
Twiceon2sday · macrumors newbie · Original poster · Mar 2, 2021 · California
Can anyone tell me what source P is referencing?


Code:
{
  "source" : "P",
  "arch" : "arm64e",
  "base" : 6487347200,
  "size" : 3166208,
  "uuid" : "",
  "path" : "\/System\/Library\/Frameworks\/Foundation.framework\/Foundation",
  "name" : "Foundation"
},
{
  "source" : "P",
  "arch" : "arm64e",
  "base" : 6616674304,
  "size" : 172032,
  "uuid" : "",
  "path" : "\/System\/Library\/PrivateFrameworks\/AudioSession.framework\/AudioSession",
  "name" : "AudioSession"
},
{
  "source" : "P",
  "arch" : "arm64e",
  "base" : 6458896384,
  "size" : 286720,
  "uuid" : "",
  "path" : "\/usr\/lib\/system\/libdispatch.dylib",
  "name" : "libdispatch.dylib"
},
{
  "source" : "P",
  "arch" : "arm64e",
  "base" : 8346234880,
  "size" : 229376,
  "uuid" : "",
  "path" : "\/usr\/lib\/system\/libxpc.dylib",
  "name" : "libxpc.dylib"
}

You can see it is across multiple libraries and multiple processes.

FYI:
A. My phone is not jailbroken, at least not by me.
B. It has been compromised, but I’m trying to determine whether it’s by someone or whether I pulled the short straw and got hacked randomly.
C. This is referenced through numerous analytics logs referencing various apps and/or processes.
D. I’m trying to determine whether this is a bug in the new iOS 15 or something uncovered since the update that is related to the compromise.

Twiceon2sday · macrumors newbie · Original poster · Mar 2, 2021 · California
> What is the context for this data? Why do you think your device has been compromised?

This is a section of a report, “Exc_UserFault_wifid”.

I know my device is compromised for multiple reasons. There are the obvious ones…
I’ve picked up my phone and my camera is on, and I can tell now by the little green dot (thank you Apple!!).
I’ve had pictures in my photo album that do not belong to me.
My keyboard has been taken over.
I’m constantly being spoofed online, so it’s hard to tell whether the website I’m on is legit, so I have to triple-check everything.
Home & Game Center in iCloud keep getting turned on (this I can’t figure out).
My messages and texts from friends and family arrive hours to days late, and they are date-stamped. Or my messages just go nowhere entirely.
But then you have the technical stuff like log reports that are clear indicators… namely
“Exc_UserFaults_CMFSyncAgent”
And I can only assume the other Exc logs are indicators too.
Various times I have discovered profiles installed on my phone; I’ve had warnings early on that my phone was jailbroken, however I never did that nor even know how.
I’ve picked up my phone to see something called “intercomcdn” on and playing, or whatever it does.
My DNS has been parked; on the handful of times I have been able to do a reverse DNS lookup, the findings have definitely NOT been anything to do with my ISP or carrier.
I have pop-up ads everywhere.
I use Apple’s Safari private browser and have pop-ups blocked. I don’t have a Google or Amazon account, and yet the pop-ups are still there.
I have had over 20 various accounts of mine show up in Have I Been Pwned as having my credentials sold or whatever on the dark web.

This is just to name a few reasons why I believe I’ve been compromised. And before you give me the “reset your devices, erase this or that” and all that… I’ve been dealing with this for years. I’ve done all of that!! More than once… It’s happening to my husband’s phone too, but he has been listening to me lose my mind over it, and I have been made aware that he hasn’t necessarily followed the rules in regards to creating ALL NEW accounts. So there’s that…

Anyhow, I’ve given myself these crash courses in networking etc. I was already tech savvy, but I’ve had to learn quite a bit. So I can understand quite a bit, but I may not use the right terminology, and I’m trying to piece it all together because it’s the only way I can make this all stop… I’ve tried to report this on ic3.com but the powers that be will not allow me. Either the site is not accessible or the page is so big on my phone it’s not even legible.
Anyhow, is there something I can provide to help me understand what this reference is? Because it’s used through all the logs I referenced above, and with every update I get, something else is uncovered, and I’m trying to work quickly because this compromise has always been 1-2 steps ahead of me, and after every update I have a short window of time when things appear normal and then the strange starts.
I believe it’s in my network or in some old email account somewhere. But I know that we get texts or calls that have got to be handshakes, because I’ve traced them back and it’s always something relating to FTP or NetBIOS or tunneling and proxy-related ports open.

I’m willing to listen to advice on something I can do besides reset my stuff again, because I’m frankly tired of losing all my data doing so. And backing **** up that I can never touch again. It’s getting really flipping old!!

McRegRum · macrumors newbie · Feb 4, 2023 · ZA, Johannesburg
Hi #Barbu, you are in one of the loneliest places I have ever been, and I'm still trying to claw my way out of this hell hole. In fact, I registered just to reply to you. I’m not as tech savvy as you appear to be, and I can offer nothing but empathy and the belief in you, and that your conviction in the reality of your situation is well placed. Until you know who it is or who they are, and why there is such a need to keep surveilling you, there is no rest to be had.
Firstly, your post was a while back. Any updates?
I keep hoping the next security release will save the day, but a mobile OTA patch soon comes through (ostensibly from Apple), and my devices all start displaying the telltale signs that it’s all starting again. Mine started with me helping a friend's new husband with his aspect ratio on a new app he was developing, where he wanted to see how it looked on my brand new 8+. 3 entries of my ID and password secured my having provisioned my iPhone, Apple ID, and probably other Apple devices to him. This was about October 2017, and over the next 3 years I realised something was not right and slowly started to investigate.
As you said, they are always a few steps ahead, and my life will never be the same…
 

JustAnExpat · macrumors 6502 · Nov 27, 2019
Not to belittle you, but your story doesn't make sense, and comes across as being quite trollish. Or maybe you're working for Apple and see who knows their networking stuff.

"Spoofing websites" on a phone is virtually impossible. The only way where this sounds plausible is if the phone has some certificates installed by the company you or your husband works for.

But assuming your post is real: What value would that information give you?

Or, to destroy your post point-by-point:

>various times I have discovered profiles installed on my phone, I’ve had warnings early on that my phone was jailbroken however I never did that nor even know how.

How are those profiles being installed? What type of firewalls do you have on your network? Who has access to the phone?

> various times I have discovered profiles installed on my phone, I’ve had warnings early on that my phone was jailbroken however I never did that nor even know how.

And what are those warnings?

>I’ve picked up my phone to see something called “intercomcdn” on and playing or what ever it does.

What is that, and how do you know it's on?

>my DNS has been parked, on the handful of times I have been able to do a reverse DNS the findings have definitely NOT been anything to do with my ISP or carrier.

What the heck does that mean, especially if you've been studying networking?

DNS = Domain Name System. Converts names to IP addresses. Generally you use an IP server, either Google's or provided by your ISP, for your computer to get a listing of IP addresses and domain names.
"Reverse DNS" = What is that? And how would such a thing even work?

>I have pop up ads everywhere.
From which website?

>i use apples safari private browser and have pop up’s blocked I don’t have a Google or Amazon account and yet the pop up’s are still there.

You're playing with networking and you never used either Google OR Amazon?

And how do you know the pop ups are connected to whatever hacking is happening? And I don't think Private Mode prevents pop-ups by default.

>I have had over 20 various accounts of mine show up in have you been pawned as having my credentials sold or whatever on the dark web.

Showed up by who? Which website? Is it the pop up that says "warning: You are using a compromised password..."?

>I’m trying to work quickly because this compromise has always been 1-2 steps ahead of me and after every update I have a short window of time when things appear normal and then the strange starts.

Are you trying to do one of those "I'll reverse the hackers IP address and do a full trace on where he lives and then use his IP address of 302.591.222.1 and do a counter attack?" If you are, give it up. That's just something that's done in the movies, and not something that actually is done.
 

Twiceon2sday · macrumors newbie · Original poster · Mar 2, 2021 · California
Wow, it took you two plus years to belittle my post? Well, good on you… thank you, because now you’ve given me the platform to explain in further detail what is going on... Let’s see, let me dissect your comments and explain further… but let me make it clear I never said I had a background in network administration. I merely said I’ve had to give myself a crash course in networking just to be able to see what is happening… There is a vast difference; the latter means I know some very basics.

- Spoofing websites: now, in my defense, maybe I used the incorrect terminology. What I was trying to explain is, let’s take for example the CA website during the pandemic to file for pandemic relief. Each time I logged in, my user icon was a different picture than what I had chosen, or on another site I would get stuck in a loop entering my password. Or links on sites that were legitimate looked the same but took me to some WordPress site. And again, in my defense, this is a huge problem for many people. Chase Bank, for example, gives notices and warnings to all their customers to be wary of such things. And while I tried numerous times to report this to the authorities using the link ic3.gov, when I attempt to use this site the font will all be misaligned, or none of the links work, so as to keep me from being able to do so. Or maybe I just have the worst luck in the world.

- Profiles installed: now, this hasn’t happened in quite some time and only happened when this whole mess began, which for me was in 2016. Yeah, that’s what I said, it’s been going on for that long. And please, I have had many professionals over this time look over my situation and all of them have confirmed yes, something is very wrong. But I digress… the first random profile installed was for Xfinity, but the funny part about that is that I did not have Xfinity. I had DirecTV as my TV provider and Viasat as my internet provider. So why was there a profile for Xfinity installed? I removed it promptly; it came back twice. After the last time, I recall the afternoon precisely because I drove home and there is a dead zone along my drive, and at that time I quickly removed the profile, reset my phone, and drove home. When I got home I had my phone off; I plugged it in to charge and turned it back on, and about a half hour later I went to check on said phone and it was so hot I could barely hold it. I shut it off and decided I needed a break from the damn thing. Later that evening when I turned it back on, a new profile had been installed, but this time the name of the profile was some female name, Esther or Evelyn or something with an E. I was extremely upset at this point and shut my phone off for probably a good 24 hours.

- Jailbreak notifications and warnings: well, for one, I installed the app “Lockdown”, which at that time was the number one app for security on phones. And in the scan the phone does, it notified me my phone had been jailbroken. I called Apple on the phone and they supposedly scanned the phone, blah blah. But it was shortly after this that all the devices I owned had been disabled. I had to hire an IT guy to help me get into them. He was inexperienced in network viruses or network compromises.

Because this brings up the most important part, which is that when I call support or use support chats there is no guaranteed way I know I’m actually speaking to someone at Apple or whomever. And while I am extremely sensitive to changes around me, more so than others, there are telltale signs I’m not speaking to the correct authority. I can go into this at another time. But I guarantee that my calls were being diverted or redirected, you choose the correct verb!

- Intercomcdn: you seriously asked how do I know it’s on and what is it?? You’re too funny… How I know it’s on is because I picked up my phone, and like any iOS user knows, when music or media is playing it always shows on the Lock Screen so you can forward or reverse the track or whatever. Well, when I picked up my phone, to which I had no media playing at the time, on the Lock Screen the player was there and the thing playing was “intercomcdn”. NOW IF I KNEW WHAT THE HELL IT WAS I WOULDN’T HAVE ASKED, WOULD I??? So maybe you tell me what it is? I know what an intercom is and I know what a CDN is; now combine the two and what the hell is it?? Is it a website for an intercom? Is it a way to activate a phone to behave as an intercom, i.e. listen to my surroundings?? I don’t know… hence why I ask the questions… I have screenshots of everything I bring up, but most of these forums don’t allow you to post screenshots, and I understand why, but it makes it somewhat difficult for the average person to explain to you “experts” what the h*** is going on!!!

- DNS parked: this somewhat boggles my mind, that you are asking ME what this is? You, the expert. Ok, so let me try to explain: “A parked domain is a domain name that is registered, but not connected to an online service like a website or email hosting. In other words, it is a purchased domain name that is not currently being used. Instead, it is “parked” for future use.”

That is directly quoted from HubSpot. As to how I know that the domain I am attached to is parked: well, about halfway between when this crap started and today, I was trying to figure out and learn as much as I could. But in doing so I started with doing reverse checks on my IP and on my DNS. Now, the first two times I did a reverse on my DNS I came up with some business that had nothing to do with my ISP at the time, which at that time was Verizon, and even now with ATT. Both of which my DNS remains this go-nowhere IP address. But any time after those initial checks I cannot get any data back on my DNS. Now maybe this is inconsequential; however, you’d think that providers like Verizon and ATT would have you linked to a DNS that would lead back to them. Either way, I had contacted the company SecurityTrails and I was told the DNS I had linked to my account was in fact parked. But please, be my guest and let me know what you come up with; here it is… and Mr. Expert, the mere fact you aren’t privy to what a reverse DNS check is only confirms your lack of expertise.

Please help me to understand what your username “JustAnExpat” actually means? What exactly is an ex Pat, or even a Pat? How do you know it actually is something, or how did you come to obtain such a name? That’s how your questions feel…

As to the rest of your questions, I don’t have the time or energy to humor you with an answer. Besides, your questions are only patronizing.

And to the comments in the first part of your response: no, I’m not trolling, and for that matter most Apple employees I’ve come across don’t have any negative things to say about this forum.

Again, thank you for the platform to further explain myself, and just because it’s not happening to you or it’s not something you are aware of does not mean it isn’t happening. And that applies to every aspect of life. Grow up and open your eyes. If you plan to stay in the area of technology, you had better open your eyes and stop dismissing people based on your level of knowledge. FYI, technology has advanced since 2010; you might need to catch up.
 

svenmany · macrumors demi-god · Jun 19, 2011
> Wow, it took you two plus years to belittle my post?

My sympathies. You should definitely ignore @JustAnExpat's post; it was really mean-spirited. They opened with "not to belittle you" and followed with many comments that were meant to belittle you. The least generous and most revealing was "Or, to destroy your post point-by-point:". I think that made it clear that there were no good intentions in their post.

I was also surprised they'd never heard of reverse DNS. If they actually wanted to know "how would such a thing even work", they could have spent five minutes researching.
 

MNGR · Contributor · Sep 17, 2019
> My sympathies. You should definitely ignore @JustAnExpat's post; it was really mean-spirited. They opened with "not to belittle you" and followed with many comments that were meant to belittle you. The least generous and most revealing was "Or, to destroy your post point-by-point:". I think that made it clear that there were no good intentions in their post.
>
> I was also surprised they'd never heard of reverse DNS. If they actually wanted to know "how would such a thing even work", they could have spent five minutes researching.
Reverse DNS is just like it sounds. DNS=name to IP address; Reverse=address to name
 

svenmany · macrumors demi-god · Jun 19, 2011
> Reverse DNS is just like it sounds. DNS=name to IP address; Reverse=address to name

Here's a good reference https://www.cloudflare.com/learning/dns/dns-records/dns-ptr-record/. That's probably enough to answer "how it even works". But the details are kind of interesting.

You can do your own reverse name lookups in terminal using the "dig" command. I picked a random IP address and ran

Code:
dig -x 71.100.44.10

and got

Code:
; <<>> DiG 9.10.6 <<>> -x 71.100.44.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33331
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.44.100.71.in-addr.arpa.    IN    PTR


;; AUTHORITY SECTION:
100.71.in-addr.arpa.    3600    IN    SOA    auth.roch.ny.frontiernet.net. hostmaster.frontiernet.net. 1459725738 10800 3600 604800 21600


;; Query time: 181 msec
;; SERVER: 10.27.80.1#53(10.27.80.1)
;; WHEN: Sun Mar 26 08:52:33 PDT 2023
;; MSG SIZE  rcvd: 129

That means that frontiernet.net "owns" the entire 71.100.* address range.

Then the question is "really how does that work". Again, you can use dig.

One answer from
Code:
dig arpa. ns
is
Code:
arpa.            86004 IN NS a.ns.arpa.

That means that nameserver a.ns.arpa can answer questions about the top-level "arpa" domain.

Code:
dig in-addr.arpa
gives
Code:
in-addr.arpa.        2852 IN    NS a.in-addr-servers.arpa.

That means a.in-addr-servers.arpa can answer questions about the in-addr.arpa domain. Continuing:

Code:
71.in-addr.arpa.    2652 IN    NS r.arin.net.
and
Code:
100.71.in-addr.arpa.    86007 IN NS auth.dlls.pa.frontiernet.net.

And that's as deep as it goes, in this case, for nameservers. So, if you're doing a reverse name lookup of 71.100.44.10, auth.dlls.pa.frontiernet.net can answer such a query.

All DNS queries are recursive like this, descending through nameservers until you arrive at the one giving you the final answer. Sometimes the DNS servers themselves do the recursion; sometimes they refuse and it's up to the client (your own computer) to do the recursion.

At the very top level, software is hard-coded to know the root name servers who answer the question "dig . ns"

Well, at least that's my high-level understanding of it.
 
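To make the delegation walk in the post above concrete, here is an added example (my own code, not svenmany's and not part of any tool the thread mentions) that builds the in-addr.arpa. name for an address, lists the zones a resolver descends through, and parses the dig output quoted above to report where the lookup stopped and which server is named as authoritative; it also handles IPv6 names under ip6.arpa., which the post does not cover. SAMPLE_DIG is trimmed from the post's own dig output so the code runs offline.

```python
import ipaddress
import re
from typing import Dict, List
# Trimmed from the "dig -x 71.100.44.10" output quoted in the post above (SERVFAIL, SOA in AUTHORITY).
SAMPLE_DIG = """\
; <<>> DiG 9.10.6 <<>> -x 71.100.44.10
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33331
;; QUESTION SECTION:
;10.44.100.71.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
100.71.in-addr.arpa.    3600    IN    SOA    auth.roch.ny.frontiernet.net. hostmaster.frontiernet.net. 1459725738 10800 3600 604800 21600
"""
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")  # owner ttl IN type rdata

def reverse_name(ip: str) -> str:
    """PTR owner name: reversed octets under in-addr.arpa. (IPv4) or reversed hex nibbles under ip6.arpa. (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, one label each
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def delegation_chain(ip: str) -> List[str]:
    """Zones from the root down to the PTR name, in the order the post's successive dig queries descend."""
    labels = reverse_name(ip).rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def parse_dig(output: str) -> Dict:
    """Pull the status, the question name and the resource records out of dig's text output."""
    parsed: Dict = {"status": None, "question": None, "sections": {}}
    section = None
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            parsed["status"] = m.group(1) if m else None
        elif line.endswith("SECTION:"):  # ";; QUESTION SECTION:", ";; AUTHORITY SECTION:", ...
            section = line.strip(";: ").split()[0]
            parsed["sections"][section] = []
        elif section == "QUESTION" and line.startswith(";"):
            parsed["question"] = line.lstrip(";").split()[0]
        elif section and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                parsed["sections"][section].append(
                    {"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return parsed

def summarize(ip: str, output: str) -> Dict:
    """Was the right PTR name asked, at which zone of the chain did the lookup stop, and who is authoritative?"""
    parsed = parse_dig(output)
    auth = next((rr for rr in parsed["sections"].get("AUTHORITY", [])
                 if rr["type"] in ("SOA", "NS")), None)  # the zone the answering server reached
    zone = auth["owner"] if auth else None
    chain = delegation_chain(ip)
    return {
        "status": parsed["status"],
        "question_ok": parsed["question"] == reverse_name(ip),
        "zone": zone,
        "depth": chain.index(zone) if zone in chain else None,  # None: answer is for an unrelated zone
        "authority_server": auth["rdata"].split()[0] if auth else None,  # SOA MNAME / NS target
    }

if __name__ == "__main__":
    print(delegation_chain("71.100.44.10"))
    print(summarize("71.100.44.10", SAMPLE_DIG))
```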