Computer Hijacked?

I have a macbook pro with latest OSX, and I was browsing when all of a sudden it seemed like someone was steering my cursor around.  I tried to turn off the macbook real quick via the apple icon at the top left and when the window prompted to shutdown or cancel the cursor clicked cancel!

I then held the power button on the macbook until it turned off.

What happened?  What can I do to prevent this?

There is no antivirus installed and we are behind an Airport Extreme router.

Let me know if you need anything else.
LVL 19
Kyle SantosQuality AssuranceAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Check your file sharing preferences and make sure all the boxes are unchecked, particularly screen sharing.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Kyle SantosQuality AssuranceAuthor Commented:
Unchecked the boxes.  I will give it 24 hours or so and see if anything weird happens again.  Thanks, strung!
If you want to check it before 24 hours, turn on the Macbook and disconnect all your network connections to check the settings and logs before you connect back to the network.

You can check you system.log files for screensharingd, which is the process for Apple Remote Desktop(ARD - encrypted VNC) and Screen Sharing (unencrypted VNC).  If someone connected, you will see an entry as well as the IP address they connected from.

Type the following into
if your log files end in .gz (gzip)
zgrep screensharingd /var/log/system.log*
if you log files end in .bz (bzip)
bzgrep screensharingd /var/log/system.log*

I prefer the command line for remote access, but you can also search in the GUI for screensharingd.

If someone has access to your Screen Sharing or ARD, then they likely also have access to an admin account password.  Without knowing the exact settings that were in your Screen Sharing or Remote Adiminstration setups, I'd assume the worst.  You should change your passwords on all your admin accounts on that Mac.

Install some free for personal use AV and scan the external disk before you copy that data back.  In fact install several AV and run scans from each one to be sure.  They don't always overlap in the viruses they detect.  Then install rootkit scanners and scan for rootkits.

You can very easily backdoor a Mac with an admin account and password, so if you really see someone connecting through screen sharing or detect rootkits, it's time to back up your data off the network to an external drive, wipe the disk and fully reinstall your OS to a fully erased disk.
web_trackerComputer Service TechnicianCommented:
when this happens I would right away disable your wireless connection and unplug any network cables. The person who is trying to remotely control your system can not control your systems if you no longer have a network connection
Kyle SantosQuality AssuranceAuthor Commented:
Thanks for the additional feedback!  I have some spare time this weekend that I will consider trying these suggestions out.  (Its overdue for sure haha).

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Laptops Notebooks

From novice to tech pro — start learning today.