crayfish55

Q: iRat - remote control client?

MacBook Air (13-inch, Early 2014)

OSX El Capitan 10.11.3 (15D21)

Intel HD Graphics 5000 1536 MB

Hardware Overview:

  Model Name:    MacBook Air
  Model Identifier:    MacBookAir6,2
  Processor Name:    Intel Core i7
  Processor Speed:    1.7 GHz
  Number of Processors:    1
  Total Number of Cores:    2
  L2 Cache (per Core):    256 KB
  L3 Cache:    4 MB
  Memory:    8 GB
  Boot ROM Version:    MBA61.0099.B21
  SMC Version (system):    2.13f15

-----------

 

Seeing some odd activity in my logs and wanted to get feedback and whether I should be concerned.

--------

 

The below logs are appearing in a folder in Console called CoreTelephonyTraceScratch > CSI.scratch > in filenames like 0x00000000-csi.txt, 0x00000001-csi.txt, 0x00000002-csi.txt.

 

The files appear to be generating temporarily when I am connecting, disconnecting, and then being iteratively removed. I do not have an iOS device that I connect to this machine. The logs are running whether I am hard-wired or connected by Wifi, at my home network. I am not a programmer but it looks off and Google has done nothing to reassure me. I did find this - Hacked OS EL CAPITAN

 

Thanks in advance.

 

-------

 

  0.052 [I] evt: Firing event 'recalculateConnectionAvailability': with params= 0, Wifi Changed
  0.052 [I] DATA:TechDriver:handleWifiAvailable_sync: fWifiInterfaceName changes from en0 to
  0.052 [I] DATA:TechDriver:TechDataDriver: <0x7fa3baf2a450> created
  0.052 [I] DATA:ServiceController:DataServiceController: <0x7fa3bae150b0> created
  0.052 [I] DATA:ServiceController:recalculateConnectionAvailability: fRadioModuleCreated is false, bailing for now (Wifi Changed)
  0.052 [I|17+] ent.ctr: Initializing Carrier Entitlements Controller
  0.052 [I] NOBB:NoBBRegistration_NOSUPPORT:NoBBRegistrationController: Object constructed <----------
  0.053 [I|17] ent.ctr: ================================================================================================
  0.053 [I|17] ent.ctr: Reset called upon with update: false and reason CheckEntitlementsReason::kSelfInitiated
  0.053 [I|17] ent.ctr: ================================================================================================
  0.053 [I|17] ent.ctr: Potentially instantiating Entitlements Command Driver
  0.053 [I|18+] ent.psh: Reset Push Listener
  0.053 [I|15+] csi.session: handleLoginSessionStateChange_sync(): Session is logged in
  0.053 [I|15] evt: Firing event 'loginSessionStateChange': with params= 1
  0.053 [I|15] csi.session: initialize(): loginSessionActive: true
  0.053 [I] evt: Firing event 'recalculateConnectionAvailability': with params= 1, Login session state changed to true
  0.053 [I] evt: Firing event 'recalculateConnectionAvailability': with params= 1, Login session state changed to true
  0.053 [I] DATA:iRatController:handleLoginSessionStateChanged_sync: Session is logged in. Start iRatClient
  0.053 [I] DATA:ServiceController:recalculateConnectionAvailability: fRadioModuleCreated is false, bailing for now (Login session state changed to true)
  0.053 [I] DATA:ServiceController:recalculateConnectionAvailability: fRadioModuleCreated is false, bailing for now (Login session state changed to true)
  0.053 [I] DATA:iRatClient:start_sync: Starting iRat Client
  0.053 [I] DATA:iRatClient:register_sync: register with server: {
  "kMessageId": 1u,
  "kMessageArgs": {
  "kWCMRegisterProcess_ProcessId": 7u
  }
}
  0.054 [I] 5wi: Constructor: fCountrySetFlag set to false
  0.055 [I|24+] sysobs: Polling for the states of screen, lock, reachability status, and battery saver mode
  0.055 [I|22+] 5wi: No retrieved value for SystemDeterminationManager::ConnectivityHelperType
  0.056 [I|22] 5wi: No retrieved value for kEnableIMSUserPreference, using default false
  0.056 [I|17] ent.ctr: No Entitlements Driver
  0.056 [I|17] ent.ctr: Adding FaceTimeOverCellular to not supported
  0.056 [I|25+] max: Switch support retrieved ----- 3G switch support: DataRateSwitchSupport::kUnknown, LTE switch support: DataRateSwitchSupport::kUnknown
  0.056 [I|25] max: User preference for Enable 3G: DataRateUserPreference::kUnknown with 3G switch support: DataRateSwitchSupport::kUnknown
  0.056 [I|25] max: User preference for Enable LTE: DataRateUserPreference::kUnknown with LTE switch support: DataRateSwitchSupport::kUnknown
  0.056 [I|17] ent.ctr: Adding Tethering to not supported
  0.056 [I|17] ent.ctr: Adding Agent to not supported
  0.056 [I|17] ent.ctr: Adding VoWiFi to not supported
  0.056 [I|17] ent.ctr: Adding Thumper to not supported
  0.056 [I|17] ent.ctr:
  0.056 [I|17] ent.ctr: Generating entitlement changed events
  0.056 [I|17] ent.ctr:
  0.056 [I|17] evt: Firing event 'entitlement_changed': with params= 0000000000, 0000000000, 0111001100, EntitlementResults(Phone Number:Unknown, SubscriptionAndUsageStatus:Unknown, FaceTimeOverCellular:Unknown, Tethering:Unknown, Update Push Token:Unknown, Perform Auth-Only:Unknown, Agent:Unknown, VoWiFi:Unknown, Thumper:Unknown, VVM:Unknown, )
  0.056 [I|25] max: User Preference evaluated ----- 3G switch user preference: DataRateUserPreference::kUnknown, LTE switch user preference: DataRateUserPreference::kUnknown
  0.057 [I|17] ent.ctr: Invalidating Entitlements State with reason CheckEntitlementsReason::kSelfInitiated
  0.057 [I|24] DisplayStateModel:changeFlag: DisplayIsOn, from true to true
  0.057 [I|24] evt: Firing event 'statusBarVisible': with params= 1

MacBook Air, OS X El Capitan (10.11.3)

Posted on Feb 19, 2016 6:03 PM


  • by crayfish55, Level 1 (1 points), Feb 19, 2016 6:06 PM in response to crayfish55

    And then, after a while, a bunch of this in the logs

     

    ----

     

    1622.591 [I] xpc.watchdog: Server Watchdog: checkin
    1637.610 [I] xpc.watchdog: Callback Watchdog: checkin
    1637.610 [I] xpc.watchdog: Server Watchdog: checkin
    1652.593 [I] xpc.watchdog: Callback Watchdog: checkin
    1652.593 [I] xpc.watchdog: Server Watchdog: checkin
    1656.015 [I] csiapp.info: Application launched: AppInfo[Google Chrome, com.google.chrome, true, 837, 0]
    1667.594 [I] xpc.watchdog: Callback Watchdog: checkin
    1667.594 [I] xpc.watchdog: Server Watchdog: checkin

     

    -----

    then stuff like this

     

    ----

     

    49669.223 [I] DATA:ServiceController:recalculateConnectionAvailability: nothing changed due to Wifi Changed
    49669.223 [I] DATA:TechDriver:refreshAllDataSettings:
    49669.223 [I] data: no TechSettings dictionary can be found
    49669.223 [I] DATA:TechDriver:refreshAllDataSettings: for 0
    49669.223 [I] DATA:TechDriver:refreshAllDataSettings: APN info not present
    49669.223 [I] DATA:TechDriver:refreshAllDataSettings: APN info not present
    49669.223 [I] DATA:TechContext:0:stopUsing:
    49669.223 [I] DATA:TechDriver:refreshAllDataSettings: for 1
    49669.223 [I] DATA:TechDriver:refreshAllDataSettings: APN info not present
    49669.223 [I] DATA:TechDriver:refreshAllDataSettings: APN info not present
    49669.223 [I] DATA:TechContext:1:stopUsing:
    49669.223 [I] DATA:TechDriver:refreshAllDataSettings:
    49669.223 [I] DATA:iRatController:subscribeLineTypes_sync: with app Types ()
    49669.223 [I] DATA:iRatController:subscribeLineTypes_sync: Subscribe app Types not changed
    49669.223 [I] evt: Firing event 'recalculateConnectionAvailability': with params= 0, Tech setup reconfigured
    49669.223 [I] evt: Firing event 'recalculateConnectionAvailability': with params= 1, DataServiceController activation
    49669.223 [I] DATA:Connection:Bootstrap:canActivateTrigger:
    49669.223 [I] DATA:Connection:BootstrapRoamingInternetBypass:canActivateTrigger: isRoaming: false, canActivate: false
    49669.223 [I] NOBB:NoBBRadioModule_NOSUPPORT:getCellularDataIsEnabled:
    49669.223 [I] NOBB:NoBBRadioModule_NOSUPPORT:getCellularDataIsEnabled:
    49669.223 [I] NOBB:NoBBRadioModule_NOSUPPORT:getCellularDataIsEnabled:
    49669.223 [I] NOBB:NoBBRadioModule_NOSUPPORT:getCellularDataIsEnabled:
    49669.223 [I] NOBB:NoBBRadioModule_NOSUPPORT:getCellularDataIsEnabled:

     

    and this...

     

    52013.383 [I] xpc.watchdog: Server Watchdog: checkin
    52020.321 [I] DATA:Collocation_NoBB:0:dataCollocationAssertionUpdate: tearDownNow = true
    52020.322 [I] DATA:Collocation_NoBB:1:dataCollocationAssertionUpdate: tearDownNow = true
    52020.322 [I] DATA:ServiceController:___ZN21DataServiceController21deactivateNonAssertedEv_block_invoke: nothing to wait for
    52020.322 [I] DATA:ServiceController:waitForDeactivateNonAsserted: result code 0
    52020.322 [I] pwr: Telling CSI to go low power
    52020.322 [I] NOBB:NoBBRadioModule_NOSUPPORT:canEnterLowPower:
    52020.322 [I] pwr: CSI can enter low power, so now telling to do so
    52020.322 [I] NOBB:NoBBRadioModule:enterLowPower:
    52020.322 [I] pwr: Will sleep.  Heard from CSI in 0.000131011 seconds
    52020.322 [I] NOBB:NoBBRadioModule:enterLowPower_sync:
    52020.322 [I] evt: Sending internal notification kEventEnteringLowPower (17) params={0, 0, 0x0}
    52020.322 [I] evt: Firing event 'enterLowPower'
    52020.322 [I] DATA:TechDriver:enterLowPower: Entering low power mode
    52020.322 [I] DATA:TechDriver:callbackEnteredLowPower: Calling Low Power call back
    52020.322 [I] NOBB:NoBBRadioModule:finishEnterLowPower:
    52020.322 [I] NOBB:NoBBRadioModule:finishEnterLowPower_sync:
    52020.322 [I] NOBB:NoBBRadioModule:finishEnterLowPower_sync: calling low power callback, result is 1
    52028.361 [I] xpc.watchdog: Callback Watchdog: checkin
    52028.362 [I] xpc.watchdog: Server Watchdog: checkin
    52045.721 [I] pwr: Telling CSI to exit low power
    52045.721 [I] NOBB:NoBBRadioModule:exitLowPower:
    52045.724 [I] NOBB:NoBBRadioModule:exitLowPower_sync:
    52045.724 [I] evt: Sending internal notification kEventExitingLowPower (18) params={0, 0, 0x0}
    52045.724 [I] evt: Firing event 'exitLowPower'
    52045.724 [I] DATA:TechDriver:handleExitLowPower_sync: Exiting low power mode
    52045.766 [I] DataNetworkMonitorOSX:handleNetworkStateChanged_sync: nwi_state: 0x7fbb12771c50
    52045.766 [I] DataNetworkMonitorOSX:checkIPConnectivity_sync: ***** ipConnectivityAvailable: false
    52045.766 [I] DataNetworkMonitorOSX:checkIPConnectivity_sync: fCurrentIfName: 'en0'
    52045.766 [I] DataNetworkMonitorOSX:checkIPConnectivity_sync: ipConnectivity DOWN. Previous primary interface: 'en0'
    52045.766 [I] evt: Firing event 'dataWifiAvailable': with params= 0, {}
    52045.766 [I|22+] 5wi: handleWifiAvailable_sync : currently available=true, new value=false
    52045.766 [I] DATA:TechDriver:handleWifiAvailable_sync: available = false
    52045.766 [I] NOBB:NoBBRadioModule:handleWifiAvailable: available = false
    52045.766 [I] evt: Firing event 'recalculateConnectionAvailability': with params= 0, Wifi Changed
    52045.766 [I] evt: Firing event 'bearerAvailable': with params= 0, kNoData
    52045.766 [I] DATA:TechContext:0:handleWifiAvailable_sync: Looking for en0 in updated interface list
    52045.766 [I] evt: Firing event 'dataModeChanged': with params= kNoData, kNoData
    52045.766 [I] DATA:TechContext:0:handleWifiAvailable_sync: Interface en0 is gone, clear fActiveInterfaceName
    52045.766 [I] evt: Firing event 'dataNotAttached'
    52045.766 [I] DATA:TechContext:1:handleWifiAvailable_sync: Looking for en0 in updated interface list
    52045.766 [I] DATA:TechContext:1:handleWifiAvailable_sync: Interface en0 is gone, clear fActiveInterfaceName
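A small triage script for log extracts like the ones in the question and in the follow-up above, added here as an example; it is not part of the thread and not Apple's code. It parses the `<seconds> [<level>|<thread>] <subsystem>: <message>` shape the lines share, folds the multi-line `register with server` payload back into its record, and then answers the two questions a reviewer actually cares about: what does that registration message carry (in the posted lines, a message id and `kWCMRegisterProcess_ProcessId`, a local process id, nothing else), and does any line name an IP address, URL or DNS name, i.e. anything off the machine. The sample text is constructed to match the posted lines, and the single line containing an IP address is a deliberately invented negative control so the detector can be seen firing; the subsystem names, regexes and function names are this example's own choices. One reading aid for these tags: in cellular stacks RAT means radio access technology, and the `iRatController` lines here react to Wi-Fi bearer changes (`bearerAvailable`, `dataModeChanged` to `kNoData`), which is inter-RAT data handling.

```python
import re
from collections import Counter

# Constructed sample, shaped like the CoreTelephony CSI lines quoted in the thread
# (not a real capture; only the line format and tags are taken from the posts).
SAMPLE = """\
  0.052 [I] evt: Firing event 'recalculateConnectionAvailability': with params= 0, Wifi Changed
  0.052 [I] DATA:TechDriver:handleWifiAvailable_sync: fWifiInterfaceName changes from en0 to
  0.053 [I|17+] ent.ctr: Initializing Carrier Entitlements Controller
  0.053 [I] DATA:iRatClient:start_sync: Starting iRat Client
  0.053 [I] DATA:iRatClient:register_sync: register with server: {
  "kMessageId": 1u,
  "kMessageArgs": {
  "kWCMRegisterProcess_ProcessId": 7u
  }
}
  1622.591 [I] xpc.watchdog: Server Watchdog: checkin
  1656.015 [I] csiapp.info: Application launched: AppInfo[Google Chrome, com.google.chrome, true, 837, 0]
  49669.223 [I] NOBB:NoBBRadioModule_NOSUPPORT:getCellularDataIsEnabled:
"""

# Constructed negative control: an invented line naming a remote endpoint (a TEST-NET-3
# address), so the detector can be seen firing. Nothing in the posted logs looks like this.
SAMPLE_WITH_REMOTE = SAMPLE + "  3.100 [I] DATA:Connection:Bootstrap: connecting to 203.0.113.7:4444\n"

# <seconds> [<level>|<thread>+] <subsystem>: <message>; the thread field is optional.
LINE_RE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+\[(?P<lvl>[A-Z])(?:\|(?P<thr>\d+)\+?)?\]\s+(?P<sub>[^:\s]+):\s?(?P<msg>.*)$"
)

# Patterns that would indicate the component is talking to something off the machine.
REMOTE_RES = [
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),                        # IPv4 literal
    re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.I),                     # URL with scheme
    re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:com|net|org|io)\b", re.I),  # DNS name
]

PID_RE = re.compile(r'kWCMRegisterProcess_ProcessId"\s*:\s*(\d+)')


def parse(text):
    """Split CSI log text into records; lines without a leading timestamp are
    continuations of the previous record's message (the multi-line payload)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["t"] = float(rec["t"])
            rec["thr"] = int(rec["thr"]) if rec["thr"] else None
            records.append(rec)
        elif records and line.strip():
            records[-1]["msg"] += "\n" + line.strip()
    return records


def triage(text):
    """Summarise a CSI log: volume per subsystem, what the iRat 'register with
    server' message carries, and whether any line names a remote endpoint."""
    recs = parse(text)
    by_subsystem = Counter(r["sub"] for r in recs)

    registration_pids = []
    for r in recs:
        if "register with server" in r["msg"]:
            m = PID_RE.search(r["msg"])
            if m:
                registration_pids.append(int(m.group(1)))

    remote_indicators = []
    for r in recs:
        for rx in REMOTE_RES:
            hit = rx.search(r["msg"])
            if hit:
                remote_indicators.append((r["t"], r["sub"], hit.group(0)))

    return {
        "records": len(recs),
        "by_subsystem": dict(by_subsystem),
        "registration_pids": registration_pids,
        "remote_indicators": remote_indicators,
    }


if __name__ == "__main__":
    for name, text in (("posted-style sample", SAMPLE), ("with constructed remote line", SAMPLE_WITH_REMOTE)):
        result = triage(text)
        print(name, result["by_subsystem"], result["registration_pids"], result["remote_indicators"])
```

Run against the posted-style sample, `remote_indicators` comes back empty and the only registration argument is a process id; run against the negative control it returns the invented address, which is the check that matters before treating a verbose local log as evidence of remote control. To use it on a real file, pass the contents of one of the `0x0000000N-csi.txt` files to `triage()`.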

  • by Linc Davis, Level 10 (207,926 points), Applications, Feb 19, 2016 8:44 PM in response to crayfish55

    1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

    The test works on OS X 10.8 ("Mountain Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.

    Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.

    2. If you don't already have a current backup, please back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

    There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

    3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

    You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

    In this case, however, there are ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone who understands the code can verify what it does.

    You may not be able to understand the script yourself. But variations of it have been posted on this website many times over a period of years. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.

    Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

    4. Here's a general summary of what you need to do, if you choose to proceed:

    ☞ Copy the text of a particular web page (not this one) to the Clipboard.

    ☞ Paste into the window of another application.

    ☞ Wait for the test to run. It usually takes a few minutes.

    ☞ Paste the results, which will have been copied automatically, back into a reply on this page.

    These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.

    5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is intermittently slow, run the test during a slowdown.

    You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual before running it. If you can only test in safe mode, do that.

    6. If you have more than one user, and only one user is affected by the problem, and the affected user is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn't apply. Don't log in as root.

    7. Load this linked web page (on the website "Pastebin.") Press the key combination command-A to select all the text, then copy it to the Clipboard by pressing command-C.

    8. Launch the built-in Terminal application in any one of the following ways:

    ☞ Enter the first few letters of its name ("Terminal") into a Spotlight search. Select it in the results (it should be at the top.)

    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

    ☞ Open LaunchPad and start typing the name.

    Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.

    9. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.

    If the test is taking much longer than usual to run because the computer is very slow, you might be prompted for your password a second time. The authorization that you grant by entering it expires automatically after five minutes.

    If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

    10. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:

        Test started
            Part 1 of 4 done at: … sec
            …
            Part 4 of 4 done at: … sec
        The test results are on the Clipboard.
        Please close this window.

    The intervals between parts won't be exactly equal, but they give a rough indication of progress.

    Wait for the final message "Please close this window" to appear—again, usually within a few minutes. If you don't see that message within about 30 minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it. Then go to the next step. You'll have incomplete results, but still something.

    In order to get results, the test must either be allowed to complete or else manually stopped as above. If you close the Terminal window while the test is still running, the partial results won't be saved.

    11. When the test is complete, or if you stopped it manually, quit Terminal. The results will have been saved to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

    At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "close this window" message. Please wait for it and try again.

    If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

    12. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the software that runs this website. Please post the test results on Pastebin, then post a link here to the page you created.

    If you have an account on Pastebin, please don't select Private from the Paste Exposure menu on the page, because then no one but you will be able to see it.

    13. When you're done with the test, it's gone. There is nothing to uninstall or clean up.

    14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.

    15. The linked UNIX shell script bears a notice of copyright. Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

  • by crayfish55, Level 1 (1 points), Feb 26, 2016 1:21 PM in response to Linc Davis (Solved answer)

    Thanks for the response, Linc. I've been advised that this is iOS code running in OS X, relating to CoreTelephony, and is not malicious.

  • by jopaki, Level 1 (4 points), Apr 10, 2016 11:08 AM in response to crayfish55

    You've been "advised"?  By whom?  Why didn't Linc know this at the outset?

     

    BTW, this: http://pastebin.com/raw/SycVPm7F

    I would never run this set of highly obfuscated commands.  C'mon now!

  • by MSGCarini, Level 1 (8 points), Mac OS X, May 7, 2016 11:39 AM in response to Linc Davis

    I have this issue too. 

     

    http://pastebin.com/HtdLqYfn

  • by MSGCarini, Level 1 (8 points), Mac OS X, May 7, 2016 11:53 AM in response to Linc Davis

    I have had consistent issues with:

    • My shared settings changing
    • Beach balling
    • Public keychains and not being able to reset keychains
    • Wrong locations on maps
    • iCloud aliases not working
    • Remote screen sharing turning off and on
    • LinkedIn beachballing
    • Numbers (or Excel, which I am no longer using) not being able to download other than into a .CSV file


    In Single User mode:

    • Flags cannot be fixed on a /dev/rdisk0s2
    • Eight ACPI enabled and 18 devices
    • VMWare that comes and goes
    • An unknown iMac attached (gone and then not)
    • My internal hard drive turning into a Logical Volume Group and then, the hard drive missing

     

    Apple engineers have looked at this time and time again.  My Macbook Pro Retina has been replaced.  Repaired. I have done more reinstalls than any human should have to.

     

    I believe these issues have also impacted my iPhone, since I have synced my iPhone with my computer.

     

    I tried to remove the remote users today and hopefully that was successful.  That said, any idea on what in the **** is happening here?

     

    Linc - I have been reading your materials for months and really would be grateful for any help. The issue is that despite reinstalls, I can't seem to shake what this is. I believe it is some kind of Open Sourced code or Linux system that keeps attaching itself to me despite routers, passwords and all the obvious being addressed.

     

    Do you think there is a hole in Ubiquity that is causing some kind of doorway in? It's the only common denominator I can think of...

    Thank you again,

     

    MSGCarini

  • by Eric Root, Level 9 (69,956 points), iTunes, May 7, 2016 4:22 PM in response to MSGCarini

    You might want to consider starting a new discussion. Since this one is marked solved, fewer people are likely to look at it. You can link to this one.

  • by GreenMamba, Level 1 (13 points), Desktops, Jun 25, 2016 7:30 AM in response to crayfish55

    I have a similar question. I just did a re-install of OS X due to some strange activity. During my reinstall, while in the disk utility to erase my disk, I noticed a disk image called Apple Disk Image > OS X Base Systems. 1.3 GB was used and 713 MB was available. The files were labeled as "other".

     

    Apple SSD SD0128F Media - 121.33 GB PCI - Internal physical disk had a child count of 3, even after I erased it and renamed it.

     

    I could NOT eject the "Apple Disk Image" and whatever it is or whatever it does. I am not sure if it is just some kind of version of OS X you had when you first bought my MacBook Pro. I am totally confused.

     

    Also during this last reinstall it asked me for my password to my MBP when it had its old name.

     

    Right now I am running the command sudo fs_usage -w | grep nsurl in terminal and nsurlstoraged.33*** [port changes] keeps trying to send or is sending /library/cookies/HSTS.plist

     

    Is all of this stuff normal? I don't feel like it is.

     

    I have done a reinstall before and do not remember having to enter my old password to my last login before logging into my new installation. I feel like someone has remote access to my desktop. Or some kind of root access. Maybe not though.

     

    Please help Linc or anyone else.

     

    Thanks...

  • by Drew Reece, Level 5 (7,485 points), Notebooks, Jun 25, 2016 12:58 PM in response to GreenMamba

    Start by making your own thread if you want actual help & follow up. 

    I'm adding numbers to try to make some sense out of all the questions…

    GreenMamba wrote:

     

    1)

    During my reinstall while in the disk utility to erase my disk i noticed a disk image called Apple Disk Image > OS X Base Systems. 1.3 GB was used and 713mb was available. The files were labeled as "other".

     

    2)

    Apple SSD SD0128F Media - 121.33 GB PCI - Internal physical disk had a child count of 3, even after I erased it and renamed it.

     

    3)

    I could NOT eject the "Apple Disk Image" and whatever it is or whatever it does. I am not sure if it is just some kind of version of OS X you had when you first bought my MacBook Pro. I am totally confused.

     

    4)

    Also during this last reinstall it asked me for my password to my MBP when it had its old name.

     

    5)

    Right now I am running the command sudo fs_usage -w | grep nsurl in terminal and nsurlstoraged.33*** [port changes] keeps trying to send or is sending /library/cookies/HSTS.plist

     

    6)

    Is all of this stuff normal? I don't feel like it is.

     

    I have done a reinstall before and do not remember having to enter my old password to my last login before logging into my new installation. I feel like someone has remote access to my desktop. Or some kind of root access. Maybe not though. 

     

     

    1. OS Base System is part of the installer - stop assuming everything you do not understand is bad. You cannot unmount the installer disk or any of its partitions when running from that OS. That is normal.

     

    2. OS X will partition a disk however it feels is appropriate for that Mac. 3 partitions are probably normal. By default OS X creates a recovery partition & an EFI boot partition (both are normally hidden) in addition to the main system partition. Frankly if you do not know how to interpret these parts of the OS (or cannot find explanations on apple.com) you should not be digging around with tools that reveal them.

     

    3. See point 1 - once again probably normal.

     

    4. It's unclear when you were prompted for the old password - it is normal to require a password to begin the installer (otherwise anyone could just wipe your data without your admin password). I don't understand your point about the MBP having an old name - maybe you didn't actually erase the disk before reinstalling. You have to specifically erase the disk before reinstalling OS X otherwise all the old data will remain on the system. It is also possible for iCloud to interact & bring back old settings & data if you enable certain features. If you restore from a backup or from Time Machine it will also bring back old files & can reset the 'computer name' too.

     

    5. Why on earth are you running that command? If you do not trust Apple, why are you running their OS? Assuming you have clean installed (if you actually erased the disk) it should be normal. If you enable Safari bookmark syncing via iCloud it could be normal to send your cookie list to Apple. I believe HSTS is related to https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

    I don't think the fs_usage command lists the port, the digits are the PID (process ID, as far as I can tell) try reading the manual, once again you may not be seeing what you think you are seeing…

    https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/fs_usage.1.html#//apple_ref/doc/…

     

    6. It seems normal to me, however I cannot see what you have done or what services you have enabled. You have made a lot of assumptions that things are bad when they are simply normal parts of OS X. I think you are just misreading how computers work these days – Macs depend on the internet for so much. If you trust Apple and have clean installed the OS your Mac has not been compromised so it is probably all normal. If you don't trust Apple try Windows, Linux or something else.

     

    If you still think someone has remote access to your Mac go and see a genius at an Apple store or find a local Mac service centre and ask for the Mac to be erased. It can be incredibly difficult & costly to diagnose an actual attack via computer forensics, you really need to avoid making assumptions especially when simple hardware errors can cause many suspicious looking problems. Get it checked by someone who knows more than you, ideally at an Apple store so they can check the hardware is working correctly.

     

     

    P.S. If you make your own thread post details on why you think it was compromised in the first place, you can link this thread to your new post.

  • by GreenMamba, Level 1 (13 points), Desktops, Jun 26, 2016 7:47 AM in response to Drew Reece

    Yes I am sorry, a lot of that post is like a rant. I did not take my time and explain each issue. But your post was very helpful.

     

    I have been using Apple products for about 10 years now. My paranoia is due to my debit card being compromised 3 weeks ago. It's also coming from using an open Xfinity WiFi hotspot for a few weeks while waiting for Comcast to come and run lines in my new apartment. *The debit card being compromised was due to the site I visited not my machine after further research.*

     

    I did a fresh install BUT then installed Little Snitch to see exactly what OS X frameworks were making outbound connections. I then researched each one of them to see why. I think my paranoia is also due to having "Little Snitch" installed.

     

    1. I knew the Base Installer was most likely a part of the OS. Thank you for clarifying.

     

    2-4. Apple asked me for my old login password after the installation then allowed me to go to my "new" login home page. Your above description makes sense.

     

    5. I was running that command because I want to know why Safari's User Agent has a reply of this: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17 - even after a fresh install. I did read this:

    https://en.wikipedia.org/wiki/User_agent#User_agent_spoofing

    It explains browsers may spoof themselves due to some sites working better with some browsers as opposed to others.

     

    6. I do trust Apple. Little Snitch is now gone. I uninstalled it.

     

    In closing; I believe everything is running just fine. Using my SurfEasy VPN was creating a lot of lag and issues (I knew this before I posted)... I'm not using it unless I feel like I will be surfing the web and looking up weird stuff like 2 girls one cup. <--- joke The VPN isn't worth the hassle. I just did a system and spotlight diagnostics scan. The results were sent to Apple to see if something is running in my memory or a firmware is corrupted. (My closest Apple store is 3 hours away.)

     

    Thanks for your time and the advice.