GreenMamba
Level 1 (13 points)
Desktops

Q: grep nsurl - compromised?

I have a similar question to something I saw about CSI.scratch, but now I am realizing it goes much further than that.

 

I just did a re-install of OS X due to some strange activity. During my reinstall while in the disk utility to erase my disk i noticed a disk image called Apple Disk Image > OS X Base Systems. 1.3 GB was used and 713mb was available. The files were labeled as "other". 

 

Apple SSD SD0128F Media - 121.33 GB PCI - Internal physical disk had a child count of 3, even after I erased it and renamed it.

 

I could NOT eject the "Apple Disk Image" and whatever it is or whatever it does. I am not sure if it is just some version of OS X you had when you first bought your MacBook Pro. I am totally confused.

 

Also during this last reinstall it asked me for my password to my MBP when it had it's old name. That was new.

 

Right now I am running the command sudo fs_usage -w | grep nsurl in terminal and nsurlstoraged.33*** [port changes] keeps trying to send or is sending /library/cookies/HSTS.plist

 

Is all of this stuff normal? I don't feel like it is.

 

I have done a reinstall before and do not remember having to enter my old password to my last login before logging into my new installation. I feel like someone has remote access to my desktop. Or some kind of root access. Maybe not though.


I feel like this may be related to my phone. I think either the phone is compromised and keeps compromising the laptop or vise versa. I downloaded SurfEasy VPN about 4 weeks ago to try and help with security while on the web. But that is causing issues sometimes too. I have Xfinity and due to Comcast having their own VPN service I think they may throttle any other VPN's but their own (just a theory).


Do these look normal:

 

private/var/folders/ql/sxcp0v6n0wl8f5pk54pn5h_80000gn/T//etilqs_DbpVmyv5VWuqJIc -- using unlink, stat, fstat64, fcntl, HFS_update, and access .. basically everything.


/private/var/folders/ql/sxcp0v6n0wl8f5pk54pn5h_80000gn/T/etilqs_8tfU8R5ug8B0zJF

/private/var/folders/ql/sxcp0v6n0wl8f5pk54pn5h_80000gn/T/etilqs_p92KBdsqNmewkYg

 

Doing the same thing^

 

Please help Linc or anyone else.

 

Thanks...

MacBook Pro (Retina, 13-inch, Mid 2014), OS X El Capitan (10.11.3)

Posted on Jun 25, 2016 7:46 AM

Close
GreenMamba

Q: grep nsurl - compromised?

  • All replies
  • Helpful answers

  • by Barney-15E,Helpful

    Barney-15E Barney-15E Jun 26, 2016 8:19 AM in response to GreenMamba
    Level 8 (49,645 points)
    Mac OS X
    Jun 26, 2016 8:19 AM in response to GreenMamba

    It's part of the installer.

    I don't know anything about nsurl.

  • by GreenMamba,

    GreenMamba GreenMamba Jun 25, 2016 7:55 AM in response to Barney-15E
    Level 1 (13 points)
    Desktops
    Jun 25, 2016 7:55 AM in response to Barney-15E

    Thanks Barney-15E

     

    So the disk image is part of the installer. Good to know. Now I am just wondering about these variations and if they are normal (description above):

     

    private/var/folders/ql/sxcp0v6n0wl8f5pk54pn5h_80000gn/T//etilqs_DbpVmyv5VWuqJIc -- using unlink, stat, fstat64, fcntl, HFS_update, and access .. basically everything.


  • by etresoft,Helpful

    etresoft etresoft Jun 26, 2016 8:20 AM in response to GreenMamba
    Level 7 (29,046 points)
    Jun 26, 2016 8:20 AM in response to GreenMamba

    Hello GreenMamba,

    Everything is completely normal. There is nothing to worry about. If you go looking for mysterious log files, you will be guaranteed to find them. If you are seeing anything you don't expect, describe what you are seeing and what you expected to see that is different.

     

    I wrote a little diagnostic program to help show what is running in all of these hidden directories. Download EtreCheck from http://www.etrecheck.com, run it, and paste the results here. EtreCheck is perfectly safe to run, does not ask for your password to install, and is signed with my Apple Developer ID.

     

    EtreCheck tries hard to highlight only things that aren't normal. Even if it doesn't report anything unusual, that may still be helpful for you to see that there isn't anything unusual.

     

    Disclaimer: Although EtreCheck is free, there are other links on my site that could give me some form of compensation, financial or otherwise.

  • by Drew Reece,

    Drew Reece Drew Reece Jun 26, 2016 6:25 AM in response to GreenMamba
    Level 5 (7,456 points)
    Notebooks
    Jun 26, 2016 6:25 AM in response to GreenMamba

    I answered lots of these questions in the other post you created before you posted this one…

    Re: iRat - remote control client?

    Please link to your other posts when you decide to make duplicate posts on the forums with the same question.

     

    As I said there, I can't see anything abnormal with your Mac aside from lots of misunderstandings on how OS X works. I also have to wonder how many services you use that can restore data (like Time Machine, iCloud syncing or a failed 'erase install'). It can explain why you can see things from an older installation.

     

    If you want to throw your phone into the equation, good luck with it. Simply having vague issues is not a sign of any compromise - it could simply be broken hardware,  software or even issues on the network. It would help if you tried to troubleshoot each issue individually or at the very least remove the VPN & see if it behaves better.  Take it all to an Apple store or to the police if you truly believe it is compromised, I really don't think that is the case.

     

    The log files seem normal too despite the fact I really don't understand what you are asking with them (is that from the output of 'stat' ?). OS X logs a ton of data, it is normal that some of those log files are given complex access controls.

  • by GreenMamba,

    GreenMamba GreenMamba Jun 26, 2016 8:20 AM in response to Drew Reece
    Level 1 (13 points)
    Desktops
    Jun 26, 2016 8:20 AM in response to Drew Reece

    I replied to your other answer Drew and thank you.