remote terminal root hack

I'm pretty sure my computer has been hacked remotely, to access some files. Before I go to law enforcement, I want to be a bit more certain.


On my terminal history I found quite a few commands that I never typed.

User uploaded file

The only commands I typed were lines 15 through to 18. As you can see my worry is that they got in as a "sudo" user. I'm not sure what most of those commands mean. I also found a command "com.apple.mobilenotes.persistentstoreopen.lock" in terminal and had a screen shot of it but that seems to have disappeared into the entropy of the universe somehow.... It looks like they have tried to access my iPhone too.


On my hard drive with cmd, . ,shift, I found recent files hidden that I thought had been lost or not synced. But they were sitting there hidden on my hard drive so I wouldn't be able to normally find them. I had a photo of it but that too seems to have disappeared.


When I look on Little Snitch my connections are very much multiple and look like this. (I'm in New Zealand as you can tell).

User uploaded file

I am bothered that if I back my mac up and reboot it I'm just recopying whatever hack is there onto the fresh reboot from the back up.


Does it look/sound like a remote hack to anyone who has good knowledge of this sort of thing?

If so, how do I get rid of it?

How do I stop it in the future? How do I close unnecessary open ports?


Thanks so much. I'm really ****** off.


MacBook Air (13-inch, Early 2015)

Posted on Jul 3, 2017 6:15 PM

3 replies

Dec 12, 2017 2:11 AM in response to it's silver and pretty

My MacBook Air was remote accessed without a doubt. My home network was invaded through the LAN Utility which is turned on, by default, on smart TV. The hackers knew every password to all of my email, online banking, everything. These are not your average hackers. They act as the “root” user and can delete and add files as they please. I marked all internet accessing utilities inactive to protect myself. Within an hour a “Bluetooth DUN” utility was remotely installed on my MacBook Air allowing the hackers to continue filling my memory with who knows what and then password protecting that which they installed! Senior Technology Supervisor at 1-800-my-Apple told me that was impossible. You’re not crazy. Hackers are capable of unbelievable action. Maybe you will have better luck with Apple as I got nothing but frustrated with their help.

Jul 4, 2017 6:11 AM in response to it's silver and pretty

The only files that were accessed look like the system log and the hosts file - mdfind is a Spotlight search, sudo would require administrative access, and nano is a text editor (you might want to take a look at the hosts file). Apple does like to hide stuff, the defaults and chflags lines are to show hidden items (looks like the Finder was first set to show them, then I'm guessing that didn't do it). Any browser usage will result in multiple connections, as various web pages use advertising, analytics, and content from all over the place.


What you have shown doesn't really indicate any hacking (to me, anyway) - is there something else that makes you think so?
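The hosts-file check suggested in the reply above, as an added example that is not part of the original thread: it lists every mapping in a hosts file that is not one of the stock macOS entries. The function names `audit_hosts` and `sample_hosts` are hypothetical, the sample file is constructed, and the list of stock entries is an assumption stated in the code.

```shell
#!/bin/sh
# Added example: report hosts-file mappings that are not stock macOS entries.
# Assumption: the stock entries are localhost (IPv4, IPv6, legacy fe80::1%lo0)
# and broadcasthost; anything else deserves a manual look.
audit_hosts() {
    hosts_file="${1:-/etc/hosts}"      # pass "-" to read from stdin
    awk '
        BEGIN {
            ok["127.0.0.1 localhost"] = 1
            ok["255.255.255.255 broadcasthost"] = 1
            ok["::1 localhost"] = 1
            ok["fe80::1%lo0 localhost"] = 1
        }
        {
            sub(/#.*/, "")             # strip comments; fields are re-split
            if (NF < 2) next            # blank, comment-only or malformed line
            for (i = 2; i <= NF; i++) { # one address may carry several names
                key = tolower($1 " " $i)
                if (!(key in ok)) print NR ": " $1 " -> " $i
            }
        }
    ' "$hosts_file"
}

# Constructed sample input (not taken from the thread).
sample_hosts() {
    cat <<'EOF'
##
# Host Database
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost
127.0.0.1       updates.example.com   # constructed redirect
203.0.113.10    mail.example.net login.example.net
EOF
}

# Demo on the constructed sample; run `audit_hosts` with no argument
# to check the real /etc/hosts.
sample_hosts | audit_hosts -
```

An empty result means the file contains only the stock entries; a non-empty result is a list of line numbers to read in context, since developers and ad-blocking tools also add entries legitimately.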

Jul 4, 2017 5:27 PM in response to it's silver and pretty

Hello it's silver and pretty,

Are you sure that you didn't enter those other commands at some point in the past? The history is just sequential. There is no time limit. Those earlier commands could have been executed years ago.


If you are sure that you never typed any of those commands, is it possible that someone else had access to your computer at some point in the past? Just because there is a "sudo" command listed doesn't mean that the "sudo" was successful. Also, many of the commands listed are wrong or incomplete. It looks like those commands were copied and pasted from the internet. If this is the action of a hacker, you don't need to worry too much. Those commands don't show any evidence of hacking skill. Just change your password and review your sharing options.
