Am I going bananas or could a tracker be doing this?

Joined
Nov 5, 2014
Messages
10
Reaction score
0
Points
1
Location
Scotland
Your Mac's Specs
Macbook Air
Hi, I'm a very inexperienced Macbook Air user and completely new to most of this stuff but I could really do with some advice on a situation and it is way out of my comfort zone. Ok, so I'll try and give a quick overview and anyone who is kind and patient enough to want to help can let me know if more information is required.

Started to notice unusual activity on my Macbook around June, e.g. my Facebook account I had deactivated 4 years prior suddenly reactivated and not by me. Emails seemed to disappear, AOL instant messenger was suddenly on my macbook, even though I had never used or installed it, my Mac started to crash and hang with console saying iChat had caused it and showing logs of iChats which I couldn't access as they were on a private framework. Everything was done with my ID (sole user of my macbook) and my Apple ID. I tightened security, changed passwords etc but the situation worsened. All of my accounts were being accessed and all of this activity was going on which was not me. My iPhone is similarly affected. Unfortunately there is only one person with physical access to my laptop and iPhone, my husband, and I totally blamed him, was sure he was having an affair. So, already this is causing serious issues.

Then, beginning of Oct, I got a message from Apple that my ID had been used to login to a Macbook Air 13". I was out. Husband home. When I got home I checked my account, all in order. I allow no one on my laptop so my Guest User account is on shutdown always, no access ever. However, my account had been accessed, the preferences changed, a guest user account set up, used and exited from and the settings changed back. I only knew the guest user had been used because when I investigated I found AIM had been installed. I also found under an alias (can't remember what) a dmg file which had lists and lists of actions to be taken when instructions were issued remotely. Anyway, I have spent hours and hours researching and digging and learning as much as I can. The upshot is that I think the source is called tracker.amazonaws.com:6969 with lots of other letters also, but I'm not sure how relevant they are, things like bits etc. So, the problem is escalating, my iPhoto library with every pic I have of my 4 year old is gone, all of my mail accounts/social accounts are barmy, maps, calendar, my iPhone, in fact everything has a life of its own. I feel like I am losing the plot because stuff is happening that just shouldn't, and I am not sure if I'm overreacting, actions to take and what I can really do safely online any more. I'm also, if I'm truthful, still suspicious that ALL of this is being caused by some random tracker as some of the actions that are being taken seem really personal, but I'm afraid to belabour that issue in case I really do sound like a paranoid lunatic. So, can you help?? Please? Even just reassurance that this is possible?

Sorry for what I'm sure is a huge paragraph of difficult to read blurb, but I'm too scared to edit in case I lose this and I then lose the nerve to try again!

Thanking you for even reading to the end of the post! Sincerely, Jacquie
 
Joined
Apr 30, 2012
Messages
463
Reaction score
14
Points
18
Location
Wales, UK
Your Mac's Specs
I Mac 27-inch 3.2 GHz Intel Core i5 24GB ram. MacBook Pro 13-inch 2.5GHz dual-core Intel i5 16GB ram
Has anyone had physical access to your computer?
 
OP
J
Joined
Nov 5, 2014
Messages
10
Reaction score
0
Points
1
Location
Scotland
Your Mac's Specs
Macbook Air
Sorry for delay in response

Hi, yes my husband has physical access. My administrator passwords, logins etc would be easy for him to find. It's why I assumed he was to blame, it seemed the only logical explanation. He is not technical and has never shown the remotest interest in my Macbook, but without knowledge to the contrary he is the only suspect.

In case it helps, the tracker seems to be operating via remote access and various activities carried out via Airdrop (which btw I have never used or set up). I have lots and lots of data and screen shots so holler if anything could throw light on this for you. Thank you.
 
Joined
Nov 28, 2007
Messages
25,564
Reaction score
486
Points
83
Location
Blue Mountains NSW Australia
Your Mac's Specs
Silver M1 iMac 512/16/8/8 macOS 11.6
What model Mac and what operating system?

First step may be changing the User Password. Depending on the operating system you can do this via the install DVD, or on a later OS in System Preferences > Users & Groups > Password > Change Password.

Something strong using numerical and alphabetical and caps such as:-

n0More4yOu
 
OP
J
Joined
Nov 5, 2014
Messages
10
Reaction score
0
Points
1
Location
Scotland
Your Mac's Specs
Macbook Air
Hi, it's a MacBook Air 13 inch, late 2010. OS X Yosemite Version 10.10. 2GB Memory. Harry, my laptop is now password protected like it held the answers to the mysteries of the universe and I'm almost on complete shutdown. I've been changing my passwords daily, for about four months but it makes no difference. This thing continues to wreak havoc.

I'm thinking that possibly I'm not explaining myself very well. I'll post some specific documentation and hopefully it will clarify the situation. I'm rubbish at technical stuff so may take me all night but will you have a look for me Harry? docx?
 
Joined
Aug 19, 2014
Messages
792
Reaction score
4
Points
18
OK, let me ask you this question.

1. Did you purchase Yosemite version 10.10 from the Apple store?

The reason I ask is it sounds like she got the AirDrop back door issue, but weird, it was only supposed to be in the developers' and beta testers' versions of the operating system.

See, what happened: when we were testing Yosemite we noticed we could remote control a computer (pardon the term) by using AirDrop and the iCloud Drive feature on Yosemite. Apple patched this in the full version 10.10.1 and removed the issue, which does work; we can no longer remote control a computer. But you have another issue at hand here, which is this.

If you didn't purchase Yosemite and purchased the laptop used or refurbished and they didn't install a legal version of Mac OS X Yosemite, then you could be getting targeted by hackers because the backdoor is still there.


Good news: there is a fix

Bad news: you're not going to enjoy it.


Basically your Apple ID has been compromised and you need to basically start from ground zero. Sorry to say this; throughout testing this out, this was the only way we could stop it in testing.

Disconnect completely from the internet: turn off the wireless and remove any LAN cables attached to the MacBook in question.

Now before you ask:

Here is how.

Next to the clock on the upper right-hand side of the screen you will see what looks like a bunch of vertical lines. This is your wifi icon; the lines will look like small to large lines.

Click turn off wifi.

Now here is the fun part to watch: with the wifi disabled, watch the wifi icon next to the clock. If your wifi comes back on, someone is on your wireless network itself and it's not the Mac; however, if it doesn't come back on then I would say it's the Mac.

Now for the good and the bad and the ugly.

Good: this means the machine can be saved.

Bad: you have to do a complete format of the machine to fix it.

Basically, if they have control over your account then they have control over your wifi signal as well.

You need to change your wireless router's passwords and do a complete factory reset on the router to clear out any unauthorized information.

Now you need to create a new password. Make sure you use caps lock and numbers to do so; see, most password crackers crack because people don't use numbers or capital letters.

Once you have changed all of this you should have effectively blocked out the little intruder who is hacking your machine.

Once done, take your machine into an Apple store, tell them the machine has been compromised and someone was hacking into my machine, tell them you turned off the wifi on the machine to stop the hack and you need your important files backed up and the OS completely reinstalled, and because your Apple ID was compromised you cannot use the App Store right now at all.

They should be able to help you reinstall a fresh OS.

Once finished, there's even more bad news.

Start a new Apple ID with a new user name and password.

And again, caps lock and numbers in the password.

This will fix and correct everything.
 
OP
J
Joined
Nov 5, 2014
Messages
10
Reaction score
0
Points
1
Location
Scotland
Your Mac's Specs
Macbook Air
John, I could kiss you!!!!! Even the fact that you're getting me is such a relief. Can I post a couple of screen shots on here? I found the actual lists of commands used to control and hundreds of logs of exports, migrations etc. I would really appreciate if I could ask you a couple of specific questions. Thank you for taking the time to reply, you have no idea how much I appreciate it.
 
OP
J
Joined
Nov 5, 2014
Messages
10
Reaction score
0
Points
1
Location
Scotland
Your Mac's Specs
Macbook Air
Screen shots I hope..

Of tracker commands.

Screen Shot 2014-11-06 at 03.34.01.png

Screen Shot 2014-11-06 at 03.34.16.png
 
OP
J
Joined
Nov 5, 2014
Messages
10
Reaction score
0
Points
1
Location
Scotland
Your Mac's Specs
Macbook Air
Screen shot tracker

Screen Shot 2014-12-08 at 11.30.00.png
 
OP
J
Joined
Nov 5, 2014
Messages
10
Reaction score
0
Points
1
Location
Scotland
Your Mac's Specs
Macbook Air
Could someone let me know if my attachments are showing in the thread please? My laptop is getting wonkier by the day.
 
Joined
Mar 30, 2013
Messages
156
Reaction score
1
Points
18
Location
US
Your Mac's Specs
13" MBP, OSX 10.8.5, 2.5 GHz Intel core i5 4 GB 1600 MHz DDR3 - I also have an iPad Air.
Could someone let me know if my attachments are showing in the thread please? My laptop is getting wonkier by the day.
Hello jaxk, I see your attachments. I hope you can get your machine fixed soon.
 
OP
J
Joined
Nov 5, 2014
Messages
10
Reaction score
0
Points
1
Location
Scotland
Your Mac's Specs
Macbook Air
Hello kind person, thank you for that.
 
Joined
Mar 30, 2013
Messages
156
Reaction score
1
Points
18
Location
US
Your Mac's Specs
13" MBP, OSX 10.8.5, 2.5 GHz Intel core i5 4 GB 1600 MHz DDR3 - I also have an iPad Air.
Hi jaxk, it may take a while for someone to get back to you, but I'm sure they will. You posted a lot of info that someone with a LOT more knowledge than me would have to analyze very carefully, possibly a person who understands programming language. I know how stressful it is waiting for an answer, especially when it comes to security issues.

Sincerely, Quietone
 

dbm


Joined
Dec 31, 2010
Messages
498
Reaction score
17
Points
18
Location
Preston, Lancs, UK
Your Mac's Specs
Mac Mini 2011 i5 2.3/8GB, MBPr 15 2013 with i7/16GB both running El Capitan
Hi Jaxk,

A bit of Bing searching suggests that the code you have in that rtf file is related to BitTorrent. Port 6969 is used by BitTorrent, as is that 'announce' command.

Do you use BitTorrent?
 
OP
J
Joined
Nov 5, 2014
Messages
10
Reaction score
0
Points
1
Location
Scotland
Your Mac's Specs
Macbook Air
Thanks for replying dbm. I have no idea what a BitTorrent is! Before this all started, I was an iPhoto, iTunes, internet only chick. I'm very out of my depth so any input/advice is greatly appreciated.

Hello Q, thank you, I appreciated that. I'll hang in there.
 

dbm


Joined
Dec 31, 2010
Messages
498
Reaction score
17
Points
18
Location
Preston, Lancs, UK
Your Mac's Specs
Mac Mini 2011 i5 2.3/8GB, MBPr 15 2013 with i7/16GB both running El Capitan
BitTorrent is used to download or share large files like movies or software.

Have you downloaded anything like that? You may have been prompted to install some kind of download assistant as part of downloading some other resource from the Internet?
 
OP
J
Joined
Nov 5, 2014
Messages
10
Reaction score
0
Points
1
Location
Scotland
Your Mac's Specs
Macbook Air
Reply dcm

Ah right, thanks for explaining and for being patient with me.

Well, I'm not knowledgeable enough to rule out that theory, but I only download from iTunes or Application store and I don't file share at all.

This year I have only installed Yosemite plus updates for iTunes etc, but all via the Apple store. I only connect 2 devices, my iPhone and printer, both of which I have been using for years. I have never installed extensions.

The only major change that I can think of is that I signed up for Cloud. However, I don't use it for photo streaming or for family sharing, in fact I don't use it for anything apart from storage.

Is there some way I could check for the source? I found the commands on the guest dmg by accident in Oct/Nov but I suspect this has been going on at least from June.

My system profile shows hundreds of installations not made by me, but I've never looked for the actual source.

Not sure if relevant, but have I mentioned that my PC which is my Wi Fi Hub and my son's Arnova Childpad have also been affected by this? Neither of them are ever physically connected to my iPhone or laptop.

Jacquie
 

dbm


Joined
Dec 31, 2010
Messages
498
Reaction score
17
Points
18
Location
Preston, Lancs, UK
Your Mac's Specs
Mac Mini 2011 i5 2.3/8GB, MBPr 15 2013 with i7/16GB both running El Capitan
I have done some more searching. amazonaws.com is Amazon Web Services - provided by Amazon the website we all know for people to build their own applications with. Many well known services like Netflix run on the Amazon cloud. My gut feel is that this is unlikely to be nefarious, as Amazon are a reputable company. But they are also a big company so I wouldn't necessarily bank on that.

When you say you signed up for 'Cloud' this year, what do you mean?

Also, when you say that your PC is your wifi hub, what are you meaning by that too? Do you have a wifi router or just a wired router to your PC which then shares its internet connection?
 
