Munix hacked? Valid files for install of Leopard?


HelloMac

First recognized a problem in late February.

The environment:
10.5.2 imac new in Feb 08. 1 gig ram.
Airport Extreme.
Epson PS820 printer.
Cabled mouse and keyboard.
DSL Action Tec 701C modem.
No exotic software installed, just the Apple standards. iLife, iWork.

I've set the following upon initial account setup for the most recent re-do:
No internet connection.
Disable Firewire, Airport, Ethernet and Bluetooth.
Disable IPv6 for all devices.
NO sharing of any sort, file or internet wise.
NO permission for "everybody" or "users" groups to Terminal.
Software firewall - no incoming (essential only).
DSL Modem firewall - port 80 and imap only. Everything else no in or out.
Complex password on DSL modem.
Complex password on admin account on mac.
Complex password on root account on mac.


The problem:
Over time the Mac allows unknown user(s) to log into the computer, change permissions and eventually obtain root authority. Data is sent from the machine to the internet. Using a combination of ssh or telnet logins with AppleScript automation my machine is consistently compromised. Mouse movements are tracked, passwords are detected by a script that dupes me into thinking the system needs my password (though I recognize that one now). To what end I have no idea.

From the logs:
Anonymous logins, "race conditions" errors, random .plist files that seem to belong but upon inspection are made up of Chinese or Russian language, cups entries that my printer can accept up to one hundred hosts and all sorts of stuff probably unrelated. The machine's time changes randomly by a few seconds. The system performs a "window replay" every now and again. That's all taken from the Console ALL MESSAGES logs. .plist files in config that reference WoW and other online games.

Action taken:
Several fresh installs of Leopard at the direction of Apple Care and local Apple Genius. From different install discs. It doesn't matter what customize option or exclusion I instruct the installer to make, the actual install is always ALL language options and X11.

Complete head to toe hardware checkout by my local Apple certified geeks. No problems with RAM or other hardware.

My theory:
Initial infection writes itself to discs that are inserted into the optical drive, including installation discs. Three files survive hard drive erasure and update the infection all over again upon a fresh install of Leopard.

The evidence:
Reset PRAM and NVRAM.
From install DVD, a new one I purchased at retail 2 days ago in shrinkwrap -
1. Disc utility, repartition HD to a new single partition.
2. Erase, Security option Zero out.
Disc utility reports the drive has been erased. 3 folders and 3 files remain on the new \volume\HD using 107 MB of space.
Apple tells me I can't see the EFI partition, so these folders can't be part of the EFI, right?

Install runs and reports errors that include not accepting custom options for the installation. Several folders and files related to iLife Media Browser are not overwritten by the install disc because a "newer version exists on the disc". That's from the install log. But we just wiped the drive clean.

How do I defeat this self repeating loop?!

How do I know if my install disc is compromised? Can you compare the following listing to yours?

This is the list of files on a DVD I purchased new at retail two days ago.
Displayed as a result of Terminal, BASH ls -a -l /.

1 root admin (time) ._DS_store
1 root wheel 2007 ._instructions
1 root wheel 2007 ._optional installs
12 _unknown _unknown (time) .fseventsd
2 root wheel 2007 .vol
3 root admin 2007 applications
3 root wheel 2007 install mac OSX.app
10 root wheel (time) Instructions
11 admin admin (time) Library
8 root wheel (time) optional installs
4 root wheel (time) System
40 root wheel (time) bin
2 root wheel (time) dev
1 root admin (time) etc -> private/etc
1 root wheel 2007 mach_kernel
5 root wheel (time) private
65 root wheel (time) sbin
1 root admin (time) tmp -> private/temp
8 root wheel (time) usr
1 root admin (time) var -> private/var

I'm exhausted chasing my tail on this. Any suggestions? My next plan is to say to hell with the hard drive and replace it but I don't know how I picked up the problem in the first place.

The local Apple Geniuses have looked at my log files once I made them really focus. Even though there were exclamations that "some of that looks fishy", there was no resolution. Level 2 AppleCare techs have simply sent me install discs for a MacBook to reinstall.

Thanks for taking the time to take a look. I really want to love being a new Mac convert. Really I do.

Dave
 
"Over time the Mac allows unknown user(s) to log into the computer, change permissions and eventually obtain root authority. Data is sent from the machine to the internet. Using a combination of ssh or telnet logins with AppleScript automation my machine is consistently compromised. Mouse movements are tracked, passwords are detected by a script that dupes me into thinking the system needs my password (though I recognize that one now). To what end I have no idea. "

Could you post some system log / console log entries where you see this?

If you have ALL options for sharing disabled, NO remote login allowed, and have firewall on (with only services you use), and use Little Snitch, what you describe should not happen. In addition to those, keep passwords secure, don't use back to my mac or screensharing, disable ARD and VNC for ALL users on that Mac, physically lock down USB (from having any keyloggers etc). If there is ANY user that would have VNC/ARD enabled, any user could be seen.. but as said, I'd love to have a look at the logs.
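Since the reply above asks for the relevant log entries, here is an added example (not code from the thread) of how to read them: a small Python parser for Leopard-era system.log records that pairs the USER_PROCESS/DEAD_PROCESS session records written by loginwindow and login, labels where each session came from, and pulls out the ntpd/ntpdate lines that explain a clock that drifts and then jumps by a few seconds. The sample lines are adapted from the log posted later in the thread plus one constructed ntpdate "step time" line; the year 2008 is assumed because syslog timestamps carry none.

```python
"""Summarise login sessions and clock-sync trouble from a Mac OS X 10.5
system.log. Added example for this thread, not code from the forum."""
import re
from datetime import datetime

# A Leopard syslog record: "Mon DD HH:MM:SS host process[pid]: message".
# "--- last message repeated N times ---" lines deliberately do not match.
RECORD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>.*?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# utmpx session records written by loginwindow (GUI) and login (tty).
SESSION_RE = re.compile(r"^(USER_PROCESS|DEAD_PROCESS): (\d+) (\S+)$")
# ntpd/ntpdate messages that explain why the clock drifts and then jumps.
NTP_RE = re.compile(
    r"No route to host|can't find host|no servers can be used|step time|adjust time")

LOG_YEAR = 2008  # assumed: syslog timestamps carry no year


def parse_record(line):
    """Return a dict for one record, or None for repeat/continuation lines."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(
        f"{LOG_YEAR} {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S")
    # loginwindow sometimes logs under its full bundle path; keep the basename
    rec["proc"] = rec["proc"].rsplit("/", 1)[-1]
    return rec


def session_kind(proc, tty):
    """Where a session record came from, judged by writer and utmpx line."""
    if proc == "loginwindow" and tty == "console":
        return "GUI login at the console"
    if proc == "login" and tty.startswith("ttys"):
        # Terminal.app spawns login on a pseudo-terminal; telnetd would too,
        # so confirm that service is off before reading this as purely local.
        return "shell on a pseudo-terminal via login"
    return f"other ({proc} on {tty})"


def summarize_sessions(lines):
    """Pair USER_PROCESS with DEAD_PROCESS per tty (the DEAD record's id is
    not always the pid, e.g. 'DEAD_PROCESS: 0 console'). Sessions are returned
    in the order they ended; still-open ones come last with end=None."""
    open_by_tty = {}
    sessions = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        sm = SESSION_RE.match(rec["msg"])
        if sm is None:
            continue
        kind, _sid, tty = sm.groups()
        if kind == "USER_PROCESS":
            open_by_tty[tty] = rec
            continue
        start = open_by_tty.pop(tty, None)
        duration = int((rec["when"] - start["when"]).total_seconds()) if start else None
        sessions.append({
            "tty": tty,
            "kind": session_kind((start or rec)["proc"], tty),
            "start": start["when"] if start else None,
            "end": rec["when"],
            "duration_s": duration,
        })
    for tty, start in open_by_tty.items():
        sessions.append({"tty": tty, "kind": session_kind(start["proc"], tty),
                         "start": start["when"], "end": None, "duration_s": None})
    return sessions


def time_sync_problems(lines):
    """(timestamp, message) for ntpd/ntpdate lines to correlate with clock jumps."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["proc"] in ("ntpd", "ntpdate", "org.ntp.ntpd") and NTP_RE.search(rec["msg"]):
            out.append((rec["when"], rec["msg"]))
    return out


# Sample input: lines adapted from the log posted in this thread, plus one
# constructed ntpdate "step time" line showing what a successful sync looks like.
SAMPLE_LOG = """\
May 20 00:31:11 driver207s-imac ntpdate[82]: can't find host time.apple.com
May 20 00:31:11 driver207s-imac ntpdate[82]: no servers can be used, exiting
May 20 00:31:42 driver207s-imac loginwindow[43]: USER_PROCESS: 43 console
May 20 00:41:33: --- last message repeated 1 time ---
May 20 01:35:31 driver207s-imac loginwindow[43]: DEAD_PROCESS: 0 console
May 21 13:21:31 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 14:04:47 driver207s-imac login[280]: USER_PROCESS: 280 ttys000
May 21 14:08:38 driver207s-imac login[280]: DEAD_PROCESS: 280 ttys000
May 21 15:00:01 driver207s-imac ntpdate[301]: step time server 17.151.16.21 offset 3.412 sec
"""

if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for s in summarize_sessions(sample):
        print(f"{s['tty']:8} {s['kind']:40} start={s['start']} end={s['end']} {s['duration_s']}s")
    for when, msg in time_sync_problems(sample):
        print(f"{when}  {msg}")
```

Run it against the real file with `summarize_sessions(open('/var/log/system.log').read().splitlines())`; a session on a ttys line that you did not open yourself, or one written by something other than loginwindow or login, is the thing to chase.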
 
Just to clear the decks of something:

It is impossible for your system, compromised or not, to write additional data to CD or DVD installation media that you bought at the store -- those discs are not writable at all, and are even physically dissimilar from writable CD-R or DVD-R discs that you would normally purchase to burn stuff on.

Short answer: it's not your installation media that's being compromised.

Can you try installing all the good stuff WITHOUT being connected to the internet? Physically pull the ethernet plug out while you're installing and setting passwords, and do not re-connect it until you're done with setting passwords and locking the system down.

It seems as though you're being quickly compromised... are you setting the same root password each time you reinstall? If so, and you have a static IP address, then it's completely possible that the hacker that obtained your password the first time is simply using it over again to re-compromise your system.

Could there be a machine on your network that is doing this? The speed at which you say you're being compromised leads me to think that perhaps another machine has been compromised on your network, allowing faster "cracks" since there's less delay than going over the internet.
 
I can't believe that someone demonstrating this level of detailed knowledge would think that his/her DVD is being written to.. That sounds suspicious to me. Hmmm. However, assuming you have some amazing new super hacker infection of your HDD partition that no one has ever heard of.. 1) Try booting off your MacOS Install disk & use the partitioning tools on it to nuke the partitions OR.. 2) try booting off a Knoppix or other Linux 'Live CD' & use the partitioning tools on it to nuke the partitions.. then reboot off your MacOS Install DVD & reinstall WITH THE ETHERNET CABLE UNPLUGGED. Leave the cable out until you have safely configured your Mac - Firewall on/Sharing Off etc.
 
First, thanks to all for taking the time to consider this issue.

Good to know that my optical drive can't write to the install discs. I've stopped assuming anything at this point. As far as knowledge about the other stuff - I've just been doing a ton of reading about mac specific and unix in general. Lots to learn.

I've used different passwords and user names each time through. No repeats. When I run the erase procedure and the install, the Ethernet cable is physically disconnected from the modem. I turn Airport off as soon as the OS enables it. Bluetooth remains on during the install. I can't figure out how to disable it during the install and there's no physical switch on the iMac, it's software controlled. I disable it as soon as the initial user account is active. I know it's on because I tried to pair my phone during the later phase of one of the installs and was successful. I've disabled that connection.

VNC? There's something to investigate. I don't understand what that is, but by this time tomorrow I will know a lot about it.

I notice that during boot up from the hd a line consistently appears that IPv6 is enabled, default accept, no detail log. I go into the network settings and turn off all IPv6 options I can find. Does that instruction during boot survive setting changes I make later? Is there another place a connection through that ip could live?

I will post some of the interesting log files on Wed.

Dave
 
Some info from the system...

Description: System events log
Size: 148 KB
Last Modified: 5/21/08 9:51 PM
Location: /var/log/system.log
Recent Contents: ...
May 20 00:31:05 localhost kernel[0]: BSD root: disk0s2, major 14, minor 2
May 20 00:31:05 localhost kernel[0]: Extension "com.apple.driver.AppleHIDKeyboard" has no explicit kernel dependency; using version 6.0.
May 20 00:31:05 localhost kernel[0]: Jettisoning kernel linker.
May 20 00:31:05 localhost kernel[0]: Resetting IOCatalogue.
May 20 00:31:05 localhost kernel[0]: Matching service count = 0
May 20 00:31:06: --- last message repeated 5 times ---
May 20 00:31:06 localhost kernel[0]: wl0: Broadcom BCM4328 802.11 Wireless Controller
May 20 00:31:06 localhost kernel[0]: 4.170.25.8.2
May 20 00:31:07 localhost kernel[0]: CSRHIDTransitionDriver::start []
May 20 00:31:08 localhost kernel[0]: CSRHIDTransitionDriver::switchToHCIMode legacy
May 20 00:31:08 localhost kernel[0]: USBF: 7.222 CSRHIDTransitionDriver[0x30fa300](IOUSBCompositeDevice) GetFullConfigDescriptor(0) returned NULL
May 20 00:31:08 localhost kernel[0]: CSRHIDTransitionDriver... done
May 20 00:31:08 localhost kernel[0]: E: [AppleUSBBluetoothHCIController][FindInterfaces] mInt0InterruptMaxPacketSize = 16
May 20 00:31:08 localhost bootlog[50]: BOOT_TIME: 1211257861 0
May 20 00:31:10 localhost DirectoryService[56]: Launched version 5.0 (v514)
May 20 00:31:10 localhost rpc.statd[38]: statd.notify - no notifications needed
May 20 00:31:10 localhost /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[43]: Login Window Application Started
May 20 00:31:10 localhost kernel[0]: yukon: Ethernet address 00:1e:c2:0a:c7:72
May 20 00:31:10 localhost fseventsd[45]: bumping event counter to: 0x3f72 (current 0x0) from log file '0000000000003d09'
May 20 00:31:10 localhost kernel[0]: AirPort_Brcm43xx: Ethernet address 00:1e:52:86:be:17
May 20 00:31:10 localhost kernel[0]: IPv6 packet filtering initialized, default to accept, logging disabled
May 20 00:31:10 localhost blued[68]: Apple Bluetooth daemon started.
May 20 00:31:10 localhost /usr/sbin/ocspd[75]: starting
May 20 00:31:10 localhost mDNSResponder mDNSResponder-164 (Nov 4 2007 13:23:04)[42]: starting
May 20 00:31:11 localhost kernel[0]: E: [AppleUSBBluetoothHCIController][StartInterruptPipeRead] there is alredy a pending read, skipping.
May 20 00:31:11 driver207s-imac org.ntp.ntpd[34]: Error : nodename nor servname provided, or not known
May 20 00:31:11 driver207s-imac ntpdate[82]: can't find host time.apple.com
May 20 00:31:11 driver207s-imac kernel[0]: [InterruptReadHandler] Received kIODeviceNotResponding error - retrying: 1.
May 20 00:31:11 driver207s-imac mDNSResponder[42]: SetDomainSecrets: mDNSKeychainGetSecrets failed error 0 CFArrayRef 00000000
May 20 00:31:11 driver207s-imac configd[48]: setting hostname to "driver207s-imac.local"
May 20 00:31:11 driver207s-imac ntpdate[82]: no servers can be used, exiting
May 20 00:31:16 driver207s-imac loginwindow[43]: Login Window Started Security Agent
May 20 00:31:16 driver207s-imac SecurityAgent[95]: NSExceptionHandler has recorded the following exception: \nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)\nStack trace: 0x3719a 0x91a2e09b 0x95ec704b 0x95ec708a 0x9014addf 0x900c8cb8 0x6f58a 0x6fdc9 0x594e1 0x6d847 0x615d9 0x6290e 0x6430d 0x62160 0x60c8e 0x663f4 0x76187 0xd648 0x12c40 0x129f3 0xd18a 0x90107f73 0x95e295c5 0x95e4d941 0x95e4dd38 0x913f88a4 0x913f86bd 0x913f8531 0x93ee8d5b 0x93ee86a0 0x93ee16d1 0x10fc7 0x202a 0x1
May 20 00:31:17 driver207s-imac kextd[10]: writing kernel link data to /var/run/mach.sym
May 20 00:31:42 driver207s-imac authorizationhost[94]: MechanismInvoke 0x124550 retainCount 2
May 20 00:31:42 driver207s-imac SecurityAgent[95]: MechanismInvoke 0x103c70 retainCount 1
May 20 00:31:42 driver207s-imac SecurityAgent[95]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...
May 20 00:31:42 driver207s-imac SecurityAgent[95]: NSExceptionHandler has recorded the following exception: \nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)\nStack trace: 0x3719a 0x91a2e09b 0x95ec704b 0x95ec708a 0x9014addf 0x900c8cb8 0x6f58a 0x6fdc9 0x594e1 0x6d847 0x615d9 0x6d7de 0x66471 0x76187 0xd648 0x12c40 0x129f3 0xd18a 0x90107f73 0x95e295c5 0x95e4d941 0x95e4dd38 0x913f88a4 0x913f86bd 0x913f8531 0x93ee8d5b 0x93ee86a0 0x93ee16d1 0x10fc7 0x202a 0x1
May 20 00:31:42 driver207s-imac SecurityAgent[95]: MechanismDestroy 0x103c70 retainCount 1
May 20 00:31:42 driver207s-imac loginwindow[43]: Login Window - Returned from Security Agent
May 20 00:31:42 driver207s-imac authorizationhost[94]: MechanismDestroy 0x124550 retainCount 2
May 20 00:31:42 driver207s-imac loginwindow[43]: USER_PROCESS: 43 console
May 20 00:31:42 driver207s-imac com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[89]): Exited: Terminated
May 20 00:31:45 driver207s-imac Dock[108]: _DESCRegisterDockExtraClient failed 268435459
May 20 00:31:47 driver207s-imac /System/Library/CoreServices/coreservicesd[64]: SFLSharePointsEntry::CreateDSRecord: dsCreateRecordAndOpen(Driver207's Public Folder) returned -14135
May 20 00:41:03 driver207s-imac System Preferences[181]: LSOpenFromURLSpec() returned -43 for application (null) path /var/log/appfirewall.log.
May 20 00:41:33: --- last message repeated 1 time ---
May 20 00:48:23 driver207s-imac SCHelper[212]: no command
May 20 00:48:23 driver207s-imac SCHelper[198]: no command
May 20 00:48:23 driver207s-imac SCHelper[190]: no command
May 20 00:48:23 driver207s-imac SCHelper[204]: no command
May 20 00:48:23 driver207s-imac SCHelper[186]: no command
May 20 00:48:23 driver207s-imac com.apple.launchd[99] ([0x0-0xe00e].com.apple.systempreferences[181]): Stray process with PGID equal to this dead job: PID 212 PPID 1 SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99] ([0x0-0xe00e].com.apple.systempreferences[181]): Stray process with PGID equal to this dead job: PID 204 PPID 1 SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99] ([0x0-0xe00e].com.apple.systempreferences[181]): Stray process with PGID equal to this dead job: PID 198 PPID 1 SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99] ([0x0-0xe00e].com.apple.systempreferences[181]): Stray process with PGID equal to this dead job: PID 190 PPID 1 SCHelper
May 20 00:48:23 driver207s-imac com.apple.launchd[99] ([0x0-0xe00e].com.apple.systempreferences[181]): Stray process with PGID equal to this dead job: PID 186 PPID 1 SCHelper
May 20 01:01:43 driver207s-imac PubSubAgent[294]: SQL Error: SQLITE_CANTOPEN[14.0]: Database file not found
May 20 01:09:36 driver207s-imac Automator[308]: The action “Add Movie to iDVD Menu” could not be loaded because the application “iDVD” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Add Photos to Album” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Apply SQL” could not be loaded because the application “Xcode” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Ask for Photos” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Build Xcode Project” could not be loaded because the application “Xcode” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “CVS Add” could not be loaded because the file “/usr/bin/cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “CVS Checkout” could not be loaded because the file “/usr/bin/cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “CVS Commit” could not be loaded because the file “/usr/bin/cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “CVS Update” could not be loaded because the file “/usr/bin/cvs” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Convert CSV to SQL” could not be loaded because the application “Xcode” was not found.
May 20 01:09:36 driver207s-imac Automator[308]: The action “Create Package” could not be loaded because the application “PackageMaker” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Enable or Disable Tracks” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Execute SQL” could not be loaded because the application “Xcode” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Export Movies” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Get Specified iPhoto Items” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Get iDVD Slideshow Images” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Hint Movies” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Import Files into iPhoto” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Initiate Remote Broadcast” could not be loaded because the application “QuickTime Broadcaster” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New Audio Capture” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New Video Capture” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New iDVD Menu” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New iDVD Movie Sequence” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New iDVD Slideshow” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “New iPhoto Album” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Open Keynote Presentations” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Pause Capture” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Play Movies” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Play iPhoto Slideshow” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Print Keynote Presentation” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Review Photos” could not be loaded because the application “iPhoto” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Set iDVD Background Image” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Set iDVD Button Face” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Show Main iDVD Menu” could not be loaded because the application “iDVD” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Show Next Keynote Slide” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Show Previous Keynote Slide” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Show Specified Keynote Slide” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Start Capture” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Start Keynote Slideshow” could not be loaded because the application “Keynote” was not found.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Stop Capture” could not be loaded because QuickTime Pro is required.
May 20 01:09:37 driver207s-imac Automator[308]: The action “Stop Keynote Slideshow” could not be loaded because the application “Keynote” was not found.
May 20 01:14:30 driver207s-imac com.apple.launchd[99] (0x109e00.Locum[320]): Exited: Terminated
May 20 01:16:26 driver207s-imac Script Editor[282]: -[SEResultController loadWindow]: failed to load window nib file '/Applications/AppleScript/Script Editor.app/Contents/Resources/English.lproj/SEResultWindow.nib'.
May 20 01:16:26: --- last message repeated 5 times ---
May 20 01:16:26 driver207s-imac Script Editor[282]: -[SEEventLogController loadWindow]: failed to load window nib file '/Applications/AppleScript/Script Editor.app/Contents/Resources/English.lproj/SEEventLogWindow.nib'.
May 20 01:16:26: --- last message repeated 5 times ---
May 20 01:16:26 driver207s-imac Script Editor[282]: -[SEPLibraryController loadWindow]: failed to load window nib file 'SEPLibraryWindow'.
May 20 01:16:56: --- last message repeated 5 times ---
May 20 01:20:59 driver207s-imac com.apple.launchd[99] (0x109bc0.Locum[329]): Exited: Terminated
May 20 01:31:07 driver207s-imac com.apple.launchd[99] ([0x0-0x15015].com.apple.speech.synthesis.SpeechSynthesisServer[252]): Exited: Killed
May 20 01:35:31 driver207s-imac loginwindow[43]: DEAD_PROCESS: 0 console
May 20 01:35:31 driver207s-imac shutdown[358]: halt by Driver207:
May 20 01:35:31 driver207s-imac shutdown[358]: SHUTDOWN_TIME: 1211261731 87145
May 20 18:48:05 localhost kernel[0]: npvhash=4095
May 20 18:48:05 localhost com.apple.launchctl.System[2]: launchctl: Please convert the following to launchd: /etc/mach_init.d/dashboardadvisoryd.plist
May 20 18:48:05 localhost com.apple.launchd[1] (org.cups.cupsd): Unknown key: SHAuthorizationRight
May 20 18:48:05 localhost com.apple.launchd[1] (org.ntp.ntpd): Unknown key: SHAuthorizationRight
May 20 18:48:05 localhost kextd[10]: 395 cached, 0 uncached personalities to catalog
May 20 18:48:05 localhost kernel[0]: hi mem tramps at 0xffe00000
May 20 18:48:05 localhost kernel[0]: PAE enabled
May 20 18:48:05 localhost kernel[0]: 64 bit mode enabled
May 20 18:48:05 localhost kernel[0]: Darwin Kernel Version 9.1.0: Wed Oct 31 17:46:22 PDT 2007; root:xnu-1228.0.2~1/RELEASE_I386
May 20 18:48:05 localhost kernel[0]: standard timeslicing quantum is 10000 us
May 20 18:48:05 localhost kernel[0]: vm_page_bootstrap: 253720 free pages and 8424 wired pages
May 20 18:48:05 localhost kernel[0]: mig_table_max_displ = 79
May 20 18:48:05 localhost kernel[0]: 89 prelinked modules
May 20 18:48:05 localhost kernel[0]: AppleACPICPU: ProcessorApicId=0 LocalApicId=0 Enabled
May 20 18:48:05 localhost kernel[0]: AppleACPICPU: ProcessorApicId=1 LocalApicId=1 Enabled
May 20 18:48:05 localhost kernel[0]: Loading security extension com.apple.security.TMSafetyNet
May 20 18:48:05 localhost kernel[0]: calling mpo_policy_init for TMSafetyNet
May 20 18:48:05 localhost kernel[0]: Security policy loaded: Safety net for Time Machine (TMSafetyNet)
May 20 18:48:05 localhost kernel[0]: Loading security extension com.apple.nke.applicationfirewall
May 20 18:48:05 localhost kernel[0]: Loading security extension com.apple.security.seatbelt
May 20 18:48:05 localhost kernel[0]: calling mpo_policy_init for mb
May 20 18:48:05 localhost kernel[0]: Seatbelt MACF policy initialized
May 20 18:48:05 localhost kernel[0]: Security policy loaded: Seatbelt Policy (mb)
May 20 18:48:05 localhost kernel[0]: Copyright (c) 1982, 1986, 1989, 1991, 1993
May 20 18:48:05 localhost kernel[0]: The Regents of the University of California. All rights reserved.
May 20 18:48:05 localhost kernel[0]: MAC Framework successfully initialized
May 20 18:48:05 localhost kernel[0]: using 5242 buffer headers and 4096 cluster IO buffer headers
May 20 18:48:05 localhost kernel[0]: devfs_make_node: not ready for devices!
May 20 18:48:05 localhost kernel[0]: IOAPIC: Version 0x20 Vectors 64:87
May 20 18:48:05 localhost kernel[0]: ACPI: System State [S0 S3 S4 S5] (S3)
May 20 18:48:05 localhost kernel[0]: mbinit: done
May 20 18:48:05 localhost kernel[0]: Security auditing service present
May 20 18:48:05 localhost kernel[0]: BSM auditing present
May 20 18:48:05 localhost kernel[0]: rooting via boot-uuid from /chosen: 659F2845-E9B9-3621-A7AE-B4755A01705C
May 20 18:48:05 localhost kernel[0]: Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOResources</string><key>IOResourceMatch</key><string ID="2">boot-uuid-media</string></dict>
May 20 18:48:05 localhost kernel[0]: FireWire (OHCI) Lucent ID 5901 built-in now active, GUID 001e52fffe63958a; max speed s800.
May 20 18:48:05 localhost kernel[0]: Got boot device = IOService:/AppleACPIPlatformExpert/PCI0/AppleACPIPCI/SATA@1F,2/AppleAHCI/PRT0@0/IOAHCIDevice@0/AppleAHCIDiskDriver/IOAHCIBlockStorageDevice/IOBlockStorageDriver/Hitachi HDT725025VLA380 Media/IOGUIDPartitionScheme/Untitled@2
May 20 18:48:05 localhost kernel[0]: BSD root: disk0s2, major 14, minor 2
May 20 18:48:05 localhost kernel[0]: CSRHIDTransitionDriver::start []
May 20 18:48:05 localhost kernel[0]: CSRHIDTransitionDriver::switchToHCIMode legacy
Ma
 
Quick Look and Command Line?

May 21 13:20:33 driver207s-imac Safari[169]: WARNING: PubSub SCGIProtocol got NetError CFURL error -1009; reporting NSError Error Domain=NSURLErrorDomain Code=-1009 UserInfo=0xd1cd9b0 "no Internet connection"
May 21 13:21:31 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:22:34 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:23:37 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:24:41 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:25:47 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:26:42 driver207s-imac SCHelper[147]: no command
May 21 13:26:42 driver207s-imac SCHelper[127]: no command
May 21 13:26:42 driver207s-imac SCHelper[110]: no command
May 21 13:26:42 driver207s-imac [0x0-0x10010].com.apple.systempreferences[105]: QTAudioDeviceContextCreate: AudioContextInitialize failed
May 21 13:26:43: --- last message repeated 2 times ---
May 21 13:26:42 driver207s-imac com.apple.launchd[81] ([0x0-0x10010].com.apple.systempreferences[105]): Stray process with PGID equal to this dead job: PID 147 PPID 1 SCHelper
May 21 13:26:42 driver207s-imac com.apple.launchd[81] ([0x0-0x10010].com.apple.systempreferences[105]): Stray process with PGID equal to this dead job: PID 127 PPID 1 SCHelper
May 21 13:26:42 driver207s-imac com.apple.launchd[81] ([0x0-0x10010].com.apple.systempreferences[105]): Stray process with PGID equal to this dead job: PID 110 PPID 1 SCHelper
May 21 13:26:52 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:27:57 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:30:06 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:30:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: Failed AUGraph:
May 21 13:30:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: CoreAudio failure!
May 21 13:34:24 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:38:42 driver207s-imac com.apple.quicklook[199]: failed to find start of cross-reference table.
May 21 13:38:42 driver207s-imac com.apple.quicklook[199]: missing or invalid cross-reference trailer.
May 21 13:42:55 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: failed to find start of cross-reference table.
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: missing or invalid cross-reference trailer.
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: failed to find start of cross-reference table.
May 21 13:45:50 driver207s-imac com.apple.quicklook[225]: missing or invalid cross-reference trailer.
May 21 13:51:27 driver207s-imac TextEdit[185]: Printing failed because PMSessionBeginCGDocumentNoDialog() returned -30872.
May 21 13:59:58 driver207s-imac ntpd[14]: sendto(17.151.16.21) (fd=23): No route to host
May 21 14:00:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: Failed AUGraph:
May 21 14:00:00 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: SpeechSynthesis: CoreAudio failure!
May 21 14:00:14 driver207s-imac SyncServer[267]: SyncServer: Reaping records for inactive clients. Next reap on 2008-07-05 14:00:14 -0400
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: failed to find start of cross-reference table.
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: missing or invalid cross-reference trailer.
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: failed to find start of cross-reference table.
May 21 14:01:06 driver207s-imac com.apple.quicklook[271]: missing or invalid cross-reference trailer.
May 21 14:02:36 driver207s-imac PubSubAgent[274]: SQL Error: SQLITE_CANTOPEN[14.0]: Database file not found
May 21 14:04:42 driver207s-imac com.apple.launchd[81] (0x1099b0.Locum[278]): Exited: Terminated
May 21 14:04:47 driver207s-imac login[280]: USER_PROCESS: 280 ttys000
May 21 14:08:38 driver207s-imac login[280]: DEAD_PROCESS: 280 ttys000
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: AudioUnitGraph 0x81CE1C:
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: Member Nodes:
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: node 1: desc uoua fed lppa, instance 0x0
May 21 14:08:55 driver207s-imac [0x0-0xe00e].com.apple.speech.synthesis.SpeechSynthesisServer[99]: node 2: desc ngua
 
Display issues? Power controls? X-Grid Agent?



May 21 21:16:27 driver207s-imac com.apple.launchd[116] (0x1082a0.Locum[231]): Exited: Terminated
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Contrast.monitorPanel/Contents/MacOS/Contrast and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Geometry.monitorPanel/Contents/MacOS/Geometry. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Geometry.monitorPanel/Contents/MacOS/Geometry.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Geometry.monitorPanel/Contents/MacOS/Geometry and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/VPT.monitorPanel/Contents/MacOS/VPT. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/VPT.monitorPanel/Contents/MacOS/VPT.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/VPT.monitorPanel/Contents/MacOS/VPT and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Bezel.monitorPanel/Contents/MacOS/Bezel. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Bezel.monitorPanel/Contents/MacOS/Bezel.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Bezel.monitorPanel/Contents/MacOS/Bezel and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/ExtendedTouchSwitch.monitorPanel/Contents/MacOS/ExtendedTouchSwitch. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/ExtendedTouchSwitch.monitorPanel/Contents/MacOS/ExtendedTouchSwitch.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/ExtendedTouchSwitch.monitorPanel/Contents/MacOS/ExtendedTouchSwitch and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/
PowerMode.monitorPanel/Contents/MacOS/PowerMode. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/PowerMode.monitorPanel/
Contents/MacOS/PowerMode.

May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/
Contents/Resources/PowerMode.monitorPanel/Contents/MacOS/PowerMode and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Authorization.monitorPanel/
Contents/MacOS/Authorization. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/Authorization.monitorPanel/Contents/MacOS/Authorization.
May 21 21:18:33 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236]: objc[236]: Class O3Panel is implemented in both /System/Library/MonitorPanels/AppleDisplay.monitorPanels/
Contents/Resources/Authorization.monitorPanel/Contents/MacOS/Authorization and /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/TVOptions.monitorPanel/Contents/
MacOS/TVOptions. Using implementation from /System/Library/MonitorPanels/AppleDisplay.monitorPanels/Contents/Resources/TVOptions.monitorPanel/Contents/MacOS/TVOptions.
May 21 21:20:15 driver207s-imac System Preferences[236]: Admin.xgridAgentControllerPassword: called without first being authenticated.
May 21 21:25:36 driver207s-imac System Preferences[236]: unable to find type: GIF image
May 21 21:25:36 driver207s-imac System Preferences[236]: unable to find type: Flash media
May 21 21:27:25 driver207s-imac [0x0-0x15015].com.apple.systempreferences[236
 
Printer errors? No printer has been connected to the machine since the install of the OS.

Description: Printer error log
Size: 17 KB
Last Modified: 5/21/08 9:51 PM
Location: /var/log/cups/error_log
Recent Contents: I [19/May/2008:21:22:57 -0700] Listening to ::1:631 (IPv6)
I [19/May/2008:21:22:57 -0700] Listening to ::1:631 (IPv6)
I [19/May/2008:21:22:57 -0700] Listening to 127.0.0.1:631 (IPv4)
I [19/May/2008:21:22:57 -0700] Listening to /private/var/run/cupsd (Domain)
I [19/May/2008:21:22:57 -0700] Loaded configuration file "/private/etc/cups/cupsd.conf"
I [19/May/2008:21:22:57 -0700] Using default TempDir of /private/var/spool/cups/tmp...
I [19/May/2008:21:22:57 -0700] Configured for up to 100 clients.
I [19/May/2008:21:22:57 -0700] Allowing up to 100 client connections per host.
I [19/May/2008:21:22:57 -0700] Using policy "default" as the default!
I [19/May/2008:21:22:57 -0700] Full reload is required.
I [19/May/2008:21:22:57 -0700] Loaded MIME database from '/private/etc/cups': 52 types, 48 filters...
I [19/May/2008:21:22:58 -0700] Full reload complete.
I [19/May/2008:21:22:58 -0700] Cleaning out old temporary files in "/private/var/spool/cups/tmp"...
I [19/May/2008:21:22:58 -0700] Listening to ::1:631 on fd 4...
E [19/May/2008:21:22:58 -0700] Unable to bind socket for address ::1:631 - Address already in use.
I [19/May/2008:21:22:58 -0700] Listening to 127.0.0.1:631 on fd 6...
I [19/May/2008:21:22:58 -0700] Listening to /private/var/run/cupsd on fd 7...
I [19/May/2008:21:22:58 -0700] Resuming new connection processing...
I [20/May/2008:00:27:29 -0400] Scheduler shutting down normally.
I [20/May/2008:00:27:29 -0400] Saving job cache file "/private/var/spool/cups/cache/job.cache"...
I [20/May/2008:00:40:58 -0400] Listening to ::1:631 (IPv6)
I [20/May/2008:00:40:58 -0400] Listening to ::1:631 (IPv6)
I [20/May/2008:00:40:58 -0400] Listening to 127.0.0.1:631 (IPv4)
I [20/May/2008:00:40:58 -0400] Listening to /private/var/run/cupsd (Domain)
I [20/May/2008:00:40:58 -0400] Loaded configuration file "/private/etc/cups/cupsd.conf"
I [20/May/2008:00:40:58 -0400] Using default TempDir of /private/var/spool/cups/tmp...
I [20/May/2008:00:40:58 -0400] Configured for up to 100 clients.
I [20/May/2008:00:40:58 -0400] Allowing up to 100 client connections per host.
I [20/May/2008:00:40:58 -0400] Using
 
Log in sequence:



May 21 12:59:31 localhost kernel[0]: IPv6 packet filtering initialized, default to accept, logging disabled
May 21 12:59:31 localhost blued[47]: Apple Bluetooth daemon started.
May 21 12:59:33 driver207s-imac org.ntp.ntpd[14]: Error : nodename nor servname provided, or not known
May 21 12:59:32 driver207s-imac /usr/sbin/ocspd[51]: starting
May 21 12:59:32 driver207s-imac mDNSResponder mDNSResponder-164 (Nov 4 2007 13:23:04)[22]: starting
May 21 12:59:33 driver207s-imac ntpdate[58]: can't find host time.apple.com
May 21 12:59:33 driver207s-imac ntpdate[58]: no servers can be used, exiting
May 21 12:59:33 driver207s-imac mDNSResponder[22]: SetDomainSecrets: mDNSKeychainGetSecrets failed error 0 CFArrayRef 00000000
May 21 12:59:33 driver207s-imac configd[28]: setting hostname to "driver207s-imac.local"
May 21 12:59:36 driver207s-imac kernel[0]: AppleYukon2: 00000000,00000000 sk98osx_dnet - recovering from missed interrupt
May 21 12:59:36 driver207s-imac kextd[10]: writing kernel link data to /var/run/mach.sym
May 21 12:59:37 driver207s-imac loginwindow[23]: Login Window Started Security Agent
May 21 13:00:08 driver207s-imac authorizationhost[76]: MechanismInvoke 0x12aa40 retainCount 2
May 21 13:00:08 driver207s-imac SecurityAgent[77]: MechanismInvoke 0x103cb0 retainCount 1
May 21 13:00:08 driver207s-imac SecurityAgent[77]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...
May 21 13:00:08 driver207s-imac SecurityAgent[77]: NSExceptionHandler has recorded the following exception:\nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)\nStack trace: 0x3719a 0x91a2e09b 0x95ec704b 0x95ec708a 0x9014addf 0x900c8cb8 0x6f58a 0x6fdc9 0x594e1 0x6d847 0x615d9 0x5ca87 0x66471 0x76187 0xd648 0x12c40 0x129f3 0xd18a 0x90107f73 0x95e295c5 0x95e4d941 0x95e4dd38 0x913f88a4 0x913f86bd 0x913f8531 0x93ee8d5b 0x93ee86a0 0x93ee16d1 0x10fc7 0x202a 0x1
May 21 13:00:08 driver207s-imac SecurityAgent[77]: MechanismDestroy 0x103cb0 retainCount 1
May 21 13:00:08 driver207s-imac loginwindow[23]: Login Window - Returned from Security Agent
May 21 13:00:08 driver207s-imac authorizationhost[76]: MechanismDestroy 0x12aa40 retainCount 2
May 21 13:00:08 driver207s-imac loginwindow[23]: USER_PROCESS: 23 console
May 21 13:00:09 driver207s-imac com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[72]): Exited: Terminated
 
I don't see anything out-of-the-ordinary with that log file.

Even the bold lines seem normal: ttys is the local terminal, as if someone was sitting at the keyboard, if I'm not mistaken.
 
CUPS will start whether you have printers set up or not.

It's perfectly normal to see "error" messages throughout your system log files -- more often than not, it's the system operating normally (normal systems have error conditions arise ALL the time -- and the system "handles" those errors in a graceful way). Just because you see a message that looks like something "crashed" or has the words "error" or "cannot find" or any negative wording like that does NOT mean that anything out-of-the-ordinary is happening.
 
What is happening here with accounts and Root?


5/20/08 12:22:46 AM kernel [InterruptReadHandler] Received kIODeviceNotResponding error - retrying: 1.
5/20/08 12:22:47 AM kextd[10] writing kernel link data to /var/run/mach.sym
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] launchctl: Error unloading: com.apple.kdcmond
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q add_principal -randkey afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] WARNING: no policy specified for afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957; defaulting to no policy
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password.
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Principal "afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957" created.
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q ktadd afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password.
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Entry for principal afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Entry for principal afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] Entry for principal afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:47 AM com.apple.configureLocalKDC[48] /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal afpserver/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q add_principal -randkey cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] WARNING: no policy specified for cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957; defaulting to no policy
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Principal "cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957" created.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q ktadd cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal cifs/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server LocalKerberosRealm LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q add_principal -randkey vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] WARNING: no policy specified for vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957; defaulting to no policy
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Principal "vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957" created.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] /usr/sbin/kadmin.local-q ktadd vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Authenticating as principal root/admin@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with password.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] Entry for principal vnc/LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957@LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957 with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
5/20/08 12:22:48 AM com.apple.configureLocalKDC[48] LKDC:SHA1.799D5486B766D00C679E939993EF9588EDA6B957
5/20/08 12:22:50 AM com.apple.ATSServer[113] FODBCheck: New annex file created
5/20/08 12:22:52 AM kernel AppleYukon2: 00000000,00000000 sk98osx_dnet - recovering from missed interrupt
5/20/08 12:22:52 AM mDNSResponder[42] Couldn't read user-specified Computer Name; using default “Macintosh-001EC20AC772” instead
5/20/08 12:22:52 AM mDNSResponder[42] Couldn't read user-specified local hostname; using default “Macintosh-001EC20AC772.local” instead
5/20/08 12:22:53 AM mDNSResponder[42] SetDomainSecrets: mDNSKeychainGetSecrets failed error 0 CFArrayRef 00000000
5/20/08 12:22:53 AM loginwindow[43] USER_PROCESS: 43 console
5/20/08 12:22:53 AM loginwindow[43] Folder Manager is being asked to create a folder (asav) while running as uid 0
5/20/08 12:22:54 AM mDNSResponder[42] Couldn't read user-specified Computer Name; using default “Macintosh-001EC20AC772” instead
5/20/08 12:22:54 AM mDNSResponder[42] Couldn't read user-specified local hostname; using default “Macintosh-001EC20AC772.local” instead
5/20/08 12:22:55 AM [0x0-0x4004].com.apple.SetupAssistant[123] ...System identity already exists for domain com.apple.systemdefault. Done.
5/20/08 12:22:56 AM KernelEventAgent[56] tid 00000000 received unknown event (256)
5/20/08 12:22:58 AM /System/Library/CoreServices/Setup Assistant.app/Contents/MacOS/Setup Assistant[123] _MDSuspendIndexing() 1
5/20/08 12:22:59 AM kernel AppleYukon2: 00000000,00000000 sk98osx_dnet - recovering from missed interrupt
5/20/08 12:23:00 AM /System/Library/CoreServices/Setup Assistant.app/Contents/MacOS/Setup Assistant[123] will start movie

5/20/08 12:25:13 AM mDNSResponder[42] Couldn't read user-specified local hostname; using default “Macintosh-001EC20AC772.local” instead
5/20/08 12:25:13 AM mDNSResponder[42] User updated Computer Name from Macintosh-001EC20AC772 to Driver207’s iMac
5/20/08 12:25:13 AM configd[49] setting hostname to "driver207s-imac.local"
5/20/08 12:25:13 AM mDNSResponder[42] User updated Local Hostname from Macintosh-001EC20AC772 to driver207s-imac
5/20/08 12:25:31 AM org.ntp.ntpd[212] Error : nodename nor servname provided, or not known
5/20/08 12:25:31 AM ntpdate[214] can't find host time.apple.com

5/20/08 12:25:31 AM ntpdate[214] no servers can be used, exiting
5/20/08 12:25:38 AM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[118]) Exited: Terminated
5/20/08 12:25:38 AM /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[218] Login Window Application Started
5/20/08 12:25:39 AM loginwindow[218] Login Window Started Security Agent
5/20/08 12:25:39 AM com.apple.KerberosAutoConfig[225] The machine is standalone
5/20/08 12:25:39 AM com.apple.KerberosAutoConfig[225] Removing /Library/Preferences/edu.mit.Kerberos
5/20/08 12:25:40 AM SecurityAgent[227] User info context values set
5/20/08 12:25:40 AM SecurityAgent[227] Login Window done
5/20/08 12:25:40 AM loginwindow[218] Login Window - Returned from Security Agent
5/20/08 12:25:40 AM loginwindow[218] USER_PROCESS: 218 console
5/20/08 12:25:40 AM com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[226]) Exited: Terminated
5/20/08 12:25:42 AM com.apple.ATSServer[241] FODBCheck: New annex file created
5/20/08 12:25:42 AM /System/Library/CoreServices/coreservicesd[68] SFLSharePointsEntry::CreateDSRecord: dsCreateRecordAndOpen(Driver207's Public Folder) returned -14135
5/20/08 12:25:47 AM Finder[240] [QL ERROR] Generator database update takes too long... we will use what we currently have
5/20/08 12:25:47 AM [0x0-0xf00f].SoftwareUpdateCheck[246] SoftwareUpdateCheck: network unreachable
5/20/08 12:25:47 AM com.apple.launchd[190] ([0x0-0xf00f].SoftwareUpdateCheck[246]) Exited with exit code: 3
5/20/08 12:25:49 AM KernelEventAgent[56] tid 00000000 received unknown event (12)
5/20/08 12:25:50 AM SyncServer[259] SyncServer: Reaping records for inactive clients. Next reap on 2008-07-04 00:25:50 -0400
5/20/08 12:27:12 AM kernel IPv6 packet filtering initialized, default to accept, logging disabled
5/20/08 12:27:28 AM SCHelper[283] no command
5/20/08 12:27:28 AM com.apple.launchd[190] ([0x0-0x14014].com.apple.systempreferences[272]) Stray process with PGID equal to this dead job: PID 283 PPID 1 SCHelper
5/20/08 12:27:29 AM loginwindow[218] DEAD_PROCESS: 0 console
5/20/08 12:27:29 AM shutdown[294] reboot by Driver207:
5/20/08 12:27:29 AM com.apple.loginwindow[218] Shutdown NOW!
5/20/08 12:27:29 AM SystemStarter[55] "/System/Library/StartupItems" failed sanity check: path was created after boot up
5/20/08 12:27:29 AM shutdown[294] SHUTDOWN_TIME: 1211257649 287603
5/20/08 12:28:21 AM com.apple.launchctl.System[2] launchctl: Please convert the following to launchd: /etc/mach_init.d/dashboardadvisoryd.plist
5/20/08 12:28:21 AM com.apple.launchd[1] (org.cups.cupsd) Unknown key: SHAuthorizationRight
5/20/08 12:28:21 AM com.apple.launchd[1] (org.ntp.ntpd) Unknown key: SHAuthorizationRight
5/20/08 12:28:22 AM kernel npvhash=4095
5/20/08 12:28:21 AM kextd[10] 395 cached, 0 uncached personalities to catalog
5/20/08 12:28:22 AM kernel hi mem tramps at 0xffe00000
5/20/08 12:28:22 AM kernel PAE enabled
5/20/08 12:28:22 AM kernel 64 bit mode enabled
5/20/08 12:28:22 AM kernel Darwin Kernel Version 9.1.0: Wed Oct 31 17:46:22 PDT 2007; root:xnu-1228.0.2~1/RELEASE_I386
5/20/08 12:28:22 AM kernel standard timeslicing quantum is 10000 us
5/20/08 12:28:22 AM kernel vm_page_bootstrap: 254508 free pages and 7636 wired pages
5/20/08 12:28:22 AM kernel mig_table_max_displ = 79
5/20/08 12:28:22 AM kernel Extension "com.apple.driver.AppleACPIPlatform" has immediate dependencies
 
Do you play World of Warcraft? And have you been duped into viewing some of those account trading/gold buying sites?
 
Oh and if you haven't already done it, download Little Snitch and have that running at all times. Helps you prevent unauthorized connections to the internet.
 
Re: Terminal - that's the point. NO ONE was supposed to be using terminal.
If your system is booted and the Login window is being displayed, then yes, a "Terminal session" of sorts is running.

Here's some output from my system log, and my system has not ever been compromised:
Code:
exception:\nNSRangeException -- *** -[NSCFArray objectAtIndex:]: index (0) beyond bounds (0)\nStack trace:  0x3719a  0x915f60fb  0x962e102b  0x962e106a  0x95e2d3df  0x95dab218  0x70568  0x70da7  0x5a451  0x6e825  0x62549  0x6e7bc  0x6744e  0x77165  0xd648  0x12c40  0x129f3  0xd18a  0x95dea4d3  0x96243555  0x96267921  0x96267d18  0x94ba56a0  0x94ba54b9  0x94ba532d  0x940c67d9  0x940c608e  0x940bf0c5  0x10fc7  0x202a  0x1

May 22 07:43:04 Pipsqueak com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[28920]): Exited: Terminated
May 22 08:54:59 Pipsqueak /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[29938]: Login Window Application Started
May 22 08:55:01 Pipsqueak loginwindow[29938]: Login Window Started Security Agent
May 22 10:14:01 Pipsqueak loginwindow[29938]: Login Window - Returned from Security Agent
May 22 10:14:01 Pipsqueak com.apple.launchd[1] (com.apple.UserEventAgent-LoginWindow[29947]): Exited: Terminated
May 22 11:28:44 Pipsqueak loginwindow[28916]: DEAD_PROCESS: 0 console
May 22 11:28:44 Pipsqueak loginwindow[28916]: CGSShutdownServerConnections: Detaching application from window server

I think what you're seeing is perfectly normal, in my opinion. Even though no one is physically logged in as "root," some processes will run as root, like fileservers and vnc servers and what-not.
 
Two additional issues that I noticed yesterday when on the machine.

On Tuesday night I stopped poking around on the machine at 10:30pm. Shut it down. Not sleep, but shut down. Prior to shut down I put Ethernet, Firewire, Bluetooth and Airport services in "Inactive". The ethernet cable continued to be disconnected from the machine.

Upon turning the machine back on on Wednesday afternoon I noticed that my "Library" folder indicated several files had been modified at 12:25am that morning. The files are all related to user id information in the application support area. I had physical control of the machine at that time and know for certain that neither I nor my wife turned on the box or connected a cable to it. The power cord was still plugged in, but the machine did not show any sign of waking up - at least not turning on the screen.

In the power options I have it set to not wake on Ethernet/Lan and to not respond to wake up on Bluetooth.

So how did those files get modified to reflect a time 2 1/2 hours after I shut down the machine?

I was awake at that time and was using my iPhone to read email, etc. This iPhone and iMac have been paired via bluetooth in the past. I know the iPhone isn't setup to do anything with the mac, but I tried it anyway and successfully paired them together. I had since deleted any pairing, but wonder if somehow I have a process running in the background on the iPhone that lets the machines talk to each other and connect over the AT&T Edge network? If I have odd stuff happening on the mac and have synced the phone with the mac through iTunes I wonder if I've put some file on the iPhone that doesn't belong?


The other:
I turned on the machine last night and upon login I noticed that my network preferences pane had the little lock symbol "unlocked" and options had changed, including "disconnect upon logout". In the file sharing preference pane the "everyone" group had been re-enabled for access vs. my previous setting to deny access.

There's no way I mistakenly left those preferences changed like that or left the little lock unlocked. I'm paying way too much attention to every detail at this point. I locked it back down.

I've enabled the verbose display on start up and shut down and have noticed when logging out and shutting down the net and home volumes fail to dismount every time.

I now unplug the electricity from the machine after shut down.


I haven't turned it on today but will look at that again tonight.
 
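Added example, not written by anyone in this thread: a small Python script that runs two checks over the log excerpts quoted above. The first pairs the USER_PROCESS / DEAD_PROCESS records into login sessions, with the tty and the process that wrote them, which is what the question about the ttys000 lines earlier in the thread comes down to. The second asks whether the clock behind those timestamps can be trusted before a file's modification time is taken as evidence of activity after shutdown: it flags entries that run backwards (the boot excerpt has 12:59:33 followed by 12:59:32, and ntpdate could not reach time.apple.com) and changes of UTC offset between entries (the CUPS error_log switches from -0700 to -0400 across a restart). The sample lines are copies of lines already on this page; the year 2008 for the syslog lines, which carry none, is an assumption taken from the dated excerpts.

```python
"""Two checks over the log excerpts quoted in this thread (added example, not from the thread).

Formats handled: syslog ("May 21 14:04:47 host proc[pid]: msg"), the CUPS error_log
("I [19/May/2008:21:22:57 -0700] msg") and Console.app exports ("5/20/08 12:22:47 AM proc[pid] msg").
"""
import re
from datetime import datetime

ASSUMED_YEAR = 2008  # syslog lines carry no year; assumed from the dated excerpts on the page

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
                       r"(?P<proc>.+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CUPS_RE = re.compile(r"^[IEWD] \[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (?P<msg>.*)$")
CONSOLE_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
                        r"(?P<proc>\S+?)(?:\[(?P<pid>\d+)\])? (?P<msg>.*)$")
SESSION_RE = re.compile(r"^(USER_PROCESS|DEAD_PROCESS): (\d+) (\S+)$")


def parse_line(line):
    """Return {"wall": time as logged (naive), "utc": aware time or None, "offset", "proc", "msg"}."""
    if m := SYSLOG_RE.match(line):
        wall = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"wall": wall, "utc": None, "offset": None, "proc": m["proc"], "msg": m["msg"]}
    if m := CUPS_RE.match(line):
        aware = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return {"wall": aware.replace(tzinfo=None), "utc": aware, "offset": m["ts"][-5:],
                "proc": "cupsd", "msg": m["msg"]}
    if m := CONSOLE_RE.match(line):
        wall = datetime.strptime(m["ts"], "%m/%d/%y %I:%M:%S %p")
        return {"wall": wall, "utc": None, "offset": None, "proc": m["proc"], "msg": m["msg"]}
    return None  # unknown format: skipped, never guessed


def parse_excerpt(text):
    return [r for r in (parse_line(line.rstrip()) for line in text.splitlines()) if r]


def clock_anomalies(records):
    """Flag consecutive entries whose wall clock runs backwards or whose UTC offset changes."""
    findings = []
    for prev, cur in zip(records, records[1:]):
        if cur["wall"] < prev["wall"]:
            findings.append({"kind": "backwards", "from": prev["wall"], "to": cur["wall"],
                             "seconds": int((prev["wall"] - cur["wall"]).total_seconds())})
        if prev["offset"] and cur["offset"] and prev["offset"] != cur["offset"]:
            # the wall clock moved with the offset; the real elapsed time is the UTC difference
            findings.append({"kind": "offset_change", "from": prev["offset"], "to": cur["offset"],
                             "seconds": int((cur["utc"] - prev["utc"]).total_seconds())})
    return findings


def login_sessions(records):
    """Pair each USER_PROCESS record with the next DEAD_PROCESS on the same tty (utmpx-style)."""
    open_by_tty, sessions = {}, []
    for r in records:
        m = SESSION_RE.match(r["msg"])
        if not m:
            continue
        kind, _pid, tty = m.groups()
        if kind == "USER_PROCESS":
            open_by_tty[tty] = {"tty": tty, "by": r["proc"], "start": r["wall"], "end": None}
            sessions.append(open_by_tty[tty])
        elif tty in open_by_tty:
            open_by_tty.pop(tty)["end"] = r["wall"]
        else:  # a logout with no matching login inside this excerpt
            sessions.append({"tty": tty, "by": r["proc"], "start": None, "end": r["wall"]})
    for s in sessions:
        s["seconds"] = int((s["end"] - s["start"]).total_seconds()) if s["start"] and s["end"] else None
    return sessions


# Constructed samples: copies of lines that appear in this thread, nothing invented.
SYSLOG_EXCERPT = """\
May 21 12:59:33 driver207s-imac org.ntp.ntpd[14]: Error : nodename nor servname provided, or not known
May 21 12:59:32 driver207s-imac /usr/sbin/ocspd[51]: starting
May 21 12:59:33 driver207s-imac ntpdate[58]: can't find host time.apple.com
May 21 13:00:08 driver207s-imac loginwindow[23]: USER_PROCESS: 23 console
May 21 14:04:47 driver207s-imac login[280]: USER_PROCESS: 280 ttys000
May 21 14:08:38 driver207s-imac login[280]: DEAD_PROCESS: 280 ttys000
"""
CUPS_EXCERPT = """\
I [19/May/2008:21:22:57 -0700] Listening to 127.0.0.1:631 (IPv4)
I [19/May/2008:21:22:58 -0700] Resuming new connection processing...
I [20/May/2008:00:27:29 -0400] Scheduler shutting down normally.
I [20/May/2008:00:40:58 -0400] Listening to 127.0.0.1:631 (IPv4)
"""
CONSOLE_EXCERPT = """\
5/20/08 12:25:40 AM loginwindow[218] USER_PROCESS: 218 console
5/20/08 12:27:29 AM loginwindow[218] DEAD_PROCESS: 0 console
5/20/08 12:27:29 AM shutdown[294] reboot by Driver207:
5/20/08 12:28:22 AM kernel npvhash=4095
5/20/08 12:28:21 AM kextd[10] 395 cached, 0 uncached personalities to catalog
"""

if __name__ == "__main__":
    for name, text in (("syslog", SYSLOG_EXCERPT), ("cups error_log", CUPS_EXCERPT),
                       ("Console export", CONSOLE_EXCERPT)):
        recs = parse_excerpt(text)
        print(f"== {name}: {len(recs)} lines parsed")
        for f in clock_anomalies(recs):
            print("  clock:", f)
        for s in login_sessions(recs):
            print("  session:", s)
```

Reading the CUPS result: the two entries on either side of the offset change are 3 hours 4 minutes apart on the wall clock but 271 seconds apart in UTC, so the clock reading moved because the offset moved, not because three hours passed. The same reasoning applies to a file's mtime: it is a reading of the local clock at that moment, so it only says something about what happened "at 12:25am" if the clock's offset and sync state for that period are known, and with ntpdate failing here they are not. On the machine itself, `last` (which reads the same utmpx records the USER_PROCESS / DEAD_PROCESS lines come from) gives the session list without any parsing.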