Status
Not open for further replies.

imacdave1

macrumors newbie
Original poster
Feb 1, 2015
13
1
iMac 2013 27"

Someone severely hacked into my iMac; they had accessed every email account I used on my iMac, including my FB account and my iCloud account. I deactivated my FB account 4 times only to see it reactivated by someone else. It got so bad that I took my iMac to an Apple approved service repair center and had them install a new hard drive, but the idiot technician transferred the data from the compromised HD to the new HD.

According to the modem/router log I configured on the modem, my system is being used to send out "TCP- or UDP-based Port Scan" or "SYN Flood" packets. How do I stop this? I have the firewall on the modem/router set to high and I've got the firewall on my iMac set up so it doesn't accept any incoming connections to programs that could be used by a hacker, but the TCP- or UDP-based Port Scan or SYN Flood still exists.

I check my system resources and it looks normal, but when I run an IP scanner on my system I can see that my system is being accessed by telnet and/or OpenSSH, yet I've never configured my system for such use.

In my com.apple.applefileserver plist file I'm supposedly using LKDC:SHA1.5488DD95F4D70CC7EE141AF1C9CC1EFBECC28819@LKDC:SHA1.5488DD95F4D70CC7EE141AF1C9CC1EFBECC28819 (Kerberos) as a server and have a hidden LDAPv3 configuration running that I knew nothing about till last night. I've disabled the Wi-Fi in System Preferences, so now I only connect to the internet via Ethernet.

I have deleted and reformatted every partition on my hard drive, but the problem still exists.

Any suggestions would be greatly appreciated.
 
> In my com.apple.applefileserver plist file I'm supposedly using LKDC:SHA1.5488DD95F4D70CC7EE141AF1C9CC1EFBECC28819@LKDC:SHA1.5488DD95F4D70CC7EE141AF1C9CC1EFBECC28819 (Kerberos) as a server and have a hidden LDAPv3 configuration running

This is 100% normal. It's what OS X uses internally to manage user accounts and other aspects of the system.
 
Are you reusing passwords between accounts? How strong are your passwords? Unless you're installing pirated software or visiting sketchy websites it's more likely that someone has stolen your login credentials than that your computer has been hacked. Did you try changing your passwords?
 
Somewhat; the only difference is my router is showing my IP as the source and someone else as the target.

> This is 100% normal. It's what OS X uses internally to manage user accounts and other aspects of the system.
I use a port scanning program called Fing (downloaded from the Apple store) on my iPhone and iPad, and it shows that someone has been using port 62078 to back up my iPhone. The link is http://code.google.com/p/iphone-elite/source/browse/wiki/62708.wiki. I'll use the sudo command on my iMac to shut that port down. The port is associated with a program on my computer called lockdownd, but I can't seem to locate it so I can either delete it or put it in my firewall and disable it from receiving any incoming messages.

> Are you reusing passwords between accounts? How strong are your passwords? Unless you're installing pirated software or visiting sketchy websites it's more likely that someone has stolen your login credentials than that your computer has been hacked. Did you try changing your passwords?

I've changed my passwords literally hundreds of times, but now they're more complex, using symbols, numbers and letters. Because of all the problems this has caused and the money I've spent to put this crap to a stop, I'm very careful about the web sites I go to and only download from the Apple store.
 
I feel like you should go to the police, and maybe get in touch with some nice investigation agency.
 
> I feel like you should go to the police, and maybe get in touch with some nice investigation agency.

Been there, done that.

The police won't get involved till there's been money taken, and even then they drag their feet. Because they had taken complete control of my iMac, the hackers could hear me and see everything that I was doing while I was in front of the computer's camera.

Calling Apple is pointless; they'll only tell you to wipe your hard drive and start out fresh. What they fail to realize is there's an EFI partition (FAT32) that contains the computer's OS that doesn't get deleted even though you've formatted the hard drive. I had to get creative and figure out how to delete that partition, to no avail.

The way I see it is third party software in the form of a firewall and a malware scanner that works. I could definitely use more suggestions.
 
> The way I see it is third party software in the form of a firewall and a malware scanner that works. I could definitely use more suggestions.
Your Mac was not hacked. In over 7 years of reading "My Mac was hacked!" claims in this forum and elsewhere, not a single one ever was hacked. You can safely put that possibility out of your mind and move on to basic troubleshooting.

Email and Facebook accounts can be compromised even if you don't own a computer. Change all of your online passwords again, including all email accounts. Make sure the new passwords are long and complex, so they're more difficult to guess.

Launch Activity Monitor and make note of all processes running. You can post a screen capture here or simply report any processes you don't recognize.

You can check the following locations for apps that automatically launch on startup and delete any you don't need/want:
  • System Preferences > Users & Groups > yourusername > Login Items (SL and older: System Preferences > Accounts > yourusername > Login Items)
  • In Finder, click Go > Go to Folder > /Library/LaunchAgents
  • In Finder, click Go > Go to Folder > ~/Library/LaunchAgents
  • In Finder, click Go > Go to Folder > /Library/StartupItems
After you delete items from the list, restart your Mac and those processes should not be running.

If you think you may have installed a Trojan, install ClamXAV and run a complete system scan. Your router's firewall and the firewall included with OS X should be sufficient. You don't need to install a 3rd party firewall.
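As an added illustration of the launch-item check described in this reply (not code from the thread or from Apple), the script below reads every .plist in the LaunchAgents/LaunchDaemons folders named above and prints only the entries whose Label is not an Apple one, which is the short list a user actually has to recognise or remove. The sample folder and its two plists are constructed for the demonstration; on a real Mac you would pass the real paths instead.

```shell
#!/bin/sh
# Added example, not from the thread: list launch items in the folders the
# reply names and flag those whose Label is not com.apple.*, which is where a
# third-party persistent process would show up. Uses grep/sed on XML plists
# (a binary plist needs `plutil -convert xml1 file.plist` first, macOS only).

# Print one line per .plist in the given directories: path, Label, Program.
list_launch_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.plist; do
            [ -f "$f" ] || continue
            label=$(grep -A1 '<key>Label</key>' "$f" | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' | head -n 1)
            prog=$(grep -A1 '<key>Program</key>' "$f" | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' | head -n 1)
            printf '%s\t%s\t%s\n' "$f" "${label:-?}" "${prog:-?}"
        done
    done
}

# Keep only entries whose Label does not start with com.apple. (Apple's own
# agents); what is left is third-party and should be recognised or removed.
flag_non_apple() {
    awk -F'\t' '$2 !~ /^com\.apple\./'
}

# Constructed sample folder: one Apple-style item and one third-party item,
# so the functions can be tried without touching the real /Library paths.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/com.apple.example.plist" <<'EOF'
<plist version="1.0"><dict>
<key>Label</key>
<string>com.apple.example</string>
<key>Program</key>
<string>/System/Library/CoreServices/example</string>
</dict></plist>
EOF
    cat > "$d/com.unknownvendor.updater.plist" <<'EOF'
<plist version="1.0"><dict>
<key>Label</key>
<string>com.unknownvendor.updater</string>
<key>Program</key>
<string>/Users/Shared/.updater</string>
</dict></plist>
EOF
    printf '%s\n' "$d"
}

# Real use: list_launch_items /Library/LaunchAgents ~/Library/LaunchAgents /Library/LaunchDaemons | flag_non_apple
list_launch_items "$(make_sample_dir)" | flag_non_apple
```

Anything the filtered list prints that you do not recognise is what the reply suggests removing, after which a restart confirms the process is gone from Activity Monitor.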
 
> What they fail to realize is there's an EFI partition (FAT32) that contains the computer's OS that doesn't get deleted even though you've formatted the hard drive. I had to get creative and figure out how to delete that partition, to no avail.
Unless you're thinking that someone malicious had physical access to your computer, it's very unlikely that the EFI or recovery partition have been tampered with.
 
> Unless you're thinking that someone malicious had physical access to your computer, it's very unlikely that the EFI or recovery partition have been tampered with.

And even then, unlikely. Unless you live in Russia and have been saying bad things about Putin, I think you can rule that out.
 
Thanks for replying. I checked all the folders that have been suggested and they all looked ok. I came across a file concerning a hidden LDAPv3 connection that I knew nothing about; it reads as follows: it has a hidden registration, locked, AppleODC client, it uses DNS replicas and an "altServer replica". I wasn't aware of an alternate server being installed on my hard drive; that being said, is this a legitimate file?

When I go to System Preferences > Users & Groups > Login Items > Network Account Server > Join > Open Directory Utility and click on LDAPv3, the only option I have is to make a new account.
 
> Thanks for replying. I checked all the folders that have been suggested and they all looked ok. I came across a file concerning a hidden LDAPv3 connection that I knew nothing about; it reads as follows: it has a hidden registration, locked, AppleODC client, it uses DNS replicas and an "altServer replica". I wasn't aware of an alternate server being installed on my hard drive; that being said, is this a legitimate file?
>
> When I go to System Preferences > Users & Groups > Login Items > Network Account Server > Join > Open Directory Utility and click on LDAPv3, the only option I have is to make a new account.

Yes, this is all totally normal. As I said, it's how OS X manages user accounts, even if there's only one user account on the computer.
 
Maybe you're right and I'm just gun-shy right now. I'm still trying to understand how the port scanner detected my iPhone using port 62078 and was backed up. I just googled port 62078 hack on; here's what I came up with:

https://www.google.com/search?q=port+62078+exploit&ie=utf-8&oe=utf-8

Your searches are making you unnecessarily paranoid. Port 62078 is how the phone connects to iTunes for wifi sync. While it may be possible to exploit that port, again, you're not seeing any evidence at all that this is actually happening.
I assume that you have secured your wifi network at home with a WPA2 password. If not, you should do that right away, even if your computer is connected to that network over ethernet.
Every month or two a new poster comes on the forum stating that their Mac has been "hacked." There has never been actual evidence that this is the case. It's all but certain that your email/Facebook/whatever accounts were compromised by a bad password or passwords somewhere rather than a hack on your specific Mac.
Where you should be focusing your attention is on your accounts themselves. Implement 2-factor authentication where possible, and where it's not possible, be sure you're using strong and unique passwords for each account.
 