
Hacking - help reading Console

My apologies for the super newbie post, but I need some help, and if any of you understand the console and can help me out here, it'd be so much appreciated!

I let my boyfriend use my guest account on my MacBook while I was away. I found some funny things in Console. To the untrained eye, it looks like hacking. Of course, I might just be a silly suspicious girlfriend..

But I have no idea if he could be trying to get my password for some reason.

Can anyone tell me, by what is in Console, if he is trying to hack my password?

I'll select in bold the commands that worry me the most..

Thank you so much!

5/15/14 8:00:44.000 PM kernel: MacAuthEvent en1 Auth result for: 00:22:3f:37:7f:3c MAC AUTH succeeded

5/15/14 8:00:44.000 PM kernel: wlEvent: en1 en1 Link UP virtIf = 0

5/15/14 8:00:44.000 PM kernel: AirPort: Link Up on en1

5/15/14 8:00:44.000 PM kernel: en1: BSSID changed to 00:22:3f:37:7f:3c

5/15/14 8:00:44.352 PM com.apple.SecurityServer: Session 100023 created

5/15/14 8:00:44.413 PM configd: network configuration changed.

5/15/14 8:00:44.416 PM [0x0-0x13013].com.spotify.client: 00:00:44.415 I [ap_connection_impl.cpp:911 ] Connecting to AP ap.gslb.spotify.com:4070

5/15/14 8:00:44.440 PM loginwindow: Login Window Started Security Agent

5/15/14 8:00:44.446 PM UserEventAgent: CaptiveNetworkSupport:CaptivePublishState:1211 en1 - Probe

5/15/14 8:00:44.447 PM UserEventAgent: CaptiveNetworkSupport:CaptiveStartDetect:2322 Bypassing probe on NETGEAR because signature is in the known good cache

5/15/14 8:00:44.447 PM UserEventAgent: CaptiveNetworkSupport:CaptivePublishState:1211 en1 - Unknown

5/15/14 8:00:44.449 PM configd: network configuration changed.

5/15/14 8:00:45.705 PM [0x0-0x13013].com.spotify.client: 00:00:45.704 I [ap_connection_impl.cpp:551 ] Connected to AP: 193.182.8.30:4070

5/15/14 8:00:47.072 PM SecurityAgent: Echo enabled

5/15/14 8:00:47.072 PM SecurityAgent: Echo enabled

5/15/14 8:00:47.110 PM airportd: _doAutoJoin: Already associated to “NETGEAR”. Bailing on auto-join.

5/15/14 8:00:47.187 PM SecurityAgent: User info context values set for Guest

5/15/14 8:00:47.187 PM SecurityAgent: User info context values set for Guest

5/15/14 8:00:48.000 PM kernel: utun_ctl_connect: creating interface utun0

5/15/14 8:00:48.000 PM kernel: utun0: attached with 0 suspended link-layer multicast membership(s)

5/15/14 8:00:48.253 PM [0x0-0x13013].com.spotify.client: 00:00:48.252 I [autoupdate.cpp:462 ] AutoUpdate [448 90800296 0]

5/15/14 8:00:48.253 PM [0x0-0x13013].com.spotify.client: 00:00:48.253 I [autoupdate.cpp:547 ] AutoUpdate initializing [FULL 2227c6de69cf3873cedd01f37fd4d10957380508 91000014 0 0x0]

5/15/14 8:00:48.253 PM [0x0-0x13013].com.spotify.client: 00:00:48.253 I [autoupdate.cpp:441 ] AutoUpdate waiting 0 seconds

5/15/14 8:00:48.389 PM UserEventAgent: CaptiveNetworkSupport:CaptivePublishState:1211 en1 - PreProbe

5/15/14 8:00:48.393 PM configd: network configuration changed.

5/15/14 8:00:48.486 PM [0x0-0x13013].com.spotify.client: 00:00:48.485 I [ad_chooser.cpp:1150 ] Found ad (time = 1400198447, adclass = 'tower', time left = 120, length = 30)

5/15/14 8:00:48.487 PM [0x0-0x13013].com.spotify.client: 00:00:48.486 I [ad_chooser.cpp:1150 ] Found ad (time = 1400198447, adclass = 'tower', time left = 120, length = 30)

5/15/14 8:00:48.784 PM [0x0-0x13013].com.spotify.client: 00:00:48.784 I [autoupdate.cpp:561 ] AutoUpdate starting download

5/15/14 8:00:48.794 PM [0x0-0x13013].com.spotify.client: 00:00:48.793 3 [playlist_be_pl4_context.cpp:400 ] [spotify:user:129770633:playlist:3BSNNw4Sj2eocFZqdwm3Ke] Synchronization starting: DIFF (from revision 15,09f2f61a71877cfcfe8fed9916b09d88732ea3f9)

5/15/14 8:00:48.794 PM [0x0-0x13013].com.spotify.client: 00:00:48.793 3 [playlist_be_pl4_context.cpp:400 ] [spotify:user:m83spotify:playlist:4W2m1FwDU3vLsjd6sYfHaY] Synchronization starting: HEAD (from revision 0,726f6f7400000000000000000000000000000000)

5/15/14 8:00:48.794 PM [0x0-0x13013].com.spotify.client: 00:00:48.793 3 [playlist_be_pl4_context.cpp:400 ] [spotify:user:imaginedragonsofficial:playlist:2hyXzZLirttmHDNsABWTBL] Synchronization starting: DIFF (from revision 26,ed7b3d640ab8e4a67b3735d914f11217bf5fc57f)

5/15/14 8:00:48.794 PM [0x0-0x13013].com.spotify.client: 00:00:48.793 3 [playlist_be_pl4_context.cpp:400 ] [spotify:user:123805322:playlist:7GKy27iOiMxcvF3lK1HA0q] Synchronization starting: DIFF (from revision 13,239af14531e2e2f70ce7f668c2758bd873017da7)

5/15/14 8:00:48.794 PM [0x0-0x13013].com.spotify.client: 00:00:48.793 3 [playlist_be_pl4_context.cpp:400 ] [spotify:user:rhino_records:playlist:7aw20b4F3dYJ0XN2TZQMJX] Synchronization starting: DIFF (from revision 6,ea624438a57ab43853ca1f221cf7d440d491bd36)

5/15/14 8:00:48.800 PM [0x0-0x13013].com.spotify.client: 00:00:48.799 I [ad_chooser.cpp:1150 ] Found ad (time = 1400198447, adclass = 'tower', time left = 120, length = 30)

5/15/14 8:00:50.465 PM awacsd: RouteDiscovery: sendmsg error (6): Device not configured

5/15/14 8:00:54.535 PM configd: network configuration changed.

5/15/14 8:00:54.547 PM [0x0-0x13013].com.spotify.client: 00:00:54.546 I [ap_handler_impl.cpp:2141 ] Forced disconnect from AP

5/15/14 8:00:54.798 PM [0x0-0x13013].com.spotify.client: 00:00:54.798 I [ap_connection_impl.cpp:911 ] Connecting to AP ap.gslb.spotify.com:80

5/15/14 8:00:55.152 PM UserEventAgent: CaptiveNetworkSupport:CaptivePublishState:1211 en1 - Probe

5/15/14 8:00:55.153 PM UserEventAgent: CaptiveNetworkSupport:CaptiveStartDetect:2322 Bypassing probe on NETGEAR because signature is in the known good cache

5/15/14 8:00:55.153 PM UserEventAgent: CaptiveNetworkSupport:CaptivePublishState:1211 en1 - Unknown

5/15/14 8:00:55.154 PM configd: network configuration changed.

5/15/14 8:00:55.466 PM awacsd: RouteDiscovery: sendmsg error (6): Device not configured

5/15/14 8:00:56.749 PM [0x0-0x13013].com.spotify.client: 00:00:56.748 I [ap_connection_impl.cpp:551 ] Connected to AP: 193.182.8.35:80

5/15/14 8:00:58.389 PM [0x0-0x13013].com.spotify.client: 00:00:58.388 I [autoupdate.cpp:462 ] A

5/15/14 8:01:20.990 PM com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B7: creating home directories for (Loreleis-MacBook-Pro.local)

5/15/14 8:01:20.990 PM com.apple.authorizationhost.00000000-0000-0000-0000-0000000186B7: created (/Users/Guest)

5/15/14 8:01:23.690 PM sandboxd: ([54]) applepushservice(54) deny file-read-data /private/etc/master.passwd

5/15/14 8:01:26.163 PM xpchelper: for uid: 501 -- timeout while waiting on FSEvents flush; clearing cache.

5/15/14 8:01:31.798 PM mcxalr_agent: Listener client (pid: 5157) entering listen mode for uid: 201

5/15/14 8:01:31.976 PM loginwindow: Login Window - Returned from Security Agent

5/15/14 8:01:32.000 PM kernel: mcxalr{0} 64-bit Build date: Jun 30 2013 18:58:34

5/15/14 8:01:32.000 PM kernel: mcxalr{1} Started

5/15/14 8:01:32.000 PM kernel: mcxalr{2} Management ENABLED for uid: 201

5/15/14 8:01:32.000 PM kernel: calling mpo_policy_init for mcxalr

5/15/14 8:01:32.000 PM kernel: Security policy loaded: MCX App Launch (mcxalr)

5/15/14 8:01:32.000 PM kernel: mcxalr{3} Auth provider registered. connection: 1 uid: 201 version: 1

5/15/14 8:01:32.609 PM loginwindow: USER_PROCESS: 5083 console

5/15/14 8:01:33.173 PM airportd: _doAutoJoin: Already associated to “NETGEAR”. Bailing on auto-join.

5/15/14 8:01:37.067 PM UserEventAgent: CaptiveNetworkSupport:CNSServerRegisterUserAgent:187 new user agent port: 18839

5/15/14 8:01:55.000 PM kernel: CODE SIGNING: cs_invalid_page(0x10ed2a000): p=5159[parentalcontrols] clearing CS_VALID

5/15/14 8:01:58.000 PM kernel: mcxalr{4} ** Denying execute for uid=201 path=/Applications/Utilities/Adobe Application Manager/UWA/UpdaterStartupUtility

5/15/14 8:01:58.000 PM kernel: mcxalr{5} ** Denying execute for uid=201 path=/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/ Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent

5/15/14 8:01:58.000 PM kernel: mcxalr{6} ** Denying execute for uid=201 path=/Applications/App Store.app/Contents/Resources/appstoreupdateagent

5/15/14 8:02:06.068 PM com.apple.dock.extra: 2014-05-15 20:02:06.064 com.apple.dock.extra[5213:1a07] Could not connect the action buttonPressed: to target of class NSApplication

5/15/14 8:02:06.068 PM com.apple.dock.extra: 2014-05-15 20:02:06.068 com.apple.dock.extra[5213:1a07] Could not connect the action buttonPressed: to target of class NSApplication

5/15/14 8:02:06.069 PM com.apple.dock.extra: 2014-05-15 20:02:06.068 com.apple.dock.extra[5213:1a07] Could not connect the action buttonPressed: to target of class NSApplication

5/15/14 8:02:06.070 PM com.apple.dock.extra: 2014-05-15 20:02:06.068 com.apple.dock.extra[5213:1a07] Could not connect the action buttonPressed: to target of class NSApplication

5/15/14 8:02:14.586 PM [0x0-0x13013].com.spotify.client: 00:02:14.585 E [watchdog.cpp:194 ] High-latency (gui, 1573)

5/15/14 8:02:16.760 PM [0x0-0x13013].com.spotify.client: [0515/200216:ERROR:connection.cc(799)] sqlite error 1802, errno 0: disk I/O error

5/15/14 8:02:16.760 PM [0x0-0x13013].com.spotify.client: [0515/200216:ERROR:connection.cc(799)] sqlite error 1, errno 0: SQL logic error or missing database

5/15/14 8:02:45.124 PM PubSubAgent: SQL Error: SQLITE_CANTOPEN[14.0]: Database file not found

5/15/14 8:03:16.981 PM [0x0-0x13013].com.spotify.client: 00:03:16.980 E [watchdog.cpp:194 ] High-latency (gui, 3969)

5/15/14 8:03:18.673 PM sandboxd: ([5235]) webfilterproxyd(5235) deny job-creation

5/15/14 8:03:56.262 PM com.apple.SecurityServer: Killing auth hosts

5/15/14 8:03:56.262 PM com.apple.SecurityServer: Session 100019 destroyed

5/15/14 8:04:25.000 PM kernel: (default pager): [KERNEL]: ps_select_segment - send HI_WAT_ALERT

5/15/14 8:04:33.000 PM kernel: macx_swapon SUCCESS

5/15/14 8:04:47.797 PM sandboxd: ([5245]) PluginProcess(5245) deny file-read-xattr /Users/Guest/Library/Preferences

5/15/14 8:04:48.000 PM kernel: IOSurface: buffer allocation size is zero

5/15/14 8:05:37.970 PM [0x0-0x13013].com.spotify.client: [0515/200537:ERROR:connection.cc(799)] sqlite error 1802, errno 0: disk I/O error

5/15/14 8:05:37.970 PM [0x0-0x13013].com.spotify.client: [0515/200537:ERROR:connection.cc(799)] sqlite error 1, errno 0: SQL logic error or missing database

5/15/14 8:06:45.000 PM kernel: AppleUSBMultitouchDriver::validateChecksum - 512-byte packet checksum is incorrect (expected 0x8ed, checksum bytes were 0x0)

5/15/14 8:07:45.000 PM kernel: IOSurface: buffer allocation size is zero

5/15/14 8:08:09.776 PM com.apple.SecurityServer: Session 100025 created

5/15/14 8:09:06.168 PM [0x0-0x13013].com.spotify.client: [0515/200906:ERROR:connection.cc(799)] sqlite error 1802, errno 0: disk I/O error

5/15/14 8:09:06.168 PM [0x0-0x13013].com.spotify.client: [0515/200906:ERROR:connection.cc(799)] sqlite error 1, errno 0: SQL logic error or missing database

5/15/14 8:09:36.099 PM SoftwareUpdateCheck: SoftwareUpdateCheck (Launch): user 501 not on-console

5/15/14 8:09:36.100 PM com.apple.launchd.peruser.501: (com.apple.softwareupdateagent) Throttling respawn: Will start in 1497 seconds

5/15/14 8:18:37.000 PM kernel: CODE SIGNING: cs_invalid_page(0x1000): p=5274[GoogleSoftwareUp] clearing CS_VALID

5/15/14 8:21:13.888 PM [0x0-0x13013].com.spotify.client: 00:21:13.888 E [watchdog.cpp:194 ] High-latency (gui, 2905)

5/15/14 8:32:36.860 PM mDNSResponder: ERROR: socket closed prematurely tcpInfo->nread = 0

5/15/14 8:32:36.860 PM mDNSResponder: tcpCallback: stream connection for _printer._tcp.97558637.members.btmm.icloud.com. (PTR) failed, retrying in 900000 ms

5/15/14 8:39:33.181 PM SoftwareUpdateCheck: SoftwareUpdateCheck (Launch): user 501 not on-console

5/15/14 8:39:33.182 PM com.apple.launchd.peruser.501: (com.apple.softwareupdateagent) Throttling respawn: Will start in 1500 seconds

5/15/14 9:00:18.000 PM kernel: mcxalr{7} ** Denying execute for uid=201 path=/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/ Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent

5/15/14 9:05:19.035 PM PluginProcess: kCGErrorIllegalArgument: _CGSFindSharedWindow: WID 2688

5/15/14 9:05:19.035 PM PluginProcess: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.

5/15/14 9:05:19.035 PM PluginProcess: kCGErrorIllegalArgument: CGSRemoveSurface: Invalid window 0xa80

5/15/14 9:09:33.908 PM SoftwareUpdateCheck: SoftwareUpdateCheck (Launch): user 501 not on-console

5/15/14 9:09:33.909 PM com.apple.launchd.peruser.501: (com.apple.softwareupdateagent) Throttling respawn: Will start in 1500 seconds

5/15/14 9:17:20.000 PM kernel: CODE SIGNING: cs_invalid_page(0x1000): p=5300[GoogleSoftwareUp] clearing CS_VALID

5/15/14 9:29:12.000 PM kernel: (default pager): [KERNEL]: ps_select_segment - send HI_WAT_ALERT

5/15/14 9:29:13.000 PM kernel: macx_swapon SUCCESS

5/15/14 9:39:34.146 PM SoftwareUpdateCheck: SoftwareUpdateCheck (Launch): user 501 not on-console

5/15/14 9:39:34.147 PM com.apple.launchd.peruser.501: (com.apple.softwareupdateagent) Throttling respawn: Will start in 1500 seconds

5/15/14 9:59:01.000 PM kernel: mcxalr{8} ** Denying execute for uid=201 path=/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/ Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent

5/15/14 10:09:34.463 PM SoftwareUpdateCheck: SoftwareUpdateCheck (Launch): user 501 not on-console

5/15/14 10:09:34.464 PM com.apple.launchd.peruser.501: (com.apple.softwareupdateagent) Throttling respawn: Will start in 1500 seconds

5/15/14 10:16:03.000 PM kernel: CODE SIGNING: cs_invalid_page(0x1000): p=5316[GoogleSoftwareUp] clearing CS_VALID

5/15/14 10:19:10.289 PM PluginProcess: kCGErrorIllegalArgument: _CGSFindSharedWindow: WID 2704

5/15/14 10:19:10.289 PM PluginProcess: kCGErrorIllegalArgument: CGSRemoveSurface: Invalid window 0xa90

5/15/14 10:21:13.346 PM mDNSResponder: ERROR: socket closed prematurely tcpInfo->nread = 0

5/15/14 10:39:34.800 PM SoftwareUpdateCheck: SoftwareUpdateCheck (Launch): user 501 not on-console

5/15/14 10:39:34.801 PM com.apple.launchd.peruser.501: (com.apple.softwareupdateagent) Throttling respawn: Will start in 1500 seconds

5/15/14 10:50:48.560 PM com.apple.launchd.peruser.501: (com.facebook.videochat.Leathur.updater[5323]) Tried to setup shared memory more than once

5/15/14 10:54:16.140 PM mDNSResponder: ERROR: socket closed prematurely tcpInfo->nread = 0

5/15/14 10:54:16.140 PM mDNSResponder: tcpCallback: stream connection for _printer._tcp.97558637.members.btmm.icloud.com. (PTR) failed, retrying in 900000 ms

5/15/14 10:57:44.000 PM kernel: mcxalr{9} ** Denying execute for uid=201 path=/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/ Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent

5/15/14 11:08:42.580 PM mDNSResponder: ERROR: socket closed prematurely tcpInfo->nread = 0

5/15/14 11:08:42.580 PM mDNSResponder: tcpCallback: stream connection for _pdl-datastream._tcp.97558637.members.btmm.icloud.com. (PTR) failed, retrying in 900000 ms

5/15/14 11:09:21.199 PM sandboxd: ([5235]) webfilterproxyd(5235) deny network-inbound 192.168.1.11:50687

5/15/14 11:09:35.132 PM SoftwareUpdateCheck: SoftwareUpdateCheck (Launch): user 501 not on-console

5/15/14 11:09:35.133 PM com.apple.launchd.peruser.501: (com.apple.softwareupdateagent) Throttling respawn: Will start in 1500 seconds

5/15/14 11:09:35.967 PM mDNSResponder: ERROR: socket closed prematurely tcpInfo->nread = 0

5/15/14 11:09:35.967 PM mDNSResponder: tcpCallback: stream connection for _smb._tcp.97558637.members.btmm.icloud.com. (PTR) failed, retrying in 900000 ms

5/15/14 11:14:47.000 PM kernel: CODE SIGNING: cs_invalid_page(0x1000): p=5335[GoogleSoftwareUp] clearing CS_VALID

5/15/14 11:18:50.647 PM sandboxd: ([5235]) webfilterproxyd(5235) deny network-inbound192.168.1.11:50701

5/15/14 11:19:37.160 PM PluginProcess: kCGErrorIllegalArgument: _CGSFindSharedWindow: WID 2716

5/15/14 11:19:37.161 PM PluginProcess: kCGErrorIllegalArgument: CGSRemoveSurface: Invalid window 0xa9c

5/15/14 11:21:04.574 PM PluginProcess: kCGErrorIllegalArgument: _CGSFindSharedWindow: WID 2681

5/15/14 11:21:04.574 PM PluginProcess: kCGErrorIllegalArgument: CGSRemoveSurface: Invalid window 0xa79

5/15/14 11:21:05.298 PM loginwindow: sendQuitEventToApp (EEventManager): AESendMessage returned error -1712

5/15/14 11:21:05.777 PM PluginProcess: kCGErrorIllegalArgument: _CGSFindSharedWindow: WID 2696

5/15/14 11:21:05.777 PM PluginProcess: kCGErrorIllegalArgument: CGSRemoveSurface: Invalid window 0xa88

5/15/14 11:21:07.791 PM loginwindow: Application hardKill returned -600

5/15/14 11:21:08.315 PM mcxalr_agent: Disconnect request received. Reason: unmanage

5/15/14 11:21:08.339 PM loginwindow: DEAD_PROCESS: 5083 console

5/15/14 11:21:08.530 PM loginwindow: Application hardKill returned -600

5/15/14 11:21:09.000 PM kernel: mcxalr{10} Management DISABLED for uid: 201

5/15/14 11:21:11.826 PM WindowServer: _CGXPostKillRequest(): Not implemented; nothing should be calling this anymore.

5/15/14 11:21:12.609 PM UserEventAgent: CaptiveNetworkSupport:UserAgentDied:139 User Agent @port=18839 Died

Posted on May 16, 2014 1:38 AM

5 replies

May 16, 2014 8:10 AM in response to FenderGuitarPl8r

None of that is evidence of "hacking." However, if you know or suspect that a hostile intruder has either had physical access to the computer, or has been able to log in remotely, then there are some steps you should take to make sure that the computer is safe to use.

First, if there's any chance that the incident will be the subject of legal action, then you should do nothing at all without consulting a lawyer or the police. The computer would be the principal evidence in such a case, and you don't want to tamper with it.

Running any kind of software to scan for "viruses" or "rootkits" is worse than useless. If I broke into a system and wanted to leave a back door, I could do it in a way that would be undetectable by those means—and I don't pretend to any special skill as a hacker. You have to assume that any intruder can do the same. The "anti-virus" software itself will slow down and destabilize the computer with no offsetting benefit.

The only way you can be sure that the computer is not compromised is to erase at least the startup volume and restore it to something like the status quo ante. The easiest approach is to recover the entire system from a backup that predates the attack. Obviously, that's only practical if you know when the attack took place, and it was recent, and you have such a backup. You will lose all changes to data, such as email, that were made after the time of the snapshot. Some of those changes can be restored from a later backup.

If you don't know when the attack happened, or if it was too long ago for a complete rollback to be feasible, then you should erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

When you reboot after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

Reinstall third-party software from original media or fresh downloads—not from a backup, which may be contaminated.

Unless you were the target of an improbably sophisticated attack, this procedure will leave you with a clean system. If you have reason to think that you were the target of a sophisticated attack, then you need expert help.

That being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.

Jun 23, 2015 3:12 PM in response to Linc Davis

I share the troublesome overzealousness/paranoia concerning reading too much into what looks like suspicious coding, but having had the origins of my digital Odyssey in a confirmed remote access hack (hacker's ego: of course he(/she?) left a "gotya tag") dating to or before February of this year 2015, and odd behavior/settings/failures in each of the household's phones, computers, and routers since then (all new or hard-wiped for all the good it did me), I can't seem to put this demon to bed and exorcise this ghost from my machines.


After a switch in ISPs, a detailed secure set-up of the new router, and a supposedly hard scrubbing of all devices I couldn't outright replace (including a wipe and reinstall of firmware in my iPhone 4s, and no restore of data or connection to old accounts, be they email or Apple, on any of the devices), my brand new MacBook Pro's Apple Message Log is again filled with suspicious entries (at least they are to me: once bitten, twice cautious paranoia and all that).


---- Mister Linc Davis, you and nbar seem from your posting activity to be well versed in the art of Mac (I am a newcomer, though an iPhone user for several years), enough so as to confirm or assuage my fears, and so I humbly request your aid.

I will resist dumping hundreds of lines of log entries or code, and instead pick out what, however numerous, yet limited, lines my research, intuition, experience and reason point out to me as dubious or worth further investigation.


+++


To begin with, I ran the following lines in my console from nbar's response to a post concerning remote hacking, meant to confirm or refute a potential "in" for remote hacking: "ssh connection" for shell commands.



> if [ "SSH_CONNECTION ]; then

> echo I am remote

> else

> echo I am local

> fi

I am remote

* Owner Name?+s *-MacBook-Pro:~ * User Name(taken from user file w/House Icon) *$


(ex. for last line: Johns-MacBook-Pro:~ JohnnyBoy$)


In the words of nbar: 'A return of "i am local" ensures there is no remote connection to your machine' (through SSH at least).

I received "I am remote"; does this mean there IS an active remote connection through SSH? How do I stop it? Can I identify its source?

Does the "$" at the end indicate someone using remote Bash commands?


On the Console Window Inspector:


tty: /dev/ttys000


Command: login -pf ReidoBot


Shell: bash


Is this worrisome?

+++++


In the following, from firewall app log:


I am happy that this netbiosd is being blocked, as it is an entirely unsolicited sharing attempt (as far as I understand), but is this unusual in and of itself?

A netbiosd UDP attempt seems rather invasive, is it directed maliciously or merely knocking randomly at all doors?

Also, having my computer named, identified, and attached to what seems to be a neighbor's network name "utopia".net (unless that is somehow a computer term in this context and it is an unlikely coincidence), and at that it is secured with password that I don't have and which I have never intentionally attempted to connect to) seems strange. As far as I can tell on the previous and confirmed as compromised devices, whatever or whoever the hacking is cycles through all possible data connections "bootstrapping" blue-tooth, wi-fi, and ethernet (the last is rarely successful, never plugged in) connections and "hijacking" endpoints, might it be somehow trying to piggyback onto a neighbor's connection, or is this all completely innocuous network communication?


Jun 22 15:59:35 Rei Reids-MacBook-Pro.local socketfilterfw[332] <Error>: Logging: creating /var/log/appfirewall.log

Jun 22 15:59:35 Reids-MacBook-Pro.local socketfilterfw[332] <Info>: netbiosd: Deny UDP CONNECT (in:1 out:0)

Jun 22 16:00:05 Reids-MacBook-Pro.local socketfilterfw[332] <Info>: netbiosd: Deny UDP CONNECT (in:2 out:0)

(......)

Jun 22 17:24:09 Reids-MBP.utopia.net socketfilterfw[332] <Info>: netbiosd: Deny UDP CONNECT (in:3 out:0)

Jun 22 17:24:32 Reids-MBP.utopia.net socketfilterfw[332] <Info>: Stealth Mode connection attempt to UDP 2 time


---------——


As far as my memory serves, I believe I had yet to even sign on to the new router and internet connection by the listed time on the following logs, the ISP technician was still at the house setting it up, if this was the case, should my computer have been trying to reach something from remoteservice, or accepting NSXPC connections? And the idea of a "listener" logging an array of accountUIDs is disturbing and suspect (or is it normal? I'm sorry for knowing just enough to worry, I appreciate any and all aid and comments in this matter)


Jun 22, 2015, 3:32:47 PM com.apple.preferences.extensions.remoteservice[621]: ### PreferencePaneMain

Jun 22, 2015, 3:32:47 PM com.apple.preferences.extensions.remoteservice[621]: Failed to connect (description) outlet from (NSTableCellView) to (NSTextField): missing setter or instance variable

Jun 22, 2015, 3:32:47 PM storeaccountd[532]: AccountServiceDelegate: Accepting new connection <NSXPCConnection: 0x7f825a61b380> connection from pid 621 with interface <AccountServiceInterface: 0x6s536b828c7> (PID 621) ( *!*!*! This is not the actual value in the "0x...", I thought it could be a sensitive personal identifier and so altered the characters but am unsure, if the original value is useful for problem solving/identifying the foreign element, just let me know)


Jun 22, 2015, 3:32:52 PM com.apple.internetaccounts[623]: Additional Logging , array retured in signedInAccounts is (

)

Jun 22, 2015, 3:32:52 PM com.apple.internetaccounts[623]: Adding listener

Jun 22, 2015, 3:32:52 PM com.apple.internetaccounts[623]: Returning accountUIDs: (


)


----------


In the following code (read if useful, if not it is perhaps superfluous as I am essentially just questioning): why "MacBuddy" loginhelper comes after setting user autologin and needs a SHELL address? I hate anything SHELL, but I could see how this is totally standard ...


Jun 22 11:50:04 Reids-MacBook-Pro.local Setup Assistant[192]: -[HiCloudWindowController _showNextPane] -- DiagnosticsAndUsage

Jun 22 11:50:05 Reids-MacBook-Pro.local Setup Assistant[192]: Performing background setup prior to exiting buddy

Jun 22 11:50:10 Reids-MacBook-Pro.local Setup Assistant[192]: Setting one-time autologin user Reid

Jun 22 11:50:10 Reids-MacBook-Pro.local Setup Assistant[192]: Setting the MacBuddy Cookie

Jun 22 11:50:10 Reids-MacBook-Pro.local Setup Assistant[192]: u 1.00 ic 0.00 bf 0.00 f 0.00

Jun 22 11:50:15 Reids-MacBook-Pro.local Setup Assistant[192]: Skipping iCloud Drive migration...

Jun 22 11:50:15 Reids-MacBook-Pro.local Setup Assistant[192]: Turning off Diagnostic Info

Jun 22 11:50:15 Reids-MacBook-Pro.local Setup Assistant[192]: Turning off Third-Party Diagnostic Info

Jun 22 11:50:15 Reids-MacBook-Pro.local Setup Assistant[192]: Skipping replay keychain item: not minibuddy

Jun 22 11:50:15 Reids-MacBook-Pro.local Setup Assistant[192]: initializing helper with target uid 501

Jun 22 11:50:15 Reids-MacBook-Pro.local mbloginhelper[255]: mbloginhelper[501,501]: {

HOME = "/Users/Reid";

LOGNAME = Reid;

PATH = "/usr/bin:/bin:/usr/sbin:/sbin";

SHELL = "/bin/bash";

TMPDIR = "/var/folders/l5/pg79mkgs7nxgnv4v_7_7d3mc0000gn/T/";

USER = Reid;

"XPC_FLAGS" = 0x0;

"XPC_SERVICE_NAME" = "com.apple.mbloginhelper.user";

"__CF_USER_TEXT_ENCODING" = "0x1F5:0:0";


——

-----------


I did turn on FileVault, but other than that I have had no significant operations performed on the disk, and no intentional system migration. Is this just a record of the FileVault operation or something more sinister? I feel I should maybe block out or alter some of the UUID values, and I am not sure what SKDisk and kSKDisk are; can these be used against me, or are they actually identifying a foreign element or new partition or something? Having the words system migration, mounting, and root so close together is quite disturbing after what I've gone through.



Jun 22 11:44:21 localhost systemmigrationd[206]: Volume Appeared : SKDisk { BSD Name: disk0s1 Mount point: Not Mounted Role: kSKDiskRoleBooter Type: kSKDiskTypeEFI }

Jun 22 11:44:21 localhost systemmigrationd[206]: mountDiskIfNeeded: Disk (SKDisk { BSD Name: disk0s1 Mount point: Not Mounted Role: kSKDiskRoleBooter Type: kSKDiskTypeEFI }) has mountpoint - No Disk is Disk Image - No Disk is locked - No

Jun 22 11:44:21 localhost systemmigrationd[206]: Should attempt disk mount for: SKDisk { BSD Name: disk0s1 Mount point: Not Mounted Role: kSKDiskRoleBooter Type: kSKDiskTypeEFI }

Jun 22 11:44:21 localhost systemmigrationd[206]: Couldn't attempt disk mount as this is not a visible role for: SKDisk { BSD Name: disk0s1 Mount point: Not Mounted Role: kSKDiskRoleBooter Type: kSKDiskTypeEFI }

Jun 22 11:44:21 localhost systemmigrationd[206]: Volume Appeared : SKCSDisk { CSLV UUID: 16172D46-8A85-4B16-9C4B-A3DBC7A5B093 CSLVG UUID: 969323D7-2F4C-45D0-8D34-98DAF4C04BD2 BSD Name: disk1 Mount point: / Role: kSKDiskRoleMacSystem Type: kSKDiskTypeCSLV }

Jun 22 11:44:21 localhost systemmigrationd[206]: mountDiskIfNeeded: Disk (SKCSDisk { CSLV UUID: 16172D46-8A85-4B16-9C4B-A3DBC7A5B093 CSLVG UUID: 969323D7-2F4C-45D0-8D34-98DAF4C04BD2 BSD Name: disk1 Mount point: / Role: kSKDiskRoleMacSystem Type: kSKDiskTypeCSLV }) has mountpoint - Yes Disk is Disk Image - No Disk is locked - No

Jun 22 11:44:21 localhost systemmigrationd[206]: BTMM(root): {(

)}

Jun 22 11:44:21 localhost systemmigrationd[206]: Not attempting disk mount for: SKCSDisk { CSLV UUID: 16172D46-8A85-4B16-9C4B-A3DBC7A5B093 CSLVG UUID: 969323D7-2F4C-45D0-8D34-98DAF4C04BD2 BSD Name: disk1 Mount point: / Role: kSKDiskRoleMacSystem Type: kSKDiskTypeCSLV }

Jun 22 11:44:21 localhost systemmigrationd[206]: connection test:success


----



Thank you all for considering my problem; it has been an exhaustive trial both emotionally and financially, and so I appreciate any time and effort the members of my new Apple family can invest in helping me resolve these issues. Who knows, I acknowledge that I could just be seeing shapes in shadows, but after how this all started and is continuing to unfold, I find there are too many coincidences to be comfortable. Furthermore, if this actually is an extremely mature clandestine data-mining infection, then we need to have trained eyes turned to address it, because Apple itself sure won't even take a look at the code. They have been great about "have you tried turning it off and back on" tech support, and honestly to their credit they have been quite accommodating about replacing devices purchased within a month or so, but beyond that all my efforts, both for my own interest and those of other internet citizens, have unfailingly been met with the party line of "We are obliged to say that what you are talking about cannot be done to these Apple devices", i.e. "What is rare or implausible must be impossible if we are told we can't say it is possible".

I could point out all the websites and threads and videos of how Apple security measures can and have been circumvented, though admittedly none well documented as having exactly the same configuration or with the same terrible elegance and tenacity of what I've been experiencing, and I have in fact done just that to representatives, but in effect I get a "The sky is not blue through my red glasses" response. I don't think, and I hope, it isn't a systemic practice to maximize profits, but I sure have spent more money there each time I go back and forth to the Apple Store only to have the same problem pop up again.

The scary thing is that even some of the hard-wipes/factory restores weren't taking, leaving little things such as search tabs and custom settings configurations to survive the reset. As far as I could infer/deduce (more of the former I suppose) on this, and more obviously on the Windows PCs (where I am far more familiar with administrative computer operation), the coding replaces system and root files with files identically or similarly named and might even partition and somehow hide itself in the new part of the hard drive to reestablish itself even after a wipe (though maybe not a proper reformatting, I am unsure).
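An added example, not code from this thread or from nbar's post, showing what the SSH_CONNECTION snippet quoted in the reply above was meant to test, and why the snippet as transcribed (no `$`, so the test sees a literal string) prints "I am remote" on any machine. The `check_with_env` helper, the `ssh_exposure_report` function and the sample connection string are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows what the quoted snippet was
# meant to test and why the transcribed version always answers "I am remote".

# Correct check: test the VALUE of the variable. sshd sets SSH_CONNECTION
# ("client_ip client_port server_ip server_port") and, for interactive
# logins, SSH_TTY. A shell opened locally in Terminal.app has neither.
ssh_session_check() {
    if [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ]; then
        echo "I am remote"
    else
        echo "I am local"
    fi
}

# What the transcript actually ran: without "$" the test sees the literal
# string SSH_CONNECTION. `[ "any-non-empty-string" ]` is always true, so
# this prints "I am remote" on every machine, SSH session or not.
buggy_check() {
    if [ "SSH_CONNECTION" ]; then
        echo "I am remote"
    else
        echo "I am local"
    fi
}

# Demonstration helper (an assumption of this example): run the correct
# check in a subshell with SSH_CONNECTION set to "$1", or unset when "$1"
# is empty, so the caller's own environment is left untouched.
check_with_env() {
    if [ -n "$1" ]; then
        ( SSH_CONNECTION="$1"; unset SSH_TTY; ssh_session_check )
    else
        ( unset SSH_CONNECTION SSH_TTY; ssh_session_check )
    fi
}

# The env-var test only describes the shell you are typing in. To see
# whether anyone ELSE currently has an SSH session, list logged-in sessions
# and established connections to port 22 (read-only commands, run on the
# Mac itself; macOS netstat prints addresses as host.port).
ssh_exposure_report() {
    echo "== logged-in sessions (remote ones show a host in parentheses) =="
    who
    if command -v netstat >/dev/null 2>&1; then
        echo "== established TCP sessions on port 22 =="
        netstat -an | grep -E '\.22[[:space:]]+.*ESTABLISHED' || echo "(none)"
    fi
    # Whether Remote Login (sshd) is switched on at all, as in
    # System Preferences > Sharing:  sudo systemsetup -getremotelogin
}

# Stand-alone run: report on the current shell, then show the contrast.
ssh_session_check
echo "transcribed version says: $(buggy_check)"
```

Running `ssh_exposure_report` answers the "is someone else connected" question the environment variable cannot; an empty session list and Remote Login reported as Off means no SSH path into the machine exists.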

