How do I prevented the hackers (secret intel) manipulating my terminal again [closed]

How do I prevented the hackers (secret intel) manipulating my terminal again [closed]



How do I prevented the hackers manipulating my terminal again so that my terminal works correct again?



Here in the Netherlands we perform cybertest at the company where we work and the attacks are performed by the Dutch goverment AIVD (the group who also caught the Fancy Bear hackers). A hacker has root access on my MacBook Air. How do I know that(it was announced that we would get hacked)? The hacker is capable of running the:


sudo hostname 192



The hacker explicitly ran the command above. The hacker also manipulates my bash. I executed the command-line


sudo dscl . list /Users | grep -v '^_'



and see four users:



I don’t know where to look at since my bash is manipulated. In my terminal only the commands that I performed two days ago are shown. The commands of yesterday and today are not shown. Even if I perform



Example:


Last login: Mon Aug 27 17:37:19 on ttys001
192:~ jen$ history -c
192:~ jen$ history -w

Last login: Mon Aug 27 17:38:49 on ttys002
192:~ jen$ history
1 nano doc.txt
2 cat doc.txt



How do I prevented the hackers manipulating my terminal again so that my terminal works correct again?



I am not victim of social engineering, I did not opened any links or files via mail or downloaded some application. I use the laptop only to work on highly confidential stuff.
I only uses software delivered by Mac on my system. (I did not download any files via mail and I don't use any browser) I use this laptop to write mails only(Nothing more).



Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.





A hacker penetrated in my system and has root access. How do I know that? The two statements are contradictory. Please edit the question and clarify.
– Nimesh Neema
Aug 27 at 12:16


A hacker penetrated in my system and has root access. How do I know that?





Ah the old hack your computer and do absolutely nothing waiting to be found out by the owner.
– JBis
Aug 27 at 12:33





It will help if you can add an explanation as to what makes you think a hacker ran the command /Volumes/UBUNTU 16_0/ubuntu ; exit; to unmount the USB stick.
– Nimesh Neema
Aug 27 at 13:06


/Volumes/UBUNTU 16_0/ubuntu ; exit;





What's your output of the following command cat /Volumes/UBUNTU 16_0/ubuntu
– Allan
Aug 27 at 13:36


cat /Volumes/UBUNTU 16_0/ubuntu





Sometimes my Macbook Pro's hostname also changes to 192. I think it's just parsing the IP address as a domain and then grabbing the first "segment" as your hostname.
– Daniel Gray
Aug 27 at 15:01




3 Answers
3



Most likely you have sprung to an incorrect conclusion - that your Mac was hacked.



The most likely cause of "unwanted" or "surprising" host name changes is that your DHCP server gave your computer a new hostname. The DHCP server could be a router/modem in your own house, a system at your ISP or indeed hardware at anywhere you have connected to a WiFi network (such as a coffee shop, school or whatever).



Removing sudo rights from yours won't help this problem, as the DHCP client on your Mac will still be able to change your hostname.





The hackers also runned the command to remove my usb stick>> 76 sudo tcpdump 77 /Volumes/UBUNTU 16_0/ubuntu ; exit; >>
– jennifer ruurs
Aug 27 at 13:03




There is no evidence that you were hacked.



The four users that you are listed don't have "root" access per se and they are all valid accounts:



daemon - a user to handle the background processes that aren't tied to a specific user, the user daemon is given those processes. This is how you can have your Mac turned on, nobody logged in and processes still run.


daemon


daemon



nobody - this is another user that gets assigned processes (like httpd) and has very limited access to the system. Even if someone were to hack it, is exposure would be limited.


nobody


httpd



jen - I'm assuming this is you (SE username is "jennifer ruurs"). If you're an admin user, you have sudo rights which gives you root access


jen


sudo



root - this the root account. This account needs root access especially if you boot into Single User mode for diagnostics or repairs.


root



The command you mentioned only temporarily changes the hostname of your computer.


sudo hostname 192



This only happens if and only if, the user/group it logged in as is in the /etc/sudoers file and they either had the password or /etc/sudoers is configured for no password authentication (very insecure and not default macOS setting).


/etc/sudoers


/etc/sudoers



All of the users above, with the exception of jen, cannot (by default) access your computer remotely. So, if you are convinced that you were "hacked", you need to either find the user account that grants them access or if it was your account, mitigate your risk, change your password.


jen





The hackers runned the command 77 /Volumes/UBUNTU 16_0/ubuntu ; exit; in my terminal to unmount my usb stick
– jennifer ruurs
Aug 27 at 13:05






What makes you think that?
– Allan
Aug 27 at 13:14





I saw this command in my terminal.Thank you for your answer how do if find the account that grants them the access?
– jennifer ruurs
Aug 27 at 13:15






The dscl command in your orig question lists the users. Which one(s) don't you recognize? Secondly, what user context did the hostname and command run as? If it was you, then change your password.
– Allan
Aug 27 at 13:20



dscl





I was logged on as jen. The commands where run via my account but they are also manipulating my bash. So I am not capable of seeing which commands they run.
– jennifer ruurs
Aug 27 at 13:22



To answer the question in the title directly:



You cannot.



Wipe everything, reinstall macOS and restore files from backup (not from the infected machine).



For completeness, it's worth mentioning there exist attacks that e.g. infect the firmware of storage devices, necessitating the entire hardware to be destroyed to ensure 100% safety. Unless you have reason to believe you are being personally targeted by a government, though, this isn't a realistic worry - by contrast, infecting any part of the data actually stored on disk is orders of magnitude easier and a very realistic threat. Even if you were just the victim of an automated, untargeted attack, wiping everything is a necessary precaution.



If an attacker has root access, they can, among other things, replace any binary with their own version that can do whatever they like, meaning that you cannot trust anything on your system anymore. Quite literally anything you try to do might end up doing something completely different. If the hacker wanted, they might make cat return doctored version of files to e.g. hide log entries showing unwanted activity; ls could fail to show files added by the hacker; any text editor could pretend to save what you write but actually silently ignore your edits, etc., etc.


cat


ls



The reason you don't want to copy your files over is that there are plenty of non-executable file types that can exploit some vulnerability or other and reinfect your system. Compressed archives of various types and PDFs are common carriers, but by no means the only danger. You're probably safe copying over a plaintext, non-executable text file (remember to not use the compromised OS to do that, though), but remember that the attacer could have changed absolutely anything in absolutely any way they wanted,so treat everything like you would treat a random file accidentally downloaded from a shady website.



More realistically...



You also have to think about why the hacker would do something like that. Replacing cat and ls with malicious versions is entirely possible, but making the output sophisticated enough to fool you into thinking everything's fine is much more complex. If the hacker just wanted to spy on you, they'd install a keylogger and leave everything else alone. If they wanted to use your machine in a botnet, they'd install the necessary software and leave everything else alone. If they wanted your money specifically, they'd have installed ransomware, and you'd know that already.


cat


ls



None of the above cases involve editing your bash history, or changing the hostname of your machine. A keylogger or similar rootkit can be made virtually undetectable. So while a root attacker can do anything, usually that means you'll never be able to guess they're there, except by e.g. observing your load being higher than usual when your compromised machine participated in a botnet. Or if they didn't mind you knowing they were in, it's much, much easier to just lock a user out (e.g. by changing the account password) than mess with the bash history. (Or, again, ransomware.)



So what happened here and what should you do?



The other answers already describe what I personally agree is the most probable scenario: a few flukes, like the DHCP server changing your hostname. In which case you're uncompromised and fine.
The alternative is that someone manually broke into your machine, and is either clumsily trying to hide it, or intentionally messing with you. This could be a family member, or coworker, or other acquiantance; perhaps they might have shoulder-surfed your password. If that the case and you're certain they didn't install any rootkits or keyloggers in the meantime, then just changing the relevant passwords (root, and your user's) should be enough. But you really can't know what they did or didn't do, and once you already have root access it's utterly trivial to install a ready-made malware package - so if you truly believe someone gained unauthorized root access, then, as explained above, wipe everything.





I just heard that it was a training at work and that I failed. No one had physically access to the laptop. Read how my bash is manipulated. The command sudo hostname was shown in my terminal. the part of the usb popping up to.
– jennifer ruurs
Aug 27 at 14:55





Oh, if it was an artifical scenario (for training) that explains the unusual actions. I'm not sure what kind of training it is, but most of my answer still applies for a realistic scenario: if you know someone has root access to your account, EVERYTHING is off the table. If they would expect you to do something different for training, then it's bad training. In this case, if you kept everything updated and didn't do anything to expose yourself to vulnerabilities (like running old/unsafe software), you might have fallen victim to a social engineering attack. It's hard to say without more info.
– temp
Aug 27 at 15:03





I am not a victim of social engineering and I have no old software. I only uses software delivered by Mac on my system.
– jennifer ruurs
Aug 27 at 15:32

Popular posts from this blog

𛂒𛀶,𛀽𛀑𛂀𛃧𛂓𛀙𛃆𛃑𛃷𛂟𛁡𛀢𛀟𛁤𛂽𛁕𛁪𛂟𛂯,𛁞𛂧𛀴𛁄𛁠𛁼𛂿𛀤 𛂘,𛁺𛂾𛃭𛃭𛃵𛀺,𛂣𛃍𛂖𛃶 𛀸𛃀𛂖𛁶𛁏𛁚 𛂢𛂞 𛁰𛂆𛀔,𛁸𛀽𛁓𛃋𛂇𛃧𛀧𛃣𛂐𛃇,𛂂𛃻𛃲𛁬𛃞𛀧𛃃𛀅 𛂭𛁠𛁡𛃇𛀷𛃓𛁥,𛁙𛁘𛁞𛃸𛁸𛃣𛁜,𛂛,𛃿,𛁯𛂘𛂌𛃛𛁱𛃌𛂈𛂇 𛁊𛃲,𛀕𛃴𛀜 𛀶𛂆𛀶𛃟𛂉𛀣,𛂐𛁞𛁾 𛁷𛂑𛁳𛂯𛀬𛃅,𛃶𛁼

Crossroads (UK TV series)

ữḛḳṊẴ ẋ,Ẩṙ,ỹḛẪẠứụỿṞṦ,Ṉẍừ,ứ Ị,Ḵ,ṏ ṇỪḎḰṰọửḊ ṾḨḮữẑỶṑỗḮṣṉẃ Ữẩụ,ṓ,ḹẕḪḫỞṿḭ ỒṱṨẁṋṜ ḅẈ ṉ ứṀḱṑỒḵ,ḏ,ḊḖỹẊ Ẻḷổ,ṥ ẔḲẪụḣể Ṱ ḭỏựẶ Ồ Ṩ,ẂḿṡḾồ ỗṗṡịṞẤḵṽẃ ṸḒẄẘ,ủẞẵṦṟầṓế