remote terminal root user hack

I'm pretty sure my computer has been hacked remotely, to access some files. Before I go to law enforcement, I want to be a bit more certain.


On my terminal history I found quite a few commands that I never typed.

User uploaded file

The only commands I typed were lines 15 through to 18. As you can see my worry is that they got in as a "sudo" user. I'm not sure what most of those commands mean. I also found a command "com.apple.mobilenotes.persistentstoreopen.lock" in terminal and had a screen shot of it but that seems to have disappeared into the entropy of the universe somehow.... It looks like they have tried to access my iPhone too.


On my hard drive with cmd, . ,shift, I found recent files hidden that I thought had been lost or not synced. But they were sitting there hidden on my hard drive so I wouldn't be able to normally find them. I had a photo of it but that too seems to have disappeared.


When I look on Little Snitch my connections are very much multiple and look like this. (I'm in New Zealand as you can tell).

User uploaded file

I am bothered that if I back my mac up and reboot it I'm just recopying whatever hack is there onto the fresh reboot from the back up.


Does it look/sound like a remote hack to anyone who has good knowledge of this sort of thing?

If so, how do I get rid of it?

How do I stop it in the future? How do I close unnecessary open ports?


Thanks so much. I'm really ******.

MacBook Air (13-inch, Early 2015)

Posted on Jul 3, 2017 4:32 PM

4 replies

Jul 4, 2017 7:02 PM in response to it's silver and pretty

it's silver and pretty wrote:


I'm pretty sure my computer has been hacked remotely, to access some files. Before I go to law enforcement, I want to be a bit more certain.


If that's all the information you have, don't bother going to law enforcement. None of the information you provided is evidence of anything nefarious. What else is making you suspicious of unauthorized intrusion?


Terminal's history command just shows a sequential list of the last commands used. They will not have any time or date associated with them, so they could have been executed months or years ago. Besides, none of them appear to be malicious, but I would like to see what that Mac's hosts file looks like for the same reasons that kaz-k expressed. To learn more about that please read Fixing a hacked /etc/hosts file.


I don't have any use for "Little Snitch" but that screenshot appears to be a graphical representation of servers with which your Mac has been communicating. That's not a surprise either, since just about everyone living in the free world can connect to any server anywhere on Earth, with the overwhelming majority of them located in North America and Europe.


I understand your concerns and am not being dismissive of them, but before you bother going to law enforcement, you should anticipate their questions. In the US, they would undoubtedly ask "what else you got?" before taking any action. No legal action would be justified based solely on the information in your post.
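
One way to do the hosts file check the reply above asks for, as an added example that is not part of the original thread: list every mapping in the file that is not one of the stock macOS entries. The function names and the sample file are constructed for illustration, and the stock entries are assumed to be the loopback and broadcasthost lines macOS ships with.

```shell
#!/bin/sh
# Print every "ip hostname" mapping in a hosts file that is not a stock entry.
# Assumed stock entries: 127.0.0.1, ::1 and fe80::1%lo0 -> localhost,
# and 255.255.255.255 -> broadcasthost.
hosts_extra_entries() {
    file="${1:-/etc/hosts}"
    awk '
        {
            sub(/#.*/, "")        # drop whole-line and trailing comments
            if (NF < 2) next      # blank line or address with no name
            ip = tolower($1)
            for (i = 2; i <= NF; i++) {   # one address can carry several names
                name = tolower($i)
                loop = (name == "localhost" && (ip == "127.0.0.1" || ip == "::1" || ip == "fe80::1%lo0"))
                bcast = (name == "broadcasthost" && ip == "255.255.255.255")
                if (!loop && !bcast) print ip, name
            }
        }
    ' "$file"
}

# Constructed sample: a stock file plus two added redirects
# (documentation-range address and example domains only).
write_sample_hosts() {
    cat > "$1" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
203.0.113.10    www.example.com   # constructed entry
0.0.0.0         updates.example.net
EOF
}

sample="$(mktemp)"
write_sample_hosts "$sample"
hosts_extra_entries "$sample"    # lists only the two added mappings
rm -f "$sample"
```

Run `hosts_extra_entries /etc/hosts` on the Mac in question; no output means the file contains only the stock entries.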
