My Mac is hacked by OSXvnc server?
I don't know what to do. This hacking is costing me big dollars at eBay and PayPal. I need it to end. I already have disputes for over $3000 from this hacker. My screen is being controlled remotely. I did a console check and found the following events from when I was not at my computer:
1/21/09 2:54:07 PM OSXvnc-server[167] Pixel format for client (multiple IP numbers in China, Africa and France!!!)
These hackers go to my eBay, buy stuff and wait for me to log into PayPal and transfer money. I've removed the Vine Server app from my computer... but my iPhone can still log in. I've changed my MAC address to change my IP, denied Vine Server incoming through Little Snitch (still do not know if that worked, but I can still log in from my iPhone on my outside IP) and I've turned off all sharing except printer sharing. But I still come back to my office and my screen is remotely surfing the internet! How can I protect myself? Thanks
Wow, this is nuts.
First of all, unplug your computer from the internet. Do you have another computer that may not be compromised? Back up any data that you can't live without. Wipe out your Mac and reload OS X from scratch, then plug it back in online and update it. The problem is, if you really got hacked, there is no telling exactly what they did to your machine, and they could have made it so you can't change or control anything. Then you need to set up some layered network security if you don't already have it set up. Get a router, use NAT, don't use standard ports for certain protocols, and don't use weak passwords.
Wow, I was hoping I could avoid that! I do have a wireless computer. What I want is to get rid of the OSXvnc app or files. Is there no way to just do that?
Also, in addition to unplugging the network, backing up data only (no apps), doing an Erase and Install, then updating your OS, make sure to change all of your credit card numbers and your online banking, PayPal, eBay, etc. passwords.
And as mentioned, make sure all of your new passwords are long passphrases which include numbers and special characters, are not personally matchable to you, and are not found in any dictionary. Trevor
If you get rid of the app, what is to say they can't ssh in and install it from the command line, or create back doors to other apps with their remote access?
Trevor
Sounds like a complete reinstall. Have you guys seen this OSXvnc problem before with remote access? Thanks.
Quote:
Do you own a router?
It started when I installed Mocha VNC for my iPhone. Yes, I have a router: a Netgear wired router and a wireless sub-router. My computer, one of 6 computers on the network, is the only one hacked.
I strongly recommend you disconnect your Mac and use another computer for internet access for the time being.
You should also contact PayPal/eBay's anti-fraud team, as well as any credit cards/banks attached to those accounts, if you haven't already. You definitely should not be logging into websites if you know your computer has been compromised, and you should always log off when you are done using a website. It seems like you were running a VNC server with a weak or blank password, and it was configured incorrectly. Did you "port forward" anything? If you are using an unsecured wireless connection, anyone could have tapped into your network and accessed your computer.
ADDITIONAL NOTE: If your computer has indeed been compromised, you generally cannot trust anything it shows you. It's possible the hacker may have modified the system or apps, so you should immediately back up any important files (NOT apps, as they could have been modified by the hacker) and reinstall.
Well, most people don't know this, but most 'free VNC' apps don't send the username and password over encryption. You typically have to pay for the encryption.
That is where you could have been compromised; of course we will never know, so trying to figure it out is kind of moot to some extent. I suggest you make sure NAT is enabled on your router and that nothing is forwarded to any machine (like a VNC server, for example), then make sure that your router supports an SPI firewall. If for some reason your router does not support such features, go and buy a new one; the cost is trivial in comparison to being hacked again like this. A decent consumer router should cost you between $40 and $80, no more, no less really. The OS X software firewall, while not horrible, is really more of a port filter. Layered defense is best though, so having all of that in place along with very strong passwords will help out in the future.
Thanks - let me answer some questions:
1. I have contacted eBay and PayPal and reported them by IP.
2. I deleted the Vine Server app altogether.
3. I'm hard wired to a Netgear router.
4. I changed my eBay and PayPal passwords.
They cannot log into my accounts. They wait until I'm logged in and then take over my screen, creating their own transactions. They cannot seem to see/note my keystrokes. What I want to do is TURN OFF Mocha VNC. Even after the program is gone, I can still log in from my iPhone?? Thanks
Apple just released: Mac OS X v10.5 (Leopard) Mac OS X Security Configuration Guide
Once you've cleaned up your system with a new install, it would be a good idea for you to carefully read and follow the suggestions there. Trevor
I'm confused.
You have reported them to eBay, but when you log in they take over and make transactions. Do you watch them bid on high priced items or transfer money between accounts with PayPal without intervening? I have to be reading what you are writing wrong. Isn't Mocha VNC an iPhone app? Delete it from the phone. Don't use it to connect to the computer and you won't see it.
I caught them transferring money at one point on PayPal to their account, $1200 from an account I manage. On my eBay, they buy outrageous items which I have to cancel because I'm not paying for them: 29 exercise DVDs from France! I cancel what I can catch in action. Most of the hacking goes on when I'm not at my screen and in the late evening, west coast. I looked at the console and did a reverse IP; the account is in China. Sometimes the IP is different. The name of the person hacking the accounts is:
Seller Name: xiaoyan qiu Seller Email: Aliciaerrey@hotmail.com Transaction Amount: -$1,111.00 USD Transaction Date: Jan. 6, 2009
Here's the reverse IP data for 125.90.102.116 (whois lookup):
Others have told you that you need to (right away):
1) disconnect your computer from all networks (wired & wireless)
2) back up the files (not applications) that you care about
3) reinstall OS X via an "erase & install" from the OS X Install DVD
4) restore your files from backup
5) reinstall 3rd-party apps from original media (not backups)
You should probably do the same (or equivalent) with your iPhone. I repeat these instructions since you haven't said that you have done this.
Do you have ssh (remote login) enabled, and forwarded at your router? If so, and if they can figure out how to get in that way, they can tunnel to any port on your machine, including VNC.
Well, if the computer is disconnected, they shouldn't be able to do that...?
Quote:
Just trying to help troubleshoot the source of the problem, so that once he wipes and reinstalls, it doesn't happen again.
With my job I really can't do this until the weekend. I have found the VineServer in Application Support and deleted it. Now I cannot log in from my iPhone. That's good. I want to put my computer to sleep and use a password to wake it up. Do I need to change my master admin account password to accomplish this? If I do that, what other complications will it cause? Thanks.
Thanks for the advice. I think I stopped the peeping by deleting the VineServer, deleting the VNC log and putting up some more security. When I do connect my computer to the internet and open the console, I get this message every 10 seconds:
1/21/09 9:24:10 PM com.apple.launchd[119] (VineServer[1634]) open("/Library/Logs/VineServer.log", ...): Permission denied
1/21/09 9:24:10 PM com.apple.launchd[119] (VineServer[1634]) open("/Library/Logs/VineServer.log", ...): Permission denied
1/21/09 9:24:10 PM com.apple.launchd[119] (VineServer[1634]) posix_spawnp("/Library/Application Support/VineServer/OSXvnc-server", ...): No such file or directory
1/21/09 9:24:10 PM com.apple.launchd[119] (VineServer[1634]) Exited with exit code: 1
1/21/09 9:24:10 PM com.apple.launchd[119] (VineServer[1634]) Exited with exit code: 1
1/21/09 9:24:10 PM com.apple.launchd[119] (VineServer) Throttling respawn: Will start in 10 seconds
You don't seem to get it: if your computer has been compromised, you need to erase everything that is there and start fresh, not try to fix the symptoms.
I WILL ERASE and reinstall ----- BUT, in the interim, in case anyone else has this problem: to stop the Vine Server from constantly trying to connect every 10 seconds, I followed these instructions and now it is not doing it. http://discussions.apple.com/thread....8933&tstart=85
Every incident of hacking corresponded to a Vine Server breach in the console. By deleting VineServer, its log files, and the LaunchDaemons and Agents... my computer is no longer being hacked - FOR NOW. I will reinstall this weekend just to be sure. Thanks.
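The respawn loop in those console lines comes from a launchd job whose plist outlived the deleted binary. As an added example (not code from the thread or from the Vine Server project), the script below scans the launchd job directories for plists that reference OSXvnc/Vine Server and reports whether the program they point at still exists and whether KeepAlive will make launchd keep restarting it; the directory list, the marker strings and the VineServer.plist it constructs for a dry run are assumptions, not values from the posts.

```python
import os
import plistlib
import tempfile

LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
                os.path.expanduser("~/Library/LaunchAgents")]  # system-wide, then per-user
VNC_MARKERS = ("osxvnc", "vineserver", "vnc")  # matched case-insensitively (assumed)

def job_program(job):
    if job.get("Program"):  # launchd accepts Program or ProgramArguments
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""

def audit_plist(path):
    """Return a finding for a VNC-related launchd plist, or None otherwise."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    program = job_program(job)
    text = (job.get("Label", "") + " " + program).lower()
    if not any(marker in text for marker in VNC_MARKERS):
        return None
    return {"plist": path, "label": job.get("Label", ""), "program": program,
            # Binary deleted but plist still loaded is exactly the thread's state.
            "binary_present": os.path.exists(program),
            # KeepAlive restarts the job on every exit: the "Throttling respawn" loop.
            "keep_alive": bool(job.get("KeepAlive", False))}

def audit_dirs(dirs=LAUNCHD_DIRS):
    """Scan the given directories for .plist files and collect VNC findings."""
    findings = []
    for d in (x for x in dirs if os.path.isdir(x)):
        for name in sorted(n for n in os.listdir(d) if n.endswith(".plist")):
            finding = audit_plist(os.path.join(d, name))
            if finding:
                findings.append(finding)
    return findings

def write_sample_dir():
    """Constructed Vine Server-style job whose binary is missing; returns its dir."""
    directory = tempfile.mkdtemp()
    job = {"Label": "VineServer", "KeepAlive": True,
           "ProgramArguments": [os.path.join(directory, "OSXvnc-server"), "-rfbport", "5900"]}
    with open(os.path.join(directory, "VineServer.plist"), "wb") as fh:
        plistlib.dump(job, fh)
    return directory

if __name__ == "__main__":
    for finding in audit_dirs([write_sample_dir()] + LAUNCHD_DIRS):
        print(finding)
```

A finding with binary_present False and keep_alive True is the orphaned job to unload and delete; one with the binary still present means the server was never actually removed.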