Has my mid-2007 iMac been hacked?

bayotter

macrumors newbie
Original poster
Jul 1, 2015
San Diego, California USA
Just got out of a really bad relationship with someone who knows computers a lot more than I do. Being the suspicious person that I am, I discovered the following in the terminal history:

Code:
/Applications/Akamai/netsession_mac_13d7a2d
env_keep+="HOME MAIL"
ALL
sudo -l
lc_messages
/Library/DropboxHelperTools/Dropbox_u501/dbfseventsd
dscl.list/users
dsl
mv mm.vob
/Library/Application\ Support/Apple/Remote\ Desktop/Notify
/Volumes/Users/Mark/Videos/RealPlayer\ Downloads/0riginal_message
/usr/bin/tail -n 10 /Users/bayottere/.bash_history
usr/bin/tail
mv mm.vob .mm.vob
echo
/pictures/com.alice.mac.camerasecurity/
.bash_history
/users/bayotter/.bash_history
cat .bash_history
ebkit2
~/.MacOSX/environment.plist
#!/bin/sh
/mach_kernel ; exit;
/mach_kernel ; exit;
/sbin/dynamic_pager ; exit;
/Library/Preferences/com.apple.filesharingui.plist.lockfile ; exit;
/Library/Messages/PlugIns/AIM.imservice/Contents/MacOS/AIM ; exit;
/Library/Messages/PlugIns/Jabber.imservice/Contents/MacOS/Jabber ; exit;
/bin/domainname ; exit;
/bin/rcp ; exit;
/bin/bash ; exit;
/usr/libexec/od_user_homes ; exit;
/usr/libexec/mdmclient ; exit;
/usr/libexec/hidd ; exit;
/usr/libexec/security_authtrampoline ; exit;
/usr/libexec/apache2/mod_alias.so ; exit;
/usr/libexec/sharingd ; exit;
/usr/libexec/UserEventAgent ; exit;
/usr/sbin/smbd ; exit;
/usr/sbin/racoon ; exit;
/usr/sbin/dtrace ; exit;
/usr/sbin/raidutil ; exit;
/usr/sbin/chat ; exit;
/usr/sbin/traceroute6 ; exit;
/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit ; exit;
/System/Library/Frameworks/PubSub.framework/Versions/A/PubSub ; exit;
/Volumes/MBP2000/private/tmp/KSOutOfProcessFetcher.501.r55jifrBu08ZlGAfPLYXKgYad4c\=/ksfetch ; exit;
Does anything here look suspicious? Thank you.
 

T'hain Esh Kelch

macrumors 603
Aug 5, 2001
Denmark
Well, com.alice.mac.camerasecurity is a bit dodgy. Otherwise no. It would help immensely if you told us why you pasted some random text from the Terminal in here.

Perhaps Apple Remote Desktop is also questionable. And the fact you have at least two users on the machine.
 

bayotter

macrumors newbie
Original poster
Jul 1, 2015
San Diego, California USA
More info: I recognize the "alice...camerasecurity" reference from a security app I had a few years ago, but removed. It was popular at the time, and took a photo whenever anyone logged in. I removed it years ago.
 

bayotter

macrumors newbie
Original poster
Jul 1, 2015
San Diego, California USA
Sorry. On iPhone. Hit POST accidentally. Continuing...

Could that app have been added back and hidden somewhere?

The reference to MBP2000 is the volume name for my ex's MacBook Pro.

There is supposed to be only one user on my Mac. Only one is listed, anyway.

I am concerned now.
 

bayotter

macrumors newbie
Original poster
Jul 1, 2015
San Diego, California USA
Good advice yjchua95. I will have to do that.

My curiosity still has me, though. The breakup occurred out of fear and lack of trust on my part. My ex was involved in law enforcement and would very easily have been able to arrange something dark. I have never been able to find proof, and I am here hoping that my suspicions were correct and not just unfounded paranoia. There is clearly the reference to MBP2000, my ex's MacBook Pro. I can't tell if the MBP was accessed from my Mac, or my Mac was accessed from the MBP. Is that obvious from a Terminal command line?

Are the only commands in Terminal manually entered ones, can they be from running scripts, and/or can a normal running application insert commands into Terminal?

Interesting note, several times when standing near my ex while on the MBP, I noticed that the date was incorrect on both the MBP and a laptop PC sometimes used. They were sometimes off by years. Is that a way to disguise yourself accessing another computer or even just on that computer as the file or application/program dates would fall way down on a file list or not appear on logs?

I really appreciate the answers. It is about more than just fixing a problem. I hope they help others reading this too. Thanks again.
 

yjchua95

macrumors 604
Apr 23, 2011
GVA, KUL, MEL (current), ZQN
It's possible that both Macs were, at one point in time, on the same network and were connected to each other through that.

Commands entered via Terminal can be from scripts.

Regarding the third paragraph, possibly, but I'm not sure. At this stage, don't trust anything and assume nothing. Do a clean install and manually back up only the items that you need. Don't use a Time Machine backup. Also, download the apps fresh from the developers directly. Chances are that one of the apps could be doctored.

Enable FileVault as well, along with firmware password protection. Also download the Yosemite installer from the App Store and create a bootable USB stick for re-installation out of it. 10.10.4 applies EFI updates to Macs (not sure whether all Macs will get EFI updates or not with it, but mine did), and so by applying that, you could possibly flush out boot kits too.

Here's how to create a bootable USB installer:
1. Download Yosemite from the App Store.
2. Have an 8GB USB stick or an 8GB partition in an external drive ready.
3. Download DiskMakerX from http://diskmakerx.com (free app). Use this app to create the bootable USB. It'll guide you.

After that, back up only the stuff that you need manually. Then, stick the USB stick in and restart the Mac. Upon hearing the chime, hold down on the Option key and boot from the stick. After booting into it, open Disk Utility and erase the internal drive. Then, quit it and reinstall OS X.

Make sure you enable FileVault 2 and EFI/firmware password protection as well. As Snowden said, encryption does work.
 

bayotter

macrumors newbie
Original poster
Jul 1, 2015
San Diego, California USA
Your advice is the right course. I will do that and let the suspicions go. I don't want this to become an obsession. Time to move on and leave the past in the past.
 

yjchua95

macrumors 604
Apr 23, 2011
GVA, KUL, MEL (current), ZQN
PS - 10.10.4 does bring EFI security updates. So make sure you apply this update. If you downloaded the installer off the App Store, it'll be 10.10.4 already.
 

\-V-/

Suspended
May 3, 2012
Yep ... clean install. Start fresh. Get your peace of mind back.
 

Beachguy

macrumors 65816
Nov 23, 2011
Florida, USA
I'm not sure enough there's anything suspicious there at all. The two lines in question can easily be examined by looking into the files involved, with a viewing of the RealPlayer file "0riginal_message" and a look at the .bash_history file. There is only one other user name, Mark, since bayotter is likely the other user ("bayottere") in the history listed.

Rebuilding a machine is quite an effort. At this point, I think worry is causing suspicion, but just don't see anything to justify it.
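A defender-side way to do the review Beachguy suggests, reading a pasted shell history like the one in the opening post, as an added example that was not written by anyone in this thread: it flags the lines the replies single out (sudo -l, the rename to a dot-file, reads of another account's .bash_history, the legacy environment.plist, and paths on a volume other than the boot disk) and lists which /Volumes mounts the history touched. The sample history, the rule labels and the own_user parameter are constructed for this example; own_user is the account's real short name, so a near-miss such as "bayottere" shows up as another account rather than being silently accepted.

```python
import re

# Constructed sample modelled on the history pasted in the opening post; not the real file.
SAMPLE_HISTORY = """\
ls -la
sudo -l
env_keep+="HOME MAIL"
mv mm.vob .mm.vob
/usr/bin/tail -n 10 /Users/bayottere/.bash_history
cat .bash_history
~/.MacOSX/environment.plist
/Volumes/MBP2000/private/tmp/ksfetch ; exit;
echo done
"""

# Review rules as (label, regex, why a reviewer looks twice). Labels are invented for this example.
RULES = [
    ("sudo-rights-check", re.compile(r"\bsudo\s+-l\b"), "lists what the account may run via sudo"),
    ("sudoers-env-keep", re.compile(r"\benv_keep\b"), "sudoers directive; odd in an interactive shell"),
    ("rename-to-dotfile", re.compile(r"\bmv\s+\S+\s+\.\S+"), "renames a file to a hidden dot-name"),
    ("history-access", re.compile(r"\.bash_history\b"), "reads or edits a shell history file"),
    ("login-env-plist", re.compile(r"\.MacOSX/environment\.plist"), "legacy per-user file loaded at login"),
    ("foreign-volume", re.compile(r"/Volumes/([^/\s]+)"), "path on a mounted volume other than the boot disk"),
    ("other-user-home", re.compile(r"/Users/([^/\s]+)/"), "path inside another account's home directory"),
]


def triage(history, own_user):
    """Return (line number, label, line, reason) for every rule a history line matches."""
    findings = []
    for lineno, raw in enumerate(history.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        for label, pattern, reason in RULES:
            match = pattern.search(line)
            if match is None:
                continue
            # Paths under the user's own home are expected; only other accounts are worth a look.
            if label == "other-user-home" and match.group(1) == own_user:
                continue
            findings.append((lineno, label, line, reason))
    return findings


def volumes_referenced(history):
    """Names of /Volumes/<name> mounts the history touches, e.g. another Mac's disk shared over the network."""
    return set(re.findall(r"/Volumes/([^/\s]+)", history))
```

Run it with the real file via `triage(open(os.path.expanduser("~/.bash_history")).read(), "yourshortname")`; a hit is a reason to open the file the line names, not proof of compromise.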