I hope the OP doesn't take this personally, but they asked for opinions and here is mine:
The reason Little Snitch is not catching anything untoward is because these mystery files and changes to your computer are a result of user error, not "hacking".

Before you explode, I'll give you an example:
When using Safari, I often use the command-L key combination to type a URL. However, if Safari is merely at the front and not the active application (say I just accidentally clicked an icon on the desktop) what happens instead is the command-L shortcut creates an alias of the selected file in the Finder instead of highlighting the address bar in Safari. It's an easy mistake to make. Sometimes when I quit Safari I can find 2 or 3 accidental aliases on my desktop. It's not a hacker, it's user error.

There are dozens of ways that the duplicate files you mention can be created in OS X. In my opinion you should pay close attention to exactly when these files are appearing and analyze what you were doing beforehand. Also, does anyone besides yourself use this computer? It might not even be you who is accidentally making these changes.

Any hacker talented enough to get through your wireless encryption and hack your Mac would probably do something much more interesting than just copy and rename a few insignificant files, but that's just my $.02
 
What you're describing there is a plaintext attack against AES.

The XLS attack can be used against AES, but with current technology, takes more computing power than a brute force attack (it needs to resolve a huge simultaneous quadratic equation with many many variables.)

Actually I don't know what a plaintext attack is; however, the first step to restricting the search is a pattern analysis, because one thing we know is that people have a home page (usually). The data length of the first load could be searched against known common websites at the same times (like the Apple start page, MSN, Google, Yahoo, Gmail, etc.). Once that is determined, the data set could be narrowly restricted and compared against known values. This will make the processing power needed shrink dramatically. Once you then have a fair sample of cipher keys, which you would get by determining the difference of the data packets against the known unencrypted ones, it can also be simplified more by narrowing the search down even further by using image loads inside the data sets. If you can isolate, let's say, the load of the Yahoo, Apple logo, etc., then the data sets shrink even more dramatically, hence even further reducing the math load needed to gain the keys.
However, a multitasking user could cause this to become almost an impossibility. Someone who is using a messenger right at log on would mean multiple TCP/IP connections, and filtering out your start page or the logos could become next to impossible. The busier it is, the more difficult it would get.
terramir
 
Ok people, how do you explain this? Just now all my bookmarks, about 50, just disappeared?

The problems going on are very hard to diagnose and troubleshoot via a forum because we don't know exactly what you're doing. You're best off taking it to a local computer security place and have them check out the machine and talk to you about online activities. I highly doubt you'll get any real help from us here because it's simply too hard to get the critical information needed to properly troubleshoot.
 
Thanks. I see what you mean. But I am not pressing any keys or doing anything untoward. I was in Safari and the window changed and then I noted the menu bar bookmarks went then I looked in all my bookmarks and they had all disappeared.
 
For the user with the suspected hacked mac

Thanks. I see what you mean. But I am not pressing any keys or doing anything untoward. I was in Safari and the window changed and then I noted the menu bar bookmarks went then I looked in all my bookmarks and they had all disappeared.

Without intending to be rude, I believe that you have received enough suggestions from the posters to present yourself with a good variety of options. So perhaps it is time to take action rather than attempt to further convince others that untoward things are happening on your machine.

For all it's worth, if you suspect a keylogger, perhaps it's worth reinstalling the Operating System again from scratch - ideally formatting (wiping) your hard disk first.

All the best.
 
Thank you. Yes, I have wiped the computer now and will post back on here when I have found some better protection. I was just wondering, silly question maybe, but is it possible to put a virus on a router?
 
hack help???

Help.... experts out there.. can you let me know if my system is being hacked? I posted some entries on Photobucket. I've lost two hard drives on two separate computers.. here are some of the entries:

Also, suddenly I can't load attachments (it stays in eternal "uploading") to my Hotmail emails and I can't send emails...

Code:
6/26/09 3:03:59 PM com.intego.netbarrier.daemon[55] kextload: /Library/StartupItems/NetBarrierKPI/AppBarrierKPI.kext loaded successfully 
6/26/09 3:04:12 PM com.apple.SystemStarter[30] iCal Server Launched! 
6/26/09 3:04:13 PM com.apple.SystemStarter[30] Starting HP IO Monitor 
6/26/09 3:04:13 PM com.apple.SystemStarter[30] Starting HP Trap Monitor 
6/26/09 3:04:14 PM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[90]) Exited: Terminated 
6/26/09 3:04:14 PM com.apple.launchd[1] (com.apple.ScreenSharing.server[89]) Exited: Terminated 
6/26/09 10:45:12 PM com.apple.launchd[1] (org.apache.httpd) Unknown key: SHAuthorizationRight 
6/26/09 10:45:58 PM com.apple.loginwindow[37] Fri Jun 26 22:45:58 Macintosh.local loginwindow[37] <Warning>: CGSShutdownServerConnections: Detaching application from window server 
6/26/09 10:45:58 PM com.apple.launchd.peruser.504[117] Fri Jun 26 22:45:58 Macintosh.local BezelUIServer[1334] <Warning>: CGSShutdownServerConnections: Detaching application from window server 
6/26/09 10:46:14 PM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[1483]) Exited: Terminated 
6/26/09 10:46:14 PM com.apple.launchd[1] (com.apple.ScreenSharing.server[1482]) Exited: Terminated 
6/26/09 10:46:29 PM com.apple.launchd[1454] ([0x0-0x7b07b].SoftwareUpdateCheck[1514]) Exited with exit code: 102 
6/26/09 10:46:35 PM SyncServer[1525] SyncServer: Reaping records for inactive clients. Next reap on 2009-08-10 22:46:35 -0700 
6/26/09 10:46:35 PM SyncServer[1525] SyncServer: Truth vacuumed. Next vacuum date 2009-07-10 22:46:35 -0700 
6/26/09 10:47:40 PM [0x0-0x83083].com.apple.Safari[1530] Debugger() was called! 
6/26/09 10:59:24 PM LCCDaemon[1604] AZTheatre posted an event which matched global settings but wasn't handled: <AZEvent: mouse buttons [0x0]> 
6/27/09 12:41:01 AM [0x0-0x78078].com.apple.systemuiserver[1507] DigiHub:sendChargingCommandToDevice  RequestExtraPower(kUSBPowerDuringWake) returned 500 
6/27/09 12:48:35 AM [0x0-0xaa0aa].com.apple.Safari[1962] Debugger() was called! 
6/27/09 12:49:47 AM Little Snitch Network Monitor[1492] LSOpenFromURLSpec() returned -10814 for application (null) urls x-littlesnitch:add-deny-rule?process=/System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/DashboardClient&destination=apple.accuweather.com. 
6/27/09 1:16:49 AM [0x0-0x78078].com.apple.systemuiserver[1507] DigiHub:sendChargingCommandToDevice  RequestExtraPower(kUSBPowerDuringWake) returned 500 
6/27/09 1:17:24 AM com.apple.launchd[1454] ([0x0-0x85085].com.apple.ImageCaptureApp[1570]) Exited abnormally: Segmentation fault 
6/27/09 1:18:44 AM LCCDaemon[1604] AZTheatre posted an event which matched global settings but wasn't handled: <AZEvent: mouse buttons [0x0]>
 
Help.... experts out there.. can you let me know if my system is being hacked?

Looks like you have NetBarrier and LittleSnitch installed. None of the log entries there look suspicious to me. It's possible one of those apps is blocking your upload, but that's just a guess. So no, I don't believe you're being hacked in any sense of the word.
 
Actually I don't know what a plaintext attack is; however, the first step to restricting the search is a pattern analysis, because one thing we know is that people have a home page (usually). The data length of the first load could be searched against known common websites at the same times (like the Apple start page, MSN, Google, Yahoo, Gmail, etc.). Once that is determined, the data set could be narrowly restricted and compared against known values. This will make the processing power needed shrink dramatically. Once you then have a fair sample of cipher keys, which you would get by determining the difference of the data packets against the known unencrypted ones, it can also be simplified more by narrowing the search down even further by using image loads inside the data sets. If you can isolate, let's say, the load of the Yahoo, Apple logo, etc., then the data sets shrink even more dramatically, hence even further reducing the math load needed to gain the keys.
However, a multitasking user could cause this to become almost an impossibility. Someone who is using a messenger right at log on would mean multiple TCP/IP connections, and filtering out your start page or the logos could become next to impossible. The busier it is, the more difficult it would get.
terramir

...

So you're not a cryptographer, eh?

What you're describing is kinda like a known-plaintext attack -- the only problem is that it wouldn't really help when it comes to breaking WPA2-AES. Even if you know what a specific frame contains, you're not really any closer to recovering the key. Yes, in theory it restricts the keyspace -- but you're still gonna be doing a brute force attack on the key. The only thing that knowing some plaintext might help with is determining which candidate key is the right one -- except you can pretty easily determine that since the plaintext is highly structured anyways: if you decrypt a frame and find something that resembles an IP packet, chances are you've got the key. You don't need to know whether the user was visiting Yahoo's homepage or anything like that... basic heuristics will be sufficient to determine whether or not you've found the right key.
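The point in the reply above, that structure alone identifies a correct decryption, shown as an added example that is not part of any post in this thread. The function names and the sample packet are constructed for illustration, and wrong-key output is modelled here as uniformly random bytes (an assumption).

```python
import random
import struct

def fold_sum(data: bytes) -> int:
    """16-bit one's-complement sum, as used by the IPv4 header checksum."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def looks_like_ipv4(buf: bytes) -> bool:
    """Structure-only test; nothing about the payload has to be known."""
    if len(buf) < 20:
        return False
    version, ihl = buf[0] >> 4, buf[0] & 0x0F
    if version != 4 or ihl < 5 or len(buf) < ihl * 4:
        return False
    if struct.unpack("!H", buf[2:4])[0] != len(buf):  # total-length field
        return False
    # A valid header, checksum field included, folds to 0xFFFF.
    return fold_sum(buf[:ihl * 4]) == 0xFFFF

def build_sample_packet(payload: bytes) -> bytes:
    """Constructed IPv4 packet using documentation addresses (RFC 5737)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, 6, 0, bytes([192, 0, 2, 10]),
                      bytes([198, 51, 100, 7]))
    checksum = 0xFFFF - fold_sum(hdr)
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:] + payload

def false_positives(trials: int, length: int, seed: int = 1) -> int:
    """Count random buffers (a stand-in for wrong-key output) that pass."""
    rng = random.Random(seed)
    return sum(
        looks_like_ipv4(rng.getrandbits(8 * length).to_bytes(length, "big"))
        for _ in range(trials)
    )

if __name__ == "__main__":
    good = build_sample_packet(b"GET / HTTP/1.1\r\n\r\n")
    print("real packet accepted:", looks_like_ipv4(good))
    print("random buffers accepted:", false_positives(20000, 60))
```

The version, length and checksum fields together leave a random buffer roughly a one-in-10^11 chance of passing, so recognising a correct decryption never required knowing which page was loaded; the cost that remains is the key search itself.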
 