Unauthorized Remote Access

Discussion in 'OS X Yosemite (10.10)' started by immobilus, Mar 3, 2015.

  1. immobilus macrumors member

    Joined:
    May 5, 2012
    #1
    Hello:

    A couple of days ago I had someone who I don't know very well over for a few hours. To make a long story short, he was asking a lot of questions about my home network and spent a lot of time on his phone while attempting to not let me see what he was doing. At some point, I grabbed the phone out of his hand and he had an array of hacking tools on his phone set up to look like common apps. I immediately turned off my computer and disconnected the modem.

    I kept the computer disconnected for three days while researching open processes and strange lines in the system logs. Unfortunately I erased them. But I do have some existing questions.

    Sharingd seems to be performing a lot of strange tasks, including changing my Apple ID. User access to different files and folders keeps changing. (I, as the administrator, can't open a folder under the guest account.) One line that I found particularly suspicious I performed a Google search on, and a moderator in that case explained that it seemed like FBI-Fed surveillance.

    I'm particularly interested, now, in the following lines. How is sharingd changing my Apple ID, why is the AirDrop server starting for "user 501," etc.? Are these lines at all suspicious for someone who has both AirDrop and remote access disabled?

    3/3/15 6:35:44.525 PM sharingd[3866]: 18:35:44.525 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: Activity (The operation couldn’t be completed. (com.apple.identityservices.error error 200.))
    3/3/15 6:35:52.213 PM sharingd[3866]: 18:35:52.212 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: Activity (The operation couldn’t be completed. (com.apple.identityservices.error error 200.))
    3/3/15 6:36:01.706 PM sharingd[3866]: 18:36:01.705 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: Activity (The operation couldn’t be completed. (com.apple.identityservices.error error 200.))
    3/3/15 6:36:11.197 PM sharingd[3866]: 18:36:11.196 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: Activity (The operation couldn’t be completed. (com.apple.identityservices.error error 200.))
    3/3/15 6:36:20.688 PM sharingd[3866]: 18:36:20.687 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: Activity (The operation couldn’t be completed. (com.apple.identityservices.error error 200.))
    3/3/15 6:36:27.882 PM sharingd[3866]: 18:36:27.882 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: Activity (The operation couldn’t be completed. (com.apple.identityservices.error error 200.))
    3/3/15 6:36:51.111 PM sharingd[3866]: 18:36:51.111 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: Activity (The operation couldn’t be completed. (com.apple.identityservices.error error 200.))
    3/3/15 6:36:56.341 PM sharingd[3866]: 18:36:56.340 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: Activity (The operation couldn’t be completed. (com.apple.identityservices.error error 200.))
    3/3/15 8:10:47.409 PM sharingd[3866]: 20:10:47.409 : SDStatusMonitor::kStatusWirelessPowerChanged
    3/3/15 8:10:54.316 PM sharingd[3866]: 20:10:54.316 : SDStatusMonitor::kStatusWirelessPowerChanged
    3/3/15 8:11:03.221 PM sharingd[3866]: 20:11:03.221 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: TetheringTargetPresence (The operation couldn’t be completed. (com.apple.identityservices.error error 200.))
    3/3/15 8:11:34.297 PM sharingd[3866]: 20:11:34.296 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: TetheringTargetPresence (The operation couldn’t be completed. (com.apple.identityservices.error error 200.))
    3/3/15 8:25:57.567 PM sharingd[3866]: 20:25:57.567 : Bonjour discovery started
    3/3/15 8:25:57.569 PM sharingd[3866]: 20:25:57.568 : Finder entered AirDrop
    3/3/15 8:25:57.647 PM sharingd[3866]: 20:25:57.647 : BTLE advertiser Powered Off
    3/3/15 8:26:07.725 PM sharingd[3866]: 20:26:07.724 : Bonjour discovery stopped
    3/3/15 8:26:07.725 PM sharingd[3866]: 20:26:07.724 : BTLE advertising stopped
    3/3/15 8:26:07.727 PM sharingd[3866]: 20:26:07.727 : Finder exited AirDrop
    3/3/15 8:51:21.932 PM sharingd[3866]: 20:51:21.932 : SDConnectionManager:: XPC connection invalidated
    3/3/15 8:51:33.743 PM sharingd[3866]: 20:51:33.740 : SIGTERM received, shutting down.
    3/3/15 9:00:31.707 PM com.apple.xpc.launchd[1]: (com.apple.sharingd) This service is defined to be constantly running and is inherently inefficient.
    3/3/15 9:00:35.389 PM sharingd[298]: 21:00:35.388 : Starting Up...
    3/3/15 9:00:35.397 PM sharingd[298]: 21:00:35.396 : Device Capabilities (Handoff:YES, Instant Hotspot:YES, AirDrop:YES, Legacy AirDrop:YES, Remote Disc:YES)
    3/3/15 9:00:35.713 PM sharingd[298]: 21:00:35.712 WARNING: >compload> AudioComponentPluginLoader.cpp:391: QueryBundle: AudioComponentPluginLoader: can't create bundle: QuickTimeAudioComponents.component -- file:///System/Library/Components/
    3/3/15 9:00:42.640 PM sharingd[298]: 21:00:42.640 : Bonjour discovery started
    3/3/15 9:00:42.644 PM sharingd[298]: 21:00:42.643 : BTLE advertiser Powered Off
    3/3/15 9:00:52.414 PM sharingd[298]: 21:00:52.413 : SDStatusMonitor::kStatusWirelessPowerChanged
    3/3/15 9:00:53.421 PM sharingd[298]: 21:00:53.420 : Bonjour discovery stopped
    3/3/15 9:00:53.422 PM sharingd[298]: 21:00:53.422 : BTLE advertising stopped
    3/3/15 9:00:53.424 PM sharingd[298]: 21:00:53.423 : Bonjour discovery started
    3/3/15 9:00:53.431 PM sharingd[298]: 21:00:53.431 : BTLE advertiser Powered Off
    3/3/15 9:01:07.705 PM sharingd[298]: 21:01:07.704 : Bonjour discovery stopped
    3/3/15 9:01:07.705 PM sharingd[298]: 21:01:07.705 : BTLE advertising stopped
    3/3/15 9:01:52.431 PM sharingd[298]: 21:01:52.430 : Apple ID account changed
    3/3/15 10:07:15.726 PM sharingd[298]: 22:07:15.726 : SDStatusMonitor::kStatusWirelessPowerChanged
    3/3/15 10:22:39.384 PM sharingd[298]: 22:22:39.384 : SDStatusMonitor::kStatusWirelessPowerChanged
    3/3/15 10:22:39.548 PM sharingd[298]: 22:22:39.548 : SDStatusMonitor::kStatusWirelessPowerChanged
    3/3/15 10:22:39.664 PM sharingd[298]: 22:22:39.662 : Starting AirDrop server for user 501 on wake
    3/3/15 10:22:39.778 PM sharingd[298]: 22:22:39.777 : SDStatusMonitor::kStatusWirelessPowerChanged
    3/3/15 10:22:39.798 PM sharingd[298]: 22:22:39.798 : SDStatusMonitor::kStatusWirelessPowerChanged
    3/3/15 10:22:39.817 PM sharingd[298]: 22:22:39.816 : SDStatusMonitor::kStatusWirelessPowerChanged
    3/3/15 10:22:43.009 PM sharingd[298]: 22:22:43.008 : SDStatusMonitor::kStatusWirelessPowerChanged
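An added triage script, not from the thread, that parses the line format quoted above, counts lines per process and pid (a pid change after "SIGTERM received" / "Starting Up..." is the daemon restarting), and separates the constantly repeating status and advertising chatter from the few events worth a closer look. The sample is a subset of the lines in the post (one message shortened); the uid 501 note is a general macOS fact, not something the thread states.

```python
import re
from collections import Counter

# Outer format of the lines quoted in the post: M/D/YY H:MM:SS.mmm AM|PM process[pid]: message
OUTER_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<proc>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# sharingd prefixes its own 24h timestamp: "21:00:35.388 : ..." or "21:00:35.712 WARNING: ..."
INNER_RE = re.compile(r"^\d+:\d+:\d+\.\d+ (?:\w+)?:\s*")

# Messages worth a second look when you believe sharing is switched off; notes only restate the message.
NOTEWORTHY = {
    "Starting Up": "sharingd (re)started under a new pid",
    "Apple ID account changed": "sharingd noticed the signed-in Apple ID changed",
    "Starting AirDrop server": "AirDrop server started for a uid (501 = first account created on the Mac)",
    "SIGTERM received": "sharingd was told to shut down",
}
ROUTINE = ("SDStatusMonitor::", "SDActivityAdvertiser::")  # recurring chatter, no signal on its own

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = OUTER_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["msg"] = INNER_RE.sub("", ev["msg"])  # drop sharingd's inner timestamp
    return ev

def triage(text):
    """Count lines per process/pid and split messages into routine vs. flagged."""
    per_pid, routine, flagged = Counter(), Counter(), []
    for ev in filter(None, map(parse_line, text.splitlines())):
        per_pid[f'{ev["proc"]}[{ev["pid"]}]'] += 1
        if ev["msg"].startswith(ROUTINE):
            routine[ev["msg"].split("::")[0]] += 1
            continue
        for key, note in NOTEWORTHY.items():
            if ev["msg"].startswith(key):
                flagged.append((ev["time"], ev["pid"], ev["msg"], note))
    return {"per_pid": per_pid, "routine": routine, "flagged": flagged}

# Constructed sample: a subset of the lines quoted in the post (one message shortened).
SAMPLE = """\
3/3/15 6:35:44.525 PM sharingd[3866]: 18:35:44.525 : SDActivityAdvertiser::continuity:didFailToStartAdvertisingOfType:withError: Activity (com.apple.identityservices.error error 200.)
3/3/15 8:51:33.743 PM sharingd[3866]: 20:51:33.740 : SIGTERM received, shutting down.
3/3/15 9:00:31.707 PM com.apple.xpc.launchd[1]: (com.apple.sharingd) This service is defined to be constantly running and is inherently inefficient.
3/3/15 9:00:35.389 PM sharingd[298]: 21:00:35.388 : Starting Up...
3/3/15 9:00:35.713 PM sharingd[298]: 21:00:35.712 WARNING: >compload> AudioComponentPluginLoader.cpp:391: QueryBundle: can't create bundle
3/3/15 9:01:52.431 PM sharingd[298]: 21:01:52.430 : Apple ID account changed
3/3/15 10:22:39.384 PM sharingd[298]: 22:22:39.384 : SDStatusMonitor::kStatusWirelessPowerChanged
3/3/15 10:22:39.664 PM sharingd[298]: 22:22:39.662 : Starting AirDrop server for user 501 on wake
"""
```

Run `triage(SAMPLE)` (or pass the full pasted log) and read the `flagged` list; on the sample it reduces eight lines to the four events the post actually asks about, with everything else counted as routine.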
     
  2. dyt1983, Mar 3, 2015
    Last edited: Jun 2, 2015

    dyt1983 macrumors 65816

    Joined:
    May 6, 2014
    Location:
    USA USA USA
    #2
    edit: To remove personally identifying information not relevant to the thread.
     
  3. MCSN macrumors regular

    MCSN

    Joined:
    Feb 7, 2012
    Location:
    Kayenta
    #3
    If you feel insecure about your system, try incorporating some of the safety precautions like encryption via FileVault. Change your passwords. Up your security in the best ways possible. Turn off file sharing and other services that make you nervous. Read some articles on cleaning up your system vulnerabilities. If you saw any of the programs, do some research on the ones he had. The best way to know what they can do is to try to hack into your system using those same techniques and see if they work or not.

    If there's any information that you have that they would want, it doesn't hurt to restore to factory and remove it all, and start with a clean slate.

    They can't take what you don't leave on the counter.

    I hope that incident didn't frighten you from feeling safe in using your system openly. Just keep taking precautions, and there are always ways to learn better protection and security. Just know if someone did try, it's a good time to go through your vulnerabilities and lock all the doors, or clean up. It's good you are asking questions and getting confirmation on what is what.
     
