New root user I did not create-hacked?

Greetings,

When I booted up my iMac today there was a new root user that I did not create. I found this curious and did a little research which led me to articles about possible vulnerability in the OS. From there I found this article:


How to Tell If Your Mac Computer Has Been Hacked | Techwalla.com


I followed the instructions and found the results "postgres" and then "root" as what appear to be the latest users created.


So have I been hacked or is this something I somehow did unknowingly on my end? Any thoughts/suggestions appreciated.


Thanks

iMac

Posted on Jan 5, 2018 7:43 AM

Question marked as Top-ranking reply

Posted on Jan 5, 2018 1:48 PM

There are all kinds of accounts created and used by the Mac OS and the underlying Unix system. I don't know why the instructions in your link bothered with the sudo command. All that was needed was the list command to see all user accounts.


Here's the list from mine. As long as it is, it's all normal stuff. It also includes the same two you mention. The one line of asterisks is me anonymizing my own account name.


_amavisd

_analyticsd

_appleevents

_applepay

_appowner

_appserver

_appstore

_ard

_assetcache

_astris

_atsserver

_avbdeviced

_calendar

_captiveagent

_ces

_clamav

_cmiodalassistants

_coreaudiod

_coremediaiod

_ctkd

_cvmsroot

_cvs

_cyrus

_datadetectors

_devdocs

_devicemgr

_displaypolicyd

_distnote

_dovecot

_dovenull

_dpaudio

_eppc

_findmydevice

_fpsd

_ftp

_gamecontrollerd

_geod

_hidd

_iconservices

_installassistant

_installer

_jabber

_kadmin_admin

_kadmin_changepw

_krb_anonymous

_krb_changepw

_krb_kadmin

_krb_kerberos

_krb_krbtgt

_krbfast

_krbtgt

_launchservicesd

_lda

_locationd

_lp

_mailman

_mbsetupuser

_mcxalr

_mdnsresponder

_mobileasset

_mysql

_netbios

_netstatistics

_networkd

_nsurlsessiond

_nsurlstoraged

_ondemand

_postfix

_postgres

_qtss

_sandbox

_screensaver

_scsd

_securityagent

_serialnumberd

_softwareupdate

_spotlight

_sshd

_svn

_taskgated

_teamsserver

_timed

_timezone

_tokend

_trustevaluationagent

_unknown

_update_sharing

_usbmuxd

_uucp

_warmd

_webauthserver

_windowserver

_www

_wwwproxy

_xserverdocs

daemon

Guest

**************

nobody

root
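An added example, not part of the original reply: one way to triage such a listing, assuming the "list command" is `dscl . list /Users UniqueID` (the page does not name it) and the usual macOS convention that service accounts carry an underscore prefix and a UID below 500 while accounts created by a person start at 501. The sample listing and the names `alice`, `_updater` and `toor` are constructed for illustration.

```shell
#!/bin/sh
# Classify "name uid" pairs such as `dscl . list /Users UniqueID` prints.
# Assumed conventions: root is UID 0, service accounts are _name with
# 0 < UID < 500, accounts made by a person start at UID 501.

classify_accounts() {
    # stdin: "name uid" lines; stdout: "category name uid"
    awk '
    NF < 2 { next }
    {
        name = $1; uid = $2 + 0
        if (name == "root" && uid == 0)              kind = "builtin"
        else if (uid == 0)                           kind = "REVIEW"  # extra UID-0 account
        else if (name ~ /^_/ && uid > 0 && uid < 500) kind = "service"
        else if (name ~ /^_/)                        kind = "REVIEW"  # service-style name, login-range UID
        else if ((name == "daemon" && uid == 1) ||
                 (name == "nobody" && uid == -2) ||
                 (name == "Guest"  && uid == 201))   kind = "builtin"
        else if (uid >= 501)                         kind = "human"
        else                                         kind = "REVIEW"  # system-range UID, no underscore
        print kind, name, uid
    }'
}

review_accounts() {
    # Only the names that deserve a closer look.
    classify_accounts | awk '$1 == "REVIEW" { print $2 }'
}

sample_listing() {
    # Constructed sample, not output from the thread.
    cat <<'EOF'
_postgres   216
_sshd       75
daemon      1
Guest       201
nobody      -2
root        0
alice       501
_updater    502
toor        0
EOF
}

# On a Mac: dscl . list /Users UniqueID | classify_accounts
sample_listing | classify_accounts
```

In the sample, `_postgres` and `root` come out as ordinary service and built-in accounts; only the second UID-0 account and the underscore-named account with a login-range UID are marked for review.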

9 replies

Jan 5, 2018 1:54 PM in response to AaronOSX

Then you may not have been hacked. Try doing a software check using the below to look for unusual software.


Try running this program in your normal user account, then copy and paste the output in a reply. The program was created by etresoft, a frequent contributor. Please use copy and paste as screen shots can be hard to read. On the screen with Options, please open Options and check the bottom 2 boxes before running. Click “Share Report” button in the toolbar, select “Copy Report” and then paste into a reply. This will show what is running on your computer. No personal information is shown.

Etrecheck – System Information
