How to Tell If Your Mac Computer Has Been Hacked

A hacker can gain access to your Mac by a variety of means, including social engineering and security vulnerabilities in the Mac OS X operating system or in installed applications. However, all of these methods result in Mac OS X keeping a log of the usage of each user account in the computer -- legitimate or illegitimate. You can access those system logs to determine whether your Mac has been used (locally or remotely) without your authorization.

...
You can determine whether your Mac has been accessed without your authorization.

Step

Log in to your Mac OS computer using your regular user account.

Step

Click "Applications" and then "Utilities."

Step

Double-click on "Terminal." A new window will open, with a prompt for text-mode commands.

Step

Type the following command into the Terminal window:

Step

sudo -l

Step

Press "Enter," type your password and press "Enter" again.

Step

List all accounts existing on your Mac by typing the following command into the Terminal:

Step

dscl . list /users

Step

Press "Enter." Mac OS X will list all existing accounts on the computer.

Step

Check whether any account has been created without your permission by verifying that all accounts in the output of "dscl" have been created legitimately. If there are additional accounts, they probably have been created by a hacker.

Step

Check whether an account has been misused by typing the following command into the Terminal:

Step

last

Step

Press "Enter." For each account, Mac OS X will list the time and date of the last login to all existing accounts. If the most recent login to any of the accounts happened at an abnormal time, it probably was done by a hacker masquerading as a legitimate user.