Hmm. Three replies and I'm still no more enlightened.
Kurt Lang wrote:
A .plist is just a preference file, not an app. It can't do anything by itself.
Sure, but by the same token, an app can't do anything by itself; it needs an OS to run on. :-)
Later, you say,
It also appears to be a default part of Mountain Lion.
But I don't know what you mean by 'It'.
- /System/Library/LaunchDaemons/com.apple.racoon.plist ?
- A /System/Library/LaunchDaemons/com.apple.racoon.plist that connects to "secure.onavo.com"? or
- racoon itself?
Obviously, I already knew that racoon is part of OS X, as the page I said I'd read shows that to be true.
As for your contention that
Often, a lowercase and uppercase switch mean the same thing; they just don't note it.
I think it's rare that options aren't case sensitive. The last five commands I used are all case sensitive.
Few, if any, of the core UNIX commands aren't.
Next,
Linc Davis wrote:
The domain "secure.onavo.com" is on a security blacklist:
IP Blacklist Check Status: Suspicious, Comment Spammer | IP-Tracker.org
and has been associated with rogue activity:
Probable Picscout or Image scanner
Someone from there tried to connect to your VPN server.
secure.onavo.com has moved to another IP, but neither the new nor the old IP is currently blacklisted (107.6.95.9 or 107.6.95.22).
On the other hand, ONAVO's IP space appears to be a rat's nest, according to Cisco!
http://www.senderbase.org/lookup?search_string=107.6.95.0/24 says all hosts sending mail claim to be secure.onavo.com, and either have no reputation, or a poor reputation. For example:
IP Address 107.6.95.102 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-07-22 04:00 GMT (+/- 30 minutes), approximately 23 hours ago.
This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.
IP Address 107.6.95.58 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-07-22 03:00 GMT (+/- 30 minutes), approximately 23 hours, 30 minutes ago.
IP Address 107.6.95.55 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-07-22 03:00 GMT (+/- 30 minutes), approximately 1 days, 29 minutes ago.
IP Address 107.6.95.56 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-07-22 14:00 GMT (+/- 30 minutes), approximately 13 hours ago.
IP Address 107.6.95.57 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-07-22 04:00 GMT (+/- 30 minutes), approximately 23 hours, 30 minutes ago.
IP Address 107.6.95.102 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-07-22 04:00 GMT (+/- 30 minutes), approximately 23 hours, 30 minutes ago.
The last line,
Someone from there tried to connect to your VPN server.
doesn't seem justified.
First, we don't have an active VPN server at the moment, and didn't have one when this error was coming up.
(We have one, but it's in a cardboard box, unplugged.)
Secondly, Little Snitch caught an OUTGOING connection.
This applies also to the last comment, from one-time poster 'Onavo'.
This alert came up on a Mac OS X client, not a server, and definitely not a VPN server. And the client wasn't running an iOS simulator/VM.
We have some iOS devices, but no Onavo apps on them.
We have no reason to be running racoon - no legit VPN connections to establish, so for now, I did a
sudo mv /System/Library/LaunchDaemons/com.apple.racoon.plist /System/Library/LaunchDaemons-INACTIVE/com.apple.racoon.plist
and so far so good.
One possible exception is a Time Capsule I connect to remotely from time to time. I don't use it as a VPN server, but perhaps the management protocols run over racoon.
The rogue activity (March 26) wasn't very old, and there's current activity to boot.
The snitched-on activity remains troubling and unexplained, IMO.
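The thread turns on whether a file in /System/Library/LaunchDaemons is "just a preference file". The short answer is that launchd reads it and runs whatever it names, as root by default, whenever one of its triggers fires, which is why moving com.apple.racoon.plist aside changes what the machine does. The script below is an added example, not code from the original post or from Apple: it parses a LaunchDaemon-style plist with Python's standard plistlib and reports the executable, the user it runs as, and the conditions under which launchd would start it. The embedded plist is constructed for the example and is modelled only on the general shape of such files; its label, arguments and socket settings are assumptions, not a copy of Apple's com.apple.racoon.plist.

```python
import plistlib

# Constructed sample of a LaunchDaemon job, in the shape launchd expects for a
# file under /System/Library/LaunchDaemons. It is an illustration, not a copy of
# Apple's com.apple.racoon.plist; the label, arguments and socket settings are
# assumptions made for this example.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.racoon-sample</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/racoon</string>
        <string>-D</string>
    </array>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockServiceName</key>
            <string>isakmp</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
    </dict>
    <key>KeepAlive</key>
    <dict>
        <key>SuccessfulExit</key>
        <false/>
    </dict>
    <key>RunAtLoad</key>
    <false/>
</dict>
</plist>
"""


def make_plist(job):
    """Serialize a job dict to XML plist bytes (useful for building further cases)."""
    return plistlib.dumps(job)


def _socket_names(sockets):
    """Collect the service names/ports a job asks launchd to listen on."""
    names = []
    for entry in sockets.values():
        # Each Sockets value is either one socket dict or a list of them.
        for sock in entry if isinstance(entry, list) else [entry]:
            names.append(str(sock.get("SockServiceName", "?")))
    return names


def summarize_launchd_job(plist_bytes):
    """Describe what launchd would do with this job.

    launchd reads the file at boot (or on `launchctl load`) and then starts the
    executable named in ProgramArguments/Program, as root unless UserName says
    otherwise, whenever one of the job's triggers fires. The plist does nothing
    by itself, but it is the instruction that causes a privileged process to run.
    """
    job = plistlib.loads(plist_bytes)
    if "ProgramArguments" in job:
        argv = list(job["ProgramArguments"])
    elif "Program" in job:
        argv = [job["Program"]]
    else:
        raise ValueError("job has neither Program nor ProgramArguments")

    triggers = []
    if job.get("RunAtLoad", False):
        triggers.append("at load")
    socket_names = _socket_names(job.get("Sockets", {}))
    if socket_names:
        triggers.append("on demand via sockets: " + ", ".join(socket_names))
    keepalive = job.get("KeepAlive", False)
    if keepalive is True or (isinstance(keepalive, dict) and keepalive):
        triggers.append("restarted by KeepAlive")
    if "StartInterval" in job or "StartCalendarInterval" in job:
        triggers.append("on a schedule")

    return {
        "label": job.get("Label"),
        "executable": argv[0],
        "argv": argv,
        "runs_as": job.get("UserName", "root"),  # LaunchDaemons default to root
        "disabled": bool(job.get("Disabled", False)),
        "triggers": triggers,
    }


if __name__ == "__main__":
    for key, value in summarize_launchd_job(SAMPLE_PLIST).items():
        print(f"{key}: {value}")
```

On a real Mountain Lion machine the same function can be fed the bytes of /System/Library/LaunchDaemons/com.apple.racoon.plist to see exactly what that job launches and when. One caveat on the `sudo mv` approach used above: moving the file only stops launchd from reading it at the next boot; a job launchd has already loaded stays loaded until the system is rebooted or the job is unloaded with `sudo launchctl unload -w <path-to-plist>`, which is the documented way to disable a job and records the disabled state so it stays off across reboots.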