
Kris66

macrumors newbie
Original poster
Sep 16, 2010
3
0
Hi all, sorry for the long first post, but here goes.

I have found this log file on my 3GS that I bought secondhand,
and from the log it has been loading this from the day I turned it on.
The phone was not jailbroken when I got it; I did that some 6 weeks later.
I have read that keybag is a keylogger for the Mac. I can't find the app on the phone, just this log file.
Has anyone come across anything like it on their phones?
The file was in /private/var/logs.
Any help would be appreciated.

This is the log I found:

Sat Jul 17 16:42:52 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Sun Jul 18 07:41:08 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Sun Jul 18 12:09:16 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Sun Jul 18 13:05:36 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Thu Jul 22 08:30:16 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Fri Jul 23 19:43:35 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Sat Jul 24 09:04:39 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Sun Jul 25 10:04:47 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Sun Jul 25 10:37:28 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Mon Jul 26 08:42:29 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=NULL newpass=SECRET has blob
Mon Jul 26 08:42:29 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: success
Mon Jul 26 08:43:15 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=SECRET newpass=SECRET has blob
Mon Jul 26 08:43:15 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: success
Mon Jul 26 13:37:09 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Sat Jul 31 11:27:00 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Sun Aug 1 03:27:20 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Sun Aug 1 05:16:10 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Sun Aug 1 05:32:24 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Wed Aug 4 12:00:54 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Tue Aug 10 12:34:39 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Tue Aug 10 13:00:46 2010 pid=147 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=SECRET newpass=SECRET has blob
Tue Aug 10 13:00:47 2010 pid=147 (0x381000) __handle_changepasscode_block_invoke_1: success
Tue Aug 10 14:30:18 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Fri Aug 13 17:00:33 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Fri Aug 13 18:58:49 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Fri Aug 13 21:24:48 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Fri Aug 13 23:49:43 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Sat Aug 14 00:42:53 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Sun Aug 15 00:35:18 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Sun Aug 15 10:48:11 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Tue Aug 17 22:07:01 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Tue Aug 17 22:09:01 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Tue Aug 17 22:22:40 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
Wed Aug 18 15:53:20 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
Wed Aug 18 16:12:28 2010 pid=35 (0x3e7037c8) main: System Keybag loaded
Wed Aug 18 17:31:48 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
Wed Aug 18 18:05:34 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
Sat Aug 21 02:13:04 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
Sat Aug 21 02:14:51 2010 pid=35 (0x3e7037c8) main: System Keybag loaded
Sat Aug 21 17:51:30 2010 pid=35 (0x3e7037c8) main: System Keybag loaded
Sat Aug 21 19:23:55 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
Sun Aug 22 00:17:32 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
Sun Aug 22 12:24:57 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
Mon Aug 23 00:18:53 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
Mon Aug 30 14:37:50 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
Mon Sep 6 00:53:33 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
Tue Sep 7 00:11:57 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
Tue Sep 7 23:35:54 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
Wed Sep 8 18:57:41 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
Wed Sep 8 20:05:13 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
Wed Sep 8 20:07:35 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
Wed Sep 8 20:12:35 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
Wed Sep 8 20:26:27 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
Thu Sep 9 17:29:45 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
Fri Sep 10 14:03:23 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
Fri Sep 10 14:09:36 2010 pid=37 (0x3e7037c8) main: System Keybag loaded
Fri Sep 10 14:12:32 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
Sat Sep 11 10:13:51 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
Sat Sep 11 17:20:37 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
Mon Sep 13 18:12:06 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
Mon Sep 13 23:34:33 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
Tue Sep 14 17:05:26 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
Tue Sep 14 17:06:54 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
Tue Sep 14 17:20:41 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
Thu Sep 16 20:00:51 2010 pid=36 (0x3e7037c8) main: System Keybag loaded

Regards Kris
 
Thanks for the reply, Aggie.
This is what's in it:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.mobile.keybagd</string>
    <key>MachServices</key>
    <dict>
        <key>com.apple.mobile.keybagd</key>
        <true/>
    </dict>
    <key>OnDemand</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/keybagd</string>
        <string>-t</string>
        <string>15</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>


I have also noticed that when I change my password at the lock screen it shows up in the log
like this: 2010 pid=147 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=SECRET newpass=SECRET has blob
 
I decided to check my own phone for this plist, and I had it. I also have the same log as you. Mine started on the day I bought the phone. Therefore, I don’t think this is anything to be concerned about and has nothing to do with the keybag mac software you found. It’s not a trojan.
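An added example, not part of any post in this thread: a small Python triage of the log format posted above that counts event types and flags any `oldpass=`/`newpass=` value other than the placeholders seen in the posted log. It assumes `NULL` and `SECRET` are the only values the daemon writes there; the function name `triage` is hypothetical, and the last sample line is constructed to show a hit.

```python
import re
from collections import Counter

# Constructed sample: four lines in the format of the log posted in the thread,
# plus one made-up line (the last) showing what an unredacted value would look like.
SAMPLE = """\
Sat Jul 17 16:42:52 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Mon Jul 26 08:42:29 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=NULL newpass=SECRET has blob
Mon Jul 26 08:42:29 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: success
Sun Aug 1 03:27:20 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
Tue Aug 10 13:00:46 2010 pid=147 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=1234 newpass=SECRET has blob
"""

# Fields: timestamp, pid, unlabelled hex value, function name, message
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"pid=(?P<pid>\d+) \((?P<hexval>0x[0-9a-fA-F]+)\) "
    r"(?P<func>\w+): (?P<msg>.*)$"
)
PASS_FIELD = re.compile(r"\b(oldpass|newpass)=(\S+)")
# Assumption: these are the only two values the daemon ever logs for a passcode.
PLACEHOLDERS = {"NULL", "SECRET"}

def triage(text):
    """Return (event counts, [(line_no, field)] with non-placeholder values, unparsed line numbers)."""
    counts, leaks, unparsed = Counter(), [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = LINE.match(raw.strip())
        if not m:
            unparsed.append(n)
            continue
        msg = m["msg"]
        fields = PASS_FIELD.findall(msg)
        if msg == "System Keybag loaded":
            counts["keybag_loaded"] += 1
        elif fields:
            counts["passcode_change"] += 1
            # Report only where the value sits, never the value itself.
            leaks.extend((n, name) for name, value in fields if value not in PLACEHOLDERS)
        elif msg == "success":
            counts["success"] += 1
        else:
            counts["other"] += 1
    return counts, leaks, unparsed
```

An empty `leaks` list over the whole file means every passcode field holds a placeholder rather than a real passcode.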
 
Thanks, Aggie.
That puts me at ease a little. Well, the panic is over for now :D
 
Keybagd

WTF is it? I have the same symptoms as described above. Any mods have a clue? iPhone 3G JB/UL
 