macmacos
About 3 months ago, my windows often suddenly closed and the cursor would move. So I deleted all the team viewer apps and closed all the Share options in System Preference. I checked within Activity Monitor and also used netstat -n in terminal, but I don't know how to use/understand it.
How can I know if my Mac was being remotely viewed?
There is a bug in Activity Monitor v10.8.0 (806). If you select Dock Icon > Show CPU History, is automatically closes the floating window and appears in the dock. If you attempt to switch back to the floating window, sometimes only one core appears.
Solution: - Close floating windows - Dock Icon > Show Memory Usage - Quit and Restart Activity Monitor - Dock Icon > Show Application Icon - Quit and Restart Activity Monitor - Monitors > Show CPU History
Now you should see all of your cores/vccores. :-)
This bug is not always reproducible, but I've experienced it before.
If your computer is being remotely accessed, it will show a little viewer icon in the menu bar. (Note, I've been using screen sharing since OS X Leopard, and I've never seen the icon noted by de_an777 in his answer.
Go into System Preferences > Shared. Make sure that Screen Sharing and Remote Management (for Apple's Remote Desktop) are both unchecked.
Also, check under Security & Privacy > Firewall and turn the Firewall on. Note the warning. "The firewall will block all sharing services, such as file sharing, screen sharing, iChat Bonjour, and iTunes music sharing. If you want to allow sharing services, click Advanced and deselect the “Block all incoming connections” checkbox."
This will block any incoming screen sharing connection (as well as other services).
To check to make sure that you can't connect to your computer via screen sharing, you can use nmap, a free command line tool for "network discovery and security auditing."
To use it, just type nmap [YOUR IP ADDRESS]
You'll see that nmap reports that the vnc (screen sharing) port is open. After turning off screen sharing and turning on the firewall:
(Note that I've explicitly allowed ssh, printer, and afp sharing in the Firewall.)
I hope this helps you!
Best Answer
I would actually use the "last" command.
will output the results to a document on the desktop you can open up and have a look at. Really, you should see your own user, reboot (a pseudo-user that gets activated when rebooting the computer), and just about nothing else. I. personally have a "_mbsetupuser" that has to do with updating my OS, so you may have that as well.
If you see any usernames you don't recognize, that's a red flag. If you see your own user on a tty other than "console" that might be an issue. I'm not really great with netstat nor lsof, but here's an lsof primer. The reason to learn lsof (whether in conjunction with netstat or not) is that linux treats most things as files. lsof (short for "list open files") is a utility that helps you find out which files are open. If someone's watching your system, they're opening "files" to do it, and that utility will show you that, unless there's a rootkit in place and/or the lsof utility itself has been hacked/modified to not show their presence, which is unlikely.
See a primer I quite like here: https://danielmiessler.com/study/lsof/