
iMac Pro firmware virus/malware issue

OK so I've taken my new iMac Pro back to Apple 3 times now and I believe its firmware is hacked. The guys at the "Genius" Bar act all confused about what I'm talking about and don't even read the boot logs or use any other tool. I would think they would want to look at it since the stupid thing cost me over 8k. How can I detect it and show Apple the problem? At first the connection to the internet was slow, then my iCloud accounts had their passwords changed after I logged in, and now I have cookies that look like my comp is running all over the web, no clue what.


Any help is appreciated


iMac Pro,


Hardware

  • 3.0GHz 10-core Intel Xeon W processor, Turbo Boost up to 4.5GHz
  • 64GB 2666MHz DDR4 ECC memory
  • 2TB SSD
  • Radeon Pro Vega 64 with 16GB of HBM2 memory

iMac Pro, macOS High Sierra (10.13.5)

Posted on Jun 22, 2018 2:02 PM

6 replies

Jun 22, 2018 2:45 PM in response to mrs4email

No clue why but I had to add more information and the site made me add it as a reply.


OK so I've taken my new iMac Pro back to Apple 3 times now and I believe its firmware is hacked. The guys at the "Genius" Bar seem confused and don't even read the file system or the logs. I would think they would want to look at it since it cost me over 8k. How can I detect it and show Apple the problem? At first the connection to the internet was slow, then my iCloud accounts had their passwords changed after I logged in, and now I have cookies that look like my comp is running all over the web. No clue what these sites listed do, but it looks all bad to me. Reinstall does not fix this problem and my 300mb internet runs like I'm on 56k sometimes.


Any help is appreciated


iMac Pro,




Hardware

  • 3.0GHz 10-core Intel Xeon W processor, Turbo Boost up to 4.5GHz
  • 64GB 2666MHz DDR4 ECC memory
  • 2TB SSD
  • Radeon Pro Vega 64 with 16GB of HBM2 memory


Here are the files: Macintosh HD>Users>"User Name">Library>Cookies>

File: Cookies.binarycookies

File: HSTS.plist


HSTS.plist - listed below, start and end are not part of the file I put those there.


-----start-----

Deleted the text because someone said it could show vulnerabilities to my system.

-----end-----

Jun 22, 2018 2:10 PM in response to mrs4email

Believing doesn't make it real.


The only way to hack the firmware itself is someone having direct access to your Mac, and having one of a couple of known not-very-many-out-there hardware devices that attack the hardware.


It is otherwise just short of impossible.

"At first the connection to the internet was slow then my iCloud accounts had their passwords changed after I logged in…"

It's far, far more likely someone logged into your account because they were able to bypass a weak password.

"and now I have cookies that look like my comp is running all over the web"

Absolutely nothing unusual about that. You can visit one trusted site and have it generate a dozen cookies whose names are meaningless.


Instead of guessing or assuming, describe the problem.

Jun 22, 2018 2:51 PM in response to mrs4email

You only have a 15 minute window to edit a post. After that, it's fixed. That's why you had to add a reply rather than add on to the initial post.


You'd need an app like BBEdit to view the file HSTS.plist correctly. Regardless, it's nothing but an XML file of cookie data you've picked up around the Internet. In other words, meaningless since cookies cannot do anything harmful.


We're back to where we were. Please stop guessing and assuming. Describe what the Mac is not doing as you expect.


Better yet, download and run EtreCheck. When it's done running, use its option to copy/paste the results in a response here. The app is written and maintained by longtime forum member, etresoft. All personal info is automatically redacted. What it's mainly used for is to see what apps are running on your Mac. From that, users here can see if you have adware, or other unwanted junk running.

Jun 22, 2018 3:00 PM in response to Kurt Lang

Just to add, HSTS.plist is a bit more complicated than just cookie data. If you remove the file, it will be created again.


HSTS.plist is a Safari settings file related to HTTP Strict Transport Security. It is a mandatory setting for Mavericks and newer OS releases. For more information about this security policy mechanism, you can read up about it at Wikipedia:

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Jun 27, 2018 4:37 PM in response to Kurt Lang

So I read the wiki page and I don't understand the site lists. Are they being blocked or allowing traffic? Because this list below, I've never even heard of the sites before. Thanks for directing me to the wiki so I could read about it. There are a few of the sites below that I have used, such as google, yahoo etc., but the search info around so google.com is not mine. The link you sent me to talked a lot about man in the middle attacks, so am I supposed to have all these sites listed or no?


----------------code below-----------------


Jun 27, 2018 4:50 PM in response to mrs4email

The OS grades each site you visit and assigns a value to it. That’s what you’ll see in the HSTS.plist file if you view it in BBEdit. Attempting to read it as plain text results in a jumbled mess, as you posted here.


There’s nothing you need to know, or do about the HSTS.plist file. The OS handles it and knows what the entries mean.


The man-in-the-middle attack is thwarted by HSTS. That is its main reason for being. The article describes that in the same paragraph.


I’m not sure what you’re trying to find or uncover, but looking at the HSTS.plist file as a source is a waste of your time.
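Added example, not part of any post in this thread: a short Python sketch of why a property list opened as plain text shows each hostname glued to a stray character, and how to read the same bytes properly. It assumes HSTS.plist is stored in Apple's binary property-list format; the sample hostnames and the `include_subdomains` record are constructed for illustration and are not Safari's real schema.

```python
import plistlib

# Constructed sample hostnames; the record layout below is made up for this
# example and is NOT Safari's actual HSTS.plist schema.
SAMPLE_HOSTS = ["wiz.biz", "souyar.us", "airbnb.com",
                "itriskltd.com", "passwordbox.com"]


def build_sample_plist(hosts):
    """Serialize a constructed host table as a binary property list."""
    table = {h: {"include_subdomains": True} for h in hosts}
    return plistlib.dumps(table, fmt=plistlib.FMT_BINARY)


def is_binary_plist(data):
    """Binary plists start with the magic 'bplist' plus a version ('00')."""
    return data[:8] == b"bplist00"


def as_plain_text(data):
    """Roughly what a text view shows: printable ASCII kept, the rest blanked."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else " " for b in data)


def string_marker(host):
    """Bytes the binary format writes in front of an ASCII string (< 256 chars).

    High nibble 0x5 means 'ASCII string'; the low nibble is the length,
    or 0xF when the length follows as a separate one-byte integer.
    """
    n = len(host)
    if n < 15:
        return bytes([0x50 | n])       # e.g. length 7 -> 0x57, which prints as 'W'
    return bytes([0x5F, 0x10, n])      # 0x5F prints as '_', then the length


def load_hosts(data):
    """Parse the plist properly and return the hostnames it contains."""
    return sorted(plistlib.loads(data))


if __name__ == "__main__":
    raw = build_sample_plist(SAMPLE_HOSTS)
    print("binary plist:", is_binary_plist(raw))
    print("as text     :", as_plain_text(raw))
    for host in SAMPLE_HOSTS:
        print(f"{host!r:20} marker bytes {string_marker(host).hex()}")
    print("parsed hosts:", load_hosts(raw))
```

The letters and underscores between hostnames in a text view are length markers from the file format, not part of any site name. On a Mac, `plutil -p` on the file prints the decoded structure without a third-party editor.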
