Factory reset macmini M1 2020 is not like the others

If you are subject to the sorts of exploitation tools that would involved here, you will need direct, formal assistance from a security and forensics provider, a d device access and related information will be required.

holymoly767 wrote:

I am, and have been for a couple years, experiencing almost the same thing and was wondering what to do. Most everyone says it impossible but looks like the community is showing otherwise. Is there a way to get everyone's data together and start compiling the info in one place? Or at least connecting everyone together since Apple is not addressing anything? With all the money spent on new devices, iclopud data lost, etc., the fact that they continue to deny any issue or put out security warnings is opening them up for class action, which I am happy to initiate. Their denial and lack of direction is a complete violation of consumer protection (what little the US supplies). anyway, Im beyond trying to troubleshoot devices and more into the next steps of getting this more public attention.

What to do? Learn about exploit tooling and about digital forensics and security, and collect evidence.

Evidence I’ve never seen posted around here, among the myriad “I’m hacked” threads.

Nobody is going to do digital forensics for free. Not at the scale involved. Apple is undoubtedly doing forensics analysis with their telemetry, and at a scale few here can imagine.

There are vastly more people claiming to be hacked than can possibly ever be examined, too. As many analysts as there might exist, there are far more claimants. Most of whom are not hacked. Not without some strong evidence of an exploit. Many of which would be unwilling to accept a “no” finding.

And there can be no certainty here too, as trying to prove a negative—that any particular configuration is not somehow compromised—is a fool’s errand.

Posting screen shots of, well, nothing is not the path.

PS: “Stealth” is a waste of time and network resources. Learn about ICMP, and about proper operation of IP networks, and then decide. Dropping parts of ICMP traffic makes the network less efficient, and for no added benefits. If an IP host is connected to an IP network, that IP host is inherently visible to at least ARP traffic, and almost certainly has some ports active.

The first thing you need to do is uninstall Total Virus. AV programs are totally unnecessary and are known to cause issues.

The more important parts of the EtreCheck report are the installed kexts, Launch Daemons, Startup Items, AntiVirus, and CPU usage. All of which could be the source of what you are seeing.

I'm not sure how there was a nuke and pave during this year and the configuration is running a Ventura version prior to 13.1, when CVE-2022-46689 was patched per Apple.

gravityfed wrote:

My scan of the executable file within the Calculator.app was tagged by Total Virus and OSX Sandbox as matching two 2019 CVE exploits. Wasn't sure if external links were allowed so haven't posted a link.

Presumably, you are uploading random files to some website to scan then, as a website cannot scan a Mac.

Which CVEs, please?

macOS protects itself against corruptions. Much of the system is write-protected, as are backups. That is all part of the built-in anti-malware. The built-in anti-malware which has blocked add-on anti-malware from corrupting macOS with a (hilariously wrong) false positive, too.

Absolutely nothing you have posted here so far is evidence of any issues. Which CVE, BTW?

Backups are a central part of system security. Quite possible rotating and maybe permanently-archived backups, if the data is sufficiently valuable.

Neither CVE-2019-12259 nor CVE-2019-12265 are applicable here; a false positive.

You do have one obvious issue, if there is any user data here: no backups.

Otherwise, nada. WebKit (some Safari tab) got busy, and TextEdit got tangled once.

I would not be concerned about the log reports on the machine you posted the EtreCheck Report from. It is not unusual to see a log where a deprecated command was given. You will also see attempts to run a process that fail, networks getting disconnected, and write errors multiple times. It does not mean that your computer is not working correctly. There are no nefarious processes running at startup. Having network activity while an app is running is not always a sign that something bad is happening.

Just do your Factory Reset and enjoy, if a problem comes up, we are here to help.

gravityfed wrote:

Well, it seems an issue that won't be solved here, was hoping for some more clarity around some of these processes. Thanks for your time anyway.

There’s seemingly nothing to solve here; no evidence of anything untoward, no remote management, no (applicable) CVE.

If you’ve already done a nuke and pave of macOS, have enabled two-factor and new passwords all around, then there’s either malware far above the norm, or there’s hardware junk or other not-involving-macOS problems, or somebody local with direct access, or you’ll need some (better) evidence of something untoward.

To learn more about macOS internals as a foundation for your investigation, the three volumes of the New OS X book”, by Levin, are a good start. That will help you learn what is normal activity on macOS.

And few folks (nobody?) will perform digital forensics for free, absent some evidence of an interesting exploit.

Teaching forensics, or performing forensics on a remote system via a text box, or teaching IP networking, one observation at a time, is not something that can reasonably happen here.

There are no UDP connections, as UDP is a datagram protocol. DHCP client (per RFC 2131) uses UDP 68, and your Mac likely has DHCP client enabled.

TCP 137 is tied in with NBNS and SMB network services. While NBNS usually uses UDP 137, it can use TCP 137.

etc…

macOS server was retired a while back, with many parts deprecated, and some parts moved into base macOS.

The rest here, do your research, as you have the computer locally, and you can look up what is in use, and what is currently active. Your follow-on replies here show deeper knowledge of networking and protocols, so I fully believe you are both best positioned to investigate and quite able resolve your own curiosity here, and to gather the necessary evidence.