terminal – hacker gained remote access, after reinstall of operating system they still have access

Spread the love


Advertisement

A known hacker gained access to my new personal Mac, and after wiping the hard drive and reinstalling/updating the operating system, they still have access.

Advertisements

My Mac started on Big Sur, and Apple Support encouraged me to wipe the hard drive and upgrade to Monteray, thinking that this would remove the hacker's remote access, but I'm still seeing evidence of the hacker.

The most recent evidence of the hacker's activity was this morning when I woke up my computer screen, and nettop, which had run overnight, included Terminal in it's list of active network processes. I typed in launchctl procinfo PID to look at the Terminal Process, and shortly after it dissappeared from nettop. I believe that this was the hacker actively using Terminal for remote access, and once they realized that I was on my computer, they disconnected.

A “clean” install of the operating system did not end the hacker's access to my computer, so they have to be using storage to maintain persistance, but what storage? A partition on my hard drive? Cloud storage? Oddly enough, I have iCloud storage, but I've never signed up for an AppleID, and maybe that's Apple collecting ever more data about me, but it seems like that could also be a result of the hacker.

My question is how many ways can a hacker maintain persistance on my Mac running Monteray, and for each way, how can I remove their access?

Author: Subham

Leave a Reply

Your email address will not be published. Required fields are marked *