Hacking ... Any help or suggestions


Hi, I have been going through a nightmare experience with my ex-husband and he has been hacking my computer for 1 1/2 years. I have all the IP addresses from the Comcast legal department and tried to take him to court but because the IPs were not authenticated and he had hacked back into my computer and deleted vital evidence (his attorney delayed the hearing to obtain "information" for the case). I have gone to the DA and Tennessee does not understand their laws on computer hacking. Apple and local Mac stores have told me to sell all of my Apple products and I have, except my MacBook Air, because I cannot afford to replace the computer at this time. The Secret Service wants me to fax all of my evidence but we are talking about a terabyte of proof. I have become pretty familiar with Terminal commands and the Console and I have completely wiped my computer over 7 times (as if it was new) without adding anything back. Even when I wipe the software and make myself the admin with root user privileges he still has the "super" root control. When I try to use certain commands that require a root password I am not allowed to log in and the password appears to be 1 character. I also do not have access to certain folders even when I add my privileges and make myself the owner of the folder.

I am trying to figure out what I can send to the Secret Service to start the investigation besides the IP addresses. I still do not know how he is still able to access the computer after clean installs and changing Internet providers. I now only use it when I absolutely have to because of certain limitations of my iPad. MacAuthority offered to purchase the computer but I don't want to lose any evidence even though I have all the backups on an external hard drive. Has anyone had to go through something like this? Any help and suggestions would be great. The authorities are making prosecution extremely hard and I cannot afford an attorney.

Any suggestions or advice would be appreciated.

MacBook Air, OS X Yosemite (10.10.4)

Posted on Aug 15, 2015 7:23 PM

19 replies

Aug 15, 2015 7:37 PM in response to kennade

I think you need to slow down, take a step back and listen to people who want to help.

Example:

Even when I wipe the software and make myself the admin with root user privileges he still has the "super" root control.

This is not possible without physical (hands-on) access to the computer. Does he still have your house keys?


Maybe you need to explain what you mean by "wiping" the software? Are you re-installing something he created? Or, using an installer from Apple?

Aug 16, 2015 2:10 AM in response to kennade

Send them your system logs, and keep a full image of your hdd in case it's needed. However, if your attacker is any good, there probably won't be any evidence left on your machine.

If the attack happened over the internet, also ask your ISP to provide network logs.


Then in order to make sure it doesn't happen again:

1. Wipe your hdd completely so you can be sure there is nothing left from the intrusion. By completely I mean something like dd if=/dev/zero of=/dev/diskX, not just formatting your OS X partition. Or if you don't want to wait for a full zeroing out, at the very least delete all partitions (including the hidden ones like the esp and the recovery partition). Then reinstall OS X. Note that since you wiped the recovery partition, you will have to use either an install disk or internet recovery.

2. Use a strong password that no one can guess, don't tell it to anyone, and don't reuse it for anything else (especially if you use bootcamp, don't use the same password in windows and OS X). Most of the time when you get hacked into, the attacker either knew a password, guessed it successfully, or obtained it via social engineering.

3. Use filevault and/or make sure no one can access the computer physically. It is very easy to hack into an unencrypted computer you have physical access to. Try it now: just press cmd-S on boot and you have a root shell. Note however that filevault can't prevent all attacks, it just makes them harder and more importantly protects your data - as long as you do not enter your password after your computer has been compromised.

4. Be careful about what you run. Never run an application coming from an untrusted source, especially if it's not signed. More importantly, never run anything you don't fully trust as root.
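One way to make saved logs and a disk image checkable later, following the advice above to send system logs and keep a full image (an added example, not part of the reply; the file names and contents are constructed): record a SHA-256 for every file when the copy is made, keep that manifest somewhere other than the evidence folder, and re-verify before handing the copy to anyone.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB pieces so a multi-GB disk image never sits in RAM


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir):
    """Record relative path, size and SHA-256 for every file under evidence_dir."""
    entries = []
    for root, dirs, files in os.walk(evidence_dir):
        dirs.sort()  # deterministic walk order
        for name in sorted(files):
            full = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(full, evidence_dir),
                "bytes": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    return {
        "created_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return sorted (path, problem) pairs for anything that no longer matches."""
    problems = []
    recorded = set()
    for entry in manifest["files"]:
        recorded.add(entry["path"])
        full = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(full):
            problems.append((entry["path"], "missing"))
        elif sha256_file(full) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    # Files that appeared after the manifest was written are also worth flagging.
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            if rel not in recorded:
                problems.append((rel, "not in manifest"))
    return sorted(problems)


def demo():
    """Build a manifest over constructed files, then alter the folder and re-check."""
    with tempfile.TemporaryDirectory() as evidence:
        # Constructed stand-ins for a saved system log and a disk image.
        with open(os.path.join(evidence, "system.log"), "w") as fh:
            fh.write("constructed log line 1\nconstructed log line 2\n")
        with open(os.path.join(evidence, "disk.img"), "wb") as fh:
            fh.write(b"\x00" * 4096)

        manifest = build_manifest(evidence)  # store this outside the evidence folder
        clean = verify_manifest(evidence, manifest)

        # Simulate a later change: one file edited, one file added.
        with open(os.path.join(evidence, "system.log"), "a") as fh:
            fh.write("line appended after collection\n")
        with open(os.path.join(evidence, "extra.txt"), "w") as fh:
            fh.write("added later\n")
        tampered = verify_manifest(evidence, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("right after collection:", clean)
    print("after later changes:   ", tampered)
```
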

Aug 18, 2015 11:02 AM in response to Arthur Speer

Thanks for all the responses and sorry it has taken a few days to respond (I work as a flight attendant) and was having a hard time logging into the discussion site on the hotel Wi-Fi. When I do a clean erase I copy the whole hard drive to an external hard drive (not using Time Capsule). I then erase the hard drive on the computer via First Aid and do a clean install via the Internet because I have a MacBook Air.

The past 2 times I have not logged in to my email addresses or Apple ID. He has hijacked my Apple ID that I have had since the beginning of iTunes but Apple has assured me that he cannot use it now but they have saved the account for legal purposes if needed.

I see a lot of netbios, hidd, sharingd, Apple camera activation/FaceTime in Console (duct tape has been over the lens for a long time and I have never used FaceTime), Apple remote services. When I run netstat, netbios-ns and netbios-dgm and localhost.ntp show up. I cannot run any root commands needing a password even though I have made myself the admin and have set up root privileges with a password.

When I run w it shows 2 users, and the Activity Monitor shows a lot of process names that are run by the root user.

I also see my computer name.local and Dropbox is always activated during startup even after I have tried to trash the program.

I currently do not have Internet and tether my computer when needed but the Wi-Fi has started giving me problems (self-assigned IP address) and I plan on doing another HD save and new install. I am also trying to save all Console messages this time.

This will be the 7th HD save on my external HD. Are there any files on the other HD saves where I can access Console logs? Before I knew what was really going on I had some messages about screen sharing. I have had all remote and sharing privileges disconnected for months and guest access disabled but on bootup it shows me, guest and other for users.

There are a lot of files that I cannot access even when I assign myself to be able to read and write the file and the owner. This is only skimming the surface. He attended school for robotic engineering (never finished) but was always an expert on setting up computer systems and gave me this computer as a gift.

He is a Windows user and also a sociopath. I was hoping that all of this would stop after the divorce and that was over 1 year ago. To make things even messier, I am the sponsor of his green card (this doesn't change with divorce) and I am afraid of retaliation when I turn in everything. (He made the divorce impossible, trying to destroy me in the process.)

There is a lot more to the story that is not computer related but I am trying to collect all the evidence on everything and send it off to all departments at the same time. This has made me a paranoid mess and at the point of not knowing if he is still accessing my computer and/or if I have somehow contaminated my new iPhone or iPad even though I only use the G4 services but do use it sometimes to tether my computer. Sorry for such a long detailed post. Genius Bar is no help and I can only find Windows forensic experts.

Aug 18, 2015 11:25 AM in response to kennade

Replace the drive, do not destroy it, do not destroy the data. Get the drive out, put a new drive in and set up the OS, keep the old drive in a static-free bag and hang on to it. If you go to court later you will need evidence and a blank drive is not going to be useful to anyone, not even a data forensics expert who will charge you several hundred dollars at the very least with no guarantee the data can be recovered in the event the court needs it to determine what the extent of activity took place. You don't make an accusation based on evidence you destroyed, that can easily cost you the entire case.

Aug 18, 2015 11:29 AM in response to kennade

What is your actual aim?


If you want evidence stop erasing & reinstalling - sorry you just have to accept that you are destroying evidence if you continue to use this machine & try to reset it. There is a good chance that you have ended his remote access (if you have erased & installed correctly), now you may just be chasing things that do not exist.


If you want to reset the Mac you have to follow a very specific set of steps…

You cannot boot from recovery mode, only Internet recovery or a USB installer will allow you to erase the ENTIRE disk. Recovery mode only allows you to erase the system partition.


Many of the things you describe may be normal…

Console does log FaceTime, hidd & all other processes, seeing them in messages is a sign they are running but it doesn't mean anything else.

The 'w' command will list your login session & the 'Terminal' session, multiple users in the list can be normal.

root is the system user. It is normal that many processes run in that user.

Guest access seems to be on by default from my limited tests.

System files should not be accessible to regular users - if you change the wrong permissions you will end up with an unbootable Mac. Editing permissions also makes your Mac less secure.




The only thing that sounds abnormal is Dropbox. If you really have correctly erased & installed OS X then Dropbox will not be installed. If you restored from a backup or migrated old data there is a chance that you restored the remote access.

Aug 18, 2015 3:19 PM in response to Drew Reece

Thanks again everyone. I am leaving the computer as is and not using it. I was hoping that saving the whole HD systems from the past to an external drive would not destroy evidence. I have saved the whole complete hard drive systems and also have some printouts, screenshots etc. I have also backed up evidence on different flash drives. If I can show enough evidence to the FBI and Secret Service then they will do all the forensic work. Also since he has a green card and I am a flight attendant he has had access to my electronic manual that has confidential (and prosecutable) security information protected by Homeland Security. I spoke to a supervisor and they said the company IT department will also back me on charges. I believe this last backup has closed him out. I can see netbios and VPN trying to connect but being denied. We also had an old Mac mini we used as a home theater and he has been trying to reset the Apple ID password to that computer (it is unplugged so it should have a lot of last years but data/proof) but the password reset is being sent to my email. Thank you everyone for all the advice. I know I am about to open a can of worms and cannot afford an attorney right now so I am hoping the federal hacking/cyberstalking laws will help me.

Aug 18, 2015 3:50 PM in response to kennade

Good luck with it.


If you have control of the Apple ID & have a safe iOS device you should enable 2 step authentication on the account. Other services can also have similar features that make it harder for another person to edit the account details, especially if that person may know the password reset security questions like mother's maiden name, date of birth etc.

Frequently asked questions about two-step verification for Apple ID - Apple Support


It does make accounts a little harder to manage, but the extra protection is probably worth it.

Aug 21, 2015 12:34 PM in response to kennade

If you remove the HD from the Mac you can put it in an external enclosure. If in the event any court allows him to have the computer back you still have the hard drive as evidence and it can be reconnected to any Mac computer and read in its present form.

Also you do not need the FBI for data forensics, there are a number of private companies who specialize in this.

Sep 6, 2015 9:19 AM in response to kennade

Oh my goodness, I'm going through nearly exactly the same thing with my ex fiancé - although it's only been since April 2015. Please keep me updated on how you get on. I was living in Thailand and had to flee to the UK with my baby and I'm still being hacked on brand new devices including my iPhone 6 and brand new 13 inch MBPro only purchased 2 weeks ago from Apple in London.


I have the same console messages and he knows things that I've spoken about on the phone to my family, my camera is covered and apart from keeping my Mac going to gain evidence I don't really know what else to do. My Samsung S6 Edge was also hacked, all my apps were immediately "updated" and my permissions 3 times longer than everyone else's. Google said "This is no reflection on us, we can't see any problem", covering their own ***** obviously. They said it's "normal" for Google Maps to have permissions to film, take photos and record your voice without your permission and to send, receive and edit SMS messages and even delete them without my knowledge even if it costs me money.


As far as my Apple products, I now do not use Facebook, Gmail or Dropbox with any of my Apple machines as that alerted him to which machine I'm using. I know how you are feeling, you just want to STOP the hacking once and for all but it seems impossible and no one seems able to help, if someone really really wants to hack you - they will eventually. My ex knows where I am and what I'm doing at all times even though I'm in a remote location with just my family.


Please let me know how you get on and if I find out anything to help I'll let you know too.


Best wishes


Bella x

Sep 6, 2015 12:44 PM in response to >BellaBella<

If any of what you say is true it is illegal under UK law, and international law. Contact the police if you have sufficient evidence you may be able to build a case & get legal help etc.

What actual evidence of the attacks do you have? It may be that one device or even service (like your email account) is giving all the info he needs to convince you of an attack. Having messages appear in Console is not a sign of an attack, it may be a normal part of the OS. It seems unlikely that iOS can be compromised in the ways you say, there are many security features that prevent hacks like this.

Have Apple looked at any of the Apple devices? They may be able to see things you could have overlooked, like remote access apps that could have been installed if you migrated data from an older Mac, there is potential for that to bring in apps that he could have access to. They can also talk you through the security features of iOS or your Apple account to help you better secure an account.

Have you changed all your online account passwords since leaving him? Have you also altered any password reset questions or enabled 2 factor authentication on any of the online accounts - he may be able to see certain accounts if he knows your date of birth, mother's maiden name, place of birth or any of the other common password reset questions. You need to remove every potential backdoor into your accounts.

You may also want to investigate the advanced settings on all your online accounts - some can notify you when a new login happens from an unknown device etc. It may give you indications of any accounts that are being abused by him. You should also remove any registered devices that you do not recognise from the accounts.

Also how has he told you things that prove he has hacked you? That will be evidence for a legal case.

The other advice here about removing disks may also help with Macs, you could allow the police to check the disk if you preserve the evidence.


Another thing to consider is… is it possible that he is simply talking to a family member or friend to get enough info to convince you that he has access to your devices, it may be that he is bluffing & knows less than you are assuming.


P.S. If you do not like Google Maps permissions you could try uninstalling it. The permissions are listed on the play store - your device should match up with those listed.

https://play.google.com/store/apps/details?id=com.google.android.apps.maps (permissions link is near the bottom).

Automatic app updates may also be normal on Android, depending on how you have the device configured.

Sep 7, 2015 2:44 AM in response to Drew Reece

Hi Drew,


Thank you for such a lengthy and detailed reply. I wish it was as easy as you say.


To explain, the hacker that is helping my ex did indeed have access to my 2 MacBook Pros and MacBook Air as he ‘fixes’ Apple products on the island. So at one point or another he had each of my laptops in his house for a few days.


He changed my iCloud passwords and used them to change the masterkeychain on my computers so when things weren’t working properly and I tried to wipe the disks and encrypt them, I couldn’t and he in fact wiped my laptops so nothing was left but a blank white screen. It was very easy for him to gain access to my other devices as my ex knew how to enter my house uninvited. They even managed to hack a brand new MacBook Pro that had been sitting in the factory sealed box for a few days (via serial numbers I’m assuming?). All those machines are still in Thailand, the only one I brought back was the iPhone 6 and that’s been wiped several times also.


So yes as you say my old accounts cannot be touched anymore (I’ve managed to save my baby’s photos etc off them). However since coming to the UK I’ve created more Facebook accounts in random names and email addresses, however he still manages to find me (I’m assuming he’s hacked my family’s router in order to do this, we have another one being installed next week), not to mention many people have commented on strange beeps and noises when I’m talking to them on the phone so I’m relatively certain some bugging has been going on. There’s soooo much more but too much to write.


There’s a very long detailed story that surrounds this hacking which was supposed to end in my death and my ex and his sidekick hacker getting a nice big payout - that didn’t happen and I managed to escape to England. However they are both obviously concerned about my talking to the police and want to know my movements and who I’m speaking to etc. Meaning it’s very hard for me to make plans for the future (without using a phone or email).


I’m under police protection here and as I said, I’m using my devices and letting him hack me for evidence sake although it’s extremely annoying. I don’t speak to anyone outside my family as far as where I am and what I’m doing and only use Proton Mail for discussing my businesses (I have 3 businesses over there that I still have to run) with staff etc. Needless to say none of my family are huge fans of his and certainly wouldn’t be giving him information, so unless he has my Proton mail account (which is fairly new) I don’t know how he’s doing this.


My new MacBook Pro is secured under Firewall and FileVault but was set up using the family home router. I also use Avast but one of the messages in Console spoke of Avast scanning changed to contacts only. I’m also now using Little Snitch but as I’m not always sure if something is ok or not I don’t know what to authorize or not authorize.


In fact, here are some Console messages, if you don’t mind, I’d really appreciate it if you could let me know if you see anything dodgy as I’ve learnt a lot but I’m still not great on the geeky side of things. Maybe I’m just being a bit paranoid because of everything that’s happened.


However I should say that I’ve never switched on Bluetooth once, nor used Thunderbolt in the two weeks I’ve had the machine. Or used the camera. However it asks me for my FaceTime password and to re-enter my iCloud password regularly, to which I don’t respond.


05/09/2015 11:11:51.000 kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340

05/09/2015 11:11:51.000 kernel[0]: AppleThunderboltNHIType2::waitForOk2Go2Sx - retries = 13

05/09/2015 11:11:51.931 discoveryd[75]: Basic DNSResolver UDNS Send(): UDP Sendto() failed to DNSNameServer 208.67.222.222 Port 53 errno 50, fd 68, ErrLogCount 4 ResolverIntf:0

05/09/2015 11:11:51.931 discoveryd[75]: Basic DNSResolver UDNS Send(): UDP Sendto() failed to DNSNameServer 208.67.222.222 Port 53 errno 50, fd 68, ErrLogCount 5 ResolverIntf:0

05/09/2015 11:11:51.931 discoveryd[75]: Basic DNSResolver UDNS Send(): UDP Sendto() failed to DNSNameServer 208.67.222.222 Port 53 errno 50, fd 68, ErrLogCount 6 ResolverIntf:0

05/09/2015 11:16:48.000 kernel[0]: Wake reason: EC.LidOpen (User)

05/09/2015 11:16:48.000 kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000320

05/09/2015 11:16:48.000 kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340

05/09/2015 11:16:48.000 kernel[0]: AppleCamIn::wakeEventHandlerThread

05/09/2015 11:16:48.002 watchdogd[482]: [watchdog_daemon] @( pm_callback) - ref=0x0 msg_type=0xe0000320 msg=0x0

05/09/2015 11:16:48.000 kernel[0]: Previous sleep cause: 5

05/09/2015 11:16:48.009 discoveryd[75]: Basic DNSResolver UDNSServer:: PowerState is FullWake

05/09/2015 11:16:48.000 kernel[0]: AppleThunderboltNHIType2::prePCIWake - power up complete - took 62641 us

05/09/2015 11:16:48.000 kernel[0]: AppleThunderboltGenericHAL::earlyWake - complete - took 16 milliseconds

05/09/2015 11:16:48.121 identityservicesd[324]: <IMMacNotificationCenterManager: 0x7fc6f8e24e30>: notification observer: com.apple.iChat notification: __CFNotification 0x7fc6f8d31550 {name = _NSDoNotDisturbDisabledNotification}

05/09/2015 11:16:48.121 imagent[360]: <IMMacNotificationCenterManager: 0x7fe86af0db90>: notification observer: com.apple.FaceTime notification: __CFNotification 0x7fe86ae37520 {name = _NSDoNotDisturbDisabledNotification}

05/09/2015 11:16:48.146 identityservicesd[324]: <IMMacNotificationCenterManager: 0x7fc6f8e24e30>: NC Disabled: NO

05/09/2015 11:16:48.146 imagent[360]: <IMMacNotificationCenterManager: 0x7fe86af0db90>: NC Disabled: NO

05/09/2015 11:16:48.156 imagent[360]: <IMMacNotificationCenterManager: 0x7fe86af0db90>: DND Enabled: NO

05/09/2015 11:16:48.156 identityservicesd[324]: <IMMacNotificationCenterManager: 0x7fc6f8e24e30>: DND Enabled: NO

05/09/2015 11:16:48.156 imagent[360]: <IMMacNotificationCenterManager: 0x7fe86af0db90>: Updating enabled: YES (Topics: (

"com.apple.ess",

"com.apple.private.ac"

))

05/09/2015 11:16:48.157 identityservicesd[324]: <IMMacNotificationCenterManager: 0x7fc6f8e24e30>: Updating enabled: YES (Topics: (

"com.apple.private.alloy.icloudpairing",

"com.apple.private.alloy.continuity.encryption",

"com.apple.private.alloy.continuity.activity",

"com.apple.private.alloy.idstransfers",

"com.apple.private.ids",

"com.apple.private.alloy.phonecontinuity",

"com.apple.ess",

"com.apple.madrid",

"com.apple.private.alloy.continuity.auth",

"com.apple.private.ac",

"com.apple.private.alloy.idsremoteurlconnection",

"com.apple.private.alloy.sms",

"com.apple.private.alloy.screensharing",

"com.apple.private.alloy.maps",

"com.apple.private.alloy.callhistorysync",

"com.apple.private.alloy.continuity.tethering"

05/09/2015 14:18:47.438 discoveryd[75]: Basic DNSResolver UDNSServer:: PowerState is DarkWake

05/09/2015 14:18:47.437 coreaudiod[297]: 2015-09-05 02:18:47.436605 PM [AirPlay] BTLE client stopping to browse for AirPlay Solo Target Presence.

05/09/2015 14:18:47.440 coreaudiod[297]: 2015-09-05 02:18:47.440175 PM [AirPlay] BTLE discovery removing all devices

05/09/2015 14:18:47.442 coreaudiod[297]: 2015-09-05 02:18:47.442172 PM [AirPlay] BTLE client stopped to browse for AirPlay Solo Target Presence.

05/09/2015 14:18:47.456 netbiosd[673]: network_reachability_changed : network is not reachable, netbiosd is shutting down

05/09/2015 14:18:47.000 kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340

05/09/2015 14:18:47.552 identityservicesd[324]: <IMMacNotificationCenterManager: 0x7f9391e28750>: notification observer: com.apple.iChat notification: __CFNotification 0x7f9391f34dc0 {name = _NSDoNotDisturbEnabledNotification}

05/09/2015 14:18:47.565 imagent[351]: <IMMacNotificationCenterManager: 0x7fa38bc2a4f0>: NC Disabled: NO

05/09/2015 14:18:47.572 identityservicesd[324]: <IMMacNotificationCenterManager: 0x7f9391e28750>: DND Enabled: YES

05/09/2015 14:18:47.572 imagent[351]: <IMMacNotificationCenterManager: 0x7fa38bc2a4f0>: DND Enabled: YES

05/09/2015 14:18:47.572 imagent[351]: <IMMacNotificationCenterManager: 0x7fa38bc2a4f0>: Updating enabled: NO (Topics: (

))

05/09/2015 14:18:47.572 identityservicesd[324]: <IMMacNotificationCenterManager: 0x7f9391e28750>: Updating enabled: NO (Topics: (

))

05/09/2015 14:18:48.000 kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340

05/09/2015 14:18:48.497 WindowServer[222]: device_generate_desktop_screenshot: authw 0x7fc9db468e70(2000), shield 0x7fc9db6465d0(2001)

05/09/2015 14:18:48.609 WindowServer[222]: device_generate_lock_screen_screenshot: authw 0x7fc9db468e70(2000)[0, 0, 1280, 800] shield 0x7fc9db6465d0(2001), dev [1280,800]

05/09/2015 14:18:54.868 loginwindow[92]: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.

05/09/2015 14:19:09.295 discoveryd[75]: Basic BTMMServer Sleep offload failed. Start deregistering

05/09/2015 14:19:09.297 airportd[51]: _configureScanOffloadParameters: Unable to configure scan offloading on en0 (Device power is off)

05/09/2015 14:19:12.000 kernel[0]: PM response took 3130 ms (47, powerd)

06/09/2015 04:47:06.000 kernel[0]: ARPT: 13805.962464: AirPort_Brcm43xx::checkInterfacePowerState: Check _pwrOffThreadCall!

06/09/2015 04:47:06.000 kernel[0]: AppleCamIn::systemWakeCall - messageType = 0xE0000340

06/09/2015 04:47:06.000 kernel[0]: AppleCamIn::wakeEventHandlerThread

06/09/2015 04:47:06.000 kernel[0]: AppleDeviceManagementHIDEventService::processWakeReason Wake reason: Host (0x01)

06/09/2015 04:47:06.000 kernel[0]: IOBluetoothUSBDFU::probe

06/09/2015 04:47:06.000 kernel[0]: IOBluetoothUSBDFU::probe ProductID - 0x8290 FirmwareVersion - 0x0090

06/09/2015 04:47:06.000 kernel[0]: **** [IOBluetoothHostControllerUSBTransport][start] -- completed -- result = TRUE -- 0x7800 ****

06/09/2015 04:47:06.000 kernel[0]: **** [BroadcomBluetoothHostControllerUSBTransport][start] -- Completed (matched on Device) -- 0x7800 ****

06/09/2015 04:47:06.000 kernel[0]: [IOBluetoothHCIController][staticBluetoothTransportShowsUp] -- Received Bluetooth Controller register service notification -- 0x7800

06/09/2015 04:47:06.000 kernel[0]: [IOBluetoothHCIController::setConfigState] calling registerService

06/09/2015 04:47:06.000 kernel[0]: **** [IOBluetoothHCIController][ProcessBluetoothTransportShowsUpActionWL] -- Connected to the transport successfully -- 0x2980 -- 0x7800 -- 0x7800 ****

06/09/2015 04:47:06.290 UserEventAgent[38]: assertion failed: 14D136: com.apple.telemetry + 32079 [739305C7-0487-39C4-A5A2-AFB07A1BBC9F]: 0x7f9140d333b0


Thanks for any help / advice, it’s really appreciated.


Bella

Sep 7, 2015 3:58 AM in response to kennade

These are the SharingD messages only:


06/09/2015 21:25:32.561 sharingd[326]: 21:25:32.561 : Discoverable mode changed to Contacts Only

06/09/2015 21:25:32.561 sharingd[326]: 21:25:32.561 : BTLE scanning started

06/09/2015 21:25:32.561 sharingd[326]: 21:25:32.561 : Scanning mode Contacts Only

06/09/2015 21:25:32.563 sharingd[326]: 21:25:32.562 : BTLE scanner Powered On

06/09/2015 21:37:12.494 sharingd[326]: 21:37:12.494 : BTLE scanner Powered Off

06/09/2015 21:37:12.565 sharingd[326]: 21:37:12.564 : Discoverable mode changed to Off

06/09/2015 21:37:12.565 sharingd[326]: 21:37:12.564 : BTLE scanning stopped

06/09/2015 21:43:36.443 sharingd[326]: 21:43:36.442 : Discoverable mode changed to Contacts Only

06/09/2015 21:43:36.443 sharingd[326]: 21:43:36.443 : BTLE scanning started

06/09/2015 21:43:36.443 sharingd[326]: 21:43:36.443 : Scanning mode Contacts Only

06/09/2015 21:43:36.466 sharingd[326]: 21:43:36.465 : BTLE scanner Powered Off

06/09/2015 21:43:36.695 sharingd[326]: 21:43:36.695 : Starting AirDrop server for user 501 on wake

06/09/2015 21:43:36.695 sharingd[326]: 21:43:36.695 : Scanning mode Contacts Only

06/09/2015 21:43:36.802 sharingd[326]: 21:43:36.802 : BTLE scanner Powered On

06/09/2015 21:51:31.324 sharingd[326]: 21:51:31.324 : Discoverable mode changed to Off

06/09/2015 21:51:31.325 sharingd[326]: 21:51:31.324 : BTLE scanning stopped

06/09/2015 22:57:59.720 sharingd[326]: 22:57:59.720 : Starting AirDrop server for user 501 on wake

07/09/2015 07:49:31.240 sharingd[326]: 07:49:31.239 : Starting AirDrop server for user 501 on wake

07/09/2015 07:59:57.643 sharingd[326]: 07:59:57.642 : Starting AirDrop server for user 501 on wake

07/09/2015 08:59:07.644 sharingd[326]: 08:59:07.644 : Starting AirDrop server for user 501 on wake

07/09/2015 08:59:43.517 sharingd[326]: 08:59:43.516 : Discoverable mode changed to Contacts Only

07/09/2015 08:59:43.517 sharingd[326]: 08:59:43.516 : BTLE scanning started

07/09/2015 08:59:43.517 sharingd[326]: 08:59:43.517 : Scanning mode Contacts Only

07/09/2015 08:59:43.518 sharingd[326]: 08:59:43.518 : BTLE scanner Powered On

07/09/2015 09:08:10.527 sharingd[326]: 09:08:10.527 : BTLE scanner Powered Off

07/09/2015 09:08:29.270 sharingd[326]: 09:08:29.270 : Discoverable mode changed to Off

07/09/2015 09:08:29.270 sharingd[326]: 09:08:29.270 : BTLE scanning stopped

07/09/2015 09:16:34.439 sharingd[326]: 09:16:34.438 : Discoverable mode changed to Contacts Only

07/09/2015 09:16:34.439 sharingd[326]: 09:16:34.438 : BTLE scanning started

07/09/2015 09:16:34.439 sharingd[326]: 09:16:34.438 : Scanning mode Contacts Only

07/09/2015 09:16:34.440 sharingd[326]: 09:16:34.440 : BTLE scanner Powered Off

07/09/2015 09:16:34.649 sharingd[326]: 09:16:34.648 : Starting AirDrop server for user 501 on wake

07/09/2015 09:16:34.649 sharingd[326]: 09:16:34.648 : Scanning mode Contacts Only

07/09/2015 09:16:34.821 sharingd[326]: 09:16:34.821 : BTLE scanner Powered On

07/09/2015 09:22:43.857 sharingd[326]: 09:22:43.857 : BTLE scanner Powered Off

07/09/2015 09:23:02.690 sharingd[326]: 09:23:02.690 : Discoverable mode changed to Off

07/09/2015 09:23:02.690 sharingd[326]: 09:23:02.690 : BTLE scanning stopped

07/09/2015 09:26:22.436 sharingd[326]: 09:26:22.436 : Discoverable mode changed to Contacts Only

07/09/2015 09:26:22.437 sharingd[326]: 09:26:22.436 : BTLE scanning started

07/09/2015 09:26:22.437 sharingd[326]: 09:26:22.436 : Scanning mode Contacts Only

07/09/2015 09:26:22.438 sharingd[326]: 09:26:22.437 : BTLE scanner Powered Off

07/09/2015 09:26:22.761 sharingd[326]: 09:26:22.761 : Starting AirDrop server for user 501 on wake

07/09/2015 09:26:22.762 sharingd[326]: 09:26:22.761 : Scanning mode Contacts Only

07/09/2015 09:26:22.804 sharingd[326]: 09:26:22.804 : BTLE scanner Powered On

07/09/2015 09:32:36.510 sharingd[326]: 09:32:36.509 : BTLE scanner Powered Off

07/09/2015 09:32:46.176 sharingd[326]: 09:32:46.175 : Starting AirDrop server for user 501 on wake

07/09/2015 09:32:46.176 sharingd[326]: 09:32:46.176 : Scanning mode Contacts Only

07/09/2015 09:32:46.234 sharingd[326]: 09:32:46.234 : BTLE scanner Powered On

07/09/2015 09:33:49.260 sharingd[326]: 09:33:49.259 : BTLE scanner Powered Off

07/09/2015 09:33:49.316 sharingd[326]: 09:33:49.315 : Discoverable mode changed to Off

07/09/2015 09:33:49.316 sharingd[326]: 09:33:49.315 : BTLE scanning stopped

07/09/2015 09:48:11.437 sharingd[326]: 09:48:11.437 : Discoverable mode changed to Contacts Only

07/09/2015 09:48:11.437 sharingd[326]: 09:48:11.437 : BTLE scanning started

07/09/2015 09:48:11.438 sharingd[326]: 09:48:11.437 : Scanning mode Contacts Only

07/09/2015 09:48:11.455 sharingd[326]: 09:48:11.454 : BTLE scanner Powered Off

07/09/2015 09:48:11.663 sharingd[326]: 09:48:11.663 : Starting AirDrop server for user 501 on wake

07/09/2015 09:48:11.664 sharingd[326]: 09:48:11.663 : Scanning mode Contacts Only

07/09/2015 09:48:12.621 sharingd[326]: 09:48:12.620 : BTLE scanner Powered On

07/09/2015 09:57:13.979 sharingd[326]: 09:57:13.978 : Discoverable mode changed to Off

07/09/2015 09:57:13.979 sharingd[326]: 09:57:13.979 : BTLE scanning stopped

07/09/2015 10:36:51.672 sharingd[326]: 10:36:51.672 : Starting AirDrop server for user 501 on wake

07/09/2015 10:42:36.716 sharingd[326]: 10:42:36.715 : Discoverable mode changed to Contacts Only

07/09/2015 10:42:36.716 sharingd[326]: 10:42:36.716 : BTLE scanning started

07/09/2015 10:42:36.716 sharingd[326]: 10:42:36.716 : Scanning mode Contacts Only

07/09/2015 10:42:36.717 sharingd[326]: 10:42:36.717 : BTLE scanner Powered On

07/09/2015 10:46:37.921 sharingd[326]: 10:46:37.920 : Discoverable mode changed to Off

07/09/2015 10:46:37.921 sharingd[326]: 10:46:37.920 : BTLE scanning stopped

07/09/2015 11:55:13.666 sharingd[326]: 11:55:13.665 : Starting AirDrop server for user 501 on wake

07/09/2015 11:55:31.708 sharingd[326]: 11:55:31.707 : Discoverable mode changed to Contacts Only

07/09/2015 11:55:31.708 sharingd[326]: 11:55:31.708 : BTLE scanning started

07/09/2015 11:55:31.708 sharingd[326]: 11:55:31.708 : Scanning mode Contacts Only

07/09/2015 11:55:31.710 sharingd[326]: 11:55:31.709 : BTLE scanner Powered On


I have no idea if these are malicious or not.

Many thanks

Bella

Sep 7, 2015 9:33 AM in response to >BellaBella<

Those messages are all over these forums

AppleCamIn::systemWakeCall - messageType = 0xE0000340

System keeps waking from sleep every 2 hours

MacBook Air keeps playing the restart sound every few hours

They appear to be normal, or at least part of a bug that others also see on 10.10. 'discoveryd' seems to have a part in this issue - update to the latest to see if it fixes it; discoveryd was removed around 10.10.4 if I recall correctly.


The network_reachability_changed : network is not reachable, netbiosd is shutting down message seems normal to me too. Sometimes the network simply changes state (particularly on wifi). So the OS notices & stops/starts the services that are network based.


As for the sharingd messages below, they also look like a normal part of Airdrop. It has to scan your contacts if you have the option to share with contacts only.

Try turning off Airdrop if you don't need or use it. I don't know if this still works on 10.10, I don't have the hardware to test it…

https://derflounder.wordpress.com/2011/10/07/disabling-airdrop-from-the-command-line/

I understand you have a history that makes you very nervous but please be careful when assuming log messages are bad. OS X is a very complicated system that has many services that integrate into deep parts of the OS.

I feel the need to clear a few other things up too…

You can't hack a Mac via 'serial numbers', it must have been some other way like a compromised router or compromised account or a combination of several methods. You may also have had a faulty Mac - was the attack ever diagnosed by a professional?

FileVault & the OS X firewall are totally useless if you are on a network that is compromised in any way. FileVault can be bypassed when you use the machine (your data is decrypted & is readable). The OS X firewall can be bypassed if the network is malicious. Your network traffic can be abused to send you malicious files or traffic etc.


Avast is not something I recommend at all. It seems like it is a waste of time to me; many other users here suggest removing it altogether - you may find that some 'odd behaviour' goes away after Avast is removed. It does alter how the system behaves & can slow down the OS or just nag you with dialogs & warnings that are irrelevant or confusing. Little Snitch is equally difficult to see what is valid & what is invalid traffic.

OS X already has tools to stop common malicious software from running. Keep the OS up to date to help reduce the potential for compromises.



I don't doubt your concerns are valid, but you have to avoid assuming the worst, especially if the same issues are seen by users who are not 'hacked' or if there is a simpler explanation.


I wish you good luck with it, keep passing data to the professionals, they may be able to see patterns or find out what is happening.
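An added example, not part of either poster's message: one way to triage Console output like the sharingd lines quoted in this thread is to count each message type and pair every AirDrop "discoverable" switch-on with the next switch-off, so the repeating cycle is visible at a glance. The sample is a subset of the lines quoted above; the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Subset of the sharingd lines quoted in the thread (blank lines removed).
SAMPLE = """\
07/09/2015 09:26:22.436 sharingd[326]: 09:26:22.436 : Discoverable mode changed to Contacts Only
07/09/2015 09:26:22.437 sharingd[326]: 09:26:22.436 : BTLE scanning started
07/09/2015 09:26:22.761 sharingd[326]: 09:26:22.761 : Starting AirDrop server for user 501 on wake
07/09/2015 09:26:22.804 sharingd[326]: 09:26:22.804 : BTLE scanner Powered On
07/09/2015 09:32:36.510 sharingd[326]: 09:32:36.509 : BTLE scanner Powered Off
07/09/2015 09:33:49.316 sharingd[326]: 09:33:49.315 : Discoverable mode changed to Off
07/09/2015 09:48:11.437 sharingd[326]: 09:48:11.437 : Discoverable mode changed to Contacts Only
07/09/2015 09:57:13.979 sharingd[326]: 09:57:13.978 : Discoverable mode changed to Off
"""

LINE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) (\w+)\[(\d+)\]: "
    r"(?:\d\d:\d\d:\d\d\.\d{3} : )?(.*)$")
MODE = "Discoverable mode changed to "

def parse(text):
    """Yield (timestamp, process, message) for each line in Console layout."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # Posts in the thread are dated Sep 7, 2015, so the date is day-first.
            ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S.%f")
            yield ts, m.group(2), m.group(4)

def summarize(text):
    """Count message types; pair each discoverable 'on' with the next 'Off'."""
    counts, windows, modes, opened = Counter(), [], set(), None
    for ts, proc, msg in parse(text):
        counts[(proc, msg)] += 1
        if msg.startswith(MODE):
            mode = msg[len(MODE):]
            modes.add(mode)
            if mode == "Off" and opened is not None:
                windows.append((opened, ts, (ts - opened).total_seconds()))
                opened = None
            elif mode != "Off" and opened is None:
                opened = ts
    return counts, windows, modes

if __name__ == "__main__":
    counts, windows, modes = summarize(SAMPLE)
    for start, end, secs in windows:
        print(f"discoverable {start:%H:%M:%S} -> {end:%H:%M:%S} ({secs:.0f}s)")
    print("modes seen:", sorted(modes))
```

Run over a full log export, the set of modes and the window lengths make it easy to spot an entry that does not fit the repeating cycle and is worth passing on for review.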

Sep 7, 2015 9:40 AM in response to Drew Reece

One more thing,

You could consider using a VPN. It will make your 'exit point' on the internet appear to be in another location. If the 'ex & the hacker friend' have access to your online accounts or some sites you visit they may be able to see info that shows your originating IP address. A VPN can help to mask that by wrapping your traffic in an encrypted tunnel that exits at a new IP address.


VPNs can help to protect against malicious networks (to a limited extent).
