Is my iMac Hacked? System Logs

I have attached sections of my system log files below. Specifically, I found the wireless country code being reset. The system is creating 'shield windows' and generating screenshots. Finally, there are some entries relating to 'frequent transitions' on the ethernet interface. I am running the most recent version of Mountain Lion on a new iMac. Is there any valid reason why these processes should be taking place?


Much thanks in advance...



8/22/13 9:17:33.000 AM kernel[0] en0: 802.11d country code set to 'X0'.

8/22/13 9:17:34.000 AM kernel[0] en0: 802.11d country code set to 'US'.

8/22/13 4:21:30.000 PM kernel[0] en0: 802.11d country code set to 'X0'.


8/23/13 12:48:31.707 PM WindowServer[90] Created shield window 0x25b for display 0x003f003d

8/23/13 12:48:31.707 PM WindowServer[90] handle_will_sleep_auth_and_shield_windows: releasing authw 0x7fcac2890ea0(2004), shield 0x7fcac2930a60(2001), lock state 3

8/23/13 12:48:31.708 PM WindowServer[90] handle_will_sleep_auth_and_shield_windows: err 0x0

8/23/13 12:48:31.708 PM WindowServer[90] Created shield window 0x25c for display 0x003f003e

8/23/13 12:48:31.708 PM WindowServer[90] handle_will_sleep_auth_and_shield_windows: releasing authw 0x7fcac2890ea0(2002), shield 0x7fcac2930a60(2001), lock state 3

8/23/13 12:48:31.708 PM WindowServer[90] handle_will_sleep_auth_and_shield_windows: err 0x0

8/23/13 12:48:31.708 PM WindowServer[90] Created shield window 0x25d for display 0x003f003f

8/23/13 12:48:31.709 PM WindowServer[90] handle_will_sleep_auth_and_shield_windows: releasing authw 0x7fcac2890ea0(2002), shield 0x7fcac2930a60(2001), lock state 3

8/23/13 12:48:31.709 PM WindowServer[90] handle_will_sleep_auth_and_shield_windows: err 0x0

8/23/13 12:48:31.716 PM WindowServer[90] handle_will_sleep_auth_and_shield_windows: releasing authw 0x7fcac2890ea0(2002), shield 0x7fcac2930a60(2001), lock state 3

8/23/13 12:48:31.716 PM WindowServer[90] handle_will_sleep_auth_and_shield_windows: err 0x0

8/23/13 1:37:07.033 PM WindowServer[90] Created shield window 0x2ba for display 0x04280380

8/23/13 1:37:07.033 PM WindowServer[90] device_generate_desktop_screenshot: authw 0x7fcac282f430(2000), shield 0x7fcac1454b30(2001)

8/23/13 1:37:07.127 PM WindowServer[90] device_generate_lock_screen_screenshot: authw 0x7fcac282f430(2000), shield 0x7fcac1454b30(2001)

8/23/13 2:26:34.708 PM WindowServer[90] Created shield window 0x2bb for display 0x003f003d

8/23/13 2:26:34.708 PM WindowServer[90] handle_will_sleep_auth_and_shield_windows: releasing authw 0x7fcac282f430(2004), shield 0x7fcac1454b30(2001), lock state 3


8/23/13 1:35:28.037 AM configd[17] network changed: v4(en0-:172.16.42.4) DNS- Proxy- SMB

8/23/13 1:35:28.043 AM mDNSResponder[57] DeregisterInterface: Frequent transitions for interface en0 (172.16.42.4)

8/23/13 1:35:29.770 AM com.apple.launchd[1] (com.symantec.errorreporting.periodic) Throttling respawn: Will start in 2000 seconds

8/23/13 1:35:29.000 AM kernel[0] MacAuthEvent en0 Auth result for: 12:9a:dd:84:09:79 MAC AUTH succeeded

8/23/13 1:35:29.000 AM kernel[0] wlEvent: en0 en0 Link UP virtIf = 0

8/23/13 1:35:29.000 AM kernel[0] AirPort: Link Up on en0

8/23/13 1:35:29.000 AM kernel[0] en0: BSSID changed to 12:9a:dd:84:09:79

8/23/13 1:35:29.000 AM kernel[0] en0::IO80211Interface::postMessage bssid changed

8/23/13 1:35:29.000 AM kernel[0] AirPort: RSN handshake complete on en0

8/23/13 1:35:29.797 AM configd[17] network changed: v4(en0+:172.16.42.4) DNS+ Proxy+ SMB

8/23/13 1:35:29.801 AM mDNSResponder[57] mDNS_RegisterInterface: Frequent transitions for interface en0 (FE80:0000:0000:0000:2ACF:E9FF:FE16:569B)

8/23/13 1:35:29.801 AM mDNSResponder[57] mDNS_RegisterInterface: Frequent transitions for interface en0 (172.16.42.4)

8/23/13 1:35:29.807 AM UserEventAgent[11] Captive: en0: Not probing 'GAP5Hh12%s' (protected network)

8/23/13 1:35:29.809 AM configd[17] network changed: v4(en0!:172.16.42.4) DNS Proxy SMB

iMac, OS X Mountain Lion (10.8.4)

Posted on Aug 26, 2013 10:07 AM

3 replies

Aug 26, 2013 3:51 PM in response to rstemp

Hello,


The only real problem I see there is Norton/Symantec.


Do you know who owns this Base Station or SSID?


GAP5Hh12%s


Where do you see the screenshots being taken?

8/22/13 9:17:33.000 AM kernel[0] en0: 802.11d country code set to 'X0'.

8/22/13 9:17:34.000 AM kernel[0] en0: 802.11d country code set to 'US'.

8/22/13 4:21:30.000 PM kernel[0] en0: 802.11d country code set to 'X0'.

I think the difference in those is whether it's getting a response from querying the Router/Modem for a country code or not.


Waiting for more info, but it looks like either your Airport/Wifi is trying to join 2 different Routers, or the same Router with 2 different logins, maybe an older one?
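
An added example (not part of any post in this thread): a small Python triage script for the Console excerpts above. It lists the distinct BSSIDs the Mac associated with, the sequence of 802.11d country codes, and the number of `configd` network changes per interface. The regular expressions are written against the line shapes shown in the posted log and are assumptions about the format elsewhere; the sample lines are copied from the thread.

```python
import re
from collections import Counter

# Sample input: lines copied from the log excerpts posted in this thread.
SAMPLE = """\
8/22/13 9:17:33.000 AM kernel[0] en0: 802.11d country code set to 'X0'.
8/22/13 9:17:34.000 AM kernel[0] en0: 802.11d country code set to 'US'.
8/23/13 1:35:28.037 AM configd[17] network changed: v4(en0-:172.16.42.4) DNS- Proxy- SMB
8/23/13 1:35:29.000 AM kernel[0] MacAuthEvent en0 Auth result for: 12:9a:dd:84:09:79 MAC AUTH succeeded
8/23/13 1:35:29.000 AM kernel[0] en0: BSSID changed to 12:9a:dd:84:09:79
8/23/13 1:35:29.797 AM configd[17] network changed: v4(en0+:172.16.42.4) DNS+ Proxy+ SMB
8/23/13 1:35:29.809 AM configd[17] network changed: v4(en0!:172.16.42.4) DNS Proxy SMB
"""

# "<date> <time> AM|PM <process>[<pid>] <message>" as seen in the posted excerpts.
LINE = re.compile(r"^(\S+ \S+ [AP]M) ([\w.]+)\[(\d+)\] (.*)$")
BSSID = re.compile(r"BSSID changed to ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
COUNTRY = re.compile(r"802\.11d country code set to '(\w+)'")
NETCHG = re.compile(r"network changed: v4\((\w+?)([-+!]):")

def summarize(text):
    """Return distinct BSSIDs, country-code sequence and per-interface change counts."""
    bssids, countries, changes = [], [], Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or non-log lines
        _, proc, _, msg = m.groups()
        if proc == "kernel":
            if (b := BSSID.search(msg)) and b.group(1).lower() not in bssids:
                bssids.append(b.group(1).lower())
            if c := COUNTRY.search(msg):
                countries.append(c.group(1))
        elif proc == "configd" and (n := NETCHG.search(msg)):
            changes[n.group(1)] += 1
    return {"bssids": bssids, "countries": countries, "changes": dict(changes)}

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result)
    # More than one distinct BSSID means the Mac associated with more than
    # one access-point radio during the period the log covers.
    print("multiple BSSIDs seen:", len(result["bssids"]) > 1)
```
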

Aug 26, 2013 7:33 PM in response to BDAqua

The SSID is our own. We are concerned about the references to shield windows and related references to system generated screenshots. We do not see these on our other macs, and do not see them after this machine was reformatted and reinstalled over the last couple of days. These log events happened around the same time a script was run to de-install Norton NIS.

Aug 26, 2013 11:44 PM in response to rstemp

Uhhg, Norton! 😟


Make a New Location, Using network locations in Mac OS X ...


http://support.apple.com/kb/HT2712


old... http://docs.info.apple.com/article.html?artnum=106653


Hi, this has worked for a few...


Though all of these steps may or may not be needed, I'm including them all.


Make a New Location, Using network locations in Mac OS X ...


http://support.apple.com/kb/HT2712


10.5, 10.6, 10.7 & 10.8…


System Preferences>Network, top of window>Locations>Edit Locations, little plus icon, give it a name.



10.5.x/10.6.x/10.7.x instructions...


System Preferences>Network, click on the little gear at the bottom next to the + & - icons, (unlock lock first if locked), choose Set Service Order.


The interface that connects to the Internet should be dragged to the top of the list.

If using Wifi/Airport...


Instead of joining your Network from the list, click the WiFi icon at the top, and click join other network. Fill in everything as needed.


For 10.5/10.6/10.7/10.8, System Preferences>Network, unlock the lock if need be, highlight the Interface you use to connect to Internet, click on the advanced button, click on the DNS tab, click on the little plus icon, then add these numbers...


208.67.222.222

208.67.220.220


(There may be better or faster DNS numbers in your area, but these should be a good test).

Click OK.
