
traceyham

macrumors newbie
Original poster
Jun 19, 2009
9
0
I have a hacker I can't get rid of by erasing my HD and reinstalling Mac OS. Is it possible a hacker has copied files to my EFI partition? The format for it is Mac OS Extended and it contains 12 folders and 44 files.

If so, how can I erase this partition? I've tried to do it through Disk Utility with no luck. Can I just delete it and repartition?
 
Nov 28, 2010
22,670
31
located
Have you tried to repartition the HDD?
As far as I know, the EFI partition will be left untouched, if it is even visible.

Btw, why do you think there is a hacker attacking you?
 

traceyham

macrumors newbie
Original poster
Jun 19, 2009
9
0
There is a MAC address that doesn't belong to any of my devices on my modem/router ... my internet connection speed is a fraction of what it should be ... along with other suspicious activity. Time Warner replaced my equipment today because they also believe I'm being hacked.

After replacing my equipment my hacker seems to be back ... another MAC address that doesn't belong to the only computer I've reconnected has appeared and my internet connection speed is still terrible.

I have erased my HD and reinstalled Mac OS ... how do I repartition?

Thank you.
 

ashman70

macrumors 6502a
Dec 20, 2010
977
13
Do you have a wireless router? Is security set up on the router? If you have a wireless router, it sounds like a neighbour using your wifi, or another wireless device connecting to your router. You can do a few things, if your router is indeed wireless: You can change the security, strengthen it, turn on MAC Address filtering, or, if you don't require the wireless features and plug in via a network cable, turn on the wireless altogether.
 

Darby67

macrumors 6502
Are you using the router's security software to its fullest along with a strong password? What form of encryption/wireless security are you using? Do you change your wireless password on a regular basis? Do you have your computer Firewall enabled?

Do you live in an apartment or close neighborhood? Sounds just like somebody is utilizing your network. But...better safe than sorry.
 

Macman45

macrumors G5
Jul 29, 2011
13,197
135
Somewhere Back In The Long Ago
Do You Know The Make

And model of your router? As posted here, I think someone is piggybacking your BB. This is illegal, and if TW take it seriously then you would think they would have locked your router down. But if they haven't it should be your first job.

If you post the exact make and model, more help can be provided.....Logging into your wifi router is a little tricky if you have never done it before.

Post the equipment details here and I (or someone else) can walk you through the process.
 

traceyham

macrumors newbie
Original poster
Jun 19, 2009
9
0
My router is locked down ... WPA2, I have DHCP set to 1 lease (for my IP), no remote administration, SSID not broadcasted, etc. The first thing that was done when it was connected was to change the user/password from factory settings.

Today when I was configuring the router with the new settings my computer was kicked off the router and its IP address was changed to 169.254.65.27 and I had to manually change it to connect back to the router. That's when the unknown MAC address showed back up.

When I go into the Partition settings of my HD everything is grayed out and the only option I have is to delete disk0s1 ... will this repartition?

It is an Ambit Ubee router.
 

ashman70

macrumors 6502a
Dec 20, 2010
977
13
Other than the rogue MAC address on your router, what makes you think this 'hacker' has done anything to your computer that would cause you to go to such extremes as formatting your system? A rogue device or connecting to your router is one thing, getting into your computer is another. Why would someone want to hack into your computer in the first place?
 

Macman45

macrumors G5
Jul 29, 2011
13,197
135
Somewhere Back In The Long Ago
This Is Strange

My router is locked down ... WPA2, I have DHCP set to 1 lease (for my IP), no remote administration, SSID not broadcasted, etc. The first thing that was done when it was connected was to change the user/password from factory settings.

Today when I was configuring the router with the new settings my computer was kicked off the router and its IP address was changed to 169.254.65.27 and I had to manually change it to connect back to the router. That's when the unknown MAC address showed back up.

When I go into the Partition settings of my HD everything is grayed out and the only option I have is to delete disk0s1 ... will this repartition?

It is an Ambit Ubee router.

And I understand your concern. You have performed all the correct steps in locking down the router....Can you disable wifi and use an Ethernet cable to connect? If so, try that. If this gets rid of the errant address, I'd contact TW again. This could come to legal action against the party or parties involved, and it's something you should take seriously. ISPs do, and nobody likes a thief. Post back and let us know how you progress.
 

traceyham

macrumors newbie
Original poster
Jun 19, 2009
9
0
The hacker was after the 250+ movies on my hard drive along with 30gb of music ... it has all been removed for a few days now but the hacker is still lurking.
 

traceyham

macrumors newbie
Original poster
Jun 19, 2009
9
0
Time Warner informed me data was being sent out when my computer was the only thing connected to the router 2 days ago. I've had a problem with this for quite some time and a while back TW notified me that I was uploading protected content and it was illegal for me to do so. I assumed this was one of my children doing something but it has turned out to be someone else on my system.
 

ashman70

macrumors 6502a
Dec 20, 2010
977
13
It sounds like there are a lot of unknowns here and you may possibly be jumping to conclusions. I want you to know I am trying to help you sort it out, I hope you don't think I am arguing with you.

TW has informed you that you are uploading, ok, someone in the house must be doing it. How many computers are there in the house? How do they connect to the router, wired or wirelessly? Could your children (ages) have possibly given the wifi password to a friend? Do they have friends who come over with laptops and connect to your wifi? Has TW informed you of the times you have supposedly been uploading or is it constant?
 

traceyham

macrumors newbie
Original poster
Jun 19, 2009
9
0
Thank you for your help.

Yes, there are children in the house and that is most likely how this hacker obtained access. The children have been off of this modem/router for a while now and I restored the router to factory settings and changed the user name/password, WPA2 encryption, etc. to ensure that they were not on the network ... only I had access when I started dealing with TW. I am the only one on now. No one has had access except me for almost 3 weeks now.

I'm also pretty sure this hacker is spoofing my MAC addresses as the router showed my iPad was connected when it was turned off. Just FYI.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
I have a hacker
No, you don't have a hacker. There have been countless threads like this one over the years and in exactly 100% of the cases, no hacker was involved. Something is happening that you don't understand. You need to relax and troubleshoot the issue to learn what is happening and why. It is inaccurate to claim that a hacker is involved, as the odds of any random Mac computer being hacked are astronomically remote. Also, by continuing to blame a nonexistent hacker, you're less likely to take a logical approach and diagnose what is really happening. Forget the possibility of a hacker and work on learning what's happening.
 

traceyham

macrumors newbie
Original poster
Jun 19, 2009
9
0
Time Warner said something about my pings being all over the place ... don't know if this helps you. When they saw this and saw the data being uploaded they sent a technician with new equipment and agreed that I have a hacker because of the activity they saw. My computer was the only device connected ... I am assuming here, but what else could they be uploading from?
 

negativzero

macrumors 6502a
Jul 19, 2011
564
55
Try swapping out your router and connect to the internet directly using your modem. The other thing you can do is swap out your router and get a different one which can monitor LAN traffic and see if you find anything unusual.
 

Darby67

macrumors 6502
Is the FireWall on your computer set? Do you have a common password shared amongst the family?

Guessing that your MAC address hasn't been spoofed but rather the lease time on the iPad hasn't expired since the last time it accessed the network.

I'm with Ashman regarding neighborhood friends, etc. In that case simple MAC address filtering would probably keep the simple leeches off your network.
 

McGiord

macrumors 601
Oct 5, 2003
4,558
290
Dark Castle
TW will see any activity going through your router out to the web, so if another computer connected to the router was uploading such data, that is what happened.
If after controlling the router and only allowing your Mac to connect with it there is still some strange activity going on, then something in your computer is sending the data, and it will be easy to find out what is going on.
Little Snitch.
Create another user and test.
Create a fresh install in another HDD, or partition, test, etc...
etc...

Maybe the TW techs needed some work hours and found you as a good customer....

Plenty of speculation....gather the facts and avoid opinions (especially our MR biased opinion)
 

traceyham

macrumors newbie
Original poster
Jun 19, 2009
9
0
FIREWALL/PASSWORD: Yes my firewall is turned on. I am the only one with the password and my children do not even know what my SSID is to try and connect now that my router has been restored back to factory settings.

SPOOFING: My iPad was turned off, I was monitoring DHCP client list and the iPad was not in it, even though the iPad was off it showed up. Is it possible it was still just an unexpired lease?

To get back to my original question ... I know from reliable sources that there is 8MB or so on a PC that a hacker can use to copy files to ... when they do this they can use remote access to continue to access your computer because reinstalling the OS doesn't touch this 8MB and get rid of the files the hacker uses to remotely access your computer. Can this happen on a Mac?
 

praetorx

macrumors regular
Apr 7, 2010
160
0
I too thought I had an outsider connected to my network but after looking up the MAC OUI of the device found it belonged to my Vonage VoIP router.
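
The OUI check described in the post above can be run over a whole DHCP client list. This is an added example, not part of the thread: the inventory, the vendor table, and all MAC addresses are constructed placeholders (a real lookup would use the IEEE OUI registry), and only the 169.254.65.27 address comes from the thread. It also flags locally administered MACs, for which an OUI lookup says nothing, and self-assigned 169.254.x.x addresses, which a host picks for itself when it gets no DHCP lease.

```python
import ipaddress
import re

# Constructed sample data; only the 169.254.65.27 address appears in the thread.
INVENTORY = {"a4:5e:60:aa:bb:01": "owner's Mac"}        # devices you know you own
OUI_TABLE = {"00:11:22": "Example VoIP Adapter Co."}    # placeholder vendor table
CLIENT_LIST = [                                          # (MAC, IP) as a router might list them
    ("A4-5E-60-AA-BB-01", "169.254.65.27"),
    ("0011.22cc.dd02", "192.168.0.10"),
    ("da:a1:19:00:00:03", "192.168.0.11"),
    ("a4:5e:61:00:00:04", "192.168.0.12"),
]

def normalize(mac):
    """Accept aa:bb.., AA-BB.. or aabb.ccdd.. and return lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac, ip, inventory=INVENTORY, oui_table=OUI_TABLE):
    """Return (normalized MAC, label, notes) for one client-list entry."""
    mac = normalize(mac)
    notes = []
    if mac in inventory:
        label = "known: " + inventory[mac]
    elif int(mac[:2], 16) & 0x02:
        # Bit 1 of the first octet set: address was chosen by software, not a vendor.
        label = "locally administered"
        notes.append("randomized or manually set; OUI lookup not meaningful")
    elif mac[:8] in oui_table:
        label = "unlisted, vendor: " + oui_table[mac[:8]]
    else:
        label = "unlisted, vendor unknown"
    if ipaddress.ip_address(ip).is_link_local:
        notes.append("self-assigned address: host got no DHCP lease")
    return mac, label, notes

def triage(clients=CLIENT_LIST):
    return [classify(mac, ip) for mac, ip in clients]

if __name__ == "__main__":
    for mac, label, notes in triage():
        print(mac, "|", label, "|", "; ".join(notes))
```
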
 

Macman45

macrumors G5
Jul 29, 2011
13,197
135
Somewhere Back In The Long Ago
Returning To My

FIREWALL/PASSWORD: Yes my firewall is turned on. I am the only one with the password and my children do not even know what my SSID is to try and connect now that my router has been restored back to factory settings.

SPOOFING: My iPad was turned off, I was monitoring DHCP client list and the iPad was not in it, even though the iPad was off it showed up. Is it possible it was still just an unexpired lease?

To get back to my original question ... I know from reliable sources that there is 8MB or so on a PC that a hacker can use to copy files to ... when they do this they can use remote access to continue to access your computer because reinstalling the OS doesn't touch this 8MB and get rid of the files the hacker uses to remotely access your computer. Can this happen on a Mac?

Original suggestion......Can you connect via Ethernet cable and disable wifi? This will tell you for sure what's happening. I'm surprised TW didn't check this out.
 

Macman45

macrumors G5
Jul 29, 2011
13,197
135
Somewhere Back In The Long Ago
Lol

Really? There are 14 year olds on this forum who are FAR more knowledgeable than any of the TW tech reps I've encountered. (No disrespect to 14 year olds!)

I must admit, I have never encountered TW tech support as I'm in the UK, but trust me.....VM (Virgin Media) are just as bad.

Fortunately I've never required their "help" :)
 

theSeb

macrumors 604
Aug 10, 2010
7,466
1,893
none
F

To get back to my original question ... I know from reliable sources that there is 8MB or so on a PC that a hacker can use to copy files to ... when they do this they can use remote access to continue to access your computer because reinstalling the OS doesn't touch this 8MB and get rid of the files the hacker uses to remotely access your computer. Can this happen on a Mac?

Ummm... I am not even sure where to start with this whole thread, but who told you this? Some guy in the pub?
 