Re: Help With Mac Security! MacBookPro Hacked?

Discussion in 'Computer Security' started by Karl Marks, Mar 22, 2010.

  1. Karl Marks (Guest)

    On Wed, 17 Mar 2010 18:45:01 -0400, Jerry Lenstein wrote:

    > I have a friend who is convinced that his MacBookPro has been
    > hacked and is being accessed by "outside sources".

    How do you know it's from outside sources?
    Does anyone other than your friend have physical access to the
    machine? Any machine can be compromised if physical access is not
    locked down.

    > First off, this person used to run Windows and claimed the same
    > thing despite several highly knowledgeable people, including
    > myself, looking over the Windows system, re-installing clean etc
    > and finding nothing wrong.

    Maybe the problem is a hijacked router or switch? Is somebody
    possibly tapping into his ISP connection? If he is using wireless
    anything is possible. I have seen situations where neighbors have
    been leeching off unsecured routers belonging to some other person
    in the building. The poor sap had no idea he was providing free
    Internet access for more than his own family. Additionally he
    never changed the default router password and ID so anything could
    have been possible.

    > Keep this in mind when reading the stuff below because this is
    > pretty much the same complaints I got with Windows, as well as
    > with a Linux LIVE CD.
    > Keep that in mind.

    Windows sucks.
    Studies have shown that an unsecured Windows box lasts about 1 day
    on the net before being taken over.
    I suspect it's even less time considering that most Windows users
    are idiots and will click on anything.
    Linux is another story.
    Are you sure it was a modern version of Linux and was a live DVD and
    not a borked install?

    > I am *not* a Mac person so I am asking for advice here.
    > This is what this person is telling me.
    > Please advise because I am pulling my hair out.
    > FWIW I have been a computer professional for 30+ years and have
    > never heard anything like this in my entire life, not even with
    > Windows.

    If you haven't heard of this happening with Windows you aren't too

    > Connection is broadband BTW.
    > Router has been swapped to 2 different brands.
    > MacBook is less than 6 months old and up to date AFAIK.


    > Here is what he is telling me and I would like to know, honestly,
    > what you guys think.

    You've already said that.

    > Keep in mind, I was getting a lot of the same kind of stuff from
    > this person, not exactly, but similar, with the Windows machine
    > and the Linux machine. Same machine dual boot.

    You've said this as well.
    Repeating yourself is no way to get ahead, son.

    > I saw nothing wrong.

    Based upon what evidence?

    > The stuff below is from emails.


    > If there is a better group for this please point me that way!!

    Maybe you and your friend can get a group discount?

    > What do you think?

    About what?

    > ***************************Here is what I am being told********
    > Tonight's login log starts with:
    > DashboardAdvisory.plist (My note: dashboard is a widget thing that
    > sits on dock at bottom of desktop)


    > Bluetooth (my note: I set all communication things to inactive--
    > haven't set up Internet yet)

    Normal. It's used to transfer files from phones, pda etc.

    > CUPS (my note: yes I know this is normal process, but it also has
    > a built-in http server that can be logged on through port 80 just
    > like any other URL. It will also open a port through firewall &
    > listen for info.)


    That's one way to manage CUPS.
    It's normal.
    Port 80 is for the browser. will get you into the GUI for CUPS.

    > These 3 things show up in log before I got the sign on screen (that
    > shows up later in log).
    > After sign on screen in log is:
    > Kextload: /System/Library/Extensions/msdosfs.kext loaded successfully

    It's to run Windows programs.

    > Kext files will load into memory as needed. I just logged on and
    > didn't do anything. Especially anything to do with Microsoft DOS,
    > which is what that is. And there also now gets a name in WINS box &
    > had WORKGROUP put in also. I NEVER set up to share & especially not
    > with Windows (hence my remark I said to apple employee when I bought
    > MacBook). I know it was not there before.

    It was added when you configured the Mac.

    > I know about cups. I have seen what the log said on it when I got
    > MacBook. It has different stuff in it now. So does my system
    > profiler.

    Different how?
    Be specific.

    > I thought I copied everything it said when I got mac but I can't
    > find it. Network locations on my mac has tons of stuff in it where I
    > could swear it was empty before. Steph's old MacBook has that
    > location empty (it's using Internet with belkin wireless when I use
    > magic Jack).

    I don't understand. You have 2 Macs with the same problem.
    What are you saying here?
    MagicJack is a VOIP setup.
    You will see all kinds of entries in your router when this is

    > Apple talk keeps starting up. That's a part of airport express
    > router to connect printer. And in system profiler network, locations
    > one thing under Bluetooth says SMB: Workgroup: (& name I had put in)
    > SMB is samba. Also under Bluetooth network location are setting that
    > you

    SMB is so you can connect to other machines like Windows machines.
    Mostly used for printing and file transfer.
    Turn it off if you don't like it.

    > would see under dial up modem (which I don't have) like disconnect
    > on idle (no), disconnect on logout (no).

    That's so you can use a cell phone via bluetooth for dialup.

    > Under network utility section for information about Ethernet and
    > airport wireless card, my Ethernet shows with Vendor: NVIDIA Model:
    > MCP79-1 (& link status: not reported--should say inactive like
    > airport as I turned both to inactive).

    That's because Nvidia is the maker of the chip set.

    > Why does my graphics card show as Ethernet card? This same thing
    > happened on other computers.

    You are seeing Nvidia which makes both chip sets.
    Even if it was, so what?
    How would this affect you?

    > System profiler, network, volumes says /home & /net mounted from
    > map auto_home & map -hosts respectively. Both as automounted (when I
    > turn computer on) & both autofs as type.


    > Yesterday I saw a new guest folder that was just created. Couldn't
    > access it but it has a size of file on info. It should be zero or
    > small # cause I had it off and empty.

    What is in it?
    Check the timestamp and try to recall what you did to create it.
    Maybe some kind of trial ware or something.

    > I have intego firewall and virus barrier. It also came with a
    > program called washing machine that you use to clean out cookies,
    > cache and downloads. I cleaned stuff out the other nite (hadn't been
    > online, but didn't do it the last time I was--only safari "clean").
    > The next morning there was stuff in there to clean---Internet
    > explorer cookies and cache, & firefox too. Wireless is turned off and
    > is always off unless I'm online--I hadn't been). Cleaned it and it
    > was back the next day (sizes were different so it is not what I
    > deleted just returning, these were new).

    Why are you messing with this?
    Leave it alone.
    Browsing generates cookies, it's normal.
    What kind of cookies were they?
    Turn cookies off if it makes you feel better.

    > I'm also apparently using a tablet with this MacBook as I was with
    > the desktops. Even though I don't have one.

    Probably something you clicked on along with the other things you
    have been toying with.
    What harm is it doing?

    > As far as crossing over onto different operating systems & it
    > can't be done, I think it can be done. VNC uses the RFB protocol to
    > remotely control another computer.

    Tell it to the VNC developers. I'll bet they get a laugh out of

    > RFB (Remote Framebuffer Protocol) is a simple protocol for remote
    > access to graphical user interfaces. Because it works at the
    > framebuffer level, it is applicable to windowing systems &
    > applications, including X11, windows & Macintosh. It's also used
    > in any derivatives of VNC.

    You are using buzzwords and don't seem to have a clue what they

    > VNC would be a virtual (software only) version of the network
    > computer. A VNC connection can be established as a LAN connection
    > if VPN is utilized as a proxy.

    So where is the proxy?
    Maybe it's your tablet?

    > I had tons of proxy stuff on desktop.

    Like what?

    > Don't know if going to apple. I also deleted some stuff. Not that
    > it would matter. I was going to reset PRAM & NVRAM as per
    > instructions on
    > Some things that PRAM contains are apple talk, virtual memory,
    > start up disk (I keep getting I'm starting from a network disk),
    > Ram disk. Disk cache, fonts, printer stuff & port stuff.

    You are very confused with this statement.
    Apple technicians are idiots anyway, but I'll bet even they
    haven't seen anything quite like your system. It might be worth it
    to bring it in even for a good laugh.

    > I did try to set up the free printer (when I bought MacBook) last
    > June but could only get scan to work. Tried again in February 2010 &
    > same thing. Uninstalled software both times. I find it odd that this
    > problem on all computers has connections to printer and me being a
    > print server. Even when I don't have a printer (2nd desktop I never
    > connected one to it, but one was running--spooler). This new free
    > printer does not have fax, but I turned on MacBook yesterday & I
    > had a fax icon on top bar of desktop next to my wireless icon.

    It's probably being misidentified as incorrect hardware.
    Happens all the time.
    What brand is it?

    > There is also something with time servers consistent with all the
    > computers. Which I always set to not check time automatically.

    The log should have an entry in it showing you disabling and
    re-enabling it.
    What harm is it causing?

    > Here is more:
    > Settings changing, verizon folder (don't have anything verizon),
    > strange icons & folders. Again with printer stuff running & fax
    > (icon now placed on top bar on desktop I didn't put there). Samba,
    > cups, I'm set up as a server. Remote desktop stuff in logs & virtual
    > system. Says I'm using my Ethernet connection & it now has Nvidia as
    > vendor. My Ethernet is set to inactive (disabled).

    I think you are fucking around with things and causing more
    problems than you are fixing.

    > Same on other machines, graphics cards doing screwy connecting,
    > remote desk, server, print, fax, loopback, fonts, virtual system. I
    > again on this one use IPV6 even though I set that to not use.


    > I looked through logs and the earlier ones from when I got it
    > mention none of the bullshit I see now. I also apparently have clam
    > xav, firefox, and Internet explorer. Even though I never saw an icon
    > for them & I never had clam xav on this computer. I have net barrier
    > x5 on it since I got it. The firewall is set up to not allow
    > incoming or server & I had set denied to files that didn't need to
    > connect out.

    Based on your verbiage above you don't seem to have a clue.
    Reset everything to use defaults and leave it alone.

    > And the virus scan skips over files but as you said it remembers
    > stuff. But looking at scan logs it says that each file only scanned
    > partially. Or it says I stopped it when I didn't. Hell, I'm sitting
    > here waiting two hours for it to finish but I guess it was only
    > going through the motions.

    So what do you expect it to find? The maybe 50 viruses that exist
    in the wild for the Mac?
    You stand a better chance of being hit by lightning than getting
    one of those.

    > **************End of Emails*******************
    > Is there a problem here?

    Yes but it's not the computer.
    Seeing as several different computers running different operating
    systems were apparently hacked, is it possible that your friend's
    broadband or DSL connection has been compromised at the DSL modem
    or router level?

    That would explain why Linux, OS X and Windows are all getting
    It wouldn't be the first time a router MAC has been spoofed and
    That's where I would look to rectify the problems.
    A fresh install on all systems wouldn't hurt either.
    That's just my opinion though.
    Karl Marks, Mar 22, 2010
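The practical way to settle an argument like the one above is to compare the current log against a known-good baseline instead of reading every entry as hostile. The script below is an added example, not code from the thread or from any product named in it: it runs a small set of patterns for the start-up entries the thread discusses (Dashboard, Bluetooth, CUPS on localhost, the msdosfs kext, the autofs /home and /net mounts) over constructed sample lines and hands back only the lines nobody has explained yet. The log lines, host name and the com.example.helper.plist entry are constructed for the example.

```python
import re

# Constructed sample lines modelled on the entries quoted in the thread;
# these are not real captured logs. The last two lines are deliberately
# outside the baseline so the script has something to flag.
SAMPLE_LOG = [
    "Mar 17 18:40:02 mbp launchd[1]: DashboardAdvisory.plist loaded",
    "Mar 17 18:40:03 mbp blued[62]: Bluetooth daemon started",
    "Mar 17 18:40:04 mbp cupsd[70]: Listening to localhost:631 (IPv4)",
    "Mar 17 18:40:09 mbp kextload[88]: /System/Library/Extensions/msdosfs.kext loaded successfully",
    "Mar 17 18:40:10 mbp automountd[91]: mounted /home from map auto_home",
    "Mar 17 18:40:11 mbp automountd[91]: mounted /net from map -hosts",
    "Mar 17 18:41:31 mbp cupsd[70]: Listening to 0.0.0.0:631 (IPv4)",
    "Mar 17 18:42:00 mbp launchd[1]: /Library/LaunchDaemons/com.example.helper.plist loaded",
]

# Start-up activity the thread explains as ordinary. Each pattern is kept
# narrow on purpose: CUPS bound to every interface instead of localhost is
# a different situation from CUPS on localhost and must not be waved through.
BASELINE_PATTERNS = {
    "dashboard widgets":   r"DashboardAdvisory\.plist loaded$",
    "bluetooth daemon":    r"blued\[\d+\]: Bluetooth daemon started$",
    "cups on localhost":   r"cupsd\[\d+\]: Listening to localhost:631 ",
    "msdosfs (FAT) kext":  r"kextload\[\d+\]: /System/Library/Extensions/msdosfs\.kext loaded",
    "autofs /home":        r"automountd\[\d+\]: mounted /home from map auto_home$",
    "autofs /net":         r"automountd\[\d+\]: mounted /net from map -hosts$",
}

# syslog-style prefix: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def triage(lines):
    """Return (explained, needs_review).

    explained    -> list of (baseline_label, line) for entries matching the baseline
    needs_review -> lines matching no baseline pattern (or unparseable), for a human
    """
    compiled = {label: re.compile(p) for label, p in BASELINE_PATTERNS.items()}
    explained, needs_review = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            needs_review.append(line)  # never drop a line just because it did not parse
            continue
        body = f"{m['proc']}[{m['pid']}]: {m['msg']}"
        label = next((lb for lb, rx in compiled.items() if rx.search(body)), None)
        (explained.append((label, line)) if label else needs_review.append(line))
    return explained, needs_review

if __name__ == "__main__":
    ok, review = triage(SAMPLE_LOG)
    for label, line in ok:
        print(f"baseline [{label}]: {line}")
    for line in review:
        print(f"REVIEW: {line}")
```

Extend BASELINE_PATTERNS from a copy of the log taken when the machine was set up, as the friend in the thread says he meant to do, and the review list stays short enough to actually read.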

  2. lolwtfomg

    same thing is happening to my comps and macs
    lolwtfomg, Oct 6, 2010

  3. Williams

    I prefer to use actymac.com ActyMac DutyWatch Remote. It's a program for remote computer monitoring from iPhone.
    Williams, Jan 25, 2011
