How do I prevent the hackers (secret intel) from manipulating my terminal again? [closed]


How do I prevent the hackers from manipulating my terminal again so that my terminal works correctly again?



Here in the Netherlands we perform cybertests at the company where we work, and the attacks are performed by the Dutch government's AIVD (the group who also caught the Fancy Bear hackers). A hacker has root access on my MacBook Air. How do I know that? (It was announced that we would get hacked.) The hacker is capable of running:


sudo hostname 192



The hacker explicitly ran the command above. The hacker also manipulates my bash. I executed the command line


sudo dscl . list /Users | grep -v '^_'



and I see four users:



I don't know where to look since my bash is manipulated. In my terminal only the commands that I performed two days ago are shown. The commands of yesterday and today are not shown. Even if I perform



Example:


Last login: Mon Aug 27 17:37:19 on ttys001
192:~ jen$ history -c
192:~ jen$ history -w

Last login: Mon Aug 27 17:38:49 on ttys002
192:~ jen$ history
1 nano doc.txt
2 cat doc.txt



How do I prevent the hackers from manipulating my terminal again so that my terminal works correctly again?



I am not a victim of social engineering; I did not open any links or files via mail or download any application. I use the laptop only to work on highly confidential stuff.
I only use software delivered by Mac on my system. (I did not download any files via mail and I don't use any browser.) I use this laptop to write mails only (nothing more).








A hacker penetrated in my system and has root access. How do I know that? The two statements are contradictory. Please edit the question and clarify.
– Nimesh Neema
Aug 27 at 12:16





Ah the old hack your computer and do absolutely nothing waiting to be found out by the owner.
– JBis
Aug 27 at 12:33





It will help if you can add an explanation as to what makes you think a hacker ran the command /Volumes/UBUNTU 16_0/ubuntu ; exit; to unmount the USB stick.
– Nimesh Neema
Aug 27 at 13:06







What's your output of the following command cat /Volumes/UBUNTU 16_0/ubuntu
– Allan
Aug 27 at 13:36







Sometimes my Macbook Pro's hostname also changes to 192. I think it's just parsing the IP address as a domain and then grabbing the first "segment" as your hostname.
– Daniel Gray
Aug 27 at 15:01




3 Answers



Most likely you have sprung to an incorrect conclusion - that your Mac was hacked.



The most likely cause of "unwanted" or "surprising" host name changes is that your DHCP server gave your computer a new hostname. The DHCP server could be a router/modem in your own house, a system at your ISP or indeed hardware at anywhere you have connected to a WiFi network (such as a coffee shop, school or whatever).



Removing sudo rights from yourself won't help this problem, as the DHCP client on your Mac will still be able to change your hostname.





The hackers also ran the command to remove my usb stick: >> 76 sudo tcpdump 77 /Volumes/UBUNTU 16_0/ubuntu ; exit; >>
– jennifer ruurs
Aug 27 at 13:03




There is no evidence that you were hacked.



The four users that you listed don't have "root" access per se, and they are all valid accounts:



daemon - a user to handle the background processes that aren't tied to a specific user; the user daemon is given those processes. This is how you can have your Mac turned on, nobody logged in, and processes still running.





nobody - this is another user that gets assigned processes (like httpd) and has very limited access to the system. Even if someone were to hack it, its exposure would be limited.





jen - I'm assuming this is you (SE username is "jennifer ruurs"). If you're an admin user, you have sudo rights, which gives you root access.





root - this is the root account. This account needs root access, especially if you boot into Single User mode for diagnostics or repairs.





The command you mentioned only temporarily changes the hostname of your computer.


sudo hostname 192



This only happens if, and only if, the user/group it logged in as is in the /etc/sudoers file and they either had the password or /etc/sudoers is configured for no password authentication (very insecure and not the default macOS setting).





All of the users above, with the exception of jen, cannot (by default) access your computer remotely. So, if you are convinced that you were "hacked", you need to either find the user account that grants them access or, if it was your account, mitigate your risk and change your password.
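As an added example (not code from the answer above or from Apple), the following script mechanises the checks this answer walks through: it parses the account list from `dscl . -list /Users UniqueID` and the contents of /etc/sudoers, then flags what would actually matter on a macOS machine, namely a second UID-0 account, a non-service account you do not recognise, and NOPASSWD rules. The dscl output and sudoers text are constructed samples (including a made-up `helper` account) so it runs offline; the helper functions and the `STOCK_ACCOUNTS` set are assumptions of this example.

```python
import re

# Constructed sample of `dscl . -list /Users UniqueID` output. Underscore-prefixed
# service accounts are what the `grep -v '^_'` in the question hides; "helper"
# is a made-up UID-0 account added so the check has something to flag.
SAMPLE_DSCL = """\
_mbsetupuser  248
_www           70
daemon          1
helper          0
jen           501
nobody         -2
root            0
"""

# Constructed sample /etc/sudoers with one passwordless rule added for the demo.
SAMPLE_SUDOERS = """\
# root and members of group admin can run anything
root    ALL = (ALL) ALL
%admin  ALL = (ALL) ALL
jen     ALL = (ALL) NOPASSWD: ALL
"""

# The non-service accounts every stock macOS install has (three of the four in the question).
STOCK_ACCOUNTS = {"daemon", "nobody", "root"}

def parse_dscl_users(text):
    """Return {username: uid} from `dscl . -list /Users UniqueID` output."""
    users = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(-?\d+)\s*$", line)
        if m:
            users[m.group(1)] = int(m.group(2))
    return users

def triage_accounts(users, known_humans):
    """Flag extra UID-0 accounts and unrecognised non-service accounts."""
    findings = []
    for name, uid in sorted(users.items()):
        if uid == 0 and name != "root":
            findings.append(f"extra UID-0 account: {name}")
        elif not name.startswith("_") and name not in (STOCK_ACCOUNTS | known_humans):
            findings.append(f"unrecognised account: {name} (uid {uid})")
    return findings

def nopasswd_rules(sudoers_text):
    """Return sudoers rules that grant passwordless sudo (the insecure, non-default case)."""
    return [" ".join(l.split()) for l in sudoers_text.splitlines()
            if not l.lstrip().startswith("#") and "NOPASSWD" in l]

if __name__ == "__main__":
    print(triage_accounts(parse_dscl_users(SAMPLE_DSCL), {"jen"}))
    print(nopasswd_rules(SAMPLE_SUDOERS))
```

On a real machine, feed the functions the output of `dscl . -list /Users UniqueID` and `sudo cat /etc/sudoers` instead of the samples, and pass your own account names as `known_humans`.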





The hackers ran the command 77 /Volumes/UBUNTU 16_0/ubuntu ; exit; in my terminal to unmount my usb stick.
– jennifer ruurs
Aug 27 at 13:05






What makes you think that?
– Allan
Aug 27 at 13:14





I saw this command in my terminal. Thank you for your answer. How do I find the account that grants them the access?
– jennifer ruurs
Aug 27 at 13:15






The dscl command in your original question lists the users. Which one(s) don't you recognize? Secondly, what user context did the hostname and command run as? If it was you, then change your password.
– Allan
Aug 27 at 13:20








I was logged on as jen. The commands were run via my account, but they are also manipulating my bash. So I am not capable of seeing which commands they run.
– jennifer ruurs
Aug 27 at 13:22



To answer the question in the title directly:



You cannot.



Wipe everything, reinstall macOS and restore files from backup (not from the infected machine).



For completeness, it's worth mentioning there exist attacks that e.g. infect the firmware of storage devices, necessitating the entire hardware to be destroyed to ensure 100% safety. Unless you have reason to believe you are being personally targeted by a government, though, this isn't a realistic worry - by contrast, infecting any part of the data actually stored on disk is orders of magnitude easier and a very realistic threat. Even if you were just the victim of an automated, untargeted attack, wiping everything is a necessary precaution.



If an attacker has root access, they can, among other things, replace any binary with their own version that can do whatever they like, meaning that you cannot trust anything on your system anymore. Quite literally anything you try to do might end up doing something completely different. If the hacker wanted, they might make cat return a doctored version of files to e.g. hide log entries showing unwanted activity; ls could fail to show files added by the hacker; any text editor could pretend to save what you write but actually silently ignore your edits, etc., etc.





The reason you don't want to copy your files over is that there are plenty of non-executable file types that can exploit some vulnerability or other and reinfect your system. Compressed archives of various types and PDFs are common carriers, but by no means the only danger. You're probably safe copying over a plaintext, non-executable text file (remember to not use the compromised OS to do that, though), but remember that the attacker could have changed absolutely anything in absolutely any way they wanted, so treat everything like you would treat a random file accidentally downloaded from a shady website.



More realistically...



You also have to think about why the hacker would do something like that. Replacing cat and ls with malicious versions is entirely possible, but making the output sophisticated enough to fool you into thinking everything's fine is much more complex. If the hacker just wanted to spy on you, they'd install a keylogger and leave everything else alone. If they wanted to use your machine in a botnet, they'd install the necessary software and leave everything else alone. If they wanted your money specifically, they'd have installed ransomware, and you'd know that already.





None of the above cases involve editing your bash history, or changing the hostname of your machine. A keylogger or similar rootkit can be made virtually undetectable. So while a root attacker can do anything, usually that means you'll never be able to guess they're there, except by e.g. observing your load being higher than usual when your compromised machine participated in a botnet. Or if they didn't mind you knowing they were in, it's much, much easier to just lock a user out (e.g. by changing the account password) than mess with the bash history. (Or, again, ransomware.)



So what happened here and what should you do?



The other answers already describe what I personally agree is the most probable scenario: a few flukes, like the DHCP server changing your hostname. In which case you're uncompromised and fine.
The alternative is that someone manually broke into your machine, and is either clumsily trying to hide it, or intentionally messing with you. This could be a family member, or coworker, or other acquaintance; perhaps they might have shoulder-surfed your password. If that is the case and you're certain they didn't install any rootkits or keyloggers in the meantime, then just changing the relevant passwords (root, and your user's) should be enough. But you really can't know what they did or didn't do, and once you already have root access it's utterly trivial to install a ready-made malware package - so if you truly believe someone gained unauthorized root access, then, as explained above, wipe everything.





I just heard that it was a training at work and that I failed. No one had physical access to the laptop. Read how my bash is manipulated. The command sudo hostname was shown in my terminal, and the part about the usb popping up too.
– jennifer ruurs
Aug 27 at 14:55





Oh, if it was an artificial scenario (for training) that explains the unusual actions. I'm not sure what kind of training it is, but most of my answer still applies for a realistic scenario: if you know someone has root access to your account, EVERYTHING is off the table. If they would expect you to do something different for training, then it's bad training. In this case, if you kept everything updated and didn't do anything to expose yourself to vulnerabilities (like running old/unsafe software), you might have fallen victim to a social engineering attack. It's hard to say without more info.
– temp
Aug 27 at 15:03





I am not a victim of social engineering and I have no old software. I only use software delivered by Mac on my system.
– jennifer ruurs
Aug 27 at 15:32
