Stop The Hacking

Discussion in 'Mac OS X System & Mac Software' started by Crapple2015, Nov 8, 2017.

  1. Crapple2015

    Crapple2015
    Registered

    Joined:
    Nov 8, 2017
    Messages:
    12
    Likes Received:
    0
    Hi, I have trouble with my system, a MacBook Pro 9,1 running various OSes (OS X 10.7.5, 10.8.5, 10.9.5 and macOS 10.11.3), being hacked. I've tried formatting the SSD completely and using remote recovery for a fresh install. When I unplug the WiFi & Bluetooth contact, all is well. Until I plug the WiFi & Bluetooth connection back in, then "Kaboom", my system starts acting compromised with various indications and happenings, or options go missing and the system plays up. I'm 98% certain they're getting in through both WiFi & Bluetooth, as I've uninstalled all network devices and deleted the system configuration .plist associated with WiFi to eliminate WiFi vulnerabilities. I'm using Hands Off (firewall) without any luck there; it's still gaining access to my system. I've tried going to Apple for tech support but it's just a complete inconvenience and mostly unhelpful. So I'm up for suggestions. ☝️ Please only reply with useful ideas/support... Thanks for your help in advance
     
    #1 Crapple2015, Nov 8, 2017
    Last edited: Nov 8, 2017
  2. Cheryl

    Cheryl
    Rosie Moderator
    Staff Member Mod

    Joined:
    Dec 26, 2001
    Messages:
    4,408
    Likes Received:
    86
    Have you changed your WiFi password?
     
  3. Crapple2015

    Crapple2015
    Registered

    Joined:
    Nov 8, 2017
    Messages:
    12
    Likes Received:
    0
    Hi, yes, all passwords have been changed on many occasions on all devices as a preventative measure; it's still gaining access. Though I did try to check the firmware using this -
    https://github.com/duo-labs/EFIgy/

    And was only presented with an inconclusive response.
    Most of the web sites I try to visit with fixes or tools are a battle. I have 2-3 HDDs with various OSes which I randomly swap out in an attempt to get fixes/tools, but I'm usually blocked/prevented/stopped. This is completely BS; I've had to abandon my system until I gain some help, because I'm mostly out of answers :(.
     
  4. DeltaMac

    DeltaMac
    Tech

    Joined:
    Jun 20, 2001
    Messages:
    8,577
    Likes Received:
    107
    Keep in mind that bluetooth is very short range. 10 feet is probably the maximum for that to do much.
    Is there any reason that you could NOT turn bluetooth off, and leave it off? That would help eliminate THAT as a possibility, even if it is highly unlikely vector for anyone to use.

    If you think that you have problems through Wifi, you can log in to your router to see if other users are ALSO logged in...
    Even Wifi would be relatively close range, with 100 feet being maximum in many situations, and that would be a stretch in most locations.

    The ONLY way (and it's the only way) that someone could connect through your wifi network is if your network password is known to others.
    So, you would want to change your WPA2 password now, so only YOU know what that password is.
    Make sure file sharing is turned OFF.

    And, assuming that you leave your MBPro out so others have physical access to it, make sure that you change your account login password to one that you have not used before.

    When you connect to WiFi --- are you at your own house, or in a public place/coffee shop, or at school (including in a univ dorm)?
    If you are at home, with your own internet router, then you have ultimate control over how that connection is set up. Other, more public places may be more challenging to prevent access.

    Finally, what is the result when you try something that will scan for strange access to your files, such as Little Snitch ?
    Then, have you scanned your system with the other good tool that can often discover software challenges - EtreCheck ?
    And, when you are experiencing problems (you haven't really provided any details about your "threats", and what happens on your system, other than generic items like "system playing up").
    Because it doesn't appear to happen until you connect to a network (and ostensibly begin surfing to your familiar websites, whatever they may be), maybe it's nothing more than a bit of malware that immediately is challenging for you, presenting popups, and re-directing you to other sites.
    EtreCheck can often find those types of malware, and can remove some. You can even post the results page from EtreCheck, and someone may help interpret those results, if necessary.
    Finally, the other go-to malware tool is MalwareBytes for Mac.
     
  5. Crapple2015

    Crapple2015
    Registered

    Joined:
    Nov 8, 2017
    Messages:
    12
    Likes Received:
    0
    Hi DeltaMac, thanks for your info/tips. I've tried to disable Bluetooth but it keeps enabling itself, and the "wake on sleep" can't be changed/turned off sometimes, and then it keeps reselecting itself back ON after being deselected OFF, intermittently. Obviously I made it not discoverable (OFF) and there are no devices connected. Though it would help if you could confirm this: in System Preferences\Bluetooth\Advanced I have these Bluetooth serial port input devices (as per photo attachment). Are these valid? Because I've deleted them and they just keep reinstalling/turning ON, e.g. delete, reboot and then they're reinstalled, and the Bluetooth serials keep automatically reselecting themselves ON after I've deselected them, closed the window and exited System Preferences, only to reopen the Bluetooth\Advanced option for them to be reselected back ON....?

    Strange happenings, e.g. the Verify\Info\Burn\Unmount\Eject toolbar goes missing from Disk Utility; the encryption of my SSD has been turned off without my authorisation or directives; I've tried to repair through disk recovery but it was unable/refused to mount the partition. I've tried turning off FileVault through the OS as prompted but face an error (as photo).
    These folders with files have been found on my system (System\Library) without me installing them: Python, Raspberry and another that I can't remember (I deleted them), as I think they're coding programs. Another folder found (Library\Modem Scripts), not sure if it's valid, but full of random modem scripts...?
    Most apps keep crashing or not behaving correctly (compared to a stable system).
    Bluetooth missing from; About This Mac\More info\System Report.
    And I've tried to install MalwareBytes but it was just prevented or didn't work. Keep in mind this occurs on a fresh install, e.g. HDD\SSD removed and formatted on another system, then using internet recovery to ensure a clean OS, but by the time accounts have been set up... this is complete BS..! Obviously I've tried trial by elimination; it's been ongoing for over 3 weeks. Usually I'm capable of fixing this type of thing, though it hasn't happened since being on Mac for the past 12 years, and I never had issues until now with Mac.
    Thanks for your assistance, I'll give those tools a go.
    Hope there are not too many errors, as I've had to revert to using an iPhone 5 that I've only just updated, due to the BS on the MacBook, and now coincidentally the home button is not responding as expected, like many others.

    Update
    Just completed EtreCheck. Gatekeeper reports "Anywhere [fix Gatekeeper security]". I've tried clicking on it to repair; it asked for administration rights and the password provided access - nothing.
     
    #5 Crapple2015, Nov 8, 2017
    Last edited: Nov 8, 2017
  6. DeltaMac

    DeltaMac
    Tech

    Joined:
    Jun 20, 2001
    Messages:
    8,577
    Likes Received:
    107
    Gatekeeper security setting is in System Preferences/Security & Privacy pane.
    You have to click the lock to unlock that pane.
    Then you can change the "Allow apps downloaded from" setting. The default would be App Store, but you can change to "App Store and identified developers" if you like.

    I would suggest if you want to make sure about your erase/reinstall of the system that you download the system installer, then create your own bootable installer, usually on a USB flash drive. That task then allows you to erase and reinstall without connecting to your network at all.

    btw - you likely can't add pictures to your posts yet. I think there is a minimum number of posts before you can do that. But, a good description of what you see should be good enough, most of the time.

    (The external boot installer will ALSO let you erase your drive completely, as you probably continue to keep the original recovery system --- which may be most of your issue, and not something external to your system. Be sure to try a PRAM/NVRAM reset AFTER erasing your hard drive, and BEFORE you begin the reinstall of macOS. Do that by restarting your Mac while holding Command-Option-p-r. You should hear the boot chime. Keep holding the same 4 keys until you hear the boot chime two more times, then release the keys, holding Option so you can choose your external installer boot. THEN reinstall macOS. That should help you avoid some possible file corruption on your hard drive.)
     
    #6 DeltaMac, Nov 8, 2017
    Last edited: Nov 8, 2017
  7. Crapple2015

    Crapple2015
    Registered

    Joined:
    Nov 8, 2017
    Messages:
    12
    Likes Received:
    0
    Yep, checked it in preferences and it shows "download from App Store only", checked and locked.
    Yes, I have set up a bootable USB and used DVD/USB OS images I made when Mountain Lion was released (think 2012); I used this to reduce cross infection and reset PRAM a few times before reboot to eliminate cross infection. I've used internet recovery to try the best possible solution. I assume during downloading the OS is compromised, because once installed it's infected with 3rd party folders in System\Library, e.g. Messenger Tracer, Modem Scripts, Perl, Python, Raft, Ruby, Tcl and others (I'm sure they're coding programs, and the Modem Scripts folder has an array of different modems not associated with Mac), but these are the ones that I can quickly identify as not legitimate to the original Mac operating system. As for the DVD install, all is clean during install setup; I then set up accounts and settings (basic), Mac firewall, administrator's account, all clean, then connect to WiFi, Kaboom, infected....!!!
     
    #7 Crapple2015, Nov 8, 2017
    Last edited: Nov 8, 2017
  8. DeltaMac

    DeltaMac
    Tech

    Joined:
    Jun 20, 2001
    Messages:
    8,577
    Likes Received:
    107
    I don't think you have much to show any strange issues.
    The various folders (I think you have misspelled some of them) such as Modem Scripts, Perl, Python, Ruby, and Tcl are all quite normal parts of a standard OS X system install.
    For example, the system comes with native support for a variety of different modems, and the Modem Scripts folder is where the connection scripts are stored.
    Even my newest fresh install of High Sierra has a dozen or so different companies' (35 files total) modem scripts available for use by the system. Nothing unusual about that.

    So far, you don't have anything that is not part of a normal OS X install.
    What is a "kaboom"? Does that show up in the EtreCheck report, or is it identified in any way? Not ever seen that, at least on a Mac, so that's a bit strange.
    There is an audio utility that I used several years ago, called "Boom". Any chance that you have used that?

    Is there anything else that you think you might have seen that I can help you understand a little more?
    There must be something that makes you so nervous about your system, but the few items that you have listed really aren't anything to cause alarm.
    What really happens when you first connect to your WiFi? Is this your home network (you own it, and you control it)? or a public network, at a cafe, or school, or library?

    Have you tried Little Snitch? That might report some issues with software "calling home" that nothing else will report.
     
  9. Crapple2015

    Crapple2015
    Registered

    Joined:
    Nov 8, 2017
    Messages:
    12
    Likes Received:
    0
    Hi, I'm frequently unplugging the router so I can mostly do what I need without being compromised/the Mac not playing nice. My router SSID is already set not to broadcast and I'm frequently changing the WiFi password and login password. Here are a few examples of what's been happening. I use virus protection - ClamXAV and the Bitdefender free app from the App Store; half the time I'm fighting the computer to get it to do what I need/want. Downloading MalwareBytes was a huge effort; it would arrive corrupt/broken and the .dmg file would not open, and after I was able to download it completely, it won't install/work, like it's been blocked from installing...?

    I've installed Hands Off..! And added rules to eliminate all access except Firefox and Mac IP delivery (not sure of the correct name ATM) and that is all that's given access. HO is similar to Little Snitch.

    1st) System Preferences\Sharing\Remote Apple Events - is deselected and the option to only "allow these users" is selected and NO profiles are allocated (by me)
    2nd) System Preferences\Sharing\Remote Management - is deselected and the option to only "allow these users" is selected and NO profiles are allocated (by me)
    At times these are RESELECTED (not by me) to allow administrators access. And sometimes the option is SELECTED and greyed out, preventing me from DESELECTING it once again, but administrator is allocated (not by me)
    3rd) The MacBook Pro's computer name is "Admins MacBook Pro"; this is often deleted (not by me) during internet usage, and I'm unable to add a new computer name unless I do an OS reinstall over the top
    4th) Bluetooth - Advanced option "Allow Bluetooth devices to wake this computer" is deselected and disabled (by me). Upon recheck due to strange events this option is RESELECTED and ENABLED (not by me) and sometimes greyed out, preventing me from DESELECTING it once again. This may explain WHY, after shutting down my computer ("the MacBook Pro in question") from the day's work, it would miraculously somehow be found automatically turned ON during the night (not by me). I will also point out NO known Bluetooth device has been connected to the MacBook Pro for months due to elimination, and it was removed from the device list at that time (Mac Magic Mouse).
    5th) Often a document that I have developed and verified somehow has its contents modified (not by me), without acknowledgment or consent, into mostly crap.
    6th) While using a Finder window, the toolbar ("View toolbar" option) would disappear (not by me) on its own.
    7th) Sometimes an IP address would NOT be supplied to the WiFi of the Mac, even though I had just been using the system moments ago without change (coffee break).

    >>>>>This list will be updated as I remember scenarios and return<<<<<

    Can anyone PLEASE post A COPY or picture of the file system of their OS /System/Library/, preferably OS Mountain Lion 10.8.5 or Mavericks 10.9.5, to enable me to compare file systems...
     
    #9 Crapple2015, Nov 8, 2017
    Last edited: Nov 9, 2017
  10. DeltaMac

    DeltaMac
    Tech

    Joined:
    Jun 20, 2001
    Messages:
    8,577
    Likes Received:
    107
    Here are two screenshots. First is a Mavericks /System/Library listing. Second is the same Mavericks /Library listing.
    Many of your "suspect" items are there. This is a fresh install, with NO other software installed, other than to fully update a fresh install. It's used as a test system, to discover any compatibility issues with older systems, hence, no need to install other software, until it is necessary for testing. There is NO extra protection of any kind installed, other than that which is part of the basic system install.
    [Image: Mavericks system library portion.png]

    [Image: Mavericks :Library folder list selection.png]
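    The comparison the OP asks for (a stock /System/Library listing to diff against) can be done without screenshots. The following is an added example, not code from the thread or from any of the tools it mentions: it compares a directory listing against a baseline of expected top-level names, and, because a folder with the right name can still hold altered files, it also hashes two trees (a trusted install and the suspect one) and reports added, removed and changed files. The baseline set and the sample listing are constructed for illustration; the stock entries named in the thread (Modem Scripts, Perl, Python, Ruby, Tcl) are included, the other names are well-known stock folders, and "ExampleUnexpectedFolder" is a placeholder. A real baseline should be generated from a trusted install of the same OS version.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# Constructed, illustrative baseline of top-level /System/Library folder names.
# It includes the entries the thread describes as normal parts of a stock OS X
# install (Modem Scripts, Perl, Python, Ruby, Tcl) plus a few other well-known
# stock folders. It is NOT a complete or authoritative manifest of any release;
# build the real baseline from a trusted install of the same OS version.
STOCK_SYSTEM_LIBRARY = {
    "CoreServices", "Extensions", "Frameworks", "LaunchAgents", "LaunchDaemons",
    "Modem Scripts", "Perl", "Python", "Ruby", "Tcl",
}

# Constructed sample listing of a machine under review: one stock folder is
# absent and one placeholder folder is present that the baseline does not know.
SAMPLE_OBSERVED = [
    ".DS_Store", "CoreServices", "Extensions", "Frameworks", "LaunchAgents",
    "LaunchDaemons", "Modem Scripts", "Perl", "Python", "Ruby",
    "ExampleUnexpectedFolder",
]


def compare_listing(observed: Iterable[str], baseline: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (unexpected, missing): names present only in `observed`, and
    baseline names that `observed` lacks. Hidden entries (leading dot) such as
    Finder's .DS_Store are ignored because normal use creates them."""
    observed_set = {name for name in observed if not name.startswith(".")}
    baseline_set = set(baseline)
    return sorted(observed_set - baseline_set), sorted(baseline_set - observed_set)


def compare_directory(path: str, baseline: Iterable[str] = STOCK_SYSTEM_LIBRARY) -> Tuple[List[str], List[str]]:
    """Run compare_listing over a real directory, e.g. /System/Library."""
    return compare_listing(os.listdir(path), baseline)


def hash_tree(root: str) -> Dict[str, str]:
    """Map every regular file under `root` (path relative to root) to its
    SHA-256 hex digest. Symlinks are skipped so only real content is hashed."""
    digests: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_trees(suspect: Dict[str, str], trusted: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files by comparing two hash_tree() results: added (only in the
    suspect tree), removed (only in the trusted tree), changed (same path,
    different digest). A matching folder name says nothing about the files
    inside it; this is the check that does."""
    suspect_paths, trusted_paths = set(suspect), set(trusted)
    return {
        "added": sorted(suspect_paths - trusted_paths),
        "removed": sorted(trusted_paths - suspect_paths),
        "changed": sorted(p for p in suspect_paths & trusted_paths if suspect[p] != trusted[p]),
    }


if __name__ == "__main__":
    unexpected, missing = compare_listing(SAMPLE_OBSERVED, STOCK_SYSTEM_LIBRARY)
    print("not in baseline:", unexpected)
    print("missing from listing:", missing)
    # For a live check on a Mac, uncomment the next lines (hypothetical paths).
    # Hashing all of /System/Library takes a while.
    # print(compare_directory("/System/Library"))
    # print(diff_trees(hash_tree("/Volumes/Suspect/System/Library"), hash_tree("/System/Library")))
```

    The trusted tree should come from media you control (the bootable installer DeltaMac describes, or a second known-clean install), not from the machine under suspicion; a tree that differs only in files touched by a software update is expected, so compare installs of the same version and update level.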
     
  11. DeltaMac

    DeltaMac
    Tech

    Joined:
    Jun 20, 2001
    Messages:
    8,577
    Likes Received:
    107
    I still don't have any idea what "Kaboom" is...?
    Is that software that you have installed?

    I suspect that you have Hands Off configured WAY too tightly.
    One of the problems with that kind of security software is that it can provide you with such good protection that you lock yourself down, and your internet connection may not even work properly, and YOUR OWN software may not work well, as it struggles against your locked-down connection.
    ** consider ** removing (uninstalling) Hands Off, or not installing it on a brand new fresh system, until you use your system normally for a few days.
    THEN, install Hands Off, if you think you need it, and configure it for defaults ONLY. Then tighten it down as you see Hands Off report possible suspicious activity.
    (You can easily cause yourself real problems if you guess about configuration changes, without any reports to support your settings.)

    Just a thought --- If you are frequently restarting your internet router, maybe that's an issue for you! Consider replacing with a newer router. I just changed over to an Amplifi mesh system, and very pleased with the connection speed and the quality of the hardware.
    What I am saying is that your router may be getting older, and could be unstable, particularly in a home level system.
    You SHOULD at least check that the router manufacturer has patches in place, or updated firmware for your router to protect against the Krack WPA2 exploit.
     
  12. Crapple2015

    Crapple2015
    Registered

    Joined:
    Nov 8, 2017
    Messages:
    12
    Likes Received:
    0
    "Kaboom" is the expression that I've used to define the event of when my system is re-infected, as I experience Mac strange events, apps not working, WiFi drop outs, other weird crap.....
    As for Hands Off - I've been using this programme for over 4 years and am well experienced with its configuration.....
    Though good point about the Krack exploit, THANKS... I'm checking for an update....
    BUT here is what I have determined so far.... Each time I've reinstalled OS X on my SSD, as soon as I connect to the internet it's infected, apps not working or not as expected and other strange events.
    I've managed to install OS X on a USB. At time of use I remove the main SSD & the Bluetooth/WiFi module (by removing the clip/ribbon from the MB); at this point the system is running smoothly, like it's supposed to, just a bit of lag from running from USB. I've used this install to format and wipe the SSD through a USB adaptor to get as clean an install onto the SSD as practically possible.... IT IS possible that either 1 - Krack has infected the router. 2 - malware/virus in the EFI or BOOT partition of the SSD. 3 - firmware of the SSD is infected. I'm waiting on another SSD drive to help determine this.... THANKS FOR YOUR SUPPORT.
     
  13. DeltaMac

    DeltaMac
    Tech

    Joined:
    Jun 20, 2001
    Messages:
    8,577
    Likes Received:
    107
    1. Your router would not be "infected", simply used as the access for that exploit. Either make sure that there is a firmware update for the router that blocks that exploit, or replace with a newer router. (Do you actually have access to the router that you are using? That is, does it belong to YOU?)
    2. (Malware in any partition?) No, but you could reassure yourself about that by doing a full erase of your SSD, then reinstall.
    3. (infected firmware in the SSD) Not possible, as far as I know. If you are that sure about something infecting your system, then replace the SSD.

    I can't think of ANY method that you could use to discover if there is any problem with infected firmware, other than running the normal Apple Diagnostics the next time you restart your Mac: Restart, holding the D key.
    1. Accept the results for that diagnostics test.

    Couple of suggestions... Connect directly to the router with an ethernet cable. Use that instead of Wifi. That would leave you with a connection that would be, as a natural result of the way ethernet protocol works, much more secure than Wifi.
    Make sure the firewall in your router is turned on. If you don't think your router has a built-in firewall, then replace that router with one that does have a firewall, then leave that enabled.
    While you are looking at settings, you can check for other devices connected to your router, where the DHCP clients are listed. That will show any devices that are getting IP addresses through your router.
    And, if you don't need wifi, leave the Wifi card in your Mac turned off, as you don't need the wireless connection when you are connected via ethernet.
    Bluetooth is a non-issue, as it can't be used remotely for connections, only within sight of your computer.
    (DON'T unplug your router, unless you have an actual technical reason to do that. THAT may be where part of your problem happens (sudden network disconnect when your system may be accessing data that you need for using the computer). That would result in errors or popups under certain conditions. NOT an indication that you have an intruder, just your system responding to a sudden disconnect from the network - which is what you do, right?)
    + + + + + +

    And, just to repeat what I have said before - there is nothing that you have mentioned up to this point that might not be normal occurrence on your Mac - nothing that would indicate that there is any malicious entry into your network, nothing. Try not to over-think what is going on, and looking outside for other sources for the problems that you might be having with your system, and your own network connection.

    Last questions: What router do you have? How long have you used it?
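    DeltaMac's suggestion to read the DHCP client list on the router is the one check in this thread that produces evidence rather than impressions. As an added example (not code from the thread or from any router vendor), the following parses a client table in the whitespace-separated shape many home routers display, normalises the MAC addresses so that different vendors' formatting compares equal, and lists every client that is not on an owner-maintained allowlist. The table, hostnames, addresses and the allowlist are constructed for illustration; a real run pastes the router's own table in.

```python
import re
from typing import Dict, List


def normalise_mac(raw: str) -> str:
    """Canonicalise a MAC address to lower-case, colon-separated form so that
    'AA-BB-CC-00-11-22', 'aabb.cc00.1122' and 'aa:bb:cc:00:11:22' compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(table: str) -> List[Dict[str, str]]:
    """Parse a whitespace-separated client table whose first three columns are
    hostname, IPv4 address and MAC address (extra columns such as lease expiry
    are ignored). The first line is treated as a header and skipped."""
    leases = []
    for line in table.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed row
        leases.append({"hostname": parts[0], "ip": parts[1], "mac": normalise_mac(parts[2])})
    return leases


def find_unknown(leases: List[Dict[str, str]], known: Dict[str, str]) -> List[Dict[str, str]]:
    """Return the leases whose MAC is not in the owner's allowlist."""
    return [lease for lease in leases if lease["mac"] not in known]


# Constructed sample: a DHCP client table in the shape many home routers
# display. Hostnames, addresses and expiry times are made up.
SAMPLE_LEASE_TABLE = """\
Hostname        IP Address    MAC Address        Expires
Admins-MacBook  192.168.1.20  AA:BB:CC:00:11:22  23:10:04
iPhone          192.168.1.21  aa-bb-cc-00-11-33  11:02:55
android-9f3c    192.168.1.37  DE:AD:BE:EF:00:01  00:41:12
"""

# Constructed allowlist of the owner's own devices, keyed by normalised MAC.
# Take each MAC from the device's own settings screen, not from the router,
# so the allowlist is independent of what the router reports.
KNOWN_DEVICES = {
    normalise_mac("AA:BB:CC:00:11:22"): "MacBook Pro",
    normalise_mac("AA:BB:CC:00:11:33"): "iPhone 5",
}


def unknown_hosts(table: str = SAMPLE_LEASE_TABLE, known: Dict[str, str] = KNOWN_DEVICES) -> List[str]:
    """Hostnames of clients holding a lease that are not on the allowlist."""
    return [lease["hostname"] for lease in find_unknown(parse_leases(table), known)]


if __name__ == "__main__":
    for lease in find_unknown(parse_leases(SAMPLE_LEASE_TABLE), KNOWN_DEVICES):
        print(f"unknown client: {lease['hostname']} {lease['ip']} {lease['mac']}")
```

    Two caveats apply to what this shows. A MAC address is self-reported, so an unknown entry is a lead to investigate (which device, when, how often), not proof on its own. And the list only contains clients that obtained a lease: an attack that manipulates the WPA2 handshake over the air, as KRACK does, never asks for one, so an empty result is not evidence of a clean network, which is why the router firmware question DeltaMac raises still matters.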
     
  14. Crapple2015

    Crapple2015
    Registered

    Joined:
    Nov 8, 2017
    Messages:
    12
    Likes Received:
    0
    censored
     
    #14 Crapple2015, Jan 7, 2018
    Last edited: Jan 10, 2018
  15. Crapple2015

    Crapple2015
    Registered

    Joined:
    Nov 8, 2017
    Messages:
    12
    Likes Received:
    0
    Sorry for the late reply, I've been distracted by this system hijack. Can someone confirm these settings (photo as attached)? After a new OS X 10.8.0 install these settings are applied by the MacBook Pro automatically. Can someone confirm these settings please.
     
  16. Crapple2015

    Crapple2015
    Registered

    Joined:
    Nov 8, 2017
    Messages:
    12
    Likes Received:
    0
    Bluetooth advanced settings, via new install, but these options are reinstalled after I've deleted them and restarted, and pretty sure they reinstall after log out/log in of the user account.
     


    #16 Crapple2015, Jan 7, 2018
    Last edited: Jan 10, 2018
  17. DeltaMac

    DeltaMac
    Tech

    Joined:
    Jun 20, 2001
    Messages:
    8,577
    Likes Received:
    107
    I can confirm that those are bluetooth settings. The check boxes are completely default, and normal.
    If you don't feel comfortable with the bluetooth serial ports, as listed in your picture, uncheck the ports.

    If you click out of the advanced settings, what devices are showing up in the Bluetooth pref pane?

    Keep in mind that "bluetooth" is for very close range (less than 30 feet at the MOST), and is for devices, such as game controllers, or iPhone/iPad devices, wireless mouse/keyboard.
    I also think that gaming consoles, such as playstation, or Xbox, will have bluetooth connections built-in.
    THOSE kind of devices won't change your settings from outside, however.

    So, turn those ports off, and click on each line for a serial port, then click the (-) near the bottom left corner of that advanced window. That will DELETE each line.
    Clear the pane of those ports (if you like)
    Close System Preferences, then restart.

    Finally - if you are really nervous about this stuff - move out of your apartment building, to a stand-alone house, at least a kilometer off of public roads, with no neighbors for at least 500m.

    Yeah, that should do it.
     
  18. Crapple2015

    Crapple2015
    Registered

    Joined:
    Nov 8, 2017
    Messages:
    12
    Likes Received:
    0
    Thanks for your help much appreciated...!!


    No Bluetooth devices have been connected as it's a new install and I've refrained from using Bluetooth due to the hijack..


    I have tried on a number of occasions deleting/removing those port devices (in Advanced options; the Bluetooth PDA sync seemed worrisome) from the list, though after each restart they would only return/reinstall themselves. I will also point out the Bluetooth option "Allow Bluetooth devices to wake this computer" is now ticked and greyed out, preventing even the administrator from changing this option, if I exit the Advanced option selection or after a period of time. And now, thinking back, this was a major indicator: there have been a few times when I've woken during the night/early morning and checked on it or gone to do further testing, only to find my Mac powered ON, knowing full well that I had powered it off completely at the end of each night, as I always put it away in my laptop bag, obviously powered off to prevent it from cooking.

    Another indicator: I would switch off WiFi through Settings\Network\WiFi and use the ethernet port/cable; I would then watch the network settings window during the ethernet connection and notice that ethernet would connect temporarily and then drop and only provide an inferior IP address, resulting in a corrupt/no connection.

    So I would then restart, create a new account, and quickly delete the advanced Bluetooth settings that I referred to, as on first try ALL check boxes and options are available and can be changed/deselected/deleted as usual (in the Advanced option). So I delete them all and create a new account, and after setting up the new account, ensuring to delete the Bluetooth options again in the advanced options, ethernet would then work as required, BUT if I reboot those options would be back, and again NO suitable IP address would be allocated, until I repeated those steps....

    Though now I have deleted mostly all kexts related to Bluetooth and unplugged the Bluetooth/WiFi port from the logic board, AND GUESS WHAT.....

    YES, all seems to be normal and operating as it should......
     
    #18 Crapple2015, Jan 9, 2018
    Last edited: Jan 10, 2018
  19. DeltaMac

    DeltaMac
    Tech

    Joined:
    Jun 20, 2001
    Messages:
    8,577
    Likes Received:
    107
    Hmm...
    I think I should point out that my Wifi router needs a bluetooth connection (in addition to the Wifi) for accessing the router and the rest of its mesh network (It's an Ubiquiti Amplifi HD system, best performing router I have had up to now.)
    Your ethernet connection, and its IP address, is subject to the router/switch that you are plugged into. That IP address comes from your router (and nowhere else), so you may have a configuration issue on your router. Have someone that you trust, and has more than a few disjointed facts
    Maybe your insistence that you have had a "hijack" of some kind is really just the Wifi router that you use. You STILL have not offered any tangible evidence that some kind of hacking or hijack has happened. Other than convincing yourself, you have not really offered any information worth the worry.

    A lot of your struggles only happen after you connect to your network.
    What about your router? Have you had the same router during all this?

    Which brand and model router do you have? Is it combined with a modem, or is it a separate box?
    Do you also have an ethernet switch or hub (for more ethernet connections), or do you only use the ethernet connected to your router/modem?
     
  20. DeltaMac

    DeltaMac
    Tech

    Joined:
    Jun 20, 2001
    Messages:
    8,577
    Likes Received:
    107
    I did not see any other post from you, since the one posted at 6:45 am this morning. That one was one that you corrected, because I got an email reporting an earlier post (maybe an hour before that) which was the earlier one that you came back and updated (with the 6:45 post)
    Although I don't have much control over this, I will report your post, along with your question about that. Maybe a mod will contact you if there was something deleted.
     
