Munix hacked? Valid files for install of Leopard?

HelloMac · #1 May 20th, 2008, 03:59 PM

First recognized a problem in late February.

The environment:
10.5.2 imac new in Feb 08. 1 gig ram.
Airport Extreme.
Epson PS820 printer.
Cabled mouse and keyboard.
DSL Action Tec 701C modem.
No exotic software installed, just the Apple standards. iLife, iWork.

I've set the following upon intial account setup for the most recent re-do:
No internet connection.
Disable Firewire, Airport, Ethernet and Bluetooth.
Disable IPv6 for all devices.
NO sharing of any sort, file or internet wise.
NO permission for "everybody" or "users" groups to Terminal.
Software firewall - no incoming (essential only).
DSL Modem firewall - port 80 and imap only. Everything else no in or out.
Complex password on DSL modem.
Complex password on admin account on mac.
Complex password on root account on mac.

The problem:
Over time the Mac allows unknown user(s) to log into the computer, change permissions and eventually obtain root authority. Data is sent from the machine to the internet. Using a combination of ssh or telnet logins with AppleScript automation my machine is consistently compromised. Mouse movements are tracked, passwords are detected by a script that dupes me into thinking the system needs my password (though I recognize that one now). To what end I have no idea.

From the logs:
Anonymous logins, "race conditions" errors, random .plist files that seem to belong but upon inspection are made up of chinese or russian language, cups entries that my printer can accept up to one hundred hosts and all sorts of stuff probably unrelated. The machine's time changes randomly by a few seconds. The system performs a "window replay" everynow and again. That's all taken from the Console ALL MESSAGES logs. .plist files in config that reference WoW and other online games.

Action taken:
Several fresh installs of Leopard at the direction of Apple Care and local Apple Genius. From different install discs. It doesn't matter what customize option or exclusion I instruct the installer to make, the actual install is always ALL language options and X11.

Complete head to toe hardware checkout by my local Apple certified geeks. No problems with RAM or other hardware.

My theory:
Initial infection writes itself to discs that are inserted into the optical drive, including installation discs. Three files survive hard drive erasure and update the infection all over again upon a fresh install of Leopard.

The evidence:
Reset NPRAM and NVRAM.
From install DVD, a new one I purchased at retail 2 days ago in shrinkwrap -
1. Disc utility, repartition HD to a new single partition.
2. Erase, Security option Zero out.
Disc utility reports the drive has been erased. 3 folders and 3 files remain on the new \volume\HD using 107mg of space.
Apple tells me I can't see the EFI partition, so these folders can't be part of the EFI, right?

Install runs and reports errors that include not accepting custom options for the installation. Several folders and files related to ILife Media Browser are not overwritten by the install disc because a "newer version exists on the disc". That's from the install log. But we just wiped the drive clean.

How do I defeat this self repeating loop?!

How do I know if my install disc is compromised? Can you compare the following listing to yours?

This is the list of files on a DVD I purchased new at retail two days ago.
Displayed as a result of Terminal, BASH ls -a -l /.

1 root admin (time) ._DS_store
1 root wheel 2007 ._instructions
1 root wheel 2007 ._optional installs
12 _unknown _unknown (time) .fseventsd
2 root wheel 2007 .vol
3 root admin 2007 applications
3 root wheel 2007 install mac OSX.app
10 root wheel (time) Instructions
11 admin admin (time) Library
8 root wheel (time) optional installs
4 root wheel (time) System
40 root wheel (time) bin
2 root wheel (time) dev
1 root admin (time) etc -> private/etc
1 root wheel 2007 mach_kernel
5 root wheel (time) private
65 root wheel (time) sbin
1 root admin (time) tmp -> private/temp
8 root wheel (time) usr
1 root admin (time) var -> private/var

I'm exhausted chasing my tail on this. Any suggestions? My next plan is to say to hell with the hard drive and replace it but I don't know how I picked up the problem in the first place.

The local Apple Genious (s) have looked at my log files once I made them really focus. Even though there were exclamations that "some of that looks fishy", there was no resolution. Level 2 AppleCare techs have simply sent me install discs for a macBOOK to reinstall.

Thanks for taking the time to take a look. I really want to love being a new Mac convert. Really I do.

Dave

**Giaguara** · #2 May 20th, 2008, 04:18 PM

"Over time the Mac allows unknown user(s) to log into the computer, change permissions and eventually obtain root authority. Data is sent from the machine to the internet. Using a combination of ssh or telnet logins with AppleScript automation my machine is consistently compromised. Mouse movements are tracked, passwords are detected by a script that dupes me into thinking the system needs my password (though I recognize that one now). To what end I have no idea. "

Could you post some system log / console log entries where you see this?

If you have ALL options for sharing disabled, NO remote login allowed, and have firewall on (with only services you use), and use Little Snitch, what you describe should not happen. In addition to those, keep passwords secure, don't use back to my mac or screensharing, disable ARD and VNC for ALL users on that Mac, physically lock down USB (from having any keyloggers etc). If there is ANY user that would have VNC/ARD enabled, any user could be seen.. but as said, I'd love to have a look at the logs.

ElDiabloConCaca · #3 May 20th, 2008, 04:35 PM

Just to clear the decks of something:

It is impossible for your system, compromised or not, to write additional data to CD or DVD installation media that you bought at the store -- those discs are not writable at all, and are even physically dissimilar from writable CD-R or DVD-R discs that you would normally purchase to burn stuff on.

Short answer: it's not your installation media that's being compromised.

Can you try installing all the good stuff WITHOUT being connected to the internet? Physically pull the ethernet plug out while you're installing and setting passwords, and do not re-connect it until you're done with setting passwords and locking the system down.

It seems as though you're being quickly compromised... are you setting the same root password each time you reinstall? If so, and you have a static IP address, then it's completely possible that the hacker that obtained your password the first time is simply using it over again to re-compromise your system.

Could there be a machine on your network that is doing this? The speed at which you say you're being compromised leads me to think that perhaps another machine has been compromised on your network, allowing faster "cracks" since there's less delay than going over the internet.

Amavida · #4 May 20th, 2008, 07:40 PM

I can't believe that someone demonstrating this level of detailed knowledge would think that his/her DVD is being written to.. That sounds suspicious to me. Hmmm. However assuming you have some new amazing new super hacker infection of your HDD partition that no one has ever heard of.. 1) Try booting off your MacOS Install disk & use the partitioning tools on it to nuke the partitions OR.. 2) try booting off a Knoppix or other Linux 'Live CD' & use the partitioning tools on it to nuke the partitions.. then reboot off your MacOS Install DVD & reinstall WITH THE ETHERNET CABLE UNPLUGGED. Leave the cable out until you have safely configured your Mac - Firewall on/Sharing Off etc.

HelloMac · #5 May 21st, 2008, 12:07 AM

first, thanks to all for taking the time to consider this issue.

Good to know that my optical drive can't write to the install discs. I've stopped assuming anything at this point. As far as knowledge about the other stuff - I've just been doing a ton of reading about mac specific and unix in general. Lots to learn.

I've used different passwords and user names each time through. No repeats. When I run the erase procedure and the install the Ethernet cable is physically disconnected from the modem. I turn airport off as soon as the os enables it. Bluetooth remains on during the install. I can't figure out how to disable it during the install and there's no physical switch on the iMac, it's software controlled. I disable it as soon as the initial user account is active. I know it's on because I tried to pair my phone during the later phase of one of the installs and was successful. I'e disabled that connection.

VNC? There's something to investigate. I don't understand what that is but by this time tommorrow I will one a lot about it.

I notice that during boot up from the hd a line consistently appears that IPv6 is enabled, default accept, no detail log. I go into the network settings and turn off all IPv6 options I can find. Does that instruction during boot survive setting changes I make later? Is there another place a connection through that ip could live?

I will post some of the interesting log files on Wed.

Dave

HelloMac · #6 May 22nd, 2008, 10:51 AM

Some info from the system...

Description: System events log
Size: 148 KB
Last Modified: 5/21/08 9:51 PM
Location: /var/log/system.log
Recent Contents: ...
May 20 00:31:05 localhost kernel[0]: BSD root: disk0s2, major
14, minor 2
May 20 00:31:05 localhost kernel[0]: Extension
"com.apple.driver.AppleHIDKeyboard" has no explicit kernel
dependency; using version 6.0.
May 20 00:31:05 localhost kernel[0]: Jettisoning kernel linker.
May 20 00:31:05 localhost kernel[0]: Resetting IOCatalogue.
May 20 00:31:05 localhost kernel[0]: Matching service count =
0
May 20 00:31:06: --- last message repeated 5 times ---
May 20 00:31:06 localhost kernel[0]: wl0: Broadcom BCM4328
802.11 Wireless Controller
May 20 00:31:06 localhost kernel[0]: 4.170.25.8.2
May 20 00:31:07 localhost kernel[0]:
CSRHIDTransitionDriver::start []
May 20 00:31:08 localhost kernel[0]:
CSRHIDTransitionDriver::switchToHCIMode legacy
May 20 00:31:08 localhost kernel[0]: USBF:
7.222
CSRHIDTransitionDriver[0x30fa300](IOUSBCompositeDevice)
GetFullConfigDescriptor(0) returned NULL
May 20 00:31:08 localhost kernel[0]: CSRHIDTransitionDriver...
done
May 20 00:31:08 localhost kernel[0]: E:
[AppleUSBBluetoothHCIController][FindInterfaces]
mInt0InterruptMaxPacketSize = 16
May 20 00:31:08 localhost bootlog[50]: BOOT_TIME:
1211257861 0
May 20 00:31:10 localhost DirectoryService[56]: Launched
version 5.0 (v514)
May 20 00:31:10 localhost rpc.statd[38]: statd.notify - no
notifications needed
May 20 00:31:10 localhost /System/Library/CoreServices/
loginwindow.app/Contents/MacOS/loginwindow[43]: Login
Window Application Started
May 20 00:31:10 localhost kernel[0]: yukon: Ethernet address
00:1e:c2:0a:c7:72
May 20 00:31:10 localhost fseventsd[45]: bumping event
counter to: 0x3f72 (current 0x0) from log file
'0000000000003d09'
May 20 00:31:10 localhost kernel[0]: AirPort_Brcm43xx:
Ethernet address 00:1e:52:86:be:17
May 20 00:31:10 localhost kernel[0]: IPv6 packet filtering
initialized, default to accept, logging disabled
May 20 00:31:10 localhost blued[68]: Apple Bluetooth daemon
started.
May 20 00:31:10 localhost /usr/sbin/ocspd[75]: starting
May 20 00:31:10 localhost mDNSResponder
mDNSResponder-164 (Nov 4 2007 13:23:04)[42]: starting
May 20 00:31:11 localhost kernel[0]: E:
[AppleUSBBluetoothHCIController][StartInterruptPipeRead] there
is alredy a pending read, skipping.
May 20 00:31:11 driver207s-imac org.ntp.ntpd[34]: Error :
nodename nor servname provided, or not known
May 20 00:31:11 driver207s-imac ntpdate[82]: can't find host
time.apple.com
May 20 00:31:11 driver207s-imac kernel[0]:
[InterruptReadHandler] Received kIODeviceNotResponding error
- retrying: 1.
May 20 00:31:11 driver207s-imac mDNSResponder[42]:
SetDomainSecrets: mDNSKeychainGetSecrets failed error 0
CFArrayRef 00000000
May 20 00:31:11 driver207s-imac configd[48]: setting
hostname to "driver207s-imac.local"
May 20 00:31:11 driver207s-imac ntpdate[82]: no servers can
be used, exiting
May 20 00:31:16 driver207s-imac loginwindow[43]: Login
Window Started Security Agent
May 20 00:31:16 driver207s-imac SecurityAgent[95]:
NSExceptionHandler has recorded the following exception:
\nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index
(0) beyond bounds (0)\nStack trace: 0x3719a 0x91a2e09b
0x95ec704b 0x95ec708a 0x9014addf 0x900c8cb8 0x6f58a
0x6fdc9 0x594e1 0x6d847 0x615d9 0x6290e 0x6430d
0x62160 0x60c8e 0x663f4 0x76187 0xd648 0x12c40
0x129f3 0xd18a 0x90107f73 0x95e295c5 0x95e4d941
0x95e4dd38 0x913f88a4 0x913f86bd 0x913f8531
0x93ee8d5b 0x93ee86a0 0x93ee16d1 0x10fc7 0x202a 0x1
May 20 00:31:17 driver207s-imac kextd[10]: writing kernel link
data to /var/run/mach.sym
May 20 00:31:42 driver207s-imac authorizationhost[94]:
MechanismInvoke 0x124550 retainCount 2
May 20 00:31:42 driver207s-imac SecurityAgent[95]:
MechanismInvoke 0x103c70 retainCount 1
May 20 00:31:42 driver207s-imac SecurityAgent[95]:
NSSecureTextFieldCell detected a field editor ((null)) that is not
a NSTextView subclass designed to work with the cell.
Ignoring...
May 20 00:31:42 driver207s-imac SecurityAgent[95]:
NSExceptionHandler has recorded the following exception:
\nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index
(0) beyond bounds (0)\nStack trace: 0x3719a 0x91a2e09b
0x95ec704b 0x95ec708a 0x9014addf 0x900c8cb8 0x6f58a
0x6fdc9 0x594e1 0x6d847 0x615d9 0x6d7de 0x66471
0x76187 0xd648 0x12c40 0x129f3 0xd18a 0x90107f73
0x95e295c5 0x95e4d941 0x95e4dd38 0x913f88a4
0x913f86bd 0x913f8531 0x93ee8d5b 0x93ee86a0
0x93ee16d1 0x10fc7 0x202a 0x1
May 20 00:31:42 driver207s-imac SecurityAgent[95]:
MechanismDestroy 0x103c70 retainCount 1
May 20 00:31:42 driver207s-imac loginwindow[43]: Login
Window - Returned from Security Agent
May 20 00:31:42 driver207s-imac authorizationhost[94]:
MechanismDestroy 0x124550 retainCount 2
May 20 00:31:42 driver207s-imac loginwindow[43]:
USER_PROCESS: 43 console
May 20 00:31:42 driver207s-imac com.apple.launchd[1]
(com.apple.UserEventAgent-LoginWindow[89]): Exited:
Terminated
May 20 00:31:45 driver207s-imac Dock[108]:
_DESCRegisterDockExtraClient failed 268435459
May 20 00:31:47 driver207s-imac /System/Library/
CoreServices/coreservicesd[64]:
SFLSharePointsEntry::CreateDSRecord:
dsCreateRecordAndOpen(Driver207's Public Folder) returned
-14135
May 20 00:41:03 driver207s-imac System Preferences[181]:
LSOpenFromURLSpec() returned -43 for application (null) path /
var/log/appfirewall.log.
May 20 00:41:33: --- last message repeated 1 time ---
May 20 00:48:23 driver207s-imac SCHelper[212]: no command
May 20 00:48:23 driver207s-imac SCHelper[198]: no command
May 20 00:48:23 driver207s-imac SCHelper[190]: no command
May 20 00:48:23 driver207s-imac SCHelper[204]: no command
May 20 00:48:23 driver207s-imac SCHelper[186]: no command
May 20 00:48:23 driver207s-imac com.apple.launchd[99]
([0x0-0xe00e].com.apple.systempreferences[181]): Stray
process with PGID equal to this dead job: PID 212 PPID 1
SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99]
([0x0-0xe00e].com.apple.systempreferences[181]): Stray
process with PGID equal to this dead job: PID 204 PPID 1
SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99]
([0x0-0xe00e].com.apple.systempreferences[181]): Stray
process with PGID equal to this dead job: PID 198 PPID 1
SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99]
([0x0-0xe00e].com.apple.systempreferences[181]): Stray
process with PGID equal to this dead job: PID 190 PPID 1
SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99]
([0x0-0xe00e].com.apple.systempreferences[181]): Stray
process with PGID equal to this dead job: PID 186 PPID 1
SCHelper
May 20 01:01:43 driver207s-imac PubSubAgent[294]: SQL
Error: SQLITE_CANTOPEN[14.0]: Database file not found
May 20 01:09:36 driver207s-imac Automator[308]: The action
“Add Movie to iDVD Menu” could not be loaded because the
application “iDVD” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action
“Add Photos to Album” could not be loaded because the
application “iPhoto” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action
“Apply SQL” could not be loaded because the application
“Xcode” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action
“Ask for Photos” could not be loaded because the application
“iPhoto” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action
“Build Xcode Project” could not be loaded because the
application “Xcode” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action
“CVS Add” could not be loaded because the file “/usr/bin/cvs”
was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action
“CVS Checkout” could not be loaded because the file “/usr/bin/
cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action
“CVS Commit” could not be loaded because the file “/usr/bin/
cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action
“CVS Update” could not be loaded because the file “/usr/bin/
cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action
“Convert CSV to SQL” could not be loaded because the
application “Xcode” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action
“Create Package” could not be loaded because the application
“PackageMaker” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Enable or Disable Tracks” could not be loaded because
QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Execute SQL” could not be loaded because the application
“Xcode” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Export Movies” could not be loaded because QuickTime Pro is
required.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Get Specified iPhoto Items” could not be loaded because the
application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Get iDVD Slideshow Images” could not be loaded because the
application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Hint Movies” could not be loaded because QuickTime Pro is
required.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Import Files into iPhoto” could not be loaded because the
application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Initiate Remote Broadcast” could not be loaded because the
application “QuickTime Broadcaster” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“New Audio Capture” could not be loaded because QuickTime
Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“New Video Capture” could not be loaded because QuickTime
Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“New iDVD Menu” could not be loaded because the application
“iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“New iDVD Movie Sequence” could not be loaded because the
application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“New iDVD Slideshow” could not be loaded because the
application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“New iPhoto Album” could not be loaded because the
application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Open Keynote Presentations” could not be loaded because the
application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Pause Capture” could not be loaded because QuickTime Pro is
required.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Play Movies” could not be loaded because QuickTime Pro is
required.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Play iPhoto Slideshow” could not be loaded because the
application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Print Keynote Presentation” could not be loaded because the
application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Review Photos” could not be loaded because the application
“iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Set iDVD Background Image” could not be loaded because the
application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Set iDVD Button Face” could not be loaded because the
application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Show Main iDVD Menu” could not be loaded because the
application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Show Next Keynote Slide” could not be loaded because the
application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Show Previous Keynote Slide” could not be loaded because the
application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Show Specified Keynote Slide” could not be loaded because the
application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Start Capture” could not be loaded because QuickTime Pro is
required.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Start Keynote Slideshow” could not be loaded because the
application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Stop Capture” could not be loaded because QuickTime Pro is
required.
May 20 01:09:37 driver207s-imac Automator[308]: The action
“Stop Keynote Slideshow” could not be loaded because the
application “Keynote” was not found.
May 20 01:14:30 driver207s-imac com.apple.launchd[99]
(0x109e00.Locum[320]): Exited: Terminated
May 20 01:16:26 driver207s-imac Script Editor[282]: -
[SEResultController loadWindow]: failed to load window nib file
'/Applications/AppleScript/Script Editor.app/Contents/
Resources/English.lproj/SEResultWindow.nib'.
May 20 01:16:26: --- last message repeated 5 times ---
May 20 01:16:26 driver207s-imac Script Editor[282]: -
[SEEventLogController loadWindow]: failed to load window nib
file '/Applications/AppleScript/Script Editor.app/Contents/
Resources/English.lproj/SEEventLogWindow.nib'.
May 20 01:16:26: --- last message repeated 5 times ---
May 20 01:16:26 driver207s-imac Script Editor[282]: -
[SEPLibraryController loadWindow]: failed to load window nib
file 'SEPLibraryWindow'.
May 20 01:16:56: --- last message repeated 5 times ---
May 20 01:20:59 driver207s-imac com.apple.launchd[99]
(0x109bc0.Locum[329]): Exited: Terminated
May 20 01:31:07 driver207s-imac com.apple.launchd[99]
([0x0-0x15015].com.apple.speech.synthesis.SpeechSynthesisSe
rver[252]): Exited: Killed
May 20 01:35:31 driver207s-imac loginwindow[43]:
DEAD_PROCESS: 0 console
May 20 01:35:31 driver207s-imac shutdown[358]: halt by
Driver207:
May 20 01:35:31 driver207s-imac shutdown[358]:
SHUTDOWN_TIME: 1211261731 87145
May 20 18:48:05 localhost kernel[0]: npvhash=4095
May 20 18:48:05 localhost com.apple.launchctl.System[2]:
launchctl: Please convert the following to launchd: /etc/
mach_init.d/dashboardadvisoryd.plist
May 20 18:48:05 localhost com.apple.launchd[1]
(org.cups.cupsd): Unknown key: SHAuthorizationRight
May 20 18:48:05 localhost com.apple.launchd[1] (org.ntp.ntpd):
Unknown key: SHAuthorizationRight
May 20 18:48:05 localhost kextd[10]: 395 cached, 0 uncached
personalities to catalog
May 20 18:48:05 localhost kernel[0]: hi mem tramps at
0xffe00000
May 20 18:48:05 localhost kernel[0]: PAE enabled
May 20 18:48:05 localhost kernel[0]: 64 bit mode enabled
May 20 18:48:05 localhost kernel[0]: Darwin Kernel Version
9.1.0: Wed Oct 31 17:46:22 PDT 2007; root:xnu-1228.0.2~1/
RELEASE_I386
May 20 18:48:05 localhost kernel[0]: standard timeslicing
quantum is 10000 us
May 20 18:48:05 localhost kernel[0]: vm_page_bootstrap:
253720 free pages and 8424 wired pages
May 20 18:48:05 localhost kernel[0]: mig_table_max_displ = 79
May 20 18:48:05 localhost kernel[0]: 89 prelinked modules
May 20 18:48:05 localhost kernel[0]: AppleACPICPU:
ProcessorApicId=0 LocalApicId=0 Enabled
May 20 18:48:05 localhost kernel[0]: AppleACPICPU:
ProcessorApicId=1 LocalApicId=1 Enabled
May 20 18:48:05 localhost kernel[0]: Loading security extension
com.apple.security.TMSafetyNet
May 20 18:48:05 localhost kernel[0]: calling mpo_policy_init for
TMSafetyNet
May 20 18:48:05 localhost kernel[0]: Security policy loaded:
Safety net for Time Machine (TMSafetyNet)
May 20 18:48:05 localhost kernel[0]: Loading security extension
com.apple.nke.applicationfirewall
May 20 18:48:05 localhost kernel[0]: Loading security extension
com.apple.security.seatbelt
May 20 18:48:05 localhost kernel[0]: calling mpo_policy_init for
mb
May 20 18:48:05 localhost kernel[0]: Seatbelt MACF policy
initialized
May 20 18:48:05 localhost kernel[0]: Security policy loaded:
Seatbelt Policy (mb)
May 20 18:48:05 localhost kernel[0]: Copyright (c) 1982, 1986,
1989, 1991, 1993
May 20 18:48:05 localhost kernel[0]: The Regents of the
University of California. All rights reserved.
May 20 18:48:05 localhost kernel[0]: MAC Framework
successfully initialized
May 20 18:48:05 localhost kernel[0]: using 5242 buffer headers
and 4096 cluster IO buffer headers
May 20 18:48:05 localhost kernel[0]: devfs_make_node: not
ready for devices!
May 20 18:48:05 localhost kernel[0]: IOAPIC: Version 0x20
Vectors 64:87
May 20 18:48:05 localhost kernel[0]: ACPI: System State [S0 S3
S4 S5] (S3)
May 20 18:48:05 localhost kernel[0]: mbinit: done
May 20 18:48:05 localhost kernel[0]: Security auditing service
present
May 20 18:48:05 localhost kernel[0]: BSM auditing present
May 20 18:48:05 localhost kernel[0]: rooting via boot-uuid
from /chosen: 659F2845-E9B9-3621-A7AE-B4755A01705C
May 20 18:48:05 localhost kernel[0]: Waiting on <dict
ID="0"><key>IOProviderClass</key><string
ID="1">IOResources</string><key>IOResourceMatch</
key><string ID="2">boot-uuid-media</string></dict>
May 20 18:48:05 localhost kernel[0]: FireWire (OHCI) Lucent ID
5901 built-in now active, GUID 001e52fffe63958a; max speed
s800.
May 20 18:48:05 localhost kernel[0]: Got boot device =
IOService:/AppleACPIPlatformExpert/PCI0/AppleACPIPCI/
SATA@1F,2/AppleAHCI/PRT0@0/IOAHCIDevice@0/
AppleAHCIDiskDriver/IOAHCIBlockStorageDevice/
IOBlockStorageDriver/Hitachi HDT725025VLA380 Media/
IOGUIDPartitionScheme/Untitled@2
May 20 18:48:05 localhost kernel[0]: BSD root: disk0s2, major
14, minor 2
May 20 18:48:05 localhost kernel[0]:
CSRHIDTransitionDriver::start []
May 20 18:48:05 localhost kernel[0]:
CSRHIDTransitionDriver::switchToHCIMode legacy
Ma

HelloMac · #7 May 22nd, 2008, 10:53 AM

Quick Look and Command Line?

May 21 13:20:33 driver207s-imac Safari[169]: WARNING: PubSub SCGIProtocol got NetError CFURL error -1009; reporting NSError Error Domain=NSURLErrorDomain Code=-1009 UserInfo=0xd1cd9b0 "no Internet connection"
May 21 13:21:31 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:22:34 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:23:37 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:24:41 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:25:47 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:26:42 driver207s-imac SCHelper[147]: no command
May 21 13:26:42 driver207s-imac SCHelper[127]: no command
May 21 13:26:42 driver207s-imac SCHelper[110]: no command
May 21 13:26:42 driver207s-imac [0x0-0x10010].com.apple.systempreferences[105]: QTAudioDeviceContextCreate: AudioContextInitialize failed
May 21 13:26:43: --- last message repeated 2 times ---
May 21 13:26:42 driver207s-imac com.apple.launchd[81] ([0x0-0x10010].com.apple.systempreferences[105]): Stray process with PGID equal to this dead job: PID 147 PPID 1 SCHelper
May 21 13:26:42 driver207s-imac com.apple.launchd[81] ([0x0-0x10010].com.apple.systempreferences[105]): Stray process with PGID equal to this dead job: PID 127 PPID 1 SCHelper
May 21 13:26:42 driver207s-imac com.apple.launchd[81] ([0x0-0x10010].com.apple.systempreferences[105]): Stray process with PGID equal to this dead job: PID 110 PPID 1 SCHelper
May 21 13:26:52 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:27:57 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:30:06 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:30:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: Failed AUGraph:
May 21 13:30:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: CoreAudio failure!
May 21 13:34:24 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:38:42 driver207s-imac com.apple.quicklook[199]: failed to find start of cross-reference table.
May 21 13:38:42 driver207s-imac com.apple.quicklook[199]: missing or invalid cross-reference trailer.
May 21 13:42:55 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: failed to find start of cross-reference table.
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: missing or invalid cross-reference trailer.
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: failed to find start of cross-reference table.
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: missing or invalid cross-reference trailer.
May 21 13:51:27 driver207s-imac TextEdit[185]: Printing failed because PMSessionBeginCGDocumentNoDialog() returned -30872.
May 21 13:59:58 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 14:00:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: Failed AUGraph:
May 21 14:00:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: CoreAudio failure!
May 21 14:00:14 driver207s-imac SyncServer[267]: SyncServer: Reaping records for inactive clients. Next reap on 2008-07-05 14:00:14 -0400
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: failed to find start of cross-reference table.
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: missing or invalid cross-reference trailer.
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: failed to find start of cross-reference table.
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: missing or invalid cross-reference trailer.
May 21 14:02:36 driver207s-imac PubSubAgent[274]: SQL Error: SQLITE_CANTOPEN[14.0]: Database file not found
May 21 14:04:42 driver207s-imac com.apple.launchd[81] (0x1099b0.Locum[278]): Exited: Terminated
May 21 14:04:47 driver207s-imac login[280]: USER_PROCESS: 280 ttys000
May 21 14:08:38 driver207s-imac login[280]: DEAD_PROCESS: 280 ttys000May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: AudioUnitGraph 0x81CE1C:
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: Member Nodes:
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: node 1: desc uoua fed lppa, instance 0x0
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: node 2: desc ngua

HelloMac · #8 May 22nd, 2008, 10:58 AM

Display issues? Power controls? X-Grid Agent?

May 21 21:16:27 driver207s-imac com.apple.launchd[116] (0x1082a0.Locum[231]): Exited: Terminated
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/
Contents/Resources/Contrast.monitorPanel/Contents/MacOS/Contrast and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Geometry.monitorPanel/Contents/MacOS/Geometry. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Geometry.monitorPanel/Contents/MacOS/Geometry.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/
Contents/Resources/Geometry.monitorPanel/Contents/MacOS/Geometry and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/VPT.monitorPanel/Contents/MacOS/VPT.
Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/VPT.monitorPanel/Contents/MacOS/VPT.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/
Contents/Resources/VPT.monitorPanel/Contents/MacOS/VPT and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Bezel.monitorPanel/Contents/MacOS/Bezel. Using
implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Bezel.monitorPanel/Contents/MacOS/Bezel.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/
Contents/Resources/Bezel.monitorPanel/Contents/MacOS/Bezel and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/ExtendedTouchSwitch.monitorPanel/Contents/
MacOS/ExtendedTouchSwitch. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/ExtendedTouchSwitch.monitorPanel/Contents/MacOS/
ExtendedTouchSwitch.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/
Contents/Resources/ExtendedTouchSwitch.monitorPanel/Contents/MacOS/ExtendedTouchSwitch and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/
PowerMode.monitorPanel/Contents/MacOS/PowerMode. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/PowerMode.monitorPanel/
Contents/MacOS/PowerMode.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/
Contents/Resources/PowerMode.monitorPanel/Contents/MacOS/PowerMode and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Authorization.monitorPanel/
Contents/MacOS/Authorization. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Authorization.monitorPanel/Contents/MacOS/Authorization.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/
Contents/Resources/Authorization.monitorPanel/Contents/MacOS/Authorization and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/TVOptions.monitorPanel/Contents/
MacOS/TVOptions. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/TVOptions.monitorPanel/Contents/MacOS/TVOptions.
May 21 21:20:15 driver207s-imac System Preferences[236]: Admin.xgridAgentControllerPassword: called without first being authenticated.
May 21 21:25:36 driver207s-imac System Preferences[236]: unable to find type: GIF image
May 21 21:25:36 driver207s-imac System Preferences[236]: unable to find type: Flash media
May 21 21:27:25 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236