How do I find log evidence of a screen sharing hacker?

Discussion in 'Community Discussion' started by kmharper, Sep 21, 2011.

  1. kmharper macrumors newbie

    Sep 21, 2011
    Meridian, ID
    I am a long-time Mac user, but not a Unix geek, so I'd like some help sniffing out who or how someone broke into a couple of different computers on my network using screen sharing.

    To avoid getting flamed like other newbies who have asked for help with suspected intruders, here are the facts I've been able to determine so far:
    1. I have two kids with MacBooks on my network, plus an iMac with the rest of my kids individual accounts. No one shares accounts.
    2. I noticed one day that my own MacBook cursor was moving when I was doing something else at my desk. I watched it for a few minutes while it hovered and selected a browser window I had open. It was very clearly someone who was sharing and controlling my screen. After a few minutes, and thinking I knew who it was (my college age son goofing around), I changed my passwords, turned on my firewall, and adjusted my screen sharing settings.
    3. Immediately after this incident (and before I changed the passwords) I saw a Bluetooth device disconnection notice. I have a Bluetooth mouse sitting on my bookshelf in back of my chair, so I initially thought I must have bumped it. When I checked to see where it was, it was not in a position where I could have bumped it.
    4. I talked to my son, who is an extremely trustworthy kid, and he said he knew nothing about screen sharing and had never messed with it.
    5. I asked all of my other kids if they had ever messed around with screen sharing and either attempted or were successful at sharing a screen on my computer. They are all pretty trustworthy kids, and none of them gave me any reason to think they had done it.
    6. Fast forward to today. My oldest son, whom I had at first suspected of the first incident, came in and asked me if I had screen shared his screen a few minutes earlier. I hadn't. No one was physically near the other computers in the house, so it had to be someone outside.
    7. He said he watched as the mouse was controlled for a few seconds, and then "fought" with the mouse to turn off Bluetooth and Airport.

    I noticed a lawn service truck parked on the street. Maybe the guy was on his lunch break with his laptop snooping around?

    Where in the logs can I find out if/how/who someone accessed the screen sharing on my son's computer?
  2. Intell macrumors P6


    Jan 24, 2010
    The hacker, if one exists, must have known two different passwords. If both you and your son have good passwords and the WiFi network is secured with WPA2, then it is my opinion that there is no attacker.
  3. kmharper thread starter macrumors newbie

    Sep 21, 2011
    Meridian, ID
    Not asking for opinions on whether I was hacked

    I am not at all saying that we had good passwords. I have changed them now to be better, and will probably change them once a month in the future.

    But my question is not what someone's opinion is about whether I was attacked based on the info I provided, but where in the logs can I look for evidence of it and what exactly should I look for in the logs?
  4. OutThere macrumors 603


    Dec 19, 2002
    Dig around in Console, look at the firewall log and search for anything to do with VNC. What I would do is intentionally log in with screen sharing and see what kind of records it generates in your log files.

    I would agree, however, that it's quite unlikely that anyone would break into your computer through screen sharing just to move the mouse around and click a window.

Share This Page