reifreak

Suspect someone trying to get into my system

6 posts in this topic


I have a Mac Mini running Yosemite 10.10.3. It's in a generally open area, so physical security is a bit of a concern. I'm the only user with an account on the system. I have guest access disabled. I have set a password on recovery mode. 

 

Recently I've become suspicious that someone may be trying to get some files off my machine or gain access to install remote/spy software. I found that this had happened on one of my Windows-based PCs in the past, which is why I went with a Mac this time. I'll attach a log file that shows activity from the time I logged out of it yesterday until the time I logged in next (this morning at 8:35).

 

I'm a noob to the Apple universe, so some parts of the log may look alarming to me but be harmless. I would be grateful to the community and anyone who could review the log file for anything out of the usual. I would like to call attention to a few entries:

 

6/30/15 5:45:01.017 AM com.apple.xpc.launchd[1]: (com.apple.quicklook[56530]) Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook

 

And this series:

6/30/15 5:45:24.000 AM kernel[0]: hfs: mounted Recovery HD on device disk0s3

6/30/15 5:45:24.864 AM mds[58]: (Volume.Normal:2464) volume:0x7fd628881000 ********** Bootstrapped Creating a default store:0 SpotLoc:(null) SpotVerLoc:(null) occlude:0 /Volumes/Recovery HD

6/30/15 5:45:24.866 AM mdworker[56249]: (ImportBailout.Error:1325) Asked to exit for Diskarb

6/30/15 5:45:24.868 AM mdworker[56398]: (ImportBailout.Error:1325) Asked to exit for Diskarb

6/30/15 5:45:24.871 AM mdworker[56496]: (ImportBailout.Error:1325) Asked to exit for Diskarb

6/30/15 5:45:24.873 AM mdworker[56397]: (ImportBailout.Error:1325) Asked to exit for Diskarb

6/30/15 5:45:24.903 AM fseventsd[45]: Logging disabled completely for device:1: /Volumes/Recovery HD

6/30/15 5:45:25.000 AM kernel[0]: hfs: unmount initiated on Recovery HD on device disk0s3

6/30/15 5:45:26.920 AM softwareupdate_download_service[46785]:  securityd_message_with_reply_sync Failed to talk to secd after 4 attempts.

6/30/15 5:45:26.920 AM softwareupdate_download_service[46785]:  SecOSStatusWith error:[-25291] The operation couldn’t be completed. (com.apple.security.xpc error 3 - <connection: 0x7f9ad3c45880> { name = com.apple.securityd.xpc, listener = false, pid = 0, euid = 4294967295, egid = 4294967295, asid = 4294967295 }: Connection invalid)
 
Another set of eyes on the log as a whole would be great. I know this is asking a lot of the community. All my techie colleagues that I usually go over these things with are strictly MS. Thank you in advance for the help!
 

2015 06-29 to 06-30 night log.rtf
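The post asks for a second pair of eyes on a night's worth of system.log. The script below is an added example, not something posted in the thread: it parses lines in the exact format quoted above, keeps only those that fall inside the unattended window (assumed here as 10 pm on 6/29 to the 8:35 am login on 6/30, taken from the poster's own description), tags the entries that touch the Recovery HD volume, the Spotlight workers that were told to stand down for disk arbitration, and the securityd/secd failure, and then groups tagged entries that occur within a few seconds of each other. The sample log is the quoted lines themselves (constructed here as a string); the burst grouping is what shows that the mount, the unmount and the securityd error belong to one short sequence rather than to separate events spread over the night.

```python
import re
from datetime import datetime

# Constructed sample: the system.log lines quoted in the post, plus the
# quicklook line, which the rules deliberately leave untagged.
SAMPLE_LOG = """\
6/30/15 5:45:01.017 AM com.apple.xpc.launchd[1]: (com.apple.quicklook[56530]) Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
6/30/15 5:45:24.000 AM kernel[0]: hfs: mounted Recovery HD on device disk0s3
6/30/15 5:45:24.864 AM mds[58]: (Volume.Normal:2464) volume:0x7fd628881000 ********** Bootstrapped Creating a default store:0 SpotLoc:(null) SpotVerLoc:(null) occlude:0 /Volumes/Recovery HD
6/30/15 5:45:24.866 AM mdworker[56249]: (ImportBailout.Error:1325) Asked to exit for Diskarb
6/30/15 5:45:24.903 AM fseventsd[45]: Logging disabled completely for device:1: /Volumes/Recovery HD
6/30/15 5:45:25.000 AM kernel[0]: hfs: unmount initiated on Recovery HD on device disk0s3
6/30/15 5:45:26.920 AM softwareupdate_download_service[46785]:  securityd_message_with_reply_sync Failed to talk to secd after 4 attempts.
"""

# Assumed unattended window, from the post: never at the machine past 10 pm,
# logged back in at 8:35 the next morning.
UNATTENDED_START = datetime(2015, 6, 29, 22, 0, 0)
UNATTENDED_END = datetime(2015, 6, 30, 8, 35, 0)

# "6/30/15 5:45:24.000 AM kernel[0]: message"
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2}) (?P<time>\d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Tag name and predicate; an event may carry more than one tag.
RULES = [
    # Anything touching the hidden Recovery HD partition while the console is unattended.
    ("recovery_volume", lambda e: "Recovery HD" in e["msg"]),
    # Spotlight workers told to exit for diskarbitrationd: a side effect of a volume
    # appearing or disappearing, so it belongs to the same sequence as the mount.
    ("disk_arbitration", lambda e: "Asked to exit for Diskarb" in e["msg"]),
    # A process that could not reach securityd/secd (keychain access failed).
    ("securityd_failure", lambda e: "Failed to talk to secd" in e["msg"]
                                    or "com.apple.securityd.xpc" in e["msg"]),
]


def parse_line(line):
    """Return {ts, proc, pid, msg} for one system.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M:%S.%f %p")
    return {"ts": ts, "proc": m["proc"], "pid": int(m["pid"]), "msg": m["msg"]}


def flag_events(log_text, start, end):
    """Parsed events inside [start, end] that match at least one rule, with their tags."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not (start <= e["ts"] <= end):
            continue
        tags = [tag for tag, pred in RULES if pred(e)]
        if tags:
            e["tags"] = tags
            flagged.append(e)
    return flagged


def group_bursts(events, max_gap_seconds=5.0):
    """Group time-sorted events so that consecutive members are at most max_gap_seconds apart."""
    bursts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if bursts and (e["ts"] - bursts[-1][-1]["ts"]).total_seconds() <= max_gap_seconds:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return bursts


def analyse(log_text=SAMPLE_LOG, start=UNATTENDED_START, end=UNATTENDED_END):
    """Flagged events in the window and the bursts they form."""
    flagged = flag_events(log_text, start, end)
    return flagged, group_bursts(flagged)


def main():
    flagged, bursts = analyse()
    print(f"{len(flagged)} tagged events in the unattended window, {len(bursts)} burst(s)")
    for i, burst in enumerate(bursts, 1):
        procs = ", ".join(sorted({e["proc"] for e in burst}))
        print(f"burst {i}: {burst[0]['ts']:%H:%M:%S} -> {burst[-1]['ts']:%H:%M:%S}; processes: {procs}")
        for e in burst:
            print(f"  {e['ts']:%H:%M:%S.%f} {e['proc']}[{e['pid']}] {'/'.join(e['tags'])}")


if __name__ == "__main__":
    main()
```

Run it against the attached log by reading the file into `log_text` instead of `SAMPLE_LOG` (the .rtf will need converting to plain text first). On the quoted lines it reports a single burst, from 5:45:24 to 5:45:26, whose processes are kernel, mds, mdworker, fseventsd and softwareupdate_download_service; the timing tells you these entries are one chain, while what started the chain has to come from the lines before the mount, which is where to read next.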


I guess the root of my question would be this... Unless someone brute-force hacks my user password and the recovery password, is my machine safe from data theft or malicious software? With our Windows machine in the past, we figured out someone just plugged a drive in and it auto-executed some code even though they weren't logged in. Another time, they used a Linux Live CD to boot up and access files on the Windows partition.

 

I bought a Mac because of its reputation for security, so I thought it was the best for our shared-space situation. An underlying question I have is whether there's a way someone can still get to things?

 

I'll check out FileVault - thank you for that tip!


What's on /Library/PrivilegedHelperTools/ ?

 

This seems to me to be a privileged helper tool used by an app, of course one that fails to acquire root privileges.


Thanks Micky - there are 3 items:

 

com.microsoft.office.licensing.helper (Office 2013)

com.microsoft.office.licensingV2.helper (Office 2016 preview I believe)

com.teamviewer.Helper

 

The only interesting thing to note is that the two Microsoft items have a "Date Modified" of 1/16/15 12:00am & 5/8/15 12:42am. I don't know how updates on the Mac work entirely yet - whether it's possible for these to be modified with my screen locked and me away. I know I haven't been at this machine at all past 10pm as long as I've had it. I do have Microsoft Office 2013 and 2016 (preview) installed, as well as TeamViewer.

 

Thank you for taking the time to look at the logs.
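A modification date on its own does not say whether a helper was updated by its installer or replaced by someone else; the checks that do separate the two are whether the binary's code signature still verifies and whether it is still paired with the launchd job that is allowed to start it (helpers installed through SMJobBless live in /Library/PrivilegedHelperTools and have a plist of the same name in /Library/LaunchDaemons). The script below is an added example, not something from the thread or from Apple, that inventories that directory: modification time, owner, whether the file is group- or world-writable, whether the matching launchd plist exists, and the `codesign --verify --strict` result. Because the verifier does not have a Mac, it also carries a constructed sample tree (hypothetical labels com.example.Helper and com.example.LooseHelper, dummy bytes rather than real binaries) that `demo()` builds in a temporary directory; the night window used there is an assumption mirroring the 12:42 AM timestamp in the post.

```python
import os
import shutil
import stat
import subprocess
import tempfile
from datetime import datetime
from pathlib import Path

# Real locations on OS X: SMJobBless-installed helpers and their launchd job
# definitions, which are named after the helper's label.
HELPER_DIR = Path("/Library/PrivilegedHelperTools")
DAEMON_DIR = Path("/Library/LaunchDaemons")

# Assumed window for the demo: the night around the 5/8/15 12:42am timestamp.
NIGHT_START = datetime(2015, 5, 7, 22, 0)
NIGHT_END = datetime(2015, 5, 8, 8, 0)


def check_signature(path):
    """Ask codesign whether the binary's signature still verifies.
    Returns a short status string; where codesign is absent the check is reported as skipped."""
    if shutil.which("codesign") is None:
        return "skipped (codesign not available)"
    proc = subprocess.run(["codesign", "--verify", "--strict", str(path)],
                          capture_output=True, text=True)
    return "valid" if proc.returncode == 0 else f"INVALID: {proc.stderr.strip()}"


def inventory_helpers(helper_dir=HELPER_DIR, daemon_dir=DAEMON_DIR):
    """One record per file in helper_dir: mtime, owner, loose permissions,
    matching launchd plist (or None) and signature status."""
    records = []
    for path in sorted(p for p in Path(helper_dir).iterdir() if p.is_file()):
        st = path.stat()
        plist = Path(daemon_dir) / f"{path.name}.plist"
        records.append({
            "name": path.name,
            "modified": datetime.fromtimestamp(st.st_mtime),
            "owner_uid": st.st_uid,
            "group_or_world_writable": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
            "launchd_plist": str(plist) if plist.exists() else None,
            "signature": check_signature(path),
        })
    return records


def modified_in_window(records, start, end):
    """Helpers whose modification time falls inside a window when nobody should have been at the console."""
    return [r for r in records if start <= r["modified"] <= end]


def build_sample_tree(root):
    """Constructed stand-in for /Library: two dummy helpers and one launchd plist."""
    helpers, daemons = root / "PrivilegedHelperTools", root / "LaunchDaemons"
    helpers.mkdir()
    daemons.mkdir()
    good = helpers / "com.example.Helper"          # hypothetical label, registered with launchd
    loose = helpers / "com.example.LooseHelper"    # hypothetical label, no plist, group-writable
    good.write_bytes(b"\x00")
    os.chmod(good, 0o755)
    loose.write_bytes(b"\x00")
    os.chmod(loose, 0o775)
    (daemons / "com.example.Helper.plist").write_text("<plist/>")  # placeholder content
    # Back-date the registered helper to a small-hours timestamp like the one in the post.
    late = datetime(2015, 5, 8, 0, 42).timestamp()
    os.utime(good, (late, late))
    return helpers, daemons


def demo():
    """Inventory of the constructed tree plus the helpers modified during the assumed night window."""
    with tempfile.TemporaryDirectory() as tmp:
        helpers, daemons = build_sample_tree(Path(tmp))
        records = inventory_helpers(helpers, daemons)
        return records, modified_in_window(records, NIGHT_START, NIGHT_END)


def main():
    if HELPER_DIR.is_dir():
        records = inventory_helpers()
    else:
        print("no /Library/PrivilegedHelperTools here; showing the constructed sample")
        records, _ = demo()
    for r in records:
        flags = []
        if r["launchd_plist"] is None:
            flags.append("NO LAUNCHD PLIST")
        if r["group_or_world_writable"]:
            flags.append("WRITABLE BY GROUP/OTHERS")
        print(f"{r['name']:40} {r['modified']:%Y-%m-%d %H:%M} uid={r['owner_uid']} "
              f"sig={r['signature']} {' '.join(flags)}")


if __name__ == "__main__":
    main()
```

On the poster's machine the three helpers listed above would each be expected to show `sig=valid`, a plist of the same name, and a uid of 0; a helper that has lost its signature, acquired a new writable bit, or has no launchd job is the thing worth following up, regardless of what the date column says.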


Do you also have AirMedia installed? It is usually used to make presentations with MS Office tools.

 

6/30/15 5:45:26.920 AM softwareupdate_download_service[46785]:  securityd_message_with_reply_sync Failed to talk to secd after 4 attempts.

 

...something like that: http://www.crestron.com/resources/product_and_programming_resources/catalogs_and_brochures/online_catalog/default.asp?jump=1&model=am-100


Apparently you also have an antivirus installed on this Hack (or Mac???) ...Sophos??

EDIT

Hey Bro, launchd (an OS X program) is telling you:

 launchd[1]: (com.sophos.scan) This service is defined to be constantly running and is inherently inefficient.

....please remove it!

