compuhurt

Q: Chinese hack by vpn

Hope someone can help.

 

The Macbook is used, but new to me.  I'm using a library computer for this query.

 

Turns out my ISP is hacked by a VPN and ISP will not help with problem.  Here's how it happened:  I downloaded a manual I was seeking for a device I have from a site that it is now clear was a hacker site. This was done on a different computer and I could tell it was a VPN. First time I connected new-to-me MacBook, it got hacked and here are some of the clues I was able to find.

 

1. Two Chinese-language apps had been downloaded.

2. Internet wanted FireWire connection--I've never had FireWire. MAC address for FireWire is 00:25:bc:cc:04 (Ethernet same MAC address).

3. MAC address for my DSL WiFi is not the same (don't know if this is a clue, but do not want to publish those numbers here).

4. In Networking Advanced view, WINS NetBIOS Name was changed to MACBOOK-DBCC04, WORKGROUP. This is NOT my NetBIOS Name.

5. Security is WPA2 and should be WPA/WPA2 Personal.

6. Settings for FireWire/Ethernet: Bypass proxy settings for these Hosts & Domains: *.local, 169.254/16; checkmark on Use Passive FTP Mode (PASV).

7.  Search of "Find My Device" resulted in 13 pages, but here are the entries that matter:

0x7fff959b1000 - 0x7fff959bcff7 libChineseTokenizer.dylib (16) <1794A880-9C3D-37B2-8F3E-6CAFFB396080> /usr/lib/libChineseTokenizer.dylib

plus:

/System/Library/PrivateFrameworks/Language/LanguageModeling.framework/Versions/A /LanguageModeling

0x7fff95bc8000 -  0x7fff95bd1fff com.apple.icloud.FindMyDevice (1.0 - 1 <28CE764F-4C4C-3A75-B7AE-EDBC7A189E82>

(To date I've not set up my own iCloud account w/Apple.)

I have futzed around and now get blinking folder/? screen on start up, or lock screen for password with hold option key on startup.

 

It was running El Capitan and I have a bootable usb for El Capitan--Note usb were disabled while hacker has control.

MacBook, OS X El Capitan (10.11.1)

Posted on Dec 15, 2015 11:38 AM


  • by my ginger,

    my ginger Dec 15, 2015 2:53 PM in response to compuhurt
    Level 4 (2,472 points)

    Are you running thru a router or straight off a modem with ethernet? Can you still get into your computer by normal boot or by safe boot? Shift key at startup. Do you have a backup of your system on time machine or something else? Just in case you need to use recovery to reinstall. Normally this will not delete any personal files. Did you have FileVault enabled?

  • by compuhurt,

    compuhurt Dec 16, 2015 9:19 AM in response to my ginger
    Level 1 (0 points)

    Thanks for your reply.

     

    I live very rurally and have crummy internet; they don't want to spend what it would take to give us good service. Have modem/router (no Ethernet cable plugged in) for ultra-slow DSL/WiFi and live in a dead zone for direct WiFi or mobile phone service.  I'm surrounded by trees, so not sure satellite would do me any good.

     

    I had just purchased a new-to-me older macbook, so had no personal files on the computer, yet.  Can't get normal boot.  Have not tried shift key at startup, as I'm not very mac savvy, but will try later ( I'm using library computer--10 miles from home). 

     

    Option at startup yields padlock wanting password and will not accept my password.  Command+option+s or r yields blinking folder+?.

     

    I'm going to have to end my current ISP because they cannot end the VPN connection that should not be there--I did not realize it would still be there when I connected this new-to-me macbook.

     

    The Chinese guy has ultimate control of the Macbook--can this be fixed?  Is there anything in my first post that would show who/where that guy is to cut him off?

  • by compuhurt,

    compuhurt Dec 16, 2015 10:48 AM in response to compuhurt
    Level 1 (0 points)

    Forgot to mention:  Some of the information I was able to provide in my first post is because the hacker/hijacker has a pop-up window, Activity Monitor, that came up each time I started up the MacBook.  It's how I found "Find My Device".

  • by my ginger,

    my ginger Dec 16, 2015 2:57 PM in response to compuhurt
    Level 4 (2,472 points)

    Are you sure that the operating system is 10.10.11 El Capitan? 169.254/16 is not an internet connection. This is a passive connection from computer to computer. It runs over WiFi. I have it on mine. "stem/Library/PrivateFrameworks/Language/LanguageModeling.framework/Versions/A /LanguageModeling 0x7fff95bc8000 - 0x7fff95bd1fff com.apple.icloud.FindMyDevice (1.0 - 1 <28CE764F-4C4C-3A75-B7AE-EDBC7A18": this is iCloud for Find My Mac or Find My iPhone. When you clicked on the Find My, you opened iCloud. VPN settings are deleted from your network, not through your service provider. I would walk you through resetting your network configurations, but you say you cannot login. If using Command R at startup gives you a screen with a padlock, then you have FileVault enabled. If the FileVault password is not the same as your user password, that is why you cannot login. It might be the same as your Apple ID password. If the screen has a 4 or 6 bock login that would be a code for Find My Mac. https://support.apple.com/en-us/HT204156 Click on this link and identify what screen you get. If you do not know or remember the password, then you would need to use an install disc such as Snow Leopard to use Disk Utility to erase the drive. Install Snow Leopard and then, using your Apple ID, go to the online App Store and download El Capitan and reinstall. If you have an Apple store not too far away, they could help you. Also wiping the drive would get rid of any adware or other things on the MacBook. Was this MacBook already set up when you got it?

  • by Mike Sombrio,

    Mike Sombrio Dec 16, 2015 3:04 PM in response to my ginger
    Level 6 (17,233 points)

    I'm becoming more and more suspicious that this may be a stolen macbook. Could very well be wrong but my spidey sense is tingling.

  • by my ginger,

    my ginger Dec 16, 2015 4:07 PM in response to Mike Sombrio
    Level 4 (2,472 points)

    Ya. Whenever someone posts a (locked out of my computer) it makes you wonder. I don't lose or forget passwords, especially the Find My Mac.

  • by Mike Sombrio,

    Mike Sombrio Dec 16, 2015 7:29 PM in response to my ginger
    Level 6 (17,233 points)

    my ginger wrote:

     

    Ya. Whenever someone posts a (locked out of my computer) it makes you wonder. I don't lose or forget passwords, especially the Find My Mac.

    I don't mean to imply that the OP is the thief, just that he may have purchased a stolen computer.

  • by my ginger,

    my ginger Dec 16, 2015 7:57 PM in response to Mike Sombrio
    Level 4 (2,472 points)

    I didn't know that much about the Find My Mac, so I did some reading and you may very well be right, and that explains the lock and password, as well as the folder and blinking question mark.

  • by compuhurt,

    compuhurt Dec 17, 2015 2:03 PM in response to my ginger
    Level 1 (0 points)

    I'm wondering if you folks actually read my post--like for instance the Chinese tokenizer, etc. The Activity Monitor screen that pops up.  A VPN connection that I should not have, but it was set up when another laptop (Dell) got hacked.  I did not realize it would carry over to the Mac.  It does not recognize either password I have used.

     

    I live near a small town in Kentucky and don't know any Chinese.  I bought the MacBook from a local computer repair shop. 

     

    I had not even had time to set up an iCloud account and I actually don't trust cloud. Any iCloud I got to was not mine.  Maybe there is an Apple store in Lexington.  Not likely it is stolen except by whoever in China, who has effectively stolen it.

     

    What is a "bock"?

     

    Mac was set up when I got it, got hijacked as soon as I used my modem/router for my DSL/WiFi connection.

  • by my ginger,

    my ginger Dec 17, 2015 2:44 PM in response to compuhurt
    Level 4 (2,472 points)

    Did it come with the operating system already installed? Did you have to start up and then go through a setup screen entering your name and password, internet connection etc? http://www.macworld.com/article/2010716/mac-101-getting-set-up.html You might need to take it to the place you bought it from. Any Mac sold should be completely erased and a new operating system installed so the new user can customize it for their own use. Find My Mac is a way that, if a person's MacBook is stolen, it can be locked so as not to let anyone get at their info. It is done through iCloud. If none of the suggestions I gave you work, you would have to get an Apple store Genius Bar person to look at it. You never told me, by looking at my link, which screen you were getting. The chances of a Mac being hacked are very slim. You can get adware and malware, but that is about all. If your internet connection is encrypted and password enabled, someone would have to have access to it to get in. As in know the password. Usually adware and malware do not change AirPort settings. It can redirect your search page in the web browser.

  • by compuhurt,

    compuhurt Dec 18, 2015 9:19 AM in response to my ginger
    Level 1 (0 points)

    Screens I get for now are only folder/? or Padlock wanting password.  I did not set up password for this function.

     

    Various thoughts about this situation.

     

    To my ginger:  you wrote:  "169.254/16 is not an internet connection. This is a passive connection from computer to computer. It runs over WiFi. I have it on mine."  There is no reason for me to have a passive connection from computer to computer.  Only one computer and I'm private owner.

     

    Stolen? Yes, admin rights have been stolen by some low-life clown in China.  Hack du jour:  people in countries with limited access to internet want to use US connections, thus the VPN.  Best guess:  The download that got the VPN set up was for an acupuncture device I have for private use.  Stupid guy though, my internet is so slow--1Mb/sec down, .3Mb/sec up, but where I live only service available.  It is my hacked internet connection that allowed the hack is my best guess.  The hacker can just download some code to take admin control.

     

    Never set up iCloud for self.  I don't want to use iCloud.

     

    I have my doubts the MacBook had clean install of operating system.  Had Mountain Lion, I downloaded El Capitan, installed.

     

    I tried a bunch of stuff to get rid of the problem before I messed around and got locked out.  I never set up a password for FileVault, no important files to protect.  I have all my old files from other computer in a USB flash drive and did not transfer them, yet.

     

    Before I locked myself out I tried--think it's command+option+s--to change passwords, however it is set up in read only, so no good. Also the combo for recovery--no such luck.

     

    I've used internet for 20+ years and it's getting pretty awful.  Used to be info highway--now gimme, gimme highway.  I don't even use Facebook or social media due to risk.

  • by my ginger,

    my ginger Dec 18, 2015 10:08 AM in response to compuhurt
    Level 4 (2,472 points)

    That passive connection is automatically installed when you set an internet connection on all Macs. No one slipped it in there. When I have sold Macs, and I have sold a few, I either do a fresh install and then shut it down (leaving it to go to the initialization screen) or set it up and give the buyer the password and user name. I gave you a link that showed this screen. As I also gave you a link to the different startup screens that show on all Macs. I understand the folder screen, which means no startup volume. There is more than one lock screen. By looking at the screen link I gave you, I wanted you to name by the name given what screen you have. If you were able to install El Capitan, then that would give you a recovery partition that can be accessed by Command R on startup. The one thing about installing El Capitan is that, since it is an internet install, you need a good internet connection. If yours is slow that can be a problem. As far as iCloud and Find My Mac, that is put into the machine by whoever owned it before you bought it. I do not know what place you bought the MacBook from, as to whether it was a computer store or what. If it came with an operating system installed and working, then they should have done what I stated that I do when selling a used computer. If FileVault is not turned on, then what is turned on is a firmware password or an iCloud password. Both of which would require you to take it to an Apple service provider to fix. Most of the people on this site are very knowledgeable, but we are all users.

  • by compuhurt,

    compuhurt Dec 19, 2015 9:32 AM in response to my ginger
    Level 1 (0 points)

    A few minutes ago I tried to set up an appointment at the Apple Store in Lexington; in three tries it refused with some long error code. I got their phone number and will try calling.  I'm not sure I trust the small local company I bought from to know what they are doing.  Nothing I do gets me past folder/? screen.  Thank you for your help in directing me to an Apple store.