Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
Can anyone tell me what source P is referencing?


"source" : "P",

"arch" : "arm64e",

"base" : 6487347200,

"size" : 3166208,

"uuid" : "",

"path" : "\/System\/Library\/Frameworks\/Foundation.framework\/Foundation",


"name" : "Foundation".

source" : "P",

"arch" : "arm64e",

"base" : 6616674304,

"size" : 172032,

"uuid" : ",

"path" : "\/System\/Library\/PrivateFrameworks\/AudioSession.framework\/AudioSession",

"name" : "AudioSession"

},



"source" : "P",

"arch" : "arm64e",

"base" : 6458896384,

"size" : 286720,

"uuid" : "",

"path" : "\/usr\/lib\/system\/libdispatch.dylib",

"name" : "libdispatch.dylib"

},

{

"source" : "P",

"arch" : "arm64e",

"base" : 8346234880,

"size" : 229376,

"uuid" : "",

"path" : "\/usr\/lib\/system\/libxpc.dylib",

"name" : "libxpc.dylib"

you can see it is across multiple libraries and multiple process’s

fyi -
A. my phone is not jailbroken, at least not by me.
B. It has been compromised but I’m trying to determine if it’s by someone or did I pull the short straw and get hacked randomly?
C.this is referenced thru numerous analytics logs referencing various apps and or process’s
D. Im trying to determine if this is something that is a bug in the new iOS 15 or something uncovered since the update related to the compromise?
 
Last edited:

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
What is the context for this data? Why do you think your device has been compromised?
This is a section of a report “Exc_UserFault_wifid”

The reasons that I know my device is compromised is for multiple reasons. There are the obvious….
move picked up my phone and my camera is on and I can tell now by the little green dot(thank you Apple!!)
I’ve had pictures in my photo album that do not belong to me
My keyboard has been taken over.
im constantly being spoofed online so it’s hard to tell what website I’m on is legit so I have to triple check everything
Home & Game Center in iCloud keep getting turned on (this I can’t figure out)
My messages and texts arrive hours to days after from friends and family and they are date stamped. Or my messages just go nowhere entirely.
but then you have the technical stuff like log reports that are clear indicators … namely
“Exc_UserFaults_CMFSyncAgent”
And I can only assume the other Exc logs are indicators too.
various times I have discovered profiles installed on my phone, I’ve had warnings early on that my phone was jailbroken however I never did that nor even know how.
I’ve picked up my phone to see something called “intercomcdn” on and playing or what ever it does.
my DNS has been parked, on the handful of times I have been able to do a reverse DNS the findings have definitely NOT been anything to do with my ISP or carrier.
I have pop up ads everywhere.
i use apples safari private browser and have pop up’s blocked I don’t have a Google or Amazon account and yet the pop up’s are still there.
I have had over 20 various accounts of mine show up in have you been pawned as having my credentials sold or whatever on the dark web.

this is just to name a few reasons why I believe I’ve been compromised. And before you give me the reset your devices, erase this or that and all that …. I’ve been dealing with this for years. I’ve done all of that!! More than once…. It’s happening to my husbands phone too but he has been listening to me lose my mind over it and I have been made aware that he hasn’t necessarily followed the rules in regards to creating ALL NEW accounts. So there’s that…

anyhow so I’ve given myself these crash courses in networking etc. I was already tech savvy but I’ve had to learn quite a bit. So I can understand quite a bit but I may not use the right terminology and I’m trying to piece it all together because it’s the only way I can make this all stop…. I’ve tried to report this on ic3.com but the powers that be will not allow me. Either the site is not accessible or the page is so big on my phone it’s not even legible.
Anyhow, Is there something I can provide to help me understand what this reference is? Because it’s used thru all the logs I referenced above and with every update I get something else is uncovered and I’m trying to work quickly because this compromise has always been 1-2 steps ahead of me and after every update I have a short window of time when things appear normal and then the strange starts.
I believe it’s in my network or in some old email account somewhere. But I know that we get texts or calls that have got to be handshakes because I’ve traced them back and it’s always something relating to ftp or netbios or tunneling and proxy related ports open.

I’m willing to listen to advice on something I can do besides reset my stuff again because I’m frankly tired of losing all my data doing so. And backing **** up that I can never touch again. It’s getting really flipping old!!
 
  • Like
Reactions: McRegRum

McRegRum

macrumors newbie
Feb 4, 2023
1
0
ZA, Johannesburg
Hi #Barbu, You are in one of the loneliest places I have ever been, and still trying to claw my way out of this hell hole. In fact I registered just to reply to you. I’m not as tech savvy as you appear to be and I can offer nothing but empathy and the belief in you and that your conviction in the reality of your situation is well placed. Until you know who it is or who they are and why there is such a need to keep surveiling you, there is no rest to be had.
Firstly, your post was a while back. Any updates?
I keep hoping the next security release will save the day, but a mobile OTA patch, soon comes through (ostensibly from Apple), and my devices all start displaying the telltale signs that it’s all starting again. Mine started with me helping a friends new husband with his aspect ratio on a new app he was developing where he wanted to see how it looked on my brand new 8+. 3 entry’s of my ID and Password secured my having provisioned my iPhone, Apple ID, and probably other apple devices to him. This was about October 2017, and over the next 3 years I realised something was not right and slowly started to investigate.
as you said, they are always a few steps ahead, and my life will never be the same…
 

JustAnExpat

macrumors 6502a
Nov 27, 2019
975
976
Not to belittle you, but your story doesn't make sense, and comes across as being quite trollish. Or maybe you're working for Apple and see who knows their networking stuff.

"Spoofing websites" on a phone is virtually impossible. The only way where this sounds plausible is if the phone has some certificates installed by the company you or your husband works for.

But assuming your post is real: What value would that information give you?

Or, to destroy your post point-by-point:

>various times I have discovered profiles installed on my phone, I’ve had warnings early on that my phone was jailbroken however I never did that nor even know how.

How are those profiles being installed? What type of firewalls do you have on your network? Who has access to the phone.

> various times I have discovered profiles installed on my phone, I’ve had warnings early on that my phone was jailbroken however I never did that nor even know how.

And what are those warnings?

>I’ve picked up my phone to see something called “intercomcdn” on and playing or what ever it does.

What is that, and how do you know it's on?

>my DNS has been parked, on the handful of times I have been able to do a reverse DNS the findings have definitely NOT been anything to do with my ISP or carrier.

What the heck does that mean, especially if you've been studying network.

DNS = Domain Name System. Converts names to IP addresses. Generally you use an IP server, either Google's or provided by your ISP, for your computer to get a listing of IP addresses and domain names.
"Reverse DNS" = What is that? And how would such a thing even work?

>I have pop up ads everywhere.
From which website?

>i use apples safari private browser and have pop up’s blocked I don’t have a Google or Amazon account and yet the pop up’s are still there.

You're playing with networking and you never used either Google OR Amazon?

And how do you know the pop ups are connected to whatever hacking is happening? And I don't think Private Mode prevents pop-ups by default.

>I have had over 20 various accounts of mine show up in have you been pawned as having my credentials sold or whatever on the dark web.

Showed up by who? Which website? Is it the pop up that says "warning: You are using a compromised password..."?

>I’m trying to work quickly because this compromise has always been 1-2 steps ahead of me and after every update I have a short window of time when things appear normal and then the strange starts.

Are you trying to do one of those "I'll reverse the hackers IP address and do a full trace on where he lives and then use his IP address of 302.591.222.1 and do a counter attack?" If you are, give it up. That's just something that's done in the movies, and not something that actually is done.
 

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
Not to belittle you, but your story doesn't make sense, and comes across as being quite trollish. Or maybe you're working for Apple and see who knows their networking stuff.

"Spoofing websites" on a phone is virtually impossible. The only way where this sounds plausible is if the phone has some certificates installed by the company you or your husband works for.

But assuming your post is real: What value would that information give you?

Or, to destroy your post point-by-point:

>various times I have discovered profiles installed on my phone, I’ve had warnings early on that my phone was jailbroken however I never did that nor even know how.

How are those profiles being installed? What type of firewalls do you have on your network? Who has access to the phone.

> various times I have discovered profiles installed on my phone, I’ve had warnings early on that my phone was jailbroken however I never did that nor even know how.

And what are those warnings?

>I’ve picked up my phone to see something called “intercomcdn” on and playing or what ever it does.

What is that, and how do you know it's on?

>my DNS has been parked, on the handful of times I have been able to do a reverse DNS the findings have definitely NOT been anything to do with my ISP or carrier.

What the heck does that mean, especially if you've been studying network.

DNS = Domain Name System. Converts names to IP addresses. Generally you use an IP server, either Google's or provided by your ISP, for your computer to get a listing of IP addresses and domain names.
"Reverse DNS" = What is that? And how would such a thing even work?

>I have pop up ads everywhere.
From which website?

>i use apples safari private browser and have pop up’s blocked I don’t have a Google or Amazon account and yet the pop up’s are still there.

You're playing with networking and you never used either Google OR Amazon?

And how do you know the pop ups are connected to whatever hacking is happening? And I don't think Private Mode prevents pop-ups by default.

>I have had over 20 various accounts of mine show up in have you been pawned as having my credentials sold or whatever on the dark web.

Showed up by who? Which website? Is it the pop up that says "warning: You are using a compromised password..."?

>I’m trying to work quickly because this compromise has always been 1-2 steps ahead of me and after every update I have a short window of time when things appear normal and then the strange starts.

Are you trying to do one of those "I'll reverse the hackers IP address and do a full trace on where he lives and then use his IP address of 302.591.222.1 and do a counter attack?" If you are, give it up. That's just something that's done in the movies, and not something that actually is done.
Wow, it took you two plus years to belittle my post? Well good on you…thank you because now you’ve given me the platform to explain in further details what is going on... Let’s see, let me dissect your comments and explain further….. but let me make it clear I never said I had a background in network administration. I merely said I’ve had to give myself a crash course in networking just to be able to see what is happening…. There is a vast difference the latter means I know some very basics.



- Spoofing websites, now in my defense maybe I used the incorrect terminology. What I was trying to explain is let’s take for example CA website during the pandemic to file for pandemic relief. Each time I logged in my user icon was a different picture than what I had chosen, or on another site I will get stuck in a loop entering my password. Or links on sites that were legitimate looked the same but took me to some Wordpress site. And again in my defense this is a huge problem for many people. Chase Bank for example gives notices and warning to all there customers to be weary of such things. And while I tried on numerous times to report this to the authorities using the link ic3.gov when I attempt to use this site the font will all be misaligned, or none of the links worked so as to keep me from being able to do so. Or maybe I just have the worst luck in the world.



Profiles Installed - now this hasn’t happened in quite some time and only happened when this whole mess began which for me was in 2016. Yeah that’s what I said it’s been going on for that long. And please I have had many professionals over this time look over my situation and all of them have confirmed yes something is very wrong. But I digress… the first random profile installed was for Xfinity but the funny part about that is that I did not have Xfinity. I had Directv as my tv provider and Viasat as my internet provider. Soo why was there a profile for Xfinity installed. I removed it promptly, it came back twice, after the last time I recall the afternoon precisely because I drove home and there is a dead zone along my drive at that time and I quickly removed the profile, reset my phone, and drove home. When I got home I had my phone off I plugged it in to charge and turned it back on and about a half hour later I went to check on said phone and it was so hot I couldn’t barely hold it. I shut it off and decided I needed a break from the damn thing. Later that evening when I turned it back on a new profile had been installed but this time the name of the profile was some female name Esther or Evelyn or something with an E. I was extremely upset at this point and shut my phone off for probably a good 24 hours.



- Jailbreak notifications and warnings - well for one I installed the app “Lockdown” which at that time was the number one app for security on the phones. And in the scan the phone does it notified me my phone had been jailbroken. I called Apple on the phone and they supposedly scanned the phone blah blah. But it was shortly after this all the devices I owned had been disabled. I had to hire an IT guy to help me get into them. He was inexperienced in network virus’s or network compromises



Because this brings up the most important part is that when I call support or use support chats there is no guaranteed way I know I’m actually speaking to someone at apple or whomever. And while I am extremely sensitive to changes around me more so than others there are tell tale signs I’m not speaking to the correct authority. I can go into this at another time. But I guarantee that my calls were being diverted or redirected you choose the correct verb!



Intercomcdn - you seriously asked how do I know it’s on and what is it?? You’re too funny…. How I know it’s on is because I picked up my phone and Like any iOS user knows when music or media is playing it always shows on the Lock Screen so you can forward or reverse the track or whatever. Well when I picked up my phone to which I had no media playing at the time on the Lock Screen the player was there and the the thing playing was “intercomcdn” - NOW IF I KNEW WHAT THE HELL IT WAS I WOULDNT HAVE ASKED WOULD I??? So maybe you tell me what it is? I know what an intercom is and I know what a cdn is now combine the two and what the hell is it?? Is it a website for an intercom? Is it a way to activate a phone to behave as an intercom ie. Listen to my surroundings?? I don’t know…… hence why I ask the questions….. I have screenshots of everything I bring up but most of these forums don’t allow you to post screenshots and I understand why but it makes it somewhat difficult for the average person to explain to you “experts” what the h*** is going on!!!



DNS parked - this somewhat boggles my mind that you are asking ME what this is? You the expert. Ok so let me try to explain - “A parked domain is a domain name that is registered, but not connected to an online service like a website or email hosting. In other words, it is a purchased domain name that is not currently being used. Instead, it is “parked” for future use.”

That is directly quoted by hubspot. As to how I know that the domain I am attached to is parked is well about halfway between when this crap started and today I was trying to figure out and learn as much as I could. But in doing so I started with doing reverse checks on my IP and on my DNS. Now the first two times I done a reverse on my DNS I came up with some business that had nothing to do with my isp at the time which at that time was Verizon and even now with ATT. Both of which my DNS remains this go nowhere IP address. But anytime after those initial checks I cannot get any data back on my DNS. Now maybe this is inconsequential however you’d think that providers like Verizon and ATT would have you linked to a DNS that would lead back to them. Either way I had contacted the company SecurityTrails and I was told the DNS I had linked to my account was in fact parked. But please be my guest and let me know what you come up with here it is….. and Mr. Expert the mere fact you aren’t privy to what a Reverse DNS check is only confirms your lack of expertise.



Please help to understand what your username “JustAnExpat” actually means? What exactly is an ex Pat or even a Pat? How do you know it actually is something or how did you come to obtain such a name? That’s how your questions feel…..



As to the rest of your question I don’t have the time or energy to humor you with an answer. Besides your question are only patronizing



And to the comments in the first part of your response no I’m not trolling and for that matter most apple employees I’ve come across don’t have any negative things to say about this forum.



Again thank you for the platform to further explain myself and just because it’s not happening to you or it’s not something you are aware of does not mean it isn’t happening. And that applies to every aspect of life. Grow up and open your eyes. If you plan to stay in the are of technology you had better open your eyes and stop dismissing people based on your level of knowledge. FYI technology has advance since 2010 you might need to catch up.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,063
1,338
Wow, it took you two plus years to belittle my post?

My sympathies. You should definitely ignore @JustAnExpat's post; it was really mean-spirited. They opened with "not to belittle you" and followed with many comments that were meant to belittle you. The least generous and most revealing was "Or, to destroy your post point-by-point:". I think that made it clear that there were no good intentions in their post.

I was also surprised they'd never heard of reverse DNS. If they actually wanted to know "how would such a thing even work", they could have spent five minutes researching.
 

MNGR

Contributor
Sep 17, 2019
305
418
My sympathies. You should definitely ignore @JustAnExpat's post; it was really mean-spirited. They opened with "not to belittle you" and followed with many comments that were meant to belittle you. The least generous and most revealing was "Or, to destroy your post point-by-point:". I think that made it clear that there were no good intentions in their post.

I was also surprised they'd never heard of reverse DNS. If they actually wanted to know "how would such a thing even work", they could have spent five minutes researching.
Reverse DNS is just like it sounds. DNS=name to IP address; Reverse=address to name
 

svenmany

macrumors demi-god
Jun 19, 2011
2,063
1,338
Reverse DNS is just like it sounds. DNS=name to IP address; Reverse=address to name

Here's a good reference https://www.cloudflare.com/learning/dns/dns-records/dns-ptr-record/. That's probably enough to answer "how it even works". But the details are kind of interesting.

You can do your own reverse name lookups in terminal using the "dig" command. I picked a random IP address and ran

Code:
dig -x 71.100.44.10

and got

Code:
; <<>> DiG 9.10.6 <<>> -x 71.100.44.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33331
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.44.100.71.in-addr.arpa.    IN    PTR


;; AUTHORITY SECTION:
100.71.in-addr.arpa.    3600    IN    SOA    auth.roch.ny.frontiernet.net. hostmaster.frontiernet.net. 1459725738 10800 3600 604800 21600


;; Query time: 181 msec
;; SERVER: 10.27.80.1#53(10.27.80.1)
;; WHEN: Sun Mar 26 08:52:33 PDT 2023
;; MSG SIZE  rcvd: 129

That means that frontiernet.net "owns" the entire 71.100.* address range.

Then the question is "really how does that work". Again, you can use dig.

One answer from
Code:
dig arpa. ns
is
Code:
arpa.            86004 IN NS a.ns.arpa.

That means that nameserver a.ns.arpa can answer questions about the top-level "arpa" domain.

Code:
dig in-addr.arpa
gives
Code:
in-addr.arpa.        2852 IN    NS a.in-addr-servers.arpa.

That means a.in-addr-servers.arpa can answer questions about the in-addr.apra domain. Continuing:

Code:
71.in-addr.arpa.    2652 IN    NS r.arin.net.
and
Code:
100.71.in-addr.arpa.    86007 IN NS auth.dlls.pa.frontiernet.net.

And that's as deep as it goes, in this case, for nameservers. So, if you're doing a reverse name lookup of 71.100.44.10, auth.dlls.pa.frontiernet.net can answer such a query.

All DNS queries are recursive like this, descending through nameservers until you arrive at the one giving you the final answer. Sometimes the DNS servers themselves do the recursion; sometimes they refuse and it's up the the client (your own computer) to do the recursion.

At the very top level, software is hard-coded to know the root name servers who answer the question "dig . ns"

Well, at least that's my high-level understanding it.
 
  • Like
Reactions: HDFan

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
Thanks everyone! It’s nice to know that there is still humanity in this world. I’m just a simple gal trying to figure stuff out and I thought this was the safest forum to use.

Still plagued by whatever is occurring. It’s most troublesome when I see my camera indicator go on and I’m not using the camera, and my IP address changes dramatically when it does. It’s the same IP range I should say. The last few digits are all that changes. And this is regardless of using Wi-Fi or staying on cell data. I can’t figure it out. Just purchased a new phone problem is not near as bad most days. Example would be im at home and Wi-Fi is off and my IP address stays in the 107.xxx.xxx.xxx range. Now when the odd things begin to occur for whatever reason and same parameters (home Wi-Fi is off etc.) my IP address jumps to 166.xxx.xxx.xxx range. My DNS has at times been my loopback (this is confusing) but this hasn’t happened in a while. On my ATT account the Numbersync feature had been activated and it said “do not deactivate” on my account. I don’t use the feature, don’t have any watches or devices that would use the feature. I’m not sure what other things it could be used for. ATT can’t tell me. I do note that on my new phone it has not been made active so far (fingers crossed)

But the recent issue is my new MacBook I bought about 4 months ago. I was so excited to get it to hoping all this might go away. Well I accidentally left it on Wi-Fi one night and fell asleep and gremlins attacked again. I can’t say for certain what it was but anyhow so I just did a reset back to default as I hadn’t put any data on it or even used it but get through the initial setup. However when I tried to log on and I went to add my Apple ID and when it sent me the two factor number to my phone I never received it! I tried 3 times to no avail.

And on my phone it says on iMessage and FaceTimethat my number cannot be used as an official number because it’s in use on a different device????? Ooooookaaaaay! What device where and how in the world do I amend this??

*also, anyone else experiencing a bug possibly on iMessage on iOS 16.4 when you hit the back button it starts recording you? My screen goes black and then a recording starts and inputs it in the text box to send to whichever text I had open? I’m trying to determine if this is a bug in new iOS or another symptom of the same old b.s.

Does it sound like what I’m experiencing is device related, network related, or a bad actor or gremlin as I call them?
 

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
I’ve just seen two articles from Virustotal where others experience similar issue except they appear to be discussing Android and home network of which I am neither. So where do I go from there…..

Btw I have two dns servers currently both using the same DNS 172.26.38.2?? Why two, and why the same IP? How is that possible?
 

svenmany

macrumors demi-god
Jun 19, 2011
2,063
1,338
When you set up your new phone, did you restore the apps and settings you had in a backup from the old phone?
 

ThrowerGB

macrumors regular
Jun 11, 2014
241
84
A Whois lookup for the DNS address (172.26.38.2) you asked about indicates that that IP address is assigned for a special use. It won't work for you as a DNS server. As a start for fixing this, remove them both and instead, use one of the Google DNS servers such as 8.8.8.8
Your symptoms on both the iPhone and MacBook seem very strange to me. It does seem like they were previously used somewhere and aren't factory fresh.
If the problem persists, take both devices to an AppleStore and have them investigate.

The WHOIS lookup returned these comments:
"These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices. They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.

These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry. The traffic from these addresses does not come from ICANN or IANA. We are not the source of activity you may see on logs or in e-mail records. Please refer to http://www.iana.org/abuse/answers

These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Best Current Practice document, RFC 1918 which can be found at:
http://datatracker.ietf.org/doc/rfc1918"


Good luck!
 

svenmany

macrumors demi-god
Jun 19, 2011
2,063
1,338
I'm having a hard time giving any real input since there are so many issues you are mentioning. It's even hard to tell if any of them are real issues without deeper investigation. Perhaps pick one thing to start with and we can start digging in to see if it's normal.

Also, let me just repeat my earlier question... You said you just purchased a new phone. I assume that's the one you're now having problems with. Did you restore it from a backup? If you installed a malicious app on your old phone, then you might have restored that malicious app to your new phone.
 

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
no I didn’t restore from backup. I try to set up a new ID each time but that hasn’t thwarted the situation which boggles my mind.
 
Last edited:

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
I'm having a hard time giving any real input since there are so many issues you are mentioning. It's even hard to tell if any of them are real issues without deeper investigation. Perhaps pick one thing to start with and we can start digging in to see if it's normal.

Also, let me just repeat my earlier question... You said you just purchased a new phone. I assume that's the one you're now having problems with. Did you restore it from a backup? If you installed a malicious app on your old phone, then you might have restored that malicious app to your new phone.
Hi, so actually may have some clarity here because yesterday for some reason my network connections “appeared” and I use appear lightly, normal. One DNS, my IP was within range of what Att typically uses.

However today right now as I type this it’s changed to the one that most troubles seem to stem from.

My IP is 166.198.34.34
My DNS is duplicated meaning I have two and both are the same -
172.26.38.2 (how can both be the same and why 2)

The following ports are open -
TCP Ports 21, 80, 443, 554, 1723
 
Last edited:

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
iPhone 14Pro Max is my current phone but it’s happened on several phones I’ve had

I’m using cellular at the time. But I cannot say whether it’s Wi-Fi or cellular specific. But I’d guess cellular.
 
Last edited:

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
A Whois lookup for the DNS address (172.26.38.2) you asked about indicates that that IP address is assigned for a special use. It won't work for you as a DNS server. As a start for fixing this, remove them both and instead, use one of the Google DNS servers such as 8.8.8.8
Your symptoms on both the iPhone and MacBook seem very strange to me. It does seem like they were previously used somewhere and aren't factory fresh.
If the problem persists, take both devices to an AppleStore and have them investigate.

The WHOIS lookup returned these comments:
"These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices. They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.

These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry. The traffic from these addresses does not come from ICANN or IANA. We are not the source of activity you may see on logs or in e-mail records. Please refer to http://www.iana.org/abuse/answers

These addresses were assigned by the IETF, the organization that develops Internet protocols, in the Best Current Practice document, RFC 1918 which can be found at:
http://datatracker.ietf.org/doc/rfc1918"


Good luck!
Thank you ThrowerGB, that’s honestly something useful!!
Thing is I have taken them to Apple more times than I know what to do with myself and each time they just look at me like deer caught in headlights. I’ve done the reset to default, the change my Apple ID. I’ve tried using the DNS for Google the 8.8.8.8 but I can’t say exactly but it almost got worse for a short period. I typicallly end up changing it back or going track to auto assigned.

The other thing I might add if it’s helpful is my loopback 127.0.0.1 has at times been my DNS.
 
Last edited:
  • Sad
Reactions: ThrowerGB

svenmany

macrumors demi-god
Jun 19, 2011
2,063
1,338
Hi, so actually may have some clarity here because yesterday for some reason my network connections “appeared” and I use appear lightly, normal. One DNS, my IP was within range of what Att typically uses.

However today right now as I type this it’s changed to the one that most troubles seem to stem from.

My IP is 166.198.34.34
My DNS is duplicated meaning I have two and both are the same -
172.26.38.2 (how can both be the same and why 2)

The following ports are open -
TCP Ports 21, 80, 443, 554, 1723

554 is real streaming according to the scanner im using and I had zero apps open and background refresh off entirely. I’m not synced to any other device that I own. And all sharing is off. No handshake, no air drop, etc.

Port 443 I’m guessing could just be the scanner I’m using but again I’m guessing.

Port 1723 is listed as point to point tunneling

21 is obviously FTP (I’m unaware if it’s used for anything else)

80 is http unsecured if I’m not mistaken.

Again bare with me I’m self taught.

I ran my IP and my AS number is 7018 which feeds to AS20057 (maybe not the right word for it but it’s the parent AS)
Looking up this AS using MXToolbox I come up with that there is a Proxy. The proxy IP is 15.158.0.114 which all pops for an Amazon cloudfront server.

I do not have the Amazon app on my phone. But I understand the AWS is different regardless and can be used by anyone trying to hide there identity.

That’s about what I have. There is an external IP I have but I don’t think it’s helpful. Any reverse IP lookup shows a dead end for me but in a perfect world it should show private because that’s by design am I correct?

So far the only way I’ve found any useful data is by seeing what ports are open at the time weird **** happens, and also my AS and DNS number which I know doesn’t help much.

But if it’s an iPhone my biggest hurdle is how can you configure the network like you can on a desktop because my understanding is unless I jailbreak the device I’m at the mercy of my provider??


At this point, all I can say is good luck. There's just too much information for me to manage to focus on one problem at a time. I don't even know if you're talking about a phone or a Mac. I don't know if you're on WiFi or Cellular. You're digging in to a lot of technical stuff and it's making it harder for me to even get a footing. I do hope you get to the bottom of it.
 
Last edited:

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
At this point, all I can say is good luck. There's just too much information for me to manage to focus on one problem at a time. I don't even know if you're talking about a phone or a Mac. I don't know if you're on WiFi or Cellular. You're digging in to a lot of technical stuff and it's making it harder for me to even get a footing. I do hope you get to the bottom of it.
Can you tell me what I can provide to help? Sorry for the details. I’m just trying to help. But it would be much easier if you told me what I should provide?
 

svenmany

macrumors demi-god
Jun 19, 2011
2,063
1,338
I'd like to focus on the iPhone only, using Cellular while WiFi is turned off.

You mentioned shifting and unexpected IP addresses, unexpected DNS servers, and open ports. Which of these apply to cellular? For those that do, how did you ascertain these settings and issues?

And if you could recap the issues that you've seen that apply to only network issues (like above), on just the iPhone, using just cellular, with WiFi turned off. I just want to make sure that the issues I mentioned just above are the only ones for this exact context. Also, I'd like to compare what you're seeing with what I am for this exact context.
 

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
That’s easy, they are all on iPhone and using cellular. I haven’t discussed the network transitions while on Wi-Fi yet. I know I mention it happening but I have been keeping this separate when I am discussing this. So all the parameters I mentioned were cellular specific and on my iPhone.

Now as I type this my current IP while at home is 166.198.34.55 (internal)

My external IP if it matter is 10.113.298.112

I have two DNS assigned both having the same number. 172.26.38.2

When I attempt to do a reverse on my DNS it says unavailable or Private IP. This is using MXToolbox. Using DNSchecker.org it resolves itself as both Host and IP.

Most times it returns nothing when I search as an IP but yesterday I was able to get a AS number as AS7018 which has a parent and the parent resolved to an Amazon webserver.

The tools I use on my phone are a couple so I can cross check my findings but Scany is one (great for using as an open port analyzer) and I’ve used, myip.ms, whatismyip.

Netanalyzer on my phone states my network is 5G NS (I don’t know what the NS stands for but I’m pretty sure it’s irrelevant to this problem)

The other IP my phone switches to is 107.77.211.169 the last three sections are typically different. But when my phone was using this IP it stated my DNS was my loopback 127.0.0.1 and it has also stated it was Proxying but I don’t know how to use a proxy nor have I done so.

Again all on my iPhone and using cellular
 

Twiceon2sday

macrumors member
Original poster
Mar 2, 2021
51
3
California
IMG_0442.PNG
I need to state that at the time my phone isn’t doing anything unusual and I only can see both UDP & TCP port 53 are open.

When I trace the IP this is what I get. I don’t know what the clouds mean except hops maybe? So as of now whether this is correct or incorrect there isn’t any strange activity on my phone but I haven’t used it much today either.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.