# Munix hacked? Valid files for install of Leopard?



## HelloMac (May 20, 2008)

First recognized a problem in late February.

The environment:
10.5.2 iMac, new in Feb 08. 1 GB RAM.
Airport Extreme. 
Epson PS820 printer.
Cabled mouse and keyboard. 
DSL Action Tec 701C modem. 
No exotic software installed, just the Apple standards. iLife, iWork.

I've set the following upon initial account setup for the most recent re-do:
No internet connection.
Disable Firewire, Airport, Ethernet and Bluetooth.
Disable IPv6 for all devices.
NO sharing of any sort, file or internet wise.
NO permission for "everybody" or "users" groups to Terminal.
Software firewall - no incoming (essential only).
DSL Modem firewall - port 80 and imap only. Everything else no in or out.
Complex password on DSL modem.
Complex password on admin account on mac.
Complex password on root account on mac.


The problem:
Over time the Mac allows unknown user(s) to log into the computer, change permissions and eventually obtain root authority. Data is sent from the machine to the internet. Using a combination of ssh or telnet logins with AppleScript automation my machine is consistently compromised. Mouse movements are tracked, passwords are detected by a script that dupes me into thinking the system needs my password (though I recognize that one now). To what end I have no idea. 

From the logs:
Anonymous logins, "race conditions" errors, random .plist files that seem to belong but upon inspection are made up of Chinese or Russian language, cups entries that my printer can accept up to one hundred hosts and all sorts of stuff probably unrelated. The machine's time changes randomly by a few seconds. The system performs a "window replay" every now and again. That's all taken from the Console ALL MESSAGES logs. .plist files in config that reference WoW and other online games.

Action taken:
Several fresh installs of Leopard at the direction of Apple Care and local Apple Genius. From different install discs. It doesn't matter what customize option or exclusion I instruct the installer to make, the actual install is always ALL language options and X11.

Complete head to toe hardware checkout by my local Apple certified geeks. No problems with RAM or other hardware.

My theory:
Initial infection writes itself to discs that are inserted into the optical drive, including installation discs. Three files survive hard drive erasure and update the infection all over again upon a fresh install of Leopard.

The evidence:
Reset PRAM and NVRAM.
From install DVD, a new one I purchased at retail 2 days ago in shrinkwrap -
1. Disc utility, repartition HD to a new single partition. 
2. Erase, Security option Zero out.
Disc utility reports the drive has been erased. 3 folders and 3 files remain on the new \volume\HD using 107mg of space.
Apple tells me I can't see the EFI partition, so these folders can't be part of the EFI, right?

Install runs and reports errors that include not accepting custom options for the installation. Several folders and files related to iLife Media Browser are not overwritten by the install disc because a "newer version exists on the disc". That's from the install log. But we just wiped the drive clean.

How do I defeat this self repeating loop?!

How do I know if my install disc is compromised? Can you compare the following listing to yours?

This is the list of files on a DVD I purchased new at retail two days ago.
Displayed as a result of Terminal, BASH ls -a -l /.

```
1 root admin (time) ._DS_store
1 root wheel  2007 ._instructions
1 root wheel 2007 ._optional installs
12 _unknown _unknown (time) .fseventsd
2 root wheel 2007 .vol
3 root admin 2007 applications
3 root wheel 2007 install mac OSX.app
10 root wheel (time) Instructions
11 admin admin (time) Library
8 root wheel (time) optional installs
4 root wheel (time) System
40 root wheel (time) bin
2 root wheel (time) dev
1 root admin (time) etc -> private/etc
1 root wheel 2007 mach_kernel
5 root wheel (time) private
65 root wheel (time) sbin
1 root admin (time) tmp -> private/temp
8 root wheel (time) usr
1 root admin (time) var -> private/var
```

I'm exhausted chasing my tail on this. Any suggestions? My next plan is to say to hell with the hard drive and replace it but I don't know how I picked up the problem in the first place.

The local Apple Genius(es) have looked at my log files once I made them really focus. Even though there were exclamations that "some of that looks fishy", there was no resolution. Level 2 AppleCare techs have simply sent me install discs for a MacBook to reinstall.

Thanks for taking the time to take a look. I really want to love being a new Mac convert. Really I do.

Dave


----------



## Giaguara (May 20, 2008)

> Over time the Mac allows unknown user(s) to log into the computer, change permissions and eventually obtain root authority. Data is sent from the machine to the internet. Using a combination of ssh or telnet logins with AppleScript automation my machine is consistently compromised. Mouse movements are tracked, passwords are detected by a script that dupes me into thinking the system needs my password (though I recognize that one now). To what end I have no idea.

Could you post some system log / console log entries where you see this?

If you have ALL options for sharing disabled, NO remote login allowed, and have the firewall on (with only the services you use), and use Little Snitch, what you describe should not happen. In addition to those, keep passwords secure, don't use Back to My Mac or screen sharing, disable ARD and VNC for ALL users on that Mac, physically lock down USB (from having any keyloggers, etc.). If there is ANY user that would have VNC/ARD enabled, any user could be seen... but, as said, I'd love to have a look at the logs.


----------



## ElDiabloConCaca (May 20, 2008)

Just to clear the decks of something:

It is _impossible_ for your system, compromised or not, to write additional data to CD or DVD installation media that you bought at the store -- those discs are not writable at all, and are even physically dissimilar from writable CD-R or DVD-R discs that you would normally purchase to burn stuff on.

Short answer: it's not your installation media that's being compromised.

Can you try installing all the good stuff WITHOUT being connected to the internet?  Physically pull the ethernet plug out while you're installing and setting passwords, and do not re-connect it until you're done with setting passwords and locking the system down.

It seems as though you're being quickly compromised... are you setting the same root password each time you reinstall?  If so, and you have a static IP address, then it's completely possible that the hacker that obtained your password the first time is simply using it over again to re-compromise your system.

Could there be a machine on your network that is doing this?  The speed at which you say you're being compromised leads me to think that perhaps another machine has been compromised on your network, allowing faster "cracks" since there's less delay than going over the internet.


----------



## Amavida (May 20, 2008)

I can't believe that someone demonstrating this level of detailed knowledge would think that his/her DVD is being written to.. That sounds suspicious to me. Hmmm.  However assuming you have some new amazing new super hacker infection of your HDD partition that no one has ever heard of..   1) Try booting off your MacOS Install disk & use the partitioning tools on it to nuke the partitions OR.. 2) try booting off a Knoppix or other Linux 'Live CD' & use the partitioning tools on it to nuke the partitions..  then reboot off your MacOS Install DVD & reinstall WITH THE ETHERNET CABLE UNPLUGGED.  Leave the cable out until you have safely configured your Mac - Firewall on/Sharing Off etc.


----------



## HelloMac (May 21, 2008)

First, thanks to all for taking the time to consider this issue.

Good to know that my optical drive can't write to the install discs. I've stopped assuming anything at this point. As far as knowledge about the other stuff - I've just been doing a ton of reading about mac specific and unix in general. Lots to learn. 

I've used different passwords and user names each time through. No repeats. When I run the erase procedure and the install, the Ethernet cable is physically disconnected from the modem. I turn AirPort off as soon as the OS enables it. Bluetooth remains on during the install. I can't figure out how to disable it during the install and there's no physical switch on the iMac; it's software controlled. I disable it as soon as the initial user account is active. I know it's on because I tried to pair my phone during the later phase of one of the installs and was successful. I've disabled that connection.

VNC? There's something to investigate. I don't understand what that is, but by this time tomorrow I will know a lot about it.

I notice that during boot up from the hd a line consistently appears that IPv6 is enabled, default accept, no detail log. I go into the network settings and turn off all IPv6 options I can find. Does that instruction during boot survive setting changes I make later? Is there another place a connection through that ip could live?

I will post some of the interesting log files on Wed. 

Dave


----------



## HelloMac (May 22, 2008)

Some info from the system...

Description: System events log
Size: 148 KB
Last Modified: 5/21/08 9:51 PM
Location: /var/log/system.log
Recent Contents: ...
```
May 20 00:31:05 localhost kernel[0]: BSD root: disk0s2, major 14, minor 2
May 20 00:31:05 localhost kernel[0]: Extension "com.apple.driver.AppleHIDKeyboard" has no explicit kernel dependency; using version 6.0.
May 20 00:31:05 localhost kernel[0]: Jettisoning kernel linker.
May 20 00:31:05 localhost kernel[0]: Resetting IOCatalogue.
May 20 00:31:05 localhost kernel[0]: Matching service count = 0
May 20 00:31:06: --- last message repeated 5 times ---
May 20 00:31:06 localhost kernel[0]: wl0: Broadcom BCM4328 802.11 Wireless Controller
May 20 00:31:06 localhost kernel[0]: 4.170.25.8.2
May 20 00:31:07 localhost kernel[0]: CSRHIDTransitionDriver::start []
May 20 00:31:08 localhost kernel[0]: CSRHIDTransitionDriver::switchToHCIMode legacy
May 20 00:31:08 localhost kernel[0]: USBF: 7.222 CSRHIDTransitionDriver[0x30fa300](IOUSBCompositeDevice) GetFullConfigDescriptor(0) returned NULL
May 20 00:31:08 localhost kernel[0]: CSRHIDTransitionDriver... done
May 20 00:31:08 localhost kernel[0]: E: [AppleUSBBluetoothHCIController][FindInterfaces] mInt0InterruptMaxPacketSize = 16
May 20 00:31:08 localhost bootlog[50]: BOOT_TIME: 1211257861 0
May 20 00:31:10 localhost DirectoryService[56]: Launched version 5.0 (v514)
May 20 00:31:10 localhost rpc.statd[38]: statd.notify - no notifications needed
May 20 00:31:10 localhost /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[43]: Login Window Application Started
May 20 00:31:10 localhost kernel[0]: yukon: Ethernet address 00:1e:c2:0a:c7:72
May 20 00:31:10 localhost fseventsd[45]: bumping event counter to: 0x3f72 (current 0x0) from log file '0000000000003d09'
May 20 00:31:10 localhost kernel[0]: AirPort_Brcm43xx: Ethernet address 00:1e:52:86:be:17
May 20 00:31:10 localhost kernel[0]: IPv6 packet filtering initialized, default to accept, logging disabled
May 20 00:31:10 localhost blued[68]: Apple Bluetooth daemon started.
May 20 00:31:10 localhost /usr/sbin/ocspd[75]: starting
May 20 00:31:10 localhost mDNSResponder mDNSResponder-164 (Nov 4 2007 13:23:04)[42]: starting
May 20 00:31:11 localhost kernel[0]: E: [AppleUSBBluetoothHCIController][StartInterruptPipeRead] there is alredy a pending read, skipping.
May 20 00:31:11 driver207s-imac org.ntp.ntpd[34]: Error : nodename nor servname provided, or not known
May 20 00:31:11 driver207s-imac ntpdate[82]: can't find host time.apple.com
May 20 00:31:11 driver207s-imac kernel[0]: [InterruptReadHandler] Received kIODeviceNotResponding error - retrying: 1.
May 20 00:31:11 driver207s-imac mDNSResponder[42]: SetDomainSecrets: mDNSKeychainGetSecrets failed error 0 CFArrayRef 00000000
May 20 00:31:11 driver207s-imac configd[48]: setting hostname to "driver207s-imac.local"
May 20 00:31:11 driver207s-imac ntpdate[82]: no servers can be used, exiting
May 20 00:31:16 driver207s-imac loginwindow[43]: Login Window Started Security Agent
May 20 00:31:16 driver207s-imac SecurityAgent[95]: NSExceptionHandler has recorded the following exception: \nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)\nStack trace: 0x3719a 0x91a2e09b 0x95ec704b 0x95ec708a 0x9014addf 0x900c8cb8 0x6f58a 0x6fdc9 0x594e1 0x6d847 0x615d9 0x6290e 0x6430d 0x62160 0x60c8e 0x663f4 0x76187 0xd648 0x12c40 0x129f3 0xd18a 0x90107f73 0x95e295c5 0x95e4d941 0x95e4dd38 0x913f88a4 0x913f86bd 0x913f8531 0x93ee8d5b 0x93ee86a0 0x93ee16d1 0x10fc7 0x202a 0x1
May 20 00:31:17 driver207s-imac kextd[10]: writing kernel link data to /var/run/mach.sym
May 20 00:31:42 driver207s-imac authorizationhost[94]: MechanismInvoke 0x124550 retainCount 2
May 20 00:31:42 driver207s-imac SecurityAgent[95]: MechanismInvoke 0x103c70 retainCount 1
May 20 00:31:42 driver207s-imac SecurityAgent[95]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...
May 20 00:31:42 driver207s-imac SecurityAgent[95]: NSExceptionHandler has recorded the following exception: \nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)\nStack trace: 0x3719a 0x91a2e09b 0x95ec704b 0x95ec708a 0x9014addf 0x900c8cb8 0x6f58a 0x6fdc9 0x594e1 0x6d847 0x615d9 0x6d7de 0x66471 0x76187 0xd648 0x12c40 0x129f3 0xd18a 0x90107f73 0x95e295c5 0x95e4d941 0x95e4dd38 0x913f88a4 0x913f86bd 0x913f8531 0x93ee8d5b 0x93ee86a0 0x93ee16d1 0x10fc7 0x202a 0x1
May 20 00:31:42 driver207s-imac SecurityAgent[95]: MechanismDestroy 0x103c70 retainCount 1
May 20 00:31:42 driver207s-imac loginwindow[43]: Login Window - Returned from Security Agent
May 20 00:31:42 driver207s-imac authorizationhost[94]: MechanismDestroy 0x124550 retainCount 2
May 20 00:31:42 driver207s-imac loginwindow[43]: USER_PROCESS: 43 console
May 20 00:31:42 driver207s-imac com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[89]): Exited: Terminated
May 20 00:31:45 driver207s-imac Dock[108]: _DESCRegisterDockExtraClient failed 268435459
May 20 00:31:47 driver207s-imac /System/Library/CoreServices/coreservicesd[64]: SFLSharePointsEntry::CreateDSRecord: dsCreateRecordAndOpen(Driver207's Public Folder) returned -14135
May 20 00:41:03 driver207s-imac System Preferences[181]: LSOpenFromURLSpec() returned -43 for application (null) path /var/log/appfirewall.log.
May 20 00:41:33: --- last message repeated 1 time ---
May 20 00:48:23 driver207s-imac SCHelper[212]: no command
May 20 00:48:23 driver207s-imac SCHelper[198]: no command
May 20 00:48:23 driver207s-imac SCHelper[190]: no command
May 20 00:48:23 driver207s-imac SCHelper[204]: no command
May 20 00:48:23 driver207s-imac SCHelper[186]: no command
May 20 00:48:23 driver207s-imac com.apple.launchd[99] ([0x0-0xe00e].com.apple.systempreferences[181]): Stray process with PGID equal to this dead job: PID 212 PPID 1 SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99] ([0x0-0xe00e].com.apple.systempreferences[181]): Stray process with PGID equal to this dead job: PID 204 PPID 1 SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99] ([0x0-0xe00e].com.apple.systempreferences[181]): Stray process with PGID equal to this dead job: PID 198 PPID 1 SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99] ([0x0-0xe00e].com.apple.systempreferences[181]): Stray process with PGID equal to this dead job: PID 190 PPID 1 SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99] ([0x0-0xe00e].com.apple.systempreferences[181]): Stray process with PGID equal to this dead job: PID 186 PPID 1 SCHelper
May 20 01:01:43 driver207s-imac PubSubAgent[294]: SQL Error: SQLITE_CANTOPEN[14.0]: Database file not found
May 20 01:09:36 driver207s-imac Automator[308]: The action “Add Movie to iDVD Menu” could not be loaded because the application “iDVD” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Add Photos to Album” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Apply SQL” could not be loaded because the application “Xcode” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Ask for Photos” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Build Xcode Project” could not be loaded because the application “Xcode” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “CVS Add” could not be loaded because the file “/usr/bin/cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “CVS Checkout” could not be loaded because the file “/usr/bin/cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “CVS Commit” could not be loaded because the file “/usr/bin/cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “CVS Update” could not be loaded because the file “/usr/bin/cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Convert CSV to SQL” could not be loaded because the application “Xcode” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Create Package” could not be loaded because the application “PackageMaker” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Enable or Disable Tracks” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Execute SQL” could not be loaded because the application “Xcode” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Export Movies” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Get Specified iPhoto Items” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Get iDVD Slideshow Images” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Hint Movies” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Import Files into iPhoto” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Initiate Remote Broadcast” could not be loaded because the application “QuickTime Broadcaster” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New Audio Capture” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New Video Capture” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New iDVD Menu” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New iDVD Movie Sequence” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New iDVD Slideshow” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New iPhoto Album” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Open Keynote Presentations” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Pause Capture” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Play Movies” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Play iPhoto Slideshow” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Print Keynote Presentation” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Review Photos” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Set iDVD Background Image” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Set iDVD Button Face” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Show Main iDVD Menu” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Show Next Keynote Slide” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Show Previous Keynote Slide” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Show Specified Keynote Slide” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Start Capture” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Start Keynote Slideshow” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Stop Capture” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Stop Keynote Slideshow” could not be loaded because the application “Keynote” was not found.
May 20 01:14:30 driver207s-imac com.apple.launchd[99] (0x109e00.Locum[320]): Exited: Terminated
May 20 01:16:26 driver207s-imac Script Editor[282]: -[SEResultController loadWindow]: failed to load window nib file '/Applications/AppleScript/Script Editor.app/Contents/Resources/English.lproj/SEResultWindow.nib'.
May 20 01:16:26: --- last message repeated 5 times ---
May 20 01:16:26 driver207s-imac Script Editor[282]: -[SEEventLogController loadWindow]: failed to load window nib file '/Applications/AppleScript/Script Editor.app/Contents/Resources/English.lproj/SEEventLogWindow.nib'.
May 20 01:16:26: --- last message repeated 5 times ---
May 20 01:16:26 driver207s-imac Script Editor[282]: -[SEPLibraryController loadWindow]: failed to load window nib file 'SEPLibraryWindow'.
May 20 01:16:56: --- last message repeated 5 times ---
May 20 01:20:59 driver207s-imac com.apple.launchd[99] (0x109bc0.Locum[329]): Exited: Terminated
May 20 01:31:07 driver207s-imac com.apple.launchd[99] ([0x0-0x15015].com.apple.speech.synthesis.SpeechSynthesisServer[252]): Exited: Killed
May 20 01:35:31 driver207s-imac loginwindow[43]: DEAD_PROCESS: 0 console
May 20 01:35:31 driver207s-imac shutdown[358]: halt by Driver207:
May 20 01:35:31 driver207s-imac shutdown[358]: SHUTDOWN_TIME: 1211261731 87145
May 20 18:48:05 localhost kernel[0]: npvhash=4095
May 20 18:48:05 localhost com.apple.launchctl.System[2]: launchctl: Please convert the following to launchd: /etc/mach_init.d/dashboardadvisoryd.plist
May 20 18:48:05 localhost com.apple.launchd[1] (org.cups.cupsd): Unknown key: SHAuthorizationRight
May 20 18:48:05 localhost com.apple.launchd[1] (org.ntp.ntpd): Unknown key: SHAuthorizationRight
May 20 18:48:05 localhost kextd[10]: 395 cached, 0 uncached personalities to catalog
May 20 18:48:05 localhost kernel[0]: hi mem tramps at 0xffe00000
May 20 18:48:05 localhost kernel[0]: PAE enabled
May 20 18:48:05 localhost kernel[0]: 64 bit mode enabled
May 20 18:48:05 localhost kernel[0]: Darwin Kernel Version 9.1.0: Wed Oct 31 17:46:22 PDT 2007; root:xnu-1228.0.2~1/RELEASE_I386
May 20 18:48:05 localhost kernel[0]: standard timeslicing quantum is 10000 us
May 20 18:48:05 localhost kernel[0]: vm_page_bootstrap: 253720 free pages and 8424 wired pages
May 20 18:48:05 localhost kernel[0]: mig_table_max_displ = 79
May 20 18:48:05 localhost kernel[0]: 89 prelinked modules
May 20 18:48:05 localhost kernel[0]: AppleACPICPU: ProcessorApicId=0 LocalApicId=0 Enabled
May 20 18:48:05 localhost kernel[0]: AppleACPICPU: ProcessorApicId=1 LocalApicId=1 Enabled
May 20 18:48:05 localhost kernel[0]: Loading security extension com.apple.security.TMSafetyNet
May 20 18:48:05 localhost kernel[0]: calling mpo_policy_init for TMSafetyNet
May 20 18:48:05 localhost kernel[0]: Security policy loaded: Safety net for Time Machine (TMSafetyNet)
May 20 18:48:05 localhost kernel[0]: Loading security extension com.apple.nke.applicationfirewall
May 20 18:48:05 localhost kernel[0]: Loading security extension com.apple.security.seatbelt
May 20 18:48:05 localhost kernel[0]: calling mpo_policy_init for mb
May 20 18:48:05 localhost kernel[0]: Seatbelt MACF policy initialized
May 20 18:48:05 localhost kernel[0]: Security policy loaded: Seatbelt Policy (mb)
May 20 18:48:05 localhost kernel[0]: Copyright (c) 1982, 1986, 1989, 1991, 1993
May 20 18:48:05 localhost kernel[0]: The Regents of the University of California. All rights reserved.
May 20 18:48:05 localhost kernel[0]: MAC Framework successfully initialized
May 20 18:48:05 localhost kernel[0]: using 5242 buffer headers and 4096 cluster IO buffer headers
May 20 18:48:05 localhost kernel[0]: devfs_make_node: not ready for devices!
May 20 18:48:05 localhost kernel[0]: IOAPIC: Version 0x20 Vectors 64:87
May 20 18:48:05 localhost kernel[0]: ACPI: System State [S0 S3 S4 S5] (S3)
May 20 18:48:05 localhost kernel[0]: mbinit: done
May 20 18:48:05 localhost kernel[0]: Security auditing service present
May 20 18:48:05 localhost kernel[0]: BSM auditing present
May 20 18:48:05 localhost kernel[0]: rooting via boot-uuid from /chosen: 659F2845-E9B9-3621-A7AE-B4755A01705C
May 20 18:48:05 localhost kernel[0]: Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOResources</string><key>IOResourceMatch</key><string ID="2">boot-uuid-media</string></dict>
May 20 18:48:05 localhost kernel[0]: FireWire (OHCI) Lucent ID 5901 built-in now active, GUID 001e52fffe63958a; max speed s800.
May 20 18:48:05 localhost kernel[0]: Got boot device = IOService:/AppleACPIPlatformExpert/PCI0/AppleACPIPCI/SATA@1F,2/AppleAHCI/PRT0@0/IOAHCIDevice@0/AppleAHCIDiskDriver/IOAHCIBlockStorageDevice/IOBlockStorageDriver/Hitachi HDT725025VLA380 Media/IOGUIDPartitionScheme/Untitled@2
May 20 18:48:05 localhost kernel[0]: BSD root: disk0s2, major 14, minor 2
May 20 18:48:05 localhost kernel[0]: CSRHIDTransitionDriver::start []
May 20 18:48:05 localhost kernel[0]: CSRHIDTransitionDriver::switchToHCIMode legacy
Ma
```


----------



## HelloMac (May 22, 2008)

Quick Look and Command Line?

May 21 13:20:33 driver207s-imac Safari[169]: WARNING: PubSub SCGIProtocol got NetError CFURL error -1009; reporting NSError Error Domain=NSURLErrorDomain Code=-1009 UserInfo=0xd1cd9b0 "no Internet connection"
May 21 13:21:31 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:22:34 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:23:37 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:24:41 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:25:47 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:26:42 driver207s-imac SCHelper[147]: no command
May 21 13:26:42 driver207s-imac SCHelper[127]: no command
May 21 13:26:42 driver207s-imac SCHelper[110]: no command
May 21 13:26:42 driver207s-imac [0x0-0x10010].com.apple.systempreferences[105]: QTAudioDeviceContextCreate: AudioContextInitialize failed
May 21 13:26:43: --- last message repeated 2 times ---
May 21 13:26:42 driver207s-imac com.apple.launchd[81] ([0x0-0x10010].com.apple.systempreferences[105]): Stray process with PGID equal to this dead job: PID 147 PPID 1 SCHelper
May 21 13:26:42 driver207s-imac com.apple.launchd[81] ([0x0-0x10010].com.apple.systempreferences[105]): Stray process with PGID equal to this dead job: PID 127 PPID 1 SCHelper
May 21 13:26:42 driver207s-imac com.apple.launchd[81] ([0x0-0x10010].com.apple.systempreferences[105]): Stray process with PGID equal to this dead job: PID 110 PPID 1 SCHelper
May 21 13:26:52 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:27:57 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:30:06 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:30:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: Failed AUGraph:
May 21 13:30:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: CoreAudio failure!
May 21 13:34:24 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:38:42 driver207s-imac com.apple.quicklook[199]: failed to find start of cross-reference table.
May 21 13:38:42 driver207s-imac com.apple.quicklook[199]: missing or invalid cross-reference trailer.
May 21 13:42:55 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: failed to find start of cross-reference table.
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: missing or invalid cross-reference trailer.
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: failed to find start of cross-reference table.
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: missing or invalid cross-reference trailer.
May 21 13:51:27 driver207s-imac TextEdit[185]: Printing failed because PMSessionBeginCGDocumentNoDialog() returned -30872.
May 21 13:59:58 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 14:00:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: Failed AUGraph:
May 21 14:00:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: CoreAudio failure!
May 21 14:00:14 driver207s-imac SyncServer[267]: SyncServer: Reaping records for inactive clients. Next reap on 2008-07-05 14:00:14 -0400
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: failed to find start of cross-reference table.
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: missing or invalid cross-reference trailer.
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: failed to find start of cross-reference table.
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: missing or invalid cross-reference trailer.
May 21 14:02:36 driver207s-imac PubSubAgent[274]: SQL Error: SQLITE_CANTOPEN[14.0]: Database file not found
May 21 14:04:42 driver207s-imac com.apple.launchd[81] (0x1099b0.Locum[278]): Exited: Terminated
*May 21 14:04:47 driver207s-imac login[280]: USER_PROCESS: 280 ttys000
May 21 14:08:38 driver207s-imac login[280]: DEAD_PROCESS: 280 ttys000*
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: AudioUnitGraph 0x81CE1C:
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]:   Member Nodes:
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: 	node 1: desc uoua  fed lppa, instance 0x0    
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: 	node 2: desc ngua


----------



## HelloMac (May 22, 2008)

Display issues? Power controls? X-Grid Agent?



May 21 21:16:27 driver207s-imac com.apple.launchd[116] (0x1082a0.Locum[231]): Exited: Terminated
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: *objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Contrast.monitorPanel/Contents/MacOS/Contrast and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Geometry.monitorPanel/Contents/MacOS/*Geometry. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Geometry.monitorPanel/Contents/MacOS/Geometry.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Geometry.monitorPanel/Contents/MacOS/Geometry and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/VPT.monitorPanel/Contents/MacOS/VPT. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/VPT.monitorPanel/Contents/MacOS/VPT.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/VPT.monitorPanel/Contents/MacOS/VPT and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Bezel.monitorPanel/Contents/MacOS/Bezel. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Bezel.monitorPanel/Contents/MacOS/Bezel.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Bezel.monitorPanel/Contents/MacOS/Bezel and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/ExtendedTouchSwitch.monitorPanel/Contents/MacOS/ExtendedTouchSwitch. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/ExtendedTouchSwitch.monitorPanel/Contents/MacOS/ExtendedTouchSwitch.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/ExtendedTouchSwitch.monitorPanel/Contents/MacOS/ExtendedTouchSwitch and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/*PowerMode.monitorPanel/Contents/MacOS/PowerMode. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/PowerMode.monitorPanel/Contents/MacOS/PowerMode.*
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/PowerMode.monitorPanel/Contents/MacOS/PowerMode and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Authorization.monitorPanel/Contents/MacOS/Authorization. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Authorization.monitorPanel/Contents/MacOS/Authorization.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Authorization.monitorPanel/Contents/MacOS/Authorization and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/TVOptions.monitorPanel/Contents/MacOS/TVOptions. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/TVOptions.monitorPanel/Contents/MacOS/TVOptions.
May 21 21:20:15 driver207s-imac System Preferences[236]: *Admin.xgridAgentControllerPassword: called without first being authenticated.*
May 21 21:25:36 driver207s-imac System Preferences[236]: unable to find type: GIF image
May 21 21:25:36 driver207s-imac System Preferences[236]: unable to find type: Flash media
May 21 21:27:25 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236


----------



## HelloMac (May 22, 2008)

Printer errors?* No printer has been connected to the machine since the install of the OS.*

  Description:	Printer error log
  Size:	17 KB
  Last Modified:	5/21/08 9:51 PM
  Location:	/var/log/cups/error_log
  Recent Contents:	I [19/May/2008:21:22:57 -0700] Listening to ::1:631 (IPv6)
I [19/May/2008:21:22:57 -0700] Listening to ::1:631 (IPv6)
I [19/May/2008:21:22:57 -0700] Listening to 127.0.0.1:631 (IPv4)
I [19/May/2008:21:22:57 -0700] Listening to /private/var/run/cupsd (Domain)
I [19/May/2008:21:22:57 -0700] Loaded configuration file "/private/etc/cups/cupsd.conf"
I [19/May/2008:21:22:57 -0700] Using default TempDir of /private/var/spool/cups/tmp...
I [19/May/2008:21:22:57 -0700] *Configured for up to 100 clients.
I [19/May/2008:21:22:57 -0700] Allowing up to 100 client connections per host.
I [19/May/2008:21:22:57 -0700] Using policy "default" as the default!
I [19/May/2008:21:22:57 -0700] Full reload is required.
I [19/May/2008:21:22:57 -0700] Loaded MIME database from '/private/etc/cups': 52 types, 48 filters...
I [19/May/2008:21:22:58 -0700] Full reload complete.
I [19/May/2008:21:22:58 -0700] Cleaning out old temporary files in "/private/var/spool/cups/tmp"...*
I [19/May/2008:21:22:58 -0700] Listening to ::1:631 on fd 4...
E [19/May/2008:21:22:58 -0700] Unable to bind socket for address ::1:631 - Address already in use.
I [19/May/2008:21:22:58 -0700] Listening to 127.0.0.1:631 on fd 6...
I [19/May/2008:21:22:58 -0700] Listening to /private/var/run/cupsd on fd 7...
I [19/May/2008:21:22:58 -0700] Resuming new connection processing...
I [20/May/2008:00:27:29 -0400] Scheduler shutting down normally.
I [20/May/2008:00:27:29 -0400] Saving job cache file "/private/var/spool/cups/cache/job.cache"...
I [20/May/2008:00:40:58 -0400] Listening to ::1:631 (IPv6)
I [20/May/2008:00:40:58 -0400] Listening to ::1:631 (IPv6)
I [20/May/2008:00:40:58 -0400] Listening to 127.0.0.1:631 (IPv4)
I [20/May/2008:00:40:58 -0400] Listening to /private/var/run/cupsd (Domain)
I [20/May/2008:00:40:58 -0400] Loaded configuration file "/private/etc/cups/cupsd.conf"
I [20/May/2008:00:40:58 -0400] Using default TempDir of /private/var/spool/cups/tmp...
I [20/May/2008:00:40:58 -0400] Configured for up to 100 clients.
I [20/May/2008:00:40:58 -0400] Allowing up to 100 client connections per host.
I [20/May/2008:00:40:58 -0400] Using


----------



## HelloMac (May 22, 2008)

Log in sequence:



May 21 12:59:31 localhost kernel[0]: IPv6 packet filtering initialized, default to accept, logging disabled
*May 21 12:59:31 localhost blued[47]: Apple Bluetooth daemon started.
May 21 12:59:33 driver207s-imac org.ntp.ntpd[14]: Error : nodename nor servname provided, or not known
May 21 12:59:32 driver207s-imac /usr/sbin/ocspd[51]: starting
May 21 12:59:32 driver207s-imac mDNSResponder mDNSResponder-164 (Nov  4 2007 13:23:04)[22]: starting*
May 21 12:59:33 driver207s-imac ntpdate[58]: can't find host time.apple.com
May 21 12:59:33 driver207s-imac ntpdate[58]: no servers can be used, exiting
May 21 12:59:33 driver207s-imac mDNSResponder[22]: SetDomainSecrets: mDNSKeychainGetSecrets failed error 0 CFArrayRef 00000000
May 21 12:59:33 driver207s-imac configd[28]: setting hostname to "driver207s-imac.local"
May 21 12:59:36 driver207s-imac kernel[0]: AppleYukon2: 00000000,00000000 sk98osx_dnet - recovering from missed interrupt
May 21 12:59:36 driver207s-imac kextd[10]: writing kernel link data to /var/run/mach.sym
*May 21 12:59:37 driver207s-imac loginwindow[23]: Login Window Started Security Agent
May 21 13:00:08 driver207s-imac authorizationhost[76]: MechanismInvoke 0x12aa40 retainCount *2
May 21 13:00:08 driver207s-imac SecurityAgent[77]: MechanismInvoke 0x103cb0 retainCount 1
*May 21 13:00:08 driver207s-imac SecurityAgent[77]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...*
May 21 13:00:08 driver207s-imac SecurityAgent[77]: NSExceptionHandler has recorded the following exception:\nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index (0) *beyond bounds (0)\nStack trace:  0x3719a  0x91a2e09b  0x95ec704b  0x95ec708a  0x9014addf  0x900c8cb8  0x6f58a  0x6fdc9  0x594e1  0x6d847  0x615d9  0x5ca87  0x66471  0x76187  0xd648  0x12c40  0x129f3  0xd18a  0x90107f73  0x95e295c5  0x95e4d941  0x95e4dd38  0x913f88a4  0x913f86bd  0x913f8531  0x93ee8d5b  0x93ee86a0  0x93ee16d1  *0x10fc7  0x202a  0x1
*May 21 13:00:08 driver207s-imac SecurityAgent[77]: MechanismDestroy 0x103cb0 retainCount 1*
May 21 13:00:08 driver207s-imac loginwindow[23]: Login Window - Returned from Security Agent
May 21 13:00:08 driver207s-imac authorizationhost[76]: MechanismDestroy 0x12aa40 retainCount 2
May 21 13:00:08 driver207s-imac loginwindow[23]:* USER_PROCESS: 23 console*
May 21 13:00:09 driver207s-imac com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[72]): Exited: Terminated


----------



## ElDiabloConCaca (May 22, 2008)

I don't see anything out-of-the-ordinary with that log file.

Even the bold lines seem normal: ttys is the local terminal, as if someone was sitting at the keyboard, if I'm not mistaken.


----------



## ElDiabloConCaca (May 22, 2008)

CUPS will start whether you have printers set up or not.

It's perfectly normal to see "error" messages throughout your system log files -- more often than not, it's the system operating normally (normal systems have error conditions arise ALL the time -- and the system "handles" those errors in a graceful way).  Just because you see a message that looks like something "crashed" or has the words "error" or "cannot find" or any negative wording like that does NOT mean that anything out-of-the-ordinary is happening.


----------



## HelloMac (May 22, 2008)

What is happening here with accounts and Root?


5/20/08 12:22:46 AM kernel [InterruptReadHandler] Received kIODeviceNotResponding error - retrying: 1. 
5/20/08 12:22:47 AM kextd[10] writing kernel link data to /var/run/mach.sym 
5/20/08 12:22:47 *AM com.apple.configureLocalKDC[48] launchctl: Error unloading: com.apple.kdcmond *
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q *add_principal -randkey afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 *
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] WARNING: no policy specified for afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957; defaulting to no policy 
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] *Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password. *
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Principal "afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957" created.
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q ktadd afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 
*5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password. *
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Entry for principal afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Entry for principal afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. 
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Entry for principal afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. 
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q add_principal -randkey cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 
*5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] WARNING: no policy specified for cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957; defaulting to no policy *
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Principal "cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957" created. 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q ktadd cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password. 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server LocalKerberosRealm LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q add_principal -randkey vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] WARNING: no policy specified for vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957; defaulting to no policy 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password. 
*5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Principal "vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957" created.* 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q ktadd vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password. 
*5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. *
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. 
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 
*5/20/08 12:22:50 AM com.apple.ATSServer[113] FODBCheck: New annex file created
5/20/08 12:22:52 AM kernel AppleYukon2: 00000000,00000000 sk98osx_dnet - recovering from missed interrupt *
5/20/08 12:22:52 AM mDNSResponder[42] Couldn't read user-specified Computer Name; using default “Macintosh-001EC20AC772” instead
5/20/08 12:22:52 AM mDNSResponder[42] Couldn't read user-specified local hostname; using default “Macintosh-001EC20AC772.local” instead
5/20/08 12:22:53 AM mDNSResponder[42] SetDomainSecrets: mDNSKeychainGetSecrets failed error 0 CFArrayRef 00000000
5/20/08 12:22:53 AM loginwindow[43] USER_PROCESS: 43 console
*5/20/08 12:22:53 AM loginwindow[43] Folder Manager is being asked to create a folder (asav) while running as uid 0 *
5/20/08 12:22:54 AM mDNSResponder[42] Couldn't read user-specified Computer Name; using default “Macintosh-001EC20AC772” instead
5/20/08 12:22:54 AM mDNSResponder[42] Couldn't read user-specified local hostname; using default “Macintosh-001EC20AC772.local” instead
*5/20/08 12:22:55 AM [0x0-0x4004].com.apple.SetupAssistant[123] ...System identity already exists for domain com.apple.systemdefault. Done. *
*5/20/08 12:22:56 AM KernelEventAgent[56] tid 00000000 received unknown event (256) *
5/20/08 12:22:58 AM /System/Library/CoreServices/Setup Assistant.app/Contents/MacOS/Setup Assistant[123] _MDSuspendIndexing() 1 
5/20/08 12:22:59 AM kernel AppleYukon2: 00000000,00000000 sk98osx_dnet - recovering from missed interrupt 
5/20/08 12:23:00 AM /System/Library/CoreServices/Setup *Assistant.app/Contents/MacOS/Setup Assistant[123] will start movie*

5/20/08 12:25:13 AM mDNSResponder[42] Couldn't read user-specified local hostname; using default “Macintosh-001EC20AC772.local” instead
5/20/08 12:25:13 AM mDNSResponder[42] User updated Computer Name from Macintosh-001EC20AC772 to Driver207’s iMac
5/20/08 12:25:13 AM configd[49] setting hostname to "driver207s-imac.local" 
5/20/08 12:25:13 AM mDNSResponder[42] User updated Local Hostname from Macintosh-001EC20AC772 to driver207s-imac 
5/20/08 12:25:31 AM org.ntp.ntpd[212] Error : nodename nor servname provided, or not known 
5/20/08 12:25:31 AM ntpdate[214] can't find host time.apple.com

5/20/08 12:25:31 AM ntpdate[214] no servers can be used, exiting 
*5/20/08 12:25:38 AM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[118]) Exited: Terminated 
5/20/08 12:25:38 *AM /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[218] Login Window Application Started 
*5/20/08 12:25:39 AM loginwindow[218] Login Window Started Security Agent 
5/20/08 12:25:39 AM com.apple.KerberosAutoConfig[225] The machine is standalone 
5/20/08 12:25:39 AM com.apple.KerberosAutoConfig[225] Removing /Library/Preferences/edu.mit.Kerberos 
5/20/08 12:25:40 AM SecurityAgent[227] User info context values set 
5/20/08 12:25:40 AM SecurityAgent[227] Login Window done *
5/20/08 12:25:40 AM loginwindow[218] Login Window - Returned from Security Agent
5/20/08 12:25:40 AM loginwindow[218] USER_PROCESS: 218 console 
5/20/08 12:25:40 AM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[226]) Exited: Terminated 
*5/20/08 12:25:42 AM com.apple.ATSServer[241] FODBCheck: New annex file created *
5/20/08 12:25:42 AM /System/Library/CoreServices/coreservicesd[68] SFLSharePointsEntry::CreateDSRecord: dsCreateRecordAndOpen(Driver207's Public Folder) returned -14135 
5/20/08 12:25:47 AM Finder[240] [QL ERROR] Generator database update takes too long... we will use what we currently have 
5/20/08 12:25:47 AM [0x0-0xf00f].SoftwareUpdateCheck[246] SoftwareUpdateCheck: network unreachable 
5/20/08 12:25:47 AM com.apple.launchd[190] ([0x0-0xf00f].SoftwareUpdateCheck[246]) Exited with exit code: 3 
5/20/08 12:25:49 AM KernelEventAgent[56] tid 00000000 received unknown event (12) 
5/20/08 12:25:50 AM SyncServer[259] SyncServer: Reaping records for inactive clients. Next reap on 2008-07-04 00:25:50 -0400 
5/20/08 12:27:12 AM kernel IPv6 packet filtering initialized, default to accept, logging disabled 
5/20/08 12:27:28 AM SCHelper[283] no command 
5/20/08 12:27:28 AM com.apple.launchd[190] ([0x0-0x14014].com.apple.systempreferences[272]) Stray process with PGID equal to this dead job: PID 283 PPID 1 SCHelper 
5/20/08 12:27:29 AM loginwindow[218] DEAD_PROCESS: 0 console 
5/20/08 12:27:29 AM shutdown[294] reboot by Driver207:  
5/20/08 12:27:29 AM com.apple.loginwindow[218] Shutdown NOW! 
*5/20/08 12:27:29 AM SystemStarter[55] "/System/Library/StartupItems" failed sanity check: path was created after boot up *
5/20/08 12:27:29 AM shutdown[294] SHUTDOWN_TIME: 1211257649 287603 
5/20/08 12:28:21 AM com.apple.launchctl.System[2] launchctl: Please convert the following to launchd: /etc/mach_init.d/dashboardadvisoryd.plist 
5/20/08 12:28:21 AM com.apple.launchd[1] (org.cups.cupsd) Unknown key: SHAuthorizationRight 
5/20/08 12:28:21 AM com.apple.launchd[1] (org.ntp.ntpd) Unknown key: SHAuthorizationRight 
5/20/08 12:28:22 AM kernel npvhash=4095 
5/20/08 12:28:21 AM kextd[10] 395 cached, 0 uncached personalities to catalog 
5/20/08 12:28:22 AM kernel hi mem tramps at 0xffe00000 
5/20/08 12:28:22 AM kernel PAE enabled 
5/20/08 12:28:22 AM kernel 64 bit mode enabled 
5/20/08 12:28:22 AM kernel Darwin Kernel Version 9.1.0: Wed Oct 31 17:46:22 PDT 2007; root:xnu-1228.0.2~1/RELEASE_I386 
5/20/08 12:28:22 AM kernel standard timeslicing quantum is 10000 us 
5/20/08 12:28:22 AM kernel vm_page_bootstrap: 254508 free pages and 7636 wired pages 
5/20/08 12:28:22 AM kernel mig_table_max_displ = 79 
5/20/08 12:28:22 AM kernel Extension "com.apple.driver.AppleACPIPlatform" has immediate dependencies


----------



## HelloMac (May 22, 2008)

Re: Terminal - that's the point. NO ONE was supposed to be using terminal.


----------



## Viro (May 22, 2008)

Do you play World of Warcraft? And have you been duped into viewing some of those account trading/gold buying sites?


----------



## Viro (May 22, 2008)

Oh, and if you haven't already done it, download Little Snitch and have that running at all times. It helps you prevent unauthorized connections to the internet.


----------



## ElDiabloConCaca (May 22, 2008)

HelloMac said:


> Re: Terminal - that's the point. NO ONE was supposed to be using terminal.


If your system is booted and the Login window is being displayed, then yes, a "Terminal session" of sorts is running.

Here's some output from my system log, and my system has not ever been compromised:

```
exception:\nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)\nStack trace:  0x3719a  0x915f60fb  0x962e102b  0x962e106a  0x95e2d3df  0x95dab218  0x70568  0x70da7  0x5a451  0x6e825  0x62549  0x6e7bc  0x6744e  0x77165  0xd648  0x12c40  0x129f3  0xd18a  0x95dea4d3  0x96243555  0x96267921  0x96267d18  0x94ba56a0  0x94ba54b9  0x94ba532d  0x940c67d9  0x940c608e  0x940bf0c5  0x10fc7  0x202a  0x1

May 22 07:43:04 Pipsqueak com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[28920]): Exited: Terminated
May 22 08:54:59 Pipsqueak /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[29938]: Login Window Application Started
May 22 08:55:01 Pipsqueak loginwindow[29938]: Login Window Started Security Agent
May 22 10:14:01 Pipsqueak loginwindow[29938]: Login Window - Returned from Security Agent
May 22 10:14:01 Pipsqueak com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[29947]): Exited: Terminated
May 22 11:28:44 Pipsqueak loginwindow[28916]: DEAD_PROCESS: 0 console
May 22 11:28:44 Pipsqueak loginwindow[28916]: CGSShutdownServerConnections: Detaching application from window server
```

I think what you're seeing is perfectly normal, in my opinion.  Even though no one is physically logged in as "root," some processes will run as root, like fileservers and vnc servers and what-not.
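
To make the point in these two replies concrete (a `login[pid]` record on a `ttysNNN` device is what Terminal.app produces when it opens a window, because Terminal runs /usr/bin/login; a remote SSH session never goes through login and is recorded by sshd with its own `Accepted ... ssh2` message, which on Leopard lands in /var/log/secure.log rather than system.log), here is an added example that is not code from any poster. It is a small Python parser run over constructed system.log lines in the same format as the ones posted: it pairs `USER_PROCESS`/`DEAD_PROCESS` records by tty, computes how long each session lasted, classifies it, and separately picks out sshd's success line. The sshd line, the address 192.0.2.10 and the user name `admin` are made up for the example and do not appear anywhere in the thread.

```python
import re
from datetime import datetime

# Constructed sample in the format of the system.log lines posted in the
# thread. The sshd line is hypothetical: it is the message OpenSSH's sshd
# writes for a successful remote login, included for contrast; no such
# line appears in the original logs, and 192.0.2.10 / admin are made up.
SAMPLE_LOG = """\
May 21 13:00:08 driver207s-imac loginwindow[23]: USER_PROCESS: 23 console
May 21 14:04:47 driver207s-imac login[280]: USER_PROCESS: 280 ttys000
May 21 14:08:38 driver207s-imac login[280]: DEAD_PROCESS: 280 ttys000
May 21 14:08:55 driver207s-imac com.apple.launchd[81] (0x1099b0.Locum[278]): Exited: Terminated
May 21 20:15:02 driver207s-imac loginwindow[23]: DEAD_PROCESS: 0 console
May 21 20:16:40 driver207s-imac sshd[301]: Accepted password for admin from 192.0.2.10 port 51022 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# utmpx bookkeeping written by login(1) and loginwindow
UTMP_RE = re.compile(r"^(?P<kind>USER_PROCESS|DEAD_PROCESS): (?P<upid>\d+) (?P<tty>\S+)$")
# OpenSSH's success message for a remote session
SSHD_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)")


def parse_ts(stamp, year):
    """syslog stamps carry no year; supply the one the log was written in."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def sessions(log_text, year=2008):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty.

    Returns (sessions, remote_logins). A session whose 'end' is None was
    still open when the log ended. Pairing is by tty, not pid, because
    loginwindow logs its DEAD_PROCESS with pid 0.
    """
    open_by_tty, finished, remote = {}, [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # launchd's "(label[pid])" lines etc. are not session records
        when = parse_ts(m["ts"], year)
        u = UTMP_RE.match(m["msg"])
        if u:
            tty = u["tty"]
            if u["kind"] == "USER_PROCESS":
                open_by_tty[tty] = {"tty": tty, "logger": m["proc"], "start": when, "end": None}
            else:
                s = open_by_tty.pop(tty, {"tty": tty, "logger": m["proc"], "start": None, "end": None})
                s["end"] = when
                finished.append(s)
            continue
        if m["proc"] == "sshd":
            a = SSHD_RE.match(m["msg"])
            if a:
                remote.append({"when": when, "user": a["user"], "addr": a["addr"], "method": a["method"]})
    return finished + list(open_by_tty.values()), remote


def classify(session):
    """What kind of session a utmpx record pair represents."""
    if session["tty"] == "console" and session["logger"] == "loginwindow":
        return "gui-login"          # someone logged in at the login window
    if session["tty"].startswith("ttys") and session["logger"] == "login":
        return "local-terminal"     # Terminal.app window: it runs /usr/bin/login
    return "unexpected"             # anything else deserves a closer look


def duration_seconds(session):
    if session["start"] is None or session["end"] is None:
        return None
    return int((session["end"] - session["start"]).total_seconds())


if __name__ == "__main__":
    sess, remote = sessions(SAMPLE_LOG)
    for s in sess:
        print(f"{s['tty']:<8} {classify(s):<15} {duration_seconds(s)} s")
    for r in remote:
        print(f"remote ssh login: {r['user']} from {r['addr']} ({r['method']}) at {r['when']}")
```

Run it against a real system.log with `sessions(open('/var/log/system.log').read())`; a ttys session that is not paired with a `login` logger, or any `Accepted` line from sshd, is what would actually indicate someone other than the person at the keyboard.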


----------



## HelloMac (May 22, 2008)

Not a WoW player. Just aware that it's out there. And I do not trade gold online or off.


----------



## HelloMac (May 22, 2008)

Two additional issues that I noticed yesterday when on the machine.

On Tuesday night I stopped poking around on the machine at 10:30pm. Shut it down. Not sleep, but shut down. Prior to shut down I put Ethernet, Firewire, Bluetooth and Airport services in "Inactive". The ethernet cable continued to be disconnected from the machine. 

Upon turning the machine back on on Wednesday afternoon I noticed that my "Library" folder indicated several files had been modified at 12:25am that morning. The files are all related to user id information in the application support area. I had physical control of the machine at that time and know for certain that neither I nor my wife turned on the box or connected a cable to it. The power cord was still plugged in, but the machine did not show any sign of waking up - at least not turning on the screen.

In the power options I have it set to not wake on Ethernet/Lan and to not respond to wake up on Bluetooth.

So how did those files get modified to reflect a time 2 1/2 hours after I shut down the machine?

I was awake at that time and was using my iPhone to read email, etc. This iPhone and iMac have been paired via bluetooth in the past. I know the iPhone isn't set up to do anything with the mac, but I tried it anyway and successfully paired them together. I had since deleted any pairing, but wonder if somehow I have a process running in the background on the iPhone that lets the machines talk to each other and connect over the AT&T Edge network? If I have odd stuff happening on the mac and have synced the phone with the mac through iTunes I wonder if I've put some file on the iPhone that doesn't belong?


The other:
I turned on the machine last night and upon login I noticed that my network preferences pane had the little lock symbol "unlocked" and options had changed, including "disconnect upon logout". In the file sharing preference pane the "everyone" group had been re-enabled for access vs. my previous setting to deny access.

There's no way I mistakenly left those preferences changed like that or left the little lock unlocked. I'm paying way too much attention to every detail at this point. I locked it back down.

I've enabled the verbose display on start up and shut down and have noticed that when logging out and shutting down the net and home volumes fail to dismount every time.

I now unplug the electricity from the machine after shut down.


I haven't turned it on today but will look at that again tonight.


----------



## Giaguara (May 22, 2008)

KDC and NTPD are normal. Kerberos and network time...
Are those automator scripts set on startup?


----------



## HelloMac (May 22, 2008)

The scripts were set for startup. Not by me. I've since deleted.


----------



## ElDiabloConCaca (May 22, 2008)

Does anyone else have physical access to the machine?


----------



## HelloMac (May 23, 2008)

The only other person with physical access is my wife, but she only knows how to turn it on and use applications.

I've had another thought about this...

Is it possible that when I'm logged into my account that I'm actually interacting with the computer within a virtual machine environment?

Here's why I ask...

When logging in from the initial screen that is set up for me to type in my user name and password, the screen will accept my information and then briefly display the login screen that has my account picture. As if it was passing through the credentials and then logs in.

If I enter Terminal and examine the file and folder list from / , I cannot get into any folder except /user. If I cd vol or cd bin and then type pwd, it always shows that I've been put into the /user folder. It appears that all my folders are aliases.

When I log out Finder goes through the process but instead of a smooth visual transition back to the log in screen, my screen fades to black, holds there a half second or so and then the default desktop picture pops onto the screen with the login boxes. Sometimes during that little blip of black screen I can see a solid white cursor in the top left hand corner of the screen.

Whenever I shut down the machine I see an error that /home and /net volumes fail to dismount.


----------



## Viro (May 23, 2008)

Oooh, could be a root kit.

In the terminal, can you do echo $PATH and see what that says?
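
An added example (not Viro's code) of what to look for in that `echo $PATH` output. Nothing needs to patch the kernel to change what `ls` or `sudo` do: a directory the attacker can write to, listed before /usr/bin, is enough, because the shell takes the first match. The Python below splits a PATH string, flags the usual signs (an empty or `.` entry, a relative entry, anything under /Users or /tmp, anything a stock Leopard /etc/paths would not produce), marks which of them are searched before /usr/bin, and resolves a command the way the shell does. The two PATH strings, the directories /Users/example/bin and /tmp/.x, and the fake filesystem used in the check are all constructed for the example. One caveat: `cd` is a shell builtin, so PATH cannot change it; an odd `cd` is more likely an alias or function in ~/.bash_profile, ~/.bashrc or /etc/bashrc, which `type cd` will reveal.

```python
import os
import posixpath

# Constructed PATH strings for the example. /Users/example/bin and /tmp/.x
# are made-up directories of the kind a non-root attacker can create.
CLEAN_PATH = "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin"
SUSPECT_PATH = "/Users/example/bin:/usr/bin:/bin::/usr/sbin:/sbin:.:/tmp/.x"

# What a stock Leopard /etc/paths yields; treat anything else as worth a look.
EXPECTED_DIRS = {"/usr/bin", "/bin", "/usr/sbin", "/sbin", "/usr/local/bin", "/usr/X11/bin"}
# Locations an ordinary user (or anything running as one) can write to.
WRITABLE_ROOTS = ("/Users", "/tmp", "/private/tmp", "/var/tmp", "/private/var/tmp")


def _under(path, roots):
    norm = posixpath.normpath(path)
    return any(norm == r or norm.startswith(r + "/") for r in roots)


def audit_path(path_value, expected=EXPECTED_DIRS):
    """Split a PATH string and flag entries that let a non-root writer
    decide which binary runs. 'shadows_system' is True when the entry is
    searched before /usr/bin, so it can replace ls, sudo, ssh, ..."""
    entries = path_value.split(":")
    try:
        system_idx = entries.index("/usr/bin")
    except ValueError:
        system_idx = len(entries)  # /usr/bin missing entirely: every entry wins over it
    findings = []
    for i, entry in enumerate(entries):
        if entry in ("", "."):
            why = "current directory is searched"
        elif not entry.startswith("/"):
            why = "relative entry"
        elif _under(entry, WRITABLE_ROOTS):
            why = "user-writable location"
        elif posixpath.normpath(entry) not in expected:
            why = "not a standard directory"
        else:
            continue
        findings.append({"index": i, "entry": entry, "why": why,
                         "shadows_system": i < system_idx})
    return entries, findings


def which_first(cmd, entries, is_exec=None):
    """Resolve a command name the way the shell does: first hit wins.
    is_exec is injectable so the lookup can be exercised against a fake
    filesystem; by default it checks the real one."""
    if is_exec is None:
        is_exec = lambda p: os.path.isfile(p) and os.access(p, os.X_OK)
    for entry in entries:
        candidate = posixpath.join(entry or ".", cmd)
        if is_exec(candidate):
            return candidate
    return None


if __name__ == "__main__":
    entries, findings = audit_path(os.environ.get("PATH", ""))
    for f in findings:
        flag = " (searched before /usr/bin!)" if f["shadows_system"] else ""
        print(f"entry {f['index']} {f['entry']!r}: {f['why']}{flag}")
    for cmd in ("ls", "sudo", "ssh"):
        print(cmd, "->", which_first(cmd, entries))
```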


----------



## Giaguara (May 23, 2008)

cd / will get you to home folder.
cd /System
cd /Library
do those take you anywhere?


----------



## HelloMac (May 24, 2008)

My machine would not boot today. Had to reset PRAM/NVRAM in order to get it to boot from the install disc. It would get to the gray logo screen and the turning gears but go no farther.

Reset partition, erase, zero out, reinstall. 

At the end of the install log there are multiple entries of folders in private framework/version a/* whose metadata was updated with "actual metadata" from a similarly named folder.

One of the last lines on the log says 
"if diskobject (null) was set with a nil dmdisk object"

I found a .plist file with setting references to World of Warcraft, starfighter, com.blizzard.launch, com.blizzard.download and other stuff like that. I have never played WoW and don't know the reference to Blizzard.

The machine has not been allowed on the net, everything is locked down. Installed little snitch and set rules to deny outgoing communications. 

Will look at the path question tomorrow when I'm more fresh so I can be sure to carefully see where I can move around on the HD from the command line.


----------



## HelloMac (May 24, 2008)

Another thing - the box that I bought with a fresh copy of Leopard says 10.5.2.

System profiler now says I am running 10.5.1.


----------



## g/re/p (May 25, 2008)

I smell a hoax.....


----------



## g/re/p (Jun 2, 2008)

lol....


----------



## HelloMac (Jun 3, 2008)

I wish it was a hoax and my life would be easier.

Through more trial and error and using a program called RootKit Hunter I've learned that after a HD erase, zero out, OS install, combo update to 10.5.3 I'm left with a system that is configured for SSH protocol 2:

ssh config file - yes
ssh root access allowed - yes
ssh protocol v1 allowed - no
syslog daemon? found
syslog remote logging? yes warning
install.*@127.0.0.1:3236

I also find that a hidden file /usr/share/man/man5/.rhosts.5gz:gzip compressed was changed from ".rhosts.5" from Unix.

These settings persist through the various setting updates I make in the account preferences regarding sharing, etc.

If I try to edit the files (with TextEditor.app), the system will not allow me to save the changes. I'm attempting through Finder and I modify the file and folder permissions for my account to write, but still am blocked.

What's this from my DSL modem's system log this morning? 
"Connecting PPPoE socket: 00:90:1a:a0:57:82 9702 br0 0x1000d538"
I don't recognize 00:90:1a:a0:57:82.

The date is May 2007 until several lines in when it changes to today's date. This modem was purchased on Saturday and configured on Sunday.

Verizon DSL modem log 060308 07:52
(GMT)16:01:15 Tue May 15 2007 syslogd started: BusyBox v0.61.pre
(GMT)16:01:15 Tue May 15 2007 init: Waiting for enter to start '/bin/sh' (pid 88, terminal /dev/tts/0)
(GMT)16:01:16 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -N EGRESS
(GMT)16:01:16 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -N INGRESS
(GMT)16:01:17 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -A INGRESS -j IMQ
(GMT-05:00)16:01:18 Tue May 15 2007 logic: Stunnel conf 2: TR-069 1 /var/etc/stunnel2.conf https://cpe-ems.verizon.com/cwmpWeb/CPEMgt 1 8080
(GMT-05:00)16:01:19 Tue May 15 2007 logic: dhcps starting
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:01:25 Tue May 15 2007 udhcpd: ADD - (my mac address) 192.168.1.64 86400 bigmacs-imac

Later:
(GMT-05:00)16:02:00 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:02:00 Tue May 15 2007 udhcpd: interface: br0, start : 4001a8c0 end : fe01a8c0
(GMT-05:00)07:44:16 Tue Jun 03 2008 pc: act_hnm not exist, restart it
(GMT-05:00)07:45:24 Tue Jun 03 2008 udhcpd: SENDING ACK to bigmacs-imac
(GMT-05:00)07:45:24 Tue Jun 03 2008 udhcpd: sending ACK to 192.168.1.67
(GMT-05:00)07:45:24 Tue Jun 03 2008 udhcpd: ADD 192.168.1.67 86400 bigmacs-imac
(GMT-05:00)07:45:24 Tue Jun 03 2008 logic: 192.168.1.67 now is 192.168.1.67
(GMT-05:00)07:45:27 Tue Jun 03 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)07:45:27 Tue Jun 03 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)07:45:27 Tue Jun 03 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=71,srcip=192.168.1.1, url=67.1.168.192.in-addr.arpa
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=61,srcip=192.168.1.1, url=dslmodem.domain
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=61,srcip=192.168.1.1, url=dslmodem.domain
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=71,srcip=71.252.0.12, url=67.1.168.192.in-addr.arpa


----------



## ElDiabloConCaca (Jun 3, 2008)

HelloMac said:


> I wish it was a hoax and my life would be easier.
> 
> Through more trial and error and using a program called RootKit Hunter I've learned that after a HD erase, zero out, OS install, combo update to 10.5.3 I'm left with a system that is configured for SSH protocol 2:
> 
> ...


Yup, standard Mac OS X Server config... SSH2 is used for remote logins among other things.


> If I try to edit the files (with TextEditor.app), the system will not allow me to save the changes. I'm attempting through Finder and I modify the file and folder permissions for my account to write, but still am blocked.


Because you need to edit that file as root, and you can't do that with TextEdit by simple double-clicking the "TextEdit" icon.  If you're versed in vi or nano, try editing the file from the command-line with "sudo".



> What's this from my DSL modem's system log this morning?
> "Connecting PPPoE socket: 00:90:1a:a0:57:82 9702 br0 0x1000d538"
> I don't recognize 00:90:1a:a0:57:82.


Could that be your ISP's MAC address?

Could it also be that your DSL modem's DNS has been poisoned?  Can you do a "hard reset" of the modem -- in other words, can you purge the settings on the modem to their default state, then reconfigure the modem to be sure that it's not some poisoned modem settings?


----------



## HelloMac (Jun 3, 2008)

I will try a reset on the modem, but I've attempted that on the previous DSL modem a couple of times and ended up with the same thing. Thus my decision to buy a new modem. And here I am again.

I haven't looked up the man file on it yet, but do you know what the default config for Raccoon should be upon a fresh install? My system has a config setting that allows anonymous login right off the bat.


Here's a bit more of the log from this morning that I meant to post.

The second remote connection attempt to port 443 is what worries me. I have that port blocked by the firewall that is built into the modem.

(GMT-05:00)07:45:44 Tue Jun 03 2008 syslog: failed dns request len=136,srcip=71.252.0.12, url=dslmodem.domain
(GMT-05:00)07:45:50 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:45:51 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:46:11 Tue Jun 03 2008 stunnel[377]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:46:11 Tue Jun 03 2008 stunnel[377]: Failed to initialize remote connection
(GMT-05:00)07:46:17 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:46:18 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:46:27 Tue Jun 03 2008 stunnel[455]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:46:27 Tue Jun 03 2008 stunnel[455]: Failed to initialize remote connection
(GMT-05:00)07:46:57 Tue Jun 03 2008 stunnel[464]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:46:57 Tue Jun 03 2008 stunnel[464]: Failed to initialize remote connection
(GMT-05:00)07:47:27 Tue Jun 03 2008 stunnel[479]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:47:27 Tue Jun 03 2008 stunnel[479]: Failed to initialize remote connection
(GMT-05:00)07:47:56 Tue Jun 03 2008 stunnel[486]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:47:56 Tue Jun 03 2008 stunnel[486]: Failed to initialize remote connection
(GMT-05:00)07:48:26 Tue Jun 03 2008 stunnel[497]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:48:26 Tue Jun 03 2008 stunnel[497]: Failed to initialize remote connection


----------



## HelloMac (Jun 3, 2008)

And another question - 

I've never specified a WINS name in any of the MAC's interfaces, though I've noticed that a name gets used. It usually is MACINTOSH-77777777 or something generic like that. 

My computer does have a name as specified in the Sharing preferences, though file sharing is outlawed on my machine. The two names don't match up.

I've created a new "Location" and deleted the automatic location and have found over time that the generic mac name will get used again.

I'd get it if the mac needs to default to a name as a placeholder but what I don't get is why the WINS name doesn't default to the computer name defined in Sharing preferences, since WINS is to help the machine share with Windows. Right? There must be a setting somewhere that I'm missing. Just want to make sure the machine isn't sharing files through some config file that has been modified or overlooked.


----------



## Viro (Jun 3, 2008)

HelloMac said:


> The second remote connection attempt to port 443 is what worries me. I have that port blocked by the firewall that is built into the modem.



http://en.wikipedia.org/wiki/Https
http://www.grc.com/port_443.htm

That's a HTTP connection over SSL, i.e. secure HTTP, the protocol that you'll use when communicating with secure sites like your bank.


----------



## Viro (Jun 3, 2008)

I don't think that your system is compromised. From where I'm sitting, it looks as though you are already believing that your system is compromised and that is leading you to see "intrusions" everywhere.

Try scanning your computer against https://www.grc.com/x/ne.dll?bh0bkyd2 and see what it says.


----------



## HelloMac (Jun 3, 2008)

I understand your skepticism. It's true that I'm watching every movement of the system.

I want to join your side on this issue and will as soon as I can find someone who can explain to me what might be legitimate reasons for:

su commands on the logs
anonymous logins on the logs
sections of logs that disappear 
time changes by a few seconds on the logs
"race conditions" on the logs
"window replay" on the logs
"recall volume changes" on the logs
preference settings changing over time


Hand me my aluminum foil hat please.


----------



## NewMacUser-TX (Jun 20, 2008)

I am reading the last few posts of this thread with much interest.  I too have been encountering strange issues with both Windows and Mac machines.  To start with, I had three computers in my home office become compromised through MBR/Downloader and DNS Hijack Trojans.  At one time I too thought they were re-writing CD's but eventually what I realized they are doing is emulating CD's for the purpose of preventing my being able to reinstall Windows and to covertly install files that will give them control of the machine.  I noticed this on a Windows machine when re-installing drivers after completing FDISK and Format on my hard drive.  Earlier I had inspected the files on the CD and saw there were 10 drivers.  However, when trying to install them the "disk" showed 14 driver files.  They copy the disk to the hard drive, make you think you are accessing the CD in the CD drive but then install from the HD the files they want.  I know this sounds crazy, but it is happening.

I got fed up with Windows, after going through THREE new hard drives in less than a week trying to "beat" the hackers, and bought an iMac:

Hardware Overview:

  Model Name:	iMac
  Model Identifier:	iMac7,1
  Processor Name:	Intel Core 2 Duo
  Processor Speed:	2 GHz
  Number Of Processors:	1
  Total Number Of Cores:	2
  L2 Cache:	4 MB
  Memory:	1 GB
  Bus Speed:	800 MHz
  Boot ROM Version:	IM71.007A.B03
  SMC Version:	1.20f4
  Serial Number:	QP816056X85

It wasn't long after connecting this machine (never could get Airport Extreme to configure properly) that I noticed it was being used as a DNS server.  I am not familiar with Macs so it took a while before I figured out how to block incoming traffic, etc.  I too was getting "fake" log-in screens, etc. popping up asking for my password and even had a message pop saying that Apple suggests I install "Growl" for network management.  I also noticed that some of my documents were being copied into image files and somehow interfacing with X-11 to send them over the net (also not yet familiar with X-11).  In doing some research I learned how to see where my user bin location is and, from what I understand, it was in the wrong place and in a strange place (when I perform the command echo $PATH in the terminal this is what I get:  /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin).  After seeing this I erased the hard drive with a 7 pass erase and reinstalled OSX and this time I did not install X-11 or anything else other than the core requirements.  However if I perform the command echo $PATH in the terminal it STILL gives me /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin.  I also noticed that although I chose not to install any of the language packs other than English, all the languages are installed. 

On the Windows computers I was getting error messages in Chinese and Korean.  From what I have learned through some online research (when my searches aren't being re-directed), there is some serious hacking taking place and it is being done by a sophisticated and organized group out of China and possibly North Korea.  Their primary goal is identity theft.  This is a serious issue that is not getting much press and needs to be addressed by companies such as Microsoft and Apple.

I know I am not imagining things because my bank recently notified me that my account was locked due to repeated attempts to access my account from a foreign IP address.


----------



## NewMacUser-TX (Jun 20, 2008)

Viro said:


> http://en.wikipedia.org/wiki/Https
> http://www.grc.com/port_443.htm
> 
> That's a HTTP connection over SSL, i.e. secure HTTP, the protocol that you'll use when communicating with secure sites like your bank.



And that a hacker will use to communicate with his bank.


----------



## NewMacUser-TX (Jun 20, 2008)

A question:  Tonight I noticed the following "critical" notification in the log:

6/19/08 8:21:38 PM localhost fseventsd[26] fseventsd Critical log dir: /.fseventsd getting new uuid: 8B590C92-EBAE-4C8B-8441-8C61DD440BCB 

Any ideas?

Or this error:

6/19/08 8:22:01 PM imac /usr/sbin/screenreaderd[68] /usr/sbin/screenreaderd Error SCREENREADER[68]: Stopping screen reader because login happened


----------



## elander (Jun 20, 2008)

First of all: I can't see anything that even remotely resembles a root kit or any other type of foul play in any of these logs.

Second: if you don't know what to look for, don't look. Seriously. If you want to learn, then by all means look, and then google every log entry you don't understand, and learn what process caused the log entry and why. If you're not prepared to learn, don't look. You'll only grow (more) paranoid.

I agree with g/re/p though, this smells like a hoax. HelloMac seems more like a troll/flamebait than a seriously concerned user.


----------



## ElDiabloConCaca (Jun 20, 2008)

I agree... I smell fish, and it just doesn't make sense.

If you're getting hacked _during the install process_, as HelloMac has insinuated, then something is drastically wrong with your network setup.

HelloMac, if I remember correctly, even claimed that s/he was "hacked" during the install process even when not connected via any network interface... and wondered if, perhaps, the install DVD was compromised.  This is just completely unrealistic... no legitimate copies of Mac OS X have trojans/viruses/rootkits on the install media, period, so this is completely impossible.

If either HelloMac or NewMacUser-TX are willing, I'd like to please ask them to post some screenshots of the error messages they're receiving.  Simply press Shift-Command-3 to generate a picture of the screen, then post it here.  I'd especially like to see the screenshot of "Apple suggests I install "Growl" for network management", since no error message anywhere within Mac OS X contains the verbiage "Apple suggests you install...".

Not to be too stereotypical of a forum dissenter, but pics or it didn't happen.


----------



## NewMacUser-TX (Jun 20, 2008)

If I am able to capture a screen shot I will.  The Windows computers are dead as every new hard drive I have installed has become corrupted and as such, I have given up on trying to use them for anything.  I am not sure if it is possible, but I believe that the MBR changes have been written to the motherboard or something as every hard drive I have installed has become corrupted.  

As I mentioned, I do not believe they are writing to install discs, but I do believe they are creating hidden, encrypted drives that the computer boots from whenever you try to reinstall or restore Windows.  I also believe the Trojan "tricks" you into thinking you are installing "a", when in reality, you are installing "x".  There have been many strange things happening that are just unexplainable.

As for my Mac, I agree that I do not know enough yet about Mac to understand many of the errors, etc. that I see.  But again, after a 7 pass erase, reformat and reinstall, should my user bin still be where I showed?  Especially if X-11 had not been installed?  How could it be in the X-11 directory if there is no X-11 program on the computer?

As for the Growl message, if it happens again I will gladly capture a screen shot and put it up.  I don't think it will happen again though as I had a local Apple tech come out at $100 an hour and assist me in finally getting the Airport Extreme to configure properly, etc.  Even he could not explain the log entries, etc. that he was seeing and thought it was something he should investigate.

I am not sure why you have to think people are lying just because you haven't seen what they say?  Sure, seeing is believing, but I have no reason to make stuff up.  These issues have cost me in my business and put a burden on me financially and mentally.  I have lost all of this year's financial data and have to rebuild everything as I am too afraid my back-ups are compromised and will not take a chance.


----------



## HelloMac (Jun 20, 2008)

Hello again all. I thought this thread was dead and I was dismissed. And I see there continue to be folks who can't see how this is taking place. I will in fact post some screen shots within the next day in order to show file system examples. DTD files and other strangeness.

New - Ser - TX. What you describe is very similar to my issue.

This week I reached the same conclusion that part of the problem is a DNS hijack. 

All - the following are elements that help combine to make the system fail. The initial entry point is through a takeover of DNS and the cgi-bin of a modem which uses BusyBox, a Linux-based operating system for DSL/Cable modems.

Need to open a port for ssh? No problem, I own your modem so I'll do whatever I want. In fact I'll write a script that Automator will execute the next time you boot the machine and let you do the work for me.

Man AWK and read up on this old technology that works with all Unix flavored systems:
"Function declarations can be placed in a program wherever a match-action clause can. All parameters are local to the function. Local variables can be defined inside the function. 

* A second improvement is a new function, "getline", that allows input from files other than those specified in the command line at invocation (as well as input from pipes). "Getline" can be used in a number of ways: 
   getline                   Loads $0 from current input.
   getline myvar             Loads "myvar" from current input.
   getline myfile            Loads $0 from "myfile".
   getline myvar myfile      Loads "myvar" from "myfile".
   command | getline         Loads $0 from output of "command".
   command | getline myvar   Loads "myvar" from output of "command".
* A related function, "close", allows a file to be closed so it can be read from the beginning again: 
   close("myfile")
* A new function, "system", allows Awk programs to invoke system commands: 
   system("rm myfile")
* Command-line parameters can be interpreted using two new predefined variables, ARGC and ARGV, a mechanism instantly familiar to C programmers. ARGC ("argument count") gives the number of command-line elements, and ARGV ("argument vector") is an array whose entries store the elements individually. 

* There is a new conditional-assignment expression, known as "?:", which is used as follows: 
   status = (condition == "green")? "go" : "stop"
This translates to: 
   if (condition=="green") {status = "go"} else {status = "stop"}
This construct should also be familiar to C programmers. 

* There are new math functions, such as trig and random-number functions: 
   sin(x)         Sine, with x in radians.
   cos(x)         Cosine, with x in radians.
   atan2(y,z)     Arctangent of y/x, in range -PI to PI.
   rand()         Random number, with 0 <= number < 1.
   srand()        Seed for random-number generator.
* There are new string functions, such as match and substitution functions: 

match(<target string>,<search string>) 

Search the target string for the search string; return 0 if no match, return starting index of search string if match. Also sets built-in variable RSTART to the starting index, and sets built-in variable RLENGTH to the matched string's length."

http://www.vectorsite.net/tsawk_3.html#m1

Strings, arrays - sound familiar? Oh yes all those .plist files.


UDP communication is used to output and input information to the system through channels the MAC considers normal.

CUPS printing system that is part of MAC OS is capable of so much more than handling print jobs. It has a built in http server that can be logged on through port 80 just like any other url. Cups will open a port through the firewall and listen for connections. Man cups and learn.

ARD has a vulnerability that allows takeover of the machine through escalating permissions. *Google Slashdot and read up on it.*

LittleSnitch shows activity flowing out of my machine to host names including "time.apple.com" or other similar unusual names, but if one drills down on the host name and looks at the actual IP address one will find that connections are being made to places including* http://www.sarialtin.com *"Zero Ground Condition". TURN OFF JAVA SCRIPT IN SAFARI BEFORE YOU VISIT THAT URL. Use the Dev tools and have a look under the skin at that site.* Esp /test/pakdost.txt*

Java VM
Active Directory
nmblookup
MDNSResponder 
Those three system processes play a role in discovering internal settings on the MAC and sending an update outside the system.

Duplicate filesystems are in place on my iMAC and my MacBook that duplicate private frameworks for system\library, but the directories are located ...

 file:// *
 file:/// *

Multiple IPs that I trace resolve to 169.###.##.##-addr-arpa. Good luck finding from there.

NEWMACUSR-TX - do you ever see msdosfs.kextd load? ALL - Kernel Extensions as you all know, of course, according to Apple docs, only load into memory when they are needed. I do not have a windows or dos/ntfs based file system installed on the machine so why does the system need it? 

There's room for one. Disk Utility provides the space formatted FAT in the same area where the initial bootup files for the EFI are stored. There isn't supposed to be anything there but I don't know how to look at it. Perhaps the seed of this problem inhabits the FAT formatted part of the system partition? Maybe that's why I also see something called EFISYNC.KEXT run on occasion? Usually around the same time that msdosfs.kextd loads? Oh wait, I'm a troll and paranoid.

I'm up for additional education gentlemen. Usually the responses on this thread are answers to things that are explainable, but the hard questions are ignored.

*Why does my iSight camera turn on by itself when the machine is on the web? *iChat is NOT running. No IM software is running. But hi "smile for the camera"!

If you are willing to actually be of assistance in this I'm happy to post up additional information including log files and screen shots, but if you just want to tell me that I'm stupid or a troll and that my Mac is bulletproof, then I'll leave it alone as I was. But the fellow in Texas described issues I had with my PC's almost to a T before I gave up and bought TWO macs thinking hey, now I'll be in good shape.

I'm on my third brand of modem/router.
I've switched from cable to DSL.
I've formatted my HD's multiple times. AppleCare can't figure it out. The local Genius tells me it's a software problem so call AppleCare.

Even so, I still enjoy my Mac more than I ever enjoyed using a PC. The problem is that I can only use it for three or four days, then have to tear it back down and start over. It's annoying.

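Added example, not from this thread or from any project named in it: a small sh/awk check that applies the getline/close, match()/RSTART/RLENGTH and array features quoted above to the kind of BusyBox udhcpd lease lines posted earlier, listing DHCP clients whose hardware address is not on an owner-maintained allow-list. The log lines, hostnames and MAC addresses in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not the thread's or any vendor's code): triage a BusyBox
# udhcpd modem log for DHCP leases handed to hardware addresses the owner
# does not recognise. The parsing is done in awk so that the getline/close,
# match()/RSTART/RLENGTH and array features quoted above do real work.

# Constructed sample log in the format of the modem logs posted in the
# thread. The MAC addresses and hostnames are made up for this example.
SAMPLE_LOG='(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:11:22:33:44:55 192.168.1.75 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:11:22:33:44:66 192.168.1.76 1000 unknownpc1
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: SENDING OFFER to daddy-macs-imac
(GMT-05:00)16:01:43 Tue May 15 2007 udhcpd: ADD 00:AA:BB:CC:DD:EE 192.168.1.77 1000 daddy-macs-imac
(GMT-05:00)16:01:56 Tue May 15 2007 udhcpd: ADD 00:11:22:33:44:66 192.168.1.78 1000 unknownpc1
(GMT-05:00)07:45:27 Tue Jun 03 2008 syslog: No response for DNS request to server 71.252.0.12 yet.'

# Devices the owner knows about: MAC first, then a free-text description.
# Case does not matter; the script lower-cases both sides before comparing.
KNOWN_DEVICES='00:aa:bb:cc:dd:ee  the iMac'

# dhcp_unknown_clients LOGFILE ALLOWFILE
# Prints one line per unknown MAC: "<mac> leases=<n> ips=<list> names=<list>".
# Returns 1 when any unknown client was seen, 0 otherwise, so it can gate a
# cron job or a nightly report.
dhcp_unknown_clients() {
    awk -v allow="$2" '
    BEGIN {
        n = 0
        # "getline myvar myfile" and close(), as in the quoted awk notes:
        # read the allow-list once into an array keyed by lower-case MAC.
        while ((getline entry < allow) > 0) {
            split(entry, f, " ")
            if (f[1] != "") known[tolower(f[1])] = 1
        }
        close(allow)
    }
    # Lease records look like:  udhcpd: ADD <mac> <ip> <lease-seconds> [<hostname>]
    # match() sets RSTART/RLENGTH; the MAC starts 12 characters into the match
    # (the length of "udhcpd: ADD ").
    match($0, /udhcpd: ADD [0-9A-Fa-f:]+/) {
        mac = tolower(substr($0, RSTART + 12, RLENGTH - 12))
        if (mac in known) next
        nf = split(substr($0, RSTART + RLENGTH), f, " ")
        ip = f[1]
        host = (nf >= 3) ? f[3] : "-"           # hostname is sometimes absent
        if (!(mac in leases)) order[++n] = mac   # keep first-seen order
        leases[mac]++
        if (!((mac, ip) in seen_ip)) {
            seen_ip[mac, ip] = 1
            ips[mac] = (ips[mac] == "" ? "" : ips[mac] ",") ip
        }
        if (!((mac, host) in seen_host)) {
            seen_host[mac, host] = 1
            names[mac] = (names[mac] == "" ? "" : names[mac] ",") host
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            m = order[i]
            printf "%s leases=%d ips=%s names=%s\n", m, leases[m], ips[m], names[m]
        }
        exit (n > 0)   # 1 = at least one unknown device asked for a lease
    }' "$1"
}

# Run the check on the constructed data using temporary files.
run_sample() {
    log=$(mktemp); allow=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$log"
    printf '%s\n' "$KNOWN_DEVICES" > "$allow"
    if dhcp_unknown_clients "$log" "$allow"; then rc=0; else rc=$?; fi
    rm -f "$log" "$allow"
    return $rc
}

if run_sample; then
    echo "no unknown DHCP clients in the sample log"
else
    echo "unknown DHCP clients found (exit status $?)"
fi
```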

----------



## HelloMac (Jun 20, 2008)

Why have I been blocked from this forum?


----------



## HelloMac (Jun 20, 2008)

So I'm not? I just wrote out a detailed post but is was setaside for moderator review. Whatever.


----------



## HelloMac (Jun 20, 2008)

Look, I'm not a troll. I'll post some screen shots and some logs and you can beat me up about it or give it a go. I stopped posting because my last two posts were blocked by the moderator.

A quicker synopsis. TURN OFF JAVA in Safari and visit sarialtn.com/test/pakdost.txt. Littlesnitch tells me all the time about this process or that who wants to connect there. Also look under the hood at sarialtin.com.

Read the man for AWK - it's an old technology but it works on every unix flavored box.
Google *ATA over Ethernet*. It's low level, it works and leaves no trace on the logs about what it's doing. I've seen it listed by System Profiler in my applications. Just realized what it was this week.

The initial entry to the MAC is through a compromised cable or DSL modem using a scaled down version of Linux called BusyBox. Gain control of the cgi-bin and welcome to the MAC. Need a port opened for ssh? Coming right up!

CUPS built into the mac is SO capable. You should read the man for it. It includes an http server built in. Combine it with BACKENDS and go to town. Oh yeah, just open a port and listen to IPv6 and instructions on what to do next. Send a script to automator? Sure, it's run on the next boot. Thanks.

Mr TX just saved my sanity. The extra files I though were on the install DVD are in fact on my HD. Duplicate files at file:// * and file:/// *.

Upon install Disk Utility puts EFI into a special hidden partition. It also creates some space formatted FAT. No files, just the space. Standard procedure.

My system loads msdofs.kextd once or twice after a fresh drive wipe. Within a few minutes something called EFISync.kextd runs too. Is the seed of this problem living on that FAT partition? Remember kids - MAC OS X only loads a kernel extension when it needs to be used so I wonder why the MSDOS FILE SYSTEM KERNEL EXTENSION IS LOADED BY OS X? I'm not running boot camp, or Fusion or Parallels, or windows or a VM for pong.

I'll talk to you later, gotta go reformat my hard drive again.


----------



## HelloMac (Jun 20, 2008)

MR- TX - 

Usual suspects that are always involved. Run Little Snitch and watch and tell me what you see in order to learn if we are both living the same dream.

mDNSresponder
nmblookup
directory service
ntpd - notice that this always lights up every time you press the enter key? Is it REALLY checking the time on that schedule?

Don't rely on the hostnames when those processes attempt to make a connection, but drill down to the actual IP address. Go over to  DNSStuff.com and run some searches. In most cases, the IP does not end up where you think it's going.

My bet is you'll find variants of 169.xxx.xxx.x-in-addr-arpa most of the time.

Take a look at YOUR ip address. If it's been assigned to the machine for more than a day (DHCP) it might not actually be your ISP's assignment. Take a close look and see if you find srcip= xxxxxxx url=XXXXXXX etc. Redirected.


----------



## ElDiabloConCaca (Jun 20, 2008)

So... what you two are trying to say is that this has nothing to do with the Mac, nothing to do with the Windows box, and everything to do with your router and/or cable modem?



HelloMac said:


> My system loads msdofs.kextd once or twice after a fresh drive wipe. Within a few minutes something called EFISync.kextd runs too. Is the seed of this problem living on that FAT partition? Remember kids - MAC OS X only loads a kernel extension when it needs to be used so I wonder why the MSDOS FILE SYSTEM KERNEL EXTENSION IS LOADED BY OS X? I'm not running boot camp, or Fusion or Parallels, or windows or a VM for pong.



Maybe because Mac OS X supports reading and writing to MS-DOS formatted disks out-of-the-box and all the time.  Gotta have a kernel extension for that functionality.  When you plug in an MS-DOS formatted disk, the computer mounts it.  In order to mount it, it has to understand the format.  One way for Mac OS X to "understand" the MS-DOS format is via kernel extension.

Although that extension is not present on my system.

EFISync.kext I don't know about.

I'm not calling anyone a liar -- the quip about "pics or it didn't happen" is a reference to forum trolls who don't believe a thing unless there's pics.  It, and the "I smell fish" comment, were typed tongue-in-cheek.  I'm just saying that something fishy is going on here -- with you, your computer, your router, or the electromagnetic fields around your location.


----------



## NewMacUser-TX (Jun 20, 2008)

but I did notice the following in my logs this morning:

Deny configd data in from 10.198.242.1:67 uid = 0 proto=17
Deny mDNSResponder data in from fe80::21f:5bff:feee:446c:5353 uid = 0 proto=17

From what I can learn from searches, this is my Mac denying my ISP from configuring my DHCP settings which should be allowed.

I also continually notice that CUPSD is "listening" on a port... why?  My printer is connected directly to my MAC and I am not running a network.


----------



## HelloMac (Jun 20, 2008)

Modem/Router log

(GMT)16:01:15 Tue May 15 2007 syslogd started: BusyBox v0.61.pre
(GMT)16:01:15 Tue May 15 2007 init: Waiting for enter to start '/bin/sh' (pid 86, terminal /dev/tts/0)
(GMT)16:01:16 Tue May 15 2007 logic: qos_prepare:iptables  -t mangle -N EGRESS
(GMT)16:01:16 Tue May 15 2007 logic: qos_prepare:iptables  -t mangle -N INGRESS
(GMT)16:01:17 Tue May 15 2007 logic: qos_prepare:iptables  -t mangle -A INGRESS -j IMQ
(GMT-05:00)16:01:17 Tue May 15 2007 logic: Stunnel conf 2: TR-069 1 /var/etc/stunnel2.conf https://cpe-ems.verizon.com/cwmpWeb/CPEMgt 1 8080
(GMT-05:00)16:01:19 Tue May 15 2007 logic: dhcps starting
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:1f:f3:52:b9:39 192.168.1.75 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.76 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:1e:c2:32:d5:4e 192.168.1.77 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: interface: br0, start : 4b01a8c0 end : 5001a8c0
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: Received SIGTERM
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1f:f3:52:b9:39 192.168.1.75 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.76 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1e:c2:32:d5:4e 192.168.1.77 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: interface: br0, start : 4b01a8c0 end : 5001a8c0
(GMT-05:00)16:01:39 Tue May 15 2007 logic: launch stunnel 0, 0
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: SENDING OFFER to daddy-macs-imac
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.76 60 daddy-macs-imac
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.76
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: SENDING OFFER to daddy-macs-imac
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.76 60 daddy-macs-imac
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.76
(GMT-05:00)16:01:43 Tue May 15 2007 udhcpd: SENDING ACK to daddy-macs-imac
(GMT-05:00)16:01:43 Tue May 15 2007 udhcpd: sending ACK to 192.168.1.76
(GMT-05:00)16:01:43 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.76 1000 daddy-macs-imac
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: Plugin pppoe loaded.
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: PPPoE Plugin Initialized
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: Plugin pppoe called.
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: pppd 2.4.1 started by DHLM, uid 0
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: setting line discipline hook
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: don't turn led red when auto-detecting
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: Sending PADI
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: Plugin pppoe loaded.
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: PPPoE Plugin Initialized
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: Plugin pppoe called.
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: pppd 2.4.1 started by DHLM, uid 0
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: setting line discipline hook
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: don't turn led red when auto-detecting
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: Sending PADI
(GMT-05:00)16:01:55 Tue May 15 2007 udhcpc: udhcp client (v0.9.7) started
(GMT-05:00)16:01:55 Tue May 15 2007 udhcpc: Sending discover...
(GMT-05:00)16:01:55 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 60 unknown
(GMT-05:00)16:01:55 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.78
(GMT-05:00)16:01:56 Tue May 15 2007 udhcpd: sending ACK to 192.168.1.78
(GMT-05:00)16:01:56 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 1000
(GMT-05:00)16:01:57 Tue May 15 2007 udhcpc: Sending discover...
(GMT-05:00)16:01:59 Tue May 15 2007 udhcpc: Sending discover...
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: Plugin pppoe loaded.
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: PPPoE Plugin Initialized
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: Plugin pppoe called.
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: pppd 2.4.1 started by DHLM, uid 0
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: setting line discipline hook
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: don't turn led red when auto-detecting
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: Sending PADI
(GMT-05:00)16:02:06 Tue May 15 2007 udhcpc: udhcp client (v0.9.7) started
(GMT-05:00)16:02:06 Tue May 15 2007 udhcpc: Sending discover...
(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: SENDING OFFER to daddy-macs-imac

(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 60 daddy-macs-imac

(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.79

(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: SENDING OFFER to daddy-macs-imac 

(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 60 daddy-macs-imac

(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.79

(GMT-05:00)16:02:08 Tue May 15 2007 udhcpc: Sending discover...

(GMT-05:00)16:02:08 Tue May 15 2007 udhcpd: SENDING ACK to daddy-macs-imac 

(GMT-05:00)16:02:08 Tue May 15 2007 udhcpd: sending ACK to 192.168.1.79

(GMT-05:00)16:02:08 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 1000 daddy-macs-imac

(GMT-05:00)16:02:08 Tue May 15 2007 logic: 00-1e-52-86-be-17/192.168.1.79 now is 192.168.1.79

(GMT-05:00)16:02:10 Tue May 15 2007 udhcpc: Sending discover...

(GMT-05:00)16:02:48 Tue May 15 2007 udhcpd: SENDING ACK to daddy-macs-imac 
(
GMT-05:00)16:02:48 Tue May 15 2007 udhcpd: sending ACK to 192.168.1.79

(GMT-05:00)16:02:48 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 1000 daddy-macs-imac
(
GMT-05:00)16:03:04 Tue May 15 2007 udhcpd: SENDING ACK to daddy-macs-imac 

(GMT-05:00)16:03:04 Tue May 15 2007 udhcpd: sending ACK to 192.168.1.79

(GMT-05:00)16:03:04 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 1000 daddy-macs-imac

(GMT-05:00)16:03:27 Tue May 15 2007 logic: fw_trans_query kp.key = report_all_clients_act0

(GMT-05:00)16:03:27 Tue May 15 2007 logic: fw_trans_query kp.key = report_all_clients_act0

(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: HOST_UNIQ successful match 

(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: HOST_UNIQ successful match 

(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: Got connection: 1f09

(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: Saved Session ID: 0

(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: Connecting PPPoE socket: 00:90:1a:a0:57:82 1f09 br0 0x1000d538
(
GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: Using interface ppp0

(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: Connect: ppp0 -> br0

(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: MRU: 1500

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read start 192.168.1.75 
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read end 192.168.1.80 

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read interface br0 

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt router 192.168.1.1 

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt domain dslhighway 

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt dns 192.168.1.1 192.168.1.1 38.8.82.2 

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt subnet 255.255.255.0 

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt renew 20 
(
GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt lease 1000 

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read conflict_time 1000 

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read lease_file /var/tmp/landhcps0.leases 

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: local  IP address 72.66.59.80

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: remote IP address 10.1.48.1
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: primary   DNS address 71.252.0.12

(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: secondary DNS address 71.242.0.12
(
GMT-05:00)16:04:11 Tue May 15 2007 syslog: config.name_server[0]=71.252.0.12 

(GMT-05:00)16:04:14 Tue May 15 2007 logic: got wan ip launch stunnel 

(GMT-05:00)16:04:14 Tue May 15 2007 logic: launch stunnel 1, 0 
(GMT-05:00)16:04:14 Tue May 15 2007 udhcpd: Received SIGTERM

(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started

(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: ADD 00:1f:f3:52:b9:39 192.168.1.75 830 unknownpc1

(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.76 852 daddy-macs-imac
(
GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: ADD 00:1e:c2:32:d5:4e 192.168.1.77 830 unknownpc1

(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 862 unknownpc1
(
GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 930 daddy-macs-imac

(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: interface: br0, start : 4b01a8c0 end : 5001a8c0 

(GMT-05:00)16:04:18 Tue May 15 2007 logic: stunnel message type 1 
(
GMT-05:00)16:04:18 Tue May 15 2007 logic: stunnel report start,stunnel2,517 

(GMT-05:00)16:04:20 Tue May 15 2007 logic: tr-69-client exist, do not restart it
(
GMT-05:00)23:32:56 Wed Jun 18 2008 logic: fw_trans_query kp.key = report_all_clients_act0

(GMT-05:00)23:32:57 Wed Jun 18 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(
GMT-05:00)23:33:19 Wed Jun 18 2008 syslog: No response for DNS request to server 71.252.0.12 yet.

(GMT-05:00)23:33:19 Wed Jun 18 2008 pc: act_hnm not exist, restart it

(GMT-05:00)23:33:20 Wed Jun 18 2008 logic: fw_trans_query kp.key = report_all_clients_act0

(GMT-05:00)23:33:21 Wed Jun 18 2008 logic: fw_trans_query kp.key = report_all_clients_act0

(GMT-05:00)23:33:22 Wed Jun 18 2008 syslog: No response for DNS request to server 71.242.0.12 yet.

(GMT-05:00)23:33:22 Wed Jun 18 2008 syslog: All DNS servers tried, no response.
(
GMT-05:00)23:33:22 Wed Jun 18 2008 syslog: failed dns request len=71,srcip=192.168.1.1, url=79.1.168.192.in-addr.arpa 

(GMT-05:00)23:34:28 Wed Jun 18 2008 syslog: No response for DNS request to server 71.252.0.12 yet.

(GMT-05:00)23:34:30 Wed Jun 18 2008 syslog: No response for DNS request to server 71.242.0.12 yet.

(GMT-05:00)23:34:30 Wed Jun 18 2008 syslog: All DNS servers tried, no response.

(GMT-05:00)23:34:30 Wed Jun 18 2008 syslog: failed dns request len=71,srcip=192.168.1.1, url=79.1.168.192.in-addr.arpa 

(GMT-05:00)23:35:41 Wed Jun 18 2008 stunnel[587]: remote connect #2 (192.168.0.1:443): Connection timed out (145)

(GMT-05:00)23:35:41 Wed Jun 18 2008 stunnel[587]: Failed to initialize remote connection


----------



## nixgeek (Jun 20, 2008)

No offense or anything, but at this point it seems like much ado about nothing.  I don't see anything that's out of the ordinary here in this entire thread...maybe that "unknownpc" in your router log, but other than that it looks like the status quo to me.
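
The "unknownpc" entries are the one thing singled out in the router log above, so here is the check a defender would actually run on it: an added example (not from the thread or from any poster) that groups the udhcpd `ADD` lines by MAC address and lists which MACs never announced a hostname you recognise. The sample lines are a constructed excerpt in the posted log's format, and the known-hostname set is an assumption based on the poster's `daddy-macs-imac`.

```python
"""Inventory the DHCP clients recorded in a udhcpd router log.

Added example, not from the thread. Every "udhcpd: ADD <mac> <ip> <lease> <hostname>"
line is grouped by MAC so the distinct devices, the names they announced and the
addresses they moved between are listed once each instead of being eyeballed in
a dump. SAMPLE_LOG is a constructed excerpt in the same format as the posted log.
"""
import re
from collections import defaultdict

# Constructed sample in the posted log's format (udhcpd v0.9.7 on the DSL modem).
SAMPLE_LOG = """\
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1f:f3:52:b9:39 192.168.1.75 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.76 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1e:c2:32:d5:4e 192.168.1.77 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 989 unknownpc1
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.76
(GMT-05:00)16:01:43 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.76 1000 daddy-macs-imac
(GMT-05:00)16:01:56 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 1000 
(GMT-05:00)16:02:08 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 1000 daddy-macs-imac
"""

# The hostname field is optional: some ADD lines end in a bare trailing space.
ADD_RE = re.compile(
    r"udhcpd: ADD (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<lease>\d+)\s*(?P<host>\S*)"
)


def parse_leases(text):
    """Return {mac: {"ips": set, "hosts": set}} built from every udhcpd ADD line."""
    clients = defaultdict(lambda: {"ips": set(), "hosts": set()})
    for line in text.splitlines():
        m = ADD_RE.search(line)
        if not m:
            continue  # OFFER/ACK/SIGTERM lines carry no lease record
        entry = clients[m["mac"]]
        entry["ips"].add(m["ip"])
        if m["host"]:
            entry["hosts"].add(m["host"])
    return dict(clients)


def unaccounted(clients, known_hosts):
    """MACs that never announced a hostname you recognise as one of your own machines.

    Several distinct MACs in the posted log share the label "unknownpc1", so the
    name alone does not identify a device; the MAC is the stable key. Anything
    returned here is worth matching against the MAC labels on your own hardware
    before concluding that a stranger holds a lease.
    """
    return sorted(mac for mac, e in clients.items() if not (e["hosts"] & set(known_hosts)))


def report(text, known_hosts):
    """Human-readable inventory, one line per MAC."""
    clients = parse_leases(text)
    lines = []
    for mac in sorted(clients):
        e = clients[mac]
        tag = "" if e["hosts"] & set(known_hosts) else "  <-- not in known_hosts"
        lines.append(f"{mac}  ips={sorted(e['ips'])}  hosts={sorted(e['hosts']) or ['(none)']}{tag}")
    return lines


if __name__ == "__main__":
    # Assumed known set: the poster's own iMac as named in the log.
    print("\n".join(report(SAMPLE_LOG, {"daddy-macs-imac"})))
```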


----------



## ElDiabloConCaca (Jun 20, 2008)

NewMacUser-TX said:


> I also continually notice that CUPSD is "listening" on a port... why?  My printer is connected directly to my MAC and I am not running a network.


CUPS manages all printers, local and networked.

CUPS also runs a website on port 631.  You can access the CUPS setup page by opening a browser and pointing it to http://127.0.0.1:631 or http://localhost:631.

If you're seeing listening happening on port 631, that's why, and it's normal.


----------



## HelloMac (Jun 20, 2008)

Let me be more clear: when msdosfs.kext loads, nothing is happening that would require the Mac to "understand" a non-Mac file format. No disc is inserted, no USB drive attached, just the hard disc humming away doing its dance with RAM.


----------



## nixgeek (Jun 20, 2008)

Most every app on a Unix-based system listens to ports (you'll also find this in Windows as well).  Some are local, some are not.  Just type "netstat" on the command shell of any Windows or UNIX-like system and you'll see all the ports that are being used.  CUPS is always listening at that port since it is a server daemon running in the background, as most other processes on Unix tend to be.  Again, I still fail to see what the major problem (other than that "unknownpc" in your router log) is even after reading through this whole thread and the logs more than once.


----------



## nixgeek (Jun 20, 2008)

HelloMac said:


> Let me be more clear: when msdosfs.kext loads, nothing is happening that would require the Mac to "understand" a non-Mac file format. No disc is inserted, no USB drive attached, just the hard disc humming away doing its dance with RAM.



It's possible that the Mac is probably preconfigured to load that kernel extension on boot time.  The same thing is done in any GNU/Linux or BSD system so that it can read MS-DOS filesystems right from the get go.  Otherwise, you would have to MANUALLY load the kernel extension or module each time.  It's just sitting there idle until it's time to be used.  Again, nothing out of the norm here.

BTW, in classic Mac OS you had Control Panels and Extensions that would load on startup in order to provide you the functionality you needed once at the desktop.  One of these was an extension that would allow you to mount an MS-DOS disk or volume.  Sure, it would sit there idle while not being used, but it was always enabled to allow you to use it when needed....otherwise, you would not be able to access those MS-DOS volumes.

Again, I think you're making more of this than is actually the case.  Though I understand your frustration, the end is not nigh.


----------



## HelloMac (Jun 20, 2008)

"CUPS also runs a website on port 631. You can access the CUPS setup page by opening a browser and pointing it to http://127.0.0.1:631 or http://localhost:631.

If you're seeing listening happening on port 631, that's why, and it's normal."

Are you just messing with me? I know that's normal. But the flipside is that CUPS can be manipulated to penetrate the system. Do you drink seven or eight gallons of the Kool-Aid daily?


----------



## HelloMac (Jun 20, 2008)

TURN OFF JAVA in Safari and visit sarialtn.com/test/pakdost.txt. Little Snitch tells me all the time about this process or that who wants to connect there. Also look under the hood at sarialtin.com.


----------



## HelloMac (Jun 20, 2008)

Just one more post, then I'll drop it for today till I can get some screen shots.

Mac TX and I both have reported that the OS installer does not follow instructions for installation. When told NOT to install X11 and extra language packages, the installer ignores the custom options and installs those components anyway. Every. Single. Time.

I've repeated that on my iMac AND my MacBook. Different install media. Same results.

Educate me. I have an open mind.


----------



## nixgeek (Jun 20, 2008)

HelloMac said:


> "CUPS also runs a website on port 631. You can access the CUPS setup page by opening a browser and pointing it to http://127.0.0.1:631 or http://localhost:631.
> 
> If you're seeing listening happening on port 631, that's why, and it's normal."
> 
> Are you just messing with me? I know that's normal. But the flipside is that CUPS can be manipulated to penetrate the system. Do you drink seven or eight gallons of the Kool-Aid daily?



Yes, but this is why there are things called *security patches* that are to be installed when they come out for said packages.  There's never going to be a patch for a zero day exploit until there is one available, and nothing is ever going to be invulnerable forever.  The best you can do is secure yourself through defense in depth.

If you don't patch your packages (whatever they may be), then you're asking to get owned.  Seriously, there's only so much you can do.  The only true secure computer is one that's disconnected, covered in 3 feet of concrete, and buried 6 feet under.


----------



## ElDiabloConCaca (Jun 20, 2008)

HelloMac said:


> "CUPS also runs a website on port 631. You can access the CUPS setup page by opening a browser and pointing it to http://127.0.0.1:631 or http://localhost:631.
> 
> If you're seeing listening happening on port 631, that's why, and it's normal."
> 
> Are you just messing with me? I know that's normal. But the flipside is that CUPS can be manipulated to penetrate the system. Do you drink seven or eight gallons of the Kool-Aid daily?


My response was a direct response to something that NewMacUser-TX wrote, not you.

EVERYthing can be manipulated to penetrate the system.  That doesn't mean that everything IS penetrating the system.


----------



## HelloMac (Jun 20, 2008)

All right. I hear both of you. I'll calm down. I do appreciate the knowledge and your willingness to take the time to pay attention to this.

My iSight camera turned itself on on the MacBook a couple of nights ago when my wife was using the machine. I verified iChat was off and no IM program was running. This type of thing causes some stress.


----------



## nixgeek (Jun 20, 2008)

I checked the directory path of that link you gave and then I took off the _pktdos.txt_ which revealed a directory listing.  I downloaded that text file and opened it in an editor.  It just lists a bunch of IP addresses that lead to different sites, many of them Google:





----------



## ElDiabloConCaca (Jun 20, 2008)

Understood, and we'd love to help, but it's just such an alien experience, it seems, with many, many, many things going wrong at once.  Not to mention that none of us other than you have direct access to the computer, so we rely on you and NewMacUser-TX to relay the information we need.

I understand it's frustrating, and we'll try to make it as non-frustrating as possible.

If you do suspect router/modem infestation, then the best bet is to eliminate those pieces of hardware completely from the equation.  They just complicate things if, in fact, they have been compromised.

Quick question, may have already been answered but let's try one more time: Are you choosing a relatively strong password when you install Mac OS X clean?  Also, when you have been re-installing Mac OS X when disconnected from any network, have you been _re-partitioning_ the drive, or simply formatting an existing partition and using it over again?


----------



## NewMacUser-TX (Jun 20, 2008)

I will be the first to admit I probably only know enough to sometimes get myself in trouble, but I am very paranoid after what happened on my windows puters.

It should also be pointed out though that both Apple and MS give just enough info in their systems to make people worry.  For example, today I have these "Warnings" in my log and they are just a sample of many:

6/20/08 11:59:23 AM xxx (my name was here)-imac loginwindow[22] login window Warning CGSDisplayServerShutdown: Detaching display subsystem from window server 
6/20/08 1:18:02 PM - xxx (my name was here) imac - com.apple.launchd[165] com.apple.launchd Warning (com.apple.CSConfigDotMacCert-xxx (my name was here) -SharedServices[168]) Exited with exit code: 1 
6/20/08 1:22:37 PM xxx (my name was here)-imac helpdatad[198] helpdatad Warning port 'com.apple.helpdata' created 

If the situation is serious enough to warrant a "Warning", why not provide a way to find out "why" it is a warning?


----------



## NewMacUser-TX (Jun 20, 2008)

That warning at 11:59:23 AM is strange.  From what I can find in searches, CGSDisplayServerShutdown happens when there are problems sharing screens on a network.  I am NOT on a network.


----------



## NewMacUser-TX (Jun 20, 2008)

OK, I used "shift command 3", but where does it get saved?


----------



## NewMacUser-TX (Jun 20, 2008)

Ok, found it... just wanting to show I have no 'sharing' at all enabled, so why the screensharing warning?


----------



## ElDiabloConCaca (Jun 20, 2008)

Are you using "Back to my Mac"?  Check here:

http://support.apple.com/kb/HT1109?viewlocale=en_US

If so, Back to my Mac supports screen sharing, and may be where that message is coming from.

Also, remember that UNIX is a _very_ verbose operating system in terms of logging.  Just because something is deemed a "warning" does not mean that one should be alarmed or that any action needs to be taken.


----------



## NewMacUser-TX (Jun 20, 2008)

I never have even heard of "Back to my Mac" until now.  I followed the directions in the link and NO, I do not have "Back to my Mac" enabled.


----------



## NewMacUser-TX (Jun 20, 2008)

BTW:  WTF does "Warning Modal session requires modal window" mean?


----------



## NewMacUser-TX (Jun 20, 2008)

OK... now my GMail account is giving me the following message:

We’re sorry, but your Gmail account is currently experiencing errors. You won’t be able to use your account while these errors last, but don’t worry, your account data and messages are safe. Our engineers are working to resolve this issue.

Please try accessing your account again in a few minutes.

I know this has nothing to do with Mac, but all my other GMail accounts are working.  This is the one I used when signing up for .Mac.....


----------



## NewMacUser-TX (Jun 20, 2008)

Finally, and then I will leave this alone for now unless anybody sees anything strange, the following is my Netstat log:

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.200.49762       py-in-f83.google.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49756       py-in-f19.google.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49750       a69.26.188.64.de.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49749       a69.26.188.64.de.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49748       a69.26.188.64.de.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49747       a69.26.188.64.de.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49746       a69.26.188.64.de.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49744       a69.26.188.50.de.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49743       a69.26.188.64.de.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49741       a69.26.188.41.de.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49737       64.78.155.105.http     ESTABLISHED
tcp4       0      0  10.0.1.200.49735       a69.26.188.58.de.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49723       yx-in-f164.googl.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49722       yx-in-f164.googl.http  ESTABLISHED
tcp4       0      0  localhost.ipp          *.*                    LISTEN
tcp6       0      0  localhost.ipp          *.*                    LISTEN
udp4       0      0  *.*                    *.*                    
udp4       0      0  10.0.1.200.ntp         *.*                    
udp6       0      0  thomas-lees-imac.ntp   *.*                    
udp6       0      0  localhost.ntp          *.*                    
udp4       0      0  localhost.ntp          *.*                    
udp6       0      0  localhost.ntp          *.*                    
udp6       0      0  *.ntp                  *.*                    
udp4       0      0  *.ntp                  *.*                    
udp6       0      0  *.mdns                 *.*                    
udp4       0      0  *.mdns                 *.*                    
udp4       0      0  *.*                    *.*                    
icm6       0      0  *.*                    *.*                    

Seems like an awful lot of connections to me, but then again, I am NOT a net techie.


----------



## ElDiabloConCaca (Jun 20, 2008)

Everything looks fine to me.

My suggestion, like another suggested, is to quit looking through the logs unless you know what you're looking for.  Things like "warning" and "error" and "fatal" are completely normal terminology and are not indicators of problems.  "Errors" happening are completely normal in ANY software -- it does not indicate that the program is acting abnormally or has been compromised... errors occur all the time, and the program handles them gracefully.

Think of it like this: you're walking down the hall, and there's an unexpected rock there.  You stub your toe and almost trip, but you're quick enough with the leg movements that you don't fall down.  Does that mean that your brain and/or legs have been compromised, and that your body as a whole is acting abnormally?  No... an "error" occurred (tripping), and you handled it "gracefully" (by quick-moving legs preventing a complete fall-over).  Happens ALL the time in software.  It's supposed to.  Errors and warnings are SUPPOSED to occur.



> Seems like an awful lot of connections to me, but then again, I am NOT a net techie.


Yes, it's a lot of connections, but nothing abnormal -- that's how web (http) requests work -- there's a lot of connections going on simultaneously... when you hit up google.com in your browser, there isn't just one connection from you to google.com -- there's a handful of connections made, and even more made as you do different things on the website.  Absolutely, 100% normal.
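
To make the point above concrete, here is an added example (not from the thread or from any poster) that parses the "Active Internet connections" table in the layout NewMacUser-TX posted and sorts each socket by exposure, so that `localhost.ipp LISTEN` (CUPS, reachable only from the machine itself) reads differently from a listener bound to every interface. The sample is a constructed excerpt in that layout; the `*.ssh` row is constructed to show what a network-reachable listener looks like and is not in the original output.

```python
"""Sort a macOS `netstat -a` dump into what is reachable from where.

Added example, not from the thread. Each socket row is classified as a listener
bound only to loopback, a listener bound to every interface, a wildcard-bound UDP
socket, or an established connection (counted per remote host). SAMPLE_NETSTAT is
a constructed excerpt in the posted layout; the "*.ssh" row is constructed.
"""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.200.49762       py-in-f83.google.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49750       a69.26.188.64.de.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49749       a69.26.188.64.de.http  ESTABLISHED
tcp4       0      0  localhost.ipp          *.*                    LISTEN
tcp6       0      0  localhost.ipp          *.*                    LISTEN
tcp4       0      0  *.ssh                  *.*                    LISTEN
udp4       0      0  *.*                    *.*                    
udp4       0      0  *.ntp                  *.*                    
udp4       0      0  *.mdns                 *.*                    
icm6       0      0  *.*                    *.*                    
"""

# Addresses that mean "this machine only"; ipp is CUPS on 631/tcp.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def split_addr(addr):
    """BSD netstat prints host.port with the port (name or number) after the last dot."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return one dict per socket row; the banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0][:3] not in ("tcp", "udp", "icm"):
            continue
        proto, _recvq, _sendq, local, foreign = parts[:5]
        state = parts[5] if len(parts) > 5 else ""  # UDP/ICMP rows have no state column
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def classify(rows):
    """Group sockets by exposure rather than by protocol."""
    out = {"loopback_listeners": [], "network_listeners": [],
           "udp_wildcard": [], "established_by_remote": Counter()}
    for r in rows:
        if r["state"] == "LISTEN":
            key = "loopback_listeners" if r["lhost"] in LOOPBACK else "network_listeners"
            out[key].append(f'{r["proto"]} {r["lhost"]}:{r["lport"]}')
        elif r["state"] == "ESTABLISHED":
            # Many parallel connections to one web host is ordinary HTTP behaviour.
            out["established_by_remote"][r["fhost"]] += 1
        elif r["proto"].startswith("udp") and r["lhost"] == "*" and r["lport"] != "*":
            # Bound on all interfaces; a bare *.* row is an unbound socket and is left out.
            out["udp_wildcard"].append(f'{r["proto"]} *:{r["lport"]}')
    return out


if __name__ == "__main__":
    summary = classify(parse_netstat(SAMPLE_NETSTAT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```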


----------



## NewMacUser-TX (Jun 20, 2008)

Thanks for your replies, etc.  I understand what you mean and as I admitted earlier, I often just know enough to make more trouble than is needed.  With the Mac I am not as concerned as things seem to be more transparent.  With my Windows machines I kept listening to those that said, "don't worry, that's normal" only to find out later it wasn't, so perhaps you can understand my concern.  I know I can't "prove" it to you, but the Windows issues were serious and real.  As I said, two different banks and a credit card company notified me of attempts to access my accounts.  Therefore, the problems I had with Windows have made me more paranoid than ever about net security and as such, I admit I tend to look too much.

I am just glad that, as of now, my identity is still mine and has not been "hi-jacked"! ;-)


----------



## nixgeek (Jun 20, 2008)

One thing that will always be true.  No matter how patched up your system is, there's no patch for the *human condition*.  Social engineering tactics on unsuspecting computer users can compromise even the most protected system, which is why end-user education is VERY important.

Case in point, I had a teacher coworker of mine hire me to remove a rogue application called Vista Antivirus 2008 from her Windows laptop.  She was downloading stuff from Limewire and all of a sudden when she tried to view a movie file she had downloaded, the movie file installed the rogue app and it fooled her into thinking she was infected with viruses.  She ran a scan through this tool (not knowing it was a rogue app since it looks like it's part of Windows) and was told that if she wanted it removed that she had to pay for the full version.  She then proceeded to enter her credit card information and sent it on its way to the Russian malware coders that created the application for this purpose.  Now she has to contact her credit card company and keep tabs on her accounts to make sure things don't get any worse.

All it takes is common sense when going on the web.  Don't go to websites you are not familiar with, and make sure that you are on a legitimate site and not a phishing site (there are tools that can detect these sites for you).  Don't willfully give out personal information, and if a file that you downloaded asks for a password when it really shouldn't, delete it immediately.  An ounce of common sense is worth more than a pound of hindsight.


----------



## HelloMac (Jun 20, 2008)

More mystery.

While getting out some CDs to find some interesting log entries to post I decided to re-do my little backup HD that I've been using the past couple of months to hold on to files. 

Instead of using Disk Utility I decided to try Drive Genius 2. As you'll see from the screenshot in the pdf with this post I was advised that re-partitioning the drive would cause me to lose boot ability with OS 9.  OS 9? My mac is only three months old and has always had 10.5.2 or better. 

This little hard drive was purchased store new no more than two months ago and has only been connected to a Mac that I own and control. So what's with OS 9? It was previously wiped and formatted using Disk utility.

iMac reports I'm using Disk Utility v11, build 252.3. iMac is running 10.5.3.

Regarding questions in earlier post Diabl0 - when I redo the drive I always make a new partition. Even made an extra partition for fun during one go round. Always erase, zero out. Nothing connected to the mac during the process and airport / bluetooth off.

Here's a couple of examples of passwords I've used in the past with this machine to illustrate, hopefully, complexity:

KgvL!1037>raDio
kemm!Kz0n?<
!omtSpr|eT

Back with more data before too long...


----------



## HelloMac (Jun 20, 2008)

When I last used my Airport Extreme base station, the configuration changes battle began. The changes were not initiated by me. 

Jun 07 10:46:17	Severity:5	Connection accepted from ::ffff:10.0.1.200/50893.
Jun 07 10:46:21	Severity:5	Connection accepted from fe80::21f:f3ff:fe52:b939%bridge0/50894.
Jun 07 10:46:25	Severity:5	Clock synchronized to network time server time.apple.com (adjusted -1 seconds).
Jun 07 10:48:16	Severity:5	Configuration updated. ME
Jun 07 10:48:16	Severity:5	unloading current configuration. NOT ME
Jun 07 10:48:26	Severity:5	(WAN) link state is Up.
Jun 07 10:48:26	Severity:5	Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 3)NOT ME.
Jun 07 10:48:26	Severity:5	Rotated TKIP group key.
Jun 07 10:48:26	Severity:3	No Address for NTP server time.apple.com.
Jun 07 10:48:26	Severity:5	Internet Configuration leased -- host <98.204.114.48/255.255.252.0> gateway <98.204.112.1> dns <68.87.73.242 68.87.71.226> wins <> lease <2757> domain <hsd1.dc.comcast.net.>

Jun 07 10:48:38	Severity:5	Connection accepted from fe80::21f:f3ff:fe52:b939%bridge0/50896.
Jun 07 10:48:40	Severity:5	Connection accepted from fe80::21f:f3ff:fe52:b939%bridge0/50897.
Jun 07 10:48:41	Severity:5	Clock synchronized to network time server time.apple.com (adjusted +0 seconds).
None of these changes were initiated by me.
Jun 07 10:51:02	Severity:6	Parameter updated - slvl.
Jun 07 10:51:02	Severity:6	Parameter updated - snAF.
Jun 07 10:51:02	Severity:6	Parameter updated - snLW.
Jun 07 10:51:02	Severity:6	Parameter updated - snLL.
Jun 07 10:51:02	Severity:6	Parameter updated - snRW.
Jun 07 10:51:02	Severity:6	Parameter updated - snWW.
Jun 07 10:51:02	Severity:6	Parameter updated - snRL.
Jun 07 10:51:02	Severity:6	Parameter updated - snWL.
Jun 07 10:51:02	Severity:6	Parameter updated - snCS.
Jun 07 10:51:02	Severity:6	Parameter updated - usbF.
Jun 07 10:51:02	Severity:6	Parameter updated - prnR.
Jun 07 10:51:02	Severity:6	Parameter updated - SMBw.
Jun 07 10:51:02	Severity:6	Parameter updated - SMBs.
Jun 07 10:51:02	Severity:6	Parameter updated - fssp.
Jun 07 10:51:02	Severity:6	Parameter updated - cver.
Jun 07 10:51:02	Severity:6	Parameter updated - ctim.
Jun 07 10:51:02	Severity:6	Parameter updated - Prof.
Jun 07 10:51:02	Severity:6	Parameter updated - leAc.
Jun 07 10:51:02	Severity:6	Parameter updated - AAU .
Jun 07 10:51:02	Severity:5	Configuration updated.
Jun 07 10:51:02	Severity:6	Parameter updated - acFN.
Jun 07 10:51:02	Severity:6	Parameter updated - acRI.
Jun 07 10:51:02	Severity:5	unloading current configuration.
Jun 07 10:51:12	Severity:5	(WAN) link state is Up.
Jun 07 10:51:12	Severity:3	No Address for NTP server time.apple.com.
Jun 07 10:51:12	Severity:5	Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 3).
Jun 07 10:51:12	Severity:5	Rotated TKIP group key.
Jun 07 10:51:14	Severity:5	Internet Configuration leased -- host <98.204.114.48/255.255.252.0> gateway <98.204.112.1> dns <68.87.73.242 68.87.71.226> wins <> lease <2589> domain <hsd1.dc.comcast.net.>

Jun 07 10:51:23	Severity:5	Connection accepted from ::ffff:10.0.1.200/50899.
Jun 07 10:51:25	Severity:5	Connection accepted from fe80::21f:f3ff:fe52:b939%bridge0/50900.
Jun 07 10:51:27	Severity:5	Clock synchronized to network time server time.apple.com (adjusted +0 seconds).
Jun 07 10:51:43	Severity:6	Parameter updated - syNm.
Jun 07 10:51:43	Severity:6	Parameter updated - syPW.
Jun 07 10:51:43	Severity:6	Parameter updated - syPR.
Jun 07 10:51:43	Severity:6	Parameter updated - syCt.
Jun 07 10:51:43	Severity:6	Parameter updated - syLo.
Jun 07 10:51:43	Severity:6	Parameter updated - SUEn.
Jun 07 10:51:43	Severity:6	Parameter updated - SUFq.
Jun 07 10:51:43	Severity:6	Parameter updated - SUSv.
Jun 07 10:51:43	Severity:6	Parameter updated - syRe.
Jun 07 10:51:44	Severity:6	Parameter updated - time.
Jun 07 10:51:44	Severity:6	Parameter updated - timz.
Jun 07 10:51:44	Severity:6	Parameter updated - wbEn.
Jun 07 10:51:44	Severity:6	Parameter updated - wbHN.
Jun 07 10:51:44	Severity:6	Parameter updated - wbHU.
Jun 07 10:51:44	Severity:6	Parameter updated - wbHP.
Jun 07 10:51:44	Severity:6	Parameter updated - wbRD.
Jun 07 10:51:44	Severity:6	Parameter updated - waD1.
Jun 07 10:51:44	Severity:6	Parameter updated - prnR.
Jun 07 10:51:44	Severity:6	Parameter updated - SMBw.
Jun 07 10:51:44	Severity:6	Parameter updated - SMBs.
Jun 07 10:51:44	Severity:6	Parameter updated - fssp.
Jun 07 10:51:44	Severity:6	Parameter updated - cver.
Jun 07 10:51:44	Severity:6	Parameter updated - ctim.
Jun 07 10:51:44	Severity:6	Parameter updated - Prof.
Jun 07 10:51:44	Severity:6	Parameter updated - leAc.
Jun 07 10:51:44	Severity:6	Parameter updated - AAU .
Jun 07 10:51:44	Severity:5	Configuration updated.
Jun 07 10:51:44	Severity:6	Parameter updated - acFN.
Jun 07 10:51:44	Severity:6	Parameter updated - acRI.
Jun 07 10:51:44	Severity:5	unloading current configuration.
Jun 07 10:52:03	Severity:5	(WAN) link state is Up.
Jun 07 10:52:03	Severity:5	Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 3).
Jun 07 10:52:03	Severity:5	Rotated TKIP group key.
Jun 07 10:52:06	Severity:5	Internet Configuration leased -- host <98.204.114.48/255.255.252.0> gateway <98.204.112.1> dns <68.87.73.242 68.87.71.226> wins <> lease <2537> domain <hsd1.dc.comcast.net.>

Jun 07 10:52:14	Severity:5	Connection accepted from ::ffff:10.0.1.200/50902.
Jun 07 10:52:16	Severity:5	Connection accepted from fe80::21f:f3ff:fe52:b939%bridge0/50903.
Jun 07 10:52:27	Severity:3	Administrative access denied to fe80::21f:f3ff:fe52:b939%bridge0/50904.
Jun 07 10:52:50	Severity:5	Connection accepted from fe80::21f:f3ff:fe52:b939%bridge0/50905.
Jun 07 10:52:52	Severity:5	Connection accepted from fe80::21f:f3ff:fe52:b939%bridge0/50906.
Jun 07 10:55:05	Severity:6	Parameter updated - syNm.
Jun 07 10:55:05	Severity:6	Parameter updated - syPW.
Jun 07 10:55:05	Severity:6	Parameter updated - syPR.
Jun 07 10:55:05	Severity:6	Parameter updated - syCt.
Jun 07 10:55:05	Severity:6	Parameter updated - syLo.
Jun 07 10:55:05	Severity:6	Parameter updated - SUEn.
Jun 07 10:55:05	Severity:6	Parameter updated - SUFq.
Jun 07 10:55:05	Severity:6	Parameter updated - SUSv.
Jun 07 10:55:05	Severity:6	Parameter updated - syRe.
Jun 07 10:55:04	Severity:6	Parameter updated - time.
Jun 07 10:55:04	Severity:6	Parameter updated - timz.
Jun 07 10:55:04	Severity:6	Parameter updated - wbEn.
Jun 07 10:55:04	Severity:6	Parameter updated - wbHN.
Jun 07 10:55:04	Severity:6	Parameter updated - wbHU.
Jun 07 10:55:04	Severity:6	Parameter updated - wbHP.
Jun 07 10:55:04	Severity:6	Parameter updated - wbRD.
Jun 07 10:55:04	Severity:6	Parameter updated - raT2.
Jun 07 10:55:04	Severity:6	Parameter updated - prnR.
Jun 07 10:55:04	Severity:6	Parameter updated - SMBw.
Jun 07 10:55:04	Severity:6	Parameter updated - SMBs.
Jun 07 10:55:04	Severity:6	Parameter updated - fssp.
Jun 07 10:55:04	Severity:6	Parameter updated - cver.
Jun 07 10:55:04	Severity:6	Parameter updated - ctim.
Jun 07 10:55:04	Severity:6	Parameter updated - Prof.
Jun 07 10:55:04	Severity:6	Parameter updated - leAc.
Jun 07 10:55:04	Severity:6	Parameter updated - AAU .
Jun 07 10:55:04	Severity:5	Configuration updated.
Jun 07 10:55:04	Severity:6	Parameter updated - acFN.
Jun 07 10:55:04	Severity:6	Parameter updated - acRI.
Jun 07 10:55:04	Severity:5	unloading current configuration.
Jun 07 10:55:23	Severity:5	(WAN) link state is Up.
Jun 07 10:55:23	Severity:5	Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 3).
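
A first triage step on a base-station log like the one above is to tie each "Configuration updated" entry to the management connection the base station most recently accepted, and to note whether that client sits on the LAN (a link-local fe80:: address or a private 10.x address, which is where AirPort Utility on a local Mac would appear) or on the public internet. The script below is an added example, not code from the thread or from Apple; it assumes the tab-separated "date  Severity:N  message" format as pasted, and the sample lines are constructed to match that format (the 203.0.113.7 entry is a documentation address added only to show the "public" case).

```python
"""Attribute AirPort base-station configuration changes to the client that made them.

Added example (not from the forum thread). Assumed input format, as pasted in
the post: "Mon DD HH:MM:SS <ws> Severity:N <ws> message".
"""
import ipaddress
import re

# Ranges that mean "a device on my own network segment", not the internet.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private IPv4
    "169.254.0.0/16", "fe80::/10",                     # IPv4 / IPv6 link-local
    "fc00::/7",                                        # IPv6 unique local
)]

LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2})\s+Severity:(\d)\s+(.*)$")
ACCEPT_RE = re.compile(r"Connection accepted from (\S+)/\d+\.")
DENIED_RE = re.compile(r"Administrative access denied to (\S+)/\d+\.")

# Constructed sample modeled on the posted log (not a real capture).
SAMPLE_LOG = """\
Jun 07 10:46:17\tSeverity:5\tConnection accepted from ::ffff:10.0.1.200/50893.
Jun 07 10:48:16\tSeverity:6\tParameter updated - syNm.
Jun 07 10:48:16\tSeverity:5\tConfiguration updated.
Jun 07 10:48:16\tSeverity:5\tunloading current configuration.
Jun 07 10:48:38\tSeverity:5\tConnection accepted from fe80::21f:f3ff:fe52:b939%bridge0/50896.
Jun 07 10:51:02\tSeverity:6\tParameter updated - syPW.
Jun 07 10:51:02\tSeverity:5\tConfiguration updated.
Jun 07 10:52:27\tSeverity:3\tAdministrative access denied to fe80::21f:f3ff:fe52:b939%bridge0/50904.
Jun 07 10:53:00\tSeverity:5\tConnection accepted from ::ffff:203.0.113.7/40000.
Jun 07 10:53:05\tSeverity:5\tConfiguration updated.
"""


def classify_source(addr):
    """Say where a client address sits: loopback, lan, or public.

    Drops the "%bridge0" zone id and the "::ffff:" IPv4-mapped prefix first.
    """
    a = addr.split("%", 1)[0]
    if a.startswith("::ffff:"):
        a = a[len("::ffff:"):]
    ip = ipaddress.ip_address(a)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    return "public"


def attribute_config_changes(log_text):
    """Return config-update events, each tied to the last accepted management client."""
    changes, denied = [], []
    last_source, param_count = None, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _severity, msg = m.groups()
        accepted = ACCEPT_RE.match(msg)
        refused = DENIED_RE.match(msg)
        if accepted:
            last_source = accepted.group(1)
        elif refused:
            denied.append((ts, refused.group(1), classify_source(refused.group(1))))
        elif msg.startswith("Parameter updated"):
            param_count += 1                 # parameters written before the commit
        elif msg.startswith("Configuration updated"):
            changes.append({
                "time": ts,
                "source": last_source,
                "where": classify_source(last_source) if last_source else "unknown",
                "params": param_count,
            })
            param_count = 0
    return {"changes": changes, "denied": denied}


def summarize(report):
    """Human-readable lines; a 'public' source is the one worth chasing."""
    lines = []
    for c in report["changes"]:
        lines.append(f"{c['time']} config updated ({c['params']} params) "
                     f"by {c['source']} [{c['where']}]")
    for ts, src, where in report["denied"]:
        lines.append(f"{ts} admin access DENIED to {src} [{where}]")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(attribute_config_changes(SAMPLE_LOG))))
```

Run against the real log, the output tells you whether every commit came from a client on your own segment, and the "access denied" lines show a client that tried with the wrong base-station password. A commit attributed to a public address is the only case that points at the internet rather than at a machine on the LAN.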


----------



## HelloMac (Jun 20, 2008)

An install log from the MacBook. Others look pretty much the same.

First entry:
Jun  3 07:51:52 localhost LCA[65]: Folder Manager is being asked to create a folder (cach) while running as uid 0
Jun  3 07:51:52 localhost LCA[65]: Folder Manager is being asked to create a folder (asav) while running as uid 0
Jun  3 07:51:53 localhost LCA[65]: Found primary language hint "en"
Jun  3 07:54:01 localhost LCA[65]: Launching the Installer using language code "English"
Jun  3 07:54:01 localhost /System/Installation/CDIS/Mac OS X Installer.app/Contents/MacOS/Mac OS X Installer[149]: vm_allocate: 0, 0x200e2000 - 0x400e2000
Jun  3 07:54:01 localhost /System/Installation/CDIS/Mac OS X Installer.app/Contents/MacOS/Mac OS X Installer[149]: vm_protect: 0
Jun  3 07:54:01 localhost OSInstaller[149]: Mac OS X Installer application started
Jun  3 07:54:01 localhost OSInstaller[149]: 1 display(s) found.
Jun  3 07:54:01 localhost OSInstaller[149]: Display[1] is using OpenGL acceleration.
Jun  3 07:54:01 localhost OSInstaller[149]: @(#)PROGRAM:Install  PROJECT:Install-378
Jun  3 07:54:01 localhost OSInstaller[149]: @(#)PROGRAM:Mac OS X Installer  PROJECT:OSInstaller-116.1
Jun  3 07:54:01 localhost OSInstaller[149]: Hardware: MacBook4,1 @ 2.40 GHz (x 2), 2048 MB RAM
Jun  3 07:54:01 localhost OSInstaller[149]: Running OS Build: Mac OS X 10.5.2 (9C2028)
Jun  3 07:54:01 localhost OSInstaller[149]: Env: DYLD_NO_FIX_PREBINDING=1
Jun  3 07:54:01 localhost OSInstaller[149]: Env: PATH=/usr/bin:/bin:/usr/sbin:/sbin
Jun  3 07:54:01 localhost OSInstaller[149]: Env: PWD=/
Jun  3 07:54:01 localhost OSInstaller[149]: Env: SHLVL=1
Jun  3 07:54:01 localhost OSInstaller[149]: Env: OS_INSTALL=1
Jun  3 07:54:01 localhost OSInstaller[149]: Env: _=/System/Installation/CDIS/LCA.app/Contents/MacOS/LCA
Jun  3 07:54:01 localhost OSInstaller[149]: Opening OSInstall package '/System/Installation/Packages/OSInstall.mpkg'.
Jun  3 07:54:02 localhost OSInstaller[149]: Remote Install Assistant found at 1024null)
Jun  3 07:54:02 localhost OSInstaller[149]: Memory statistics for 'Welcome' pane:
Jun  3 07:54:02 localhost OSInstaller[149]: Physical Memory Allocation:   238 MB wired,   210 MB trapped,    42 MB active,     8 MB inactive,  1550 MB free,  1600 MB usable,  2048 MB total
Jun  3 07:54:02 localhost OSInstaller[149]: Folder Manager is being asked to create a folder (asav) while running as uid 0
Jun  3 07:54:14 localhost OSInstaller[149]: CPSGetProcessInfo(): This call is deprecated and should not be called anymore.
Jun  3 07:54:14 localhost OSInstaller[149]: CPSPBGetProcessInfo(): This call is deprecated and should not be called anymore.
Jun  3 07:54:15 localhost installdb[154]: started (uid 96)
Jun  3 07:54:15 localhost installdb[154]: Opened receipt database on '/Volumes/LittleMac' with schema 17.




Jun  3 07:54:17 localhost OSInstaller[149]: Found receipt (full match) for (CPU_AHT / hwbe.pkg.018-3329): (CPU_AHT / hwbe.pkg.018-3329)
Jun  3 07:54:17 localhost Unknown[66]: 2008-06-03 07:54:17.348 Disk Utility[153:10b] Disk Utility started.
Jun  3 07:54:17 localhost Unknown[66]: 
Jun  3 07:54:24 localhost installdb[154]: done. (0.027u + 0.018s)
Jun  3 07:55:20 localhost Unknown[66]: 2008-06-03 07:55:20.465 Disk Utility[153:10b] Preparing to partition disk: “Hitachi HTS542516K9SA00 Media”
Jun  3 07:55:20 localhost Unknown[66]: 2008-06-03 07:55:20.466 Disk Utility[153:10b] 	Partition Scheme: GUID Partition Table
Jun  3 07:55:20 localhost Unknown[66]: 2008-06-03 07:55:20.467 Disk Utility[153:10b] 	1 volume will be created
Jun  3 07:55:20 localhost Unknown[66]: 2008-06-03 07:55:20.467 Disk Utility[153:10b] 
Jun  3 07:55:20 localhost Unknown[66]: 2008-06-03 07:55:20.468 Disk Utility[153:10b] 	Partition 1
Jun  3 07:55:20 localhost Unknown[66]: 2008-06-03 07:55:20.468 Disk Utility[153:10b] 		Name       : “LMac HD”
Jun  3 07:55:20 localhost Unknown[66]: 2008-06-03 07:55:20.468 Disk Utility[153:10b] 		Size       : 149.1 GB
Jun  3 07:55:20 localhost Unknown[66]: 2008-06-03 07:55:20.469 Disk Utility[153:10b] 		Filesystem : Mac OS Extended (Journaled)
Jun  3 07:55:20 localhost Unknown[66]: 2008-06-03 07:55:20.469 Disk Utility[153:10b] 
Jun  3 07:55:20 localhost Unknown[66]: 2008-06-03 07:55:20.475 Disk Utility[153:10b] Creating partition map.
Jun  3 07:55:23 localhost Unknown[66]: 2008-06-03 07:55:23.547 Disk Utility[153:10b] Formatting disk0s2 as Mac OS Extended (Journaled) with name LMac HD.
Jun  3 07:55:27 localhost installdb[167]: started (uid 96)
Jun  3 07:55:27 localhost Unknown[66]: 2008-06-03 07:55:27.024 Disk Utility[153:10b] Partition complete.
Jun  3 07:55:27 localhost Unknown[66]: 2008-06-03 07:55:27.032 Disk Utility[153:10b] 
Jun  3 07:55:33 localhost installdb[167]: done. (0.012u + 0.010s)


Jun  3 07:55:55 localhost Unknown[66]: 2008-06-03 07:55:55.372 Disk Utility[153:10b] Preparing to zero disk : “LMac HD”
Jun  3 07:55:55 localhost Unknown[66]: 2008-06-03 07:55:55.372 Disk Utility[153:10b] 		Passes     : 0
Jun  3 08:58:22 localhost Unknown[66]: 2008-06-03 08:58:22.184 Disk Utility[153:10b] Secure Erase completed successfully in 1 hour, 2 minutes.
Jun  3 08:58:22 localhost Unknown[66]: 
Jun  3 08:58:22 localhost Unknown[66]: 2008-06-03 08:58:22.202 Disk Utility[153:10b] Preparing to erase : “LMac HD”
Jun  3 08:58:22 localhost Unknown[66]: 2008-06-03 08:58:22.203 Disk Utility[153:10b] 	Partition Scheme: GUID Partition Table
Jun  3 08:58:22 localhost Unknown[66]: 2008-06-03 08:58:22.203 Disk Utility[153:10b] 	1 volume will be erased
Jun  3 08:58:22 localhost Unknown[66]: 2008-06-03 08:58:22.204 Disk Utility[153:10b] 		Name       : “LMac HD”
Jun  3 08:58:22 localhost Unknown[66]: 2008-06-03 08:58:22.204 Disk Utility[153:10b] 		Size       : 148.7 GB
Jun  3 08:58:22 localhost Unknown[66]: 2008-06-03 08:58:22.205 Disk Utility[153:10b] 		Filesystem : Mac OS Extended (Journaled)
Jun  3 08:58:22 localhost Unknown[66]: 
Jun  3 08:58:23 localhost Unknown[66]: 2008-06-03 08:58:23.503 Disk Utility[153:10b] Initialized /dev/rdisk0s2 as a 149 GB HFS Plus volume with a 16384k journal
Jun  3 08:58:23 localhost Unknown[66]: 
Jun  3 08:58:23 localhost Unknown[66]: 2008-06-03 08:58:23.512 Disk Utility[153:10b] Mounting disk.
Jun  3 08:58:25 localhost installdb[178]: started (uid 96)
Jun  3 08:58:25 localhost Unknown[66]: 2008-06-03 08:58:24.997 Disk Utility[153:10b] Erase complete.
Jun  3 08:58:25 localhost Unknown[66]: 2008-06-03 08:58:24.998 Disk Utility[153:10b] 
Jun  3 08:58:31 localhost installdb[178]: done. (0.012u + 0.011s)
Jun  3 09:03:38 localhost Unknown[66]: 
Jun  3 09:03:57 localhost OSInstaller[149]: Memory statistics for 'Select a Destination' pane:
Jun  3 09:03:57 localhost OSInstaller[149]: Physical Memory Allocation:   277 MB wired,   223 MB trapped,    51 MB active,     9 MB inactive,  1488 MB free,  1548 MB usable,  2048 MB total
Jun  3 09:04:05 localhost OSInstaller[149]: Customization choices were reset to default state.
Jun  3 09:04:14 localhost installdb[181]: started (uid 96)
Jun  3 09:04:24 localhost in

Jun  3 09:05:32 localhost OSInstaller[149]: Finished media verification.
Jun  3 09:05:33 localhost OSInstaller[149]: -[IFDInstallController(Private) _buildInstallPlan]: location = file://localhost
Jun  3 09:05:33 localhost OSInstaller[149]: -[IFDInstallController(Private) _buildInstallPlan]: file://localhost/System/Installation/Packages/BaseSystem.pkg




Jun  3 09:05:33 localhost OSInstaller[149]: -[IFDInstallController(Private) _buildInstallPlan]: x-disc://Mac%20OS%20X%20Install%20Disc%202/Packages/GarageBand.mpkg/Contents/Installers/GarageBandFactoryContent.pkg
Jun  3 09:05:33 localhost OSInstaller[149]: -[IFDInstallController(Private) _buildInstallPlan]: x-disc://Mac%20OS%20X%20Install%20Disc%202/Packages/GarageBand.mpkg/Contents/Installers/GarageBand.pkg
Jun  3 09:05:33 localhost OSInstaller[149]: -[IFDInstallController(Private) _buildInstallPlan]: x-disc://Mac%20OS%20X%20Install%20Disc%202/Packages/GarageBand.mpkg/Contents/Installers/GarageBand_Instruments.pkg
Jun  3 09:05:33 localhost OSInstaller[149]: -[IFDInstallController(Private) _buildInstallPlan]: x-disc://Mac%20OS%20X%20Install%20Disc%202/Packages/GarageBand.mpkg/Contents/I

Jun  3 09:05:50 localhost root[202]: Running Install Scripts . . .
Jun  3 09:05:50 localhost root[204]: Begin script: fixVar.sh
Jun  3 09:05:50 localhost root[206]: End script: fixVar.sh
Jun  3 09:05:50 localhost root[207]: 1 Install Scripts run.
Jun  3 09:05:50 localhost OSInstaller[149]: 	Creating destination path
Jun  3 09:05:50 localhost OSInstaller[149]: 	Validating package payload
Jun  3 09:08:38 localhost OSInstaller[149]: 	Starting file extraction
Jun  3 09:08:39 localhost payloadExtractor[209]: 	Initializing new flat-package receipt.
Jun  3 09:08:39 localhost installdb[210]: started (uid 96)
Jun  3 09:08:39 localhost installdb[210]: Opened receipt database on '/Volumes/LMac HD/' with schema 0.
Jun  3 09:08:39 localhost installdb[210]: The db cache for '/Volumes/LMac HD/Library/Receipts/db/a.receiptdb' contains: {\n    schema = 0;\n    sqlite = <2070c001>;\n}
Jun  3 09:08:39 localhost installdb[210]: Initializing database with schema version 17 at '/Volumes/LMac HD/Library/Receipts/db/a.receiptdb'.
Jun  3 09:08:39 localhost payloadExtractor[209]: 	Extracting...
Jun  3 09:09:13 localhost payloadExtractor[209]: 	22794 of 22794 files written in 34.01 seconds.
Jun  3 09:09:13 localhost payloadExtractor[209]: 	1291924 kilobytes installed at 37.1 MB/s.
Jun  3 09:09:15 localhost payloadExtractor[209]: 	Receipt closed in 1.78 seconds (12813 files/s).
Jun  3 09:09:15 localhost OSInstaller[149]: 	run postinstall script for BaseSystem
Jun  3 09:09:15 localhost root[216]: Running Install Scripts . . .
Jun  3 09:09:15 localhost root[218]: Begin script: permLearn.sh
Jun  3 09:09:20 localhost pkgutil[222]: Updating receipt 'com.apple.pkg.BaseSystem' path '.' on '/Volumes/LMac HD/' with actual metadata from '/Volumes/LMac HD'.
Jun  3 09:09


Begin script: copyX509Anchors.sh
Jun  3 09:13:48 localhost root[267]: End script: copyX509Anchors.sh
Jun  3 09:13:48 localhost root[268]: Begin script: createJavaExtDir.sh
Jun  3 09:13:49 localhost root[275]: End script: createJavaExtDir.sh
Jun  3 09:13:49 localhost root[276]: Begin script: createSIUDir.sh
Jun  3 09:13:49 localhost root[284]: End script: createSIUDir.sh
Jun  3 09:13:49 localhost root[285]: Begin script: deleteReg.sh
Jun  3 09:13:49 localhost root[287]: End script: deleteReg.sh
Jun  3 09:13:49 localhost root[288]: Begin script: deleteSA.sh
Jun  3 09:13:49 localhost root[290]: End script: deleteSA.sh
Jun  3 09:13:49 localhost root[291]: Begin script: deleteSSHSave.sh
Jun  3 09:13:49 localhost root[294]: End script: deleteSSHSave.sh
Jun  3 09:13:49 localhost root[295]: Begin script: disableAPE
Jun  3 09:13:49 localhost root[297]: End script: disableAPE
Jun  3 09:13:49 localhost root[298]: Begin script: migrator
Jun  3 09:13:50 localhost root[310]: End script: migrator
Jun  3 09:13:50 localhost root[311]: Begin script: removeJava1.6DevPreview
Jun  3 09:13:50 localhost root[317]: End script: removeJava1.6DevPreview
Jun  3 09:13:50 localhost root[318]: Begin script: renameIntegoContentBarrierPre10.4.3
Jun  3 09:13:50 localhost root[320]: End script: renameIntegoContentBarrierPre10.4.3
Jun  3 09:13:50 localhost root[321]: Begin script: runChrooted.sh
Jun  3 09:13:52 localhost installdb[255]: done. (4.399u + 1.532s)
Jun  3 09:13:55 localhost root[344]: End script: runChrooted.sh
Jun  3 09:13:55 localhost root[345]: Begin script: upgradeProKit
Jun  3 09:13:55 localhost root[347]: End script: upgradeProKit
Jun  3 09:13:55 localhost root[348]: 12 Install Scripts run.




Jun  3 09:15:26 localhost root[373]: Running Install Scripts . . .
Jun  3 09:15:26 localhost root[375]: Begin script: dumpemacs.sh
Jun  3 09:15:32 localhost installdb[367]: done. (1.952u + 0.594s)
Jun  3 09:15:36 localhost root[389]: End script: dumpemacs.sh
Jun  3 09:15:36 localhost root[390]: Begin script: fixnortinst.sh
Jun  3 09:15:36 localhost root[393]: End script: fixnortinst.sh
Jun  3 09:15:36 localhost root[394]: 2 Install Scripts run.
Jun  3 09:15:36 localhost OSInstaller[149]: 	Performing post-extraction actions
Jun  3 09:15:36 localhost OSInstaller[149]: 	Finishing receipt
Jun  3 09:15:36 localhost installdb[396]: started (uid 96)
Jun  3 09:15:36 localhost in



Jun  3 09:25:09 localhost root[629]: End script: ProKitMove.pl
Jun  3 09:25:09 localhost root[630]: Begin script: RemoveClientLicense.sh
Jun  3 09:25:09 localhost root[632]: End script: RemoveClientLicense.sh
Jun  3 09:25:09 localhost root[633]: Begin script: iLifebkpluginMove.pl
Jun  3 09:25:09 localhost root[636]: End script: iLifebkpluginMove.pl
Jun  3 09:25:09 localhost root[637]: Begin script: postinstall
Jun  3 09:25:09 localhost root[640]: Running kextcache -k /Volumes/LMac HD/System/Library/Extensions
Jun  3 09:25:14 localhost installdb[498]: done. (3.130u + 1.187s)
Jun  3 09:25:15 localhost root[642]: Running ifcstart
Jun  3 09:25:19 localhost root[644]: Running update_dyld_shared_cache
Jun  3 09:25:44 localhost root[646]: End script: postinstall
Jun  3 09:25:44 localhost root[647]: 5 Install Scripts run.
Jun  3


Jun  3 09:26:16 localhost OSInstaller[149]: 	Performing post-extraction actions
Jun  3 09:26:16 localhost OSInstaller[149]: 	Finishing receipt
Jun  3 09:26:16 localhost OSInstaller[149]: Processing Regional Boot:
Jun  3 09:26:16 localhost OSInstaller[149]: 	Determining files to install
Jun  3 09:26:16 localhost OSInstaller[149]: 	It took 0.01 seconds to create the install plan for CPU_RegionalBoot.
Jun  3 09:26:16 localhost OSInstaller[149]: 	Configuring deferred files
Jun  3 09:26:16 localhost OSInstaller[149]: 	Assembling temporary receipt
Jun  3 09:26:16 localhost OSInstaller[149]: 	Performing pre-extraction actions
Jun  3 09:26:16 localhost OSInstaller[149]: 	Creating destination path
Jun  3 09:26:16 localhost OSInstaller[149]: 	Validating package payload
Jun  3 09:26:16 localhost OSInstaller[149]: 	Starting file extraction
Jun  3 09:26:16 localhost pkgExtractor[659]: 	Extracting...
Jun  3 09:26:16 localhost runner[184]: pkgExtractor[659]: pkgExtractor: Ignoring invalid resource fork length for /Volumes/LMac HD//private/var/db
Jun  3 09:26:16 localhost runner[184]: pkgExtractor[659]: pkgExtractor: Ignoring invalid resource fork length for /Volumes/LMac HD//private/var
Jun  3 09:26:16 localhost runner[184]: pkgExtractor[659]: pkgExtractor: Ignoring invalid resource fork length for /Volumes/LMac HD//usr/sbin
Jun  3 09:26:16 localhost runner[184]: pkgExtractor[659]: pkgExtractor: Ignoring invalid resource fork length for /Volumes/LMac HD//private
Jun  3 09:26:16 localhost pkgExtractor[659]: 	15 of 15 files written in 0.15 seconds.
Jun  3 09:26:16 localhost pkgExtractor[659]: 	288 kilobytes installed at 1.9 MB/s.


Jun  3 09:28:35 localhost OSInstaller[130]: Running OS Build: Mac OS X 10.5.2 (9C2028)
Jun  3 09:28:35 localhost OSInstaller[130]: Env: PATH=/usr/bin:/bin:/usr/sbin:/sbin
Jun  3 09:28:35 localhost OSInstaller[130]: Env: COMMAND_MODE=unix2003
Jun  3 09:28:35 localhost OSInstaller[130]: Env: SECURITYSESSIONID=11991f0
Jun  3 09:28:37 localhost installdb[138]: started (uid 96)
Jun  3 09:28:37 localhost installdb[138]: Opened receipt database on '/' with schema 17.
Jun  3 09:28:38 localhost OSInstaller[130]: Automated Install: Found requested target at /.
Ju



Jun  3 09:39:48 localhost OSInstaller[130]: /System/Library/PrivateFrameworks/iLifeMediaBrowser.framework/Versions/A (version 1.0.2.193.0.0.1930000.2) was not installed because a newer version (1.0.4.205.0.1.2050001.2) already exists.
Jun  3 09:39:49 localhost OSInstaller[130]: 	It took 0.43 seconds to create the install plan for iLifeMediaBrowser.

Jun  3 09:39:51 localhost pkgExtractor[292]: 	Skipping "./System/Library/PrivateFrameworks/iLifeMediaBrowser.framework/Versions/A"


Jun  3 09:41:58 localhost runner[181]: postflight[341]: su: unknown login: 
Jun  3 09:41:58 localhost runner[181]: postflight[341]: 
Jun  3 09:41:58 localhost runner[181]: postflight[341]: su: unknown login: 
Jun  3 09:41:58 localhost runner[181]: postflight[341]: 


Jun  3 09:42:06 localhost runner[181]: Touched '/./Applications/iPhoto.app'
Jun  3 09:42:06 localhost runner[181]: Touched '/./Applications'
Jun  3 09:42:06 localhost runner[181]: Touched '/./Applications/iMovie.app'
Jun  3 09:42:06 localhost runner[181]: Touched '/./Applications'
Jun  3 09:42:06 localhost runner[181]: Touched '/./Library/Documentation/Applications/iMovie/iMovie 08 Getting Started.app'
Jun  3 09:42:06 localhost runner[181]: Touched '/./Library/Documentation/Applications/iMovie'
Jun  3 09:42:06 localhost runner[181]: Touched '/./Library/Documentation/Applications/iPhoto/iPhoto Getting Started.app'
Jun  3 09:42:06 localhost runner[181]: Touched '/./Library/Documentation/Applications/iPhot


Jun  3 09:28:42 localhost OSInstaller[130]: Waiting for Remote Install Assistant...
Jun  3 09:28:42 localhost OSInstaller[130]: Not loading AirPort extra for phase 2.
Jun  3 09:28:43 localhost installdb[138]: done. (0.007u + 0.006s)
Jun  3 09:29:25 localhost OSInstaller[130]: fileURLForURL = x-disc://Mac%20OS%20X%20Install%20Disc%202/Packages/iWeb.pkg
Jun  3 09:29:25 localhost OSInstaller[130]: fileURLForURL = file://localhost/Volumes/Mac%20OS%20X%20Install%20Disc%202/Packages/iWeb.pkg


----------



## HelloMac (Jun 20, 2008)

Thank you for your time.


----------



## ElDiabloConCaca (Jun 21, 2008)

Not much in those log files looks out-of-the-ordinary.

Are you using Comcast cable for your internet?


----------



## Viro (Jun 21, 2008)

NewMacUser-TX said:


> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0  10.0.1.200.49762       py-in-f83.google.http  ESTABLISHED
> tcp4       0      0  10.0.1.200.49756       py-in-f19.google.http  ESTABLISHED
> ...



These are your internet connections to the outside world. Notice that they have an address associated with them. They appear to be connected to google, and you have your network time protocol daemon running.

Nothing to worry about.



> Active LOCAL (UNIX) domain sockets
> Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
> 3bf1c38 stream      0      0        0  3bf1880        0        0
> 3bf1880 stream      0      0        0  3bf1c38        0        0
> ...



And these are your local connections, connections that are made between programs on your machine. Sockets are how Unix programs communicate with one another. On any machine, you will find that there are hundreds if not thousands of such sockets open at any one time. 

What you are seeing is perfectly normal.
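
The sorting Viro does by eye above (remote connections versus local UNIX domain sockets) is easy to automate, and doing so makes the one thing worth a second look stand out: a listening socket bound to every interface rather than to loopback. The script below is an added example, not code from the thread; it assumes the BSD-style `netstat -an` layout quoted in the post, and the sample output embedded in it is constructed (the hostnames and addresses are made up, not a real capture).

```python
"""Sort `netstat -an` output (Mac OS X / BSD layout) into remote, loopback,
listening and UNIX-domain buckets.

Added example, not from the forum thread. Assumes the column layout
quoted in the post: proto recv-q send-q local foreign [state].
"""
import re
from collections import Counter

# Constructed sample in the quoted layout; names and addresses are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.200.49762       py-in-f83.google.http  ESTABLISHED
tcp4       0      0  10.0.1.200.49756       py-in-f19.google.http  ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.123                  *.*
tcp4       0      0  127.0.0.1.49200        127.0.0.1.631          ESTABLISHED
Active LOCAL (UNIX) domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
 3bf1c38 stream      0      0        0  3bf1880        0        0
 3bf1880 stream      0      0        0  3bf1c38        0        0
 3bf0123 dgram       0      0        0        0        0        0 /var/run/syslog
"""

LOOPBACK_PREFIXES = ("127.", "localhost", "::1")
PROTO_RE = re.compile(r"(tcp|udp)\d*$")        # tcp4, tcp6, tcp46, udp4 ...


def _split_addr(addr):
    """BSD netstat writes 'host.port' (or '*.*'); split on the last dot."""
    host, _, port = addr.rpartition(".")
    return host, port


def _is_loopback(host):
    return host.startswith(LOOPBACK_PREFIXES)


def triage(netstat_text):
    """Return the four buckets plus a per-host count of remote peers."""
    result = {"remote": [], "loopback": [], "listening": [],
              "unix_sockets": 0, "foreign_hosts": Counter()}
    in_unix = False
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if line.startswith("Active LOCAL"):
            in_unix = True                   # everything after this is UNIX sockets
            continue
        if in_unix:
            if len(fields) > 1 and fields[1] in ("stream", "dgram", "seqpacket"):
                result["unix_sockets"] += 1  # never leaves the machine
            continue
        if not PROTO_RE.match(fields[0]):
            continue                         # section and column headers
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        lhost, lport = _split_addr(local)
        fhost, _fport = _split_addr(foreign)
        if foreign == "*.*":
            # '*' as the local host means bound on every interface, i.e. reachable
            # from the network; 127.0.0.1 means only programs on this machine.
            exposed = not _is_loopback(lhost)
            result["listening"].append((proto, lhost, lport, exposed))
        elif _is_loopback(fhost):
            result["loopback"].append((proto, local, foreign, state))
        else:
            result["remote"].append((proto, local, foreign, state))
            result["foreign_hosts"][fhost] += 1
    return result


def summarize(result):
    """Short report; exposed listeners are listed first because they matter most."""
    lines = [f"listening on all interfaces: {proto} port {port}"
             for proto, _host, port, exposed in result["listening"] if exposed]
    lines.append(f"remote peers: {dict(result['foreign_hosts'])}")
    lines.append(f"loopback-only connections: {len(result['loopback'])}")
    lines.append(f"UNIX domain sockets: {result['unix_sockets']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_NETSTAT))))
```

On a real box, pipe `netstat -an` into `triage` and compare the "listening on all interfaces" lines with the services you have deliberately turned on in Sharing; the remote peers are then just the sites and the NTP server you are talking to, exactly as Viro describes.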


----------



## Viro (Jun 21, 2008)

Addendum:

You might want to read http://arstechnica.com/journals/app...-in-apple-remote-desktop-exploited-via-trojan and then take the steps listed there if you are really paranoid.


----------



## ElDiabloConCaca (Jun 21, 2008)

Of course, this exploit requires the hacker to have access to the machine (meaning they have to be sitting in front of the computer, or to have already hacked into your system), or social engineering skills high enough to trick a user into running some application.

The short answer is that for the trojan to be exploited, the user has to explicitly execute a program that takes advantage of this security hole.  No current software does this -- it's just a "potential" threat.  In addition, a program that DOES exploit this security hole wouldn't be masquerading as the latest Firefox download, a system update, or some pinball game... if you obtain your software from reputable sources, the likelihood of the software containing this trojan is nanometers away from nil.

Maybe we should start at the beginning with these problems and find out what's really wrong...

What abnormal operations of the system that are detrimental to using the computer are occurring?

Have you lost any data (Word files, text files, programs, etc.) due to the abnormal activity?

If you believe your system has been compromised, what have the hackers done with your system (relaying spam, deleting documents, locking you out of the system)?

If any of the above have occurred, what log entries do they coincide with?

If none of the above, could this just all be a question of understanding and interpreting cryptic log entries which seem like they're abnormal, but in fact are benign and normal?

I think it's important to remember that even though you're not clicking and typing on the computer that the computer is going to do a lot of stuff, generate a lot of log entries, do housekeeping on the filesystem, check network connections, and generate warnings and errors (which are normal and handled gracefully), among other things.  Just because you don't, for example, renew a DHCP lease manually, your computer may do it for you.  Just because you don't explicitly tell the computer to accept a connection from an outside source doesn't mean it's not gonna do it automatically, routinely, and normally.  Just because a process is named "Remote Install Assistant" does not mean that some hacker is getting assistance installing stuff on your machine remotely.


----------



## elander (Jun 21, 2008)

I recommend that a moderator steps in and closes this thread now. We are either dealing with trolls here, or mentally unstable people. In either case, nothing we say or do is going to settle this.


----------



## nixgeek (Jun 21, 2008)

I couldn't agree more.  All that has been said to solve this problem has been said.  If someone chooses to be paranoid about the processes going on in a computer (especially if those processes are perfectly normal), then let he or she wear the tinfoil hat and let's be done with it.  I recommend that those in question look for some reading material on the inner workings of Unix-based operating systems and computer security, if even just for some basic understanding.

What the two posters are asking for goes beyond what this thread (or this forum for that matter) can assist with.  This thread is running in circles at this point.


----------



## Viro (Jun 21, 2008)

elander said:


> I recommend that a moderator steps in and closes this thread now. We are either dealing with trolls here, or mentally unstable people. In either case, nothing we say or do is going to settle this.



They could genuinely have a problem. A Mac one, that is...

Personally, I've never seen anything remotely like an exploit on the Mac and nothing I've seen in this thread jumps out at me and strikes me as being a potential exploit.


----------



## nixgeek (Jun 21, 2008)

Viro said:


> They could genuinely have a problem. A Mac one, that is...
> 
> Personally, I've never seen anything remotely like an exploit on the Mac and nothing I've seen in this thread jumps out at me and strikes me as being a potential exploit.



Then it's time for the original posters to get some reading materials on Mac OS X and some basic Unix-based OS concepts, as well as some basic computer security materials.  Again, what's being asked goes beyond the scope of this thread and this forum, IMO.


----------



## Viro (Jun 21, 2008)

ElDiabloConCaca said:


> I think it's important to remember that even though you're not clicking and typing on the computer that the computer is going to do a lot of stuff, generate a lot of log entries, do housekeeping on the filesystem, check network connections, and generate warnings and errors (which are normal and handled gracefully), among other things.



I think this whole incident does teach me to be really really careful with my code in the future. It tells me that as a software developer, I should *not* liberally sprinkle trace statements in my code which will be captured by the debug console. Sure, those messages only have meaning to me but they mean nothing to others and could potentially panic users should they ever choose to look at the debug log. Also, I need to write less cryptic debug messages. And choose better, more descriptive names for my processes.


----------



## HelloMac (Jun 21, 2008)

Was using comcast, now Verizon dsl.


----------



## HelloMac (Jun 21, 2008)

I've firmly secured my tinfoil hat to my head and will scurry off. It's quite rude to suggest that perhaps I'm mentally unstable or a troll, but such is life.

I do thank those of you that have taken time to look over materials and provide guidance. It's appreciated.

I also find it incredible that STILL the really odd log entries are ignored for comment or explanation, yet minor notes are hyped as examples of how ignorant I am of the Unix environment.

Just WHAT was going on with the Airport Extreme base station?

The initial issues for the machine that prompted the paranoia:
- iSight comes on at will.
- File sharing preferences change over time to allow greater access to the machine.
- My admin account privileges are reduced over time. During one go round I was no longer allowed to insert a CD into the optical drive. It would be rejected with an error that I did not have the rights to perform that action.

Can't happen on a Mac, I know.

Wait what's that? I think the FBI's at the door. Gotta go.


----------



## nixgeek (Jun 21, 2008)

HelloMac said:


> I've firmly secured my tinfoil hat to my head and will scurry off. It's quite rude to suggest that perhaps I'm mentally unstable or a troll, but such is life.
> 
> I do thank those of you that have taken time to look over materials and provide guidance. It's appreciated.
> 
> ...



Since you haven't quite left yet (as I see you still viewing the thread as of this writing),  I'll take the time to answer.

I looked at your Airport log where you posted that an update to the configuration was not done by you, and it looks as though the configuration of the base station was changing due to being synchronized through NTP so that the time would be correct.  In order to take the changes, I'm guessing that the base station had to unload the currently active configuration and reload it with the updated time information from the NTP server it's accessing.  It seems to do this in intervals because it's probably checking it in intervals.  As for that long list of parameters you say also were not done by you, I can only assume it has something to do with the type of encryption you're using on your base station.  There's mention of TKIP, so I'm assuming that you're using either WPA or WPA2.

I hope that you're using a very strong password if you're not using some sort of certificate authentication as would be done using a RADIUS server (please don't ask how to set RADIUS up.  Google is your friend for this).  If not, then a simple dictionary attack would compromise your base station.  Defense in depth is important in keeping your network secure.

I personally think that you and the other poster are making a big deal about normal processes on all your devices.  Mind you I could be wrong, but from what everyone has seen and read regarding your problem there is absolutely nothing wrong.  As a matter of fact, the log from your MacBook looks as though you were conducting a fresh installation and you're merely highlighting things that, while seemingly foreign to you, are perfectly normal within a Mac OS X installation.  If you both are still seriously concerned about this problem, then you both need to take it to the next level and have someone examine your systems and your networks.  There's no way anyone here can diagnose something this (seemingly) deep without actually being there with you.  For you and NewMacUser-TX, I think it's time to get the direct, hands-on assistance from someone who specializes in computer/network security and have them perform some sort of penetration test for you.  If it's that important to you, then the cost should not matter.

Nothing more can be said about this really.....every element that can possibly be done *through a forum* has been done.

Good luck to the both of you.


----------



## HelloMac (Jun 22, 2008)

So, after all this...looks to me like I'm dealing with this...

*Researchers spot Mac Trojan In the Wild*

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101898

"The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger's and Leopard's Remote Management component. Composed as a compiled AppleScript, or in another variant, script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

"[It] allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging," claimed SecureMac. "Additionally, the Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing."

SecureMac's warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot.org, and on the same day that rival security vendor Intego provided more information about the bug.

Malicious AppleScript, said Intego, can call ARDAgent, which then gives that script full "root" access to the system. "When an application enables a root privilege escalation of this type, any malicious code that is run may have devastating effects. These may range from deleting all the files on the Mac to more pernicious attacks such as changing system settings, and even setting up periodic tasks to perform them repeatedly," Intego's warning read."

Best to all...


----------



## Giaguara (Jun 22, 2008)

"SecureMac, a Mac-specific anti-virus vendor, posted an alert last Thursday that its researchers had found a Trojan horse..." Well. That's what the companies that sell antivirus software do. Make you scared and shed money on their software.

How do you think you had this trojan in place when the system was installed from the retail discs?


----------



## nixgeek (Jun 22, 2008)

That exploit was already brought up twice as a possibility, and ElDiabloConCaca already responded about it above:
http://macosx.com/forums/1442876-post82.html

You also failed to mention that the reports given by those antivirus companies specify the following...

*From SecureMac:*


> SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, *where discussion has taken place on distributing the Trojan horse through iChat and Limewire*.
> 
> The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.



Seems as though this works initially by socially engineering the victim through a rogue file.  Have you used anything like Limewire or accessed files from other users through iChat or some other IM client?  If you want the help, then you need to honestly share more information.  In my experience most of the times, especially in the Windows world, it seems that those that have been compromised in such a way have been using Limewire to download files.  I doubt it would be any different just because you're on a Mac (don't believe the marketing hype from the commercials, please....yes, I've been an Apple user since the Apple IIc).  Social engineering proves one thing: no matter what system you're running, no matter how many security solutions you've put in place, there's just no patch for human stupidity. (I referred to it as the "human condition" in my previous post, but in reality it's the "human stupidity" in all of us that we need to keep in check.)


----------



## g/re/p (Jun 22, 2008)

OMG!  I have been hacked (chopped) hacked (chopped) hacked (chopped)....


(butter?.......PARKAY!!!!!!)





::evil::


----------



## ElDiabloConCaca (Jun 22, 2008)

HelloMac said:


> So, after all this...looks to me like I'm dealing with this...
> 
> *Researchers spot Mac Trojan In the Wild*
> 
> ...


If you believe you have been compromised by this trojan, then you would have been required to manually execute an infected application on your hard drive.  This application would HAVE to have been downloaded manually, by you, from the internet (in other words, this infected application could NOT be on your system directly after a clean install, and there is no way for someone to "push" the application to you without your knowledge).  You would have then had to execute this application manually.

In short, if you are indeed infected by this trojan, then you, yourself, are the one that infected yourself with it.  That's social engineering, and there's nothing any anti-virus software can do about it, nor is there anything you can do to your network to prevent it.  It's like ramming your head into a wall -- if you don't want a headache, don't ram your head into the wall -- you and only you are in charge of your head.

If you do seriously believe you have been compromised by this trojan, what application did you download from the internet and execute manually directly after a clean Mac OS X installation?


----------



## ElDiabloConCaca (Jun 22, 2008)

Viro said:


> I think this whole incident does teach me to be really really careful with my code in the future. It tells me that as a software developer, I shouldn *not* liberally sprinkle trace statements in my code which will be captured by the debug console.


Heh... precisely why large software developers have "beta" software, which is usually very verbose in logging and useful to the developer, as opposed to "release" versions, which do not spit out spurious messages and are intended for end-users.


----------



## ElDiabloConCaca (Jun 22, 2008)

HelloMac said:


> Was using comcast, now Verizon dsl.


One of your many log posts included some connections that were highlighted by you that included connections to IP addresses, if I am correctly remembering... doing a lookup on those IP addresses yielded information that traced back to Comcast.

I know we've beat this subject to death already, whether resolved or not, but could it be possible that your AirPort (and/or other network devices) is still configured for Comcast settings (gateways, DNS servers, etc.), even though you're using a new service from Verizon?  Also, cable modems use a DHCP-style connection, while DSL uses a PPPoE-style connection, which are very different and, basically, "incompatible" for lack of a better word.

If your AirPort is still configured to connect to the Comcast network via DHCP, but you need to connect to Verizon's DSL with a PPPoE connection, then network unhappiness will occur... the results being indeterminable, but definitely problematic.


Hell, people, I'm all about continuing this discussion -- it is moving forward (however slowly), and could result in something good.  If not anything, move it to a category more suited for casual discussion instead of closing it.  We'll eventually prove one of two things: the posters were lying, or we helped them on a path to resolution.


----------



## Viro (Jun 22, 2008)

ElDiabloConCaca said:


> Heh... precisely why large software developers have "beta" software, which is usually very verbose in logging and useful to the developer, as opposed to "release" versions, which do not spit out spurious messages and are intended for end-users.



On Windows, we have different trace logging levels. We usually have some fairly verbose logging on, since it means that if clients repeatedly run into trouble and crash we can look at their logs and understand what happened. While it sounds bad for performance, we did look at it and found that there wasn't too much of a performance increase (about 2% more on a P4 2GHz) so we left it enabled.


----------



## HelloMac (Jun 23, 2008)

From the Washington Post today...


http://blog.washingtonpost.com/securityfix/2008/06/new_trojan_leverages_unpatched.html?nav=rss_blog

"...
Dai Zovi said the Trojan tries two different exploits to install itself without having to prompt the user for his or her system credentials. One exploit is the aforementioned ARDagent attack; the other is for a privilege escalation vulnerability that Apple patched in 2006. (As an interesting aside, Dai Zovi himself reported that latter vulnerability to Apple back in 2006, only to later learn that exploit code for that same vulnerability had been publicly posted online prior to Apple issuing a patch for the flaw).


Once installed, the Trojan drops a keystroke logger called "logkext" on the Mac user's system. It then sets up a virtual network computing (VNC) server listening on the victim's machine, which would provide an attacker remote access to the victim's computer.

The code also installs a Web-based "PHP shell" program that allows the attackers to remotely manipulate the infected machine using nothing more than a Web browser. That component of the Trojan also sets the victim's system so that it can be tracked using dynamic DNS services, which permit remote users to remain connected to a system even if its numeric Internet address changes over time. ..."


----------



## HelloMac (Jun 23, 2008)

I just caught up on the other replies in the thread that I'd missed...

RE: installing software myself after clean install...

The only software I've put on the machine over the past several weeks after installs included manual updates of Adobe Flash to the current version, Little Snitch downloaded from the OBDEV site, Apple iWork from a retail version I purchased new.

For a short period I installed Tunnelblick as an application that was provided to me for VPN service by WiTopia.net. Uses OpenVPN. Leopard didn't like it much and after running for a couple of days it would eventually stop working, so I stopped using it. WiTopia support said it worked with Tiger, and looking at the Tunnelblick site, the developer notes there are problems with it with Leopard.

I've been switching off between two VPN providers. One runs on the iMac and the other on the MacBook. Both are PPTP solutions. Secure-Tunnel.com and Strong-VPN.com.

That's not to say I didn't inadvertently drop something onto the machine while surfing around the web. I know at various points in this adventure when I've tracked down IP addresses I've come across LimeWire. I remember that specifically because it seemed odd to me since I am/was aware of the name in general but I've not used it before - meaning I've not downloaded or streamed content from a network known to me as Limewire. 

I have viewed streaming media and downloaded content but it's been through iTunes. I don't use BitTorrent or other peer-to-peer download networks for music, etc. I purchase from iTunes or import from a CD.

Interestingly this week on the iMac I've noticed much less outgoing activity/attempts by Little Snitch. Where the past couple of weeks it seemed I was constantly being asked to approve a new connection, not so much in the past couple of days.

I made three changes on this machine for this go round of the install that I had not done before:

1. Trash the Applescripts folder from Applications and secure empty.

2. Trash the MAC OS Remote Install application from the /applications/utilities folder and secure empty.

3. Activated an account with OpenDNS.com and manually set up DNS information in my router, AirPort, ethernet and firewire settings. (I don't use firewire or physically connect through ethernet, but what the heck?)

That's the latest.


----------



## nixgeek (Jun 23, 2008)

I don't remember you ever mentioning the type of encryption you're using for your wireless.  Also, are you using any other measures to secure your wireless?  How about the password for your Airport?  Are you broadcasting your SSID?  What about MAC filtering?

This one is a stretch, but are you sure you're connecting to your Airport and not some rogue access point imitating yours (quite possible with something like Evil Twin)?  Do you experience the same problems when you reinstall and only use the ethernet as opposed to the wireless?

Something to test out, just in case...


----------



## nixgeek (Jun 25, 2008)

Don't know if either HelloMac or NewMacUser-TX is still checking this thread, but here's something I just stumbled upon today:

http://www.sans.edu/resources/securitylab/wireless_security_1.php

Might answer some questions as to where the problems came from.


----------



## HelloMac (Jun 27, 2008)

I'm using WPA-Personal and have also used a Radius server connection. Will be attempting the Radius setup again this weekend.

So the screenshots are from earlier this week. Repartitioned and wiped the drive using DriveGenius 2. Established admin account and locked down. Did not allow connection to the internet. Created a STANDARD account. The shots you'll see were from the standard user account. 

Things were different on the system this time. In the past when in a standard account then clicking on the Mac HD icon I would only see a folder called System. That folder would open to Library.

Now I can see multiple folders including sbin. At this point as a newbie to Mac I'm not even certain which view is the correct one, though as I navigated through various folder levels I found myself being reconnected with a higher level folder in a loop.

What prompted this round of wipe and reinstall? I turned on the machine and the Grab and Terminal apps were gone. GONE from the machine.

I've learned that if I turn off the iMac and leave it connected to electricity then changes may take place by the next time I turn it back on. (From shutdown, not sleep, never put it in sleep anymore). If I disconnect electricity there will be no changes. 

Feedback is welcome.


----------



## ElDiabloConCaca (Jun 27, 2008)

All of those screenshots "jive" with what I've got on my machine... nothing I see is out-of-the-ordinary.

The only thing I see that's weird is that those folders (var, etc, etc.) should not be visible in the Finder windows, unless you manually turned on something that shows invisible files in the Finder.

The "loop" behavior you're experiencing when navigating those folders is because a lot of those folders are symbolic links... meaning the folder you see (folder icons with a little arrow on them) isn't the true "home" of that folder... it's simply an "alias" link to that folder.

It also appears that you're using FileVault (your home folder in the left-hand sidebar of the Finder windows shows a gray house with a padlock on it)... any specific reason for this?

What format did you format the hard drive in (HFS+, Case-sensitive, etc.)?  Also, why use DriveGenius 2 to format the drive when Disk Utility on the Mac OS X Install CD/DVD would do just fine?

I think perhaps it's time for another wipe-and-reinstall, but I'd like to provide specific procedures for doing so, and then check the results at the end of the install.  That way, I can have complete control over the install process and know everything that's done along the way.  Right now, we really have only your word on what exactly is being done -- for instance, I don't think it was ever mentioned that FileVault was turned on, even though it apparently is.  If that's cool with you, let me know!


----------



## HelloMac (Jun 27, 2008)

Interesting article, NIXGeek. I sometimes have wondered if my bluetooth device is actually turned off. I know the little icon says it is, but since there's no hardware switch, only reliance upon software, I wonder if it is truly turned off.

I've also noticed something new popping up in the OS boot sequence in Console. Something called BTCO or similar loads now. Google says it's BlueTooth and wifi co-exist. That's been since 10.5.3 so perhaps it's a legit change.

I've also considered the possibility of a rogue AP and the longer this problem goes on the more I lean towards that being a real possibility. There are multiple SSIDs in my building that are almost always on and three of them resolve to the same hardware MAC address. (Used iStumbler and FrameSeer to capture some data.) Typically when I'm connected online if I use another device to scan the available SSIDs only two of the three are visible. Not always, but often. I've no clue how to track from that point or how to figure out if there is a direct tie-in.

But then again if it's Bluetooth, I won't be able to detect that anyway. Letting the iMac bluetooth run in scan mode to try to connect to a device usually comes up with nothing in range other than my own devices if I have those devices in discover mode.


----------



## HelloMac (Jun 27, 2008)

I'll be happy to follow a specific install plan if you'd like.

Yes FileVault is running this time. Sometimes I have it on, sometimes not. This time I did. Turned it on in hopes it blocks access to files in that home folder when the machine is turned off.

Used DriveGenius because I was hoping that it would make enough changes to the HD that if something is continuing to live on the drive it would get shaken up. Disk Utility gives the same results over and over.

Formatted HFS Journaled. 1 partition for the Mac HD. 1 partition for the EFI. And 1 partition that is about 97 MB that DriveGenius would let me see exists, but would not allow me to delete. I could add space to that "Free Space" partition but that's the only option that was active. Disk Utility never shows me that the EFI or "Free Space" partitions exist.

I did not install a utility or issue a command to enable Finder to see hidden files. Thus my surprise at being able to see those folders.


----------



## HelloMac (Jun 27, 2008)

Jun 27 01:41:46 PoquitoMac SecurityAgent[77]: Login Window done
Jun 27 01:41:46 PoquitoMac com.apple.SecurityServer[18]: Succeeded authorizing right system.login.console by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jun 27 01:41:46 PoquitoMac loginwindow[22]: Login Window - Returned from Security Agent
Jun 27 01:41:46 PoquitoMac com.apple.SecurityServer[18]: Succeeded authorizing right system.login.done by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jun 27 03:04:51 exchng-129 /System/Library/CoreServices/Finder.app*/Contents/MacOS/Finder[100]: Unexpected quarantine error: -5000; ignoring
Jun 27 03:17:58 exchng-129 com.apple.SecurityServer[18]: Failed to authorize right system.install.root.admin by client /System/Library/PrivateFrameworks/Install.framework/Versions/A/Resources/runner for authorization created by /System/Library/CoreServices/Installer.app.*
Jun 27 03:19:24 PoquitoMac loginwindow[414]: Login Window Started Security Agent
Jun 27 03:19:25 PoquitoMac SecurityAgent[422]: Showing Login Window
Jun 27 03:20:27 PoquitoMac SecurityAgent[422]: User info context values set
Jun 27 03:20:27 PoquitoMac authorizationhost[421]: Failed to authenticate user LittleMac (tDirStatus: -14090).
Jun 27 03:20:40 PoquitoMac SecurityAgent[422]: User info context values set
Jun 27 03:20:41 PoquitoMac SecurityAgent[422]: Login Window done
Jun 27 03:20:41 PoquitoMac com.apple.SecurityServer[18]: Succeeded authorizing right system.login.console by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jun 27 03:20:41 PoquitoMac loginwindow[414]: Login Window - Returned from Security Agent
Jun 27 03:20:41 PoquitoMac com.apple.SecurityServer[18]: Succeeded authorizing right system.login.done by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jun 27 03:56:15 exchng-129 com.apple.SecurityServer[18]: Succeeded authorizing right com.apple.Safari.parental-controls by client /Applications/Safari.app for authorization created by /Applications/Safari.app.
Jun 27 03:56:17 exchng-129 com.apple.SecurityServer[18]:* Succeeded authorizing right com.apple.Safari.parental-controls by client /Applications/Safari.app for authorization created by /Applications/Safari.app.*
Jun 27 04:47:50 PoquitoMac shutdown[676]: halt by Leslie: 
Jun 27 05:26:18 localhost com.apple.SecurityServer[18]: Entering service
Jun 27 05:26:18 localhost com.apple.SecurityServer[18]: Succeeded a*uthorizing right config.modify.com.apple.CoreRAID.admin by client /System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer for authorization created by /System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer.*


----------



## HelloMac (Jun 27, 2008)

A Japanese wiki server is active for java?


----------



## HelloMac (Jun 27, 2008)

Note the sharing and permissions access.


----------



## Viro (Jun 28, 2008)

HelloMac said:


> Note the sharing and permissions access.



They are exactly the same on my 2 Macs, and they are going to be exactly the same for any other Mac. Please read up and understand file permissions before being paranoid about this.

That panel shows that the file was last opened on the 21st of March 2008. So ... really. What's the problem?


----------



## ElDiabloConCaca (Jun 28, 2008)

HelloMac said:


> A Japanese wiki server is active for java?


Just because there's some folder called "WikiServer" does not mean that a Java Wiki server is actually _running_ on your machine.

There's a file called "Don't Steal Mac OS X" on your hard drive, too... does that mean that you _stole_ Mac OS X?  No.

The Japanese folder you're seeing is called a "localization."  It's files and support things for when you change your system's language to Japanese.  The default install of Mac OS X includes many localizations for many languages, and these localization files are located all over your hard drive and within many application packages.

Get a good book on the underpinnings of Mac OS X if you're curious about all these files.  There are literally tens of thousands of files included with a Mac OS X install, and assuring you 10,000 times that each of these files is benign is going to make this thread very, very long.  Perhaps a better book would be something on UNIX, since Mac OS X _is_ UNIX.  UNIX is _extremely_ file-based -- and in most UNIX installations, many, many, many files for many, many, many different services exist on your hard drive whether you intend on using those services or not.

You can think of UNIX as very "modularized."  Unlike Windows with its monolithic registry, UNIX stores application settings and configurations in separate files for different applications.  Your Mac OS X installation includes things such as php (even if you never intend on writing a line of php code in your life), the Apache web server (even if you never intend on serving web pages), support for connecting to AD or OD servers (even if you never intend on actually connecting to this type of network environment)... the list goes on and on.  EVERYthing is on your hard drive whether you intend on using it or not, but that does not mean that EVERYthing is active and running all the time.  Just the _files_ are there, just in case you want to... unlike Windows, which only installs and activates what you tell it to (and, of course, some things you don't) -- and when it comes time to turn on a service that wasn't installed, you're prompted to insert your original Windows CD so it can install the proper files.

Also, even though during the install process you only set yourself up as a user on the system, there are already a handful of other users on your system... "root," "wheel," "www," and "nobody" are just a few.  This is how UNIX operates -- every process that's active on your system is "owned" by some user account -- maybe you, maybe one of the default users.  And just because those users exist doesn't mean that they can actually log into your system.  This is how UNIX works -- users and groups that own processes, each with their own set of permissions.

Wanna really blow your mind?  Open up "Activity Monitor" in the /Applications/Utilities folder.  Change the list for "All Processes" from the drop-down at the top.  You'll see a handful of users other than yourself running processes... all perfectly normal.  There's even one called "daemon."  Doesn't mean you've got demons (er, "daemons") in your system, though.

It's like working on a car -- if I didn't know anything about an engine and went poking around under the hood of my car, I'd be pretty perplexed and possibly concerned... "Why is this tube here?"  "Who put this clamp over there?!"  "Why is that thing over there spinning, even though the car isn't moving?"  "You mean explosions in the engine are _supposed_ to happen?"  "Oh, a battery... but I didn't know this was a hybrid!"  In order not to freak myself out, I just shouldn't be poking under the hood without supervision or without the knowledge to tell me what's normal and what's not.
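As an added example (not from any poster in this thread), here is a small POSIX shell script that turns the "All Processes" view described above into a quick triage: it counts processes per owning account and flags only owners that are neither a known system account nor the logged-in user. The baseline list of accounts is an assumption taken from the names mentioned in the thread, and the sample process table is constructed; pass `--live` to read the real one.

```sh
#!/bin/sh
# Added example: triage the owners of running processes on a Mac OS X box.
# Every process is owned by some account; most belong to built-in system
# accounts (root, daemon, nobody, www, spelled _www on 10.5), which is the
# normal state described in the thread. Apple's own daemon accounts start
# with an underscore on 10.5 and later, so those are treated as expected too.
# EXPECTED_OWNERS is an assumption built from the names in the thread, not a
# complete list for any particular release.

EXPECTED_OWNERS="root daemon nobody www"

# owner_counts: read "owner command" lines on stdin, print "count owner"
# with the busiest owner first.
owner_counts() {
    awk '{ n[$1]++ } END { for (o in n) printf "%d %s\n", n[o], o }' | sort -rn
}

# unexpected_owners LOGIN: print each distinct owner that is not in the
# baseline, is not the interactive user LOGIN, and is not an underscore
# prefixed Apple daemon account. An empty result means nothing stands out.
unexpected_owners() {
    login="$1"
    awk -v base="$EXPECTED_OWNERS $login" '
        BEGIN { split(base, b, " "); for (i in b) known[b[i]] = 1 }
        !known[$1] && $1 !~ /^_/ && !seen[$1]++ { print $1 }'
}

# Constructed sample in the shape produced by: ps -axo user=,comm=
# "guest42" stands in for an account the machine's owner did not create.
SAMPLE='root launchd
root kextd
daemon distnoted
nobody mDNSResponder
_www httpd
leslie loginwindow
leslie Finder
leslie Safari
guest42 sh'

# With --live, read the real process table; otherwise use the sample above.
if [ "${1:-}" = "--live" ]; then
    snapshot() { ps -axo user=,comm=; }
else
    snapshot() { printf '%s\n' "$SAMPLE"; }
fi

echo "Processes per owner:"
snapshot | owner_counts
echo
echo "Owners worth a second look (expected: none):"
snapshot | unexpected_owners "${2:-$(id -un)}"
```

Run it as `sh triage.sh --live leslie` to check a real machine for the account named leslie; on a clean install the last section should be empty, and anything listed there is a concrete question to bring to whoever examines the system.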


----------



## Viro (Jun 28, 2008)

ElDiabloConCaca said:


> Wanna really blow your mind?  Open up "Activity Monitor" in the /Applications/Utilities folder.  Change the list for "All Processes" from the drop-down at the top.  You'll see a handful of users other than yourself running processes... all perfectly normal.  There's even one called "daemon."  Doesn't mean you've got demons (er, "daemons") in your system, though.



Now he tells me. I gotta go phone up and cancel the appointment with my exorcist.


----------



## VirtualTracy (Jun 28, 2008)

> _Also, even though during the install process you only set yourself up as a user on the system, there are already a handful of other users on your system... "root," "wheel," "www," and "nobody" are just a few._



When I told my family, "_Nobody_ touch my iMac when I'm out!" I was being literal!


----------



## NewMacUser-TX (Jul 5, 2008)

Well, I am back.  I can't get my Mac to boot to the install disc at all and I keep having problems with my settings staying, well, set.  Today I have hundreds of "WARNING!" messages in the System Log, but I will probably be told, 'that's normal, don't sweat it and don't look at the logs and then you won't worry'.  I guess the old "outta sight, outta mind" phrase comes into play when it comes to Macs?  Screen capture of my Log is attached.  Sorry if I sound like a smart ass, but nobody will address the questions as presented.  If you look back I knew something was wrong because I did a 7 pass erase and reinstall, yet even though I didn't install X-11 or the language packages, they were all installed.  The question of "how could that happen" is ignored and I'm not sure why.  I am VERY frustrated and starting to feel like the hacking issues I had with my Windows machines are just going to continue even though I switched to a Mac, and so I might as well get used to it.


----------



## nixgeek (Jul 5, 2008)

NewMacUser-TX said:


> Well, I am back.  I can't get my Mac to boot to the install disc at all and I keep having problems with my settings staying, well, set.  Today I have hundreds of "WARNING!" messages in the System Log, but I will probably be told, 'that's normal, don't sweat it and don't look at the logs and then you won't worry'.  I guess the old "outta sight, outta mind" phrase comes into play when it comes to Macs?  Screen capture of my Log is attached.  Sorry if I sound like a smart ass, but nobody will address the questions as presented.  If you look back I knew something was wrong because I did a 7 pass erase and reinstall, yet even though I didn't install X-11 or the language packages, they were all installed.  The question of "how could that happen" is ignored and I'm not sure why.  I am VERY frustrated and starting to feel like the hacking issues I had with my Windows machines are just going to continue even though I switched to a Mac, and so I might as well get used to it.



First of all, read the *entire* thread....don't just skim it.  We tried as best we could to cover all that was possible.  Anything that looked normal was confirmed as such by everyone that's responded.  There's a difference between actually having problems and jumping at every little message that says "Warning" on it just because you're not familiar with how Unix works.  If you think it's any different in Windows, have a gander at the Event Viewer logs and see what you'll find there.  That might just make your hair stand up just as it is with what you're finding in OS X's logs.

Now, on to the log you attached.  As it stands, we're only seeing part of the log where it repeats the same message.  We don't see where it starts happening to be able to assess how this came to pass.  All that is shown is that you have a System Preferences warning.  Could you possibly post some of the information prior to that message first showing up?

As for X11 being installed, did you see an icon for X11.app in your Applications folder?  If not, then it's not installed.  Plain and simple.  To my knowledge, X11 was never installed by default until Leopard (see this link).  The language packs are also installed by default to my knowledge.  To prevent this from happening, you have to select "Customize" before selecting to begin the installation of the files and then uncheck that which you do NOT want installed (I'm sure this was mentioned in previous posts as I remember reading this when going through this unnecessarily long thread).  This link shows you how to do a custom installation (yes, it's about Tiger but it applies just as well to Leopard).  BTW, this was EASILY found on Google just by using a few key words relating to your problem.

I hate to say it, but sometimes one must read the manual if one does not have familiarity with a particular OS.  Many in this thread have even mentioned some great books that will help in the matter.  As was mentioned, logs are there to inform you of what's going on.  Not everything that says "Warning" means you're getting hacked.  It might apply to the fact that something might not be activated/supported/whatever and it's just telling you this.  Or, it might be an application that is trying to do something that the operating system does not like (possibly due to a bug in the application).  Whatever the case, you can't assume that every message means someone is trying to "pwn" you.  You have to check the logs in context in order to properly deduce what the problem might be, whether it's just an informative message or a genuine intrusion into your system.


----------



## Viro (Jul 6, 2008)

NewMacUser-TX said:


> Well, I am back. I can't get my Mac to boot to the install disc at all and I keep having problems with my settings staying, well, set. Today I have hundreds of "WARNING!" messages in the System Log, but I will probably be told, 'that's normal, don't sweat it and don't look at the logs and then you won't worry'.


 
Sorry to say this but that log file is a list of assertion failures (and they can be normal!). What were you running that generated those assertion failure messages?

Before you start panicking, assertions are normal if you're running a debug build or a program that, for one reason or another, decided to keep those asserts in at release. We do that at my company, so that developers will get to see exactly where a problem occurred. Notice, this is completely and thoroughly useless for an end user as you will have no idea what is contained at NSView.m at line 4755 and you're not expected to. It's there for developers of the app to determine what's going on in their program.

If you want something similar on Windows, download DebugViewer or view the Event Log.

*There could be a lot of reasons why you're seeing those messages.* What were you doing prior to seeing those messages? And what error are you getting when you cannot boot up?


----------



## Viro (Jul 6, 2008)

And just to show you what me and nixgeek mean, here's a screenshot of my Windows log. No, my system is functioning correctly and it's not hacked nor is it going to blow up at any point in time.

You're viewing a log file that is used by system administrators and developers for tracing down problems. There's a reason why those messages are hidden away from users but are readily available to those who need such info.


----------



## CuteCari (Jul 18, 2008)

I ran across this site while I was looking for answers and noticed the problems you are having.  I have been killing Windows viruses for 9 years.  I switched to Mac after I ran into the CD replicating virus.  I couldn't figure out how it was doing it and where it could possibly be storing itself (trust me, I have a firm understanding and knowledge of removing the most insane viruses), and there of course was no one who could even conceive that this was possible.  This virus was the only one I couldn't figure out and because of this, it rendered the infected computer useless.

I switched to Mac because I was obsessed with figuring out this virus and it turned me into a mad scientist, which prevented me from living a "normal" life.

So now I am infected with the same virus/hack issues that are being discussed here on my Mac.  Anyone who says something is "impossible" or you are "just paranoid" is someone with a mind that can't comprehend past what they can see, and if you are familiar with viruses, you know that it is what you can't see, explain or even comprehend that is the issue.  I told myself a long time ago that if your computer is making you feel crazy in any way, it is most likely the computer and not you, although the line between reality and perceived reality can become blurred and create paranoia.  I, from all of my years working with computers, can tell the difference between what is real and what isn't, but finding someone else that can is almost impossible, which is why I feel the need to post.

If you are one of the 95% of the population which cannot comprehend the incomprehensible, there is a book called "Big Book of Apple Hacks" that will surely open your eyes and take you to the next level of understanding.

1. The CD replication is true; as I stated, I have seen this in Windows an uncountable amount of times.  It is happening to my G4, which is not connected in any way to any network; no matter what I do, I can't get rid of it.  I recently found that there is memory in the optical drive that can be programmed and store information, although I don't know how, and the Mac hack book also tells you about memory in other places you would not even think of.  This opened my eyes to an ability that I didn't know was possible.  This made sense to me; whether it is true, I don't know as FACT.  If it is true then there must be other areas that can be programmed the same way (we must keep an open mind or we will never find the answers).  Please help me with this if you are aware that this is a possibility.

2. I am also experiencing the same virus/hack on my laptop, but the one on my laptop is network oriented.  I did the same thing as that other guy with getting all of the new routers and all of that crap.  Mac store (idiots by the way) etc... even replaced my laptop and deleted my AirPort card through the software.  But when I looked into my computer (software) the AirPort card was still connected and functioning.  I don't know the ins and outs of networks, which is where the confusion lies for me.  I have the iSight issue, fake web pages, everything, and feel like there is someone with me at all times.  The Mac hack book has taught me some and I have crammed my head full of book after giant book trying to figure all of this out.  My computer has been taken over completely, though I'm not sure whether the virus I have on my laptop is the same one that is on my G4 or not, but if not, they are very similar.  I suspect the remote function.  I want to physically disable any entry to my laptop but don't want to void my AppleCare.  If you know how to do this please help me with it, as I will do it if I have to.

So as of now I am screwed and there is no help for this in the world of closed minds.

So I just wanted to let you guys know that you are not crazy in any way and we, as of now, are stuck in the purgatory between the 2nd plane, which is where we are now, and the 3rd plane, which is where we will be after figuring out this new craziness.  Every plane is more isolating and painful, but to a "scientist" the progression is out of our control.

Please help!!!!


----------



## ElDiabloConCaca (Jul 18, 2008)

If the people here are so sure that their computers have been infected at the hardware level, then simply take the computers to the nearest Apple Store.  They'll be very interested in seeing the first Mac computer to be infected at the hardware level in over 20 years.

Other than that, I'm about ready to say that the scope of the problems being discussed here is beyond our help.  We don't have physical access to the computer, people are too paranoid to put their computers on a network for us to have remote access to them, and it seems that just when we're squashing or explaining one problem away, a completely new one manifests itself (or a completely new member joins the discussion to chime in with a "me too").

Take your computers to security experts who can have physical access to do diagnostics on the machine.  We would be very interested in hearing about the results.  Otherwise, we have no choice other than to be skeptical, since these problems are obviously WAY out of the realm of anything we've heard of before.


----------



## nixgeek (Jul 18, 2008)

I listen to a few security podcasts (PaulDotCom Security Weekly is one) and they've NEVER mentioned anything other than the ARD issue (which has been all over the tech news sites).  Beyond that, anything that is being described would have been discussed and exposed.  We live in a global village now, and information is more readily available than ever before, so even 0day exploits are known about very quickly.  Patching them takes longer, of course.

Like EDCC said, all that could be done over a forum has been done.  At this point, it's a matter of contacting a security professional and having that security professional examine the system.  Mind you, this will not be cheap....security professionals charge quite a bit for their expertise.

I still stick by my opinion that those in question are claiming that the sky is falling due to lack of knowledge, and are just trying to cover that up by sprinkling jargon in their posts.  I'm sorry if that offends, but we've been going on a wild goose chase here.

BTW, I just did a search for the "Big Book of Apple Hacks".  Here's what Amazon says about it:
http://www.amazon.com/Big-Book-Apple-Hacks-unlocking/dp/0596529821



> *Product Description*
> Bigger in size, longer in length, broader in scope, and even more useful than our original Mac OS X Hacks, the new Big Book of Apple Hacks offers a grab bag of tips, tricks and hacks to get the most out of Mac OS X Leopard, as well as the new line of iPods, iPhone, and Apple TV.
> 
> With 125 entirely new hacks presented in step-by-step fashion, this practical book is for serious Apple computer and gadget users who really want to take control of these systems. Many of the hacks take you under the hood and show you how to tweak system preferences, alter or add keyboard shortcuts, mount drives and devices, and generally do things with your operating system and gadgets that Apple doesn't expect you to do. The Big Book of Apple Hacks gives you:
> ...



All this book is about is how to maximize the use of the Mac hardware and apps that run on it, which leads me to call BS on the posters.  To claim such knowledge and not realize that "hack" means "finding ways to do things with hardware/software that were not originally intended by the creator" and not "pwning yer 'puter" leads me to believe that we are officially wasting our time.  If not, then as was mentioned take it to a security professional and make yourself famous.

Are we done now???


----------



## CuteCari (Jul 18, 2008)

nixgeek said:


> I listen to a few security podcasts (PaulDotCom Security Weekly is one) and they've NEVER mentioned anything other than the ARD issue (which has been all over the tech news sites).  Beyond that, anything that is being described would have been discussed and exposed.  We live in a global village now, and information is more readily available than ever before, so even 0day exploits are known about very quickly.  Patching them takes longer, of course.
> 
> Like EDCC said, all that could be done over a forum has been done.  At this point, it's a matter of contacting a security professional and having that security professional examine the system.  Mind you, this will not be cheap....security professionals charge quite a bit for their expertise.
> 
> ...



Are you done now is the question, because I am not.  I am still dealing with this situation - it infected my f4 and my MacBook (Mac replaced it right away), my iPhone (Mac replaced it as well but I haven't activated it yet) and my work PC, which I got fired for, not sure why.

Have you read the book?  No, you haven't.

There are other more shady things that of course are not mentioned in the description of the book and that you have mentioned in your post, and on the more hush-hush side of hacks regarding what you can do to others - remote control, viewing users through their iSight, etc. etc. etc.

The last message I received from the person who gave me this virus said "i will forever be in your home".  I am not paranoid; I am not going to allow this to be forever in my home, because I am in search of someone who is interested and capable.  If you are not one of the people who pave the path then you are merely following a path that has been paved for you.  I would prefer to speak to the person actually paving the path, as I have experienced too many of "you" throughout my computer travels.  You sound no different from anyone else with blinders on.  No offense, but writing this off as ridiculous is not the way to make progress in a field that has potential beyond our understanding.  If we wrote everything off as that, think of where we would be - nowhere.

Do you believe that there are anomalies happening that you are unaware of or that are mind-boggling to you?  If not, maybe you should have a look at that.

I don't have the money for a super security master; that is why I look for information on the internet.  There are a lot of people out there who like to help others, I am one of them, and the main reason I wanted to post was because I have been in the situation of the guy that no one believes and I know how lonely and mentally damaging it can be at the beginning.... until the truth comes out, then everyone apologizes for not believing you when you were having the experience.  That has happened to me every time I have discovered something on the newer side of virus detection, including my first cell phone virus a few years ago before it came out to the public.  I honestly thought I was going crazy.... but I wasn't.  And am not now.

So no, I don't accept any of what you said to be of value, and it seems you are speaking for everyone else as well... No, it is not only hardware related, as I said.  By posting I am looking for the person who is interested in learning more than what they already think they know.  Isn't that what we are after... the quest for knowledge.  If you're not, then what is your function?

If there is anyone who is prepared to infect themselves with the virus that I have mentioned, I would be happy to give you the website for you to give it a go... If you are in fact as sure as you think you are, I would be very interested to find out your thoughts and diagnosis of the virus I am speaking of.  Just say the word.  Or if anyone else would like to infect themselves and attempt to figure out its potential and try to kill it, that would be great.  But my warning is that it is much more sophisticated than you think (unless it is only targeting me 24 hrs a day, but I don't think I am that interesting).  I would love to be proved wrong in my assessments of it.

AND, who would ever want to be famous for a virus in any way, shape or form?  Not I.

I wonder why it makes you mad or frustrated when someone adds to the conversation; please answer this, as I am very curious as to the answer.  If you can't help, then why respond?  I have in no way meant to upset or anger you with either of my posts.

I hope there is someone who would be willing to check this virus out.

Anyone else, I am still looking for help on this subject... if I can't find it here I will be happy to move on.  Thank you very much!!


----------



## elander (Jul 19, 2008)

Oh for the love of everything holy or not, close and remove this thread already! As I said early on, these people are either trolls or have serious psychiatric issues, it is not Mac-related. Let's put this to rest now.


----------



## Viro (Jul 19, 2008)

Seriously, just take the Mac to the Apple store and get one of the geniuses at the bar to help you out. There is nothing more we can do from the confines of a forum. This will be the last post I make in this thread as the people coming up with problems do not ... let's not even go there.

Just bring it in to a shop, and get someone to look at it.


----------



## nixgeek (Jul 19, 2008)

CuteCari said:


> Are you done now is the question, because I am not.  I am still dealing with this situation - it infected my f4 and my MacBook (Mac replaced it right away), my iPhone (Mac replaced it as well but I haven't activated it yet) and my work PC, which I got fired for, not sure why.
> 
> Have you read the book?  No, you haven't.
> 
> ...



Here's a thought (and it will be my last one).  Contact Apple directly about your problem.  Speak to someone there in detail about your problem.  Send an e-mail to Steve Jobs himself if you need to (I hear it actually works).  If in fact you and all of the other posters regarding this problem are in fact having a problem, make it known to them.  Go to the source with this problem.  We here are not the source and have given all of the help we can...*READ ALL OF THE THREAD IF YOU DO NOT BELIEVE ME, DON'T JUST SKIM IT!*  As has been said ad nauseam already, the answers you're looking for go beyond the scope of this forum....ANY forum for that matter.  These problems need hands-on action if they're actually real, and getting Apple involved would be one way to do so.

So again, are we done?  Guess what...I am for sure.


----------



## ElDiabloConCaca (Jul 19, 2008)

CuteCari said:


> If there is anyone who is prepared to infect themselves with the virus that I have mentioned, I would be happy to give you the website for you to give it a go... If you are in fact as sure as you think you are, I would be very interested to find out your thoughts and diagnosis of the virus I am speaking of.  Just say the word.  Or if anyone else would like to infect themselves and attempt to figure out its potential and try to kill it, that would be great.  But my warning is that it is much more sophisticated than you think (unless it is only targeting me 24 hrs a day, but I don't think I am that interesting).  I would love to be proved wrong in my assessments of it.



I would love to have the chance to check out this virus/trojan/hack/whatever... please send me the website address and I'll thoroughly check it out.

Email is eldiabloconqueso@sbcglobal.net.  I anxiously await your email.


----------



## ElDiabloConCaca (Jul 19, 2008)

CuteCari said:


> AND, who would ever want to be famous for a virus in any way, shape or form?  Not I.


I hope this was said facetiously... there are many, many, many, many, many people out there who write viruses specifically to have their egos stroked.

There are "hacker's rings" that do nothing but collaborate on how to write viruses, and the best way to release those viruses so that their group of programmers/hackers gets the most notoriety.  There are even "wars" between competing virus writing groups over who wrote what first, whose virus had the most impact, whose virus was most widespread, etc.  They all sit around and bask in the glory of notoriety.

Failing to see this is an extreme shortcoming.  Just because you wouldn't do it for the fame doesn't mean that it's absurd to think that someone else would.

Do you think "I will forever be in your home" is hacking you because your family photos are like a goldmine to him/her?  Do you think they really want your Word document cake recipe files that bad?  What data of value do you store on your hard drive that a hacker would want that bad?


----------



## CuteCari (Jul 19, 2008)

I just wanted to let that guy know he wasn't crazy... I wish someone would have told me that a long time ago.  I'll kill my viruses on my own.  Thanks.


----------



## CuteCari (Jul 19, 2008)

ElDiabloConCaca said:


> I hope this was said facetiously... there are many, many, many, many, many people out there who write viruses specifically to have their egos stroked.
> 
> There are "hacker's rings" that do nothing but collaborate on how to write viruses, and the best way to release those viruses so that their group of programmers/hackers gets the most notoriety.  There are even "wars" between competing virus writing groups over who wrote what first, who's virus had the most impact, who's virus was most widespread, etc.  They all sit around and bask in the glory of notoriety.
> 
> ...


I know... I find viruses incredibly intriguing, although I would have preferred to analyze them in a controlled environment... perhaps a clean room with a hazmat suit.

Oh well, you get what you ask for and it seems I asked for it without even knowing... Didn't someone say "never accept gifts from strangers"?

I'm sure they probably enjoyed my picture collection, now sitting on a MySpace page somewhere with a 24 hr web cam of me sitting in front of my computer with an occasional easter egg thrown in on accident.  Other than that I'm not sure... I guess I am just fascinating.


----------



## ElDiabloConCaca (Jul 20, 2008)

Just a reminder, I'm still waiting for your email with the supposed virus website.  I am extremely interested in checking it out, and it would help this thread's credibility immensely if we could have some source of the problems.


----------



## g/re/p (Jul 20, 2008)

all i know is what my momma told me // all i know is what she said

when Beelzebub is sneaking up on you // you best be dancin' on his head.

Do the devil stomp!!!!!!


----------



## CuteCari (Jul 20, 2008)

I'm nervous to give you the web site for some reason... I try to avoid getting in trouble and I have no way of knowing I wouldn't if I give it to you.


----------



## Viro (Jul 21, 2008)

Just give him the website -.-


----------



## ElDiabloConCaca (Jul 21, 2008)

I gave you my email address.  Send it to me.  There's no law against sending me an email with the website that you suspect infected you with a virus, especially since I requested you send it to me for troubleshooting/research purposes.

eldiabloconqueso@sbcglobal.net

Your offering to send it to me, then backtracking on your word makes your claims look less plausible.  If you want us to believe and help you, just send the damn website and let's get on with this shindig.


----------



## Viro (Jul 23, 2008)

Hey EDCC, is your computer still working?


----------



## ElDiabloConCaca (Jul 23, 2008)

He/She never sent me the link.  In fact, I haven't heard from CuteCari since -- neither on this forum, nor via email.

I'm starting to think, "bogus."


----------



## ScottW (Jul 24, 2008)

I think it's time to move on and have requested that this be done. Closing thread.


----------

