Someone gained control using VNC, how to look for IP
Mac Elite
Join Date: Jun 2005
My sister's Mac had Apple Remote Desktop enabled so that I could troubleshoot it from my house via the Internet. It was password protected. However, she said her apps began to close and her mouse cursor was hijacked. This person also started downloading movies via bittorrent.
I had her immediately shut the Mac down and she is bringing it over to my house so that I can look at it.
What I need to know is where can I look to see what the IP is that connected and gained control over her Mac? It is running 10.4.
Mac Elite
Join Date: Jul 2002
Tell her to get a better password.
Mac Elite
Join Date: Jun 2005
That sure answered my question, thanks for helping.
Mac Elite
Join Date: Jul 2002
Logs won't do you much good if her password is so bad it can be guessed. But the only log that could have info is secure.log (use Console to view it), but I don't know for sure whether it logs ARD traffic. If her firewall was on, that may have a log as well.
Mac Elite
Join Date: Jun 2005
Originally Posted by Thinine
Logs won't do you much good if her password is so bad it can be guessed. But the only log that could have info is secure.log (use Console to view it), but I don't know for sure whether it logs ARD traffic. If her firewall was on, that may have a log as well.
Found what I'm looking for. Logs helped out a lot actually.
I forgot I wasn't using Apple Remote Desktop but instead installed OSXvnc server. OSXvnc was password protected, however, it was starting two VNC servers, one password one not. I was not able to determine why it was starting two OSXvnc-server.
Some dude in Brazil is who was connecting and was the only person to connect to it during the course of one day.
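
Added example, not part of the original thread and not OSXvnc's own code: a Python check for the situation described in the post above, where a second VNC listener runs without a password. It performs the RFB handshake (RFC 6143) against loopback ports and reports which listeners offer security type None; the port range 5900-5909 and all function names are assumptions of this example.

```python
import socket
import struct

# Security-type numbers from the RFB protocol specification (RFC 6143).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def parse_security_types(version, payload):
    """Return the security types offered after the ProtocolVersion exchange."""
    if len(version) != 12 or not version.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    minor = int(version[8:11].decode("ascii"))
    if minor < 7:
        # RFB 3.3: the server dictates one type as a big-endian uint32.
        if len(payload) < 4:
            raise ValueError("short security message")
        return [struct.unpack(">I", payload[:4])[0]]
    # RFB 3.7/3.8: one count byte, then that many one-byte types.
    if not payload or len(payload) < 1 + payload[0]:
        raise ValueError("short security message")
    return list(payload[1:1 + payload[0]])

def probe(port, host="127.0.0.1", timeout=2.0):
    """Handshake with one listener; None if nothing speaks RFB there."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            version = s.recv(12)
            s.sendall(version)  # reply with the same version the server sent
            return parse_security_types(version, s.recv(64))
    except (OSError, ValueError):
        return None

def audit(ports=range(5900, 5910)):  # assumed range: VNC displays :0 to :9
    """Map each local port that answers as VNC to the type names it offers."""
    report = {}
    for port in ports:
        types = probe(port)
        if types is not None:
            report[port] = [SECURITY_TYPES.get(t, "type %d" % t) for t in types]
    return report

if __name__ == "__main__":
    for port, names in audit().items():
        verdict = "NO PASSWORD REQUIRED" if "None" in names else "None not offered"
        print(port, names, verdict)
```

Run on the machine that hosts the VNC server; two ports in the output, one of them listing None, matches the two-server setup described in the post.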
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Originally Posted by baw
Some dude in Brazil is who was connecting and was the only person to connect to it during the course of one day.
Keep in mind that 'some dude in Brazil' could have been sitting in New York for all you know. A smart hacker (which this guy might or might not be) will use relays to cover his tracks. We recently had an incident at the university where I work where one of our old IRIX workstations got hacked from a system in Korea, but after a lengthy investigation it turned out the hacker was actually a university member that had gone through four (!) different systems until he tried to install the rootkit on our machine.
Dedicated MacNNer
Join Date: Oct 2002
Location: the end of the world
Hi
Please post information on your sleuthing for others to refer to for the future. Which logs, what entries to look for etc.
Thanks