I'm trying to find out if someone has hacked my computer. If I get the following message in my Terminal window: "Last login: Tue Sep 30 02:02:18 on console", does that mean a person has logged in, or could it be an automatic programme running?
MacOS – Has the computer been hacked
macos, security
Related Solutions
Had a similar issue, but I didn't have a backup of the plist file to replace, so I did the following to recreate the SnapshotDates array:
Removed the last couple backups (in Finder; was unable to do it in Terminal likely due to system protection enabled). Then opened terminal and executed the following:
$ cd /Volumes/[Backup Volume]/Backups.backupdb/[hostname]
$ for x in `ls`; do echo -n $x | sed -E "s/^([0-9]+-[0-9]{2}-[0-9]{2})-([0-9]{2})([0-9]{2})([0-9]{2})/<date>\1T\2:\3:\4Z<\/date>/"; done
That outputs all the snapshots in <date>....</date> format; I copied those, then in com.apple.TimeMachine.prefs, found the appropriate backup volume under the Destinations element, and overwrote the contents of the SnapshotDates array (not the <key>SnapshotDates</key>, but everything inside the following <array>...</array> tags) with the copied lines.
Fixed indentation of the elements to match, and saved the file.
I haven't completed a new backup yet, I'm still waiting for the corrupt backups to finish getting deleted, but the date ranges of the existing backups now show properly.
If you are absolutely certain that your Mac has been hacked I'd strongly recommend that you erase your hard drive, reinstall OS X and manually copy your data back from Time Machine:
1. Back up your Mac.
2. Restart and hold Command+R to enter OS X Recovery (http://support.apple.com/en-us/HT4718).
3. Select 'Disk Utility' and reformat your hard drive (http://support.apple.com/kb/PH5849).
4. Quit 'Disk Utility' and select 'Reinstall OS X'. Note that (from http://support.apple.com/en-us/HT4718):
   > Reinstalling OS X using Recovery requires broadband access to the Internet using a Wi-Fi or Ethernet connection. OS X is downloaded over the Internet from Apple when OS X Recovery is used for reinstallation. You must use DHCP on your Wi-Fi or Ethernet network to reinstall OS X using OS X Recovery. If you bought OS X from the Mac App Store, you may be prompted to enter the Apple ID and password you used to purchase OS X.
5. When OS X is up and running, plug in your external Time Machine drive, open it in Finder, open the folder named after your Mac and then the 'Latest' folder (http://www.macissues.com/2014/04/14/how-to-restore-files-from-time-machine-manually/).
6. Browse to 'Applications' and copy non-Mac App Store applications back to '/Applications'. Note that some apps (for example VMware Fusion) won't work properly if copied; you must reinstall them with the installer provided by the manufacturer.
7. Install Mac App Store applications from the App Store.
8. Browse to 'Users/[your username]' and copy Documents, Pictures, Movies, Music, and any other folder that contains important data to your new home folder.
9. I would refrain from copying 'Library', although that's where your settings are located. If you have iCloud Mail, Contacts, Calendars, Reminders, Safari, Notes and Keychain synchronization enabled, most of your settings will rebuild themselves just fine. You may want to selectively copy application settings from 'Library/Application Support' after checking the files' contents.
10. If you share your Mac with other people, repeat steps 8 and 9 for their accounts.
iCloud synchronization is especially important for Keychain, and I talk from experience: I had a pretty hard time exporting and importing Keychain after installing OS X Yosemite from scratch without restoring from a Time Machine backup.
A piece of advice: It is best practice that the login account you use on a daily basis doesn't have administrative rights. You should create an administrative account instead. I usually call it admin, while my account is 'Standard'. The side effect is that OS X will prompt you to type admin's password every now and then, for example to edit settings in System Preferences.
Good luck!
Best Answer
Popmoi, the last login on console is exactly that: Somebody (likely you) logged into a bash session on your computer at 2:02:18 on Sep 30. Generally, 'console' is shown for the first shell login and then ttys000 would be the next. I see this every login/reboot for my Terminal group, which opens two bash sessions in different tabs.
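The console-versus-ttys distinction described in the answer can be checked across the whole login history rather than only the most recent line. The following is an added example, not part of the original answer: it assumes the macOS `last` column layout (user, tty, optional host, weekday), runs on constructed sample records, and uses hypothetical function names. It goes one step beyond the answer by also separating sessions that carry a remote host.

```shell
#!/bin/sh
# Added example: classify `last` records as console, local terminal, or remote.
# Assumption: macOS `last` layout -> user, tty, optional host, weekday, date, time.

# Constructed sample records (not real data); 192.0.2.10 is a documentation address.
sample_last() {
    cat <<'EOF'
alice     ttys001                   Tue Sep 30 02:05   still logged in
alice     ttys000                   Tue Sep 30 02:03   still logged in
alice     console                   Tue Sep 30 02:02   still logged in
reboot    ~                         Tue Sep 30 02:01
shutdown  ~                         Mon Sep 29 23:40
guest     ttys002  192.0.2.10       Sun Sep 28 14:02 - 14:30  (00:28)

wtmp begins Sat Sep  6 09:00
EOF
}

# Reads `last` output on stdin; prints: kind, user, tty, host, login time (tab-separated).
classify_last() {
    awk '
    # Skip blank lines, the "wtmp begins" trailer, and reboot/shutdown markers.
    NF < 5 || $1 == "wtmp" || $1 == "reboot" || $1 == "shutdown" { next }
    {
        user = $1; tty = $2
        # If the third field is a weekday, the host column is empty (local login).
        if ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) { host = "-"; d = 3 }
        else                                        { host = $3;  d = 4 }
        when = $d " " $(d+1) " " $(d+2) " " $(d+3)
        if (tty == "console")   kind = "console"     # GUI login at the machine
        else if (host == "-")   kind = "local-tty"   # Terminal tab or window
        else                    kind = "remote"      # session with a source host
        printf "%s\t%s\t%s\t%s\t%s\n", kind, user, tty, host, when
    }'
}

# Demo on the constructed sample; on a Mac, run: last | classify_last
sample_last | classify_last
```

Rows tagged `remote`, or rows for an account you do not recognise, are the ones worth a closer look; `console` and `local-tty` rows that line up with your own sessions are expected.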