
Thread: Was I Hacked?

  1. #1

    MacShane's Avatar
    Member Since
    Jun 01, 2010
    Location
    Japan
    Posts
    194
    Specs:
    Early 2015 13"MBA 2.2GHz i7, 8GB RAM, OS X 10.11.1
    Was I Hacked?
    I was sitting there making an "Archives" file on my 3TB LaCie backup disk to back up documents and other files that had already served their purpose but I didn't want to delete permanently...

    All of a sudden, the file I had just made along with one or two other files had just been erased and my iPhoto Library had become a file folder and I couldn't restore. As I was sitting there trying to figure out what happened and pressing Command+z to try and reverse the damage, all my other files started disappearing - all my movies, pictures, TV programs, documents and everything from the last 15 years is just GONE! I'm in complete shock!

    Was this the work of a hacker? As my folders were disappearing, I also noticed that Terminal was opened and I didn't open it.

    I entered the command dscl . list /Users and in the output were two accounts I didn't recognize - "daemon" and "nobody", but these came up on my MacBook as well.

    Is there anything more I can do to find out if I've been hacked?
    What about my disc? I know there are utilities out there to restore lost data from discs, but I also know that the best ones are exorbitantly expensive. I would pay good money, but not an insane amount to have that disc restored. Recommendations? Thoughts?
    Last edited by MacShane; 04-11-2014 at 08:12 AM.

  2. #2

    MacShane's Avatar
    Member Since
    Jun 01, 2010
    Location
    Japan
    Posts
    194
    Specs:
    Early 2015 13"MBA 2.2GHz i7, 8GB RAM, OS X 10.11.1
    Bump. Anyone?

  3. #3

    Lifeisabeach's Avatar
    Member Since
    Sep 30, 2007
    Location
    The Republic of Neptune
    Posts
    7,760
    Were you hacked? That is highly unlikely. It is more likely that your drive has crashed. See the next link below for a tutorial of mine on how to test your hard drive.
    http://www.mac-forums.com/forums/os-...ml#post1528773

    In order to recover deleted files, there are a couple utilities that are good at this. There was recently an outstanding deal on Disk Drill for $9.00. See this next discussion below about how to apply the discount code. It appears to be an excellent program, although one feature was poorly documented and handled (see discussion). I've tested it a little bit, and it seems quite competent otherwise.
    http://www.mac-forums.com/forums/os-...0-osxfuse.html

  4. #4

    Lifeisabeach's Avatar
    Member Since
    Sep 30, 2007
    Location
    The Republic of Neptune
    Posts
    7,760
    Hey wait a sec. You said Terminal was open and you didn't open that? Now that is bizarre. Can you open up Activity Monitor and give a list of everything that is running? There is an option to export the list to a text file, which you can then open to copy and paste here. Review it all before pasting, in case there's something you want to mask for privacy reasons.

    EDIT: also open up System Preferences, then Sharing. What services are enabled? And do you know anyone who has physical access to your computer?

  5. #5


    Member Since
    Jan 22, 2010
    Location
    Victoria, BC
    Posts
    20,911
    Specs:
    Mid-2012 MBP (16GB, 1TB HD), Monoprice 24-inch second monitor, iPhone 5s 32GB, iPad Air 2 64GB
    I can't offer much help beyond what LIAB has offered, but I can assure you that it's not a hacker. "Daemon" and "Nobody" are perfectly normal accounts to be found in a typical UNIX-based system as OS X is.
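
Added example, not part of any post in this thread: a way to separate the built-in service accounts discussed above from accounts a person can actually log in with, by reading the name and UID columns that `dscl . -list /Users UniqueID` prints. The function names and the sample account list are constructed for illustration.

```shell
#!/bin/sh
# Classify accounts from `dscl . -list /Users UniqueID` output (name, UID per line).
# On OS X, regular login accounts get UIDs from 501 up; service accounts sit
# below 500 (most are prefixed with "_"), root is 0 and "nobody" is -2.

classify_accounts() {
    # Reads "name uid" lines on stdin; prints "<class> <name> <uid>" per line.
    awk '
        NF < 2 || $2 !~ /^-?[0-9]+$/ { next }            # skip malformed lines
        $2 == 0   { print "root", $1, $2; next }
        $2 >= 500 { print "login", $1, $2; next }
                  { print "system", $1, $2 }
    '
}

login_accounts() {
    # Only the names a person could log in with: the ones worth recognising.
    classify_accounts | awk '$1 == "login" { print $2 }'
}

# Constructed sample shaped like dscl output (hypothetical users, not from the thread).
sample_accounts() {
    cat <<'EOF'
_www                     70
alice                    501
bob                      502
daemon                   1
nobody                   -2
root                     0
EOF
}

# On a real Mac: dscl . -list /Users UniqueID | login_accounts
if [ "${1:-}" = "--demo" ]; then
    sample_accounts | classify_accounts
fi
```

An account in the "login" class that the owner does not recognise is the thing to investigate; "daemon" and "nobody" land in the "system" class.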

  6. #6

    MacShane's Avatar
    Member Since
    Jun 01, 2010
    Location
    Japan
    Posts
    194
    Specs:
    Early 2015 13"MBA 2.2GHz i7, 8GB RAM, OS X 10.11.1
    Thanks for the replies.

    This happened about 10 days ago, so I don't know if it'll help, but here are a couple of screen shots of all system processes running as of now:





    Also the only sharing options I have enabled are Screen, File and Printer, with access to only Administrators (that would be only me).

    I'm not so concerned about all the movies, programs and music I had on there as I am about all the pictures I had on that disk in the form of iPhoto Library. I wonder if it is a file format which is able to be recovered by even the best disk restoration programs out there.

    I ran Disk Utility's verification utility after the disk was erased and it said that "it seems to be okay." I just shut it down and unplugged it after that so that it couldn't be written on or tampered with further until I have a chance to do plenty of research on disk recovery programs and services, so I can decide what to do. In any case, I am about 5,000 miles away from that disk, on a business trip, right now and won't be able to get back to it for at least another 10 days...

  7. #7

    Lifeisabeach's Avatar
    Member Since
    Sep 30, 2007
    Location
    The Republic of Neptune
    Posts
    7,760
    If you have screen sharing enabled, then it's certainly possible someone discovered/guessed your password, logged into your system remotely and took control using that. Also, do you routinely log into your Mac as root?

    EDIT: And when you enabled root (because you do have to deliberately do so), you DID use a strong password, didn't you? And for that matter, why did you enable it?

  8. #8

    MacShane's Avatar
    Member Since
    Jun 01, 2010
    Location
    Japan
    Posts
    194
    Specs:
    Early 2015 13"MBA 2.2GHz i7, 8GB RAM, OS X 10.11.1
    Hmmm...wasn't aware that I was logging in as root or that I deliberately did so. I just set up myself as admin on my MBP and that's the only account I've ever used. I was using a pretty strong password before and use an even stronger one now.

    I'd appreciate any further insight on how I should go about logging in more safely. I keep screen sharing enabled because I frequently share screens between my iMac at home and the MBP. I wasn't doing that at the time this happened, though I was connected to my iMac via my MBP over the network and was accessing the very hard disk that got erased. I'll go ahead and turn off screen share, since I am halfway around the world from my other computers right now.

    Again, any further suggestions and details are welcome...

  9. #9

    Lifeisabeach's Avatar
    Member Since
    Sep 30, 2007
    Location
    The Republic of Neptune
    Posts
    7,760
    Hmmm... actually I don't think you aren't logged in as root. I see now you switched to the "System Processes" view. I don't see anything that jumps out at me as out of the ordinary, but since you didn't sort by name, I'm having a very hard time comparing it to what's running on my system. What about "All" processes?

  10. #10

    MacShane's Avatar
    Member Since
    Jun 01, 2010
    Location
    Japan
    Posts
    194
    Specs:
    Early 2015 13"MBA 2.2GHz i7, 8GB RAM, OS X 10.11.1
    It's difficult to get any screen captures of the full output, since it refreshes and changes every 5 seconds. Is there a way to output that to text file?

    Also, does anybody know what will happen when trying to restore that iPhoto Library file? Will I be able to restore that file or will it just restore each individual picture, if it can be recovered at all?

  11. #11

    Lifeisabeach's Avatar
    Member Since
    Sep 30, 2007
    Location
    The Republic of Neptune
    Posts
    7,760
    Quote: Originally posted by MacShane
    It's difficult to get any screen captures of the full output, since it refreshes and changes every 5 seconds. Is there a way to output that to text file?
    Yes, it's an option in the menu. I don't know what it is offhand... I'm away from my Mac for a bit, but it should be obvious once you see it. Try to sort by name, it will be a lot easier to check and correlate against my own processes.

    To be perfectly honest though, I'm not sure this will really help. Unless someone had direct physical access to your computer and secretly installed something that gave them remote access, it's more likely they accessed it via the existing Screen Sharing feature that you have turned on, if this was even an act by a 3rd party. It'd be most helpful I think to post logs from the timeframe when this happened.

    In the meanwhile, I would at the minimum change your login password, and the password for Screen Sharing, if you have one set for that alone. Also change your iCloud password. You can also consider running AV software just to check your system for anything that OS X's XProtect isn't designed to catch.

    Quote: Originally posted by MacShane
    Also, does anybody know what will happen when trying to restore that iPhoto Library file? Will I be able to restore that file or will it just restore each individual picture, if it can be recovered at all?
    I'll double check when I get home, but I believe the file you have in mind is in fact a "package" that contains all the photos in that library.
