Remote user that I can’t shake!

Discussion in 'Mac Basics and Help' started by Prplehz76, May 25, 2018.

  1. Prplehz76 macrumors newbie

    #1
    I need some heavy duty help to shake a remote user! I’ve tried everything, even had professional IT help, but he’s sneaky and can disappear as quickly as he appears! I’ve got all the programs he/she is infiltrating and can see the workflow on my console. I have used sudo on my terminal and can trace it to an IP but I can’t stop it and I need to know who it is!! Please help!! It’s been going on for two years and I’m desperate for any help!!!! They are using Python, SQL, gaining backdoor access by tunneling on the loopback interface! Port 1720 is always open!!! Oh, and it’s a Windows PC they must be using because all the processes are Windows!
     
  2. techwarrior macrumors 6502a

    #2
    Disable Screen Sharing, Remote Login, Remote Management, etc. Maybe if time goes on for a while and they can't access, they will give up?
     
  3. hobowankenobi, May 25, 2018
    Last edited: May 25, 2018

    hobowankenobi macrumors 6502a

    #3
    Block all inbound traffic at the firewall. Is there a reason 1720 is open?

    Why do you need to know who it is?

    If you don't have access to the firewall, or can't close all inbound ports, you should consider a commercial product to secure your machine, like:

    https://vallumfirewall.com/index.php
    https://murusfirewall.com/index.php

    You might also want to take the machine offline and reset all passwords, and set a robust root password.
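
One way to answer the question of why a port such as 1720 is open, as an added example that is not part of the thread: the script classifies each listening TCP socket from `lsof` output as loopback-only or network-reachable and names the owning process. The function names and the sample rows (process `exampled`, user `alice`, device values) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Classifies listening TCP sockets from
# the output of:  sudo lsof -nP -iTCP -sTCP:LISTEN
# "loopback" = reachable only from this machine; "network" = reachable from
# other hosts unless a firewall blocks the port.

triage_listeners() {    # stdin: lsof output
    awk '
    $NF != "(LISTEN)" { next }        # skips the header and non-listening rows
    {
        name = $(NF - 1)              # e.g. *:1720, 127.0.0.1:631, [::1]:631
        n = split(name, parts, ":")
        port = parts[n]               # text after the last colon
        addr = substr(name, 1, length(name) - length(port) - 1)
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "network"
        printf "%s %s %s pid=%s user=%s\n", scope, port, $1, $2, $3
    }' | sort -u                      # IPv4 and IPv6 rows often repeat
}

listeners_on_port() {   # $1: port number; stdin: lsof output
    triage_listeners | awk -v p="$1" '$2 == p'
}

# Constructed sample; "exampled" and "alice" are made-up names.
sample_lsof() {
    cat <<'EOF'
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
launchd    1 root  8u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
launchd    1 root  9u  IPv6 0x1a2c      0t0  TCP *:22 (LISTEN)
cupsd    310 root  5u  IPv6 0x1a2d      0t0  TCP [::1]:631 (LISTEN)
cupsd    310 root  6u  IPv4 0x1a2e      0t0  TCP 127.0.0.1:631 (LISTEN)
exampled 777 alice 4u  IPv4 0x1a2f      0t0  TCP *:1720 (LISTEN)
EOF
}

sample_lsof | listeners_on_port 1720
```

On a Mac, replace `sample_lsof` with the live command from the header comment; an empty result means nothing on the machine is listening on that port.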
     
  4. Prplehz76 thread starter macrumors newbie

    #4
    They have locked me out of certain files and directories.... They are using NetBIOS to gain access.... I’m pretty sure it’s someone close to me, that’s why I want to know who! I don’t know how to close 1720 honestly!! And it seems if I do shut down all file sharing it seems to unlock. There are all these certificates in my keychain but I can’t delete them, they are locked. Two of them are Cisco!! I have found all this stuff in my directory file. I have tried killing the processes in terminal via command line as root. But they just
    --- Post Merged, May 25, 2018 ---
    Sorry I got cut off, my keyboard will get taken over or something. I can’t begin to explain how frustrating this is. I’ve thought of everything. Thunderbolt bridge keeps appearing and every day I have to close it. We suspected this was a network virus that has taken hold of his Surface Pro, but it’s distinctly location related and I have logs of my calls being listened to... I’ve replaced my phone, new SIM cards, encrypted my MacBook, so see I have been doing a crash course in network admin. So I’m here hoping that, for my own sanity, someone here can help me.
     
  5. Fishrrman macrumors G5

    #5
    1. Disconnect old Mac, put it into the closet.
    2. Get a NEW Mac.
    3. Start over.
     
  6. Prplehz76, May 26, 2018
    Last edited by a moderator: May 28, 2018

    Prplehz76 thread starter macrumors newbie

    #6
    I was able to do more digging and I can see the user name etc. Is there a way to restrict a user profile? And I think I agree with throwing the Mac in the closet. I keep finding reference to USB agent...? I understand what this is but I never configured this? Any hints on how to get it to stop being directed this way?
     
  7. Toutou macrumors 6502a

    #7
    That doesn't make any sense, any at all. If you're experiencing such things, have you been to an Apple store?
     
  8. BrianBaughn macrumors 603

    #8
    Did the same person type these two statements?
     
  9. DeltaMac macrumors 604

    #9
    Please share that user name with us (correct spelling is important) - as it may be a normal system account.
     
  10. TiggrToo macrumors demi-goddess

    #10
    I'm calling shenanigans on this. Not least due to the following:

    Once someone has a TCP connection then there's no way you can tell if the remote source is a Windows process or anything else. Sure, by doing packet inspection you may have a clue, but the OP hasn't said a thing about that...
     
  11. hobowankenobi, May 28, 2018
    Last edited: May 28, 2018

    hobowankenobi macrumors 6502a

    #11
    Yep. It sure sounds like the OP strung together a bunch of tech-ish sounding scary things....
     
  12. Mr_Brightside_@ macrumors 68030

    #12
    Disconnect your wired and wireless networks. What symptoms do you then have?
     
