Has my mid-2007 iMac been hacked?

Discussion in 'iMac' started by bayotter, Jul 1, 2015.

  1. bayotter, Jul 1, 2015
    Last edited by a moderator: Jul 1, 2015

    bayotter macrumors newbie

    Joined:
    Jul 1, 2015
    Location:
    San Diego, California USA
    #1
    Just got out of a really bad relationship with someone who knows computers a lot more than I do. Being the suspicious person that I am, I discovered the following in the terminal history:

    Code:
    /Applications/Akamai/netsession_mac_13d7a2d
    env_keep+="HOME MAIL"
    ALL
    sudo -l
    lc_messages
    /Library/DropboxHelperTools/Dropbox_u501/dbfseventsd
    dscl.list/users
    dsl
    mv mm.vob
    /Library/Application\ Support/Apple/Remote\ Desktop/Notify
    /Volumes/Users/Mark/Videos/RealPlayer\ Downloads/0riginal_message
    /usr/bin/tail -n 10 /Users/bayottere/.bash_history
    usr/bin/tail
    mv mm.vob .mm.vob
    echo
    /pictures/com.alice.mac.camerasecurity/
    .bash_history
    /users/bayotter/.bash_history
    cat .bash_history
    ebkit2
    ~/.MacOSX/environment.plist
    #!/bin/sh
    /mach_kernel ; exit;
    /mach_kernel ; exit;
    /sbin/dynamic_pager ; exit;
    /Library/Preferences/com.apple.filesharingui.plist.lockfile ; exit;
    /Library/Messages/PlugIns/AIM.imservice/Contents/MacOS/AIM ; exit;
    /Library/Messages/PlugIns/Jabber.imservice/Contents/MacOS/Jabber ; exit;
    /bin/domainname ; exit;
    /bin/rcp ; exit;
    /bin/bash ; exit;
    /usr/libexec/od_user_homes ; exit;
    /usr/libexec/mdmclient ; exit;
    /usr/libexec/hidd ; exit;
    /usr/libexec/security_authtrampoline ; exit;
    /usr/libexec/apache2/mod_alias.so ; exit;
    /usr/libexec/sharingd ; exit;
    /usr/libexec/UserEventAgent ; exit;
    /usr/sbin/smbd ; exit;
    /usr/sbin/racoon ; exit;
    /usr/sbin/dtrace ; exit;
    /usr/sbin/raidutil ; exit;
    /usr/sbin/chat ; exit;
    /usr/sbin/traceroute6 ; exit;
    /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit ; exit;
    /System/Library/Frameworks/PubSub.framework/Versions/A/PubSub ; exit;
    /Volumes/MBP2000/private/tmp/KSOutOfProcessFetcher.501.r55jifrBu08ZlGAfPLYXKgYad4c\=/ksfetch ; exit;
    Does anything here look suspicious? Thank you.
     
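The question in the first post is whether anything in that history dump deserves a second look. As an added example (not part of the thread), here is a small triage script that runs a handful of illustrative rules over shell-history lines: it flags reads of another user's `.bash_history`, paths on a volume other than the boot drive, renames to dot-files, a `sudo -l` rights probe, remote-control tooling and camera-app references, and entries of the form `path ; exit;` that look script-generated rather than typed. The sample lines are constructed after the dump above; the rules are a starting point, not a verdict.

```python
import re
from collections import defaultdict

# Illustrative rules, not an exhaustive detector: (category, compiled regex).
RULES = [
    ("privilege probe (lists sudo rights)", re.compile(r"^sudo -l\b")),
    ("path on another volume", re.compile(r"(^|\s)/Volumes/")),
    ("rename to a dot-file (hidden from Finder/ls)", re.compile(r"\bmv\s+\S+\s+\.\S+")),
    ("remote-control tooling", re.compile(r"Remote\\? Desktop", re.I)),
    ("camera-related app", re.compile(r"camerasecurity", re.I)),
    ("script-generated entry (path; exit)", re.compile(r";\s*exit;?\s*$")),
]
# A history file under some home directory: group(1) is the owner's name.
OTHER_HISTORY = re.compile(r"/users/([^/]+)/\.bash_history", re.I)

def triage(lines, current_user):
    """Return {category: [history lines]} for entries worth a second look."""
    hits = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for category, pattern in RULES:
            if pattern.search(line):
                hits[category].append(line)
        m = OTHER_HISTORY.search(line)
        # Reading a history file that lives under someone else's home directory
        if m and m.group(1).lower() != current_user.lower():
            hits["reads another user's shell history"].append(line)
    return dict(hits)

# Constructed sample, modelled on the dump in the first post (paths shortened).
SAMPLE = """sudo -l
mv mm.vob .mm.vob
/Library/Application\\ Support/Apple/Remote\\ Desktop/Notify
/usr/bin/tail -n 10 /Users/bayottere/.bash_history
cat .bash_history
/pictures/com.alice.mac.camerasecurity/
/mach_kernel ; exit;
/Volumes/MBP2000/private/tmp/ksfetch ; exit;""".splitlines()

if __name__ == "__main__":
    for category, entries in triage(SAMPLE, "bayotter").items():
        print(f"[{category}]")
        for entry in entries:
            print("   ", entry)
```

Reading your own history (`cat .bash_history`) is deliberately not flagged; only a history file under a different user's home is.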
  2. T'hain Esh Kelch macrumors 601

    T'hain Esh Kelch

    Joined:
    Aug 5, 2001
    Location:
    Denmark
    #2
    Well, com.alice.mac.camerasecurity is a bit dodgy. Otherwise no. It would help immensely if you told us why you pasted some random text from the Terminal in here.

    Perhaps Apple Remote Desktop is also questionable. And the fact you have at least two users on the machine.
     
  3. bayotter thread starter macrumors newbie

    Joined:
    Jul 1, 2015
    Location:
    San Diego, California USA
    #3
    More info: I recognize the "alice...camerasecurity" reference from a security app I had a few years ago, but removed. It was popular at the time, and took a photo whenever anyone logged in. I removed it years ago.
     
  4. bayotter thread starter macrumors newbie

    Joined:
    Jul 1, 2015
    Location:
    San Diego, California USA
    #4
    Sorry. On iPhone. Hit POST accidentally. Continuing...

    Could that app have been added back and hidden somewhere?

    The reference to MBP2000 is the volume name for my ex's MacBook Pro.

    There is supposed to be only one user on my Mac. Only one is listed, anyway.

    I am concerned now.
     
  5. yjchua95 macrumors 604

    Joined:
    Apr 23, 2011
    Location:
    GVA, KUL, MEL (current), ZQN
    #5
    Here's what you should do:
    1. Manually back up all your personal files and folders.
    2. List down all the apps you want to reinstall.
    3. Clean install OS X and don't restore from a time machine backup.
     
  6. bayotter thread starter macrumors newbie

    Joined:
    Jul 1, 2015
    Location:
    San Diego, California USA
    #6
    Good advice yjchua95. I will have to do that.

    My curiosity still has me, though. The breakup occurred out of fear and lack of trust on my part. My ex was involved in law enforcement and would very easily have been able to arrange something dark. I have never been able to find proof, and I am here hoping that my suspicions were correct and not just unfounded paranoia. There is clearly the reference to MBP2000, my ex's MacBook Pro. I can't tell if the MBP was accessed from my Mac, or my Mac was accessed from the MBP. Is that obvious from a Terminal command line?

    Are the only commands in Terminal manually entered ones, can they be from running scripts, and/or can a normal running application insert commands into Terminal?

    Interesting note, several times when standing near my ex while on the MBP, I noticed that the date was incorrect on both the MBP and a laptop PC sometimes used. They were sometimes off by years. Is that a way to disguise yourself accessing another computer or even just on that computer as the file or application/program dates would fall way down on a file list or not appear on logs?

    I really appreciate the answers. It is about more than just fixing a problem. I hope they help others reading this too. Thanks again.
     
  7. yjchua95 macrumors 604

    Joined:
    Apr 23, 2011
    Location:
    GVA, KUL, MEL (current), ZQN
    #7
    It's possible that both Macs were at one point in time on the same network and were connected to each other through that.

    Commands entered via Terminal can be from scripts.

    Regarding the third paragraph, possibly, but I'm not sure. At this stage, don't trust anything and assume nothing. Do a clean install and manually back up only the items that you need. Don't use a Time Machine backup. Also, download the apps fresh from the developers directly. Chances are that one of the apps could be doctored.

    Enable FileVault as well, along with firmware password protection. Also download the Yosemite installer from the App Store and create a bootable USB stick for re-installation out of it. 10.10.4 applies EFI updates to Macs (not sure whether all Macs will get EFI updates or not with it, but mine did), and so by applying that, you could possibly flush out boot kits too.

    Here's how to create a bootable USB installer:
    1. Download Yosemite from the App Store.
    2. Have an 8GB USB stick or an 8GB partition in an external drive ready.
    3. Download DiskMakerX from http://diskmakerx.com (free app). Use this app to create the bootable USB. It'll guide you.

    After that, back up only the stuff that you need manually. Then, stick the USB stick in and restart the Mac. Upon hearing the chime, hold down on the Option key and boot from the stick. After booting into it, open Disk Utility and erase the internal drive. Then, quit it and reinstall OS X.

    Make sure you enable FileVault 2 and EFI/firmware password protection as well. As Snowden said, encryption does work.
     
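Post #6 asks whether setting a machine's clock back by years would hide activity by pushing file dates down the list and off the logs. As an added example (not from the thread), one check that is cheap to run: under a clock that only moves forward, a file cannot have been modified before it was created, so a modification time earlier than the birth time, or later than "now", is a lead worth following. The records below are constructed; `scan_tree` applies the same check to a real directory where the platform exposes a birth time (macOS does, via `st_birthtime`).

```python
import os
import time

def stat_record(path):
    """(path, birth_epoch or None, mtime_epoch) from the filesystem."""
    st = os.stat(path)
    return (path, getattr(st, "st_birthtime", None), st.st_mtime)

def flag_clock_anomalies(records, now=None, tolerance=1.0):
    """Return (path, reason) for timestamps that a forward-only clock cannot produce.
    records: iterable of (path, birth_epoch or None, mtime_epoch)."""
    now = time.time() if now is None else now
    flagged = []
    for path, birth, mtime in records:
        if birth is not None and mtime + tolerance < birth:
            flagged.append((path, "modified before it was created"))
        elif mtime > now + tolerance:
            flagged.append((path, "modified in the future"))
    return flagged

def scan_tree(root, now=None):
    """Walk a directory tree and apply the check to every regular file."""
    recs = []
    for d, _, files in os.walk(root):
        for f in files:
            try:
                recs.append(stat_record(os.path.join(d, f)))
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort
    return flag_clock_anomalies(recs, now)

# Constructed sample records (epoch seconds, UTC), not taken from a real machine.
T_2011 = 1299196800.0   # 2011-03-04
T_JUN30 = 1435622400.0  # 2015-06-30
T_JUL01 = 1435708800.0  # 2015-07-01
T_2020 = 1577836800.0   # 2020-01-01
SAMPLE = [
    ("/Users/example/Documents/notes.txt", T_JUN30, T_JUL01),  # normal ordering
    ("/Users/example/Movies/.mm.vob", T_JUN30, T_2011),        # clock set back years
    ("/Users/example/Downloads/report.pdf", T_JUN30, T_2020),  # clock set forward
    ("/Volumes/Other/file", None, T_JUL01),                    # birth time unknown
]

if __name__ == "__main__":
    for path, reason in flag_clock_anomalies(SAMPLE, now=T_JUL01):
        print(f"{reason}: {path}")
```

A hit is a lead, not proof: copying a file with its timestamps preserved (e.g. `cp -p`, `rsync -a`) also yields a modification time older than the new copy's birth time, so check how each flagged file got there.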
  8. bayotter thread starter macrumors newbie

    Joined:
    Jul 1, 2015
    Location:
    San Diego, California USA
    #8
    Your advice is the right course. I will do that and let the suspicions go. I don't want this to become an obsession. Time to move on and leave the past in the past.
     
  9. yjchua95 macrumors 604

    Joined:
    Apr 23, 2011
    Location:
    GVA, KUL, MEL (current), ZQN
    #9
    PS - 10.10.4 does bring EFI security updates. So make sure you apply this update. If you downloaded the installer off the App Store, it'll be 10.10.4 already.
     
  10. fathergll macrumors 6502a

    Joined:
    Sep 3, 2014
    #10
    This is a good reason to always physically block the camera on all computers.
     
  11. T'hain Esh Kelch macrumors 601

    T'hain Esh Kelch

    Joined:
    Aug 5, 2001
    Location:
    Denmark
    #11
    There are references to the users "bayotter" and "Mark".
     
  12. yjchua95 macrumors 604

    Joined:
    Apr 23, 2011
    Location:
    GVA, KUL, MEL (current), ZQN
    #12
    Care to elaborate? I'm lost here.
     
  13. T'hain Esh Kelch macrumors 601

    T'hain Esh Kelch

    Joined:
    Aug 5, 2001
    Location:
    Denmark
    #13
     
  14. \-V-/ Suspended

    \-V-/

    Joined:
    May 3, 2012
    #14
    Yep ... clean install. Start fresh. Get your peace of mind back.
     
  15. Beachguy macrumors 6502a

    Beachguy

    Joined:
    Nov 23, 2011
    #15
    I'm not sure enough there's anything suspicious there at all. The two lines in question can easily be examined by looking into the files involved with a viewing of the RealPlayer file "0riginal_message" and a look at the .bash_history file. There is only one other user name (Mark), since bayotter is likely the other user ("bayottere") in the history listed.

    Rebuilding a machine is quite an effort. At this point, I think worry is causing suspicion, but just don't see anything to justify it.
     