MAC - Terminal Commands History - am I being Hacked??

Hello,


For weeks I have had a strange feeling that my flatmate is in my computer. So I looked up how to find out and I got a bit into Terminal. As I didn't do anything and went out of nowhere into Terminal, I saw all those commands:


297 sudo killall -v storeaccountd
298 history
299 touch
300 cat
301 $ cat shoppingList.txt
302 b
303 f
304 curl
305 curl help
306 curl -help
307 cirl head
308 curl info
309 tar
310 tar -c
311 chmod
312 chmod help
313 diff
314 diff heelp
315 du
316 df -u
317 df -h
318 df devfs
319 info devfs
320 $ df -h
321 $ df -h devfs
322 history
323 unhide
324 showall
325 id
326 du -sh
327 du -sh ~
328 du -sh *
329 du
330 open
331 360./Pictures/Photos Library.photoslibrary/resources/proxies/derivatives/01/00/1e9
332 408
333 360./Pictures/Photos Library.photoslibrary/resources/proxies/derivatives/01/00/1e9
334 408
335 users
336 sudo dscl . -delete "/SharePoints/Hidden User's Public Folder"
337 sudo dscl . create /Users/hiddenuser IsHidden 0
338 users
339 sudo chflags nohidden /Users
340 usrs
341 users
342 sudo spctl --master-disable
343 open disk
344 unmask
345 sudo unmast
346 ls -ad .*
347 ls .bash_sessions
348 ls .bash_history
349 ls -ad .bash_history
350 open .bash_history
351 ls -ad .*
352 bash
353 ls -ad .*
354 ls -h
355 ls -a
356 ls -ld .?*
357 history
358 sudo history
359 F
360 history
361 root
362 login root
363 history
364 historry
365 history
366 bash
367 $ airport -s
368 $ airport -s
369 history
370 /bin/bash
371 $ airport -s
372 who


Like, is this a usual hack? And how can I stop this, or even better, how can I find out that this is one of my flatmates and have proof that he does this, so I can do something about it!


I hope someone please can help me!


Regards

MacBook Air (13-inch, Early 2015)

Posted on Dec 24, 2016 5:37 AM

8 replies

Dec 24, 2016 7:17 AM in response to Renshelmond

I would say yes.


The

337 sudo dscl . create /Users/hiddenuser IsHidden 0

is the biggest clue.


I would back up your system (2 backups are better, with 2 different destination devices, using 2 different backup utilities, as Murphy's Law doesn't care if Santa thinks you have been Good this year 🙂 )


Do a factory reset of your Mac.

<How to reinstall macOS - Apple Support>


Restore your data, but be careful about using Migration Assistant, you do not want to restore the hiddenuser account.


You might be better mounting one of the backup drives, and just dragging your data from the backup drive to your system.
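A quick way to triage a history dump like the one in the question is to run the numbered lines through a short list of indicators and see which entries are worth a closer look. This Python script is an added example, not anything from the thread or from Apple; the sample input reuses a few lines from the poster's history, and the indicator patterns are this example's own choice.

```python
import re

# Constructed sample: entries copied from the history dump in the question.
# Added example, not something any participant in the thread ran.
SAMPLE_HISTORY = """\
297 sudo killall -v storeaccountd
298 history
336 sudo dscl . -delete "/SharePoints/Hidden User's Public Folder"
337 sudo dscl . create /Users/hiddenuser IsHidden 0
339 sudo chflags nohidden /Users
342 sudo spctl --master-disable
350 open .bash_history
362 login root
367 $ airport -s
"""

# Patterns a defender would flag when reviewing shell history on a Mac.
# Each tuple: (regex applied to the command text, short reason).
INDICATORS = [
    (re.compile(r"\bdscl\b.*\b(create|delete)\b"), "local directory (account) change via dscl"),
    (re.compile(r"\bIsHidden\b"), "account visibility toggled"),
    (re.compile(r"\bchflags\b.*\bnohidden\b"), "hidden-flag change on a system path"),
    (re.compile(r"\bspctl\b.*--master-disable"), "Gatekeeper disabled"),
    (re.compile(r"\b(login|su)\b\s+root\b"), "interactive root login"),
    (re.compile(r"\.bash_history\b"), "shell history inspected"),
    (re.compile(r"\bairport\b.*-s\b"), "Wi-Fi network scan"),
]

# "<number> <command>", with an optional stray "$ " prompt as seen in the dump.
HISTORY_LINE = re.compile(r"^\s*(\d+)\s+(?:\$\s+)?(.*\S)\s*$")

def parse_history(text):
    """Turn numbered `history` output into (number, command) pairs."""
    entries = []
    for line in text.splitlines():
        m = HISTORY_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries

def triage(text):
    """Return [(number, command, reason), ...] for lines matching an indicator."""
    hits = []
    for num, cmd in parse_history(text):
        for pattern, reason in INDICATORS:
            if pattern.search(cmd):
                hits.append((num, cmd, reason))
                break  # first matching reason is enough for triage
    return hits
```

Typos and aborted commands (`usrs`, `unmast`) are deliberately not flagged; the point is to surface the account and Gatekeeper changes, not to grade the typing.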

Dec 24, 2016 1:29 PM in response to Renshelmond

I'd suggest you forget about trying to identify the person who did this. People who are smart enough to modify a Mac like this are unlikely to leave their own name on the system depending on what their aim is. You may simply cause hostility amongst your flatmates if you make the wrong accusation. I suspect your living situation needs to change but that is not the kind of thing you consult the internet for help with.


I doubt a forensics expert can track down who did it either, especially as there are multiple suspects that could have accessed the Mac. Physical access to any computer is a major security weakness.


It is clear that this user also knows your admin password (otherwise sudo commands would fail). So you have exposed your admin password somehow - a terrible idea.


Frankly the only way to prevent this happening again is to use FileVault or to keep the Mac in your possession at all times. Simply reinstalling and putting in a new user password is not enough - this person is probably capable enough to defeat a standard user account password.


Use FileVault to encrypt the startup disk on your Mac - Apple Support


FileVault will cause all of the data on disk to be encrypted with a password that is separate from the user account passwords. That will prevent someone simply editing the system from recovery mode etc.


You also need to shut down when leaving the machine unattended, otherwise there may be other attacks that can get around FileVault (no system is 100% flawless, especially on 'consumer grade' hardware & software).


You can find third party software to take photos on login, but the user may be accessing the Mac via the internet or network now that they have a user account set up. Your priority is to either stop using the Mac (to preserve evidence for any criminal/legal advice) or to get a clean OS installed without the unwanted modifications.


I'm afraid that you may simply risk damaging your own data if you try to fix this manually. Editing user accounts via Terminal is tricky - do you have a backup yet?

Dec 24, 2016 8:21 AM in response to Renshelmond

You might want to change your user password and make sure it is a strong password. I would suggest that when you are away from your computer, you log out. If you want to let the computer sleep instead of logging out, try going to System Preferences/Security & Privacy/General and check Require password immediately after sleep or screen saver begins.


User Password Reset (2)

Dec 24, 2016 10:56 AM in response to WZZZ

MACCI:~ macboorair$ dscacheutil -q user | grep -A 3 -B 2 -e uid:\ 5'[0-9][0-9]'
name: macboorair
password: ********
uid: 501
gid: 20
dir: /Users/macboorair
shell: /bin/bash
MACCI:~ macboorair$ dscl . list /Users | grep -v ^_.*
daemon
Guest
hiddenuser
macboorair
nobody
root
MACCI:~ macboorair$ dscl . list /Users | grep -v '^_'
daemon
Guest
hiddenuser
macboorair
nobody
root
MACCI:~ macboorair$ /var/db/dslocal/nodes/Default/users
-bash: /var/db/dslocal/nodes/Default/users: Permission denied
MACCI:~ macboorair$ sudo /var/db/dslocal/nodes/Default/users
Password:

Well, all this shows up. I don't know what else to do from here. I am not very computer-smart.

Dec 24, 2016 2:03 PM in response to Renshelmond

Not sure how much it will reveal in this situation, but every so often just enter "who" (no quotes) in Terminal. See what comes up. This will display who is currently logged in, yourself and whoever else. But you may only get something obfuscated or "hidden user" and you're back to square one. Still, worth a try, as it's quite simple to remember.


If you enter "man who" in Terminal, you'll get some different options for the command.


In addition, you can enter "last" to see if there was a login after you logged out.


DESCRIPTION
Last will list the sessions of specified users, ttys, and hosts, in reverse time order. Each line of output contains the user name, the tty from which the session was conducted, any hostname, the start and stop times for the session, and the duration of the session. If the session is still continuing or was cut short by a crash or shutdown, last will so indicate.
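Checked against the owner's own username, `last` output can be read mechanically for sessions belonging to anyone else and for whether the owner had a session open at that moment (a login while you were logged out is the case the reply above describes). This Python script is an added example, not from the thread or from Apple; the `last` lines, their times and the year are constructed, and only the user names come from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout `last` prints on macOS (weekday, no year).
# User names are from this thread; times are invented. Added example only.
SAMPLE_LAST = """\
macboorair  ttys000                   Sat Dec 24 10:55   still logged in
macboorair  console                   Sat Dec 24 10:50   still logged in
hiddenuser  ttys001                   Sat Dec 24 03:12 - 03:40  (00:28)
macboorair  console                   Fri Dec 23 18:02 - 22:15  (04:13)
reboot    ~                         Fri Dec 23 18:00
shutdown  ~                         Fri Dec 23 17:58
"""
YEAR = 2016  # `last` omits the year; assumed here so timestamps can be compared

# user, tty, optional host, start "Sat Dec 24 03:12", optional "- HH:MM" end.
LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<start>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} +\d+ \d\d:\d\d)"
    r"(?:\s+-\s+(?P<end>\d\d:\d\d))?(?P<rest>.*)$")

def parse_last(text):
    """Return user sessions as dicts; reboot/shutdown pseudo-entries are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["user"] in ("reboot", "shutdown"):
            continue
        start = datetime.strptime(f"{YEAR} {m['start']}", "%Y %a %b %d %H:%M")
        end = None  # still logged in, or ended by crash/shutdown
        if m["end"]:
            end = start.replace(hour=int(m["end"][:2]), minute=int(m["end"][3:]))
            if end < start:  # session ran past midnight
                end += timedelta(days=1)
        sessions.append({"user": m["user"], "tty": m["tty"], "start": start, "end": end})
    return sessions

def foreign_logins(text, owner):
    """Sessions by anyone but `owner`, tagged with whether owner was logged in then."""
    sessions = parse_last(text)
    mine = [s for s in sessions if s["user"] == owner]
    findings = []
    for s in sessions:
        if s["user"] == owner:
            continue
        # An open-ended owner session (end None) counts as present from its start.
        present = any(m["start"] <= s["start"] <= (m["end"] or s["start"]) for m in mine)
        findings.append((s["user"], s["tty"], s["start"].strftime("%b %d %H:%M"), present))
    return findings
```

Run against a real `last` dump, an entry with `present` False is the "login after you logged out" the reply asks about; `who` covers only the current moment, `last` the history.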
