Screen Sharing Hacked?

Discussion in 'macOS' started by Brendon Bauer, Jan 10, 2008.

  1. Brendon Bauer macrumors 6502

    May 14, 2007
    Good 'ol USofA
    My girlfriend just got completely freaked out tonight, and is wondering...

    "So tonight I'm browsing the internet and reading a medical article. While scrolling down the page with my mouse, my mouse starts traveling upwards and I fight it. It insists on going up and clicks on the back button on Safari. It then goes to the google search field and clicks, and then deletes my search... It was just like the feeling of screen sharing when you're fighting over the mouse... I have screen sharing enabled in system preferences, and I'm wondering if someone has gotten on my wireless network and hacked my password to use screen sharing. If so, that's pretty freaky. I admit the password on my wireless network is not that secure (my phone number). Do you think this is possible? Someone has broken into my network, cracked the password for my computer and was using screen sharing? I don't see how else this could be possible... It's not like an advertisement, popup, or website could do this? I really think Apple should have some sort of warning while screen sharing is enabled. I know it tells you in iChat, but when using it over your local network there is no indication what-so-ever which is very frightening. Everyone in my house has windows pcs so none of them could have possibly done this. I don't know anyone else with a mac that could have done this... Any thoughts on the matter?"

    Any ideas guys? I've convinced her that her computer is not possessed and that it has to be a hacker of some sort. She wont even turn on her computer right now...
  2. EricNau Moderator emeritus


    Apr 27, 2005
    San Francisco, CA
    In Leopard, when someone is connected to your computer via screen sharing, this icon should appear in the menu bar, so you can disconnect them.

    Attached Files:

  3. TheStu macrumors 65816

    Aug 20, 2006
    Carlisle, PA
    When ScreenSharing is currently being used an icon appears in your menu bar.
  4. Brendon Bauer thread starter macrumors 6502

    May 14, 2007
    Good 'ol USofA
    Hmm... Ok that's good. I'll have her watch for that in the future. Is there anything else it could possibly be if that ever happened again and the icon was not there in the menu bar? I'd have a hard time convincing her then that her computer wasn't possessed....
  5. richard.mac macrumors 603


    Feb 2, 2007
    51.50024, -0.12662
    theres no way someone can screen share with your mac without an icon showing in the menu bar. even using vnc on pc will make the icon show. its probably someone with a mac around your neighbourhood playing a practical joke. ;)

    my advice would be to change your wireless network password and make a screen sharing password by clicking "Computer settings..." under file sharing in system preferences.
  6. Brendon Bauer thread starter macrumors 6502

    May 14, 2007
    Good 'ol USofA
    My understanding of that settings was that it would allow VNC users, but without the box checked, VNC is not enabled. Does screen sharing use VNC in the first place? If so, does that checkbox only enable more security, or does it allow another service along with more security? I'd rather have the bare minimum enabled... My girlfriend doesn't really need it, and I can always have her turn it on if need be.
  7. richard.mac macrumors 603


    Feb 2, 2007
    51.50024, -0.12662
    yep screen sharing uses vnc which is open source. microsft hates open source so windows uses Remote Desktop Protocol (RDP) so thats why screen sharing in windows sucks.

    the password enables both security and vnc compatibility with windows vnc clients. for instance i cannot connect to my mac using a vnc client on my pc without setting that password.
  8. theLimit macrumors 6502a


    Jan 30, 2007
    up tha holler, acrost tha crick
    If someone remotely took control of her computer and she now thinks it possessed, she needs the extra security...
  9. psonice macrumors 6502a

    Jul 22, 2005
    It does sound like screen sharing, although it could have been just a hair under the mouse causing it to go a little crazy. It would be a very big coincidence if it moved the way you describe though!

    If it was screen sharing, I think it's more likely that somebody got in through the internet. If you have a firewall on your router or modem, make sure it's on and denying everything you don't need, and if there's any access at all through the firewall, make sure your mac has a secure password. If a hacker sees they can get access to a computer, it's easy to leave a program running that works its way through a list of passwords until it gets access. I use an 8 character (or more) password, with letters, numbers, capitals and sometimes other characters - that's enough to stop pretty much everything unless you use something really obvious like Password123.

    If you want to secure your wireless a bit more, make sure you're using WPA encryption, and not WEP (even with the world's best password, even a total beginner hacker could get into WEP in a few minutes), and make sure the password is not guessable.
  10. jim.arrows macrumors regular

    Dec 11, 2006
    Quite possibly the most absurd statement I've seen yet on MR...
  11. Justinerator macrumors 6502


    Jun 26, 2007
    Redondo Beach, CA
    I laughed so hard at this.:D
  12. SawTooth500 macrumors member

    Nov 9, 2007
    Florence, Arizona
    If you or she don't need screen sharing, turn it off.:D
    If you or she don't need Remote Desktop sharing turn it off.:D
    Set your firewall so that it allows only essential services.:cool:
    go to advanced and enable stealth mode, and firewall logging. Then you will know when some one is trying to run your computer.:rolleyes:
    Go to Sharing and turn off any items you don't want running. I turn them all off.
    Especially remote login, remote management, and remote Apple events.:apple:

    I'm sorry, but Steve Jobes does not need to know what my computer is doing at any time.:eek::apple:
  13. killmoms macrumors 68040


    Jun 23, 2003
    Washington, DC
    Probably better that you turned them off, considering you clearly have NO IDEA WHAT THEY ARE ACTUALLY FOR. :rolleyes:
  14. SawTooth500 macrumors member

    Nov 9, 2007
    Florence, Arizona
    Plus one I forgot:
    Remote Desktop Client. If you haven't updated this one, don't!:eek:
    In Software Update go to update in the menu bar and choose Ignore This Update for remote desktop, so it won't keep bugging you to install it.:apple:
  15. Brendon Bauer thread starter macrumors 6502

    May 14, 2007
    Good 'ol USofA
    Thanks for getting back to me. Sorry I haven't come back here in awhile. I'm pretty sure someone did manage to figure out the password and start screen sharing without her knowing. We've found that the router at her house has been constantly attacked in the last few weeks and we've had to up the encryption to wpa2. It was wep when the takeover occured, so that might be it. That plus the fact that her password was very easy... Kinda scary that someone was watching what she was doing! Anyhow, we upped the security and turned off extra things we don't need. And we made her password stronger. Hope to keep the buggers out now!

    Thanks again,
  16. GirthP macrumors regular

    Oct 1, 2007
    aaahh ha ha ha... i did this to my friend's son last night.

    I configured hamachi and vnc on her dell laptop that she leaves at home. I just sold her my black macbook, which she adores like i did, and i was setting up the dell so she could remote into it.

    I was logged into the dell, trying different functions when I got into some threads here, and was doing other things. I checked back in, and someone was on there. They were looking at a myspace page. I looked online to see if I could route the mic input to my computer, but couldn't find anything easy. So, i waited until the activity on the computer died down and then i pulled up iTunes and started some soft Barry Manilow Chistmas music.

    I was laughing so hard at my house, wondering what they were thinking.

    The mouse started moving again and they turned off the music. I waited a bit, and then jacked the volume, routed the music to their upstairs apple Hi-Fi, and started up the Manilow. I was in tears. Oh man, I only wish I could have heard them all talking about what the hell was going on.

    I talked to him today, and cracked up again, when he told me what his side of the experience was like. He told me at some point, he just slammed the lid down on the computer, as he thought it was possessed.

    Good times I tell you. Good times.
  17. l8to89 macrumors newbie

    Jul 5, 2004
    In My Home
    Another Possibility

    If your girlfriend has a .mac account there is another possibility.
    If some one has her .mac password, and she has enabled bactomac on her computer, they could have gotten in that way. However, you did say that she had her base-station attacked so that makes this not a really likely scenario but just might want to double check that to be sure.
  18. motulist macrumors 601


    Dec 2, 2003
    Maybe an automator script got triggered? That same thing you described happens to the mouse when you're trying to fight an automator script's action.
  19. vansouza macrumors 68000


    Mar 28, 2006
    West Plains, MO USA Earth
    I am trying to get it to work... no joy... I am searching the forum for how to but if some kind soul knows please clue me in. Thanks... I have turned on everything I can think of and I can see the other computer in Finder but as I said, no joy.
  20. killmoms macrumors 68040


    Jun 23, 2003
    Washington, DC
    Easy to guess passwords (plus weak, easily-crackable encryption like WEP) continue to be the weakest link of computer security. WPA (or WPA2) with a strong password is hard to break though. I find OS X's "Memorable" password generator in the Keychain utility is excellent for making very strong, but still easy-to-remember passwords. I have a total of 8 passwords created this way (six tiers of security, two of which have 8-character passwords in addition to 12-character ones, in case I need them on certain websites) and I have no problem remembering all of them. And if I ever need to check, they're all in Keychain utility, protected by a 9th password that's equally strong. Needless to say, I've never had any problems when it comes to security. :)
  21. wintertime1 macrumors newbie

    Jul 23, 2008
    Hacked Mac? Virus? Whats going on?

    It may be a false alarm but this seems very strange to me. No matter what I do I always have "Macintosh" listed under "Shared" in my finder window. I've tried turning sharing on and off - doesn't help at all. But what really concerned me was that I was able to access my Mac using VNC from my PC laptop. I just typed in the IP address and had full access to the Mac. Again switching sharing off and on did nothing. How can that be? How do I unshare/remove my Mac from the Finder window?

    I am using Leopard.
  22. IH8SPMRSNJUNK macrumors newbie

    Apr 22, 2009
    Ok, so apparently you have been hacked:

    1. Take the machine off the network ENTIRELY!
    2. Change all administrative passwords
    3. Login to ALL accounts and make sure that sharing is turned off
    4. Set firewall to Essential services ONLY
    5. Find a competent friend to look at your launchd and running processes for "bad" processes
    6. Run a rootkit finder, Unix based
    7. Look for the file: "/System/Library/CoreServices/Menu Extras"
    8. If said file is missing then you have certainly been attacked, as it controls if you can see the built-in screensharing icon
    9. Change all wireless keys and use at "least" WPA2 TKIP. If your wireless cannot do that.. time to upgrade.
    10. Add a mac address filter to your wireless network device to allow ONLY your computers, etc.

    Should clean up 'most' of your problem. If you have a deeper hack, you will have to get a professional take a look. Barring that, wipe the machine clean and reinstall. Virus scan all of your personal files, and stop opening attachments, that you add to the machine.
  23. Jethryn Freyman macrumors 68020

    Jethryn Freyman

    Aug 9, 2007
    I think this thread was dead long ago.

    WPA is TKIP,
    WPA2 is AES-CCMP.
  24. jnathansonmac macrumors newbie

    Dec 14, 2009
    heres some help

    i am an apple intern and to protect hacking you can simply go to system preferences, sharing and uncheck the screen sharing box. this will disable it till u would like to retry it or simply visit us at an apple store

    hopes this helps JN

    P.S not really work at apple but a computer whizkid
  25. temhawk macrumors member

    Jun 22, 2010
    OMG I am freaked out

    Please help guys, I am in a state of shock.

    I was just reading something on Yahoo answers and suddenly my mouse cursor moves on its own, and then the tab gets switched without me pressing any buttons. It took me a few seconds to realize what was going on and so I looked at the menu bar, saw the Screen Sharing icon (which is normally never there), clicked it and just barely was able to disconnect the remote person (I had to struggle with the cursor).


    And I am so stupid to just disconnect him without writing down (or better taking a quick screenshot of) the IP address. So now I can't even find out who it was that tried to put himself in control of my life (cause that's what the computer is to me right now). Does someone know if the IP address could be logged anywhere on my computer? I seriously want that address. You can't imagine how desperately I want it.

    I am so distressed about this that I am now constantly looking at the menu bar to make sure that I don't get hijacked again. I am freakin out here!!!!!

    I can tell you that I did have Screen Sharing enabled in System Preferences, and I had both options checked (to "allow anyone to request permission to control my screen" and set a 8-character alpha-numeric password). I actually never use Screen Sharing but a couple months ago I was planning on using it for the first time, although I didn't know how to set it up. So I asked for help on IRC and this person instructed me. I gave him my VNC address at the end for a quick test, and that was it, I thanked him. I suspect that he is the hacker, although I find it odd since he has helped me with a lot of issues before and seems to be a "regular" on the channel.

    Btw, I got hijacked about half an hour ago and I'm still freaked out.

    Anyway, I remember that when me and him tested Screen Sharing, I got a confirmation popup asking me if I want to allow him to view/control (not sure which anymore) my screen. But today I didn't get such a message (or I accidentally hit enter at the exact moment it popped up, which I consider HIGHLY unlikely) so I am pretty sure that he hacked himself in some way.

    Could he have been brute-forced my password for the last couple weeks without me noticing it?

    Another reason why I think that he is the hacker is that when I logged on to IRC about 10 minutes after the crime (cause I wanted to see if he is in the channel and confront him) he wasn't there (and remember, this guy is in the channel a lot afaik). I did "/ns info <his_nick>" and it said that he was last seen 12 minutes ago. So he might have disconnected in anticipation of me coming to hunt for him.

    Also, after I disconnected him from my comp, I immediately went into System Preferences to disable Screen Sharing completely. But I quickly turned it on again (and enabled both options and set the same password) because I hope that he will hack himself into my Mac again, only that next time I will take note of his IP address.

    But how could this have happened? I feel like I'm gonna have to disconnect from the Internet to protect myself from such hacking. What if next time he manages to hack himself into my comp without activating the Screen Sharing icon, and then just waits until I go afk for lunch, and then does whatever he PLEASES?!?!??!!

Share This Page