Hacked to Death? (A MacBook Mystery)

Posted in Genius Bar
For the last several years, I've had some serious quality-of-life issues that I recently learned are due to my devices being hacked for the purpose of spying on me. That was in mid-July 2019. Since then, I've found some troubling signs that jibe with the information I received. Two questions: What's going on here, in the pictures below? And how do I regain control of my devices (MacBook Pro 2011 and iPhone 6)? 

I discovered these folders in July, none of which I have access to. 






In the SHARED folder, I discovered a file called WONDERSHARE plist. 


The left-side panel also had THUNDERBIRD as an option, though I do not use THUNDERBIRD, or any other kind of external hardware. I also discovered around this time that PARENTAL CONTROLS had been enabled, all of the LOCATION SERVICES had been enabled, and someone was remotely turning on Bluetooth before all of my files, etc., disappeared from the desktop. 

These are the other WIFI/ROUTER settings from mid-July. 





This is a more recent screen grab, but under DEVICE IMAGES, there were numerous items listed when my desktop was remotely wiped about a week after discovering the hack. 


I turned to the router dashboard, which showed 20 devices connected to the network, none of which appeared to belong to me. There are three people in the household and I am the only one who uses Apple products. Further digging revealed that MATTHOME was an alias for both my MacBook (userID: nathancomp) and iPhone (Nathan's iPhone). 

These screen grabs, from my iPhone, show 29 devices connected, but offline. Again, neither of my devices appears. 

I found my iPhone among the offline devices, despite viewing this information on my very-connected phone. So, I changed the network name from Linksys11599 to ATTwire5150. 


I discovered then that both my phone and also my MacBook were represented by the alias MATTHOME, though the MAC addresses are different. The one below is the one that appears in my phone specs. 




MATTHOME often appeared under SHARED in Finder, along with another device named DESKTOP-DNAR9LU, which I soon learned is a Cyberlink Media Server. 



Moving on to my GMAIL accounts, I found that POP3 and IMAP functions had been enabled. As I changed this one account, it appeared as if people were logged in with me. 


The following screen grabs were taken between then and yesterday (Aug. 21, 2019). The locked folders are still there, having only been renamed and relocated. Root User is disabled. I'm using a new router. I've reset both devices, though my information was retained by both. In fact, after using Terminal to try and find any hidden files, the command I used was thereafter disabled. (After my files were swiped, I renamed the MacBook Pro from nathancomp to jamesnathan.)


You can see how the folders in Finder are currently configured in this screen grab showing the message I get when I try to open screen grabs saved to my DESKTOP folder. Saving them to the DOWNLOAD folder, however, leads to a more favorable result. 




In this new scheme, I am EVERYONE. Who the others are, I have a clue, but would like to know for sure. 



I've gone to the police who, without looking at a thing, decided these are signs of a hard drive failure and mental illness. Needless to say, I disagree. Any suggestions for how to wrest myself from the press of this hacker's thumb? I keep thinking DNAR9LU means DO NOT ATTEMPT to RESUSCITATE-9 LIVES UP. What should I do? 

Thank you,

Nathan

Comments

  • Reply 1 of 3
    Marvin Posts: 14,229 moderator
    The first issue with the inaccessible folders is a guest account, which is enabled when you turn on iCloud. That's normal.

    If you bought a used Mac, maybe it's someone else's iCloud that's logged in and they are changing some settings. You can check which iCloud account is logged in with System Preferences > iCloud.

    Your drive partition is called Stolen HD, that's unusual. Could you have purchased a stolen laptop?

    If the people on your wifi aren't people you recognize, change your router wifi passwords.

    If multiple people are accessing your GMail, similarly change your GMail password. Always use different passwords for each service.

    The command you used to show hidden files was entered wrongly, it should be the following:

    https://lifehacker.com/show-hidden-files-in-finder-188892

    but that wouldn't show erased files.

    When you say you renamed the Macbook Pro, it looks like you renamed your home folder. That would probably explain your permissions problems with files. The full steps you need to take to rename your user account are here:

    https://support.apple.com/en-us/HT201548

    The user account "everyone" is every user on the system. "System" is the operating system, "wheel" is another system account. Applications installed by the system have these permissions set.

    The name DNAR9LU is a random name, all Windows systems create random names like this.
  • Reply 2 of 3
    Mike Wuerthele Posts: 4,876 administrator
    Also, if you've got Thunderbolt ports, having a Thunderbolt option in your network control panel is normal, regardless if you use it or not.
  • Reply 3 of 3
    spheric Posts: 1,789 member
    I’m not seeing anything in the slightest unusual in any of what you write. 

    Every single thing you describe seems to be perfectly normal, except for files “disappearing” from your desktop. When did this happen? How exactly did it happen? WHAT exactly disappeared? How did you notice? 

    A few points stick out, though: 
    1.) I find it confusing that the hard drive is called “Macintosh HD” in the first few screenshots, and then “Stolen HD” in later ones. 

    2.) The Computer REQUIRES there to be a home folder with the same name as the user that is logged in. It is where it keeps track of everything you do, your settings, Windows, open documents, and everything you save (including the entire desktop, which is just a folder within your home folder). 
    If you rename that while you’re logged in, you will lose access to everything, and stuff may start just disappearing as you lose access to the various folders within your home folder (not sure; haven’t been crazy enough to try it).


    With all respect: You seem rather clueless about what is normal and what isn’t. Rather than figuring out what the issue may have been (if there was an issue), you seem to have taken a number of steps out of ignorance that do nothing but create considerable problems. 

    I suggest you take it to somebody who knows what they are doing. It may be a simple matter of changing the folder’s name back and logging out and back in, but it sounds like it might be better to have someone test that who can identify and deal with other issues that may have resulted from your actions. 
    edited August 25
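
The replies above attribute the permission problems to the home folder having been renamed while the account still points at the old name. One way to check for that, as an added example that is not part of any post in this thread: the function name `check_home` is made up here and the sandbox paths are constructed from the names in the thread. On macOS the record line comes from `dscl . -read /Users/<shortname> NFSHomeDirectory`.

```shell
#!/bin/sh
# Added example: compare an account's recorded home directory with what is on disk.
# The record line has the form "NFSHomeDirectory: /Users/nathancomp".

# check_home SHORTNAME "RECORD_LINE"
# Prints a one-word verdict; returns 0 only when the record, the folder
# and the account short name all line up.
check_home() {
    short=$1
    record=$2
    # Strip the "NFSHomeDirectory: " label to get the recorded path.
    path=${record#NFSHomeDirectory: }
    if [ "$path" = "$record" ] || [ -z "$path" ]; then
        echo "unparsed"; return 2
    fi
    if [ ! -d "$path" ]; then
        # The account points at a folder that no longer exists,
        # which is what renaming the folder in Finder produces.
        echo "missing"; return 1
    fi
    if [ "$(basename "$path")" != "$short" ]; then
        # Folder exists but is not named after the account.
        echo "name-mismatch"; return 1
    fi
    echo "ok"; return 0
}

# Constructed sandbox standing in for /Users, so this runs on any system.
demo() {
    root=$(mktemp -d)
    mkdir "$root/jamesnathan"   # the folder under its new name
    # Account record still names the old folder: prints "missing".
    check_home nathancomp "NFSHomeDirectory: $root/nathancomp" || true
    # Record and folder agree with the short name: prints "ok".
    check_home jamesnathan "NFSHomeDirectory: $root/jamesnathan"
    rm -rf "$root"
}
demo
```

A "missing" or "name-mismatch" verdict points to the rename procedure in the Apple support article linked in the first reply rather than to a third party changing permissions.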