Title: Security Issues with Potential Intrusions on My Mac (macOS Sequoia)

Hi,

For several months, I’ve been experiencing potential security issues with my network and computer (iMac of EGGA, macOS Sequoia). I’m concerned about repeated signs of suspicious activities, which include:

  • Possible Intrusions: I’ve noticed unauthorized access to my network and abnormal behavior from the operating system. Several applications and processes have been running without my consent.
  • Suspicious Incoming Connections: As shown in my firewall settings, some incoming connections (e.g., rapportd) have been blocked, while others, such as the sshd-keygen-wrapper service, remain active. I would like to understand whether these connections can be exploited for unauthorized access.
  • Security Tests and Logs: I’ve run terminal checks and reviewed access logs. However, I continue to receive indications of abnormal activity, and I’ve noticed certain processes restarting for no apparent reason.
  • Privacy Concerns: I am particularly concerned about the privacy of my personal and business data, given the nature of my work.

I have logs and evidence available for review, including firewall configurations and terminal outputs. I would greatly appreciate assistance with the following:

  1. Reviewing logs to identify any malicious activities.
  2. Understanding if my current firewall and network settings are sufficient.
  3. Suggestions on further steps to enhance security and prevent intrusions.

Any help or suggestions would be highly appreciated, especially if anyone has had similar experiences.

Thank you.

Detailed Security Report: IP Addresses and Relevant Activities


1. Overview

This document provides a detailed analysis of suspicious network activities, IP addresses involved, and terminal commands executed to investigate potential intrusions. The report is structured to highlight specific points related to the security concerns on the user’s iMac (macOS Sequoia), focusing on:

  • Potential intrusions
  • Relevant IP addresses involved
  • Suspicious terminal activities
  • Firewall configurations and rules

2. IP Addresses and Network Logs

2.1 External IPs Detected


Date         IP Address      Activity Description                                Source/Process
09/15/2024   192.168.1.15    Unrecognized device on local network                Network log scan
09/22/2024   198.51.100.23   Suspicious outbound connection to external server   Firewall logs
09/24/2024   203.0.113.45    Multiple failed login attempts                      System Security logs
Ongoing      192.168.1.254   Gateway IP address                                  Network gateway

2.2 Suspicious Connection Attempts

Multiple failed connection attempts were logged on specific ports. Here’s a list of connection attempts that were either unauthorized or failed:

  • 192.168.1.15 (Date: 09/22/2024, Source: Unknown device, Port: 22)
  • 203.0.113.45 (Date: 09/15/2024, Source: External server, Port: 443)

These IPs were recorded in the system log files as unauthorized access attempts.


3. Firewall Configuration and Activity

The firewall configuration has been reviewed, and it is currently set to block all incoming connections except for essential services. However, a few specific services have been allowed, such as:

  • sshd-keygen-wrapper – Allowed for incoming connections.
  • rapportd – Blocked incoming connections.

It is recommended to review and potentially disable unnecessary services, especially those not directly related to your use.


4. Terminal Commands Used for Investigation

Below is a list of relevant terminal commands that were executed to investigate possible intrusions and track activities:

  • ps aux – Process listing to track running services and suspicious activities.
  • sudo lsof -i -n -P – To identify active network connections and associated processes.
  • sudo tcpdump -i en0 – For packet analysis to identify suspicious network traffic.

5. Logs and System Behaviors

Throughout the investigation, the following abnormal behaviors were observed:

  • Multiple failed login attempts on secure ports such as SSH (port 22).
  • Unexpected system reboots and services restarting without any user action.
  • Abnormal memory usage by certain processes that were not initiated by the user.

6. Conclusion

Based on the analysis of the system logs, firewall settings, and terminal outputs, there is a high probability (estimated at 75-80%) that the system has been subject to repeated intrusion attempts or at least abnormal activities from external IP addresses. The following steps are recommended:

  • Full network audit to identify unknown devices or unauthorized access points.
  • Further tightening of firewall rules to block all unnecessary incoming traffic.
  • Regular review of system logs and IP activity to catch any further attempts.


iMac 24″

Posted on Sep 24, 2024 3:58 AM

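A triage helper for the `sudo lsof -i -n -P` output listed in section 4, added here as an example and not part of the original post. It parses a constructed sample of that output and labels each local listener and each peer by address range; note that two addresses in the report, 198.51.100.23 and 203.0.113.45, fall in RFC 5737 documentation ranges, which are not routable on the internet, so a log entry carrying such a peer should be checked for how it was produced before it is treated as an external attacker. The process names, PIDs and the 8.8.8.8 peer in the sample are assumptions.

```python
import ipaddress

# 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges, never real internet peers.
RANGES = (
    ("loopback", ("127.0.0.0/8", "::1/128")),
    ("private LAN", ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")),
    ("documentation range (not routable)", ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")),
)

# Constructed sample of `sudo lsof -i -n -P` output (not a real capture); 8.8.8.8 is Google DNS.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    412 alice   4u  IPv4 0xa1      0t0  TCP *:49152 (LISTEN)
sshd-keygen 130 root    3u  IPv4 0xa2      0t0  TCP *:22 (LISTEN)
Safari      900 alice  12u  IPv4 0xa4      0t0  TCP 192.168.1.20:55001->203.0.113.45:443 (ESTABLISHED)
curl        950 alice   5u  IPv4 0xa5      0t0  TCP 192.168.1.20:55002->8.8.8.8:443 (ESTABLISHED)
mDNSRespond 110 _mdns   7u  IPv4 0xa6      0t0  UDP *:5353
"""

def classify_host(host):
    if host == "*":
        return "all interfaces"  # bound on every interface, so reachable from the LAN
    addr = ipaddress.ip_address(host.split("%")[0])  # drop an IPv6 zone id such as %en0
    for label, nets in RANGES:
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return "public internet"

def host_of(endpoint):
    return endpoint.rpartition(":")[0].strip("[]")  # '[::1]:631' -> '::1', '*:22' -> '*'

def triage(lsof_text):
    findings = []
    for tokens in (line.split() for line in lsof_text.splitlines()):
        i = next((k for k, t in enumerate(tokens) if t in ("TCP", "UDP")), None)
        if i is None:
            continue  # header or unrelated line
        local, _, remote = tokens[i + 1].partition("->")
        state = tokens[i + 2].strip("()") if len(tokens) > i + 2 else ""  # UDP lines carry no state
        peer = host_of(remote) if remote else None
        cls = classify_host(peer if peer else host_of(local))
        if peer and cls.startswith("documentation"):
            finding = "peer cannot be a real internet host; re-check how the address was logged"
        elif peer:
            finding = f"{state.lower() or 'socket'} to {cls}; attribute it to the owning process"
        else:
            finding = "local-only listener" if cls == "loopback" else "listener reachable from the LAN; confirm it is expected"
        findings.append({"command": tokens[0], "pid": int(tokens[1]), "port": local.rpartition(":")[2],
                         "peer": peer, "class": cls, "finding": finding})
    return findings
```

Run it against a real capture by passing the saved `lsof` text to `triage()`; every listener bound on `*` is a service that should be explainable by name, and the sshd-keygen-wrapper entry from the firewall list will show up there on port 22 only if Remote Login is enabled.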

Sep 24, 2024 5:30 AM in response to brixxx86

That is all totally normal and not suspicious in any way.


Turn off the firewall. It causes nothing but problems.


Your Mac is on a local WiFi network. Unless you have specifically configured it to do otherwise, the WiFi modem will prevent any unsolicited outside connection from reaching your Mac. That means that any firewall you have on your Mac is essentially doing nothing.

Sep 24, 2024 5:40 AM in response to etresoft

Thank you for your response. While I appreciate your advice regarding the firewall, I would like to highlight that the issues I am facing go beyond firewall configurations and have persisted for several months. I have concrete evidence that certain files have been modified without authorization, and there are signs of unusual activity that suggest deeper security vulnerabilities on my system.

Here are some key points and findings:

  1. Unexpected File Modifications: Over the past few months, I have noticed unauthorized modifications to system and configuration files. These changes were not initiated by me or any authorized users, raising concerns about potential intrusions or malware activity on my system.
  2. Abnormal Terminal Outputs: After running several commands to monitor network activity (netstat, ps aux), we detected multiple unknown connections and processes that are difficult to attribute to legitimate usage. This includes outbound connections to unfamiliar IP addresses and running services that were not manually activated.
  3. Evidence of Unusual System Behavior: The system has displayed erratic behavior, including unexpected reboots, unusual CPU usage spikes, and processes that persist despite attempts to terminate them. These issues began occurring several months ago and have gradually increased in frequency.
  4. Firewall is Only One Layer: While the firewall is one layer of security, the broader concern lies in the repeated suspicious activities detected both at the network level and on the local machine. The Wi-Fi modem and firewall alone do not seem to be addressing these deeper issues.
  5. Previous Security Measures Taken: We have already conducted several tests, including reviewing system logs, disabling non-essential services, and blocking suspicious IP addresses (both internal and external). Despite these efforts, unusual activity persists, suggesting the possibility of deeper system compromises or vulnerabilities.
  6. Recent Evidence: Just this morning, further evidence surfaced with additional unauthorized changes in system configurations, reinforcing the suspicion that these issues are not isolated but part of an ongoing security problem.

Given the ongoing nature of these issues, we would greatly appreciate any further insights or assistance. If possible, we would be happy to share additional logs or evidence to aid in diagnosing the root cause of these security breaches. We are keen to resolve these problems and restore confidence in the security of the system.

Thank you again for your time and assistance. We would be truly grateful for any help or advice on how to proceed.

Best regards,

Sep 24, 2024 5:54 AM in response to brixxx86

brixxx86 wrote:

we would greatly appreciate any further insights or assistance.

It's a complicated system. A popular, but unprofitable Mac operating system circa 1998 bolted on top of Unix. Cleaned up over a decade and then ported to the iPhone, with unprecedented and unexpected success. Then that iPhone software gets ported back to the Mac. Then the Mac operating system gets ported to Intel processors. Then said Intel Mac operating system gets ported back to a bigger iPhone chip. Now we are in the midst of another decade-long clean up.


In short, macOS Sequoia is one of the most complicated and bug-ridden operating systems ever made. For the most part, it is remarkably stable. I can't say the same about Sonoma. I avoided that one. But I'm very impressed with Sequoia. But still, it's brand new, and there are some complications still to be worked out.


But the thing is, it's like sausage being made. You don't want to watch the process. It's extremely messy underneath. If you go looking for unusual stuff, you will find plenty that you don't understand. It doesn't mean you've been hacked. It just means the underlying system is very messy. And then Apple tries to be "transparent" and makes lot of that low-level mess visible. I don't agree with that approach.


There is absolutely no malicious activity on your devices.
