Was I Hacked?

MacShane
Member Since: Jun 01, 2010
Location: Japan
Posts: 186
Mac Specs: Gen1 15"MBP-R 2.3GHz i7, 8GB RAM, OSX 10.9.2
I was sitting there making an "Archives" file on my 3TB LaCie backup disk to back up documents and other files that had already served their purpose but I didn't want to delete permanently...

All of a sudden, the file I had just made along with one or two other files had just been erased and my iPhoto Library had become a file folder and I couldn't restore. As I was sitting there trying to figure out what happened and pressing Command+z to try and reverse the damage, all my other files started disappearing - all my movies, pictures, TV programs, documents and everything from the last 15 years is just GONE! I'm in complete shock!

Was this the work of a hacker? As my folders were disappearing, I also noticed that Terminal was opened and I didn't open it.

I entered the command dscl . list /Users, and in the output were two accounts I didn't recognize - "daemon" and "nobody", but these came up on my MacBook as well.

Is there anything more I can do to find out if I've been hacked?
What about my disc? I know there are utilities out there to restore lost data from discs, but I also know that the best ones are exorbitantly expensive. I would pay good money, but not an insane amount to have that disc restored. Recommendations? Thoughts?

Last edited by MacShane; 04-11-2014 at 07:12 AM.

MacShane
Bump. Anyone?

Lifeisabeach
Member Since: Sep 30, 2007
Location: Wilmington, NC
Posts: 6,843
Mac Specs: iMac i3 (mid-2010) + OS 10.9; TV 3; iPhone 5S; iPad 4
Were you hacked? That is highly unlikely. It is more likely that your drive has crashed. See the next link below for a tutorial of mine on how to test your hard drive.
NTFS for Mac not working

In order to recover deleted files, there are a couple utilities that are good at this. There was recently an outstanding deal on Disk Drill for $9.00. See this next discussion below about how to apply the discount code. It appears to be an excellent program, although one feature was poorly documented and handled (see discussion). I've tested it a little bit, and it seems quite competent otherwise.
Osxfuse

Lifeisabeach
Hey wait a sec. You said Terminal was open and you didn't open that? Now that is bizarre. Can you open up Activity Monitor and give a list of everything that is running? There is an option to export the list to a text file, which you can then open to copy and paste here. Review it all before pasting, in case there's something you want to mask for privacy reasons.

EDIT: also open up System Preferences, then Sharing. What services are enabled? And do you know anyone who has physical access to your computer?

chas_m
Member Since: Jan 22, 2010
Location: Victoria, BC
Posts: 16,191
Mac Specs: 2009 MBP, Black speakers, Black Benq second monitor, black(ish) iPhone 5s, Black 2012 iPad, etc.
I can't offer much help beyond what LIAB has offered, but I can assure you that it's not a hacker. "Daemon" and "Nobody" are perfectly normal accounts to be found in a typical UNIX-based system as OS X is.
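
Added example, not part of any post in this thread: a small filter for the account listing discussed above, which hides the stock system accounts and prints only entries worth a manual look. It assumes the two-column "name UID" output of `dscl . list /Users UniqueID` and the usual OS X convention that built-in accounts sit below UID 500 (with "nobody" at -2) while accounts created by a person start at 501; the sample account names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads "name UniqueID" pairs, the format
# printed on OS X by:  dscl . list /Users UniqueID
# and prints only the accounts that deserve a manual review.

review_accounts() {
    awk '
        NF < 2             { next }   # skip blank or malformed lines
        $2 !~ /^-?[0-9]+$/ { next }   # the UID column must be an integer
        {
            name = $1; uid = $2 + 0
            if (uid == 0 && name != "root")
                print name " uid=" uid " REVIEW: second UID 0 (root-equivalent) account"
            else if (uid >= 500)
                print name " uid=" uid " REVIEW: regular-user UID range, confirm you created it"
            # Everything else (root, daemon, nobody at -2, _service accounts)
            # is a stock system account and is not reported.
        }
    '
}

# Constructed sample listing; "shane" and "support" are made-up account names.
sample_accounts() {
    cat <<'EOF'
_www                    70
daemon                  1
nobody                  -2
root                    0
shane                   501
support                 502
EOF
}

# On a Mac the real listing would be piped in instead:
#   dscl . list /Users UniqueID | review_accounts
sample_accounts | review_accounts
```

With the sample listing, "daemon" and "nobody" are filtered out and only the two accounts in the regular-user range are printed.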

MacShane
Thanks for the replies.

This happened about 10 days ago, so I don't know if it'll help, but here are a couple of screen shots of all system processes running as of now:





Also the only sharing options I have enabled are Screen, File and Printer, with access to only Administrators (that would be only me).

I'm not so concerned about all the movies, programs and music I had on there as I am about all the pictures I had on that disk in the form of iPhoto Library. I wonder if it is a file format which is able to be recovered by even the best disk restoration programs out there.

I ran Disk Utility's verification utility after the disk was erased and it said that "it seems to be okay." I just shut it down and unplugged it after that so that it couldn't be written on or tampered with further until I have a chance to do plenty of research on disk recovery programs and services, so I can decide what to do. In any case, I am about 5,000 miles away from that disk, on a business trip, right now and won't be able to get back to it for at least another 10 days...

Lifeisabeach
If you have screen sharing enabled, then it's certainly possible someone discovered/guessed your password, logged into your system remotely and took control using that. Also, do you routinely log into your Mac as root?

EDIT: And when you enabled root (because you do have to deliberately do so), you DID use a strong password, didn't you? And for that matter, why did you enable it?

MacShane
Hmmm...wasn't aware that I was logging in as root or that I deliberately did so. I just set up myself as admin on my MBP and that's the only account I've ever used. I was using a pretty strong password before and use an even stronger one now.

I'd appreciate any further insight on how I should go about logging in more safely. I keep screen sharing enabled because I frequently share screens between my iMac at home and the MBP. I wasn't doing that at the time this happened, though I was connected to my iMac via my MBP over the network and was accessing the very hard disk that got erased. I'll go ahead and turn off screen share, since I am halfway around the world from my other computers right now.

Again, any further suggestions and details are welcome...

Lifeisabeach
Hmmm... actually I don't think you aren't logged in as root. I see now you switched to the "System Processes" view. I don't see anything that jumps out at me as out of the ordinary, but since you didn't sort by name, I'm having a very hard time comparing it to what's running on my system. What about "All" processes?

MacShane
It's difficult to get any screen captures of the full output, since it refreshes and changes every 5 seconds. Is there a way to output that to text file?

Also, does anybody know what will happen when trying to restore that iPhoto Library file? Will I be able to restore that file or will it just restore each individual picture, if it can be recovered at all?

Lifeisabeach
Quote:
Originally Posted by MacShane
It's difficult to get any screen captures of the full output, since it refreshes and changes every 5 seconds. Is there a way to output that to text file?
Yes, it's an option in the menu. I don't know what it is offhand... I'm away from my Mac for a bit, but it should be obvious once you see it. Try to sort by name, it will be a lot easier to check and correlate against my own processes.

To be perfectly honest though, I'm not sure this will really help. Unless someone had direct physical access to your computer and secretly installed something that gave them remote access, it's more likely they accessed it via the existing Screen Sharing feature that you have turned on, if this was even an act by a 3rd party. It'd be most helpful I think to post logs from the timeframe when this happened.

In the meanwhile, I would at the minimum change your login password, and the password for Screen Sharing, if you have one set for that alone. Also change your iCloud password. You can also consider running AV software just to check your system for anything that OS X's XProtect isn't designed to catch.

Quote:
Also, does anybody know what will happen when trying to restore that iPhoto Library file? Will I be able to restore that file or will it just restore each individual picture, if it can be recovered at all?
I'll double check when I get home, but I believe the file you have in mind is in fact a "package" that contains all the photos in that library.