
What is com.apple.madrid? Why is this running?

What is

Dec 18 11:26:32 Getoffmymac.local identityservicesd[252]: [Warning] ====== IDS Traffic Usage:

Dec 18 11:26:32 Getoffmymac.local identityservicesd[252]: [Warning] Service: com.apple.private.alloy.sms

Dec 18 11:26:32 Getoffmymac.local identityservicesd[252]: [Warning] outgoing-messages: 1

Dec 18 11:26:32 Getoffmymac.local identityservicesd[252]: [Warning] incoming-messages: 3

Dec 18 11:26:32 Getoffmymac.local identityservicesd[252]: [Warning]

Dec 18 11:26:32 Getoffmymac.local identityservicesd[252]: [Warning] Service: com.apple.madrid

Dec 18 11:26:32 Getoffmymac.local identityservicesd[252]: [Warning] query-requests: 1

Dec 18 11:26:32 Getoffmymac.local identityservicesd[252]: [Warning]

Dec 18 11:26:32 Getoffmymac.local identityservicesd[252]: [Warning] ====== Done



I don't have iMessage, chat, or iCloud open, so why is identityservice running? Why is it a "Warning"? Is this something to be concerned about? Thanks.

Posted on Jan 5, 2015 10:59 AM

15 replies

Jan 5, 2015 7:29 PM in response to chattphotos

Yes -- I have Norton -- but I don't think it's working right, so I enabled Mac's application fw.


I suspect I may have a potential "visitor" on my mac. If it's the authorities --- I'm cool with it. But somehow, I don't think that is the case. I haven't had any apparent money taken from me -- however, I wouldn't want my mac to be used for malicious activity.


There are other oddities on here that make me think this....

Jan 6, 2015 9:50 AM in response to hoosierchick2012

First problem, installing security software on the Mac, they don't do much good and only make problems later on. http://www.thesafemac.com/mmg/


Second, you should never be cool with someone inside the computer, whether it's the NSA, the French underground, or a North Korean spy.


Thirdly, I would recommend backing up your data, erasing the computer and starting over with a fresh installation of Yosemite.

Jan 7, 2015 6:26 PM in response to chattphotos

Chattphotos -- I'm for no one being on there -- but, I'd rather have the good guys there trying to catch the bad guys -- than having crooks use my machine to bot or scam. Thanks for your link.


Basically, wiping the system does no good. What has happened is there is some automation that netboots the system -- and it re-downloads whatever is on it. This happens before anything -- I've seen it in a dmesg stmt. The netboot loads NVRAM RO so you can't get rid of it. I can't even re-set SMC on this system. Doesn't work. I've thought about pulling apart the laptop and pulling the cable on the battery and resetting the SMC that way. The other thing I've thought about was re-blessing the drive so that it does not netboot.


Any suggestion is helpful!!

Jan 7, 2015 10:05 PM in response to hoosierchick2012

It doesn't work like that... Unless you're directly working with the FBI/NSA/DHS in a sting operation to catch targeted bad guys on the internet, there is no reason to ever have anyone connected remotely to your computer. (or to feel comfortable with that fact)


Can you erase the drive and run a MacOS re-install from another Mac with your computer in Target disk mode?


If not, boot into recovery mode, erase the hard drive, re-install a fresh MacOS. That is the fastest way to eradicate anything lurking on a Mac.

From what you've said, are you saying that the Internet Recovery is coming from a different server than Apple?


Or get a big enough USB drive, go here: http://diskmakerx.com/ load the MacOSX installer, erase the hard drive and re-install the MacOS.


Also, try clearing the PRAM; the SMC is a hardware management controller and I'm not sure it would resolve the issue. But a PRAM reset would fix the default boot settings.

Jan 9, 2015 1:40 PM in response to chattphotos

Hi Chat, I have tried the PRAM and SMC -- they don't work. I can't get it to "chime" at all with the PRAM. I can't get the SMC to work either -- tried it. Whoever it is --- has messed with the firmware. My husband's machine, daughter's, and son's machine are all impacted too (they are Windows boxes). On my husband's, his BIOS is set for AMD when he has an Intel processor inside. The intruders, I think, used TDM on the BIOS (remote flashing technology) and essentially trashed the BIOS (reflashing had NO effect). (that's for another forum)


I know PRAM on my mac reset would fix it -- but it just won't do it. I want to unplug the battery which would reset it -- but I'm hesitant to do so. I read "warnings" about pulling the battery off the mac.


These hackers are "pros." The only way I detected the hack was because I saw an internal IP address that wasn't from my own network and started investigating from there. Essentially, I'm on TOR without asking for it. The internet protocols are not standard TCP/IP -- they are a modified version of that -- Wireshark shows "errors" and chrome://net-internals shows use of SPDY and QUIC which ride on top of IP.


Trying to prove all of this to my husband and other folks has been a challenge -- because they don't see any problems. But when I saw the incorrect IPs, started looking into the system, configs and stuff -- it just pointed that way. I want to know if you read this error message -- if it is reflective of someone hacking...

Jan 9, 2015 3:54 PM in response to hoosierchick2012

I am interested to talk directly with you on this, my Apple userID is also my Gmail, please send me your Wireshark logs and assorted documentation so we can set up a remote inspection. You may want to contact your SBI (State Bureau of Investigation).


There really isn't a way to remotely flash the EFI on a Mac. So your case just gets weirder and weirder.


You can try disconnecting the battery, I've removed the logic board in my 15" macbook pro, changed out the magnetic power connector, and hooked up all the wires, everything is running fine.


The TPM doesn't support AMD-based systems, so pushing over something that won't validate with a TPM isn't logical (as Spock would say)

Jan 10, 2015 7:20 AM in response to chattphotos

What I suspect happened, is that they got a hold of appleid/pw and logged into the mac. I turned the option off after I suspected this (you can use apple id to log into the mac if configured that way). I know in 2012/2013 I have e-mails from comcast stating we were running a bot. I thought I fixed it (my son's machine was the bad one) -- but I don't think I have now.


PS. I have to scrounge for logs etc...they are buried somewhere....

Jan 27, 2015 12:28 PM in response to chattphotos

I have similar questions based on this activity, which happens every hour:


1/27/15 12:15:17.003 PM identityservicesd[336]: [Warning] ====== IDS Traffic Usage:

1/27/15 12:15:17.003 PM identityservicesd[336]: [Warning] Service: com.apple.madrid

1/27/15 12:15:17.003 PM identityservicesd[336]: [Warning] incoming-messages: 44

1/27/15 12:15:17.004 PM identityservicesd[336]: [Warning] queries: 5

1/27/15 12:15:17.004 PM identityservicesd[336]: [Warning] outgoing-messages: 4

1/27/15 12:15:17.004 PM identityservicesd[336]: [Warning] query-requests: 1

1/27/15 12:15:17.004 PM identityservicesd[336]: [Warning]

1/27/15 12:15:17.004 PM identityservicesd[336]: [Warning] Service: com.apple.private.alloy.sms

1/27/15 12:15:17.004 PM identityservicesd[336]: [Warning] outgoing-messages: 1

1/27/15 12:15:17.004 PM identityservicesd[336]: [Warning]

1/27/15 12:15:17.004 PM identityservicesd[336]: [Warning] ====== Done


Any progress since Jan 12th?

Jan 27, 2015 2:12 PM in response to FrankinMinneapolis

I did some digging, Madrid and IDS are tied into iCloud and all of the Handoff/Continuity features between Macs and iDevices.

There's nothing to worry about according to this, I think Madrid is a process for the sending/receiving SMS on the computer.


1/27/15 12:06:55.668 AM identityservicesd[248]: <IMMacNotificationCenterManager: 0x7f95a1735240>:

Updating enabled: YES (Topics: (

"com.apple.private.alloy.icloudpairing",

"com.apple.private.alloy.continuity.encryption",

"com.apple.private.alloy.continuity.activity",

"com.apple.ess",

"com.apple.private.ids",

"com.apple.private.alloy.phonecontinuity",

"com.apple.private.alloy.continuity.activity.public",

"com.apple.madrid",

"com.apple.private.alloy.continuity.auth",

"com.apple.private.ac",

"com.apple.private.alloy.idsremoteurlconnection",

"com.apple.private.alloy.sms",

"com.apple.private.alloy.screensharing",

"com.apple.private.alloy.maps",

"com.apple.private.alloy.callhistorysync",

"com.apple.private.alloy.continuity.tethering"

Oct 16, 2015 4:59 AM in response to hoosierchick2012

This is disturbing. Why is my number of messages so high?


10/16/15 7:01:52.824 AM identityservicesd[8076]: [Warning] ====== IDS Traffic Usage:

10/16/15 7:01:52.824 AM identityservicesd[8076]: [Warning] Service: com.apple.private.alloy.icloudpairing

10/16/15 7:01:52.824 AM identityservicesd[8076]: [Warning] outgoing-messages: 3

10/16/15 7:01:52.824 AM identityservicesd[8076]: [Warning]

10/16/15 7:01:52.825 AM identityservicesd[8076]: [Warning] Service: com.apple.madrid

10/16/15 7:01:52.825 AM identityservicesd[8076]: [Warning] queries: 4

10/16/15 7:01:52.825 AM identityservicesd[8076]: [Warning] outgoing-messages: 86

10/16/15 7:01:52.825 AM identityservicesd[8076]: [Warning] incoming-messages: 63

10/16/15 7:01:52.825 AM identityservicesd[8076]: [Warning]

10/16/15 7:01:52.825 AM identityservicesd[8076]: [Warning] ====== Done
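The "IDS Traffic Usage" reports quoted in this thread can be tallied per service so that one report's counters can be compared with the next. The following is an added example, not part of any post above and not Apple code; the sample lines are constructed in the two timestamp formats seen in the thread, with made-up hostname and PIDs.

```python
import re
from collections import defaultdict

# Message text after "identityservicesd[PID]: [Warning]"; the timestamp style in front is ignored.
LINE = re.compile(r"identityservicesd\[\d+\]: \[Warning\]\s*(.*)$")
COUNTER = re.compile(r"^([a-z-]+):\s*(\d+)$")

def parse_ids_usage(lines):
    """Return one dict per report: {service: {counter: value}}."""
    reports, current, service = [], None, None
    for raw in lines:
        m = LINE.search(raw.rstrip())
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("====== IDS Traffic Usage"):
            current, service = {}, None
        elif current is None:
            continue  # counter lines outside a report are ignored
        elif msg.startswith("====== Done"):
            reports.append(current)
            current = None
        elif msg.startswith("Service:"):
            service = msg.split(":", 1)[1].strip()
            current.setdefault(service, {})
        elif service and (c := COUNTER.match(msg)):
            current[service][c.group(1)] = int(c.group(2))
    return reports

def totals(reports):  # sum every counter per service across all reports
    out = defaultdict(lambda: defaultdict(int))
    for report in reports:
        for svc, counters in report.items():
            for name, value in counters.items():
                out[svc][name] += value
    return {svc: dict(c) for svc, c in out.items()}

# Constructed sample lines (hostname and PIDs are made up).
SAMPLE = """\
Dec 18 11:26:32 host.local identityservicesd[100]: [Warning] ====== IDS Traffic Usage:
Dec 18 11:26:32 host.local identityservicesd[100]: [Warning] Service: com.apple.madrid
Dec 18 11:26:32 host.local identityservicesd[100]: [Warning] query-requests: 1
Dec 18 11:26:32 host.local identityservicesd[100]: [Warning] ====== Done
1/27/15 12:15:17.003 PM identityservicesd[200]: [Warning] ====== IDS Traffic Usage:
1/27/15 12:15:17.003 PM identityservicesd[200]: [Warning] Service: com.apple.madrid
1/27/15 12:15:17.004 PM identityservicesd[200]: [Warning] incoming-messages: 44
1/27/15 12:15:17.004 PM identityservicesd[200]: [Warning] query-requests: 1
1/27/15 12:15:17.004 PM identityservicesd[200]: [Warning] ====== Done
"""
```

Calling `totals(parse_ids_usage(SAMPLE.splitlines()))` gives the summed counters per service; feeding it saved Console or syslog output works the same way.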

Oct 20, 2016 10:02 AM in response to chattphotos

I also have weirder and weirder. Something happens all the time. This sounds like a little example, but when they are cumulative and constant......I sent an e-mail to a person, a few minutes later that pane that comes across the upper right of the screen to alert a new e-mail is coming in, came across and I caught that it was from the person I had e-mailed and a reply to a question I had asked. I went to my Yahoo inbox, and the e-mail was not there. I checked the Junk, Spam, Trash, Archive, etc. To me, this e-mail came in and was remotely deleted. There is a hacker (and like someone said - you ultimately sound paranoid and I hate the word "crazy," but you sound crazy) who is very talented, but has a lot of advantage to take advantage - the hacker is probably reading this, and if I check my e-mail for that that came across my screen, it will now be there. Gosh - I hope you can follow that. Things like Support techs being able to access the computer remotely (yes, you do have to authorize it) and the demonstration of Jesse Eisenberg hacking at Harvard (he did not have authorization) are real. Not paranoid or crazy. If someone knows your username and password to log into the MacBook Air, and have access to one changing them (so that does not help), I would suppose it could be accessed remotely. The funny thing is, I am so boring, not a target for money, and the like. I think there are hackers out there who have fun simply snooping, or the hacker thinks I am more interesting than I am.
