1
      rpcbind: sunrpc
      rpc.lockd: 1017
      rpc.rquot: garcon
      AppleFile: afpovertcp

    Restricted files: 938

    Safari extensions

      dotdotdot
      DoNotTrackMe- Online Privacy Protection
      1Password
      Disconnect

    Widgets

      HP Ink Widget

    Elapsed time (s): 21

  • by MrHoffman,

    MrHoffman, Level 6 (15,637 points), Mac OS X
    Jun 22, 2014 7:25 PM in response to rswc90

    Facetime does not enable the camera until after the connection has been authorized.

     

    Something has exposed access into your system.

     

    Passwords are the most obvious, whether re-used or otherwise, or due to passwords shared with others.

     

    Any decent and decently-configured NAT firewall-gateway-router device will (initially) block remote access attempts, even if your passwords have been exposed.  Though there are vulnerable firewall devices around, unfortunately.  AFAIK, the Apple AirPort and Time Capsule devices are secure — unless something within your network — that does not have to be your Mac, for that matter — has opened up remote ingress.  Some other computer connected on your local network can potentially cause problems, for instance.

     

    Back to my Mac can expose remote access, if that's been enabled and if your AppleID password has been compromised.

     

    Local WiFi can also allow remote access from any folks nearby, particularly if that's been insecurely configured.  WPA2 with a long password would be typical here.  (Though there are attacks against WiFi devices running even WPA2 security.)  Selecting WEP or unencrypted access is wide-open access.

     

    If this breach isn't secondary to a firewall vulnerability or due to an exposed password (with access into your system on a deliberately-open port), that would imply that there's something that's been installed that's granted remote users access into your system.  This is the path that a remote user would need — some software foothold running locally, either explicitly and directly installed, or installed as part of a "drive by" download — that foothold would then enable an ingress path in through your firewall device.

     

    All sorts of nasty stuff can be downloaded onto your system from compromised web sites, or from so-called "cracked" software or torrents, or from software that's been downloaded from distribution sites other than the original developer — some sites are adding junk to downloads — or possibly due to drive-by problems due to web browsing from down-revision or vulnerable versions of Oracle Java or Adobe Flash Player, or other vulnerable browser extensions.  There can also be bugs in down-revision software, too.

     

    It's also possible that this software could have been installed locally, by someone with direct physical access to your system.  (Though if they're going after your bank accounts in the fashion described, then whoever this was is probably not among your best friends.)

     

    Figuring out exactly what happened here can take several days of concerted digging and sometimes longer, if nothing obvious turns up.  (The last time I did one of these breach investigations, the immediate access path became fairly obvious, but it took rather longer to determine whether there were likely any "backdoors" that had been left.)  Most folks don't want to pay for this sort of detailed digging, which means the usual recommendations are to reinstall OS X and distributions from known-good distributions, reset and re-secure the firewall or entirely replace it (and replace it immediately, if it's one of the various known-vulnerable models), upgrade all packages to current, and reset all passwords.  Don't transfer over and continue to use applications that were present in your old (breached) environment.  Re-download copies of those from the sources.

     

    I wrote up some notes for OS X Server hacks a while back, and some of that same list is applicable to OS X client hacks.  Some of the stuff there is specific to OS X Server, such as the mail server settings.  But again, figuring out exactly what happened will require direct access into your system, and some concerted digging.  Even then, the source of the attack might not be obvious.

     

    I see that the list has appeared after I've posted this, and it includes Skype, Java, Flash Player (none of which I personally particularly trust) and a whole bunch of other remote stuff, and that you're using cloud backup — if those cloud backups you're using have become accessible to somebody, your passwords can be targeted for brute-force attacks, for instance.  (Adobe Flash Player and Java have definitely been used for attacks, and Skype has had its issues with security.  Adobe Acrobat is showing a large number of failed activations.)  There are a number of other packages installed that I do not recognize.

     

    I'd wipe and re-install this system, and reinstall only what you need, and only from the original sources and not from other sites, and change all passwords, and check and re-secure the firewall.
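
The "Listeners" and "Login hook" sections of the report pasted above are the first things to read when deciding which inbound paths a machine is actually exposing; MrHoffman's reply refers to "a whole bunch of other remote stuff" without itemising it. The script below is an added example written for this thread, not code from the thread or from the tool that produced the report. It parses those two sections (the 4-space header / 6-space entry layout is assumed from the paste) and maps each listener to the sharing feature that normally starts it; that mapping table is an assumption of mine, not something the report states.

```python
"""Triage the "Login hook" and "Listeners" sections of a pasted diagnostic report.

Added example for this thread; it is not part of the thread or of the tool that
produced the report. The section layout (4-space header, 6-space entries) and the
listener-to-sharing-feature table below are assumptions drawn from the paste.
"""
from __future__ import annotations

import re

# Constructed excerpt that mirrors the sections pasted earlier in the thread.
SAMPLE_REPORT = """\
    Login hook

      /Library/StartupItems/DoubleCommand/login.command

    Firewall: On

    DNS: 208.67.222.222 (static)

    Listeners

      launchd: afpovertcp
      kdc: kerberos
      cupsd: ipp
      nfsd: 1023
      rpc.statd: exp1
      rpcbind: sunrpc
      rpc.lockd: 1017
      rpc.rquot: garcon
      AppleFile: afpovertcp

    Restricted files: 938
"""

# Which sharing feature normally starts a listener, keyed by the port name or the
# process name as the report prints it. Assumed mapping; "ssh" and "rfb" are
# included because Remote Login and Screen Sharing are the two the poster toggled.
REMOTE_SERVICE_HINTS = {
    "afpovertcp": "File Sharing (AFP)",
    "ssh": "Remote Login (SSH)",
    "rfb": "Screen Sharing / Remote Management (VNC)",
    "kerberos": "Kerberos KDC",
    "sunrpc": "NFS stack (rpcbind)",
    "nfsd": "NFS stack (nfsd)",
    "rpc.statd": "NFS stack (status/lock daemons)",
    "rpc.lockd": "NFS stack (status/lock daemons)",
    "rpc.rquot": "NFS stack (quota daemon)",
    "ipp": "Printer Sharing (CUPS)",
}
UNCLASSIFIED = "unclassified: identify with `sudo lsof -iTCP -sTCP:LISTEN -P`"

HEADER_RE = re.compile(r"^ {4}(\S.*?)\s*$")      # "    Listeners" or "    Firewall: On"
ENTRY_RE = re.compile(r"^ {6}(\S.*?)\s*$")       # "      kdc: kerberos"
LISTENER_RE = re.compile(r"^(?P<proc>\S+): (?P<port>\S+)$")


def parse_sections(report: str) -> dict[str, list[str]]:
    """Group entries under the most recent header; "Key: value" headers become
    one-entry sections so Firewall, DNS and Restricted files are reachable too."""
    sections: dict[str, list[str]] = {}
    current: str | None = None
    for line in report.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            if current is not None:
                sections[current].append(entry.group(1))
            continue
        header = HEADER_RE.match(line)
        if not header:
            continue                                # blank or unexpected line
        title = header.group(1)
        if ": " in title:
            key, value = title.split(": ", 1)
            sections[key] = [value]
            current = None
        else:
            current = title
            sections.setdefault(current, [])
    return sections


def classify_listeners(sections: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Return (process, port, implied feature) for each Listeners entry."""
    result = []
    for entry in sections.get("Listeners", []):
        m = LISTENER_RE.match(entry)
        if not m:
            continue
        proc, port = m.group("proc"), m.group("port")
        hint = REMOTE_SERVICE_HINTS.get(port) or REMOTE_SERVICE_HINTS.get(proc) or UNCLASSIFIED
        result.append((proc, port, hint))
    return result


def triage(report: str) -> dict:
    """Summarise what the report says about inbound exposure and login-time code."""
    sections = parse_sections(report)
    listeners = classify_listeners(sections)
    return {
        "firewall": sections.get("Firewall", ["unknown"])[0],
        "login_hooks": sections.get("Login hook", []),
        "listeners": listeners,
        "exposed_features": sorted({h for _, _, h in listeners if h != UNCLASSIFIED}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("Firewall:", summary["firewall"])
    for hook in summary["login_hooks"]:
        print("Login hook (runs at every login; check its owner and contents):", hook)
    for proc, port, hint in summary["listeners"]:
        print(f"{proc:<10} {port:<12} {hint}")
    print("Sharing features implied:", ", ".join(summary["exposed_features"]))
```

Run against the pasted sections, the output shows no ssh or rfb listener, which matches the poster having unchecked Remote Login and Screen Sharing, but AFP File Sharing, the whole NFS daemon set and a Kerberos KDC are still accepting connections, and a login hook under /Library/StartupItems runs at every login. Those are the items to reconcile against what the owner actually turned on in System Preferences > Sharing before trusting the machine again.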

  • by Loner T,

    Loner T, Level 7 (24,409 points), Safari
    Jun 22, 2014 7:14 PM in response to rswc90

    Is your account tied to a Network Directory? Corporate devices usually get tied to such and anyone hacking into Corporate now has remote Admin rights to your machine.

     

    Did you ever disable the Guest account? The Public Dropbox is another thing to check.

     

    If you have Time Machine backups, you can pinpoint the date/time of "Mrs Tester" being added, because it would appear in the backup (if the hacker did not change your TM configuration). Console logs can also be helpful. It is also possible the OpenSSL issues (Heartbleed and other associated ones) could have been exploited.

  • by John Galt,

    John Galt, Level 8 (49,777 points), Mac OS X
    Jun 22, 2014 7:24 PM in response to rswc90

    Are you aware that bugs in Google Chrome and Google Talk can be exploited to eavesdrop on your private conversations, translate speech to text, and subsequently upload it to some remote site? Your original concern was that your private information has been exploited, and yet you continue to use Google?

     

    If you are concerned about privacy, avoid Chrome. Avoid Google altogether. Use none of Google's products.

     

    That Mac has problems, lots of them. My earlier recommendation to erase and reconfigure it is even more justified.

  • by Loner T,

    Loner T, Level 7 (24,409 points), Safari
    Jun 22, 2014 7:26 PM in response to John Galt

    Passwords saved in Safari can be seen in cleartext using Admin privileges and Keychain.
