Type: _companion-link._tcp.local.

Hello


I apologize in advance for my imprecision in the use of exact technical terms. I have only recently started learning. Please, if you don't want to be courteous and provide help, do not reply.


I ran a Bonjour service scan on my Wi-Fi network and I got this result:


MacBook Pro

- Type: _companion-link._tcp.local.

- Hostname: MacBook-Pro.local.

- IPv4 Address: 192.168.1.(...)

- Port: 58417

- Values: rpFl = 0x20000, rpHN = 83fe(....)4be, rpAD = 38f(.....)41cbfaa, rpBA = F63:(...)1:C1:9B, rpMac = 0, rpVr = 360.4


I am facing cyber security issues at the moment and seeing this worries me a bit, given some of the readings I saw out there.

Should I be concerned?


Thanks in advance!


Posted on Aug 1, 2022 11:33 PM
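As an added example (not from the thread or from any poster): a small Python decoder for the DNS-SD TXT record behind the "Values:" line above (RFC 6763 key=value strings), plus a check of the advertised service type against a baseline of services you expect on your own network. The baseline set, the placeholder strings standing in for the poster's redacted hashes and MAC, and the function names are assumptions.

```python
# Added example: decode a DNS-SD TXT record (RFC 6763 section 6) into key/value
# pairs, the way a Bonjour browser renders "Values: rpFl = 0x20000, ...", and
# compare the advertised service type against an expected-services baseline.
# Constructed sample data: redacted values from the post are replaced by placeholders.

EXPECTED_SERVICE_TYPES = {            # assumed baseline for an Apple-only home network
    "_companion-link._tcp.local.",    # Apple Continuity/companion service (from the thread)
    "_sleep-proxy._udp.local.",       # Bonjour Sleep Proxy, also an Apple service
}

def encode_txt(pairs):
    """Build TXT rdata: each string is a length byte followed by 'key=value' bytes."""
    strings = [f"{k}={v}".encode() if v is not None else k.encode() for k, v in pairs]
    return b"".join(bytes([len(s)]) + s for s in strings)

def decode_txt(rdata):
    """Decode TXT rdata into a dict. Per RFC 6763: a string without '=' is a flag
    (value None), 'key=' is an empty value, keys compare case-insensitively, and
    when a key repeats only the first occurrence counts."""
    out, seen, i = {}, set(), 0
    while i < len(rdata):
        n = rdata[i]
        s = rdata[i + 1 : i + 1 + n]
        if len(s) != n:
            raise ValueError("truncated TXT string")
        i += 1 + n
        if not s:                      # a lone zero-length string means "empty TXT record"
            continue
        key, sep, val = s.partition(b"=")
        if not key:                    # strings beginning with '=' are ignored (RFC 6763 6.4)
            continue
        key = key.decode("ascii", "replace")
        if key.lower() not in seen:
            seen.add(key.lower())
            out[key] = val.decode("utf-8", "replace") if sep else None
    return out

def classify_service(service_type, txt):
    """Return (status, decoded values): 'expected' if the type is in the baseline."""
    status = "expected" if service_type in EXPECTED_SERVICE_TYPES else "review"
    return status, decode_txt(txt)

# Constructed from the post's scan output; hashes and MAC were redacted by the poster.
SAMPLE_TXT = encode_txt([
    ("rpFl", "0x20000"), ("rpHN", "<redacted-hash>"), ("rpAD", "<redacted-hash>"),
    ("rpBA", "<redacted-mac>"), ("rpMac", "0"), ("rpVr", "360.4"), ("rpVr", "dup-ignored"),
])

if __name__ == "__main__":
    print(classify_service("_companion-link._tcp.local.", SAMPLE_TXT))
```

Anything classified as "review" is not automatically hostile; it is simply a service you have not yet matched to a device you own, which is the inventory step the later replies recommend.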


13 replies

Aug 26, 2022 8:19 AM in response to LeGrandCondePrinceDuSang

If you have a breach as you are claiming, that is a legal matter.


Do you want to discuss your particular security issues, or do you want to learn about networking and mDNS/Bonjour?


Because the two parts of this question go in very different directions. And you'd best have an understanding of a normal network and of tooling and protocols before digging into an abnormal network.


mDNS is intended to advertise service availability of features, and most malware prefers to avoid advertising its presence.


Companion is an Apple service. So too is a sleep proxy.


As for using a sleep proxy, the proxy doesn’t have the credentials on the proxied system. You might as well be discussing the effects of MITM, and at a comparatively awkward place given the proxy and the target can’t both be active.


Introduction to DNS Service Discovery

https://en.wikipedia.org/wiki/Bonjour_(software)

http://www.dns-sd.org/ServiceTypes.html


And if you have something advertising a sleep proxy, you know what that device is. Go check it. It’s either behaving normally, or somebody did substantial work to implement mDNS and a sleep proxy within whatever device is involved. Which seems very unlikely. And again, if your computer or your network is compromised to the degree claimed, wipe and re-load, or wipe-and-replace, are the primary options.


For security, you’ll need to learn more about both networking, and about vulnerabilities and exploits; about digital forensics. Start with the New OSX Book series of books for the former, and there are classes and books on the latter.


Usual reason for a mass compromise is bad or exposed or particularly reused passwords, or laxity around updates and upgrades, somebody locally and trusted is involved, or a target that’s worth a whole lot to exploit. In the lattermost case, getting specific and tailored security help is the usual path.

Aug 2, 2022 11:35 AM in response to LeGrandCondePrinceDuSang

That’s usually some part of Continuity, based on what is available on the ‘net. Whether that’s expected and normal depends greatly on whether some part of Continuity is active and involved, and which can involve Apple TV network activity. Activity which is quite common on Apple platforms, too.


Can we back up a few steps and discuss the “cyber security issues”? What might those “security issues” involve?

Aug 27, 2022 8:30 AM in response to LeGrandCondePrinceDuSang

I’m not in a position to provide forensics via a forum.


Nor to teach forensics, nor macOS networking, via a forum.


Unprompted log dumps are seldom useful for detecting a breach.


I’ve never met an unprompted log dump posted around here that was anything other than benign.


Remediation recommendations for a suspected breach: review equipment and connections and versions and update all, inventory equipment and apps, reset and reload suspected breached devices, robust and unique passwords everywhere, two-factor enabled, etc.


If you are a target for security attacks, forum postings are not the best place to acquire advice. Same for designing a network with lots of pieces, or networks with unusual security exposures.


And I seldom recommend using macOS as an expensive and awkward router/firewall/gateway/NAT box.


PS: https://en.wikipedia.org/wiki/Bonjour_Sleep_Proxy



Aug 2, 2022 6:47 PM in response to MrHoffman

Thank you very much for your answer. I would like to add that I have three MacBooks and this Bonjour service appears only on one device, the most compromised of the fleet.


The cyber security issues are a long story. There is a post on reddit about it; I am not sure if copy/pasting the link here is allowed.

In summary, an individual who had access to all devices and credentials for an extended period of time informed me that he had been recording and storing all types of data on me, including 289 audio recordings, and for proof sent me a recording of a phone conversation I had made.


This prompted an audit of my systems (by an Apple agent on the phone and in store) and it was discovered that the MacBooks had been set up to be remotely accessed, users had been created, firewalls turned off, the keychain accessed (and that's only what was visible) etc...

In addition my internet accounts (Google, Gmail, Facebook etc.) had been hacked and my Androids would receive unheard missed calls, and when I tried once to call back the number, the Android where the missed call occurred started ringing.

The phones would send and receive text messages to themselves (4-digit codes) and for a while, whenever I would try to reset my Apple ID password, I would request and receive codes on my iPhone and, once entered in the browser, they would simply not be recognized. Apple informed me that these codes were not sent by them.

There's also a concern about internet spoofing. My network would suffer attacks, and the traffic would be redirected towards an unknown network (not my phone's cellular network) with a different SSID than my ISP's.

And lately there was the discovery that a device I have never seen physically, but that was part of my devices connected to the router, and that I thought was part of the ISP equipment, is in fact a UPnP device, a virtual Cisco remote wireless controller, that manages and connects the network and the devices, and has several dangerous open ports including port 9999.


I think there's a link between the MacBook Pro and the Bonjour service and the Cisco WLC.

I changed the router twice since April, and modified all credentials on the router and on the Wi-Fi. It doesn't seem to stop the issue.


If you have any idea or suggestion, please feel free to share.


Best,

Aug 2, 2022 8:13 PM in response to LeGrandCondePrinceDuSang

This seems centrally a police / legal matter.


Given what is a catastrophic breach, I’d expect you were encouraged to wipe or reset all, and to reload all from known-good sources, and to enable and use new and unique passwords throughout. Everything. This breach would also necessarily involve local police and preferably legal representation, both for the reported electronic shenanigans and for the reported physical access involved here.


While parts of this are technical, you’ve undoubtedly already gotten good answers to those.


ARP spoofing is common for some benign network functions, not the least of which is a sleep proxy.


And that Wi-Fi security app might have gotten confused by a dual-band Wi-Fi router.


I don’t see anything here I’d be particularly concerned about, either. Well, other than resetting and rebuilding this configuration from parts, and discussions with police and prosecutors.



Aug 26, 2022 6:02 AM in response to MrHoffman

Hello and thank you so much for your answer. I have reported the breach to local authorities (to almost no avail).

Now I am looking into the sleep proxy and I think that is what is happening here. Please check the line below from a Wireshark capture:

fe80::3ebd:c5ff:fe97:280b → ff02::1   ICMPv6 90 Multicast Listener Query

And which device acts as the sleep proxy? Do you think you could explain to me once again how this would work?

The question I have is, can the sleep proxy be used for the purpose of monitoring and controlling a network? Again, the presence of this Cisco Remote Wireless Controller (that I can't even seem to be able to block from the internet) is troubling!

Also I have been noticing more troubling details.

My screen keeps showing that it's being observed (although all remote access has been disabled). Please see attachment.

And I noticed an unknown user logged into my computer when I checked who was logged in. Please see attachment.

Thanks for the advice


P-S: Your advice on wiping everything is right. My online accounts have also been compromised.

Aug 27, 2022 5:57 AM in response to MrHoffman

Thank you so much for your great explanation. Would it be possible that my MacBook has been set up as an Internet Gateway?

I ran ifconfig and networksetup -listallhardwareports, and I would really appreciate it if you could tell me if anything leads to that conclusion.

I'll copy-paste the extract I find troubling, and in addition two links from Cisco basically explaining how to install a WLC and keep it undetectable.

I'll add the screenshots of the commands as well.

Thanks a million


Here's the line:


id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0

maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200

root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0

ipfilter disabled flags 0x0



This was a capture from Wireshark:

239.255.255.250 SSDP 218 M-SEARCH * HTTP/1.1



Aug 27, 2022 6:21 AM in response to MrHoffman

Sorry, I forgot to add the links.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116041-solution-apple-osx-00.html



https://superuser.com/questions/1707991/using-macos-as-internet-gateway


Now this is where it gets really interesting:

I can't seem to find it right away, but I will; once, my connection showed as 802.11. I'll add that screenshot shortly!

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-6/config-guide/b_cg86/initial_setup.html


Release 7.6.120.0: This feature was introduced and supported only on Cisco 2500 Series Wireless Controller. It includes an easy-to-use GUI Configuration Wizard, an intuitive monitoring dashboard and several Cisco Wireless LAN best practices enabled by default.

Release 8.0.110.0: The following enhancements were made:

Connect to any port: You can connect a client device to any port on the Cisco 2500 Series Wireless Controller and access the GUI configuration wizard to run Cisco WLAN Express. Previously, you were required to connect the client device to only port 2.

Wireless Support to run Cisco WLAN Express: You can connect an AP to any of the ports on the Cisco 2500 Series Wireless Controller, associate a client device with the AP, and run Cisco WLAN Express. When the AP is associated with the Cisco 2500 Series Wireless Controller, only 802.11b and 802.11g radios are enabled; the 802.11a radio is disabled. The AP broadcasts an SSID named CiscoAirProvision, which is of WPA2-PSK type with the key being password. After a client device associates with this SSID, the client device automatically gets an IP address in the 192.168.x.x range. On the web browser of the client device, go to http://192.168.1.1 to open the GUI configuration wizard.

Note

This feature is not supported on mobile devices such as smartphones and tablet computers.

Aug 29, 2022 5:51 PM in response to MrHoffman

Hello

I wanted to thank you before closing down this post. I think I figured out the issue. I won't provide any more pictures of captures. The adversary has set up IGMP snooping.

Most of the foreign IP addresses in "Listen" state are hidden, but the few I traced seemed to have ties with a well known dangerous cybercriminal group in France.

All the appropriate measures have been taken.

Thank you again for your great help!

P-S: During my research I found a very bizarre but hilarious post from someone claiming to have been hacked, and your handling of the comments is one for the books.

I rolled on the floor when you asked about the presence of someone in the room while the alleged victim was screaming the password out loud.


Best Regards,

