Is my Mac being hacked or hijacked by DNS tampering?

Discussion in 'OS X El Capitan (10.11)' started by stanleywxc, Nov 10, 2016.

  1. stanleywxc macrumors newbie

    Joined:
    Nov 10, 2016
    #1
    I found some really suspicious traffic on my Mac: the process 'com.apple.photomoments' is sending strange traffic to a very suspicious server:

    com.apple 379 4u IPv4 0x52332f3f383fb82d 0t0 TCP 10.10.1.100:49170->72.191.188.61.broad.nc.sc.dynamic.163data.com.cn:http (ESTABLISHED)
    com.apple 379 6u IPv4 0x52332f3f383fb82d 0t0 TCP 10.10.1.100:49170->72.191.188.61.broad.nc.sc.dynamic.163data.com.cn:http (ESTABLISHED)

    Then I found out it is the 'com.apple.photomoments' process:

    sh-3.2# ps -Al | grep 379
    501 379 1 4004 0 4 0 2486088 17912 - Ss 0 ?? 0:00.17 /System/Library/PrivateFrameworks/PhotoLibraryPrivate.framework/Versions/A/Frameworks/PhotoLibraryServices.framework/Versions/A/XPCServices/com.apple.photomoments.xpc/Contents/MacOS/com.apple.photomoments

    Does anyone know about this 'com.apple.photomoments' process? Why does it send internet traffic if it is photo related? And why does it send the traffic to this very suspicious server? I found out that server is located in a China Telecom ISP datacenter. I suspect the Chinese government somehow hijacked the DNS query or tampered with the DNS server, or my Mac was simply hacked by Chinese government hackers?

    Anyone? Please help!
     
  2. JohnDS macrumors 65816

    Joined:
    Oct 25, 2015
    #2
    I suspect that com.apple.photomoments has to do with iCloud photo synching. Do you have that turned on?

    If you think your DNS is being hijacked, the first thing to do is to check the DNS server shown in your Network prefs panel. If these are not your ISP's DNS servers, or public ones like DYNDNS or Google, you may have a trojan.

    Try downloading and running the free MalwareBytes for Mac: https://www.malwarebytes.com/antimalware/mac/

    You could also download and run the free Avast antivirus software https://www.avast.com/en-ca/free-mac-security , but I would be inclined to uninstall it after running a full scan as I find it a bit obtrusive.
     
  3. stanleywxc thread starter macrumors newbie

    Joined:
    Nov 10, 2016
    #3
    I am using a Chinese ISP; the problem is the Chinese government tampering with the DNS server via a MITM DNS attack, which hijacks the connection to Chinese servers instead of Apple's server. My question is: if it is iCloud's photo syncing, why is it sending traffic to that server? That server is an actual Chinese government server (72.191.188.61.broad.nc.sc.dynamic.163data.com.cn) inside a Chinese ISP. I am sure Apple would not set up a server like that. Does anyone know which server or servers iCloud photo sharing sends traffic to?
     
  4. BorderingOn, Nov 12, 2016
    Last edited: Nov 12, 2016

    BorderingOn macrumors 6502

    Joined:
    Jun 12, 2016
    Location:
    BaseCamp Pro
  5. JohnDS macrumors 65816

    Joined:
    Oct 25, 2015
    #5
    China Telecom: http://tools.tracemyip.org/lookup/61.188.191.72 See the line for the reverse DNS pointer.
    --- Post Merged, Nov 12, 2016 ---
    According to this: http://www.cultofmac.com/291620/apple-moves-chinese-icloud-state-controlled-servers/

    "Apple is now using China Telecom’s servers instead of its own to power iCloud for Chinese customers. The switch took place on August 8th [2014], and now the carrier is Apple’s only cloud service provider in China."

    So it would appear that iCloud photo sharing is correctly using a Chinese server.
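A small triage script for the lsof rows in post #1 and the reverse lookup in post #5, added here as an example and not code from anyone in the thread: it parses lsof TCP rows, reports remotes whose PTR name looks like a dynamic ISP pool, and recovers the address that the reversed-octet name encodes (the thread's 72.191.188.61.broad... name corresponds to the 61.188.191.72 lookup above). The sample rows, the hint words and the reversed-octet rule are assumptions for this example, so treat the recovered address as a candidate to confirm with a real PTR lookup.

```python
import re

# Constructed sample in the shape of `lsof -i` output: the two rows quoted in
# the thread plus two made-up rows for contrast (one HTTPS socket, one UDP row).
SAMPLE_LSOF = """\
com.apple 379 4u IPv4 0x52332f3f383fb82d 0t0 TCP 10.10.1.100:49170->72.191.188.61.broad.nc.sc.dynamic.163data.com.cn:http (ESTABLISHED)
com.apple 379 6u IPv4 0x52332f3f383fb82d 0t0 TCP 10.10.1.100:49170->72.191.188.61.broad.nc.sc.dynamic.163data.com.cn:http (ESTABLISHED)
cloudd 412 12u IPv4 0x1a2b3c4d5e6f7a8b 0t0 TCP 10.10.1.100:49201->17.253.144.10:https (ESTABLISHED)
mDNSRespo 201 8u IPv4 0x0f0e0d0c0b0a0908 0t0 UDP *:mdns
"""

# Row layout as in the thread: COMMAND PID FD TYPE DEVICE SIZE/OFF NODE NAME; only TCP rows carry "local->remote (STATE)".
LSOF_TCP = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"\S+->(?P<remote>\S+)\s+\((?P<state>\w+)\)\s*$"
)
# Assumption: ISP reverse zones that embed the address in the PTR name, with the
# octets reversed as in the thread's 163data name. Other ISPs differ; candidate only.
REVERSED_PTR = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.[^\d].*$")
DYNAMIC_HINTS = ("dynamic", "dhcp", "pool", "broad")  # heuristic residential-pool markers

def parse_lsof(text):
    """Return (cmd, pid, remote_host, remote_port, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = LSOF_TCP.match(line)
        if m:
            host, _, port = m["remote"].rpartition(":")
            rows.append((m["cmd"], int(m["pid"]), host, port, m["state"]))
    return rows

def candidate_ip_from_ptr(name):
    """'72.191.188.61.broad...' -> '61.188.191.72'; None for IP literals or other names."""
    m = REVERSED_PTR.match(name)
    return ".".join(reversed(m.groups())) if m else None

def triage(text):
    """Report each distinct remote whose PTR name looks like a dynamic/residential pool."""
    seen, findings = set(), []
    for cmd, pid, host, port, state in parse_lsof(text):
        if (pid, host, port) in seen:  # the thread's two rows are one socket, report once
            continue
        seen.add((pid, host, port))
        hints = [h for h in DYNAMIC_HINTS if h in host.lower()]
        if hints:
            findings.append({"cmd": cmd, "pid": pid, "host": host, "port": port,
                             "state": state, "ip_candidate": candidate_ip_from_ptr(host),
                             "hints": hints})
    return findings
```

Run `triage(SAMPLE_LSOF)` to get one finding for PID 379; on a live machine feed it the output of `lsof -i` instead and check any candidate address with `dig -x`.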
     
  6. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #6
    Apple uses Chinese data centres to store data of users located in that country. Many big companies do this. It is simply more efficient (faster network requests) and it appeases the Chinese Government. Use a VPN if you want to avoid this.
     
  7. stanleywxc thread starter macrumors newbie

    Joined:
    Nov 10, 2016
    #7
    Yup, it is really dangerous to sync my photos to a server under Chinese government control. I will never know if my photos or documents are being stolen or hacked. Even though Apple has encrypted the content, the Chinese government may have means to crack the encryption; you never know. I stopped using iCloud sync while in China.
