Something's not right in my Network

coldcore wrote:

No not running any of those things. Since I'm a relatively new apple user. I don't understand "key chains" but wondering why in logs "login_renamed_2.keychain-db"is present?

Jonathan Levin (Moxii)'s OS X Internals three-volume book will get you a foundation in internals and how the pieces can fit together in normal usage. And will help you collect info on what "normal" looks like in your particular environment.

Or you can use an approach others have attempted, and try to find needles in infinitely-growing streams of haystacks, when you don't know what the needles look like, or even whether any needles are even present. That's the usual for scanning logs and telemetry. Doable certainly, but works way better when automated tools can scan for known patterns.

Keychains are part of macOS, and accessed via Keychain Access: What is Keychain Access on Mac? - Apple Support

And this PegasusConfiguration, what is that? I read it's spyware.

Something to ponder: why would the some of the most expensive espionage tooling around post its own name somewhere obvious? And if the tooling was that overt about its traces, why wouldn't Apple have detected and flagged or detected and scrubbed it?

Oh, and in this particular case, it's not Pegasus the espionage tool. Pegasus is what Apple called their picture-in-picture support. Utterly mundane stuff, in other words. Or, well, could Pegasus be hiding behind something else also called Pegasus? Or some other exploit tooling that works like Pegasus pretending to be Pegasus hiding behind benign tooling known as Pegasus? We don't know. This tooling changes.

And remote connections are still present on my computer, how do I shut down remote connections in terminal?

Remote connections are ALWAYS present. That's simply the nature of computing in 2024.

Detecting command and control connections for malware or worse can itself be non-trivial, as the malware and the nasty stuff are all using the same connections and the same server hosting vendors and the same network protocols as everything else. You might spot something here, or you might not.

And I'd probably implement network monitoring on your gateway or other external hardware, as exploit tooling can itself target standard and added monitoring tooling. If you're worthwhile target, the tools you use can themselves be compromised.

Sure, you might get lucky and find a command and control connection. But you're probably going to want to start with an understanding of what is normal for your particular and unique combination of installed apps and tools and settings.

And "ZoomClient3rd", tried to delete it, it won't delete, says it's currently in use.

Follow the vendor's directions for deleting the Zoom app.

Thank you for your time and care in this matter.

macOS can be exploited, and can be breached.

If you believe you are a potential target for espionage tooling, you need to fundamentally shift your approach to tooling and use of tools, as well as what data you have around, and what connections and communications channels you use. There are steps specific to macOS, but the bulk of what is involved here is changing how you use and how you expect to use your devices.

Why change? Folks actually targeted by Pegasus can end up in prison. Or worse.

If you are senior in government or private, or with access to sensitive or classified data, participating in a war, a political dissident, an investigative journalist, or somebody that has deeply peeved a very rich entity, you may be headed for a Bad Day. Accordingly, you will want to seek advice with your security, and particularly advice well past investigating PegasusConnection, Keychains, or related. In some contexts, emissions and uploaded photos are more than enough trouble.

Some info from Apple directly: About Apple threat notifications and protecting against mercenary spyware - Apple Support

What one of the better resources suggests: https://citizenlab.ca/category/research/tools-resources/security-planner/

I'm not on OS13 at the moment so translationg my OS12 & earlier directions...

1. 1. On your Mac, choose Apple menu  > System Settings, then click Network  in the sidebar. (You may need to scroll down.)
2. 
   
3. Click the Action pop-up menu  on the right, then choose Set Service Order.
4. Drag services into the order you want.
5. Click OK.

The interface that connects to the Internet should be dragged to the top of the list.

System Settings>Network>choose interface>Advanced>Proxies Tab, make sure none are set, like for HTTP & HTTPS.

System Setttings>Network, click a network service on the right, click Details, then click DNS. (You may need to scroll down.)

Enter these numbers...

8.8.8.8

8.8.4.4

1.1.1.1

9.9.9.9

if you do not intend to be using any proxies, all these boxes should be unchecked, and only the string at the bottom of this window should be present:

That excludes the application of proxies for domains named with anything.local (which is your own network and NOT Routeable, AND

anything with a self-assigned IP address from that same block of numbers mentioned before, 169.254.anything in the last 16 bits.

<< a destination address of 169.254.0.0. >>

That IP address is from a group strictly private, non-routable IP address used exclusively for self-assigned IP address. When any network device starts up, it assigns itself a pseudo-random address from that block of address, so that it will have SOME sort of identifier. Then it broadcasts a request for a Router to give it a "good" local IP address.

The routers on most networks provide a good local IP address via DHCP so quickly, most users have never seen a self-assigned IP address, and would swear they never happened.

<<. when googling 169 ip it says if that's being used "something's not right with network". >>

If a self-assigned IP address persists long enough for you to notice, your router was not able to respond. That DOES indicate trouble on a network, such as a cable not plugged in.

But you are not seeing a device "stuck" with a self-assigned IP address, so this is of no consequence.

Summary:

NOT an Issue.

<< Now and again I'll find that wifi is on and/or connected but I never use wifi so I have it off always. >>

MacOS assumes you will want WiFi, and tends to turn it on when your Mac starts up and when your Mac wakes from sleep. there is no disadvantage to having BOTH ethernet and WiFi on at the same tine, and certain services like some location services depend on location data provided over Wi-Fi.

Packets going toward the internet are sent over the TOPMOST, working interface shown in the ordered list at

settings/system Preferences > network

If ethernet is not already TOPMOST use the gear or (...) icon below the box, choose "set service order' and drag Ethernet TOPMOST. When you go to the coffee shop, Ethernet will not be Working, so the next in line, typically WIFI, will be used instead.

If WiFi turning on annoys you, take pains to shut it off when your Mac turns on.

Summary:

not an issue.

if the pegasus item you have is exactly

group.com.apple.PegasusConfiguration

that is an Apple framework for future Picture in Picture support, not malware

By far the easiest way to cause poor performance, instability, overheating and crashing is to install ANY third-party speeder-uppers, Cleaners, Optimizers, or Virus scanners, Bit Torrent, or a VPN that you installed yourself. The main reason is that they are relentless in scanning your files, non-stop, looking for virus-like patterns in Everything, or looking for files that have changed. When completed, they do it all again.

 Third-party file Sync-ers such as DropBox, BackBlaze, OneDrive, or GoogleDrive can ruin performance, but are not inherently dangerous.

¿Are you running anything like that?

To delete things in use boot into Safe Mode & try deleting it...

On your Mac, choose Apple menu  > Shut Down.

Wait for your Mac to shut down completely. A Mac is completely shut down when the screen is black and any lights (including in the Touch Bar) are off.

Press and hold the power button on your Mac until “Loading startup options” appears.

Select a volume.

Press and hold the Shift key, then click Continue in Safe Mode.

The computer restarts automatically. When the login window appears, you should see “Safe Boot” in the menu bar.

Does the problem occur in Safe Mode? 

Restart normally.

<< And remote connections are still present on my computer. >>

how did you decide that?