I think I've been hacked - constant USER_PROCESS/END_PROCESS entries in Console

Hi everyone,


I've been on high alert since a couple of months ago, when I was really stupid and downloaded cracked software on an old MacBook, and a couple of days later one of my social networking accounts was logged into from a completely different nation from the one I live in.


Today, I did a complete erase of my hard drive and reinstalled the OS through Internet Recovery. I have three third-party extensions on my Macbook - Chrome, Little Snitch and the Spotify desktop client. App firewall settings set to the strictest, disabled all sharing options.


I noticed under my admin's Console system logs, there has been a constant stream of:


[date] [name of my Macbook] loginwindow [number]: USER_PROCESS: [number] console

[date] [name of my Macbook] sessionlogoutd [number]: DEAD_PROCESS: [number] console

The time between the many USER_PROCESS and DEAD_PROCESS entries varies anywhere between 10 seconds and a couple of minutes. These messages were logged when I was changing all my passwords and kept going when I was just doing regular internet surfing afterwards.

Are these normal, or am I right in believing there's malware on my MacBook? I've erased/reinstalled so many times, and every time there's a change that arouses enough suspicion.


Something that aroused my suspicion this time as well: when I checked the sharing options after I changed all my passwords, I noticed that the highlighted box was left over Apple Remote Events, rather than where I remembered leaving it. Nothing was ticked, but it was as if someone else had checked my sharing options. No one else has physical access to this MacBook.

MacBook Pro with Retina display, OS X El Capitan (10.11.1)

Posted on Dec 2, 2015 6:22 AM
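To give the USER_PROCESS/DEAD_PROCESS entries some structure before deciding whether they are suspicious, the following added example (not from the thread or from any of its participants) pairs each loginwindow USER_PROCESS with the next sessionlogoutd DEAD_PROCESS for the same tty and session pid and reports how long each console session lasted. It assumes a syslog-style line layout like the entries quoted in the post; the host name, pids, timestamps and year in the sample are constructed.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample mimicking the Console entries quoted in the post.
# Host name, PIDs and timestamps are made up; the year is an assumption (2015).
SAMPLE_LOG = """\
Dec  2 13:05:12 MacBook-Pro loginwindow[87]: USER_PROCESS: 87 console
Dec  2 13:05:40 MacBook-Pro sessionlogoutd[212]: DEAD_PROCESS: 87 console
Dec  2 13:05:41 MacBook-Pro loginwindow[87]: USER_PROCESS: 87 console
Dec  2 13:08:03 MacBook-Pro sessionlogoutd[240]: DEAD_PROCESS: 87 console
Dec  2 13:08:05 MacBook-Pro loginwindow[87]: USER_PROCESS: 87 console
Dec  2 13:20:00 MacBook-Pro kernel[0]: unrelated line, ignored by the parser
"""

# Assumed layout: "<Mon DD HH:MM:SS> <host> <proc>[<pid>]: <EVENT>: <session pid> <tty>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?P<event>USER_PROCESS|DEAD_PROCESS): (?P<spid>\d+) (?P<tty>\S+)$"
)


def parse_events(text, year=2015):
    """Return the USER_PROCESS/DEAD_PROCESS events found in a log, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated Console noise
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({
            "time": ts, "event": m["event"], "proc": m["proc"],
            "session_pid": int(m["spid"]), "tty": m["tty"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def pair_sessions(events):
    """Match each USER_PROCESS with the next DEAD_PROCESS for the same tty/pid.

    Returns (closed_sessions, still_open, orphan_logouts). A second login for a
    key that is already open simply replaces the earlier, unmatched one.
    """
    open_sessions = OrderedDict()
    closed, orphans = [], []
    for e in events:
        key = (e["tty"], e["session_pid"])
        if e["event"] == "USER_PROCESS":
            open_sessions[key] = e
        elif key in open_sessions:
            start = open_sessions.pop(key)
            closed.append({
                "tty": e["tty"], "session_pid": e["session_pid"],
                "start": start["time"], "end": e["time"],
                "duration_s": int((e["time"] - start["time"]).total_seconds()),
            })
        else:
            orphans.append(e)  # logout with no preceding login in this window
    return closed, list(open_sessions.values()), orphans


def summarize(text, short_threshold_s=60, year=2015):
    """Triage summary: how many console sessions there were and how many were very short."""
    closed, still_open, orphans = pair_sessions(parse_events(text, year))
    return {
        "closed": len(closed),
        "still_open": len(still_open),
        "orphan_logouts": len(orphans),
        "short_sessions": sum(1 for s in closed if s["duration_s"] < short_threshold_s),
        "durations_s": [s["duration_s"] for s in closed],
    }


if __name__ == "__main__":
    for s in pair_sessions(parse_events(SAMPLE_LOG))[0]:
        print(f"{s['tty']} pid {s['session_pid']}: {s['start']:%H:%M:%S} -> "
              f"{s['end']:%H:%M:%S} ({s['duration_s']} s)")
    print(summarize(SAMPLE_LOG))
```

Running it over a copy of the real Console log shows whether the entries are a string of short console sessions with matching logouts or something less tidy (orphan logouts, sessions that never close), which is more useful for triage than the raw stream of lines.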

15 replies

Dec 2, 2015 6:42 AM in response to JimmyCMPIT

I am on a private wifi network; I updated the firmware, changed the default passwords and disabled remote management, WPS, uPnP etc. I no longer pirate software or frequent torrent sites; I know better now. This is a new MacBook that I bought a couple of weeks ago.


This is my EtreCheck report:

EtreCheck version: 2.6.6 (226)

Report generated 3/12/2015, 1:41 AM

Runtime 1:26

Download EtreCheck from http://etrecheck.com


Click the [Click for support] links for help with non-Apple products.

Click the [Click for details] links for more information about that line.


Hardware Information: (What does this mean?)

MacBook Pro (Retina, 13-inch, Early 2015)

[Click for Technical Specifications]

[Click for User Guide]

MacBook Pro - model: MacBookPro12,1

1 2.7 GHz Intel Core i5 CPU: 2-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1867 MHz ok

BANK 1/DIMM0

4 GB DDR3 1867 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 2 - SN = C0154330KTYFY5QBF


Video Information: (What does this mean?)

Intel Iris Graphics 6100

Color LCD 2560 x 1600


System Software: (What does this mean?)

OS X El Capitan 10.11.1 (15B42) - Time since boot: less than an hour


Disk Information: (What does this mean?)

APPLE SSD SM0128G disk0 : (121.33 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Macintosh HD (disk0s2) / : 120.47 GB (95.47 GB free)

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB


USB Information: (What does this mean?)

Broadcom Corp. Bluetooth USB Host Controller


Thunderbolt Information: (What does this mean?)

Apple Inc. thunderbolt_bus


Gatekeeper: (What does this mean?)

Mac App Store and identified developers


Kernel Extensions: (What does this mean?)

/Library/Extensions

[loaded] at.obdev.nke.LittleSnitch (4356 - SDK 10.8) [Click for support]


Launch Agents: (What does this mean?)

[running] at.obdev.LittleSnitchUIAgent.plist [Click for support]

[loaded] com.google.keystone.agent.plist [Click for support]


Launch Daemons: (What does this mean?)

[running] at.obdev.littlesnitchd.plist [Click for support]

[loaded] com.google.keystone.daemon.plist [Click for support]


User Login Items: (What does this mean?)

None


Other Apps: (What does this mean?)

[running] com.apple.xpc.launchd.oneshot.0x1000000a.Little Snitch Network Monitor

[running] com.apple.xpc.launchd.oneshot.0x1000000d.EtreCheck


Internet Plug-ins: (What does this mean?)

Default Browser: Version: 601 - SDK 10.11

QuickTime Plugin: Version: 7.7.3


Safari Extensions: (What does this mean?)

Adblock Plus

Ghostery


3rd Party Preference Panes: (What does this mean?)

None


Time Machine: (What does this mean?)

Mobile backups: OFF

Auto backup: NO - Auto backup turned off

Volumes being backed up:

Destinations:

Backup! [Local]

Total size: 15.67 GB

Total number of backups: 1

Oldest backup: 2/12/2015, 1:30 PM

Last backup: 2/12/2015, 1:30 PM

Size of backup disk: Excellent

Backup size 15.67 GB > (Disk size 0 B X 3)


Top Processes by CPU: (What does this mean?)

2% fontd

2% kernel_task

1% WindowServer

1% Little Snitch Agent

0% com.apple.WebKit.WebContent(3)


Top Processes by Memory: (What does this mean?)

638 MB kernel_task

532 MB com.apple.WebKit.WebContent(3)

311 MB Safari

180 MB mdworker(9)

164 MB Console


Virtual Memory Information: (What does this mean?)

2.17 GB Free RAM

5.82 GB Used RAM (2.30 GB Cached)

0 B Swap Used


Diagnostics Information: (What does this mean?)

Dec 3, 2015, 01:23:42 AM /Library/Logs/DiagnosticReports/com.apple.AddressBook.InternetAccountsBridge_2015-12-03-012342_[redacted].crash

Dec 3, 2015, 12:44:35 AM Self test - passed

Dec 2, 2015, 09:25:52 PM ~/Library/Logs/DiagnosticReports/Little Snitch Network Monitor_2015-12-02-212552_[redacted].crash

Dec 2, 2015, 05:32:58 PM /Library/Logs/DiagnosticReports/Google Chrome_2015-12-02-173258_[redacted].hang

Dec 2, 2015 6:49 AM in response to spring2002

1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

The test works on OS X 10.7 ("Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.

Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.

2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

In this case, however, there are ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the requisite skill can verify what it does.

You may not be able to understand the script yourself. But variations of it have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.

Another indication that the test is safe can be found in this thread, and this one, for example, where the comment in which I suggested it was recommended by one of the Apple Community Specialists, as explained here.

Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

4. Here's a general summary of what you need to do, if you choose to proceed:

☞ Copy a particular line of text to the Clipboard.

☞ Paste into the window of another application.

☞ Wait for the test to run. It usually takes a few minutes.

☞ Paste the results, which will have been copied automatically, back into a reply on this page.

These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.

5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is intermittently slow, run the test during a slowdown.

You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual before running it. If you can only test in safe mode, do that.

6. If you have more than one user, and only one user is affected by the problem, and the affected user is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn't apply. Don't log in as root.

7. Load this linked web page (on the website "Pastebin.") The title of the page is "Diagnostic Test." Below the title is a text box headed by three small icons. The one on the right represents a clipboard. Click that icon to select the text, then copy it to the Clipboard on your computer by pressing the key combination command-C.

If the text doesn't highlight when you click the icon, select it by triple-clicking anywhere inside the box. Don't select the whole page, just the text in the box.

8. Launch the built-in Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.

9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter

exec bash

and press return. Then paste the script again.

10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.

If the test is taking much longer than usual to run because the computer is very slow, you might be prompted for your password a second time. The authorization that you grant by entering it expires automatically after five minutes.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:

[Process started]

Part 1 of 4 done at … sec

Part 4 of 4 done at … sec

The test results are on the Clipboard.

Please close this window.

[Process completed]

The intervals between parts won't be exactly equal, but they give a rough indication of progress.

Wait for the final message "Process completed" to appear. If you don't see it within about 15 minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it. Then go to the next step. You'll have incomplete results, but still something. If you close the Terminal window while the test is still running, the partial results won't be saved and you'll have to start over.

12. When the test is complete, or if you stopped it because it was taking too long, quit Terminal. The results will have been saved to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the software that runs this website. Please post the test results on Pastebin, then post a link here to the page you created.

If you have an account on Pastebin, please don't select Private from the Paste Exposure menu on the page, because then no one but you will be able to see it.

14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you're told to do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.

______________________________________________________________

Copyright © 2014, 2015 by Linc Davis. As the sole author of this work (including the referenced "Diagnostic Test"), I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

Dec 2, 2015 6:56 AM in response to Linc Davis

Hi Linc,


These are my results:


1 Start time: 01:53:14 12/03/15

2

3 Revision: 1377

4

5 Model Identifier: MacBookPro12,1

6 System Version: OS X 10.11.1 (15B42)

7 Kernel Version: Darwin 15.0.0

8 Time since boot: 1:09

9

10 Root access: No

11

12 CPU usage (%)

13

14 WindowServer (UID 0): 15.2

15

16 DNS: 208.67.222.222 (static)

17

18 Diagnostic reports

19

20 2015-12-02 Google Chrome hang

21 2015-12-02 Little Snitch Network Monitor crash

22 2015-12-03 com.apple.AddressBook.InternetAccountsBridge crash

23

24 HID errors: 6

25

26 Kernel log

27

28 Dec 2 21:12:50 Limiting closed port RST response from 252 to 250 packets per second

29 Dec 2 21:12:52 Limiting closed port RST response from 252 to 250 packets per second

30 Dec 2 21:12:54 Limiting closed port RST response from 252 to 250 packets per second

31 Dec 2 21:12:56 Limiting closed port RST response from 252 to 250 packets per second

32 Dec 2 21:12:58 Limiting closed port RST response from 252 to 250 packets per second

33 Dec 2 21:13:00 Limiting closed port RST response from 252 to 250 packets per second

34 Dec 2 21:13:02 Limiting closed port RST response from 252 to 250 packets per second

35 Dec 2 21:13:04 Limiting closed port RST response from 252 to 250 packets per second

36 Dec 2 21:13:06 Limiting closed port RST response from 252 to 250 packets per second

37 Dec 2 21:13:08 Limiting closed port RST response from 252 to 250 packets per second

38 Dec 2 21:13:10 Limiting closed port RST response from 252 to 250 packets per second

39 Dec 2 21:13:12 Limiting closed port RST response from 252 to 250 packets per second

40 Dec 2 21:13:14 Limiting closed port RST response from 252 to 250 packets per second

41 Dec 2 21:13:16 Limiting closed port RST response from 252 to 250 packets per second

42 Dec 2 21:13:18 Limiting closed port RST response from 252 to 250 packets per second

43 Dec 2 21:13:20 Limiting closed port RST response from 252 to 250 packets per second

44 Dec 2 21:13:22 Limiting closed port RST response from 252 to 250 packets per second

45 Dec 2 21:13:24 Limiting closed port RST response from 252 to 250 packets per second

46 Dec 2 21:13:26 Limiting closed port RST response from 252 to 250 packets per second

47 Dec 2 21:13:29 Limiting closed port RST response from 252 to 250 packets per second

48 Dec 3 00:44:15 Process launchd [1] disabling system-wide I/O Throttling

49 Dec 3 00:44:15 Process launchd [1] disabling system-wide CPU Throttling

50 Dec 3 00:44:35 IO80211ControllerMonitor::configureSubscriptions() failed to add subscriptionIO80211Controller::start _controller is 0xc21e53c07a6c479b, provider is 0xc21e53bfbb24209b

51 Dec 3 00:44:35 init: error getting PHY_MODE; using MODE_UNKNOWN

52 Dec 3 00:44:37 [IGPU] Scheduler Throttle Cap = 100ms.

53

54 System log

55

56 Dec 3 01:26:48 storeaccountd: tcp_connection_destination_perform_socket_connect 11 connectx to 23.63.10.38:443@0 failed: [64] Host is down

57 Dec 3 01:26:48 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

58 Dec 3 01:26:50 storeaccountd: tcp_connection_destination_perform_socket_connect 12 connectx to 184.84.220.49:80@0 failed: [64] Host is down

59 Dec 3 01:26:50 storeaccountd: tcp_connection_destination_perform_socket_connect 12 connectx to 184.84.220.40:80@0 failed: [64] Host is down

60 Dec 3 01:26:51 storeaccountd: tcp_connection_destination_perform_socket_connect 13 connectx to 17.154.66.38:80@0 failed: [64] Host is down

61 Dec 3 01:26:51 storeaccountd: tcp_connection_destination_perform_socket_connect 14 connectx to 23.63.10.38:443@0 failed: [64] Host is down

62 Dec 3 01:26:51 storeaccountd: tcp_connection_destination_perform_socket_connect 15 connectx to 23.63.10.38:443@0 failed: [64] Host is down

63 Dec 3 01:26:51 storeaccountd: tcp_connection_destination_perform_socket_connect 16 connectx to 184.84.220.49:80@0 failed: [64] Host is down

64 Dec 3 01:26:51 storeaccountd: tcp_connection_destination_perform_socket_connect 16 connectx to 184.84.220.40:80@0 failed: [64] Host is down

65 Dec 3 01:26:51 storeaccountd: tcp_connection_destination_perform_socket_connect 17 connectx to 17.154.66.38:80@0 failed: [64] Host is down

66 Dec 3 01:26:54 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

67 Dec 3 01:26:59 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

68 Dec 3 01:27:44 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 40 connectx to 75.98.93.51:443@0 failed: [64] Host is down

69 Dec 3 01:29:05 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

70 Dec 3 01:29:08 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

71 Dec 3 01:30:25 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

72 Dec 3 01:32:06 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

73 Dec 3 01:44:36 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

74 Dec 3 01:46:48 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

75 Dec 3 01:52:10 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 212 connectx to 204.11.109.76:80@0 failed: [64] Host is down

76 Dec 3 01:52:10 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 212 connectx to 204.11.109.75:80@0 failed: [64] Host is down

77 Dec 3 01:52:10 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 212 connectx to 204.11.109.78:80@0 failed: [64] Host is down

78 Dec 3 01:52:10 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 212 connectx to 204.11.109.77:80@0 failed: [64] Host is down

79 Dec 3 01:52:11 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 213 connectx to 94.31.29.218:80@0 failed: [64] Host is down

80 Dec 3 01:52:12 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 214 connectx to 31.13.70.1:80@0 failed: [64] Host is down

81

82 launchd log

83

84 Dec 2 15:06:53 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

85 Dec 2 16:52:20 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

86 Dec 2 16:55:51 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

87 Dec 2 17:02:47 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

88 Dec 2 17:10:00 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

89 Dec 2 23:21:19 com.apple.iCloudHelper: GUI session does not exist for service to join. It will be spawned without access to the GUI.

90 Dec 3 00:02:29 com.apple.iCloudHelper: GUI session does not exist for service to join. It will be spawned without access to the GUI.

91 Dec 3 00:03:08 com.apple.iCloudHelper: GUI session does not exist for service to join. It will be spawned without access to the GUI.

92 Dec 3 00:06:17 com.apple.iCloudHelper: GUI session does not exist for service to join. It will be spawned without access to the GUI.

93 Dec 3 00:10:35 com.apple.iCloudHelper: GUI session does not exist for service to join. It will be spawned without access to the GUI.

94 Dec 3 00:44:35 : Failed to remove file or directory: name = dyld_shared_cache_x86_64h, error = 1: Operation not permitted. Further logging suppressed.

95 Dec 3 00:44:35 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

96

97 Console log

98

99 Dec 2 15:11:20 fontd: Failed to open read-only database, regenerating DB

100

101 Loaded kernel extensions

102

103 at.obdev.nke.LittleSnitch (4356)

104

105 System services loaded

106

107 at.obdev.littlesnitchd

108 com.apple.logd

109 - status: 1

110 com.apple.watchdogd

111 com.google.keystone.daemon

112

113 System services disabled

114

115 com.apple.mtmfs

116

117 Login services loaded

118

119 at.obdev.LittleSnitchUIAgent

120 com.google.keystone.system.agent

121

122 Contents of /Library/LaunchAgents/at.obdev.LittleSnitchUIAgent.plist

123 - mod date: Dec 2 12:15:53 2015

124 - size (B): 464

125 - checksum: 2014742307

126

127 <?xml version="1.0" encoding="UTF-8"?>

128 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

129 <plist version="1.0">

130 <dict>

131 <key>KeepAlive</key>

132 <true/>

133 <key>Label</key>

134 <string>at.obdev.LittleSnitchUIAgent</string>

135 <key>ProgramArguments</key>

136 <array>

137 <string>/Library/Little Snitch/Little Snitch Agent.app/Contents/MacOS/Little Snitch Agent</string>

138 </array>

139 <key>RunAtLoad</key>

140 <true/>

141 </dict>

142 </plist>

143

144 Contents of /Library/LaunchDaemons/at.obdev.littlesnitchd.plist

145 - mod date: Dec 2 12:15:53 2015

146 - size (B): 631

147 - checksum: 4174275850

148

149 <?xml version="1.0" encoding="UTF-8"?>

150 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

151 <plist version="1.0">

152 <dict>

153 <key>KeepAlive</key>

154 <true/>

155 <key>Label</key>

156 <string>at.obdev.littlesnitchd</string>

157 <key>ProgramArguments</key>

158 <array>

159 <string>/Library/Little Snitch/Little Snitch Daemon.bundle/Contents/MacOS/Little Snitch Daemon</string>

160 </array>

161 <key>RunAtLoad</key>

162 <true/>

163 <key>StandardErrorPath</key>

164 <string>/Library/Logs/LittleSnitchDaemon.log</string>

165 <key>StandardOutPath</key>

166 <string>/Library/Logs/LittleSnitchDaemon.log</string>

167 </dict>

168 </plist>

169

170 Safari extensions

171

172 Adblock Plus

173 - org.adblockplus.adblockplussafari

174 Ghostery

175 - com.betteradvertising.ghostery

176

177 iCloud errors

178

179 comapple.CloudPhotosConfiguration 53

180 cloudphotosd 26

181 comapple.InputMethodKit.TextReplacementService 23

182 cloudd 23

183 Finder 10

184

185 Continuity errors

186

187 sharingd 44

188

189 Bad permissions: 2

190

191 Extensions

192

193 /Library/Extensions/LittleSnitch.kext

194 - at.obdev.nke.LittleSnitch

195

196 Modifications

197

198 file modified: /Applications/Chess.app/Contents/Resources/Game.icns

199

200 Bad kernel extensions

201

202 /System/Library/Extensions/AppleOSXUSBNCM.kext

203

204 Elapsed time (sec): 147

Dec 2, 2015 7:46 AM in response to Linc Davis

Thanks for getting back to me, Linc. I've run the test again with my admin password entered. (I also don't do regular internet browsing with my admin account; I stick to a standard account.)


This is your script run with the admin password entered:


1 Start time: 02:41:43 12/03/15

2

3 Revision: 1377

4

5 Model Identifier: MacBookPro12,1

6 System Version: OS X 10.11.1 (15B42)

7 Kernel Version: Darwin 15.0.0

8 Time since boot: 1:57

9

10 DNS: 208.67.222.222 (static)

11

12 Diagnostic reports

13

14 2015-12-02 Google Chrome hang

15 2015-12-02 Little Snitch Network Monitor crash

16 2015-12-03 com.apple.AddressBook.InternetAccountsBridge crash

17

18 HID errors: 6

19

20 Kernel log

21

22 Dec 2 21:12:50 Limiting closed port RST response from 252 to 250 packets per second

23 Dec 2 21:12:52 Limiting closed port RST response from 252 to 250 packets per second

24 Dec 2 21:12:54 Limiting closed port RST response from 252 to 250 packets per second

25 Dec 2 21:12:56 Limiting closed port RST response from 252 to 250 packets per second

26 Dec 2 21:12:58 Limiting closed port RST response from 252 to 250 packets per second

27 Dec 2 21:13:00 Limiting closed port RST response from 252 to 250 packets per second

28 Dec 2 21:13:02 Limiting closed port RST response from 252 to 250 packets per second

29 Dec 2 21:13:04 Limiting closed port RST response from 252 to 250 packets per second

30 Dec 2 21:13:06 Limiting closed port RST response from 252 to 250 packets per second

31 Dec 2 21:13:08 Limiting closed port RST response from 252 to 250 packets per second

32 Dec 2 21:13:10 Limiting closed port RST response from 252 to 250 packets per second

33 Dec 2 21:13:12 Limiting closed port RST response from 252 to 250 packets per second

34 Dec 2 21:13:14 Limiting closed port RST response from 252 to 250 packets per second

35 Dec 2 21:13:16 Limiting closed port RST response from 252 to 250 packets per second

36 Dec 2 21:13:18 Limiting closed port RST response from 252 to 250 packets per second

37 Dec 2 21:13:20 Limiting closed port RST response from 252 to 250 packets per second

38 Dec 2 21:13:22 Limiting closed port RST response from 252 to 250 packets per second

39 Dec 2 21:13:24 Limiting closed port RST response from 252 to 250 packets per second

40 Dec 2 21:13:26 Limiting closed port RST response from 252 to 250 packets per second

41 Dec 2 21:13:29 Limiting closed port RST response from 252 to 250 packets per second

42 Dec 3 00:44:15 Process launchd [1] disabling system-wide I/O Throttling

43 Dec 3 00:44:15 Process launchd [1] disabling system-wide CPU Throttling

44 Dec 3 00:44:35 IO80211ControllerMonitor::configureSubscriptions() failed to add subscriptionIO80211Controller::start _controller is 0xc21e53c07a6c479b, provider is 0xc21e53bfbb24209b

45 Dec 3 00:44:35 init: error getting PHY_MODE; using MODE_UNKNOWN

46 Dec 3 00:44:37 [IGPU] Scheduler Throttle Cap = 100ms.

47

48 System log

49

50 Dec 3 02:31:05 symptomsd: -[NetworkAnalyticsEngine _writeJournalRecord:fromCellFingerprint:key:atLOI:ofKind:lqm:isFaulty:] Hashing of the primary key failed. Dropping the journal record.

51 Dec 3 02:31:05 symptomsd: __73-[NetworkAnalyticsEngine observeValueForKeyPath:ofObject:change:context:]_block_invoke unexpected switch value 2

52 Dec 3 02:31:10 configd: RTADV en0: send Router Solicitation: failed, Host is down

53 Dec 3 02:31:14 networkd: nw_path_query_lqm Tried to query LQM on path with no interfaces

54 Dec 3 02:31:14 networkd: nw_path_query_lqm Tried to query LQM on path with no interfaces

55 Dec 3 02:31:14 networkd: nw_path_query_lqm Tried to query LQM on path with no interfaces

56 Dec 3 02:31:14 symptomsd: -[NetworkAnalyticsEngine _writeJournalRecord:fromCellFingerprint:key:atLOI:ofKind:lqm:isFaulty:] Hashing of the primary key failed. Dropping the journal record.

57 Dec 3 02:31:14 symptomsd: __73-[NetworkAnalyticsEngine observeValueForKeyPath:ofObject:change:context:]_block_invoke unexpected switch value 2

58 Dec 3 02:31:14 configd: RTADV en0: send Router Solicitation: failed, Host is down

59 Dec 3 02:31:26 mDNSResponder: mDNS_RegisterInterface: Frequent transitions for interface en0 (192.168.230.8)

60 Dec 3 02:31:26 Safari: tcp_connection_destination_perform_socket_connect 3 connectx to 23.63.20.224:443@0 failed: [64] Host is down

61 Dec 3 02:31:26 symptomsd: -[NetworkAnalyticsEngine _writeJournalRecord:fromCellFingerprint:key:atLOI:ofKind:lqm:isFaulty:] Hashing of the primary key failed. Dropping the journal record.

62 Dec 3 02:31:26 symptomsd: __73-[NetworkAnalyticsEngine observeValueForKeyPath:ofObject:change:context:]_block_invoke unexpected switch value 2

63 Dec 3 02:31:27 com.apple.geod: tcp_connection_destination_perform_socket_connect 12 connectx to 23.63.14.64:443@0 failed: [64] Host is down

64 Dec 3 02:31:27 com.apple.geod: tcp_connection_destination_perform_socket_connect 13 connectx to 23.63.14.64:443@0 failed: [64] Host is down

65 Dec 3 02:31:32 com.apple.geod: tcp_connection_destination_perform_socket_connect 13 connectx to 23.216.56.254:443@0 failed: [64] Host is down

66 Dec 3 02:31:32 com.apple.geod: tcp_connection_destination_perform_socket_connect 14 connectx to 23.216.56.254:443@0 failed: [64] Host is down

67 Dec 3 02:34:36 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

68 Dec 3 02:36:16 WindowServer: _CGXRemoveWindowFromWindowMovementGroup: window 0x43 is not attached to window 0x44

69 Dec 3 02:41:05 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 547 connectx to 204.11.109.78:80@0 failed: [64] Host is down

70 Dec 3 02:41:05 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 547 connectx to 204.11.109.75:80@0 failed: [64] Host is down

71 Dec 3 02:41:05 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 547 connectx to 204.11.109.77:80@0 failed: [64] Host is down

72 Dec 3 02:41:05 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 547 connectx to 204.11.109.76:80@0 failed: [64] Host is down

73 Dec 3 02:41:05 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 549 connectx to 31.13.70.1:80@0 failed: [64] Host is down

74 Dec 3 02:41:06 com.apple.WebKit.Networking: tcp_connection_destination_perform_socket_connect 548 connectx to 94.31.29.218:80@0 failed: [64] Host is down

75

76 launchd log

77

78 Dec 2 15:06:53 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

79 Dec 2 16:52:20 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

80 Dec 2 16:55:51 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

81 Dec 2 17:02:47 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

82 Dec 2 17:10:00 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

83 Dec 2 23:21:19 com.apple.iCloudHelper: GUI session does not exist for service to join. It will be spawned without access to the GUI.

84 Dec 3 00:02:29 com.apple.iCloudHelper: GUI session does not exist for service to join. It will be spawned without access to the GUI.

85 Dec 3 00:03:08 com.apple.iCloudHelper: GUI session does not exist for service to join. It will be spawned without access to the GUI.

86 Dec 3 00:06:17 com.apple.iCloudHelper: GUI session does not exist for service to join. It will be spawned without access to the GUI.

87 Dec 3 00:10:35 com.apple.iCloudHelper: GUI session does not exist for service to join. It will be spawned without access to the GUI.

88 Dec 3 00:44:35 : Failed to remove file or directory: name = dyld_shared_cache_x86_64h, error = 1: Operation not permitted. Further logging suppressed.

89 Dec 3 00:44:35 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

90

91 Console log

92

93 Dec 2 15:11:20 fontd: Failed to open read-only database, regenerating DB

94

95 Loaded kernel extensions

96

97 at.obdev.nke.LittleSnitch (4356)

98

99 System services loaded

100

101 at.obdev.littlesnitchd

102 com.apple.logd

103 - status: 1

104 com.apple.watchdogd

105 com.google.keystone.daemon

106

107 System services disabled

108

109 com.apple.mtmfs

110

111 Login services loaded

112

113 at.obdev.LittleSnitchUIAgent

114 com.google.keystone.system.agent

115

116 Contents of /Library/LaunchAgents/at.obdev.LittleSnitchUIAgent.plist

117 - mod date: Dec 2 12:15:53 2015

118 - size (B): 464

119 - checksum: 2014742307

120

121 <?xml version="1.0" encoding="UTF-8"?>

122 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

123 <plist version="1.0">

124 <dict>

125 <key>KeepAlive</key>

126 <true/>

127 <key>Label</key>

128 <string>at.obdev.LittleSnitchUIAgent</string>

129 <key>ProgramArguments</key>

130 <array>

131 <string>/Library/Little Snitch/Little Snitch Agent.app/Contents/MacOS/Little Snitch Agent</string>

132 </array>

133 <key>RunAtLoad</key>

134 <true/>

135 </dict>

136 </plist>

137

138 Contents of /Library/LaunchDaemons/at.obdev.littlesnitchd.plist

139 - mod date: Dec 2 12:15:53 2015

140 - size (B): 631

141 - checksum: 4174275850

142

143 <?xml version="1.0" encoding="UTF-8"?>

144 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

145 <plist version="1.0">

146 <dict>

147 <key>KeepAlive</key>

148 <true/>

149 <key>Label</key>

150 <string>at.obdev.littlesnitchd</string>

151 <key>ProgramArguments</key>

152 <array>

153 <string>/Library/Little Snitch/Little Snitch Daemon.bundle/Contents/MacOS/Little Snitch Daemon</string>

154 </array>

155 <key>RunAtLoad</key>

156 <true/>

157 <key>StandardErrorPath</key>

158 <string>/Library/Logs/LittleSnitchDaemon.log</string>

159 <key>StandardOutPath</key>

160 <string>/Library/Logs/LittleSnitchDaemon.log</string>

161 </dict>

162 </plist>

163

164 Safari extensions

165

166 Adblock Plus

167 - org.adblockplus.adblockplussafari

168 Ghostery

169 - com.betteradvertising.ghostery

170

171 iCloud errors

172

173 comapple.CloudPhotosConfiguration 53

174 cloudphotosd 26

175 comapple.InputMethodKit.TextReplacementService 23

176 cloudd 23

177 Finder 10

178

179 Continuity errors

180

181 sharingd 44

182

183 Bad permissions: 2

184

185 Extensions

186

187 /Library/Extensions/LittleSnitch.kext

188 - at.obdev.nke.LittleSnitch

189

190 Modifications

191

192 file modified: /Applications/Chess.app/Contents/Resources/Game.icns

193

194 Bad kernel extensions

195

196 /System/Library/Extensions/AppleOSXUSBNCM.kext

197

198 Elapsed time (sec): 169

Dec 2, 2015 8:04 AM in response to Linc Davis

I was wondering: would the results of running your script and finding any potential clues of compromise be affected by the fact that I might've shut down my Macbook once between the time I noticed the log and the time I started posting on the forum?


Also, under normal circumstances, what sort of events cause loginwindow USER_PROCESS and DEAD_PROCESS entries to be logged in the Console?


As per your instructions in your original response, I've run the script while logged into my standard account as well:


1 Start time: 02:59:42 12/03/15

2

3 Revision: 1377

4

5 Model Identifier: MacBookPro12,1

6 System Version: OS X 10.11.1 (15B42)

7 Kernel Version: Darwin 15.0.0

8 Time since boot: 2:15

9

10 Admin access: No

11

12 UID: 502

13

14 DNS: 208.67.222.222 (static)

15

16 Console log

17

18 Dec 2 15:07:26 fontd: Failed to open read-only database, regenerating DB

19

20 Loaded kernel extensions

21

22 at.obdev.nke.LittleSnitch (4356)

23

24 System services loaded

25

26 at.obdev.littlesnitchd

27 com.apple.logd

28 - status: 1

29 com.apple.watchdogd

30 com.google.keystone.daemon

31

32 System services disabled

33

34 com.apple.mtmfs

35

36 Login services loaded

37

38 at.obdev.LittleSnitchUIAgent

39 com.google.keystone.system.agent

40

41 Login services disabled

42

43 com.spotify.webhelper

44

45 User services loaded

46

47 com.apple.ViewBridgeAuxiliary

48 - status: -9

49

50 User services disabled

51

52 com.spotify.webhelper

53

54 Contents of /Library/LaunchAgents/at.obdev.LittleSnitchUIAgent.plist

55 - mod date: Dec 2 12:15:53 2015

56 - size (B): 464

57 - checksum: 2014742307

58

59 <?xml version="1.0" encoding="UTF-8"?>

60 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

61 <plist version="1.0">

62 <dict>

63 <key>KeepAlive</key>

64 <true/>

65 <key>Label</key>

66 <string>at.obdev.LittleSnitchUIAgent</string>

67 <key>ProgramArguments</key>

68 <array>

69 <string>/Library/Little Snitch/Little Snitch Agent.app/Contents/MacOS/Little Snitch Agent</string>

70 </array>

71 <key>RunAtLoad</key>

72 <true/>

73 </dict>

74 </plist>

75

76 Contents of /Library/LaunchDaemons/at.obdev.littlesnitchd.plist

77 - mod date: Dec 2 12:15:53 2015

78 - size (B): 631

79 - checksum: 4174275850

80

81 <?xml version="1.0" encoding="UTF-8"?>

82 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

83 <plist version="1.0">

84 <dict>

85 <key>KeepAlive</key>

86 <true/>

87 <key>Label</key>

88 <string>at.obdev.littlesnitchd</string>

89 <key>ProgramArguments</key>

90 <array>

91 <string>/Library/Little Snitch/Little Snitch Daemon.bundle/Contents/MacOS/Little Snitch Daemon</string>

92 </array>

93 <key>RunAtLoad</key>

94 <true/>

95 <key>StandardErrorPath</key>

96 <string>/Library/Logs/LittleSnitchDaemon.log</string>

97 <key>StandardOutPath</key>

98 <string>/Library/Logs/LittleSnitchDaemon.log</string>

99 </dict>

100 </plist>

101

102 User login items

103

104 iTunesHelper

105 - /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app

106

107 Safari extensions

108

109 Adblock Plus

110 - org.adblockplus.adblockplussafari

111 Ghostery

112 - com.betteradvertising.ghostery

113 WOT

114 - com.wotservicesoy.wot

115

116 Continuity errors

117

118 sharingd 65

119

120 Bad permissions: 2

121

122 Extensions

123

124 /Library/Extensions/LittleSnitch.kext

125 - at.obdev.nke.LittleSnitch

126

127 Applications

128

129 /Users/USER/Applications/Chrome Apps.localized/Default apdfllckaahabafndbhieahigkjlhalf.app

130 - com.google.Chrome.app.Default-apdfllckaahabafndbhieahigkjlhalf

131 /Users/USER/Applications/Chrome Apps.localized/Default blpcfgokakmgnkcojhhkbfbldkacnbeo.app

132 - com.google.Chrome.app.Default-blpcfgokakmgnkcojhhkbfbldkacnbeo

133 /Users/USER/Applications/Chrome Apps.localized/Default coobgpohoikkiipiblmjeljniedjpjpf.app

134 - com.google.Chrome.app.Default-coobgpohoikkiipiblmjeljniedjpjpf

135 /Users/USER/Applications/Chrome Apps.localized/Default pjkljhegncpnkpknbcohdijeoejaedia.app

136 - com.google.Chrome.app.Default-pjkljhegncpnkpknbcohdijeoejaedia

137 /Users/USER/Library/Application Support/Google/Chrome/Default/Web Applications/_crx_apdfllckaahabafndbhieahigkjlhalf/Default apdfllckaahabafndbhieahigkjlhalf.app

138 - com.google.Chrome.app.Default-apdfllckaahabafndbhieahigkjlhalf-internal

139 /Users/USER/Library/Application Support/Google/Chrome/Default/Web Applications/_crx_blpcfgokakmgnkcojhhkbfbldkacnbeo/Default blpcfgokakmgnkcojhhkbfbldkacnbeo.app

140 - com.google.Chrome.app.Default-blpcfgokakmgnkcojhhkbfbldkacnbeo-internal

141 /Users/USER/Library/Application Support/Google/Chrome/Default/Web Applications/_crx_coobgpohoikkiipiblmjeljniedjpjpf/Default coobgpohoikkiipiblmjeljniedjpjpf.app

142 - com.google.Chrome.app.Default-coobgpohoikkiipiblmjeljniedjpjpf-internal

143 /Users/USER/Library/Application Support/Google/Chrome/Default/Web Applications/_crx_pjkljhegncpnkpknbcohdijeoejaedia/Default pjkljhegncpnkpknbcohdijeoejaedia.app

144 - com.google.Chrome.app.Default-pjkljhegncpnkpknbcohdijeoejaedia-internal

145

146 Library paths

147

148 /Users/USER/Library/Application Support/Google/Chrome/WidevineCDM/1.4.8.865/_platform_specific/mac_x64/libwidevinecdm.dylib

149

150 Modifications

151

152 file modified: /Applications/Chess.app/Contents/Resources/Game.icns

153

154 Bad kernel extensions

155

156 /System/Library/Extensions/AppleOSXUSBNCM.kext

157

158 Elapsed time (sec): 143

Dec 2, 2015 6:35 AM in response to spring2002

Your system does not sound like it was hacked, and unless you are on a public network your firewall is not necessary.

Little Snitch is a very resource-intensive network utility, and Chrome has been cited on these forums as being very system-intensive and RAM-hungry.

If you don't need these applications, remove them and see if the behavior stops.


In the interim, please run a report from this and post your results here:

http://www.etresoft.com/etrecheck


Additionally, if you are running cracked software on your Mac, you don't need someone else sitting at your computer to cause a problem; you are doing all that work for them.

Dec 2, 2015 6:35 AM in response to spring2002

Here's an example from Console:


Around the time I started the process of changing all passwords:


Dec 2 15:07:25 [Name's]-MacBook-Pro loginwindow[67]: USER_PROCESS: 67 console

Dec 2 15:11:05 [Name's]-MacBook-Pro sessionlogoutd[405]: DEAD_PROCESS: 67 console

Dec 2 15:11:19 [Name's]-MacBook-Pro loginwindow[407]: USER_PROCESS: 407 console

Dec 2 15:13:40 [Name's]-MacBook-Pro sessionlogoutd[566]: DEAD_PROCESS: 407 console

Dec 2 15:14:10 [Name's]-MacBook-Pro loginwindow[568]: USER_PROCESS: 568 console

Dec 2 15:25:35 [Name's]-MacBook-Pro sessionlogoutd[795]: DEAD_PROCESS: 568 console

Dec 2 15:25:49 [Name's]-MacBook-Pro loginwindow[797]: USER_PROCESS: 797 console

Dec 2 15:26:29 [Name's]-MacBook-Pro sessionlogoutd[922]: DEAD_PROCESS: 797 console

Dec 2 15:26:43 [Name's]-MacBook-Pro loginwindow[924]: USER_PROCESS: 924 console

Dec 2 15:30:01 [Name's]-MacBook-Pro sessionlogoutd[1120]: DEAD_PROCESS: 924 console

Dec 2 15:30:15 [Name's]-MacBook-Pro loginwindow[1125]: USER_PROCESS: 1125 console

Dec 2 15:31:20 [Name's]-MacBook-Pro sessionlogoutd[1265]: DEAD_PROCESS: 1125 console


Around the time I was just doing regular internet surfing:


Dec 2 21:25:21 [Name's]-MacBook-Pro sessionlogoutd[1648]: DEAD_PROCESS: 88 console

Dec 2 21:25:41 [Name's]-MacBook-Pro loginwindow[1650]: USER_PROCESS: 1650 console

Dec 2 21:26:34 [Name's]-MacBook-Pro sessionlogoutd[1796]: DEAD_PROCESS: 1650 console

Dec 2 21:26:47 [Name's]-MacBook-Pro loginwindow[1798]: USER_PROCESS: 1798 console

Dec 2 21:41:12 [Name's]-MacBook-Pro sessionlogoutd[2044]: DEAD_PROCESS: 1798 console

Dec 2 21:41:34 [Name's]-MacBook-Pro loginwindow[2046]: USER_PROCESS: 2046 console

Dec 2 21:42:12 [Name's]-MacBook-Pro sessionlogoutd[2180]: DEAD_PROCESS: 2046 console

Dec 2 21:42:27 [Name's]-MacBook-Pro loginwindow[2182]: USER_PROCESS: 2182 console

Dec 2 21:45:23 [Name's]-MacBook-Pro sessionlogoutd[2360]: DEAD_PROCESS: 2182 console

Dec 2 21:45:46 [Name's]-MacBook-Pro loginwindow[2362]: USER_PROCESS: 2362 console

Dec 2 21:46:12 [Name's]-MacBook-Pro sessionlogoutd[2484]: DEAD_PROCESS: 2362 console

Dec 2 21:46:26 [Name's]-MacBook-Pro loginwindow[2486]: USER_PROCESS: 2486 console

Dec 2 23:20:45 [Name's]-MacBook-Pro sessionlogoutd[3084]: DEAD_PROCESS: 2486 console

Dec 2 23:21:15 [Name's]-MacBook-Pro loginwindow[3086]: USER_PROCESS: 3086 console
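An added triage helper, not from the thread or from Apple, that pairs each loginwindow USER_PROCESS entry with the sessionlogoutd DEAD_PROCESS entry carrying the same session number, so the intervals quoted above can be read as session start, end and duration rather than as isolated events (USER_PROCESS and DEAD_PROCESS are utmpx record types). The sample lines are constructed from the entries quoted above with a placeholder hostname, and the year is assumed to be 2015 because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample modelled on the entries quoted in the thread; the
# hostname is a placeholder and the year is assumed to be 2015.
SAMPLE_LOG = """\
Dec 2 15:07:25 Example-MacBook-Pro loginwindow[67]: USER_PROCESS: 67 console
Dec 2 15:11:05 Example-MacBook-Pro sessionlogoutd[405]: DEAD_PROCESS: 67 console
Dec 2 15:11:19 Example-MacBook-Pro loginwindow[407]: USER_PROCESS: 407 console
Dec 2 15:13:40 Example-MacBook-Pro sessionlogoutd[566]: DEAD_PROCESS: 407 console
Dec 2 21:25:21 Example-MacBook-Pro sessionlogoutd[1648]: DEAD_PROCESS: 88 console
Dec 2 21:25:41 Example-MacBook-Pro loginwindow[1650]: USER_PROCESS: 1650 console
"""

# syslog-style prefix, then the utmpx record type and the session number.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<proc>loginwindow|sessionlogoutd)\[\d+\]: "
    r"(?P<kind>USER_PROCESS|DEAD_PROCESS): (?P<pid>\d+) (?P<tty>\S+)$"
)

def parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def pair_sessions(log_text, year=2015):
    """Pair each DEAD_PROCESS with the USER_PROCESS carrying the same session id.
    Returns (sessions, orphans): (id, start, end, seconds) tuples, plus DEAD ids
    whose USER_PROCESS is outside the copied text (id 88 in the sample)."""
    open_sessions, sessions, orphans = {}, [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # some other Console line; ignore it
        sid, when = int(m["pid"]), parse_ts(m["ts"], year)
        if m["kind"] == "USER_PROCESS":
            open_sessions[sid] = when
        elif sid in open_sessions:
            start = open_sessions.pop(sid)
            sessions.append((sid, start, when, (when - start).total_seconds()))
        else:
            orphans.append(sid)  # DEAD without a visible USER_PROCESS
    return sessions, orphans

def relogin_gaps(sessions):
    """Seconds between one session's DEAD_PROCESS and the next USER_PROCESS."""
    ordered = sorted(sessions, key=lambda s: s[1])
    return [(b[1] - a[2]).total_seconds() for a, b in zip(ordered, ordered[1:])]
```

An orphaned DEAD_PROCESS (like session 88 above) normally just means its USER_PROCESS line predates the window that was copied, so check the earlier log before reading anything into it.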

Dec 2, 2015 7:55 AM in response to Linc Davis

Hmm, the script I ran that I entered my admin password with looks pretty much the same as the first one where I just pressed enter three times when prompted for my password. Did I do something wrong? I definitely typed my admin password carefully and did not get any wrong password warnings.


But according to the output from the script I ran in Terminal with my admin password, does it seem that there is no evidence of compromise?


Should I also run your script under my standard account as well?
