Is there a way to tell if someone has gotten into my Mac remotely?

Discussion in 'macOS' started by Naimfan, Apr 28, 2006.

  1. Naimfan macrumors 68040

    Joined:
    Jan 15, 2003
    #1
    All--

    I think the thread title says it all: I need to know if there is a way to tell if someone has remotely accessed my Mac without my knowledge. Is there?

    Thanks in advance.

    Bob
     
  2. mad jew Moderator emeritus

    Joined:
    Apr 3, 2004
    Location:
    Adelaide, Australia
    #2
    You could use an app like Little Snitch to catch unwanted network activity. Of course, you could only catch them in the act this way. It wouldn't be able to check if you have been hacked.

    What makes you think you've been hacked? Are you running with a password enabled? :)
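
For checking after the fact rather than catching someone in the act, the Mac's login records can be reviewed with `last`. The sketch below is an added example, not something posted in this thread; the sample records, the addresses and the `remote_logins` helper name are constructed for illustration.

```shell
#!/bin/sh
# Added example: list terminal logins that came from another machine.
# remote_logins reads `last`-style output on stdin; its arguments are the
# hosts you expect to see (your own machines). Everything else is UNKNOWN.
remote_logins() {
    awk -v known="$*" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        # Skip blank lines, the "wtmp begins" trailer and reboot/shutdown rows.
        NF < 3 || $1 == "wtmp" || $1 == "reboot" || $1 == "shutdown" { next }
        # Local sessions have no host column, so field 3 is the weekday.
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        {
            tag = ($3 in ok) ? "known" : "UNKNOWN"
            printf "%s %s %s %s %s %s %s\n", tag, $1, $3, $4, $5, $6, $7
        }
    '
}

# Constructed sample in the layout `last` prints (user, tty, host, time).
SAMPLE='bob       ttyp2    203.0.113.9      Fri Apr 28 21:14 - 21:30  (00:16)
bob       console                   Fri Apr 28 18:02   still logged in
bob       ttyp1    192.168.1.20     Thu Apr 27 09:40 - 09:55  (00:15)
reboot    ~                         Thu Apr 27 09:31
bob       ttyp1                     Wed Apr 26 20:11 - 20:12  (00:01)

wtmp begins Sat Apr  1 08:00'

# Demo on the sample; on the Mac itself run:  last | remote_logins 192.168.1.20
printf '%s\n' "$SAMPLE" | remote_logins 192.168.1.20
```

`last` only covers sessions written to the login database, such as console and SSH terminal logins, so an empty result does not rule out other kinds of access.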
     
  3. Naimfan thread starter macrumors 68040

    Joined:
    Jan 15, 2003
    #3
    Mad Jew--

    Thanks for the tip on Little Snitch--now installed and running.

    I don't know that I have been hacked--I just noticed that recently my Yahoo messenger started flaking out, and that some sites on Safari took a lot longer to load than they had previously. That's the "what made me think of it" part.

    The why part--short form--my ex-fiance just accused me of using a computer program to find out her passwords, and her ex-husband fancies himself as something of a computer type. So the thought crossed my mind that he may have tried to access my Mac over the web. I don't have any kind of file sharing turned on, so I don't know if someone could get into it. But I thought I'd ask!

    Bob
     
  4. mad jew Moderator emeritus

    Joined:
    Apr 3, 2004
    Location:
    Adelaide, Australia
    #4
    Ahh, okay. Well, make sure your accounts have passwords on them (these can be turned on or changed in System Preferences) and ensure your firewall is also turned on. Although still possible, your Mac is pretty secure if you take those two steps. :)

    I'm sorry to hear about the hate. :(
     
  5. tonyl macrumors 6502

    Joined:
    Jan 18, 2006
    #5
    Wow, you need to change your pd once a month. Look for some security sites.
     
  6. Naimfan thread starter macrumors 68040

    Joined:
    Jan 15, 2003
    #6
    Mad Jew--

    UPDATE--I just looked in the trash, and discovered a whole host of Word work files. Most disturbingly, under "ownership and permissions" details, a group called "wheel" appears as having "read only" access. I have never set up any group--I'd have to go to Help to even find out how to do it.

    Also, "smbclient" wanted to talk to IP address 167.254.27.255. So I now fear the worst has happened.

    Thanks again--I have always done both of those, and use a user account for most everything. Both accounts are password protected, and firewall is always on.

    I've changed my passwords again on the off chance there is some sort of remote keystroke recorder program running.

    Bob
     
  7. mad jew Moderator emeritus

    Joined:
    Apr 3, 2004
    Location:
    Adelaide, Australia
    #7

    Potentially worrying, however...



    ...the chances of a keystroke app running in the background are very slim. Changing the password should be enough to keep you out of trouble. These Word documents in the Trash are disturbing though. If it keeps happening, I'd think about telling the police.

    Good luck with it all. :)
     
  8. blackstone macrumors regular

    Joined:
    Dec 12, 2005
    Location:
    Washington, DC
    #8
    I know the "wheel" group is supposed to exist, so this may be normal. From what I know, any user with root access is supposed to be a member of "wheel."

    smbclient is the application that allows you to access Windows shares.

    I ran whois on that address, which revealed that it's part of a block of addresses belonging to Fujitsu:

    Code:
    OrgName:    Fujitsu Network Transmission Systems, Inc.
    OrgID:      FNTS-1
    Address:    2801 Telecom Parkway
    City:       Richardson
    StateProv:  TX
    PostalCode: 75082
    Country:    US
    
    NetRange:   167.254.0.0 - 167.254.255.255
    
    Is there anyone who works for Fujitsu in this web of intrigue?
     
  9. lsyx macrumors newbie

    Joined:
    Apr 29, 2006
    #9
    Naimfan-

    I don't think you have anything to worry about based on the symptoms you've given. The Word work files you've discovered are a common occurrence if you use Word regularly; it tends to sock settings and backup copies of your work in those files, then throw them away when you quit. As for the wheel group, this is the group on your computer that contains all administrators, and is created by default when the operating system is installed. You are most likely running as an administrator and are thus a member of this group.

    As for smbclient, I'm not absolutely sure when this program is used, but it's entirely possible that it's being called by some other, more innocent program. In any case, a whois lookup on the address it's talking to gives the following:

    OrgName: Fujitsu Network Transmission Systems, Inc.
    OrgID: FNTS-1
    Address: 2801 Telecom Parkway
    City: Richardson
    StateProv: TX
    PostalCode: 75082
    Country: US

    If that looks familiar, then you may have a problem. If not, or if neither you nor your ex-fiance's ex-husband live in Texas, then that is almost certainly unrelated to any problems you've been having.

    Further, breaking into a Mac is very difficult if filesharing is off and the firewall is up. So don't fret too much about the weirdness of your Mac's internal workings; most of the time you'll be safe.

    Good luck.
     
  10. lsyx macrumors newbie

    Joined:
    Apr 29, 2006
    #10
    Looks like blackstone and I were thinking the same thing at the same time. :)
     
  11. blackstone macrumors regular

    Joined:
    Dec 12, 2005
    Location:
    Washington, DC
    #11
    Haha, I guess great minds think alike... ;)
     
  12. Naimfan thread starter macrumors 68040

    Joined:
    Jan 15, 2003
    #12
    Thanks all!

    I really really appreciate your help and input!

    I have indeed talked to the police--not about this, but about the underlying incident (BAD breakup!).

    I feel much better--I also did a whois and a network trace, and didn't see a single reference to the IP address I was concerned about. And no, no one involved works for Fujitsu, at least not that I know of.

    Not to be repetitive, but thanks all!

    Bob
     
