Someone was remotely accessing my Mac over the weekend, and I'm none too happy about it as I don't know how they managed it.
What happened
I was watching TV Sat. evening when some movement grabbed my attention on the Mac's screen. This isn't unusual, as my Mac has a tendency to 'wake' the display periodically for some unknown reason. But then I noticed the traffic lights blinking (close/minimize/zoom buttons colorising due to the mouse moving over them and off again).
Still no panic, I've an optical mouse and sometimes the cursor jumps due to vibration or due to the surface it's on. Then the cursor moved, closed one window, moved up and closed the other. This was no random movement.
For a few seconds nothing happened, then the cursor moved again towards some files on the desktop (it was as if they closed all the windows to see my desktop, then were scanning the desktop for anything interesting), I reached for the Ethernet cable and pulled it, noticing the activity lights were blinking like crazy until I did so.
So, now I want to know how they got in.
Mac Setup
Remote access was off in System Preferences.
OSXVnc is on the machine, but it wasn't running.
Not 10.4, so no built-in VNC server.
There's no Bluetooth or Wifi on this Mac for wireless access.
No other machines in the apartment, so it wasn't someone 'local'.
On the other hand:
Firewall was off, and I was using an administrative account (I know.. I know..)
My user password (though I don't think this was needed) was quite weak.
Summary
I don't want to jump to conclusions, but I can only see three possibilities:
- I am an idiot, and have missed something obvious.
- Some piece of software on my machine has an undocumented (or poorly documented) feature that allows remote access, which is insecure.
- My Mac has some malware on it, most likely a Trojan, which allows remote access.
I did manage to grab a list of the running processes using Activity Monitor just shortly after I pulled the plug, but there's no guarantee the offending process didn't exit as soon as the connection died. Is there any logfile which contains any history of incoming & outgoing connections?
I've since changed the password on that account, reduced its privileges to the bare minimum, and am using a different user account, but still, I'm not sure I'm safe.
Be careful out there.
Edited, for clarity.
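On the question of where the connection history lives: a plain Mac of that era keeps no connection log by default, so the most useful thing to capture while the intruder is still connected is a socket snapshot. The script below is an added example, not something from the original post; it summarises `netstat -an -f inet` output so the listening ports and live connections stand out. It assumes the BSD netstat column layout that Mac OS X prints (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, state), and the sample text inside it is constructed test data, not output from any real machine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a `netstat -an -f inet`
# snapshot so listening ports and live connections stand out.
# Assumes the BSD netstat column layout used by Mac OS X:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address (state)
# SAMPLE_NETSTAT is constructed test data, not real output from any machine.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.5900       203.0.113.9.51022      ESTABLISHED
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.5.49172      198.51.100.4.80        TIME_WAIT
udp4       0      0  *.5353                 *.*'

# Read a netstat snapshot on stdin and print one line per interesting socket:
#   "LISTEN <local>"                       for each TCP socket accepting connections
#   "ESTABLISHED <local> <- <foreign>"     for each live TCP connection
# Header lines and UDP sockets (which carry no state column) are skipped.
summarize_netstat() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN"      { print "LISTEN", $4 }
         $1 ~ /^tcp/ && $NF == "ESTABLISHED" { print "ESTABLISHED", $4, "<-", $5 }'
}

# Number of established TCP connections in the snapshot on stdin.
count_established() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" { n++ } END { print n + 0 }'
}

# Run against the constructed sample. On a live Mac you would instead run:
#   netstat -an -f inet | summarize_netstat
printf '%s\n' "$SAMPLE_NETSTAT" | summarize_netstat
```

In the constructed sample the established connection to port 5900 (the VNC port) with a foreign address is exactly the kind of line worth noticing; `lsof -i -n -P` run at the same moment would tell you which process owns that socket, which answers the "did it exit when the cable came out" worry only if you capture it before pulling the plug. A snapshot shows the present only: to get a history of incoming connections you need the firewall turned on and logging before the next visit.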