'Remote access' warning

Discussion in 'macOS' started by whooleytoo, Oct 9, 2006.

  1. whooleytoo macrumors 604


    Aug 2, 2002
    Cork, Ireland.
    Someone was remotely accessing my Mac over the weekend, and I'm none too happy about it as I don't know how they managed it.

    What happened
    I was watching TV Sat. evening when some movement grabbed my attention on the Mac's screen. This isn't unusual, as my Mac has a tendency to 'wake' the display periodically for some unknown reason. But then I noticed the traffic lights blinking (close/minimize/zoom buttons colorising due to the mouse moving over them and off again).

    Still no panic, I've an optical mouse and sometimes the cursor jumps due to vibration or due to the surface it's on. Then the cursor moved, closed one window, moved up and closed the other. This was no random movement.

    For a few seconds nothing happened, then the cursor moved again towards some files on the desktop (it was as if they closed all the windows to see my desktop, then were scanning the desktop for anything interesting), I reached for the Ethernet cable and pulled it, noticing the activity lights were blinking like crazy until I did so.

    So, now I want to know how they got in.

    Mac Setup
    Remote access was off in System Preferences.
    OSXVnc is on the machine, but it wasn't running.
    Not 10.4, so no built-in VNC server.
    There's no Bluetooth or Wifi on this Mac for wireless access.
    No other machines in the apartment, so it wasn't someone 'local'.

    On the other hand:
    Firewall was off, and I was using an administrative account (I know.. I know..)
    My user password (though I don't think this was needed) was quite weak.

    I don't want to jump to conclusions, but I can only see three possibilities:

    - I am an idiot, and have missed something obvious.
    - Some piece of software on my machine has an undocumented (or poorly documented) feature that allows remote access, which is unsecure.
    - My Mac has some malware on it, most likely a Trojan, which allows remote access.

    I did manage to grab a list of the running processes using Activity Monitor just shortly after I pulled the plug, but there's no guarantee the offending process didn't exit as soon as the connection died. Is there any logfile which contains any history of incoming & outgoing connections?

    I've since changed the password on that account, reduced its privileges to the bare minimum, and am using a different user account, but still, I'm not sure I'm safe.

    Be careful out there.

    Edited, for clarity.
  2. whooleytoo thread starter macrumors 604


    Aug 2, 2002
    Cork, Ireland.
    Anyone have any ideas what this could be? Does anyone know of any other applications that have Remote Desktop/VNC like remote-control ability?

    Or, does anyone know a site that lists typical included OSX processes, so I can try and identify any rogue processes?

  3. knome macrumors 6502


    Sep 7, 2006
    This is slightly disturbing. I would think it's a combination of things. Probably lack of firewall, turn it on and make sure you turn on logging. (he may try again.) I would also go and block all your open ports.
  4. whooleytoo thread starter macrumors 604


    Aug 2, 2002
    Cork, Ireland.
    Thanks. The firewall is on since the incident, and all services are off/ports are closed. (I rarely use anything other than mail, browsers or iTMS from home, so I don't need other ports open).

    I think the option of firewall logging is only present in 10.4.x, whereas my Mac has 10.3.9 installed.

    Update - ok, I think I've just found the culprit.

    OSXvnc-server was running on the machine (as root) at the time of the 'break-in' even though it was set NOT to stay running when the main application itself was quit: a pretty huge security problem with this app!

    The OSXvnc-server process couldn't be stopped from Activity Monitor (can any root process?) but I killed it via the terminal; and trashed the app.

    So, with a VNC server running without my knowledge, someone probably port-scanned my IP address, noticed the VNC port 5900 open and connected, got around my password somehow, and started playing around.

    Scary. :eek:
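
A check for the situation found in the post above, as an added example that is not part of the original thread: it reads a listing of listening TCP sockets and reports any remote-control service (VNC, SSH/Remote Login, Apple Remote Desktop) that is reachable from other hosts, noting when it runs as root. It assumes `lsof` is available; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the output of
#   lsof -nP -iTCP -sTCP:LISTEN
# on stdin and reports remote-control services reachable from other hosts.

flag_remote_listeners() {
    awk '
    NR == 1 && $1 == "COMMAND" { next }        # skip the lsof header row
    {
        addr = $9                               # NAME column, e.g. *:5900
        n = split(addr, parts, ":")
        port = parts[n] + 0
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host == "127.0.0.1" || host == "[::1]") next   # loopback only
        kind = ""
        if (port >= 5900 && port <= 5909) kind = "VNC"
        else if (port == 22)   kind = "SSH (Remote Login)"
        else if (port == 3283) kind = "Apple Remote Desktop"
        if (kind == "") next                    # not a remote-control port
        note = ($3 == "root") ? " [runs as root]" : ""
        printf "%s pid=%s user=%s port=%d %s%s\n", $1, $2, $3, port, kind, note
    }'
}

# Constructed sample listing (lsof shortens COMMAND to 9 characters by default).
sample_lsof() {
    cat <<'EOF'
COMMAND    PID USER  FD  TYPE DEVICE     SIZE/OFF NODE NAME
OSXvnc-se  312 root  4u  IPv4 0x01a2b3c4 0t0      TCP  *:5900 (LISTEN)
cupsd      201 root  0u  IPv4 0x01a2b4d0 0t0      TCP  127.0.0.1:631 (LISTEN)
httpd      410 www   16u IPv4 0x01a2b5e8 0t0      TCP  *:80 (LISTEN)
Xvnc       522 mike  5u  IPv4 0x01a2b6f0 0t0      TCP  127.0.0.1:5901 (LISTEN)
EOF
}

# Live use: lsof -nP -iTCP -sTCP:LISTEN | flag_remote_listeners
sample_lsof | flag_remote_listeners
```

Only the wildcard-bound VNC listener is reported; the loopback-only VNC socket and the non-remote-control ports are skipped.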
  5. ddekker macrumors regular

    Sep 23, 2006

    You'd think anyone crafty would have used ssh and been pretty much undetected.. and had the thing saying things (little ssh trick)

  6. whooleytoo thread starter macrumors 604


    Aug 2, 2002
    Cork, Ireland.

    Remote login was turned off, so no way in, thankfully! (Once my TV and Mac started talking to each other - via the Mac's speech recognition & synthesis - and it scared the hell out of me.)

    "If I were the hacker", I'd have done things a little differently. If I really wanted to mess about on someone else's machine, I'd have done a traceroute on the IP address to try and determine their timezone, then logged in via VNC during the middle of their night when they wouldn't be monitoring their Mac.
