Alarming results after running file recovery?
I ran file recovery software and it returned thousands of documents. I've spent a LOT of time digging through them to find out what was done to my iMac (without my permission).
macOS Sierra 10.12.6
Here is some history on the device in question:
- Admin access was originally hers and not mine
- Admin access was added to my account
- Her account was removed from admin
- Her account was given admin access again
- Her admin access was removed
- She deleted her data
- Her user account was deactivated
My information & data remained (all of it, I think).
I've cut & pasted parts of a couple of the suspicious documents I retrieved during the file recovery below. Some of these documents were very long and, after editing this post, it no longer fit. I cut some things out and have now posted & linked to the longer one on GitHub.
A link to the (long) plist (we'll refer to it as "Document 1") is on GitHub here.
I've done many hours (cumulatively days or even a week by now) of searching, trying to figure out what many of these processes are. Some appear to be completely normal, some were difficult to identify, and some looked outright malicious (given the context). Some of these processes appear to be programs that would tell another person about my activity, what I'm doing with my files, or give another person control of my files either on my local network and/or remotely.
One such example is Aventail. It looks like a program that monitors activity.
https://www.eventtracker.com/knowledge-center/aventail-ssl-vpn/
In the top right corner of my screen (next to my username, date, and other icons), there is a black rectangular icon with white vertical lines going through it. When I click on it now, a drop-down menu with "VPN is not configured" (not clickable) and "Open Network Preferences" appears. I am almost certain that this was not like this before (it said something different, but I don't remember what it was). I don't know how or if that might be relevant. This was one of the original clues that made me investigate further.
My Google research tells me that there are a few programs in the list that monitor activity. Strangely, I saw a few of them on lists that were posted in similar documents elsewhere on the internet. I'm not sure why that's the case or what it means about my specific situation.
It looks like this program Aventail was, in fact, run on my computer. After a Google search told me that it has the ability to monitor activity via SSL VPN, I did a search in Finder for the term Aventail and found a few documents generated through the file recovery that seem to be relevant here.
Nothing new in the system turned up for the search term "Aventail", only documents in the file recovery. I assume this is because these documents were deleted and then recovered and also that the term isn't currently in my system (other than what's been deleted & recovered).
Documents 2 & 3 turned up in my file recovery that show her username associated with the software in question. I redacted parts of it for obvious reasons.
Document 4 turned up by searching for the term “hamachi”. Once again, this only turned up in recovered documents and nowhere else.
Document 5 I think confirms my suspicions that I wasn't exactly "hacked", but that my former partner gained access to my info/data and was able to view and/or log my activity.
If you're good with computers and know your way around an iMac, you'd likely have used a very different process than what I went through for all this, but let's say that you did it like I did and what I've posted here were your results. What would be alarming about them to you? What would be indicative that your data was transferred or was being looked over by someone other than yourself?
Document 2
#Uninstaller catalog, (c) Aventail Corporation
#Sat Jul 28 15:33:31 EDT 2007
https\://ex1500.n****************.com/postauthOnDemand/ondemand_daemon_pkg.jar=/Users/**********/Library/Application Support/Aventail/ondemand/
Document 3
#!/bin/bash
# Uninstaller script for Aventail OnDemand Daemon.
# This script removes all files associated with the Aventail OnDemand Daemon.
# Please copy this file to your home directory before executing it.
echo ""
echo "***Aventail OnDemand Daemon Uninstaller***"
echo ""
echo "You need to have Administrator privileges on this computer to"
echo "complete the operation."
#echo ""
#echo -n "Do you wish to proceed with the uninstallation [y/n]: "
#read RESPONSE
#if [ "$RESPONSE" != "y" ]; then
#    exit 0
#fi
OSX_V4_STARTUP_DIR="/Library/StartupItems/OnDemand"
OSX_V3_STARTUP_DIR="/System/Library/StartupItems/OnDemand"
OD_EXEC_DIR="/var/Aventail/ondemand"
OD_HOME_DIR="$HOME/Library/Application Support/Aventail/ondemand"
INSTALL_FOUND="false"
# If the daemon is already running then stop it
DAEMON_PID=$(ps -axww | grep -v grep | grep "ODService" | awk '{print $1}')
# -n with quotes: the original bare test fails if more than one PID comes back
if [ -n "$DAEMON_PID" ]; then
    INSTALL_FOUND="true"
    # deliberately unquoted so that several PIDs are passed as separate arguments
    sudo kill $DAEMON_PID
fi
# Remove files from the /Library/StartupItems folder if on Mac OS X v4
if [ -d "$OSX_V4_STARTUP_DIR" ]; then
    INSTALL_FOUND="true"
    sudo rm -rf "$OSX_V4_STARTUP_DIR"
fi
# Remove files from the System/Library/StartupItems folder if on Mac OS X v3
if [ -d "$OSX_V3_STARTUP_DIR" ]; then
    INSTALL_FOUND="true"
    sudo rm -rf "$OSX_V3_STARTUP_DIR"
fi
# Remove files from the Aventail OnDemand Daemon execution directory
if [ -d "$OD_EXEC_DIR" ]; then
    INSTALL_FOUND="true"
    sudo rm -rf "$OD_EXEC_DIR"
fi
# Remove files from the Aventail OnDemand Daemon home directory
if [ -d "$OD_HOME_DIR" ]; then
    INSTALL_FOUND="true"
    sudo rm -rf "$OD_HOME_DIR"
fi
if [ "$INSTALL_FOUND" == "true" ]; then
    # Expire sudo timestamp
    sudo -k
else
    echo ""
    echo "No installation of Aventail OnDemand Daemon was found on your computer."
fi
Document 4
<key>BuildMachineOSBuild</key>
<string>15E55</string>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>AMD7000Controller</string>
<key>CFBundleGetInfoString</key>
<string>AMD7000Controller 1.42.6 16644</string>
<key>CFBundleIdentifier</key>
<string>com.apple.kext.AMD7000Controller</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>Radeon HD 7000 Controller</string>
<key>CFBundlePackageType</key>
<string>KEXT</string>
<key>CFBundleShortVersionString</key>
<string>1.42.6</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleSupportedPlatforms</key>
<array>
    <string>MacOSX</string>
</array>
<key>CFBundleVersion</key>
<string>1.4.2</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>7D129b</string>
<key>DTPlatformVersion</key>
<string>GM</string>
<key>DTSDKBuild</key>
<string>15E55</string>
<key>DTSDKName</key>
<string>macosx10.11internal</string>
<key>DTXcode</key>
<string>0730</string>
<key>DTXcodeBuild</key>
<string>7D129b</string>
<key>IOKitPersonalities</key>
<dict>
    <key>Controller</key>
    <dict>
        <key>ATY,Hamachi</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_USE_SM</key>
                <true/>
            </dict>
        </dict>
        <key>ATY,Ikura</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                VwAAAFQAAABQAAAATAAAAEgAAABEAAAAQAAA
                ADwAAAA4AAAANgAAADQAAAAyAAAAMAAAAC4A
                AAAsAAAAKgAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>5</integer>
            </dict>
        </dict>
        <key>ATY,IkuraS</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                VwAAAFQAAABQAAAATAAAAEgAAABEAAAAQAAA
                ADwAAAA4AAAANgAAADQAAAAyAAAAMAAAAC4A
                AAAsAAAAKgAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>5</integer>
            </dict>
        </dict>
        <key>ATY,Kani</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                VwAAAFYAAABVAAAAVAAAAFMAAABSAAAAUQAA
                AFAAAABPAAAATgAAAE0AAABMAAAASwAAAEoA
                AABJAAAASAAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>5</integer>
            </dict>
        </dict>
        <key>ATY,KaniS</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                VwAAAFYAAABVAAAAVAAAAFMAAABSAAAAUQAA
                AFAAAABPAAAATgAAAE0AAABMAAAASwAAAEoA
                AABJAAAASAAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>5</integer>
            </dict>
        </dict>
        <key>ATY,Maguro</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                XQAAAEsAAABIAAAARQAAAEIAAAA/AAAAPAAA
                ADYAAAAzAAAAMAAAAC0AAAAqAAAAJwAAACQA
                AAAhAAAAHgAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>3</integer>
            </dict>
        </dict>
        <key>ATY,MaguroS</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_PTPL2_TBL</key>
                <data>
                XQAAAEsAAABIAAAARQAAAEIAAAA/AAAAPAAA
                ADYAAAAzAAAAMAAAAC0AAAAqAAAAJwAAACQA
                AAAhAAAAHgAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_READ_VALIDATION</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>3</integer>
            </dict>
        </dict>
        <key>ATY,Namako</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_DEF_DITH</key>
                <integer>0</integer>
                <key>CFG_NVV</key>
                <integer>2</integer>
                <key>CFG_USE_AGDC</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_ActivitySamplingInterval</key>
                <integer>1300</integer>
                <key>PP_MediumStateDownHysteresisTimeOut</key>
                <integer>2162162</integer>
                <key>PP_SISLANDSMediumStateHysteresisDown</key>
                <integer>3</integer>
            </dict>
        </dict>
        <key>ATY,Ramen</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_FB_LIMIT</key>
                <integer>6</integer>
                <key>CFG_NVV</key>
                <integer>2</integer>
                <key>CFG_PTPL2_TBL</key>
                <data>
                GwAAABoAAAAZAAAAGAAAABcAAAAWAAAAFQAA
                ABQAAAATAAAAEgAAABEAAAAQAAAADwAAAA4A
                AAANAAAACgAAAA==
                </data>
                <key>CFG_USE_AGDC</key>
                <true/>
                <key>CFG_USE_STUTTER</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_EnableLoadPostProductionFirmware</key>
                <integer>1</integer>
            </dict>
        </dict>
        <key>ATY,Tako</key>
        <dict>
            <key>aty_config</key>
            <dict>
                <key>CFG_DEF_DITH</key>
                <integer>0</integer>
                <key>CFG_FB_LIMIT</key>
                <integer>6</integer>
                <key>CFG_NVV</key>
                <integer>2</integer>
                <key>CFG_USE_AGDC</key>
                <true/>
            </dict>
            <key>aty_properties</key>
            <dict>
                <key>PP_EnableLoadPostProductionFirmware</key>
                <integer>1</integer>
                <key>PP_Falcon_QuickTransition_Enable</key>
                <integer>1</integer>
            </dict>
        </dict>
        <key>CFBundleIdentifier</key>
        <string>com.apple.kext.AMD7000Controller</string>
        <key>IOClass</key>
        <string>AMD7000Controller</string>
        <key>IOMatchCategory</key>
        <string>IOFramebuffer</string>
        <key>IOName</key>
        <string>AMD7000Controller</string>
        <key>IOPCIMatch</key>
        <string>0x26001002 0x22001002 0x67901002 0x67981002 0x679A1002 0x679E1002 0x67801002 0x68201002 0x68211002 0x68231002 0x68251002 0x68271002 0x682B1002 0x682D1002 0x682F1002 0x68351002 0x68391002 0x683B1002 0x683D1002 0x683F1002 0x68001002 0x68011002 0x68061002 0x68081002 0x68101002 0x68181002 0x68191002</string>
        <key>IOProbeScore</key>
        <integer>65050</integer>
        <key>IOProviderClass</key>
        <string>IOPCIDevice</string>
        <key>aty_config</key>
        <dict>
            <key>CFG_APER_MODE</key>
            <integer>1</integer>
            <key>CFG_CAA</key>
            <integer>0</integer>
            <key>CFG_FB_LIMIT</key>
            <integer>0</integer>
            <key>CFG_FORCE_HDMI</key>
            <false/>
            <key>CFG_FORCE_MAX_DPS</key>
            <false/>
            <key>CFG_GEN_FLAGS</key>
            <integer>0</integer>
            <key>CFG_INT_SSPC</key>
            <integer>25</integer>
            <key>CFG_NODM</key>
            <true/>
            <key>CFG_NO_HDCP</key>
            <false/>
            <key>CFG_NO_MST</key>
            <false/>
            <key>CFG_NO_PP</key>
            <false/>
            <key>CFG_NO_SLS</key>
            <false/>
            <key>CFG_PTPL2_MAX</key>
            <integer>70</integer>
            <key>CFG_PTPL2_MIN</key>
            <integer>16</integer>
            <key>CFG_USE_AGDC</key>
            <false/>
            <key>CFG_USE_FBC</key>
            <false/>
            <key>CFG_USE_FEDS</key>
            <true/>
            <key>CFG_USE_STUTTER</key>
            <false/>
            <key>DALReadDelayStutterOff</key>
            <integer>4</integer>
            <key>DALUseUrgencyWaterMarkOffset</key>
            <integer>0</integer>
        </dict>
        <key>aty_properties</key>
        <dict>
            <key>PP_ActivitySamplingInterval</key>
            <integer>1000</integer>
            <key>PP_DALPowerLevel</key>
            <integer>1</integer>
            <key>PP_DisableCAC</key>
            <integer>0</integer>
            <key>PP_DisableDTE</key>
            <integer>1</integer>
            <key>PP_DisablePowerContainment</key>
            <integer>0</integer>
            <key>PP_DisableSMUUVDHandshake</key>
            <integer>0</integer>
            <key>PP_DisableSQRamping</key>
            <integer>0</integer>
            <key>PP_DisableULV</key>
            <integer>0</integer>
            <key>PP_DriverCalculateCACLeakage</key>
            <integer>1</integer>
            <key>PP_EnableLoadFalconSmcFirmware</key>
            <integer>1</integer>
            <key>PP_HighSamplingInterval</key>
            <integer>200000</integer>
            <key>PP_MCLKStutterModeThreshold</key>
            <integer>40000</integer>
            <key>PP_PowerGatingDisable</key>
            <integer>0</integer>
            <key>PP_SISLANDSVotingRightsClients</key>
            <integer>12583475</integer>
            <key>PP_UserMaxClockForMultiDisplays</key>
            <integer>1</integer>
        </dict>
    </dict>
</dict>
<key>OSBundleLibraries</key>
<dict>
    <key>com.apple.iokit.IOACPIFamily</key>
    <string>1.2</string>
    <key>com.apple.iokit.IOGraphicsFamily</key>
    <string>1.3</string>
    <key>com.apple.iokit.IOPCIFamily</key>
    <string>1.2</string>
    <key>com.apple.kext.AMDSupport</key>
    <string>1.4.2</string>
    <key>com.apple.kpi.bsd</key>
    <string>8.0.0</string>
    <key>com.apple.kpi.iokit</key>
    <string>8.0.0</string>
    <key>com.apple.kpi.libkern</key>
    <string>8.0.0</string>
    <key>com.apple.kpi.mach</key>
    <string>8.0.0</string>
</dict>
<key>OSBundleRequired</key>
<string>Safe Boot</string>
Document 5
    016-04-24 at 19.06.12</string>
    <key>LAST_USED</key>
    <date>2016-04-25T10:28:00Z</date>
    <key>URL</key>
    <string>file:///Users/**********/Library/Messages/Archive/2016-04-24/%E2%80%AA+1%20(808)%20341-8094%E2%80%AC%20on%202016-04-24%20at%2019.06.12.ichat</string>
</dict>
<key>calculat</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Calculator</string>
    <key>LAST_USED</key>
    <date>2016-06-15T06:00:34Z</date>
    <key>URL</key>
    <string>file:///Applications/Calculator.app/</string>
</dict>
<key>console</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Console</string>
    <key>LAST_USED</key>
    <date>2016-04-20T04:31:21Z</date>
    <key>URL</key>
    <string>file:///Applications/Utilities/Console.app/</string>
</dict>
<key>contro</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Mission Control</string>
    <key>LAST_USED</key>
    <date>2016-05-07T17:19:30Z</date>
    <key>URL</key>
    <string>file:///Applications/Mission%20Control.app/</string>
</dict>
<key>hp</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>HP Scan</string>
    <key>LAST_USED</key>
    <date>2016-05-19T21:22:54Z</date>
    <key>URL</key>
    <string>file:///Applications/Hewlett-Packard/HP%20Scan.app/</string>
</dict>
<key>july</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>*************@gmail.com.ical</string>
    <key>LAST_USED</key>
    <date>2016-08-13T01:06:15Z</date>
    <key>URL</key>
    <string>file:///Users/**********/Downloads/*************@gmail.com.ical/</string>
</dict>
<key>ke</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Keynote</string>
    <key>LAST_USED</key>
    <date>2016-07-26T07:09:35Z</date>
    <key>URL</key>
    <string>file:///Applications/iWork%20'09/Keynote.app/</string>
</dict>
<key>keychain</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Keychain Access</string>
    <key>LAST_USED</key>
    <date>2016-07-26T07:10:42Z</date>
    <key>URL</key>
    <string>file:///Applications/Utilities/Keychain%20Access.app/</string>
</dict>
<key>logmein</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>LogMeIn.plugin</string>
    <key>LAST_USED</key>
    <date>2016-07-31T07:19:20Z</date>
    <key>URL</key>
    <string>file:///Library/Internet%20Plug-Ins/LogMeIn.plugin/</string>
</dict>
<key>preview</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Preview</string>
    <key>LAST_USED</key>
    <date>2016-08-08T10:14:20Z</date>
    <key>URL</key>
    <string>file:///Applications/Preview.app/</string>
</dict>
<key>termin</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Terminal</string>
    <key>LAST_USED</key>
    <date>2016-07-31T07:47:21Z</date>
    <key>URL</key>
    <string>file:///Applications/Utilities/Terminal.app/</string>
</dict>
<key>terminal</key>
<dict>
    <key>DISPLAY_NAME</key>
    <string>Terminal</string>
    <key>LAST_USED</key>
    <date>2016-05-07T17:27:08Z</date>
    <key>URL</key>
    <string>file:///Applications/Utilities/Terminal.app/</string>
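Added example, not code from the post or from any product named in it: a Python triage helper that turns a recovered LAST_USED plist such as Document 5 into a time-ordered list, flags entries whose name or path matches the remote-access and VPN products the post mentions (Aventail, Hamachi, LogMeIn), and reports where inside a plist a keyword hit actually sits together with the enclosing CFBundleIdentifier. The two embedded fragments are constructed to mirror Documents 5 and 4, not the recovered files themselves; the Document 4 stand-in shows that "ATY,Hamachi" is an IOKit personality key of Apple's com.apple.kext.AMD7000Controller graphics kext, so a bare text search for "hamachi" hits it regardless of whether LogMeIn Hamachi was ever installed.

```python
import plistlib
# Constructed sample modelled on Document 5 (recovered LAST_USED records), wrapped in a
# <plist><dict> root so plistlib can parse it; dates and paths are illustrative.
RECOVERED_FRAGMENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>console</key><dict>
    <key>DISPLAY_NAME</key><string>Console</string>
    <key>LAST_USED</key><date>2016-04-20T04:31:21Z</date>
    <key>URL</key><string>file:///Applications/Utilities/Console.app/</string>
  </dict>
  <key>logmein</key><dict>
    <key>DISPLAY_NAME</key><string>LogMeIn.plugin</string>
    <key>LAST_USED</key><date>2016-07-31T07:19:20Z</date>
    <key>URL</key><string>file:///Library/Internet%20Plug-Ins/LogMeIn.plugin/</string>
  </dict>
  <key>termin</key><dict>
    <key>DISPLAY_NAME</key><string>Terminal</string>
    <key>LAST_USED</key><date>2016-07-31T07:47:21Z</date>
    <key>URL</key><string>file:///Applications/Utilities/Terminal.app/</string>
  </dict>
</dict></plist>"""
# Constructed stand-in for Document 4: a graphics kext Info.plist whose IOKit personality
# is named ATY,Hamachi (an AMD GPU codename), which a plain text search for "hamachi" hits.
KEXT_FRAGMENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.kext.AMD7000Controller</string>
  <key>IOKitPersonalities</key><dict><key>Controller</key><dict>
    <key>ATY,Hamachi</key><dict><key>aty_config</key><dict><key>CFG_USE_SM</key><true/></dict></dict>
  </dict></dict>
</dict></plist>"""
# Remote-access / VPN product names mentioned in the post, matched case-insensitively.
WATCHLIST = ("aventail", "hamachi", "logmein")
def timeline(plist_bytes):
    """(last_used, display_name, url, flagged) for each LAST_USED record, oldest first."""
    rows = []
    for entry in plistlib.loads(plist_bytes).values():
        if not isinstance(entry, dict) or "LAST_USED" not in entry:
            continue
        name, url = entry.get("DISPLAY_NAME", ""), entry.get("URL", "")
        flagged = any(w in (name + url).lower() for w in WATCHLIST)
        rows.append((entry["LAST_USED"], name, url, flagged))
    return sorted(rows)

def find_key_paths(plist_bytes, term):
    """Bundle id plus the slash-joined path of every dict key containing `term`."""
    root, found = plistlib.loads(plist_bytes), []
    def walk(node, path):
        items = (node.items() if isinstance(node, dict)
                 else enumerate(node) if isinstance(node, list) else ())
        for k, v in items:
            if isinstance(k, str) and term.lower() in k.lower():
                found.append("/".join(path + [k]))
            walk(v, path + [str(k)])
    walk(root, [])
    return root.get("CFBundleIdentifier", "<none>"), found
```

Run on the real Document 5 (wrapped in a <plist><dict> root), timeline() puts the LogMeIn plug-in and the Terminal launch 28 minutes later side by side on 2016-07-31, which is the kind of adjacency to line up against the account history at the top of the post.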
Last updated: 2017-09-13 16:17:54