OSX & Network Hacked

15 pts.
Tags:
Apple OSX
Hacking
Networking
All logical remedies explored. I have 4 Macs, 1 less than a month old. Macs 1-3 were compromised via a network attack in December. I took the 3 compromised machines in for service. Hard drives erased, OS installed from a bootable drive made offsite, new modem, router, long passwords ---> hacked again --- steps all repeated. I purchased a new Mac because I had to work. Before I brought it home, all sharing (Bluetooth, active directory, etc.) was disabled in Terminal, every security feature enabled, and a professional installed a Cisco ADA firewall. All machines hacked and connected to remote local directories, evidenced by: no admin privileges, extra disk partitions, settings changed and relocating home directory. Okay, I tried again. I have 12 partitions in my HD, not mine. When I begin a fresh install from the USB boot drive, logs indicate repair of programs from a hidden partition. I do not have access to unmount, repair permissions or use sudo commands. How do I get rid of this?


Software/Hardware used:
OSX, MacBook Pro, MacBook Air

Discuss This Question: 4 Replies

  • TheRealRaven
    Much more is needed before anyone in a forum can help. A professional will need to service your systems.

    An example of what might be related to your problem is called Thunderstrike 2 -- a fairly recent nasty threat that affects Macs, PCs and possibly others. Perhaps more likely would be some variant of BadUSB. And other possibilities exist, but a forum can do nothing about them.
    35,670 points
  • TheRealRaven
    Note that it's unlikely that your Macs or your network was or is being "hacked". It's far more likely that malware was introduced via an infected USB flash drive or other USB device or an e-mail or other malware vehicle.
    35,670 points
  • ElleMish
    Understood. I felt badly dumping tons of details. Thunderstrike is unlikely. The "host" machine was in my possession at all times. Does anything indicate Thunderstrike has evolved beyond physical access? To simplify, I'm working on one machine at a time. When I brought my machine in for service they claimed the firmware was OK, but they also claimed the hard drive was clean. The potential host machine is a 2013 MacBook Air. When I disable all forms of Internet connection (Wi-Fi, Ethernet, et al.) in network settings, my VPN remains connected. System logs indicate the machine has not restarted since the fresh install last week. I have attempted "reboot" in Terminal and I do not have privileges. Yesterday there were additional groups added to users under state preferences, and the firewall is consistently disabled. I attempted to install Kaspersky and received an error message. What information would indicate malware? I did find a folder of AppleScripts set to execute based on triggers. I have a feeling there is something odd with the kernel, but I don't know enough about it. There is no one locally that will touch this. Despite the warranty, Apple will not touch it.
    15 points
  • TheRealRaven
    Certainly agreed that neither Thunderstrike nor any BadUSB variant is likely involved. Those are just two fairly well known examples of how infections can both exist and remain undetected.

    But you're saying (1) "My stuff is infected" and (2) "No infection is detected". It's hard to get beyond those two together.

    Bad news is that there's nothing you can do if local professionals/technicians are unable to help. At least, there's nothing you can do short of beginning a course of study of each programmable device that has contact with any of your networked devices, including each programmable component of each device, e.g., the controllers of all HDDs, of all Ethernet adapters, of all Bluetooth adapters, of any wireless adapters, etc., and not ignoring printers, phones, routers/switches and who knows what else. At some point, you might be able to find a difference between what should be in some firmware (or any small bits of RAM contained in controller circuits) and what is actually in there. (Since a lot of that is proprietary and held by foreign companies, it's hard to learn what should be there.)

    Well, there is the alternative of physically replacing everything and completely isolating all the currently existing devices (including no wireless or Bluetooth or any other kind of communication such as copying via flash drives, etc.)

    If "qualified" technicians can't find any infection, then there isn't much that's useful that can be done.

    Now, for the problem of "Apple will not touch it", various Mac or OSX forums are reasonable venues. You might begin discussions at a MacRumors forum or at a C/NET Mac OS forum or at any other widely known dedicated forum and get other community users involved. You might gather enough interest to force Apple to give useful support. You might even get responses from truly qualified technicians who can communicate with your local ones.

    Really, if it can't be done by local service help, a general internet forum is a very slim chance. But it is possible that a dedicated community can bring contacts together.
    35,670 points
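A defender-side check that follows from the question (partitions the owner does not recognise) and from the last reply's suggestion to compare what should be there with what is actually there. It is added here as an example and is not code from any post in the thread. It parses saved `diskutil list` output and reports partitions that appeared, disappeared or changed since a baseline captured right after a clean install. The row layout assumed is the one `diskutil list` prints on OS X of that era; the two listings embedded in the script are constructed samples, and the file names baseline.txt and current.txt are assumptions.

```python
import re
import sys
from typing import Dict, List, NamedTuple

# One partition row of `diskutil list` (format assumed from OS X output), e.g.
#    1:                        EFI EFI                     209.7 MB   disk0s1
# NAME may be empty (the whole-disk row 0 has none), so it is matched lazily.
ROW_RE = re.compile(
    r"^\s*(?P<index>\d+):\s+(?P<type>\S+)\s*(?P<name>.*?)\s*"
    r"(?P<size>\*?\d+(?:\.\d+)?\s[KMGTP]B)\s+(?P<ident>\S+)\s*$"
)


class Partition(NamedTuple):
    type: str
    name: str
    size: str


def parse_diskutil(text: str) -> Dict[str, Partition]:
    """Map each IDENTIFIER (disk0, disk0s1, ...) to its type, name and size."""
    table: Dict[str, Partition] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            table[m["ident"]] = Partition(m["type"], m["name"].strip(), m["size"])
    return table


def diff_layout(baseline_text: str, current_text: str) -> Dict[str, List[str]]:
    """Identifiers that are new, gone, or whose type/name/size differ from the baseline."""
    base = parse_diskutil(baseline_text)
    cur = parse_diskutil(current_text)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(i for i in set(base) & set(cur) if base[i] != cur[i]),
    }


# Constructed sample: a clean 2013-era HFS+ layout as captured right after install.
BASELINE = """\
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
"""

# Constructed sample: the same disk later, with the system volume shrunk and
# two partitions the owner never created.
CURRENT = """\
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            100.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
   4:                  Apple_HFS Untitled                 19.3 GB   disk0s4
   5:                 Apple_Boot                         650.0 MB   disk0s5
"""


def report(baseline_text: str, current_text: str) -> str:
    """Human-readable summary of the differences, one line per finding."""
    cur = parse_diskutil(current_text)
    base = parse_diskutil(baseline_text)
    d = diff_layout(baseline_text, current_text)
    lines = []
    for ident in d["added"]:
        p = cur[ident]
        lines.append(f"ADDED   {ident}: {p.type} '{p.name}' {p.size}")
    for ident in d["removed"]:
        lines.append(f"REMOVED {ident}")
    for ident in d["changed"]:
        lines.append(f"CHANGED {ident}: {base[ident]} -> {cur[ident]}")
    return "\n".join(lines) if lines else "no differences from baseline"


if __name__ == "__main__":
    # With two file names (assumed: baseline.txt current.txt) compare real
    # captures; with none, run on the constructed samples above.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_base, open(sys.argv[2]) as f_cur:
            print(report(f_base.read(), f_cur.read()))
    else:
        print(report(BASELINE, CURRENT))
```

`diskutil list` does not need root, so it works even on an account that has lost admin rights as described in the question. The baseline is only worth anything if it was taken from a machine known to be clean, ideally while booted from the external installer rather than from the suspect OS, and the later capture should be taken the same way, since a listing produced by a compromised system is itself untrusted. A changed system-volume size or a partition with no name is a reason to have a technician image the disk, not proof of anything on its own.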