
Guest User appeared on my Mac - potential hack?


7 replies to this topic

#1 BustedFlush

BustedFlush

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:38 PM

Posted 25 December 2016 - 02:24 PM

This was a few weeks ago now, and I simply removed it, but it's been bugging me since. I have since performed a factory reset, as I was worried about some other issues, and it was the straw that broke the camel's back.

It appeared out of nowhere, and I had not recently upgraded or used the Find My Mac feature, which I understand can trigger it. It had three boxes checked: 'mail', 'safari' and 'cloud'. My firewall was on, stealth mode active, all sharing denied. Could someone somehow have gotten into my system and set it up remotely? There's no possibility of a hands-on setup.

 

I checked everything I could think of and just can't see how it could have appeared like that, and it's really bugging me. Any ideas?




 


#2 TarjaTaneli

TarjaTaneli

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 PM

Posted 26 December 2016 - 08:34 AM

I don't have much knowledge of Macs, but from what I am aware, a guest user appearing is not an indication of your computer having been hacked. However, if you are worried, you could run an antivirus scan (like Malwarebytes) if you have not done so already. That's all I can say really.

Edited by TarjaTaneli, 26 December 2016 - 08:37 AM.


#3 1PW

1PW

  • Members
  • 316 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North of the 38th parallel.
  • Local time:07:38 AM

Posted 26 December 2016 - 08:36 AM

Hello BustedFlush:

 

A penetration, via the Guest User account, is quite unlikely if the Guest User account is turned off. A "Factory Reset" probably turned the Guest User account on even if it had been off. If the penetrator did not know how to elevate themselves to Administrator, I doubt much was revealed, changed or deleted.

 

If running macOS Sierra 10.12.2, go to System Preferences -> Users & Groups, then unlock the screen and turn the Guest User account off.

 

Cheers.


All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.


#4 BustedFlush

BustedFlush
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:38 PM

Posted 26 December 2016 - 09:34 AM

Thanks to you both. 

 

The reset was done AFTER the guest appeared, so couldn't have triggered it. I removed it as soon as I noticed, scanned with Malwarebytes and came up with nothing. Just don't understand how or why it appeared like that, and it's still bugging me. I don't see how the boxes of 'email', 'safari' and 'cloud' were checked. As far as I could see, it had no administrative privileges.

 

Would there be any known attacks that would use this method to get information? More cases of personal hacking, rather than any spam attempts I'm assuming. 



#5 TarjaTaneli

TarjaTaneli

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:38 PM

Posted 26 December 2016 - 10:57 AM

Did you get an update for the operating system or other software back then? That could have made changes to the operating system and therefore made the guest account appear for one reason or another. If you do not have any other problem at the moment, though, like the guest account appearing again for no apparent reason, then unless you prefer to strengthen the security of your device now, I guess you should not worry much since you made a factory reset. You could check the router for insecurities too if you are worried something like that could happen again.
Regarding your last question, though there are probably ways, I bet they would not be something most people would be able to do. Can't answer that question with precision.
Salutes.

Edited by TarjaTaneli, 26 December 2016 - 11:00 AM.


#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:38 PM

Posted 27 December 2016 - 05:37 PM

A guest account can't change settings, and it can't access files of other users.

 

Do any of the following scenarios look plausible to you:

1) you logged in with the guest account by mistake

2) someone in your close environment had access to your Mac and tried to use it with the guest account


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 BustedFlush

BustedFlush
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:38 PM

Posted 29 December 2016 - 05:44 AM

Hi Didier,

 

1) I can't remember ever having the option to log onto a guest account. The start up screen would always just show my name. I guess if it appeared one time I may have clicked it by mistake, but as it never was an option before, I assume it was tripped by something, or installed by a remote attack. But then if someone were to install it remotely, they would need my password, and presumably if they had that why the need for using the Guest account. It's all very confusing...

2) No, I can't see there's been any possibility of this.



#8 BustedFlush

BustedFlush
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:38 PM

Posted 29 January 2017 - 04:21 AM

Still confused about this a month on. I've read up on it, and one possibility is that it can be triggered by using FileVault. However, everything I've read on that scenario states that only the 'safari' box would be checked, but in my case it was 'safari', 'email' and 'icloud'. Would that mean access to MY email, safari and icloud accounts?





