Full Version: Hostile Takeover - Calling all Mac Geeks
OpenSourcePhoto > YA wanna FIGHT! > Mac vs. Windows
BillCawley
This is sooo strange. I installed a Vine VNC server on my desktop (dual 2.7GHz G5 PowerMac) and opened the appropriate port in my firewall so that I could use it remotely. I set a good password. Well a few days later, my mouse started moving on its own and opening and closing windows... So freaking out, I shut off the VNC server. It's been off ever since, but I never closed the port in the router/firewall.

That was a few weeks ago - jump to yesterday. I was out shooting and my sister was at my house using the computer and called to tell me that someone was remotely using my computer. They had logged into Ebay as me and were getting ready to 'sell' a convertible Corvette with my account!! She unplugged the internet cable and left it till I got home....

The VNC server was off and nothing was in the log files. Just a 'ghost' using my computer!!!

So what was happening?? What's the best way to make this more secure so that it doesn't happen again??

I already deleted all my browser passwords and created a non-admin login account to work in. I find both of those things to be a pain in my @ss but they certainly are more 'secure'. Anything else I should do or check?
Trevor Connell
QUOTE(BillCawley @ February 26 2007, 10:29 AM) [snapback]86132[/snapback]
This is sooo strange. I installed a Vine VNC server on my desktop (dual 2.7GHz G5 PowerMac) and opened the appropriate port in my firewall so that I could use it remotely. I set a good password. Well a few days later, my mouse started moving on its own and opening and closing windows... So freaking out, I shut off the VNC server. It's been off ever since, but I never closed the port in the router/firewall.

That was a few weeks ago - jump to yesterday. I was out shooting and my sister was at my house using the computer and called to tell me that someone was remotely using my computer. They had logged into Ebay as me and were getting ready to 'sell' a convertible Corvette with my account!! She unplugged the internet cable and left it till I got home....

The VNC server was off and nothing was in the log files. Just a 'ghost' using my computer!!!

So what was happening?? What's the best way to make this more secure so that it doesn't happen again??

I already deleted all my browser passwords and created a non-admin login account to work in. I find both of those things to be a pain in my @ss but they certainly are more 'secure'. Anything else I should do or check?



Wow, that's crazy! And to catch a hacker in the act too! Man, I would have flipped a kidney!
I am sorry that I don't have any advice for you but I will certainly be watching this thread with great interest.

...good thing you traded that convertible corvette in for that K-car years ago eh? laughing.gif

Good luck!
trevor
gtphotog
How can this happen? The Apple commercial says it's not possible.

Sorry, that was a tongue-in-cheek comment. We use VNC here on Windows all the time. So, it's really not the exact same server. Not sure how they get in if the server is off. I'm interested in hearing what you find out.

My guess may be that they installed a back door when they got into your system the first time.
JeffersonTodd
If you go to the System Preferences>Sharing panel, make sure that Apple Remote Desktop is UNchecked under the Services tab, and that the firewall is enabled under the Firewall tab.

Then open up Applications>Utilities>Activity Monitor to see if there is any random software running that doesn't seem normal.
BillCawley
QUOTE(JeffersonTodd @ February 26 2007, 08:18 AM) [snapback]86166[/snapback]
If you go to the System Preferences>Sharing panel, make sure that Apple Remote Desktop is UNchecked under the Services tab, and that the firewall is enabled under the Firewall tab.

Then open up Applications>Utilities>Activity Monitor to see if there is any random software running that doesn't seem normal.


Hi JT, thanks for the tips!

I just double checked the sharing options and I had remote login and remote desktop disabled already. I also have the firewall on with only file sharing, windows sharing and web sharing enabled.

I do check the activity monitor frequently, but mostly just to see what apps are using a lot of ram or cpu cycles (FYI Canon's scanner software is an amazing system hog if it's left on). I'll look there for anything I don't recognize...

Anyone else ever heard of this problem or have ideas?

Thanks in advance.
kampphotography
I've never heard of this... kinda scary!! pow.gif
D*m*n
QUOTE(gtphotog @ February 26 2007, 11:08 AM) [snapback]86155[/snapback]
How can this happen? The Apple commercial says it's not possible.

Sorry, that was a tongue-in-cheek comment.



laughing.gif

I got upset when I read that initially.
--

Bill:

Good luck with finding the hole in your system. If it were me I'd probably go Windows XP-style and format/reinstall everything on a clean/new drive and try it all over again. A bit extreme, I know. smashpc.gif
BillCawley
It gets worse.....

They logged in as me to my web hosting company (1and1) and redirected all my incoming email to a yahoo mailbox that isn't mine... I haven't gotten any email in about a day and now I know why....

I'm busy Changing Passwords on EVERYTHING

aaaaarrrrrgggggg.....
colinmichael
Dang, that sucks!
Let us know where the hole is.
Alex H
Sorry to hear that. I would recommend changing all the passwords and credit cards ASAP and even faster. Put a lock on your credit report.

In the future: get a good hardware firewall with MAC address filtering. The MAC address is the address of your network card. Most wireless network routers have that feature. Set the MAC addresses of the computers you allow to access your network. It is the fastest way to protect your network from being accessed.
Adam Squier
At the risk of stating the obvious, you are running software update and installing all the security updates, right? They're not really well-known until they're updated, which is why it's important to apply the updates.
Alex H
QUOTE(Adam Squier @ February 26 2007, 12:09 PM) [snapback]86350[/snapback]
At the risk of stating the obvious, you are running software update and installing all the security updates, right? They're not really well-known until they're updated, which is why it's important to apply the updates.


I think they knew how to hack the VNC server and get access to the computer via that door. It doesn't matter how secure the OS is, since the software it is running (VNC in our case) is not secure.

BillCawley
QUOTE(Alex H @ February 26 2007, 12:09 PM) [snapback]86348[/snapback]
Sorry to hear that. I would recommend changing all the passwords and credit cards ASAP and even faster. Put a lock on your credit report.

In the future: get a good hardware firewall with MAC address filtering. The MAC address is the address of your network card. Most wireless network routers have that feature. Set the MAC addresses of the computers you allow to access your network. It is the fastest way to protect your network from being accessed.


Thanks Alex. I did have the VNC port open on the router's firewall, but it's closed now. So that part was my fault.


QUOTE(Adam Squier @ February 26 2007, 12:09 PM) [snapback]86350[/snapback]
At the risk of stating the obvious, you are running software update and installing all the security updates, right? They're not really well-known until they're updated, which is why it's important to apply the updates.


Yup, all up to date.

OK, so on JT's advice, I checked the Activity Monitor and presto, there is a rogue copy of OSXVNC running... not affected by the VNC control panel and not logging in the log file. It looks like this is primarily a Vine VNC problem. Now to just get it all off my computer.... I stopped that service, but I'm guessing it will come back when I reboot, so I'll need to clean it all off.

Don't think a reformat is in my near future. Even with this being the slow time of year I don't have time for that (unless it becomes totally required). I've changed all my online passwords and PIN numbers, and I've been watching my accounts closely for strange activity, but so far the only thing affected is my email. It seems they also had designs to use my eBay account, but no new activity is posted and I've changed the password.

I also notified Yahoo about the email box that my mail was directed to, but who knows if they'll even care...

Anything I'm not thinking of??

Thanks everyone for the help.
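Two checks that would have surfaced the rogue server Bill found, as an added example that is not code from the thread or from Vine/OSXvnc: one looks for anything listening on the VNC port range in `netstat -an` output, the other for any "vnc"-named process in `ps aux` output (what Activity Monitor shows). The sample output below is constructed, in BSD/macOS format, and the OSXvnc-server path is a placeholder; on a live box you would pipe the real commands in instead.

```shell
#!/bin/sh
# Added example, not from the thread: surface a VNC server that is still
# running and listening even though its control panel says it is off.
# Input is constructed sample output in the format of BSD/macOS
# `netstat -an` and `ps aux`.

vnc_listeners() {
    # Reads `netstat -an` lines on stdin and prints "proto local-address" for
    # every LISTEN socket on 5900-5909 (VNC displays) or 5800-5809 (VNC-over-HTTP).
    # BSD netstat writes the local address as host.port (e.g. *.5900), so the
    # port is the text after the last dot.
    awk '$NF == "LISTEN" {
        n = split($4, part, "[.]")
        port = part[n] + 0
        if ((port >= 5900 && port <= 5909) || (port >= 5800 && port <= 5809))
            print $1, $4
    }'
}

vnc_processes() {
    # Reads `ps aux` lines on stdin and prints "pid command" for any process
    # whose command contains "vnc" (case-insensitive); the header row is skipped.
    awk 'NR > 1 && tolower($11) ~ /vnc/ { print $2, $11 }'
}

# Constructed sample: a VNC listener on *.5900 next to AFP (548) and CUPS (631).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  192.168.1.10.49152     192.0.2.7.80           ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN'

# Constructed sample: a stray OSXvnc-server process (placeholder path).
SAMPLE_PS='USER       PID  %CPU %MEM      VSZ    RSS  TT  STAT STARTED      TIME COMMAND
root        41   0.0  0.1    28836   1120  ??  Ss   Mon09AM   0:02.11 /usr/sbin/cupsd
bill       612   0.3  1.2   183920  25140  ??  S    Mon09AM   1:14.30 /Applications/Safari.app/Contents/MacOS/Safari
bill       733   2.1  0.4    61212   8460  ??  S    Mon10AM   0:41.02 /Applications/OSXvnc/OSXvnc-server'

printf 'VNC-range listeners:\n%s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | vnc_listeners)"
printf 'VNC-named processes:\n%s\n' "$(printf '%s\n' "$SAMPLE_PS" | vnc_processes)"
```

A listener on 5900 with the VNC control panel showing "off" is exactly the mismatch to chase; the process check then tells you which binary owns it.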
Alex H
Does MAC (not Mac as in Apple's computer) address filtering make sense to you?
BillCawley
QUOTE(Alex H @ February 26 2007, 12:29 PM) [snapback]86370[/snapback]
Does MAC (not Mac as in Apple's computer) address filtering make sense to you?


Yes, it does. But in this case, it was a remote attack, not one of my roommates or neighbors... And I have several people around here who I let use my wireless access point (roommates and friends) so I don't want to lock down the local access with a MAC filter list. I really think the issue was a combination of that port being open and the rogue VNC server still running on my machine even though I had disabled it in the Vine control panel.

Thanks!
JeffersonTodd
QUOTE(Alex H @ February 26 2007, 12:29 PM) [snapback]86370[/snapback]
Does MAC (not Mac as in Apple's computer) address filtering make sense to you?

Yeah, MAC address filtering wouldn't fix the issues here. That will only affect who can connect directly to that router, not who can access info through the router's ports.

I don't suggest using any third party software for VNC access. There are a few tricks with OSX that make it a lot easier without this software.
Alex H
QUOTE(JeffersonTodd @ February 26 2007, 12:46 PM) [snapback]86388[/snapback]
Yeah, MAC address filtering wouldn't fix the issues here. That will only affect who can connect directly to that router, not who can access info through the router's ports.


No it will not. It will only allow access to the network, ports, etc. from computers on the MAC address list. This is what you want. You want only trusted computers to connect to your network and you list them in the MAC address filter list. It will reject all the others not in the list. That is what the firewalls are for.

Bill, if you have a few friends who you trust and want to grant access to your network, just add their MAC addresses to the list - that's it.
gtphotog
Bill, we use VNC but only after a VPN connection is established. You might want to consider that if you still need to poke a hole to your computer from outside.
Barefoot-Memories



couldn't resist smile.gif


(OK, I know yours wasn't a 'virus', but still....)
gtphotog
QUOTE(Barefoot-Memories @ February 26 2007, 04:39 PM) [snapback]86437[/snapback]
couldn't resist smile.gif
(OK, I know yours wasn't a 'virus', but still..... funny)


Be careful, there are sensitive people, as you can see from a response to my post earlier in this thread. smile.gif
Cook
QUOTE(Barefoot-Memories @ February 26 2007, 03:39 PM) [snapback]86437[/snapback]



couldn't resist smile.gif



w00t.gif laughing.gif laughing.gif laughing.gif

That's funny. I have been using the Mac ads as examples in the marketing class I teach; this will make a great slide for this week's class.
Barefoot-Memories
QUOTE(gtphotog @ February 26 2007, 01:42 PM) [snapback]86439[/snapback]
Be careful, there are sensitive people, as you can see from a response to my post earlier in this thread. smile.gif

I'm an equal-opportunity basher! I just thought my favorite comic was a good fit here.
I'm bi, too, got my Dell here in front of me and my 17" MacBook Pro off to my left. I've got a love/hate relationship with BOTH of them.
BillCawley
QUOTE(Alex H @ February 26 2007, 01:09 PM) [snapback]86408[/snapback]
No it will not. It will only allow access to the network, ports, etc. from computers on the MAC address list. This is what you want. You want only trusted computers to connect to your network and you list them in the MAC address filter list. It will reject all the others not in the list. That is what the firewalls are for.

Bill, if you have a few friends who you trust and want to grant access to your network, just add their MAC addresses to the list - that's it.


Thanks Alex, I don't have a LAN security issue, but I do appreciate the help!


QUOTE(gtphotog @ February 26 2007, 01:39 PM) [snapback]86435[/snapback]
Bill, we use VNC but only after a VPN connection is established. You might want to consider that if you still need to poke a hole to your computer from outside.


Good tip! But I think I've been scared off of using VNC, didn't really need it anyway.. ;-)


QUOTE(Barefoot-Memories @ February 26 2007, 01:50 PM) [snapback]86446[/snapback]
I'm an equal-opportunity basher! I just thought my favorite comic was a good fit here.
I'm bi, too, got my Dell here in front of me and my 17" MacBook Pro off to my left. I've got a love/hate relationship with BOTH of them.


They both have ups and downs for sure... but can anyone remember life without them?
Chris L
QUOTE(Alex H @ February 26 2007, 04:09 PM) [snapback]86408[/snapback]
No it will not. It will only allow access to the network, ports, etc. from computers on the MAC address list. This is what you want. You want only trusted computers to connect to your network and you list them in the MAC address filter list. It will reject all the others not in the list. That is what the firewalls are for.

Bill, if you have a few friends who you trust and want to grant access to your network, just add their MAC addresses to the list - that's it.


And you'd also be giving yourself a false sense of security. It takes ~2 seconds to change the MAC address of any computer, and then I'm on your network. Sure, this might slow down someone just poking around, but for a determined attacker, they won't even notice this "defense".

Especially if you have *anything* wireless on your network, then MAC address filtering is really easy to bypass. Someone simply has to sniff the traffic, pull off the first MAC address they see, and they are in. If everything were wired, it would be a bit different, but still possible.
Carole Foret
Hi Bill, sorry to hear about your freaky ghost. Last year, I had someone hack my eBay account and before I knew it I was selling a Harley. It was only an eBay thing. I just had to change all my account security info, was all. I wonder if the 2 events of yours were 2 unrelated events? Just a thought...

Oh, and I was on a pc then. I'm Mac now...
woffles
It's UNIX. Once they got root they added their own account and shared out the Xserver to access your desktop. My guess anyways. Are there any extra root users in your /etc/passwd file? There may also be a /etc/master.passwd file to look in. You can open a shell and do a "cat /etc/passwd" to see what pops up. I think that's the right name. Haven't done any real UNIX in a little while. You're looking for
root:characters:0:0:more stuff
This is the root user's account. If another account has the user IDs of :0:0: they have root access.

UNIX has its own built-in way of remotely accessing the desktop, built into the screen manager. It doesn't need a separate program. I used to teach UNIX and showed students how to do this to access servers remotely. They would log into each other's computer remotely and make eyeballs pop up on the screen and other such fun stuff.

The thing about UNIX is that it's not inherently secure. It wasn't designed to be. It was designed to be open until the internet came along and people started cracking into them. Hackers program, crackers break into systems! The reason Apple doesn't have a lot of problems is because Windows has about a 95% share of all desktops in the world. Linux is next with Apple being third. That may have changed recently between Linux and Apple. Point is, you get a lot more attention if you break into Windows boxes and write viruses for them. The biggest issue is hidden trojan files on the system that if they run could give these people access to your system again. There are programs that can monitor your system for changes and ways to monitor for someone trying to hack into your system but unless you want to be a system administrator it can be a lot of work. If you can't trust the files on the system anymore the best thing is to replace all of them. Sucks but it's the best way to go about it. Good luck.
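The extra-root check woffles describes, as an added example that is not from the thread: it scans passwd-format lines for any account with UID 0 other than root. Because a Mac of that era kept local users in NetInfo rather than only in /etc/passwd, a second function does the same check on the whitespace-separated "name uid" listing that `dscl . -list /Users UniqueID` is assumed to print; both inputs below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: flag root-equivalent accounts.
# passwd(5) format is name:password:uid:gid:gecos:home:shell; any
# account with uid 0 has root privileges regardless of its name.

find_uid0_accounts() {
    # Reads passwd-format lines on stdin; prints the names of accounts with
    # UID 0 other than "root", one per line. Comments and blank lines are skipped.
    awk -F: '$0 !~ /^#/ && NF >= 3 && $3 == 0 && $1 != "root" { print $1 }'
}

find_uid0_directory() {
    # Same check for a two-column "name uid" listing (assumed to be what
    # `dscl . -list /Users UniqueID` prints on a Mac).
    awk 'NF >= 2 && $2 == 0 && $1 != "root" { print $1 }'
}

# Constructed sample passwd file: "toor" is a planted root-equivalent
# account; "nobody" (uid -2) and "bill" (uid 501) are ordinary.
SAMPLE_PASSWD='# comment line
root:*:0:0:System Administrator:/var/root:/bin/sh
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
bill:*:501:501:Bill:/Users/bill:/bin/bash
toor:*:0:0:Backup root:/var/root:/bin/sh'

# Constructed sample directory listing in "name uid" form.
SAMPLE_DIRECTORY='root     0
nobody   -2
bill     501
helper   0'

report() {
    # Prints a one-line verdict for a list of suspicious names ("" = clean).
    if [ -n "$2" ]; then
        printf '%s: extra UID 0 accounts: %s\n' "$1" "$2"
    else
        printf '%s: no extra UID 0 accounts\n' "$1"
    fi
}

report "/etc/passwd sample" "$(printf '%s\n' "$SAMPLE_PASSWD" | find_uid0_accounts)"
report "directory sample" "$(printf '%s\n' "$SAMPLE_DIRECTORY" | find_uid0_directory)"
```

An unexpected name with UID 0 is a finding in its own right, but its absence does not prove the box is clean: the remote access here turned out to be a still-running VNC server, which this check would not see.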
BillCawley
QUOTE(Chris L @ February 26 2007, 02:46 PM) [snapback]86482[/snapback]
And you'd also be giving yourself a false sense of security. It takes ~2 seconds to change the MAC address of any computer, and then I'm on your network. Sure, this might slow down someone just poking around, but for a determined attacker, they won't even notice this "defense".

Especially if you have *anything* wireless on your network, then MAC address filtering is really easy to bypass. Someone simply has to sniff the traffic, pull off the first MAC address they see, and they are in. If everything were wired, it would be a bit different, but still possible.


Good point. I used to have a Fluke network analyzer that would give the MAC address, IP, relative traffic and more for each node on the network it was plugged into. And it would gather all that information in seconds. I'm sure most hackers can gather all that type of info just as easily. And MAC addresses are easy to spoof.

It's a rough world out there....


QUOTE(woffles @ February 26 2007, 07:39 PM) [snapback]86657[/snapback]
It's UNIX. Once they got root they added their own account and shared out the Xserver to access your desktop. My guess anyways. Are there any extra root users in your /etc/passwd file? There may also be a /etc/master.passwd file to look in. You can open a shell and do a "cat /etc/passwd" to see what pops up. I think that's the right name. Haven't done any real UNIX in a little while. You're looking for
root:characters:0:0:more stuff
This is the root user's account. If another account has the user IDs of :0:0: they have root access.

UNIX has its own built-in way of remotely accessing the desktop, built into the screen manager. It doesn't need a separate program. I used to teach UNIX and showed students how to do this to access servers remotely. They would log into each other's computer remotely and make eyeballs pop up on the screen and other such fun stuff.

The thing about UNIX is that it's not inherently secure. It wasn't designed to be. It was designed to be open until the internet came along and people started cracking into them. Hackers program, crackers break into systems! The reason Apple doesn't have a lot of problems is because Windows has about a 95% share of all desktops in the world. Linux is next with Apple being third. That may have changed recently between Linux and Apple. Point is, you get a lot more attention if you break into Windows boxes and write viruses for them. The biggest issue is hidden trojan files on the system that if they run could give these people access to your system again. There are programs that can monitor your system for changes and ways to monitor for someone trying to hack into your system but unless you want to be a system administrator it can be a lot of work. If you can't trust the files on the system anymore the best thing is to replace all of them. Sucks but it's the best way to go about it. Good luck.


I think Macs have the root login account disabled for just that reason, but I know so very little about it that I should probably check anyway. Anyone else ever have their root account hacked or duplicated on a Mac???
Chris L
QUOTE(BillCawley @ February 26 2007, 10:49 PM) [snapback]86667[/snapback]
I think Macs have the root disabled for just that reason, but I know so very little about it that I should probably check anyway.


Open up a terminal and type "su". Enter your password and you are root.

(Granted, the ability to do su might be disabled by default, I'm not sure, I know I would have turned it on if it was disabled, so you could be right on this one)
BillCawley
QUOTE(Chris L @ February 26 2007, 07:54 PM) [snapback]86672[/snapback]
Open up a terminal and type "su". Enter your password and you are root.

(Granted, the ability to do su might be disabled by default, I'm not sure, I know I would have turned it on if it was disabled, so you could be right on this one)


Dang it, quit quoting me before I can go back and fix my grammar laughing.gif ...
Chris L
QUOTE(BillCawley @ February 26 2007, 11:00 PM) [snapback]86678[/snapback]
Dang it, quit quoting me before I can go back and fix my grammar laughing.gif ...


You had a good 6 minutes. Plenty of time by my count wink.gif
BillCawley
QUOTE(Chris L @ February 26 2007, 08:01 PM) [snapback]86679[/snapback]
You had a good 6 minutes. Plenty of time by my count wink.gif


Dude, it's been a long hard day, so maybe during the daytime that would be enough, but not during Millertime.... Besides, that 6 minutes included the time you took to write your post and submit it... ;-)
D*m*n
QUOTE(Barefoot-Memories @ February 26 2007, 04:39 PM) [snapback]86437[/snapback]



couldn't resist smile.gif


(OK, I know yours wasn't a 'virus', but still....)


At the risk of sounding all Tom Hanks in Big: "I don't get it." huh.gif

Why are Mac users suffering? What's the point of the cartoon?

I'll be the first to admit that the Mac ads are a tad snarky and that I think the "PC" guy is more likeable than the "Mac" in the campaign. At the same time I use PCs all day at the 8-5 and use Macs at home and prefer the Macs. I do a lot less fighting with settings and haven't cracked the case open in months (and that was only to install a host card). If only QuickBooks for Mac wasn't a complete piece of junk we'd be 100% Apple at the house.
BillCawley
QUOTE(Damon Noisette @ March 1 2007, 07:24 AM) [snapback]88139[/snapback]
If only QuickBooks for Mac wasn't a complete piece of junk we'd be 100% Apple at the house.


Have you tried MYOB? I use their FirstEdge product because I don't have any employees. But ya the QB thing is lame. If they're not going to do it for real, why bother?
D*m*n
QUOTE(BillCawley @ March 1 2007, 10:44 AM) [snapback]88144[/snapback]
Have you tried MYOB? I use their FirstEdge product because I don't have any employees. But ya the QB thing is lame. If they're not going to do it for real, why bother?


Our CPA prefers QuickBooks. Since it's the de facto standard I suspect we'll keep our current config and down the road we'll get an Intel Mac, load XP and QuickBooks, and use BootCamp, Parallels, or VMWare to do the whole accounting thing.

We made the mistake of buying QuickBooks for Mac 2006 thinking it would allow us to transition to an all-Mac shop. Unfortunately our bank doesn't offer up .QBO files or DirectConnect for the Mac version of QB.

BTW, that thread I linked to is a perfect example of horrible IT management and software development. I felt embarrassed for the Intuit employees who responded with explanations for why the feature set of QB Mac is so incomplete.

Releasing two products of the same name and use with two completely different feature sets should be a crime. QB for Mac is so crippled and worthless compared to QB for PC it's not even funny. The question I always ask in regard to QB for Mac is why Intuit didn't just port over the entire QB PC application and allow users to seamlessly pass their .QBW files back and forth between platforms. Why would a bank need to have a separate Mac-only version of .QBO export or DirectConnect/WebConnect? That's ludicrous.

From what my wife tells me it's not terribly painful to run QB on the Dell. It's kind of lame to have a computer taking up space for one application, but then again it's not bad to have a PC around if we need to do something PC-only (which was a long time ago!).
Chris L
QUOTE(Damon Noisette @ March 1 2007, 11:37 AM) [snapback]88187[/snapback]
It's kind of lame to have a computer taking up space for one application, but then again it's not bad to have a PC around if we need to do something PC-only (which was a long time ago!).


Which is what Parallels is for now! (as you mentioned).

Especially using Coherence, makes it veryyyyy easy to use Windows apps those few times you need to.