Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Prplehz76

macrumors newbie
Original poster
May 24, 2018
8
0
Bay Area
I need some heavy duty help to shake a remote user! I’ve tried everything even had professional IT help but he’s sneaky and can disappear as quickly as he appears! I’ve got all the programs he/she is infiltrating and can see the workflow on my console. I have used sudo on my terminal and can trace it to an IP but I can’t stop it and I need to know who it is!! Please help!! It’s been going on for two years and I’m desperate for any help!!!! They are using python, sql, gaining backdoor access by tunneling on the loopback interface! Port 1720 is always open!!! oh and it’s a windows pc they must be using because all the process’s are windows!
 

techwarrior

macrumors 65816
Jul 30, 2009
1,250
499
Colorado
Disable Screen Sharing, Remote Login, Remote Management, etc. maybe if time goes on for a while and they can't access, they will give up?
 

hobowankenobi

macrumors 68020
Aug 27, 2015
2,116
928
on the land line mr. smith.
Block all inbound traffic at the firewall. Is there a reason 1720 is open?

Why do you need to know who it is?

If you don't have access to the firewall, or can't close all inbound ports, you should consider a commercial product to secure your machine, like:

https://vallumfirewall.com/index.php
https://murusfirewall.com/index.php

You might also want take the machine off line and reset all passwords, and set a robust root password.
 
Last edited:

Prplehz76

macrumors newbie
Original poster
May 24, 2018
8
0
Bay Area
Disable Screen Sharing, Remote Login, Remote Management, etc. maybe if time goes on for a while and they can't access, they will give up?
They have locked me out of certain files and directories.... they are using netbios to gain access.... I’m pretty sure it’s someone close to me that’s why I want to know who! I don’t know how to close 1720 honestly!! And it seems if I do shut down all file sharing it seems to unlock. There are all these certificates in my keychain but I can’t delete them they are locked. Two of them are Cisco!! I have found all this stuff in my directory file. I have tried killing the process’s in terminal via command line under as root. But they just
[doublepost=1527315247][/doublepost]Sorry I got cut off, my keyboard will get taken over or something. I can’t begin to explain how frustrating this is. I’ve thought of everything. Thunderbolt bridge keeps appearing and everyday I have to close it. We suspected this was a network virus that has taken hold of his surface pro, but it’s distinctly location related and I have logs of my calls being listened to... I’ve replaced my phone, new SIM cards, encrypted my MacBook, so see I have been doing a crash course in network admin. So I’m here hopping that for. My own sanity someone here can help me
 

Prplehz76

macrumors newbie
Original poster
May 24, 2018
8
0
Bay Area
I was able to do more digging and I can see the user name etc. is there a way to restrict a user profile? And I think I agree with throwing the Mac in the closet. I keep finding reference to USB agent...? I understand what this is but I never configured this? Any hints on how to get it to stop being directed this way?
 
Last edited by a moderator:

Toutou

macrumors 65816
Jan 6, 2015
1,082
1,575
Prague, Czech Republic
all the programs he/she is infiltrating

I have used sudo on my terminal

can trace it to an IP

using python, sql, gaining backdoor access by tunneling on the loopback interface

they are using netbios to gain access

That doesn't make any sense, any at all. If you're experiencing such things, have you been to an Apple store?
 

DeltaMac

macrumors G5
Jul 30, 2003
13,749
4,572
Delaware
I was able to do more digging and I can see the user name etc. is there a way to restrict a user profile? And I think I agree with throwing the Mac in the closet. I keep finding reference to USB agent...? I understand what this is but I never configured this? Any hints on how to get it to stop being directed this way?
Please share that user name with us (correct spelling is important) - as it may be a normal system account.
 

TiggrToo

macrumors 601
Aug 24, 2017
4,205
8,838
Did the same person type these two statements?
I'm calling shenanigans on this. Not least due to the following:

oh and it’s a windows pc they must be using because all the process’s are windows!

Once someone has a TCP connection then there's no way you can tell if the remote source is a Windows process or anything else. Sure, by doing packet inspection you may have a clue, but the OP hasn't said a thing about that...
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.