Help needed with security audit
I have been dealing with odd behavior on my MBP which I attribute to external hacking rather than to OS or application bugs. My assumption is that information is being accessed remotely.
I have run various diagnostic scripts posted by Linc Davis (you are a great resource, thanks so much), which pointed out problems that I have since corrected.
Two syslog entries midway through the remediation process included the following:
Jul 31 06:48:48 MacBook-Pro.local mds[55]: (DiskStore.Error:1417) Unexpected file dev:754974722 storeDev:16777220 mode:416d hint:811014 oid:811014 ino:5 fsEvents:0 /home -- /home
Jul 31 06:48:48 MacBook-Pro.local mds[55]: (DiskStore.Error:1417) Unexpected file dev:754974721 storeDev:16777220 mode:416d hint:811013 oid:811013 ino:3 fsEvents:0 /net -- /net
Start time: 07:28:52 08/03/15
In the context of a security audit could anyone help me understand the following diag report, in particular the log entries?
The SATA WARNING seems to indicate a problem.
The log entries "…The specified service did not ship in the requestor's bundle…" imply compromised packages.
# Diagnostic one-liner (bash, OS X): gathers system state and copies a text report to the clipboard.
# What the visible code does:
#   - Restricts PATH to system directories, clears the screen and changes to the home directory.
#   - Builds lookup arrays: p (thresholds and names), f (printf formats), s (sed/awk programs),
#     c1 (commands), c2 (argument strings), l (report section labels).
#   - Generates its helper functions (A1-A6, B0/B1/B3/B4, D10-D23) with eval and also runs the
#     c1/c2 command strings through eval, so the commands actually executed only become visible
#     by expanding the arrays; the trailing "D13 4 5 32 1"-style calls are just array indices.
#   - A0 tests membership in group 80 and, if present, runs `sudo true` (which may prompt for a
#     password). Several c1 entries are sudo-prefixed (crontab, iotop, launchctl, defaults read,
#     dtrace, profiles, lsof); the blocks guarded by B1 run only when that sudo call succeeded.
#   - C0/C1 pass report text through s[0], which rewrites e-mail addresses to EMAIL, the name
#     after /Users/ to USER (on lines not containing /Shared) and runs of 22+ hex digits/hyphens
#     to UUID. No other redaction is apparent in this listing, so hostnames, file paths and the
#     "Contents of ..." configuration excerpts reach the report unchanged.
#   - The final { ...; } group has stderr discarded and its stdout piped to pbcopy, then exits.
# NOTE(review): the listing appears to have been hard-wrapped by the page (line breaks fall inside
# quoted sed/awk programs), so it may not match the script as originally published - confirm.
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(Software Hardware Memory Diagnostics Power FireWire Thunderbolt USB Fonts SerialATA 4 1000 25 5120 KiB/s 1024 85 \\b%% 20480 1 MB/s 25000 ports ' com.clark.\* \*dropbox \*genieo\* \*GoogleDr\* \*k.AutoCAD\* \*k.Maya\* vidinst\* ' DYLD_INSERT_LIBRARIES\ DYLD_LIBRARY_PATH -86 "` route -n get default|awk '/e:/{print $2}' `" 25 N\\/A down up 102400 25600 recvfrom sendto CFBundleIdentifier 25 25 25 1000 MB com.apple.AirPortBaseStationAgent 464843899 51 5120 files );N5=${#p[@]};p[N5]=` networksetup -listnetworkserviceorder|awk ' NR>1 { sub(/^\([0-9]+\) /,"");n=$0;getline;} $NF=="'${p[26]}')" { sub(/.$/,"",$NF);print n;exit;} ' `;f=('\n%s: %s\n' '\n%s\n\n%s\n' '\nRAM details\n%s\n' %s\ %s '%s\n-\t%s\n' );S0() { echo ' { q=$NF+0;$NF="";u=$(NF-1);$(NF-1)="";gsub(/^ +| +$/,"");if(q>='${p[$1]}') printf("%s (UID %s) is using %s '${p[$2]}'",$0,u,q);} ';};s=(' s/[0-9A-Za-z._]+@[0-9A-Za-z.]+\.[0-9A-Za-z]{2,4}/EMAIL/g;/\/Shared/!s/(\/Users\/)[^ /]+/\1USER/g;s/[-0-9A-Fa-f]{22,}/UUID/g;' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ +/,"")};/er:/;/y:/&&$2<'${p[10]} ' 1s/://;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: [^EO]|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[11]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ [0N]|Man).+ /{ s/ 0x.... 
//;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of/!{ s/^.+is |\.//g;p;} ' ' $0&&!/ / { n++;print;} END { if(n<200) print "com.apple.";} ' ' $3~/[0-9]:[0-9]{2}$/ { gsub(/:[0-9:a-f]{14}/,"");} { print|"tail -n'${p[12]}'";} ' ' NR==2&&$4<='${p[13]}' { print $4;} ' ' END { $2/=256;if($2>='${p[15]}') print int($2) } ' ' NR!=13{next};{sub(/[+-]$/,"",$NF)};'"`S0 21 22`" 'NR!=2{next}'"`S0 37 17`" ' NR!=5||$8!~/[RW]/{next};{ $(NF-1)=$1;$NF=int($NF/10000000);for(i=1;i<=3;i++){$i="";$(NF-1-i)="";};};'"`S0 19 20`" 's:^:/:p' '/\.kext\/(Contents\/)?Info\.plist$/p' 's/^.{52}(.+) <.+/\1/p' ' /Launch[AD].+\.plist$/ { n++;print;} END { print "'${p[41]}'";if(n<200) print "/System/";} ' '/\.xpc\/(Contents\/)?Info\.plist$/p' ' NR>1&&!/0x|\.[0-9]+$|com\.apple\.launchctl\.(Aqua|Background|System)$|'${p[41]}'/ { print $3;} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:[^:]+//p ' '/^root$/p' ' !/\/Contents\/.+\/Contents|Applic|Autom|Frameworks/&&/Lib.+\/Info.plist$/ { n++;print;} END { if(n<1100) print "/System/";} ' '/^\/usr\/lib\/.+dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".(/private)?","");n++;print;} END { print "'${p[41]}'.plist\t'${p[42]}'";if(n<500) print "Launch";} ' ' /\/(Contents\/.+\/Contents|Frameworks)\/|\.wdgt\/.+\.([bw]|plu)/d;p;' 's/\/(Contents\/)?Info.plist$//;p' ' { gsub("^| |\n","\\|\\|kMDItem'${p[35]}'=");sub("^...."," ") };1 ' p '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[43]}'{$2=$2-1;print}' ' BEGIN { i="'${p[26]}'";M1='${p[16]}';M2='${p[18]}';M3='${p[31]}';M4='${p[32]}';} !/^A/{next};/%/ { getline;if($5<M1) a="user "$2"%, system "$4"%";} /disk0/&&$4>M2 { b=$3" ops/s, "$4" blocks/s";} $2==i { if(c) { d=$3+$4+$5+$6;next;};if($4>M3||$6>M4) c=int($4/1024)" in, "int($6/1024)" out";} END { if(a) print "CPU: "a;if(b) print "I/O: "b;if(c) print "Net: "c" (KiB/s)";if(d) 
print "Net errors: "d" packets/s";} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/ )||(/v6:/&&$2!~/A/ ) ' ' $1~"lR"&&$2<='${p[25]}';$1~"li"&&$3!~"wpa2";' ' BEGIN { FS=":";p="uniq -c|sed -E '"'s/ +\\([0-9]+\\)\\(.+\\)/\\\2 x\\\1/;s/x1$//'"'";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1|p;b=b$1;} END { close(p);if(b) print("\n\t* Code injection");} ' ' NR!=4{next} {$NF/=10240} '"`S0 27 14`" ' END { if($3~/[0-9]/)print$3;} ' ' BEGIN { L='${p[36]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n [N/A]";"file -b "F|getline T;if(T!~/^(AS.+ (En.+ )?text$|(Bo|PO).+ sh.+ text ex)/) F=F" ("T")";printf("\nContents of %s\n%s\n",F,f);if(l>L) printf("\n ...and %s more line(s)\n",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' ' END{print NR} ' ' /id: N|te: Y/{i++} END{print i} ' ' / / { print "'"${p[28]}"'";exit;};1;' '/ en/!s/\.//p' ' NR!=13{next};{sub(/[+-M]$/,"",$NF)};'"`S0 39 40`" ' $10~/\(L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9;} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?Info\.plist$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ /V/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' ' /^find: /d;p;' "`S0 44 45`" ' BEGIN{FS="= "} /Path/{print $2} ' ' /^ *$/d;s/^ */ /;' );c1=(system_profiler pmset\ -g nvram fdesetup find syslog df vm_stat sar ps sudo\ crontab sudo\ iotop top pkgutil 'PlistBuddy 2>&1 -c "Print' whoami cksum kextstat launchctl sudo\ launchctl crontab 'sudo defaults read' stat lsbom mdfind ' for i in ${p[24]};do ${c1[18]} ${c2[27]} $i;done;' defaults\ read scutil sudo\ dtrace sudo\ profiles sed\ -En awk /S*/*/P*/*/*/C*/*/airport networksetup mdutil sudo\ lsof test osascript\ -e );c2=(com.apple.loginwindow\ LoginHook '" /L*/P*/loginw*' "'tell app \"System Events\" to get properties of 
login items'|tr , \\\n" 'L*/Ca*/com.ap*.Saf*/E*/* -d 1 -name In*t -exec '"${c1[14]}"' :CFBundleDisplayName" {} \;|sort|uniq' '~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \)' '.??* -path .Trash -prune -o -type d -name *.app -print -prune' :${p[35]}\" :Label\" '{/,}L*/{Con,Pref}* -type f ! -size 0 -name *.plist -exec plutil -s {} \;' "-f'%N: %l' Desktop L*/Keyc*" therm sysload boot-args status " -F '\$Time \$Message' -k Sender kernel -k Message Req 'bad |Beac|caug|corru|dead[^bl]|FAIL|fail|GPU |hfs: Ru|inval|jnl:|last value [1-9]|n Cause: -|NVDA\(|pagin|proc: t|Roamed|rror|ssert|Thrott|tim(ed? ?|ing )o|WARN' -k Message Rne 'Goog|ksadm|SMC:| VALI|xpma' -o -k Sender fseventsd -k Message Req 'SL' " '-du -n DEV -n EDEV 1 10' 'acrx -o comm,ruid,%cpu' '-t1 10 1' '-f -pfc /var/db/r*/com.apple.*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cght] ! -name .?\* ! -name \*ag \( -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true \) -execdir stat -f:%Sc:%N -t%F {} \;|sort -t: -k2 |tail -n'${p[38]} '/S*/*/Ca*/*xpc* >&- ||echo No' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' '-L /S*/L*/{C*/Sec*A,Ex}* {/,}L*/{A*d,Ca*/*/Ex,Co{mpon,reM},Ex,In{p,ter},iTu*/*P,Keyb,Mail/B,Pr*P,Qu*T,Scripti,Sec,Servi,Spo,Widg}* -path \\*s/Resources -prune -o -type f -name Info.plist' '/usr/lib -type f -name *.dylib' `awk "${s[31]}"<<<${p[23]}` "/e*/{auto,{cron,fs}tab,hosts,{[lp],sy}*.conf,mach_i*/*,pam.d/*,ssh{,d}_config,*.local} {,/usr/local}/etc/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t {/S*/,/,}L*/Lau*/*t .launchd.conf" list getenv /Library/Preferences/com.apple.alf\ globalstate --proxy '-n get default' -I --dns -getdnsservers\ "${p[N5]}" -getinfo\ "${p[N5]}" -P -m\ / '' -n1 '-R -l1 -n1 -o prt -stats command,uid,prt' '--regexp --only-files --files com.apple.pkg.*|sort|uniq' -kl -l -s\ / '-R -l1 -n1 -o mem -stats command,uid,mem' '+c0 -i4TCP:0-1023' com.apple.dashboard\ layer-gadgets '-d /L*/Mana*/$USER&&echo On' '-app 
Safari WebKitDNSPrefetchingEnabled' "+c0 -l|awk '{print(\$1,\$3)}'|sort|uniq -c|sort -n|tail -1|awk '{print(\$2,\$3,\$1)}'" );N1=${#c2[@]};for j in {0..9};do c2[N1+j]=SP${p[j]}DataType;done;N2=${#c2[@]};for j in 0 1;do c2[N2+j]="-n ' syscall::'${p[33+j]}':return { @out[execname,uid]=sum(arg0) } tick-10sec { trunc(@out,1);exit(0);} '";done;l=(Restricted\ files Hidden\ apps 'Elapsed time (s)' POST Battery Safari\ extensions Bad\ plists 'High file counts' User Heat System\ load boot\ args FileVault Diagnostic\ reports Log 'Free space (MiB)' 'Swap (MiB)' Activity 'CPU per process' Login\ hook 'I/O per process' Mach\ ports kexts Daemons Agents XPC\ cache Startup\ items Admin\ access Root\ access Bundles dylibs Apps Font\ issues Inserted\ dylibs Firewall Proxies DNS TCP/IP Wi-Fi Profiles Root\ crontab User\ crontab 'Global login items' 'User login items' Spotlight Memory Listeners Widgets Parental\ Controls Prefetching SATA Descriptors );N3=${#l[@]};for i in 0 1 2;do l[N3+i]=${p[5+i]};done;N4=${#l[@]};for j in 0 1;do l[N4+j]="Current ${p[29+j]}stream data";done;A0() { id -G|grep -qw 80;v[1]=$?;((v[1]==0))&&sudo true;v[2]=$?;v[3]=`date +%s`;clear >&-;date '+Start time: %T %D%n';};for i in 0 1;do eval ' A'$((1+i))'() { v=` eval "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};A'$((3+i))'() { v=` while read i;do [[ "$i" ]]&&eval "${c1[$1]} ${c2[$2]}" \"$i\"|'${c1[30+i]}' "${s[$3]}";done<<<"${v[$4]}" `;[[ "$v" ]];};A'$((5+i))'() { v=` while read i;do '${c1[30+i]}' "${s[$1]}" "$i";done<<<"${v[$2]}" `;[[ "$v" ]];};';done;A7(){ v=$((`date +%s`-v[3]));};B2(){ v[$1]="$v";};for i in 0 1;do eval ' B'$i'() { v=;((v['$((i+1))']==0))||{ v=No;false;};};B'$((3+i))'() { v[$2]=`'${c1[30+i]}' "${s[$3]}"<<<"${v[$1]}"`;} ';done;B5(){ v[$1]="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d: <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F: ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`grep -Fv "${v[$1]}"<<<"$v"`;};C0() { [[ "$v" ]]&&sed -E "$s"<<<"$v";};C1() { [[ "$v" ]]&&printf 
"${f[$1]}" "${l[$2]}" "$v"|sed -E "$s";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { v=`sed -E "${s[63]}"<<<"$v"`&&C1 1 $1;};for i in 1 2;do for j in 0 2 3;do eval D$i$j'(){ A'$i' $1 $2 $3; C'$j' $4;};';done;done;{ A0;D20 0 $((N1+1)) 2;D10 0 $N1 1;B0;C2 27;B0&&! B1&&C2 28;D12 15 37 25 8;A1 0 $((N1+2)) 3;C0;D13 0 $((N1+3)) 4 3;D23 0 $((N1+4)) 5 4;D13 0 $((N1+9)) 59 50;for i in 0 1 2;do D13 0 $((N1+5+i)) 6 $((N3+i));done;D13 1 10 7 9;D13 1 11 8 10;D22 2 12 9 11;D12 3 13 10 12;D23 4 19 44 13;D23 5 14 12 14;D22 6 36 13 15;D22 7 37 14 16;D23 8 15 38 17;D22 9 16 16 18;B1&&{ D22 35 49 61 51;D22 11 17 17 20;for i in 0 1;do D22 28 $((N2+i)) 45 $((N4+i));done;};D22 12 44 54 45;D22 12 39 15 21;A1 13 40 18;B2 4;B3 4 0 19;A3 14 6 32 0;B4 0 5 11;A1 17 41 20;B7 5;C3 22;B4 4 6 21;A3 14 7 32 6;B4 0 7 11;B3 4 0 22;A3 14 6 32 0;B4 0 8 11;B5 7 8;B1&&{ A2 19 26 23;B7 7;C3 23;};A2 18 26 23;B7 7;C3 24;D13 4 21 24 26;B4 4 12 26;B3 4 13 27;A1 4 22 29;B7 12;B2 14;A4 14 6 52 14;B2 15;B6 14 15 4;B3 0 0 30;C3 29;A1 4 23 27;B7 13;C3 30;D13 24 24 32 31;D13 25 37 32 33;A2 23 18 28;B2 16;A2 16 25 33;B7 16;B3 0 0 34;B2 21;A6 47 21&&C0;B1&&{ D13 21 0 32 19;D13 10 42 32 40;D22 29 35 46 39;};D23 14 1 62 42;D12 34 43 53 44;D12 22 20 32 25;D22 0 $((N1+8)) 51 32;D13 4 8 41 6;D12 26 28 35 34;D13 27 29 36 35;A2 27 32 39&&{ B2 19;A2 33 33 40;B2 20;B6 19 20 3;};C2 36;D23 33 34 42 37;B1&&D23 35 45 55 46;D23 32 31 43 38;D12 36 47 32 48;D13 20 42 32 41;D13 37 2 48 43;D13 4 5 32 1;D13 4 3 60 5;D12 26 48 49 49;B3 4 22 57;A1 26 46 56;B7 22;B3 0 0 58;C3 47;D22 4 4 50 0;D23 22 9 37 7;A7;C2 2;} 2>/dev/null|pbcopy;exit 2>&-
Model Identifier: MacBookPro11,2
System Version: OS X 10.10.4 (14E46)
Kernel Version: Darwin 14.4.0
Time since boot: 2 minutes
Bluetooth
Apple Wireless Trackpad
FileVault: On
Diagnostic reports
2015-07-31 XPCKeychainSandboxCheck crash
2015-07-31 cloudd crash
2015-07-31 com.apple.WebKit.WebContent crash
Log
Jul 31 10:21:34 com.apple.xpc.launchd.domain.pid.quicklookd.400: Path not allowed in target domain: type = pid, path = /Library/Frameworks/iTunesLibrary.framework/Versions/A/XPCServices/com.apple.iTunesLibraryService.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd.app
Jul 31 12:14:49 com.apple.xpc.launchd.domain.pid.quicklookd.592: Path not allowed in target domain: type = pid, path = /Library/Frameworks/iTunesLibrary.framework/Versions/A/XPCServices/com.apple.iTunesLibraryService.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd.app
Jul 31 17:01:53 SATA WARNING: IDENTIFY DEVICE checksum not implemented.
Jul 31 17:01:56 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.269: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Jul 31 17:01:56 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.269: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Aug 1 06:47:22 SATA WARNING: IDENTIFY DEVICE checksum not implemented.
Aug 1 06:47:26 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.294: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Aug 1 06:47:26 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.294: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Aug 1 06:49:18 com.apple.spindump: Service exited with abnormal code: 75
Aug 1 14:15:40 SATA WARNING: IDENTIFY DEVICE checksum not implemented.
Aug 1 14:15:44 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.294: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Aug 1 14:15:44 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.294: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Aug 1 15:55:58 [BNBTrackpadDevice::getExtendedReport][85.3] ERROR: [BNBTrackpadDevice] getReport returned error e00002d7 for reportID 0x0047
Aug 2 14:58:44 process WindowServer[133] caught causing excessive wakeups. Observed wakeups rate (per sec): 162; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 167800
Aug 2 15:32:57 com.apple.xpc.launchd.domain.pid.BKAgentService.851: Path not allowed in target domain: type = pid, path = /Library/Frameworks/iTunesLibrary.framework/Versions/A/XPCServices/com.apple.iTunesLibraryService.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /System/Library/PrivateFrameworks/BookKit.framework/Versions/A/XPCServices/com.apple.BKAgentService.xpc
Aug 2 15:32:57 com.apple.xpc.launchd.domain.pid.BKAgentService.851: Path not allowed in target domain: type = pid, path = /Library/Frameworks/iTunesLibrary.framework/Versions/A/XPCServices/com.apple.iTunesLibraryService.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /System/Library/PrivateFrameworks/BookKit.framework/Versions/A/XPCServices/com.apple.BKAgentService.xpc
Aug 2 16:31:52 SATA WARNING: IDENTIFY DEVICE checksum not implemented.
Aug 2 16:31:57 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.303: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Aug 2 16:31:57 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.303: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Aug 3 05:47:02 SATA WARNING: IDENTIFY DEVICE checksum not implemented.
Aug 3 05:47:06 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.295: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Aug 3 05:47:06 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.295: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Aug 3 07:26:34 SATA WARNING: IDENTIFY DEVICE checksum not implemented.
Aug 3 07:26:39 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.295: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Aug 3 07:26:39 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.295: Path not allowed in target domain: type = pid, path = /Applications/Aperture.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/Aperture.app/Contents/Library/LoginItems/PhotoStreamAgent.app
Daemons
com.apple.installer.osmessagetracing
Agents
com.apple.photostream-agent
com.spotify.webhelper
com.apple.AirPortBaseStationAgent
Bundles
/Library/PreferencePanes/TeXDistPrefPane.prefPane
- comp.text.tex.distribution.preference
/Library/Printers/Xerox/Filters/commandtoxbds.app
- com.xerox.commandtoxbds
/Library/Printers/Xerox/PDEs/XeroxFeatures.plugin
- com.xerox.xeroxfeatures.pde
/Library/TeX/Distributions/TeXLive-2015-Basic.texdist
- null
/Library/TeX/Distributions/TeXLive-2015.texdist
- null
/Users/USER/Documents/Archive/Personal/XXXXXXX.dvdproj
- null
/Users/USER/Library/Application Support/eSellerate/XXXXXX/EWSMac.framework
- com.eSellerate.EWSMac67108870
/Users/USER/Library/Frameworks/EWSMac.framework
- com.eSellerate.EWSMacXXXXXXX
/Users/USER/Library/Printers/ColorQube 8570DN (XX-XX-XX-XX-XX-XX).app
- com.apple.print.PrinterProxy
/Users/USER/Library/Printers/ColorQube 8570DN.app
- com.apple.print.PrinterProxy
dylibs
/Users/USER/Library/Application Support/Firefox/Profiles/vrexezsw.default/extensions/fxdevtools-EMAIL/tools/mac 64/libcrypto.1.0.0.dylib
/Users/USER/Library/Application Support/Firefox/Profiles/vrexezsw.default/extensions/fxdevtools-EMAIL/tools/mac 64/libimobiledevice.4.dylib
/Users/USER/Library/Application Support/Firefox/Profiles/vrexezsw.default/extensions/fxdevtools-EMAIL/tools/mac 64/libplist.2.dylib
/Users/USER/Library/Application Support/Firefox/Profiles/vrexezsw.default/extensions/fxdevtools-EMAIL/tools/mac 64/libssl.1.0.0.dylib
/Users/USER/Library/Application Support/Firefox/Profiles/vrexezsw.default/extensions/fxdevtools-EMAIL/tools/mac 64/libusbmuxd.2.dylib
/Users/USER/Library/Application Support/Firefox/Profiles/vrexezsw.default/extensions/fxdevtools-EMAIL/tools/mac 64/libxml2.2.dylib
/Users/USER/Library/Application Support/Firefox/Profiles/vrexezsw.default/gmp-gmpopenh264/1.4/libgmpopenh264.dylib
Contents of /System/Library/LaunchDaemons/org.apache.httpd.plist (checksum 3012644940)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>org.apache.httpd</string>
<key>EnvironmentVariables</key>
<dict>
<key>XPC_SERVICES_UNAVAILABLE</key>
<string>1</string>
</dict>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/httpd-wrapper</string>
<string>-D</string>
<string>FOREGROUND</string>
</array>
<key>OnDemand</key>
<false/>
</dict>
</plist>
Contents of Library/LaunchAgents/com.spotify.webhelper.plist (checksum 735375535)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.spotify.webhelper</string>
<key>KeepAlive</key>
<dict>
<key>NetworkState</key>
<true/>
</dict>
<key>RunAtLoad</key>
<true/>
<key>Program</key>
<string>/Users/USER/Library/Application Support/Spotify/SpotifyWebHelper</string>
<key>SpotifyPath</key>
<string>/Applications/Spotify.app</string></dict>
</plist>
Firewall: On
Safari extensions
Adblock Plus
- org.adblockplus.adblockplussafari
Elapsed time (s): 195