Suspect someone trying to get into my system


reifreak

I have a Mac Mini running Yosemite 10.10.3. It's in a generally open area, so physical security is a bit of a concern. I'm the only user with an account on the system. I have guest access disabled. I have set a password on recovery mode. 

 

Recently I've become suspicious that someone may be trying to get some files off my machine or gain access to install remote/spy software. I found that this had happened on one of my Windows-based PCs in the past, which is why I went with a Mac this time. I'll attach a log file that shows activity from the time I logged out of it yesterday until the time I logged in next (this morning at 8:35).

 

I'm a noob to the Apple universe, so some parts of the log may look alarming to me but be harmless. I would be grateful to the community and anyone who could review the log file for anything out of the usual. I would like to call attention to a few entries:

 

6/30/15 5:45:01.017 AM com.apple.xpc.launchd[1]: (com.apple.quicklook[56530]) Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook

 

And this series:

6/30/15 5:45:24.000 AM kernel[0]: hfs: mounted Recovery HD on device disk0s3

6/30/15 5:45:24.864 AM mds[58]: (Volume.Normal:2464) volume:0x7fd628881000 ********** Bootstrapped Creating a default store:0 SpotLoc:(null) SpotVerLoc:(null) occlude:0 /Volumes/Recovery HD

6/30/15 5:45:24.866 AM mdworker[56249]: (ImportBailout.Error:1325) Asked to exit for Diskarb

6/30/15 5:45:24.868 AM mdworker[56398]: (ImportBailout.Error:1325) Asked to exit for Diskarb

6/30/15 5:45:24.871 AM mdworker[56496]: (ImportBailout.Error:1325) Asked to exit for Diskarb

6/30/15 5:45:24.873 AM mdworker[56397]: (ImportBailout.Error:1325) Asked to exit for Diskarb

6/30/15 5:45:24.903 AM fseventsd[45]: Logging disabled completely for device:1: /Volumes/Recovery HD

6/30/15 5:45:25.000 AM kernel[0]: hfs: unmount initiated on Recovery HD on device disk0s3

6/30/15 5:45:26.920 AM softwareupdate_download_service[46785]:  securityd_message_with_reply_sync Failed to talk to secd after 4 attempts.

6/30/15 5:45:26.920 AM softwareupdate_download_service[46785]:  SecOSStatusWith error:[-25291] The operation couldn’t be completed. (com.apple.security.xpc error 3 - <connection: 0x7f9ad3c45880> { name = com.apple.securityd.xpc, listener = false, pid = 0, euid = 4294967295, egid = 4294967295, asid = 4294967295 }: Connection invalid)
 
Another set of eyes on the log as a whole would be great. I know this is asking a lot of the community. All my techie colleagues that I usually go over these things with are strictly MS. Thank you in advance for the help!
 

2015 06-29 to 06-30 night log.rtf

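A way to do the "set of eyes on the log" pass yourself, added here as an example and not part of the original post: the script below parses the Yosemite system.log format quoted above (`M/D/YY h:mm:ss.mmm AM process[pid]: message`), keeps only entries that fall inside the window when nobody should have been at the keyboard, and tags the ones a reviewer would look at first (Recovery HD mount/unmount, launchd service activity, securityd errors, Spotlight importer churn). The sample lines are taken from the post plus one constructed line after login to show the filtering; the 10 pm start of the window is an assumption based on the poster's "never past 10pm", the 8:35 am end comes from the post.

```python
"""Triage a window of macOS system.log lines (added example, not the thread's own code)."""
import re
from datetime import datetime

# "6/30/15 5:45:24.864 AM mds[58]: (Volume.Normal:2464) ..." -> stamp / proc / pid / msg
LINE_RE = re.compile(
    r"^(?P<stamp>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}(?:\.\d+)? (?:AM|PM)) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)

# Message patterns worth a second look when the machine is supposed to be idle.
MSG_PATTERNS = {
    "volume-mount": re.compile(r"hfs: (mounted|unmount initiated)"),
    "recovery-volume": re.compile(r"Recovery HD"),
    "securityd-error": re.compile(r"secd|securityd|SecOSStatus"),
}
# Process names that map straight to a category.
PROC_CATEGORIES = {
    "com.apple.xpc.launchd": "launchd",
    "launchd": "launchd",
    "mds": "spotlight",
    "mdworker": "spotlight",
}

# Assumed unattended window: logged out by 10 pm on 6/29, logged in 8:35 am on 6/30.
WINDOW_START = datetime(2015, 6, 29, 22, 0)
WINDOW_END = datetime(2015, 6, 30, 8, 35)

# Constructed sample: the lines quoted in the post, plus one line after login (last) to
# show that entries outside the window are dropped.
SAMPLE_LOG = """
6/30/15 5:45:01.017 AM com.apple.xpc.launchd[1]: (com.apple.quicklook[56530]) Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
6/30/15 5:45:24.000 AM kernel[0]: hfs: mounted Recovery HD on device disk0s3
6/30/15 5:45:24.864 AM mds[58]: (Volume.Normal:2464) volume:0x7fd628881000 ********** Bootstrapped Creating a default store:0 SpotLoc:(null) SpotVerLoc:(null) occlude:0 /Volumes/Recovery HD
6/30/15 5:45:24.866 AM mdworker[56249]: (ImportBailout.Error:1325) Asked to exit for Diskarb
6/30/15 5:45:24.903 AM fseventsd[45]: Logging disabled completely for device:1: /Volumes/Recovery HD
6/30/15 5:45:25.000 AM kernel[0]: hfs: unmount initiated on Recovery HD on device disk0s3
6/30/15 5:45:26.920 AM softwareupdate_download_service[46785]:  securityd_message_with_reply_sync Failed to talk to secd after 4 attempts.
6/30/15 9:02:10.000 AM kernel[0]: hfs: mounted Recovery HD on device disk0s3
"""


def parse_line(line):
    """Return a dict for one log line, or None for blank/continuation lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = m.group("stamp")
    fmt = "%m/%d/%y %I:%M:%S.%f %p" if "." in stamp else "%m/%d/%y %I:%M:%S %p"
    return {
        "ts": datetime.strptime(stamp, fmt),
        "proc": m.group("proc"),
        "pid": int(m.group("pid")),
        "msg": m.group("msg"),
    }


def classify(entry):
    """List the review categories an entry belongs to (empty list = not interesting)."""
    cats = [name for name, rx in MSG_PATTERNS.items() if rx.search(entry["msg"])]
    proc_cat = PROC_CATEGORIES.get(entry["proc"])
    if proc_cat:
        cats.append(proc_cat)
    return cats


def triage(lines, window_start, window_end):
    """Entries inside the window that matched at least one category, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not (window_start <= entry["ts"] <= window_end):
            continue
        cats = classify(entry)
        if cats:
            entry["categories"] = cats
            findings.append(entry)
    return findings


def summarize(findings):
    """Count findings per category so a long log can be skimmed first."""
    counts = {}
    for f in findings:
        for c in f["categories"]:
            counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines(), WINDOW_START, WINDOW_END)
    for h in hits:
        print(h["ts"].isoformat(sep=" "), h["proc"], ",".join(h["categories"]), "|", h["msg"][:60])
    print(summarize(hits))
```

To use it on the attached log, export the RTF as plain text and pass its lines to `triage` with your own logout and login times. The categories only decide what gets surfaced; whether a Recovery HD mount at 5:45 am is a scheduled softwareupdate check or someone at the keyboard is a judgement you still make from the surrounding lines.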

I guess the root of my question would be this... Unless someone brute-force hacks my user password and the recovery password, is my machine safe from data theft or malicious software? With our Windows machine in the past, we figured out someone just plugged a drive in and it auto-executed some code even though they weren't logged in. Another time, they used a Linux Live CD to boot up and access files on the Windows partition.

 

I bought a Mac because of its reputation for security, so I thought it was the best for our shared-space situation. An underlying question I have is whether there's a way someone can still get to things?

 

I'll check out FileVault - thank you for that tip!


Thanks Micky - there are 3 items:

 

com.microsoft.office.licensing.helper (Office 2013)

com.microsoft.office.licensingV2.helper (Office 2016 preview I believe)

com.teamviewer.Helper

 

Only interesting thing to note is that the two Microsoft items have a "Date Modified" of 1/16/15 12:00am & 5/8/15 12:42am. I don't know how updates on the Mac work entirely yet - whether it's possible for these to be modified with my screen locked and me away. I know I haven't been at this machine at all past 10pm as long as I've had it. I do have Microsoft Office 2013 and 2016 (preview) installed, as well as TeamViewer.

 

Thank you for taking the time to look at the logs.

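The question of whether the helper plists were written while the machine was unattended can be turned into a repeatable check. The script below is an added example, not code from the thread: it walks a directory of launchd plists and reports the ones whose modification time falls in an overnight window (10 pm to 6 am by default, an assumption matching the poster's habits), handling the wrap past midnight. `build_demo_dir` creates a constructed directory with two files stamped with the two dates from the post so the script runs offline; on a real machine you would point it at `/Library/LaunchDaemons` or `/Library/LaunchAgents` instead.

```python
"""Report launchd plists modified during unattended hours (added example)."""
import os
import tempfile
from datetime import datetime, time


def in_night_window(ts, start=time(22, 0), end=time(6, 0)):
    """True if the time-of-day of ts lies in [start, end); the window may cross midnight."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # wraps past midnight, e.g. 22:00 -> 06:00


def find_modified_in_window(directory, start=time(22, 0), end=time(6, 0)):
    """Return [(filename, mtime)] for .plist files last written inside the window, oldest first."""
    hits = []
    with os.scandir(directory) as entries:
        for e in entries:
            if not e.is_file() or not e.name.endswith(".plist"):
                continue
            mtime = datetime.fromtimestamp(e.stat().st_mtime)
            if in_night_window(mtime, start, end):
                hits.append((e.name, mtime))
    return sorted(hits, key=lambda h: h[1])


def build_demo_dir():
    """Constructed sample directory: the two timestamps come from the post, the
    daytime file and the non-plist file are made up to show what gets ignored."""
    d = tempfile.mkdtemp(prefix="launchdaemons_demo_")
    samples = {
        "com.microsoft.office.licensing.helper.plist": datetime(2015, 1, 16, 0, 0),
        "com.microsoft.office.licensingV2.helper.plist": datetime(2015, 5, 8, 0, 42),
        "com.example.daytime.helper.plist": datetime(2015, 5, 8, 14, 0),  # constructed
        "README.txt": datetime(2015, 5, 8, 1, 0),  # constructed, not a plist
    }
    for name, when in samples.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("<plist/>\n")
        stamp = when.timestamp()
        os.utime(path, (stamp, stamp))  # set both atime and mtime to the sample date
    return d


if __name__ == "__main__":
    for name, when in find_modified_in_window(build_demo_dir()):
        print(f"{when:%m/%d/%y %I:%M %p}  {name}")
```

A hit only tells you when the file was last written, not by whom; pair it with the install logs for that date (`/var/log/install.log` on Yosemite) before drawing a conclusion about who touched the machine.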

Do you also have AirMedia installed? It is usually used to make presentations with MS Office tools.

 

6/30/15 5:45:26.920 AM softwareupdate_download_service[46785]:  securityd_message_with_reply_sync Failed to talk to secd after 4 attempts.

 

...something like that: http://www.crestron.com/resources/product_and_programming_resources/catalogs_and_brochures/online_catalog/default.asp?jump=1&model=am-100


Apparently you also have an antivirus installed on this Hack (or Mac???) ...Sophos??

EDIT

Hey Bro, launchd (OSX program) is telling you:

 launchd[1]: (com.sophos.scan) This service is defined to be constantly running and is inherently inefficient.

...please remove it!
