Two Plus Two Newer Archives  

  #1  
Old 06-17-2007, 12:05 PM
kerowo kerowo is offline
Senior Member
 
Join Date: Nov 2005
Posts: 6,880
Default Mac Hacked

So last night I wake up in the wee hours to, well, wee and notice lights coming from my Mac. I go over to see what's up and see some Explorer windows open and the cursor moving around.

Well, that sucks.

So instead of unplugging the network cable so I can see what is up I end up just shutting the thing off. This morning I'm looking at it and best I can tell he was on for about a half hour or so. I used Explorer a couple of times last year for some sites that didn't work with Safari and am going to just uninstall it. I think he used it because my Safari window was on my second monitor and when I VNC into my box I only have access to one monitor.

So looking at the history window he went to Paltalk and was trying to get into CheckFree. There was also a Yahoo Messenger window open but not logged in, probably because I haven't used that for a while and the password doesn't work anymore.

So what should I be looking for now? I could have sworn I had shut down the VNC server and it has a password on it so I'm really not sure how he got in. I turned off the DSL modem for a while and refreshed my IP address. I've looked through the logs and don't see anything weird and looked in Applications and Documents for newly created files and don't see anything and will do a Spotlight search for newly created files and see if there is anything weird.

When I was first getting VNC set up there was probably a window where I had the port open to the world and the password not set which is all I can think of how he got in. I'll change the password on the VNC server and probably look for another one. Anything else I should be looking for?
  #2  
Old 06-17-2007, 07:34 PM
funkyworms funkyworms is offline
Senior Member
 
Join Date: Jun 2004
Location: New Orleans
Posts: 764
Default Re: Mac Hacked

Set your VNC server so that it is only accessible from your local subnet or through a VPN; and give it a strong password. You should never run an unencrypted VNC session over the net and the VNC server should never be open to the net even with a strong password.
  #3  
Old 06-18-2007, 12:10 AM
wonderwes wonderwes is offline
Senior Member
 
Join Date: May 2003
Location: Austin, TX
Posts: 3,551
Default Re: Mac Hacked

Could you contact Apple support and they could check your network logs?
  #4  
Old 06-20-2007, 01:53 PM
goldtoes goldtoes is offline
Senior Member
 
Join Date: Feb 2006
Posts: 1,918
Default Re: Mac Hacked

First off, VNC is not the safest option to begin with. Second, if you install it you MUST ALWAYS UPDATE IT! A while back, there was a bug in a version that allowed outside users to connect without even entering a password. Plus, if you're not using some type of encryption with it, it can probably be cracked in minutes.

It definitely sounds like a noob hacker though. I would definitely change all passwords, make sure you uninstall VNC, verify the settings on your firewall and/or router, run an anti-virus scan (making sure nothing is excluded). And if you do have a firewall, see what IP the connection came from and report it to their ISP for abuse, maybe even the authorities (although the latter probably won't do anything).

/gold
  #5  
Old 06-20-2007, 01:55 PM
kerowo kerowo is offline
Senior Member
 
Join Date: Nov 2005
Posts: 6,880
Default Re: Mac Hacked

Yeah, I uninstalled the one that didn't need a password and haven't run the other one since, I don't really need to get into my Mac from work that much. Looking through my directories he didn't open anything serious so I think I dodged a bullet.
  #6  
Old 06-20-2007, 02:04 PM
goldtoes goldtoes is offline
Senior Member
 
Join Date: Feb 2006
Posts: 1,918
Default Re: Mac Hacked

What probably slowed him down is the fact that it was a Mac - like I said, he sounds noobish.
  #7  
Old 06-20-2007, 06:14 PM
funkyworms funkyworms is offline
Senior Member
 
Join Date: Jun 2004
Location: New Orleans
Posts: 764
Default Re: Mac Hacked

VNC is secure if you limit the IP ranges that are allowed to connect to it. Limit it to your VPN and local subnet. Secure.
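An added example, not written by any poster in this thread: a short Python audit that combines the two pieces of advice above (restrict VNC to the local subnet and VPN, and check the firewall for the connecting IP). The log format, the sample lines, and the allow-listed ranges are constructed assumptions; adapt the regex and ranges to your own firewall.

```python
import ipaddress
import re

# Assumed allow-list: home LAN and VPN address pool (placeholder ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]
VNC_PORTS = range(5900, 5910)  # RFB displays :0 through :9

# Constructed sample in a hypothetical firewall log format.
SAMPLE_LOG = """\
2007-06-16T19:02:11 ACCEPT TCP 192.168.1.23:50311 -> 192.168.1.10:5900
2007-06-16T21:15:40 ACCEPT TCP 10.8.0.6:49877 -> 192.168.1.10:5900
2007-06-17T02:39:58 DENY TCP 198.51.100.7:40112 -> 192.168.1.10:5900
2007-06-17T02:41:09 ACCEPT TCP 203.0.113.45:51422 -> 192.168.1.10:5900
2007-06-17T03:05:00 ACCEPT TCP 203.0.113.45:51500 -> 192.168.1.10:80
truncated line with no fields
"""

LINE_RE = re.compile(
    r"^(\S+) (ACCEPT|DENY) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(\d+)$"
)

def is_allowed(src):
    """True if src falls inside any allow-listed network."""
    return any(src in net for net in ALLOWED_NETS)

def audit(log_text):
    """Sort VNC connections from outside the allow-list into accepted and denied."""
    result = {"exposed": [], "blocked": [], "skipped": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            result["skipped"] += 1
            continue
        ts, action, src_text, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        try:
            src = ipaddress.ip_address(src_text)
        except ValueError:  # e.g. an octet above 255
            result["skipped"] += 1
            continue
        if dport not in VNC_PORTS or is_allowed(src):
            continue
        key = "exposed" if action == "ACCEPT" else "blocked"
        result[key].append((ts, str(src), dport))
    return result

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ts, src, port in report["exposed"]:
        print(f"ACCEPTED from outside allow-list: {src} -> port {port} at {ts}")
    print(f"{len(report['blocked'])} blocked, {report['skipped']} unparsed")
```

Any entry under `exposed` means the VNC port accepted a connection from an address outside the LAN and VPN ranges, which is the condition the allow-list advice is meant to prevent.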
  #8  
Old 06-21-2007, 10:30 AM
goldtoes goldtoes is offline
Senior Member
 
Join Date: Feb 2006
Posts: 1,918
Default Re: Mac Hacked

[ QUOTE ]
VNC is secure if you limit the IP ranges that are allowed to connect to it. Limit it to your VPN and local subnet. Secure.

[/ QUOTE ]

I agree, but for most users that want to use VNC - they aren't using a VPN and usually are not savvy enough to even know what an IP address is. Or how to find out their WAN address.
  #9  
Old 06-21-2007, 07:20 PM
funkyworms funkyworms is offline
Senior Member
 
Join Date: Jun 2004
Location: New Orleans
Posts: 764
Default Re: Mac Hacked

[ QUOTE ]
[ QUOTE ]
VNC is secure if you limit the IP ranges that are allowed to connect to it. Limit it to your VPN and local subnet. Secure.

[/ QUOTE ]

I agree, but for most users that want to use VNC - they aren't using a VPN and usually are not savvy enough to even know what an IP address is. Or how to find out their WAN address.

[/ QUOTE ]

Those people should not be left unattended without proper head protection. Kerowo is a smart person other than this little slip up. I wanted to berate him/her but I resisted.
  #10  
Old 06-21-2007, 09:17 PM
kerowo kerowo is offline
Senior Member
 
Join Date: Nov 2005
Posts: 6,880
Default Re: Mac Hacked

Meh. It was mostly a toy and I haven't bothered with it since cleaning up and securing the box. At some point Logmein will allow Mac hosts instead of just clients and I'll use that.
All times are GMT -4.