Detecting and removing a trojan?

Discussion in 'macOS' started by DeadSirius, May 13, 2008.

  1. DeadSirius macrumors member

    Joined:
    Sep 16, 2006
    #1
    My idiot next door apartment neighbors talked too loud and revealed that they have hacked into my computer. What they said implies that there is a trojan in there. What is the best way to isolate it and have it removed?

    The facts:

    - Mac Pro with the most recent 10.4 update.
    - 2 bootable OS X drives, 1 drive for Windows, 1 drive for data (4 drives total)
    - NO Bluetooth or wireless devices
    - Linksys wired router between the DSL modem and CPU which before the incident had no settings changed by me. After the incident, I reset it to factory defaults and changed the admin password.
    - One of the neighbors accurately described the contents of one of the drives. I have never let them into the apartment.
    - At one point, one of them said “I’m on his computer now.” I immediately put the machine to sleep, and he said, “Oh… he must have detected us.”
    - (This freaks me out the most.) With the router/modem unplugged from the machine completely, one of them announced, “See? He’s wiping one of his drives.” At that moment, I was in fact using Techtool Pro to wipe free space from one of the drives.

    I’ve since put the OS X firewall in Stealth mode, and also turned on logging. I’ve watched Activity Monitor and read the logs, but I honestly don’t know what I’m looking for. Is it possible to remove a trojan, or do I have to start over with a blank drive? Is there a freeware solution for this?
     
  2. Eraserhead macrumors G4

    Eraserhead

    Joined:
    Nov 3, 2005
    Location:
    UK
    #2
    It seems more likely they are accessing your wireless network, though. Install Little Snitch and see whether it picks anything up.
     
  3. Tallest Skil macrumors P6

    Tallest Skil

    Joined:
    Aug 13, 2006
    Location:
    1 Geostationary Tower Plaza
    #3
    Confront them or the authorities.

    You don't have one, but do that anyway.
     
  4. Eidorian macrumors Penryn

    Eidorian

    Joined:
    Mar 23, 2005
    Location:
    Indianapolis
    #4
    I'd run 'last' via the command line to see if anyone else has logged in to your computer.

    If your computer has no connectivity and they're still talking then you're a little too paranoid.
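    The `last` suggestion above is worth doing with a bit of structure. Here is an added example (not code from this thread or from any poster) that reads `last` output and pulls out two things a defender cares about: sessions that arrived from a network host rather than the local console or a Terminal window, and sessions under account names that should not exist. The `last` lines below are constructed sample data in the column layout `last` prints on OS X; the `dead` and `guest` user names and the addresses in them are made up.

    ```shell
    #!/bin/sh
    # Added example: review `last` output for logins that came over the network
    # or from accounts you do not recognise. SAMPLE_LAST is constructed data.
    SAMPLE_LAST='dead      ttys000                   Tue May 13 20:12   still logged in
    dead      console                   Tue May 13 19:55   still logged in
    dead      ttyp1    10.0.0.5         Mon May 12 23:41 - 23:58  (00:17)
    guest     ttyp2    203.0.113.77     Mon May 12 02:14 - 02:40  (00:26)
    reboot    ~                         Mon May 12 19:01
    wtmp begins Thu May  1 08:00'

    # remote_logins: reads `last` output on stdin and prints "user tty host" for
    # every session whose third column is a hostname or IP address. Local
    # sessions (console, Terminal windows) carry a weekday in that column
    # instead, so they are skipped, as are reboot/shutdown pseudo-entries.
    remote_logins() {
      awk '
        $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" { next }
        $2 == "console" { next }
        $3 ~ /^[0-9A-Za-z.-]+\.[0-9A-Za-z-]+$/ { print $1, $2, $3 }
      '
    }

    # unknown_users: reads `last` output on stdin; $1 is a comma-separated list
    # of the accounts that are supposed to exist on the machine. Prints the user
    # of every session that is not on that list (a second, unexpected account
    # is exactly what the thread is asking people to look for).
    unknown_users() {
      awk -v expected="$1" '
        BEGIN { n = split(expected, e, ","); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" { next }
        !($1 in ok) { print $1 }
      '
    }

    # Stand-alone run against the constructed sample. On a live machine, replace
    # the printf with `last` itself, e.g. `last | remote_logins`.
    printf '%s\n' "$SAMPLE_LAST" | remote_logins
    printf '%s\n' "$SAMPLE_LAST" | unknown_users dead
    ```

    A login from a host you do not own, or a session under an account you never created, is the signal; a clean `last` is only weak evidence, because it records interactive logins and not every way software can run on the box.
    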
     
  5. kkat69 macrumors 68020

    kkat69

    Joined:
    Aug 30, 2007
    Location:
    Atlanta, Ga
    #5
    For starters, isn't this extremely illegal? I mean, regardless of whether one user didn't set up his/her wireless network properly, the fact that another has willingly and knowingly intruded into another's computer is like invasion of privacy, but with it being a computer that makes it a cybercrime (snicker cuz of the word cyber, ok immature moment done with).

    I would though make sure (since I'm a malicious one) that READ ONLY is established in your sharing preferences, place a few binary files and rename them to "Police Report 1.doc" etc. (put a few in there) along with some more legitimate-looking files like "Network Traffic.txt", "Traceroute.txt", "Lil-Snitch Intrusion Report.txt" and see what they say after that. Also include a "CyberCrime Law" file in there.

    Let them see those files, then lock up your "sharing" permissions tighter than a tick's ass.

    Continue to run Lil-Snitch, and check the permissions browser in Lil-Snitch to see if anything looks out of the ordinary.

    What is confusing is that you say you're WIRED and not WIRELESS. If your Mac Pro has wireless capability, TURN IT OFF in the MP; disable AirPort, and that'll pretty much fix that.
     
  6. MacBoobsPro macrumors 603

    MacBoobsPro

    Joined:
    Jan 10, 2006
    #6
    Could they be using screen sharing/remote desktop and watching what you are doing? Turn that off in System Preferences, as well as your AirPort card if you don't have a use for it.
     
  7. DeadSirius thread starter macrumors member

    Joined:
    Sep 16, 2006
    #7
    I'm sorry it was confusing. I have no wireless devices. I have no Bluetooth. I have no AirPort. All data travels through wires. The router connects through the Ethernet.

    All filesharing preferences have been off from the start. There is only one account on the machine, mine.

    I had been led to believe that having a router between the DSL modem and the Ethernet port creates a very reliable firewall, yet these guys seem to have looked right through it.

    I really wish someone would address my question about detecting and *removing* a trojan. Is it possible?
     
  8. GroovyLinuxGuy macrumors regular

    GroovyLinuxGuy

    Joined:
    Apr 2, 2006
    Location:
    Canada
    #8
    It's all fine and dandy to put pointless police files on your computer for your "hackers" to find, but in reality you have really only one option...wipe your hard drive and reinstall. I would make a backup of anything important and completely erase your hard drive and start over. Once you have done that, and before you connect to your wireless to do updates, set your security on your Mac: make sure screen sharing is turned off and file sharing is off as well (I think this is the default anyway). Next, from a wired connection, connect to your router and set up the security there (WPA is better than WEP), change your SSID to not display, and only accept connections from your computer's MAC address (all of this can be found in your router's owner's manual). If you have any need for remote access to your computer, make sure your password is secure and try to use a remote desktop connection like NoMachine, which makes its connections over SSH (so it is secure and no passwords are sent in clear text over the internet). Also remember that your email password is sent in clear text over the internet when you use most mail clients, so checking your email via webmail is a better idea (since most companies use HTTPS for this, which is secure), and above all change your passwords on a regular basis...and don't use the same password for everything.

    As for removing the trojan...it is really better to rebuild and be sure it is gone.

    Cheers!
     
  9. kkat69 macrumors 68020

    kkat69

    Joined:
    Aug 30, 2007
    Location:
    Atlanta, Ga
    #9
  10. longofest Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #10
    The definition of a trojan is something that is sent to you and you think is innocent but really has malicious intent. For instance, you are sent what looks to be an image or video file, but it really executes commands on your computer.

    If you haven't done anything like that, then I'd say they don't really have a "trojan" installed on your computer.

    Have there been any incidents since you reset the router password and activated your firewall?
     
  11. MacBoobsPro macrumors 603

    MacBoobsPro

    Joined:
    Jan 10, 2006
    #11
    A trojan is an application, so if you had been sent it or downloaded it, OSX would have warned you it was an app before you opened it.
     
  12. DeadSirius thread starter macrumors member

    Joined:
    Sep 16, 2006
    #12
    Granted, my only evidence is what I heard these guys saying. They are not friends, and have no physical access to the machine. Nothing otherwise seems to be amiss, and they have mentioned nothing new since I reset the router. (I think they know I heard them.)

    I was just startled that they knew what was in the machine, and one of them expressed a sincere desire to cause trouble. (How exactly, I'm not sure.)
     
  13. Consultant macrumors G5

    Consultant

    Joined:
    Jun 27, 2007
    #13
    Don't want you to get really paranoid or anything, but if you are online and they can see what you are doing, maybe they have a video camera installed or maybe they can look into your window somehow?

    Have you changed your account password and checked whether there are other accounts that you don't know of on your computer?
     
  14. CanadaRAM macrumors G5

    CanadaRAM

    Joined:
    Oct 11, 2004
    Location:
    On the Left Coast - Victoria BC Canada
    #14
    First step, read your router's manual. There is a default admin password which every hacker in the world knows, so you have to change the ROUTER admin password, or else someone could control your router settings remotely to open up your router firewall. (You say you have now changed it, good. Should have been done at first setup though. Oops.)

    So, they probably had wired access through your router because of a weak password.

    Next, if they can see what is happening on your machine, that means that they have some remote access or screen viewing software that is able to access your machine. VNC, Timbuktu, Apple Remote Access, or various others.

    If you say there is no filesharing or remote access turned on (do you REALLY know this, or are you saying that you assume it is off because you never went in and turned it on? Two different things...) then the other thing you have to consider is that they guessed or broke your username / password... this would give them full access to the machine's drives of course. And then, they could install any software they wanted.

    Have you changed your User password on the Mac?

    Another possibility of course is that they don't have any access to your computer at all, but have run a pinhole camera through the wall, and they are watching you, and deliberately saying "Now he is running TechTool" to freak you out.
     
  15. deputy_doofy macrumors 65816

    deputy_doofy

    Joined:
    Sep 11, 2002
    #15
    I see others have mentioned it, but I was also going to suggest that perhaps they put a hole in the wall and are looking through with a camera. Sounds strange, but stranger things have happened.
     
  16. CanadaRAM macrumors G5

    CanadaRAM

    Joined:
    Oct 11, 2004
    Location:
    On the Left Coast - Victoria BC Canada
    #16
    But if they did in fact have access to the machine and user password, then they could have installed anything.
     
  17. oli2140 macrumors 6502

    Joined:
    Jan 13, 2008
  18. rpaloalto macrumors 6502a

    rpaloalto

    Joined:
    Sep 19, 2005
    Location:
    Palo Alto CA.
    #18
    If they are right on the other side of the wall, they might have spliced in to your phone line.

    One possibility is that your modem or router or even computer is causing interference with something of theirs, and they can tell when you're online or at your computer. If they're pissed off at the interference, they might jokingly say things to scare or bother you. If they're smart enough to hack a hard-wired Mac, then they're smart enough not to talk so loud that you could hear them.

    What did they say they found on your computer, porn and music files?
    That's like 90% of all computers :D
     
  19. DeadSirius thread starter macrumors member

    Joined:
    Sep 16, 2006
    #19
    This is actually a believable scenario, if it can actually work. How would I investigate or solve this? Doesn't my router protect me?
     
  20. Ledgem macrumors 65816

    Ledgem

    Joined:
    Jan 18, 2008
    Location:
    Hawaii, USA
    #20
    If I read that right, you're saying that your computer was completely offline and they were able to tell that you were wiping your hard drive. There is no way that anyone would be able to tell that unless they were able to see into your apartment. My first priority would be to check the apartment carefully. You can check for cameras, but given that these guys are talking loudly they don't really sound like the covert type. See if there's any way they can see into your apartment. Just as an example, I once noted that when I had my window open, I could see my computer's screen reflected pretty clearly in the window's glass - even though the computer was on the opposite side of the room! If it's something easy like that, they may simply be messing with you, looking over and seeing what you're doing before making a noisy remark.

    That aside, let's examine a scenario where they would have system access.

    In order for them to have system access through a trojan, you'd need to have installed it first. Did you install anything unusual recently?

    Check to see what accounts are on your computer. Anything unusual? Is the guest account disabled? Change your user's password to be on the safe side. Make it a long and secure one (use letters and numbers - symbols/punctuation and 12+ characters in length for bonus points!)

    Check your sharing preferences. If everything is off, turn it on and off again to be doubly sure. SSH and Windows sharing are my primary concerns.

    It sounds like you've gone over your firewall settings already, but check that again. Make sure that the minimal amount of services are enabled. As per usual advice, only enable services when you need them, and disable them when you're done. Make sure that your internet sharing is disabled.

    That does it for your main system. Next, let's examine your router:

    You said that it isn't a wireless router, so that already cuts out a ton of attack vectors. Even if they had router access, the worst they could do would be to monitor your net traffic - having access to the router doesn't grant automatic access to the system behind it.

    The main setting I'd care to see with the router is whether web access is enabled or not. Web access lets a person connect to their router and modify the preferences no matter where they are. If this is disabled, then you need to be directly connected to the router (in other words, behind the router). Unless they're breaking into your apartment or if they know of some way to exploit the router, then it's impossible for them to take control of it. Just to be safe, ensure that you have the latest router firmware.

    That should do it. When you're examining your firewall logs you'll want to look for IPs that match the IPs of your area. Assuming that they're using the same ISP as you, look for IPs that are similar to yours (a.b.c.d - a, b, and occasionally c should be the same as yours). Keep in mind that this will be your external IP, not the router-assigned IP. A site like What Is My IP will tell you what your external IP is. If these guys are really big-time hackers, they'd probably be using VPN or a remote system to access your computer and thus the IP would be completely different. If they're really good they'd even be using different computers, making it nearly impossible to figure out where the accesses are coming from. I can't help but picture them as some late-teen/early 20's goofballs, though, so I'm sort of skeptical that they're really high-profile or anything like that...
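    The log-reading step above (look for source addresses whose first two or three octets match your external IP) can be done with a short script rather than by eye. The following is an added example, not code from this thread or from any poster. It assumes the log is in the ipfw style the 10.4-era OS X firewall wrote (timestamp, host, `ipfw:`, rule number, action, protocol, `src:port`, `dst:port`, direction, interface); the five log lines embedded below are constructed sample data, and the external address `203.0.113.5` is a made-up placeholder for the one a "what is my IP" site would report.

    ```shell
    #!/bin/sh
    # Added example: find firewall-log sources that sit in the same address range
    # as your own external IP. SAMPLE_IPFW is constructed data in ipfw log style.
    SAMPLE_IPFW='May 13 20:14:02 macpro ipfw: 12190 Deny TCP 203.0.113.77:51234 192.168.1.10:5900 in via en0
    May 13 20:14:09 macpro ipfw: 12190 Deny TCP 203.0.113.77:51235 192.168.1.10:22 in via en0
    May 13 20:15:30 macpro ipfw: 12190 Deny UDP 198.51.100.4:53 192.168.1.10:49152 in via en0
    May 13 20:16:01 macpro ipfw: 12190 Deny TCP 203.0.99.8:40000 192.168.1.10:548 in via en0
    May 13 20:16:44 macpro ipfw: 12190 Deny TCP 203.0.113.77:51240 192.168.1.10:5900 in via en0'

    # nearby_sources: stdin = ipfw log lines; $1 = your external IP (the one a
    # "what is my IP" site shows, not the router-assigned 192.168.x.x); $2 = how
    # many leading octets must match (2 = same a.b, 3 = same a.b.c; default 2).
    # Prints "hits source_ip destination_ports" for denied inbound connections
    # from matching sources, most active source first.
    nearby_sources() {
      awk -v ext="$1" -v depth="${2:-2}" '
        # prefix(ip): the first `depth` octets of a dotted-quad address
        function prefix(ip,    p, i, s) {
          split(ip, p, ".")
          s = p[1]
          for (i = 2; i <= depth; i++) s = s "." p[i]
          return s
        }
        BEGIN { want = prefix(ext) }
        # field layout: 5=ipfw: 7=action 8=proto 9=src:port 10=dst:port 11=direction
        $5 == "ipfw:" && $7 == "Deny" && $11 == "in" {
          split($9, src, ":"); split($10, dst, ":")
          if (prefix(src[1]) != want) next
          hits[src[1]]++
          if (src[1] in ports) ports[src[1]] = ports[src[1]] "," dst[2]
          else ports[src[1]] = dst[2]
        }
        END { for (ip in hits) print hits[ip], ip, ports[ip] }
      ' | sort -rn
    }

    # Stand-alone run against the constructed sample: sources sharing 203.0.x.x
    printf '%s\n' "$SAMPLE_IPFW" | nearby_sources 203.0.113.5 2
    ```

    The destination ports are kept in the output because they tell you what was being tried (5900 is VNC/screen sharing, 22 is SSH, 548 is AFP file sharing), which is more useful for the "is anything enabled that should not be?" question than the source address alone. Run it on a live machine with the path the Sharing pane's "Open Firewall Log" button points at (assumed to be `/var/log/ipfw.log` on 10.4) in place of the sample.
    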
     