My mac is hacked

Joined
Feb 25, 2010
Messages
10
Reaction score
0
Points
1
Suspicious activity on my mac

I have a friend here at school who is majoring in computer engineering. I use the term loosely because it's more of a social friendship. We drink and socialize at college. At the beginning of the year, maybe about 6 days after I got a new computer, he called me up over the phone and wanted me to build a website with him. He told me I could be an admin for a fraternal social networking site he wanted to start. Thus I agreed and made an admin account using the password that's used for everything. After getting back to school for this semester, he invited me out to lunch to just talk and get back in touch. We mulled over ideas for the site, but it ended up going nowhere.

Recently I have been experiencing several hour-long lag spikes. I am talking about 48 kbs internet through a wired connection with a D-Link router. I assumed it was my roommate downloading music. I then accessed the router using 192.168.1.1 and blocked all websites with the names torrent, bit, isohunt and such. The problem didn't resolve. I then proceeded to block access from his computer to the router, so his internet wouldn't work. The problem didn't stop. I then disconnected the router, connected directly to my computer and ran a bandwidth test. It showed a speed of 700 kbs.

Then I went and downloaded Little Snitch, a program used to check outgoing data. I had it running in the background.

After doing that, I created a membership here and started typing away. From about 4 in the morning to 6, I had been doing due diligence about hacking and OS X. I learned to look for files that looked out of place. I found one.

In the documents folder
documents.png


A folder called Microsoft User Data


preferencesv.png



In this folder was an Entourage folder that was dated before I bought my Mac.

entouragescriptmenus.png


In the Entourage folder were files I could click on and read the script.

eventu.png


There were also files in Automator.

thisisthedataintheautom.png


Also, is this activity in my Library/Preferences suspicious?

microsoftuserdata.png


At the point I thought I was being hacked, and thought the hacker was looking at my computer, it was 6:30am... after two hours of due diligence.

I typed into a text document:

YOU HACKER I KNOW YOUR LOOKING AT THIS RIGHT NOW. YOU THINK YOU CAN STOP ME. I AM ABOUT TO FIND OUT WHO YOU ARE.

...and started writing this article.


Now the first time I tried typing this in, my browser froze halfway through the article. At this point, I had kept disconnecting and reconnecting my computer to the router because I was paranoid. Then, at one point I just decided to connect directly to the router. When I went back to the web, my internet jumped from 48 kbs on the bandwidth site to 400 kbs. I was then asked by an unknown source with an IP in Columbus, Ohio (I'm located 2 hours away from Columbus) to access my computer, in a notification sent by Little Snitch. I kept the message up while writing down its IP, and while writing this article for the second time. My web browser soon froze. It was in the middle of looking up the IP and typing this.

The third time around I blocked everything accessing my computer.
Little Snitch's connection history shows

dns-cac-lb-02.rr.com
dns-cac-lb-0a.rr.com
10.24.17.107
10.24.17.102

Another suspicious thing. Before I got all paranoid and started blocking connections through Little Snitch, I was observing the Activity Monitor and saw constant and blinking usage from mdworker. It was only flickering at around 1 percent, and stopped doing this as soon as I started managing Little Snitch.

I'm constantly looking for more stuff. Let me know if I'm paranoid or if I'm on to something here. I'm deeply worried.
 
OP
M
Joined
Feb 25, 2010
Messages
10
Reaction score
0
Points
1
Another suspicious thing.

At one point I was so paranoid about this that I started typing this post offline. When I got back online, I had another lag spike and had to restart my browser.
Here is a folder I found, edited at about the time I came back on the internet. Notice the time it was edited.

Today, 7:03

userdata.png


But then within the file, there are different dates.

workscriptmenu.png


sampleautomaterworkflow.png
 
Joined
Mar 11, 2009
Messages
469
Reaction score
9
Points
18
Sounds like you're dealing with a mess. Do a clean reinstall of OS X, or at least delete that other admin account and change your password. That was a really stupid thing to do in the first place.
 
OP
M
Joined
Feb 25, 2010
Messages
10
Reaction score
0
Points
1
I just changed my password. Is there any definitive way to find a ghosted trail of someone accessing your computer? Maybe even in the kernel. I found two logs that I'm reading through in the Console that were dated Feb 12. I can't make any sense of them; if you want me to email them or look for anything particular in them, let me know.
 
OP
M
Joined
Feb 25, 2010
Messages
10
Reaction score
0
Points
1
Can someone make sense of this message, particularly the code setugid?

-MacBook-Pro UserNotificationCenter[2251]: The application with bundle ID (null) is running setugid(), which is not allowed.
 
OP
M
Joined
Feb 25, 2010
Messages
10
Reaction score
0
Points
1
and this

Feb 25 06:41:13 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[488]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[488]): Exited with exit code: 1
Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:23 cpe-174-102-116-115 UserNotificationCenter[489]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:41:23 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[489]): Exited with exit code: 1
Feb 25 06:41:23 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[490]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[490]): Exited with exit code: 1
Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:33 cpe-174-102-116-115 UserNotificationCenter[491]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:41:33 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[491]): Exited with exit code: 1
Feb 25 06:41:33 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:41 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[492]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:41:41 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[492]): Exited with exit code: 1
Feb 25 06:41:41 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:43 cpe-174-102-116-115 UserNotificationCenter[493]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:41:43 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[493]): Exited with exit code: 1
Feb 25 06:41:43 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:51 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[494]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:41:51 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[494]): Exited with exit code: 1
Feb 25 06:41:51 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:53 cpe-174-102-116-115 UserNotificationCenter[495]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:41:53 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[495]): Exited with exit code: 1
Feb 25 06:41:53 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:01 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[496]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:42:01 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[496]): Exited with exit code: 1
Feb 25 06:42:01 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:03 cpe-174-102-116-115 UserNotificationCenter[497]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:42:03 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[497]): Exited with exit code: 1
Feb 25 06:42:03 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:11 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[498]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:42:11 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[498]): Exited with exit code: 1
Feb 25 06:42:11 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:13 cpe-174-102-116-115 UserNotificationCenter[499]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:42:13 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[499]): Exited with exit code: 1
Feb 25 06:42:13 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[500]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:42:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[500]): Exited with exit code: 1
Feb 25 06:42:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:23 cpe-174-102-116-115 UserNotificationCenter[501]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:42:23 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[501]): Exited with exit code: 1
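As an added triage aid (not code from the thread or from Apple), here is a small Python script that parses launchd console lines of the kind pasted above and summarizes each crash loop per job label: how many times the process exited, how often launchd throttled its respawn, the cadence between exits, and the reason the lines themselves give. It answers the earlier question about setugid() as far as the log allows: that line is emitted by the process itself when it finds it was started with setuid/setgid credentials and refuses to continue, while the fontd lines say posix_spawn could not find the executable at the quoted path. The sample lines are copied from this post; the parsing rules, the matching of a process name to its launchd label, and the classification text are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the console dump in this thread (constructed subset).
SAMPLE_LOG = """\
Feb 25 06:41:13 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[488]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[488]): Exited with exit code: 1
Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:23 cpe-174-102-116-115 UserNotificationCenter[489]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:41:23 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[489]): Exited with exit code: 1
Feb 25 06:41:23 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[490]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[490]): Exited with exit code: 1
Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:33 cpe-174-102-116-115 UserNotificationCenter[491]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:41:33 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[491]): Exited with exit code: 1
Feb 25 06:41:33 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
"""

# Syslog-style line: "<Mon DD HH:MM:SS> <host> <proc>[<pid>] [(<launchd label>[pid])]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\](?: \((?P<label>[^)]*)\))?: (?P<msg>.*)$"
)
SPAWN_RE = re.compile(r'posix_spawn\("([^"]+)", \.\.\.\): (.*)')


def parse_line(line):
    """Return a dict of fields for one console line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["label"]:
        # launchd appends "[pid]" to the label once the job has a process; strip it.
        rec["label"] = re.sub(r"\[\d+\]$", "", rec["label"])
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year not logged
    return rec


def new_job():
    return {"spawn_failures": 0, "missing_paths": set(), "exits": [],
            "exit_times": [], "throttles": 0, "setugid": 0}


def summarize(log_text):
    """Group the launchd messages by job label and count what happened to each job."""
    jobs = defaultdict(new_job)
    setugid_by_proc = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["label"] is None:
            # Message logged by the process itself, not by launchd about a job.
            if "setugid()" in msg:
                setugid_by_proc[rec["proc"]] += 1
            continue
        job = jobs[rec["label"]]
        m = SPAWN_RE.match(msg)
        if m:
            job["spawn_failures"] += 1
            job["missing_paths"].add(m.group(1))
        elif msg.startswith("Exited with exit code:"):
            job["exits"].append(int(msg.rsplit(":", 1)[1]))
            job["exit_times"].append(rec["time"])
        elif msg.startswith("Throttling respawn"):
            job["throttles"] += 1
    # Assumption: a process named X belongs to the launchd job whose label ends in ".X".
    for proc, count in setugid_by_proc.items():
        for label in jobs:
            if label.endswith("." + proc):
                jobs[label]["setugid"] += count
    return jobs


def respawn_period(job):
    """Median seconds between consecutive exits of a job; None if it exited fewer than twice."""
    times = job["exit_times"]
    if len(times) < 2:
        return None
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2]


def assess(jobs):
    """One plain-language finding per job, stating only what the lines themselves say."""
    findings = {}
    for label, job in jobs.items():
        period = respawn_period(job)
        cadence = "" if period is None else " every %.0f s" % period
        if job["missing_paths"]:
            findings[label] = "crash loop%s: executable not found: %s" % (
                cadence, ", ".join(sorted(job["missing_paths"])))
        elif job["setugid"]:
            findings[label] = ("crash loop%s: process refused to run with setuid/setgid "
                               "credentials (%d setugid() messages)" % (cadence, job["setugid"]))
        elif job["exits"] or job["throttles"]:
            findings[label] = "crash loop%s: %d exits, %d throttled respawns" % (
                cadence, len(job["exits"]), job["throttles"])
    return findings


if __name__ == "__main__":
    for label, finding in sorted(assess(summarize(SAMPLE_LOG)).items()):
        print("%-40s %s" % (label, finding))
```

Run it against a longer dump by replacing SAMPLE_LOG with the contents of the Console log; the cadence of 10 seconds is simply launchd's respawn throttle, so a steady 10 s loop says "the job keeps failing immediately", and the posix_spawn or setugid() text tells you why it fails.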
 
OP
M
Joined
Feb 25, 2010
Messages
10
Reaction score
0
Points
1
I have blocked the IP address, which is an Ohio IP address; my school is located in Ohio. It is denied any UDP connections to port 67 (bootps), though I'm worried it still has a connection through any of the thousands of ports.


/usr/libexec/configd

Deny UDP connections to port 67 (bootps) of 65.24.14.18 until configd quits

IP Address: 65.24.14.18

wants to connect to cncnoh-dhcp-03.ohiordc.rr.com on UDP port 67 (bootps).
 
Joined
Apr 26, 2008
Messages
2,963
Reaction score
120
Points
63
Location
Belgium
Your Mac's Specs
iPad Pro 12.9 latest iOS
In my view, this thread is not going anywhere ...

My suggestion is to back up your documents and other stuff you need, do a clean install, reload your documents and stuff... that should do it.

Cheers ... McBie
 
Joined
Nov 28, 2007
Messages
25,564
Reaction score
486
Points
83
Location
Blue Mountains NSW Australia
Your Mac's Specs
Silver M1 iMac 512/16/8/8 macOS 11.6
Some folk should never be allowed near a computer. Pop in your OS X install DVD, erase the HDD, zeroing if it makes you happy, and do a clean install.
 
OP
M
Joined
Feb 25, 2010
Messages
10
Reaction score
0
Points
1
I have now decided that since there was such a drastic decrease in my internet speed (48 kbs down from 700 kbs), my computer wasn't the only one being looked at. If there was a hacker in our network, he had to be looking at every computer. It's sad.
 
Joined
Jul 18, 2007
Messages
3,184
Reaction score
93
Points
48
Location
Central California
Your Mac's Specs
2.16GHz C2D MacBook w/ 2GB RAM & 120GB HD. HTC Droid Incredible.
Some folk should never be allowed near a computer. Pop in your OS X install DVD, erase the HDD, zeroing if it makes you happy, and do a clean install.

Wise words.
 
OP
M
Joined
Feb 25, 2010
Messages
10
Reaction score
0
Points
1
I have tried to block ports that are associated with mdworker. Every time I tried using Little Snitch, a new port becomes assigned to mdworker. How can I prevent this?

Also, I have barely used Safari today. At one point, about a half hour ago, I was unable to move my windows. Usually I can move my pointer to the bottom left/right of my desktop to shuffle windows and to show the desktop. At one point while using Safari, I was unable to do either until I rebooted the computer.

I also am noticing popups from Safari that just do not seem to respond.

screenshot20100226at122.png


screenshot20100225at924.png
I also noticed something that may or may not be important in Network connections.

**notice the bypass proxy settings for these host and domains**

screenshot20100226at100.png
 
Joined
Sep 9, 2009
Messages
5,473
Reaction score
201
Points
63
Location
Down Under :D
Your Mac's Specs
Back to my old 2.2GHz C2D MB after selling my MBP and wondering what my next Mac will be :)
In my view, this thread is not going anywhere ...

My suggestion is to back up your documents and other stuff you need, do a clean install, reload your documents and stuff... that should do it.

Cheers ... McBie

Some folk should never be allowed near a computer. Pop in your OS X install DVD, erase the HDD, zeroing if it makes you happy, and do a clean install.

In case you missed it, I have posted these 2 responses for you to read!

Follow their advice, and then you are done, and you can stop freaking yourself out :D
 
OP
M
Joined
Feb 25, 2010
Messages
10
Reaction score
0
Points
1
Wow, I am such a noob. I just finally looked to see if my firewall was on. It had been turned off in System Preferences/Security/Firewall.

There was also no Master password set.

Also there were no security settings enabled except "use secure virtual memory".
 
C

chas_m

Guest
Macnoob5:

1. There is no hacker. Nothing you reported is in any way out of the ordinary.

For example, "mdworker" is SPOTLIGHT. It's not stalking you, it's trying to index all those files you keep altering.

2. You don't need a software firewall. At all. You don't need "secure virtual memory" and you *absolutely* don't need Filevault.

3. With this level of paranoia, and assuming you're not on some kind of medication, I'm going to suggest you go back to Windows where at least this irrational fear is justified. :)

4. Finally, you've had a simple, thorough solution that will solve your imaginary "problems" posted to you at least three times. That you haven't done it says a lot about you, but nothing good.
 
Joined
Sep 9, 2009
Messages
5,473
Reaction score
201
Points
63
Location
Down Under :D
Your Mac's Specs
Back to my old 2.2GHz C2D MB after selling my MBP and wondering what my next Mac will be :)
chas_m
pmsl trying to type....
rofl still while typing :D
What can I say? I guess sometimes we could all use a little medication ;/
Give the poor OP a break!
 
Joined
Mar 2, 2011
Messages
5
Reaction score
0
Points
1
you're not paranoid

100% sure on this one.


My wife works for an Ohio School, we just attended a rally against SB5, and now I'm seeing system intrusions from dns-cac-lb-02.rr.com

I know how to keep my system relatively secure, and I am able to see ridiculously bad attempts at exploiting my system

I should also note that my wife has insisted on keeping an anti Senate Bill 5 sign in our front window, and we've been analyzing full text of the law over the internet, closely following things via internet, etc

so, you're not paranoid
 
cwa107


Retired Staff
Joined
Dec 20, 2006
Messages
27,042
Reaction score
812
Points
113
Location
Lake Mary, Florida
Your Mac's Specs
14" MacBook Pro M1 Pro, 16GB RAM, 1TB SSD
My wife works for an Ohio School, we just attended a rally against SB5, and now I'm seeing system intrusions from dns-cac-lb-02.rr.com

That looks to be a DNS server for your ISP (RoadRunner). DNS servers convert human-friendly names (like Google.com) to IP addresses (like 72.14.204.99).
 
Joined
Mar 2, 2011
Messages
5
Reaction score
0
Points
1
All I can say is I see a whole bunch of IPs blocked through that gateway now that I have the firewall on.

Ports blocked for a couple of exploits. I knew my MySQL installation was insecure but never thought it would matter...

so I blocked that.

some other program, too.

shell script was running on my computer that I got rid of.

not pointing any fingers, but I'm curious :)
 