Was I Hacked?

Joined
Jun 1, 2010
Messages
195
Reaction score
5
Points
18
Location
Japan
Your Mac's Specs
Early 2015 13"MBA 2.2GHz i7, 8GB RAM, OS X 10.11.6
I was sitting there making an "Archives" file on my 3TB LaCie backup disk to back up documents and other files that had already served their purpose but I didn't want to delete permanently...

All of a sudden, the file I had just made along with one or two other files had just been erased and my iPhoto Library had become a file folder and I couldn't restore it. As I was sitting there trying to figure out what happened and pressing Command+z to try and reverse the damage, all my other files started disappearing - all my movies, pictures, TV programs, documents and everything from the last 15 years is just GONE! I'm in complete shock!

Was this the work of a hacker? As my folders were disappearing, I also noticed that Terminal was opened and I didn't open it.

I entered the command dscl . list /Users, and in the output were two accounts I didn't recognize - "daemon" and "nobody" - but these came up on my MacBook as well.

Is there anything more I can do to find out if I've been hacked?
What about my disc? I know there are utilities out there to restore lost data from discs, but I also know that the best ones are exorbitantly expensive. I would pay good money, but not an insane amount to have that disc restored. Recommendations? Thoughts?
 
OP
MacShane
Bump. Anyone?
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
Were you hacked? That is highly unlikely. It is more likely that your drive has crashed. See the next link below for a tutorial of mine on how to test your hard drive.
http://www.mac-forums.com/forums/os-x-operating-system/301467-ntfs-mac-not-working.html#post1528773

In order to recover deleted files, there are a couple utilities that are good at this. There was recently an outstanding deal on Disk Drill for $9.00. See this next discussion below about how to apply the discount code. It appears to be an excellent program, although one feature was poorly documented and handled (see discussion). I've tested it a little bit, and it seems quite competent otherwise.
http://www.mac-forums.com/forums/os-x-apps-games/310540-osxfuse.html
 
Location
The Republic of Neptune
Hey wait a sec. You said Terminal was open and you didn't open that? Now that is bizarre. Can you open up Activity Monitor and give a list of everything that is running? There is an option to export the list to a text file, which you can then open to copy and paste here. Review it all before pasting, in case there's something you want to mask for privacy reasons.

EDIT: also open up System Preferences, then Sharing. What services are enabled? And do you know anyone who has physical access to your computer?
 
chas_m

Guest
I can't offer much help beyond what LIAB has offered, but I can assure you that it's not a hacker. "Daemon" and "Nobody" are perfectly normal accounts to be found in a typical UNIX-based system as OS X is.
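
An added example, not part of the original thread: a way to triage the account list instead of eyeballing it, by feeding the output of dscl . list /Users UniqueID (name and UID per line) through a filter. The function name triage_accounts and the sample listing are constructed for illustration; the UID ranges follow the usual macOS convention (service accounts below 500, login accounts from 501), which is an assumption of this sketch.

```sh
#!/bin/sh
# Added example: triage "name uid" pairs as printed by
#   dscl . list /Users UniqueID
# Arguments are the login names you expect to exist on this Mac.
# Prints one REVIEW line per account that deserves a manual look.
triage_accounts() {
    awk -v known="$*" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    NF < 2 { next }                      # skip blank or malformed lines
    {
        name = $1; uid = $2 + 0
        if (uid == 0 && name != "root")
            print "REVIEW uid0-alias " name          # second account with root UID
        else if (uid >= 500 && !(name in ok))
            print "REVIEW unknown-login " name " uid=" uid
        else if (uid > 0 && uid < 500 && name !~ /^_/ && name != "daemon")
            print "REVIEW odd-service-name " name " uid=" uid
        # root (0), daemon (1), nobody (-2) and _prefixed service
        # accounts fall through silently: they ship with the OS.
    }'
}

# Constructed sample listing (not taken from any real machine).
SAMPLE='_appleevents 55
_www 70
daemon 1
shane 501
nobody -2
root 0
support 502
toor 0'

# Stand-alone run on the sample; on a Mac, replace the printf with
#   dscl . list /Users UniqueID | triage_accounts yourshortname
printf '%s\n' "$SAMPLE" | triage_accounts shane
```

On the sample, only "support" and "toor" are reported; "daemon" and "nobody" are passed over, which matches the explanation above.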
 
OP
MacShane
Thanks for the replies.

This happened about 10 days ago, so I don't know if it'll help, but here are a couple of screen shots of all system processes running as of now:





Also the only sharing options I have enabled are Screen, File and Printer, with access to only Administrators (that would be only me).

I'm not so concerned about all the movies, programs and music I had on there as I am about all the pictures I had on that disk in the form of iPhoto Library. I wonder if it is a file format which is able to be recovered by even the best disk restoration programs out there.

I ran Disk Utility's verification utility after the disk was erased and it said that "it seems to be okay." I just shut it down and unplugged it after that so that it couldn't be written on or tampered with further until I have a chance to do plenty of research on disk recovery programs and services, so I can decide what to do. In any case, I am about 5,000 miles away from that disk, on a business trip, right now and won't be able to get back to it for at least another 10 days...
 
Location
The Republic of Neptune
If you have screen sharing enabled, then it's certainly possible someone discovered/guessed your password, logged into your system remotely and took control using that. Also, do you routinely log into your Mac as root?

EDIT: And when you enabled root (because you do have to deliberately do so), you DID use a strong password, didn't you? And for that matter, why did you enable it?
 
OP
MacShane
Hmmm...wasn't aware that I was logging in as root or that I deliberately did so. I just set up myself as admin on my MBP and that's the only account I've ever used. I was using a pretty strong password before and use an even stronger one now.

I'd appreciate any further insight on how I should go about logging in more safely. I keep screen sharing enabled because I frequently share screens between my iMac at home and the MBP. I wasn't doing that at the time this happened, though I was connected to my iMac via my MBP over the network and was accessing the very hard disk that got erased. I'll go ahead and turn off screen share, since I am halfway around the world from my other computers right now.

Again, any further suggestions and details are welcome...
 
Location
The Republic of Neptune
Hmmm... actually I don't think you aren't logged in as root. I see now you switched to the "System Processes" view. I don't see anything that jumps out at me as out of the ordinary, but since you didn't sort by name, I'm having a very hard time comparing it to what's running on my system. What about "All" processes?
 
OP
MacShane
It's difficult to get any screen captures of the full output, since it refreshes and changes every 5 seconds. Is there a way to output that to text file?

Also, does anybody know what will happen when trying to restore that iPhoto Library file? Will I be able to restore that file or will it just restore each individual picture, if it can be recovered at all?
 
Location
The Republic of Neptune
> It's difficult to get any screen captures of the full output, since it refreshes and changes every 5 seconds. Is there a way to output that to text file?

Yes, it's an option in the menu. I don't know what it is offhand... I'm away from my Mac for a bit, but it should be obvious once you see it. Try to sort by name, it will be a lot easier to check and correlate against my own processes.

To be perfectly honest though, I'm not sure this will really help. Unless someone had direct physical access to your computer and secretly installed something that gave them remote access, it's more likely they accessed it via the existing Screen Sharing feature that you have turned on, if this was even an act by a 3rd party. It'd be most helpful I think to post logs from the timeframe when this happened.

In the meanwhile, I would at the minimum change your login password, and the password for Screen Sharing, if you have one set for that alone. Also change your iCloud password. You can also consider running AV software just to check your system for anything that OS X's XProtect isn't designed to catch.

> Also, does anybody know what will happen when trying to restore that iPhoto Library file? Will I be able to restore that file or will it just restore each individual picture, if it can be recovered at all?

I'll double check when I get home, but I believe the file you have in mind is in fact a "package" that contains all the photos in that library.
 
