
thenbagis

macrumors newbie
Original poster
Mar 17, 2009
24
0
Philly
This morning, I was running late for work and while getting ready, I glanced over at my Mac and noticed windows moving around. I initially thought that maybe it was a fluke, but then I looked closer and there were some deliberate actions taking place: folders opening, folders being created on the desktop... I watched for a few seconds to try to figure out what was going on, but then I got freaked out and tried to see if I could control the cursor, nothing... So I held the power button down and hard shut down my computer. I started it back up to see if everything was alright... I looked in the trash bin to see if anything was deleted recently, nothing... I shut down my computer and went to work.

- Does anyone have any ideas what this could have been? A trojan? A program installed by an untrusting girlfriend? etc?

- What can I do to protect/secure my computer?

- Are there any network log files on the computer that I could find an IP address of whoever this was?

- I have updated my computer recently (when itunes 8.1 came out), so I should have the most up to date security patches (for 10.5).

Thank you for your help.
-Brian
 
Remote desktop can do this if remote sharing is on. Timbuktu is a third party program used by help desks to remotely fix and install on client computers. There are other solutions out there. If this is your own personal machine, make sure remote sharing is off. Look for recently installed software. At the very least, lock the account when it is not in use.
 

It sounds like someone has set up back to my mac on your computer and is jumping in. Check your MobileMe settings.
 
You can disable back to my mac in system preferences. If you have logmein installed, delete it. The advantage of leaving back to my mac enabled is if you go to the apple store for a genius bar appointment, you can log in to your machine from the apple store and get help. Still, you could shut it off all the time and only enable it when you know you will be needing it.

Another issue is vnc. Are you on a wifi without a password? If so, your neighbor could be coming in using vnc. You can disable vnc in the same system preferences panel that handles remote desktop and screen sharing. I keep my screen sharing and vnc shut down to keep the kids out of my macbook. I will have to re-enable my vnc so I can use my macbook using vnc from my Ubuntu Aspire One.

If you suspect a security problem, the first thing to do is pull the plug. Work offline with no ethernet or wifi until you are sure you have your system set up properly. For now, I would recommend switching on the firewall in system preferences->security. Use the bottom setting. It allows some things to work. The middle setting is the most severe and a lot of things won't work. The top setting is like not having a firewall. Whenever you get prompted whether to accept incoming connections from an application, make sure you know what it does before you click "allow". Once you have your firewall switched on, go ahead and plug your ethernet back in or enable your wifi.

FirewallLeopard.png


If your home wifi has no password, change it to wpa-psk or wpa2-psk. It's a fair amount of work, depending on your brand of router. And you will have to do some troubleshooting to type the key in on each machine to get them working again, but it's worth it for reasonable protection against the neighbors using your bandwidth or browsing through your files (if they figure out your mac passwords, etc).
 
Has someone been naughty and downloaded iWork '09?

It's unlikely you'll be able to find out who it was even with their IP address because IP addresses change every day or every time you restart your modem. (dynamic IPs)
 
Everyone, thanks for the quick replies. I am not home right now, so I'll have to try the tips when I get home.

- mcavjame, you mentioned recently installed software. Where can I find that?

- kornyboy & neonblue2, I will check those settings when I get home.

- r0k, are logmein and back to my mac one and the same? or are they two different things I should be looking at? I will check VNC, when I get home. I think I have "allow only essential services" selected, but I will have to double check when I get home. Either way, selecting the last option will give me more control and is probably a good idea.

- kastenbrust, no iWork '09 shenanigans here...

Thanks everyone! If you have any more ideas, they are appreciated as well.
 
Just got back on my computer...

kornyboy - I don't have a mobile me account, so I can't seem to get to any settings...

neonblue2 - I went into the sharing pane and nothing was checked

r0k - I can't find back to my mac (it's mobile me, isn't it...? and I don't have a mobile me account). I can't find logmein using spotlight.

- Also while looking at the sharing pane I found that vnc is disabled.

- *** This is the most interesting thing I've found, r0k... I switched to the last setting for firewall and have started up firefox and ichat and haven't been asked about their access.... hmmm...

- I have also enabled stealth mode.


*** Is there anything I should look for in log files? Maybe shed some more light on the subject.
 
Firewall in OSX blocks external access, not apps from pre-installed apps.

Check your startup items. What's there?

Do you have logmein installed?
 
i am searching finder for "startup," "start up," and "logmein" and i can't find anything except the startup folder for MS office. In there I found 3 empty folders (excel, word, powerpoint).
 
i am searching finder for "startup," "start up," and "logmein" and i can't find anything except the startup folder for MS office. In there I found 3 empty folders (excel, word, powerpoint).

System Preferences / Accounts / Login Items
 
thanks...

no logmein... just itunes helper and homerunner (tomtom gps). i unchecked the homerunner.
 
Check to see if you have this on your system,

/System/Library/StartupItems/iWorkServices

Also, do you have any virus software installed? There's a potential this came about via a trojan and virus software should be able to detect it. I personally use ClamXAV (free), but there's other software to choose from. Even if you don't have the above mentioned file, you may want to give this iServices removal tool a go just to be sure.
 
You could look in your system log around the time you saw your screen being controlled. Do you have screen sharing or remote access enabled?

ClamXAV doesn't detect OS X threats.
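
For the suggestion above to look in the system log around the time of the incident, here is an added example (not written by any poster in this thread) that filters a syslog-format file for remote-access daemons inside a time window. The process-name list, the `scan_log` and `make_sample` helper names, and the sample log lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Process names worth flagging. This list is an assumption: extend it with
# whatever remote-control tools could be present on the machine.
REMOTE_PROCS='ARDAgent|AppleVNCServer|screensharingd|sshd'

# scan_log FILE MON DAY FROM TO
# Prints entries from FILE logged on "MON DAY" between FROM and TO
# (HH:MM, inclusive) whose process field matches REMOTE_PROCS.
scan_log() {
    awk -v mon="$2" -v day="$3" -v from="$4" -v to="$5" \
        -v procs="$REMOTE_PROCS" '
        $1 == mon && $2 + 0 == day + 0 {
            t = substr($3, 1, 5)          # HH:MM part of the timestamp
            if (t < from || t > to) next  # outside the window
            proc = $5                     # e.g. "sshd[412]:"
            sub(/\[.*/, "", proc)         # drop "[pid]:"
            sub(/:$/, "", proc)           # drop a bare trailing colon
            if (proc ~ procs) print
        }' "$1"
}

# make_sample FILE: write constructed log lines (not real log output).
make_sample() {
    cat > "$1" <<'EOF'
Mar 17 07:12:44 macbook mDNSResponder[21]: constructed sample line
Mar 17 07:41:02 macbook ARDAgent[301]: constructed sample: session started
Mar 17 07:43:10 macbook sshd[412]: constructed sample: connection accepted
Mar 17 07:44:55 macbook Firewall[55]: constructed sample: allow iChat
Mar 17 09:30:00 macbook AppleVNCServer[511]: constructed sample: later entry
Mar 16 07:42:00 macbook sshd[400]: constructed sample: previous day
EOF
}

# Demo on the constructed sample: entries between 07:30 and 08:00 on Mar 17.
sample=$(mktemp)
make_sample "$sample"
scan_log "$sample" Mar 17 07:30 08:00
rm -f "$sample"
```

On the Mac itself, point `scan_log` at `/var/log/system.log` and use the date and approximate time the activity was seen.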
 
Look under
System Preferences / Services

Anything checked?

thanks...

no logmein... just itunes helper and homerunner (tomtom gps). i unchecked the homerunner.

Unchecking unchecks the "hide" which means shows it (described under that screen), if you want to delete something from login items you have to click on it, hit delete to remove it.
 
It definitely sounds like some kind of Remote Desktop app. Could be Screen Sharing, Apple Remote Desktop, VNC, or a few other tools.

Do you have any other computers on your network?
What exactly did you see? Were windows moving on their own, or was the cursor dragging them?

If the cursor was doing it, it's going to be a remote control app. If not, it's possible it's a strange application. I don't know of any trojans that move windows around on OS X.
 
LOL yeah, the trojan must want to organize your desktop. LOL!!!:p:p:p:p:p:p:p:p:p:p

This situation is creepy, and once on my iMac (old iMac, the snow iMac kind) I was browsing the internet, then the window (safari window) shook. It just moved in little tiny circles. Kinda creepy, huh? It did it and got smaller and smaller like it was going toward the center. Then it stopped. That was the only time my window was gettin' moved. I dunno if it was a ghost, or a nice javascript code. Either way, it was creepy. The window was dark also.

Ok, let me get to the point. If your safari window shakes, it may be javascript. The "You got rick rolled" thing has some javascript that moves the window around and makes that web kit groove.
 
Ok, let me get to the point. If your safari window shakes, it may be javascript. The "You got rick rolled" thing has some javascript that moves the window around and makes that web kit groove.

JavaScript can't create folders on your desktop, or interact with the system outside of the browser window at all.
 
1) iAntiVirus is an anti virus, not a trojan removal tool

2) That isn't a real trojan

3) I already talked about it 20 posts ago.

  1. Never claimed it was a trojan removal tool, and it does detect the iService trojan.
  2. The first link pointed out ClamXAV does detect some OSX threats. I claimed nothing of trojans.
  3. 20 posts ago was the OP message, not yours, and your posts didn't mention trojans at all.
In short, ssshhh.
 

That doesn't relate to what you quoted me on at all Blue. And yes I'm quite aware of that old news as I posted information about it. That's part of the iService trojan which I made comment to on my number one item, as well as from my earlier post linking to a trojan removal tool for the iService trojan.
 
consultant, I couldn't find the services pane, but if you were talking about sharing, nothing is checked.

(I'm sorry, I also switched to Mac back in October and am still learning the finer details)

Swiftlives, I like the way you think... good thought, but I have my bluetooth turned off since i don't use it and wanted to save battery life.

Jethryn Freyman, to clarify what I saw... There was the use of expose, moved all windows off the screen, then a secondary click to create a new folder. There was also some use of finder. So definitely very deliberate actions. Very freaky/scary.

- I have scanned with iAntivirus and found nothing. I am in the process of scanning with ClamXAV, but it's very tedious since you can't select your whole hard drive.
 