Did someone break in, or random boot?

Discussion in 'macOS' started by Yzerguy19, Jan 16, 2008.

  1. Yzerguy19 macrumors newbie

    Joined:
    Jan 15, 2008
    #1
    Hi all,

    I tried posting this to a different forum but no response, so out came Google and found this forum!

    I'm a new Mac user, just bought one 2 weeks ago and have been very happy.

    Last week, I powered down my Mac to leave town for the weekend, and I very clearly remember doing so. Just before powering down I disabled the schedules in Energy Saver (which were set up to wake/boot the Mac at 3am, then sleep at 7am, daily).

    When I got back home, my Mac was on. I checked Console, not knowing much of what I'm looking for, but did find that my Mac booted at 4pm last Friday (and I also see I powered down at 12:37pm that Friday just before I left home).

    I live alone, in theory no one should be here to turn it on. The Strata Council here has keys for all of our places, only for use in emergency, but now I'm paranoid someone is skulking around while I'm not here.

    Is there a chance Energy Saver got confused and booted my Mac at 4pm (the logs look exactly like previous boots done at 3am), including happening right at the top of the hour, bang on?

    Is there a chance my cats hit specific keystrokes on the keyboard to power it up (it's a 24" iMac)?

    Is there anywhere I can reference Mac logs to know what I may be looking for? Can I tell what, if anything was accessed?

    Is there a chance someone is logging my keystrokes as I type this?

    I'd prefer to not have to wipe the hard drive and reinstall everything, especially as my new external hard drive just arrived today and so I don't even have Time Machine set up yet.

    Am I being paranoid? (BTW, yes, I am now using a password, didn't think it was necessary in my own townhouse).

    Any and all help appreciated!

    Cheers, Sean
     
  2. NAG macrumors 68030

    NAG

    Joined:
    Aug 6, 2003
    Location:
    /usr/local/apps/nag
    #2
    Probably was a power surge. Do you have your mac on a surge protector?
     
  3. Yzerguy19 thread starter macrumors newbie

    Joined:
    Jan 15, 2008
    #3
    Yes, it's on a surge protector, an APC Performance Series 3400. Thanks for the reply though!

    Any other ideas?

    Cheers, Sean
     
  4. NAG macrumors 68030

    NAG

    Joined:
    Aug 6, 2003
    Location:
    /usr/local/apps/nag
    #4
    Honestly, this problem has been described before (it can be the surge thing), but there is also this weird phantom thing where 10.5 does this. Maybe it is related to syncing, I'm not sure. I never actually saw a thread where this has been solved since 10.5 was released.
     
  5. Yzerguy19 thread starter macrumors newbie

    Joined:
    Jan 15, 2008
    #5
    Thx NAG

    I'm kinda relieved that it's been documented (or at least mentioned) before.

    The fact that it happened right at the top of the hour made me think it was likely some phantom thing as mentioned, but still, I was really worried -- if for no other reason than I chose a new password for this machine and had it written down right next to the keyboard so I wouldn't forget it. From what I've read (being a Mac newb), it doesn't look like anything was added or installed on my machine. Not knowing much about Macs added to the doubt (I've seen key loggers on PCs before, scares the crap outta me).

    I've just installed a new external HD, and after a botched initial attempt to do the initial Time Machine backup, I've got it running smoothly.

    I'll sleep on it but the feeling of needing to wipe the internal drive, install Leopard again and restore from TM is fading.

    Cheers, Sean
     
  6. Lixivial macrumors 6502a

    Lixivial

    Joined:
    Jan 13, 2005
    Location:
    Between cats, dogs and wanderlust.
    #6
    If you really need reference, the system does log security escalations and login times. You can use /Applications/Utilities/Console.app to view these entries and cross reference times. The entries can be found under:

    File -> Open Quickly -> LOG FILES -> /var/log -> secure.log (numbers 1 - 4 denote newest to oldest). Or you can click "Show Log List" and use the pane to navigate the similar path structure as the File menu. Note you'll need to be an Administrator to read this log. If you're not an admin, you can either login as an admin account, or perform:

    Code:
    sudo /Applications/Utilities/Console.app/Contents/MacOS/Console
    EDIT: Fixed this command, because I'm clearly an idiot. :)

    In Terminal to read them as root. (I personally wouldn't recommend this route.)
     
  7. Yzerguy19 thread starter macrumors newbie

    Joined:
    Jan 15, 2008
    #7
    Lixivial, many thanks for the feedback -- I did as suggested in your quote above (first method). The status bar at the bottom of the Console window advises I do not have permission to view the secure log, yet I am an admin -- heck, I'm the only account on this machine, i.e. admin.

    Any ideas how this could happen -- and/or how to resolve without resorting to terminal (I'm heeding your advice to not go that route!)....?
     
  8. Makosuke macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #8
    Just wanted to add one other possible source of random boots that has caught me a few times:

    If you have your computer set to restart automatically after a power failure (Energy preference pane), and the power goes out, it will boot when it comes back, even if it was shut down completely when the power was lost--the firmware only sees that power was restored after going away, and initiates a boot.

    Given that yours happened at exactly 4 and that there was at least one other phantom boot issue someone here was dealing with, I'm more inclined to believe it's something in the system intentionally starting it on the wrong schedule, as others are saying.
     
  9. Yzerguy19 thread starter macrumors newbie

    Joined:
    Jan 15, 2008
    #9
    Thx for the feedback Makosuke, much appreciated.

    Fairly safe to say it wasn't a power failure or I would have come home to blinking displays on my alarm clock, microwave etc. Power surge shouldn't be it either given I've got a surge protector.

    I'm feeling better that it was the system starting itself given yours and other's feedback.

    That said I'd still like to figure out why I don't have permission to view the security log (see reply above) even though I live alone and I'm the only one who has access to the computer (on admin account), just want to relieve my nagging doubts about the neighbours in my complex.

    Anyone have any ideas for a Mac newb? I like to think I'm a fast learner and will happily give advice back as I get a handle on this stuff.

    Cheers, Sean
     
  10. Yzerguy19 thread starter macrumors newbie

    Joined:
    Jan 15, 2008
    #10
    For those who may be reading and (still) interested, if not affected...

    I still can't figure out exactly why I don't have permission to read the secure.log under an admin account -- but have read in a few places for OSX (prior to Leopard) that the log file gets swapped (I think weekly?) and permissions may go squirrelly (haven't looked into detail, it may be as simple as a permission repair, which I haven't tried, will do so soon).

    I found a thread on how to move the secure.log file to the desktop (with the need to enter password) to make it readable in Console, albeit this was for Panther, but it worked for me in Leopard, see here:

    http://www.thexlab.com/faqs/tamingsecurelog.html

    Specifically under the "Examining secure.log" heading.

    In looking at the log, I compared the log data of the boot that mysteriously happened at 4 pm on the Friday (after I powered down earlier in the day just before leaving for the weekend) to the data in the log of a boot that I had scheduled under energy saver that happened 3 days earlier (and at that time I know I was home alone, was awake in bed and heard the Mac boot in the next room)

    Both boot events had the exact same data entries in the log, and nothing extraneous. I don't understand most of it, some of it looks kinda questionable, then again, I'm new.

    So it appears my Mac booted itself just 'cause (and my concerns about neighbours using my key have faded).

    FWIW I'll report the random boot to the appropriate Apple feedback page, not holding my breath on resolution tho'.

    Thx for the replies and patience with a new Mac user.

    Cheers, Sean
     
  11. Lixivial macrumors 6502a

    Lixivial

    Joined:
    Jan 13, 2005
    Location:
    Between cats, dogs and wanderlust.
    #11
    I should say that I'm inclined to agree and would truly doubt it being a "break-in", but I did want to give Yzerguy19 the tools to allow himself/herself the peace of mind that it wasn't, and inform him/her on how to make certain it wasn't.

    That's mainly my fault for two reasons. I altered two things that broke the instructions I gave you -- altered long ago on Tiger and have taken them for granted since:

    1. I am not prompted for my password on sudoing under the account with which I was testing.
    2. I gave that same admin user access to read those logs.

    I apologise if I confused you in that regard. Yes, that log file gets rotated. I also should have given you stuff that you should be looking for in that log.

    If someone had rebooted the machine it would be logged as something like this:

    Code:
    Jan 18 19:22:29 MacBook shutdown[1903]: reboot by Jesse:
    If someone authenticated to the machine remotely it'd look like this:

    Code:
    Jan 18 19:33:01 MacBook com.apple.SecurityServer[24]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
    Jan 18 19:33:01 MacBook sshd[266]: Accepted keyboard-interactive/pam for Jesse from 192.168.0.3 port 62686 ssh2
    And if someone logged in on the console, it'd look like this:

    Failure:
    Code:
    Jan 18 19:23:51 MacBook authorizationhost[132]: Failed to authenticate user Jesse (tDirStatus: -14090).
    Success:
    Code:
    Jan 18 19:25:54 MacBook com.apple.SecurityServer[24]: checkpw() succeeded, creating credential for user Jesse
    Jan 18 19:25:54 MacBook com.apple.SecurityServer[24]: checkpw() succeeded, creating shared credential for user Jesse
    You can also consult system.log (in that same directory) where you'll have the same issues as you encountered with secure.log. You can read them as root by using the command I gave you previously, or drag to your Desktop as you did with secure.log.

    In this file you'll be looking for things like:

    Code:
    Jan 18 19:22:29 MacBook shutdown[1903]: reboot by Jesse: 
    Jan 18 19:22:29 MacBook shutdown[1903]: SHUTDOWN_TIME: 1232328149 81720
    Jan 18 19:23:14 localhost kernel[0]: Got boot device = {stuff}
    Jan 18 19:23:27 MacBook bootlog[45]: BOOT_TIME: 1232328185 0
    If there is no "reboot by {Username}" or "Shutdown by {Username}" you'll be able to assure yourself, I think, that it was a random reboot. Likewise, if there's a BOOT_TIME without a corresponding SHUTDOWN_TIME, you can draw similar conclusions.
     
  12. Yzerguy19 thread starter macrumors newbie

    Joined:
    Jan 15, 2008
    #12
    Thanks Lixivial, that's quite a follow-up, very much appreciated!

    I'm not sure if I clarified it, but at the time I had automatic login enabled, so there wouldn't have been any failed authentication attempts, unless I've interpreted that incorrectly. I also wasn't set up to require a password to wake from sleep.

    Thx for taking the time to post logs to illustrate your examples. That said, my secure.log entries don't follow along those lines. While I'm tempted to try and rationalize that, I'm (still) new so I thought it would be easier to just post the pertinent parts.

    First is an example of when I was home, everything normal.

    Starting with the shutdown I did on Jan 7th -- here is what the secure.log contained after the scheduled boot I had set up for 3 am daily was run (I was home, and awake, to hear it happen):

    Code:
    Jan  7 23:37:24 Macintosh shutdown[3064]: halt by Sean: 
    Jan  8 03:00:21 localhost com.apple.SecurityServer[20]: Entering service
    Jan  8 03:00:21 localhost com.apple.SecurityServer[20]: Succeeded authorizing right config.modify.com.apple.CoreRAID.admin by client /System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer for authorization created by /System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer.
    Jan  8 03:00:32 Macintosh loginwindow[24]: Login Window Started Security Agent
    Jan  8 03:00:32 Macintosh SecurityAgent[75]: User info context values set
    Jan  8 03:00:32 Macintosh SecurityAgent[75]: Login Window done
    Jan  8 03:00:32 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.login.console by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
    Jan  8 03:00:32 Macintosh loginwindow[24]: Login Window - Returned from Security Agent
    Jan  8 03:00:32 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.login.done by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
    And here is what the secure.log shows for the day I left town (Jan 11), starting with the shutdown I did at 12:37pm as I left home (I disabled the schedules in Energy Saver before the shut down), showing the "random" event after I was gone:

    Code:
    Jan 11 12:37:08 Macintosh shutdown[1552]: halt by Sean: 
    Jan 11 16:00:21 localhost com.apple.SecurityServer[20]: Entering service
    Jan 11 16:00:22 localhost com.apple.SecurityServer[20]: Succeeded authorizing right config.modify.com.apple.CoreRAID.admin by client /System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer for authorization created by /System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer.
    Jan 11 16:00:30 Macintosh loginwindow[24]: Login Window Started Security Agent
    Jan 11 16:00:31 Macintosh SecurityAgent[76]: User info context values set
    Jan 11 16:00:31 Macintosh SecurityAgent[76]: Login Window done
    Jan 11 16:00:31 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.login.console by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
    Jan 11 16:00:31 Macintosh loginwindow[24]: Login Window - Returned from Security Agent
    Jan 11 16:00:30 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.login.done by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
    Lastly, this is what the secure.log showed immediately after that last line referenced above (some failures to authenticate?):

    Code:
    Jan 14 17:18:56 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.preferences by client /Applications/System Preferences.app for authorization created by /Applications/System Preferences.app.
    Jan 14 17:18:56 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.preferences by client /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig for authorization created by /Applications/System Preferences.app.
    Jan 14 17:28:31 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.preferences by client /Applications/System Preferences.app for authorization created by /Applications/System Preferences.app.
    Jan 14 17:40:54 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.preferences by client /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig for authorization created by /Applications/System Preferences.app.
    Jan 14 17:41:37: --- last message repeated 3 times ---
    Jan 14 17:41:45 Macintosh authorizationhost[1883]: Failed to authenticate user Sean (tDirStatus: -14090).
    Jan 14 17:41:50 Macintosh authorizationhost[1883]: Failed to authenticate user Sean (tDirStatus: -14090).
    Jan 14 17:42:09: --- last message repeated 1 time ---
    Jan 14 17:42:09 Macintosh com.apple.SecurityServer[20]: Failed to authorize right system.login.screensaver by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
    Jan 14 17:42:27 Macintosh com.apple.SecurityServer[20]: uid 501 succeeded authenticating as user Sean (uid 501) for right system.login.screensaver.
    Jan 14 17:42:27 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.login.screensaver by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
    Jan 14 17:42:43 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.preferences by client /Applications/System Preferences.app for authorization created by /Applications/System Preferences.app.
    Jan 14 17:42:44 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.preferences by client /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig for authorization created by /Applications/System Preferences.app.
    Jan 14 17:42:55 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.preferences by client /Applications/System Preferences.app for authorization created by /Applications/System Preferences.app.
    Jan 14 17:44:18 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.preferences by client /Applications/System Preferences.app for authorization created by /Applications/System Preferences.app.
    Jan 14 19:55:43 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.burn by client /Applications/Utilities/Disk Utility.app for authorization created by /Applications/Utilities/Disk Utility.app.
    Jan 14 20:12:17 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.burn by client /Applications/Utilities/Disk Utility.app for authorization created by /Applications/Utilities/Disk Utility.app.
    Jan 14 20:18:23 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.preferences by client /Applications/System Preferences.app for authorization created by /Applications/System Preferences.app.
    Jan 14 20:18:23 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.preferences by client /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig for authorization created by /Applications/System Preferences.app.
    Jan 14 20:18:46 Macintosh shutdown[2038]: halt by Sean: 
    You mentioned what reboots would look like, but I didn't think I needed to look for those -- only b/c I left the machine off, and came back to it on (am I missing something?). I was more concerned about what happened after the Mac was turned on at 4 pm on the 11th when I was out of town -- given it looks the same as the boot event that was expected (when I was home), I think I've got my peace of mind now.

    If you (or anyone) see anything in there that gives concern, please let me know, I think I'm alright, but I'm new enough to not entirely know for sure.

    Again, thanks for taking the time to both read, and post.

    Cheers, Sean
     
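    A script that does the secure.log / system.log comparison the two posts above work through by hand: Lixivial's list of what a reboot, a remote login, a console login and an auth failure look like (#11), and Sean's halt-then-boot excerpts (#12). This is an added example written by the editor, not code from the thread or from Apple. The log text embedded in it is constructed in the style of the posted excerpts (hostnames, user names and the tDirStatus value are copied from the thread; the BOOT_TIME/SHUTDOWN_TIME epoch values are filler), and the year is assumed to be 2008 because syslog-style lines carry none.

```python
"""Audit Mac OS X 10.5-era secure.log / system.log lines for the boot,
shutdown and login events the thread says to look for.  Editor's added
example, not from the thread; SAMPLE_LOG is constructed, the year is assumed."""
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample: a halt followed by an unattended boot, a user-requested
# reboot, a remote SSH login, collapsed duplicate auth failures, and a boot
# with no shutdown record at all.  Epoch values are filler, not real.
SAMPLE_LOG = """\
Jan 11 12:37:08 Macintosh shutdown[1552]: halt by Sean:
Jan 11 12:37:08 Macintosh shutdown[1552]: SHUTDOWN_TIME: 1200098228 81720
Jan 11 16:00:21 localhost kernel[0]: Got boot device = IOService:/
Jan 11 16:00:27 Macintosh bootlog[45]: BOOT_TIME: 1200110427 0
Jan 11 16:00:31 Macintosh com.apple.SecurityServer[20]: Succeeded authorizing right system.login.console by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
Jan 14 17:41:45 Macintosh authorizationhost[1883]: Failed to authenticate user Sean (tDirStatus: -14090).
Jan 14 17:41:50 Macintosh authorizationhost[1883]: Failed to authenticate user Sean (tDirStatus: -14090).
Jan 14 17:42:09: --- last message repeated 1 time ---
Jan 14 17:42:27 Macintosh com.apple.SecurityServer[20]: uid 501 succeeded authenticating as user Sean (uid 501) for right system.login.screensaver.
Jan 18 19:22:29 MacBook shutdown[1903]: reboot by Jesse:
Jan 18 19:22:29 MacBook shutdown[1903]: SHUTDOWN_TIME: 1200720149 81720
Jan 18 19:23:27 MacBook bootlog[45]: BOOT_TIME: 1200720207 0
Jan 18 19:33:01 MacBook sshd[266]: Accepted keyboard-interactive/pam for Jesse from 192.168.0.3 port 62686 ssh2
Jan 20 09:15:02 MacBook bootlog[45]: BOOT_TIME: 1200856502 0
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
LINE_RE = re.compile(TS + r" (?P<host>\S+) (?P<proc>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
REPEAT_RE = re.compile(TS + r": --- last message repeated (?P<n>\d+) times? ---$")

Event = namedtuple("Event", "kind time user detail")


def parse_ts(ts, year):
    """syslog stamps carry no year; the caller supplies one (assumed 2008 here)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def classify(proc, msg):
    """Map one (process, message) pair to (kind, user, detail), or None if it is noise."""
    if proc == "shutdown":
        m = re.match(r"(halt|reboot) by (\S+):", msg)
        if m:
            return m.group(1), m.group(2), ""
    elif proc == "bootlog" and msg.startswith("BOOT_TIME:"):
        return "boot", "", msg
    elif proc == "sshd":
        m = re.match(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)", msg)
        if m:
            return "remote_login", m.group(2), f"{m.group(3)}:{m.group(4)} ({m.group(1)})"
    elif proc == "authorizationhost":
        m = re.search(r"Failed to authenticate user (\S+)", msg)
        if m:
            return "auth_failure", m.group(1), ""
    elif proc == "com.apple.SecurityServer" and "authorizing right system.login.console by" in msg:
        return "console_login", "", "loginwindow session (auto-login looks identical)"
    return None


def parse_log(text, year=2008):
    """Turn raw log text into Events, replaying syslog's collapsed duplicates."""
    events, last = [], None
    for raw in text.splitlines():
        m = REPEAT_RE.match(raw)
        if m:
            if last:
                ev = classify(*last)
                if ev:
                    t = parse_ts(m.group("ts"), year)
                    events += [Event(ev[0], t, ev[1], ev[2])] * int(m.group("n"))
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        last = (m.group("proc"), m.group("msg"))
        ev = classify(*last)
        if ev:
            events.append(Event(ev[0], parse_ts(m.group("ts"), year), ev[1], ev[2]))
    return events


def audit(text, year=2008):
    """Pair each BOOT_TIME with the shutdown record before it.  A boot after
    'reboot by X' was requested from inside the OS; a boot after 'halt by X'
    came from the power button, a schedule, firmware or restored power; a boot
    with no shutdown record means the system did not go down cleanly.  Only the
    first kind is attributable to a logged-in user."""
    events = parse_log(text, year)
    boots, pending = [], None
    for ev in events:
        if ev.kind in ("halt", "reboot"):
            pending = ev
        elif ev.kind == "boot":
            prior = pending.kind if pending else None
            boots.append({
                "time": ev.time,
                "prior": prior,
                "prior_user": pending.user if pending else None,
                "seconds_off": int((ev.time - pending.time).total_seconds()) if pending else None,
                "from_os": prior == "reboot",
            })
            pending = None
    return {
        "boots": boots,
        "unexplained_boots": [b for b in boots if not b["from_os"]],
        "remote_logins": [e for e in events if e.kind == "remote_login"],
        "auth_failures": [e for e in events if e.kind == "auth_failure"],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for b in report["boots"]:
        print(f"{b['time']:%b %d %H:%M:%S} boot: prior={b['prior']} by {b['prior_user']} "
              f"off_for={b['seconds_off']}s from_os={b['from_os']}")
    for e in report["remote_logins"]:
        print(f"{e.time:%b %d %H:%M:%S} REMOTE LOGIN {e.user} from {e.detail}")
    print(f"{len(report['auth_failures'])} failed authentication(s)")
```

    Run it against a copy of secure.log (Console's drag-to-Desktop trick, or sudo) by reading the file into audit() instead of SAMPLE_LOG. Sean's case comes out as a boot whose prior record is a halt: nobody was logged in when it started, which is consistent with a schedule, a power-button press or firmware bringing it up, and the log alone cannot tell those apart. The console_login right after it is the same system.login.console entry you get from auto-login, which is why the Jan 8 and Jan 11 excerpts look identical. The things that would have been red flags, an sshd Accepted line from an unexpected address, a reboot by someone else, or auth failures at a time you were not home, are what the script pulls out separately.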
  13. Lixivial macrumors 6502a

    Lixivial

    Joined:
    Jan 13, 2005
    Location:
    Between cats, dogs and wanderlust.
    #13
    I'd be inclined to agree.

    Yeah, I wouldn't worry about a "break-in" aspect. Everything looks like it's probably normal behaviour. Kudos for looking into the cause of the problem and taking computer security into account. The stuff below is just generalised stuff now:

    Failures will result from the rights escalation GUI Username/Password prompt, too. The "for right blah.blah.blah.blah" is the key there. In the instance of "for right system.login.screensaver" it's saying that the login was rejected for the password protected screensaver. The "authorization right" will still appear even if you don't password protect your screensaver, but I wouldn't expect there to be login failures on an unpassworded screensaver/return from sleep.

    That said, I can assume that you probably enabled the password after you returned and those login failures are probably just getting accustomed to typing in the password. And that's where you'll find most red flags in the log -- due to mistyped password or your own auth failures. But common sense is a good idea, and only you know your computer usage.

    Yes, so in the instance there you'd see it as a "halt" as you see there. Halt is shutdown, Reboot is restart, and I believe sleep is "sleep demand recorded: {Date}"
     
  14. Yzerguy19 thread starter macrumors newbie

    Joined:
    Jan 15, 2008
    #14
    Thx for the words, and the help -- The learning part is just my analytical side, process of elimination and all that -- And yes, I do take the security part seriously; what I've found early on is that it is much easier to do on my new Mac vs the PC.

    In hindsight I should have used "unforced entry" rather than "break-in" about what was concerning me most at the time. There are some shady characters in my strata, looking forward to the day I can afford my own house and not have to live by strata rules (and change the locks!).

    Now, if I could stop spending cash on things like new computers, cameras and software, I may actually get there faster :rolleyes: :D

    I did enable passwords for awake from screen and awake from sleep, plus disabled auto log in, and also changed my password after I returned, BUT, I haven't had any failed login attempts when password was needed, haven't messed that up (yet)...?

    Cheers, Sean
     
  15. Makosuke macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #15
    This obviously doesn't relate to the OP's issue anymore, but an amusing (to me, anyway) coincidence: Today at work, someone asked me why their computer was sometimes on when they got to work in the morning and they'd shut it down the night before.

    Except in this case, it WAS a scheduled auto-start--it had somehow gotten set to boot one evening a week, and so of course it was. No doubt someone (me?) messing with the prefs at some point in the past, but given that it's only the second time I've ever heard a complaint about this, I thought it was funny given the timing.
     