Somebody hacked my iMac...

Discussion in 'macOS' started by moofthestoof, Oct 14, 2015.

  1. moofthestoof macrumors newbie


    Feb 25, 2013
    Recently somebody made some gift card purchases on with my paypal and without my knowledge or consent. Paypal contacted me about the suspicious charges and I changed my password, etc., but as I was looking into what had happened I found some extremely weird stuff.

    First, I was asleep when these transactions occurred, and when I first looked at my iMac after getting up, there was a weird website in a safari window. I think it was some subpage of the Arris website (a site I had never heard of, before, but I remember seeing the "Arris" logo). I closed the window/tab without thinking about it. A few hours later paypal calls and I start looking into "gyft" (another website I had never heard of). I started to get worried when I went to the gyft site and I was already logged in.

    I called the gyft corporate support line and they said they have seen a rash of instances where fraudulent purchases were made my people actually taking over the victims' computers. Except that's a Windows thing, not a Mac thing, right? I looked in my browser history, and, sure enough, there were all the steps where somebody had gone to gyft, created an account, verified it using my google+ profile (and a google subscriber phone number), and then authorized the payments with my paypal. Once they had access to my iMac screensharing, they didn't need to know my google or paypal passwords because the keychain automatically put them into the fields.

    I've turned off screensharing and remote access in the sharing system preferences, and changed my admin password. I've installed Avira and scanned for known malware. I've also set up OS X to require password on screensaver/sleep and set the screensaver to activate after just a few minutes, but my son swears he saw somebody move the mouse pointer and activate the login window today when I was sleeping (I take care of his disabled sister and keep odd hours). They didn't get past the login screen, but I don't understand how they could even start a screensharing session now that I've turned that off in the system preferences.

    Now I'm paranoid that there is some sort of daemon running on my system that allows them access despite me turning off my services, and if there's a key logger or something similar active that they might be getting my new passwords as I scramble around trying to make sure everything is secure.

    My iMac is one of three Macs behind an AirPort administered LAN with NAT and DHCP and I've set a different IP address from my iMac as the default host, but I'm terrified that this is going to happen again. I already had my AirPort locked down to where only devices with known MAC addresses can connect (and WPA2), but I don't think this is somebody accessing my wifi network (I live very rural with my closest neighbor at least a few thousand feet away). I think the most likely way I was compromised was by looking for a Doctor Who episode via while I had forgotten my adblocker/ghostery were temporarily turned off. I remember being bombarded by a bunch of sketchy pop-ups before I realized I needed to reenable them.

    My paypal is tied to my bank account, and I'm currently waiting on the funds to trickle their way back from gyft to paypal so I can transfer them back to my bank. Everybody involved was kind enough to undo the damage, but I'm still going to be out some banking fees, and I don't know if the merchants and banks involved would be so kind if this happened, again.

    The help I'm looking for is this: Are there any particular clues I can look for as to key loggers or hidden screensharing processes? Are there any settings I should be looking at on my AirPort to make it more secure?
    And finally, are there any logs I can look at to try to get an IP address or something that can point to the asshats that did this?
  2. Fishrrman macrumors P6


    Feb 20, 2009
    OP wrote:
    "First, I was asleep when these transactions occurred, and when I first looked at my iMac after getting up, there was a weird website in a safari window."

    I realize this response may be overly simplistic, but if you've had problems with the iMac "while you were asleep" -- why don't you just SHUT DOWN the computer during that time?

    Do that, and no one can hack it -- at least, while you're sleeping!

    Also -- unless you absolutely, positively have reason to do so, why don't you "UN-tie" your paypal account from your bank account?

    As a personal user, I would never, NEVER, N-E-V-E-R give ANYONE access to my bank accounts. Ever.
  3. moofthestoof thread starter macrumors newbie


    Feb 25, 2013
    I do contract and freelance work. On some jobs I get paid via paypal.

    I don't turn it off because I have have Air Video Server HD running on it so I can stream media from it to my iPhone/iPad within my LAN. Also other services I need. I hated having to turn off screensharing because it was nice to be able to remote control it from my iPad and do work while I was away from my desk.
  4. sibcc macrumors member


    Oct 5, 2015
    La Jolla CA
    I'd make sure the router is secured and change ALL the passwords to my accounts. If someone gained access to your machine, then I'd not trust that machine. Hence, I'd do a clean install. On the other hand, you could throw the dice and hope it was some script kiddie playing around and that they have since moved on. You could look at logs, but if they were good they know about the log files. Further, any IP addresses are likely not going to actually point to them. I also concur that you ought keep your bank account and Paypal separate. If need be, set up a separate bank account just for Paypal. Good luck.
  5. ocabj, Oct 18, 2015
    Last edited: Oct 18, 2015

    ocabj macrumors 6502a


    Jul 2, 2009
    Use netstat to see what open ports are on each interface and see which one's don't line up to expected ports. Then use lsof to see what process is opening that port.

    One possible scenario is that someone was able to get into your computer via the remote desktop service you run, then installed their own remote desktop daemon (e.g. vnc) or something of that nature to get back in.

    You didn't mention if you checked for other user accounts on the computer. Be sure to check the Open Directory user store, and not just users in System Preferences -> Users and Groups. One other possible scenario is that whomever breached your system set a password and valid shell for one of the default system accounts (e.g. _www). These accounts are by default set to a locked password field ("!") and bin falsed. But setting a valid password and changing the shell for that account to something valid (e.g. /bin/sh), will give them another account to get in as.

Share This Page

4 October 14, 2015