is my MacBook hacked?

Discussion in 'macOS Sierra (10.12)' started by newlifer, Apr 3, 2017.

  1. newlifer macrumors member

    Joined:
    Jun 7, 2014
    #1
    hello guys, this is the greatest Apple site ever!

    so my question is about security on the latest macOS Sierra. you see sometimes hackers get physical access to the phone or the laptop and this is when things get nasty. on my iPhone I check diagnostics and I can tell if the iPhone has been hacked through physical access, I'm not talking about a jailbroken phone. I have even seen panic.ips in the diagnostics through physical access...

    what about Sierra? how can I read diagnostics in Sierra like in iOS? how can I tell if my laptop has been hacked through physical access? you see I might leave my laptop unattended for a while...

    cheers!
     
  2. DeltaMac macrumors 604

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #2
    The Console, where you can view the logs in macOS, would be the closest that you would get to something like that, I think.

    But, even if you leave it unattended, you can always protect it. At least log out, so no one can log in without a password.
    You can set it so even if you sleep your MacBook, a password is always required. Or shut it off when you have to leave it.
    It's a good use case for FileVault, as another user would need both the unlocking code and your user login, too.
    You can ALSO enable the EFI password, so your MacBook cannot be booted from another device, without typing in the firmware password.

    But, aren't you concerned about theft? If you are leaving it out in the open, where anyone can walk off with your laptop, they can do anything they like, including just selling it for parts...
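
The settings DeltaMac lists in post #2 (password on wake, FileVault, firmware password) can be checked from Terminal. The script below is an added example, not part of any post in this thread; it assumes the Sierra-era `com.apple.screensaver` preference keys `askForPassword` and `askForPasswordDelay`, and `firmwarepasswd -check` needs root.

```shell
#!/bin/sh
# Added example: audit the three protections named in post #2.
# Each check_* function classifies the text printed by one macOS tool,
# so the decision logic is separate from the tools themselves.

# fdesetup status prints "FileVault is On." or "FileVault is Off."
check_filevault() {
  case "$1" in
    *"FileVault is On"*)  echo PASS ;;
    *"FileVault is Off"*) echo FAIL ;;
    *)                    echo UNKNOWN ;;   # tool missing or no output
  esac
}

# firmwarepasswd -check prints "Password Enabled: Yes" or "Password Enabled: No"
check_firmware() {
  case "$1" in
    *"Password Enabled: Yes"*) echo PASS ;;
    *"Password Enabled: No"*)  echo FAIL ;;
    *)                         echo UNKNOWN ;;   # not run as root, or no output
  esac
}

# $1 = askForPassword (1 = on), $2 = askForPasswordDelay in seconds
# (assumed key names; an unset key reads as empty and is reported UNKNOWN)
check_screenlock() {
  case "$1" in 1) ;; 0) echo FAIL; return ;; *) echo UNKNOWN; return ;; esac
  case "$2" in
    0|0.0)        echo PASS ;;      # password required immediately
    ''|*[!0-9.]*) echo UNKNOWN ;;   # delay missing or not a number
    *)            echo FAIL ;;      # password required only after a delay
  esac
}

audit() {
  echo "FileVault:         $(check_filevault "$(fdesetup status 2>/dev/null)")"
  echo "Firmware password: $(check_firmware "$(firmwarepasswd -check 2>/dev/null)")"
  echo "Password on wake:  $(check_screenlock \
    "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" \
    "$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)")"
}

# Only query the tools on macOS; run with sudo so firmwarepasswd can answer.
if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```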
     
  3. newlifer, Apr 3, 2017
    Last edited: Apr 3, 2017

    newlifer thread starter macrumors member

    Joined:
    Jun 7, 2014
    #3
    thanks for your answer!

    I always leave both the phone & the laptop logged out... in the case of the iPhone, it was locked and I made the mistake of leaving it unattended for a while and the hacker was able to do it on a locked phone... I was so silly to think that a locked iPhone is useless if it gets stolen and can be traced.

    now the laptop is easier to leave unattended for a while, e.g. I cannot carry the laptop to the toilet with me every time...

    anyway the first step is to have a look if sierra has been hacked, how do I do this? then format & take the other steps you have described

    I've checked out the console system.log and found a term "DirtyJetsamMemoryLimit"
    is that suspicious?
    I also get jetsam memory errors on my iPhone 6s plus...

    here is part of the macOS sierra log:

    Apr 4 00:17:55 --- last message repeated 2 times ---
    Apr 4 00:17:55 192 com.apple.Safari.SearchHelper[538]: libcoreservices: _dirhelper: 660: mkdir: path=/var/folders/0m/d9mp0txj0mg68wszz711zcb00000gn/0/com.apple.Safari.SearchHelper/ modes[0]=0755: Operation not permitted
    Apr 4 00:17:56 192 com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
    Apr 4 00:18:26 --- last message repeated 2 times ---
    Apr 4 00:19:02 192 com.apple.xpc.launchd[1] (com.apple.WebKit.Networking.8BD17976-DE2A-4BC1-8835-8AA4DCB61236[534]): Service exited with abnormal code: 1
    Apr 4 00:19:42 192 com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
    Apr 4 00:20:14 --- last message repeated 2 times ---
    Apr 4 00:22:05 192 syslogd[35]: ASL Sender Statistics
    Apr 4 00:27:36 192 com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
    Apr 4 00:28:17 --- last message repeated 2 times ---
    Apr 4 00:28:37 192 com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
    Apr 4 00:28:39 192 com.apple.xpc.launchd[1] (com.apple.WebKit.Networking.EE6C86BE-0CAC-4953-845A-57D3C95C6647[556]): Service exited with abnormal code: 1
    Apr 4 00:28:42 192 com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
     
  4. Yahooligan macrumors 6502a

    Joined:
    Aug 7, 2011
    Location:
    Illinois
    #4
    Not to be rude, but if you have to ask then you're unlikely to be able to discern between a normal and suspect message. Posting log entries that you don't understand and asking if they're suspicious would take forever to go through.

    I appreciate you wanting to find out if your laptop has been compromised, but reading this thread reads like someone that wants to know how to rebuild a Ferrari engine with a screwdriver and a pair of pliers and has never worked on a car in their life. Intrusion detection isn't easy and at the very least you have to have an understanding of the underlying system so that you can determine on your own what is normal and not.

    If you are THAT concerned, restore your laptop from a known-good backup and take measures to prevent physical access to the laptop. That is much easier and quicker than trying to wade through the system and logs for a sign of intrusion. Perhaps you could simply put the laptop in a backpack and lock the zipper...or just take the backpack with you.

    Good luck...
     
  5. DeltaMac macrumors 604

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #5
    No, I suppose you don't want to take a laptop to the toilet. But you can log out, and have a password protecting your account that NO ONE else knows except you. Makes it extraordinarily challenging to do anything during the time you go to the toilet. And, of course, if you are gone longer, you would know, and secure your laptop so that it would not be easy to walk out, nor would it be easy to hack, because the "hacker" can't log in to your laptop when you have taken some care with a strong password to protect it.

    What do you believe that a "hacker" can do with your locked iPhone - using a strong passcode (that no one else knows), and the "hacker" has, at most, a few minutes to "do something"?
    And, yes, you are still correct - a locked iPhone, since iOS 9, not knowing the passcode, and connected to your AppleID account, with FindMyPhone activated, with two factor authentication, can't be used by someone else (no hacking).
    Jailbreak that iPhone, and all bets are off, however. If you don't wish to have your iPhone "hacked", then don't jailbreak it. Use the normal security protection that Apple provides - and you will be safe as a locked safe.
    You've been reading too many science fiction stories.
     
  6. Tech198 macrumors G4

    Joined:
    Mar 21, 2011
    Location:
    Australia, Perth
    #6
    That's the thing too... Console logs may *not* be easy to understand hence the question. Not everyone can get what causes a crash or what process was used either..

    But the best effort is never let it out of your sight, and if you do, and share it with others, use a good password, and set up macOS to "ask for password immediately" upon returning..

    You can do that from "Security & Preferences, General"
     
