
Was my Mac wiped fully? This terminal log has old install dates in it


21 replies to this topic

#1 JimmyRiddle


Posted 06 June 2017 - 07:51 AM

I took my Mac to the Apple store a couple of months ago and had the guy wipe it, after I found my router may have been compromised. This was around the end of March, early April.

Today I was looking at the install history and noticed it runs back to last August, and 'Remote Desktop' updates being on there as part of 'cleans-imac install'. I never installed this knowingly. Is it something that is included on a standard update when installing? I have searched on here for Remote Desktop and cannot find it.

The entries are in March and April. I had it 'wiped' in late March. The April update is after the wipe, and I certainly didn't install Remote Desktop knowingly post 'wipe'. Does this mean it's still on my computer? I cannot locate it by using Finder, apps or downloads.

 

Is this cause for concern? Why does the log go this far back if it was wiped correctly?

 

 

Last login: Mon Jun  5 10:00:13 on console
MacBook-Pro-uzivatela-MBP:~ mbp1$ grep 'Installed' /private/var/log/install.log
Aug  5 04:29:03 iMac OSInstaller[501]: Installed "OS X" ()
Aug  9 08:50:49 Cleans-iMac system_installd[743]: Installed "Digital Camera RAW Compatibility Update" (6.20)
Aug 25 17:28:16 Cleans-iMac system_installd[564]: Installed "OS X El Capitan Update" (10.11.6)
Aug 25 17:28:16 Cleans-iMac system_installd[564]: Installed "iTunes" (12.4.3)
    PostLogoutUpdatesInstalled =     {
            InstalledLater = 0;
            State = Installed;
            InstalledLater = 0;
            State = Installed;
Aug 26 12:06:32 Cleans-iMac system_installd[513]: Installed "MRT Configuration Data" (1.9)
Aug 26 12:08:49 Cleans-iMac system_installd[513]: Installed "Core Suggestions Configuration Data" (762)
Aug 26 12:09:00 Cleans-iMac system_installd[513]: Installed "CoreLSKD Configuration Data" (8)
Aug 26 12:10:08 Cleans-iMac system_installd[513]: Installed "Gatekeeper Configuration Data" (96)
Aug 26 12:10:22 Cleans-iMac system_installd[513]: Installed "Chinese Word List Update" (4.21)
Sep  2 13:47:06 Cleans-iMac system_installd[531]: Installed "Digital Camera RAW Compatibility Update" (6.20)
Sep  2 13:57:06 Cleans-iMac system_installd[531]: Installed "Security Update 2016-001" (10.11.6)
    PostLogoutUpdatesInstalled =     {
            InstalledLater = 0;
            State = Installed;
Sep  3 10:44:03 Cleans-iMac system_installd[474]: Installed "Chinese Word List Update" (4.22)
Sep  3 10:44:07 Cleans-iMac system_installd[474]: Installed "Gatekeeper Configuration Data" (97)
Sep  9 16:41:45 Cleans-iMac system_installd[550]: Installed "Gatekeeper Configuration Data" (100)
Sep 14 11:38:48 Cleans-iMac system_installd[524]: Installed "Gatekeeper Configuration Data" (101)
Sep 14 11:45:10 Cleans-iMac system_installd[524]: Installed "Core Suggestions Configuration Data" (766)
Sep 19 17:42:41 Cleans-iMac system_installd[550]: Installed "Aktualizácia Digital Camera RAW Compatibility" (6.21)
Sep 19 17:42:41 Cleans-iMac system_installd[550]: Installed "iTunes" (12.5.1)
Sep 19 18:10:29 Cleans-iMac system_installd[472]: Installed "OSInstall" ()
Sep 21 13:09:39 Cleans-iMac system_installd[337]: Installed "XProtectPlistConfigData" (1.0)
Sep 21 13:10:38 Cleans-iMac system_installd[337]: Installed "MRT Configuration Data" (1.10)
Sep 21 13:10:49 Cleans-iMac system_installd[337]: Installed "Gatekeeper Configuration Data" (103)
Sep 23 13:43:46 Cleans-iMac system_installd[428]: Installed "Aktualizácia pre USB-C Multiport Adapter" ()
Sep 23 13:48:09 Cleans-iMac system_installd[425]: Installed "Aktualizácia pre USB-C Multiport Adapter" ()
Sep 29 11:51:07 Cleans-iMac system_installd[484]: Installed "Safari" (10.0)
    PostLogoutUpdatesInstalled =     {
            InstalledLater = 0;
            State = Installed;
Oct  3 15:45:54 Cleans-iMac system_installd[383]: Installed "XProtectPlistConfigData" (1.0)
Oct  3 15:46:35 Cleans-iMac system_installd[383]: Installed "MRT Configuration Data" (1.11)
Oct  4 09:41:20 Cleans-iMac system_installd[695]: Installed "OSX_10_12_IncompatibleAppList" ()
Oct  5 13:28:52 Cleans-iMac system_installd[406]: Installed "macOS Installer Notification" (1.0)
Oct  5 13:29:23 Cleans-iMac system_installd[406]: Installed "Core Suggestions Configuration Data" (767)
Oct 17 16:37:33 Cleans-iMac system_installd[717]: Installed "XProtectPlistConfigData" (1.0)
Oct 25 11:51:09 Cleans-iMac installd[401]: Installed "macOS" (12.0.49)
Oct 26 12:34:22 Cleans-iMac installd[364]: Installed "macOS" (12.0.49)
Oct 29 17:46:42 Cleans-iMac system_installd[374]: Installed "Gatekeeper Configuration Data" (104)
Oct 29 17:48:18 Cleans-iMac system_installd[374]: Installed "Core Suggestions Configuration Data" (768)
Nov  3 18:25:18 Cleans-iMac system_installd[324]: Installed "XProtectPlistConfigData" (1.0)
Nov  4 17:43:11 Cleans-iMac system_installd[591]: Installed "iTunes" (12.5.3)
Nov 16 13:37:39 Cleans-iMac system_installd[524]: Installed "Core Suggestions Configuration Data" (770)
Dec  1 14:55:55 Cleans-iMac system_installd[552]: Installed "XProtectPlistConfigData" (1.0)
Dec  1 14:56:38 Cleans-iMac system_installd[552]: Installed "MRT Configuration Data" (1.12)
    PostLogoutUpdatesInstalled =     {
            InstalledLater = 1;
Dec 12 11:37:42 Cleans-iMac system_installd[531]: Installed "Gatekeeper Configuration Data" (105)
Dec 23 13:21:53 Cleans-iMac system_installd[572]: Installed "Core Suggestions Configuration Data" (774)
Dec 23 13:21:56 Cleans-iMac system_installd[572]: Installed "Gatekeeper Configuration Data" (107)
Jan 26 19:06:49 Cleans-iMac system_installd[561]: Installed "Core Suggestions Configuration Data" (778)
Jan 26 19:11:43 Cleans-iMac system_installd[561]: Installed "Incompatible Kernel Extension Configuration Data" (11.6.1)
Jan 26 19:12:41 Cleans-iMac system_installd[561]: Installed "MRT Configuration Data" (1.14)
Jan 26 19:13:25 Cleans-iMac system_installd[561]: Installed "XProtectPlistConfigData" (1.0)
Jan 26 19:13:37 Cleans-iMac system_installd[561]: Installed "Gatekeeper Configuration Data" (108)
Feb  5 10:35:35 Cleans-iMac system_installd[640]: Installed "iTunes" (12.5.5)
Feb  9 10:40:19 Cleans-iMac system_installd[533]: Installed "Core Suggestions Configuration Data" (782)
Mar  1 15:17:33 Cleans-iMac system_installd[439]: Installed "XProtectPlistConfigData" (1.0)
Mar 13 10:55:06 Cleans-iMac system_installd[576]: Installed "Core Suggestions Configuration Data" (785)
Mar 13 10:57:08 Cleans-iMac system_installd[576]: Installed "Remote Desktop Client Update" (3.9.0)
Mar 20 11:21:55 Cleans-iMac system_installd[579]: Installed "Remote Desktop Client Update" (3.9.2)

 

(at this point the alleged 'wipe' took place)

 

 

Mar 21 11:36:57 MacBook-Pro OSInstaller[542]: Installed "macOS" ()
Mar 30 13:37:19 MacBook-Pro-uzivatela-MBP system_installd[302]: Installed "iTunes" ()
Apr  2 21:03:02 MacBook-Pro-uzivatela-MBP system_installd[297]: Installed "MRT Configuration Data" (1.14)
Apr  2 21:04:37 MacBook-Pro-uzivatela-MBP system_installd[297]: Installed "XProtectPlistConfigData" (1.0)
Apr  2 21:04:40 MacBook-Pro-uzivatela-MBP system_installd[297]: Installed "Chinese Word List Update" (5.16)
Apr  2 21:04:45 MacBook-Pro-uzivatela-MBP system_installd[297]: Installed "Gatekeeper Configuration Data" (110)
Apr  6 23:24:19 MacBook-Pro-uzivatela-MBP system_installd[306]: Installed "Chinese Word List Update" (5.17)
Apr  7 10:43:32 MacBook-Pro-uzivatela-MBP installd[1940]: Installed "Steam Retail Installer" ()
Apr  9 14:57:16 MacBook-Pro-uzivatela-MBP installd[18896]: Installed "Adobe Flash Player" ()
Apr 10 19:58:27 MacBook-Pro-uzivatela-MBP installd[25922]: Installed "Adobe Flash Player" ()
Apr 10 20:45:37 MacBook-Pro-uzivatela-MBP system_installd[25923]: Installed "Remote Desktop Client Update" (3.9.2)
Apr 11 21:19:24 MacBook-Pro-uzivatela-MBP installd[3216]: Installed "Adobe Flash Player" ()
Apr 12 00:13:27 MacBook-Pro-uzivatela-MBP system_installd[4769]: Installed "Chinese Word List Update" (5.18)
    PostLogoutUpdatesInstalled =     {
            InstalledLater = 1;
Apr 17 02:13:28 MacBook-Pro-uzivatela-MBP system_installd[10662]: Installed "macOS Sierra Update" (10.12.4)
    PostLogoutUpdatesInstalled =     {
            InstalledLater = 0;
            State = Installed;
Apr 20 13:50:50 MacBook-Pro-uzivatela-MBP system_installd[3472]: Installed "Chinese Word List Update" (5.19)
Apr 21 12:33:38 MacBook-Pro-uzivatela-MBP installd[4470]: Installed "Adobe Flash Player" ()
Apr 23 10:05:30 MacBook-Pro-uzivatela-MBP system_installd[5802]: Installed "Voice Update - Nicky" (1.0.14)
Apr 28 00:25:33 MacBook-Pro-uzivatela-MBP system_installd[2385]: Installed "MRT Configuration Data" (1.15)
Apr 29 20:38:22 MacBook-Pro-uzivatela-MBP system_installd[3982]: Installed "XProtectPlistConfigData" (1.0)
Apr 29 20:45:40 MacBook-Pro-uzivatela-MBP system_installd[3982]: Installed "MRT Configuration Data" (1.16)
May  3 13:07:37 MacBook-Pro-uzivatela-MBP system_installd[2505]: Installed "Chinese Word List Update" (5.20)
May  7 17:19:15 MacBook-Pro-uzivatela-MBP system_installd[1817]: Installed "XProtectPlistConfigData" (1.0)
May  9 19:59:07 MacBook-Pro-uzivatela-MBP installd[3438]: Installed "Adobe Flash Player" ()
May  9 21:57:45 MacBook-Pro-uzivatela-MBP system_installd[3636]: Installed "Chinese Word List Update" (5.21)
May 12 13:13:09 MacBook-Pro-uzivatela-MBP system_installd[320]: Installed "MRTConfigData" (1.0)
May 12 13:13:25 MacBook-Pro-uzivatela-MBP system_installd[320]: Installed "Gatekeeper Configuration Data" (111)
May 16 00:06:31 MacBook-Pro-uzivatela-MBP system_installd[3773]: Installed "iTunes" (12.6.1)
May 17 09:41:00 MacBook-Pro-uzivatela-MBP system_installd[4537]: Installed "Chinese Word List Update" (5.22)
    PostLogoutUpdatesInstalled =     {
            InstalledLater = 0;
May 23 15:20:43 MacBook-Pro-uzivatela-MBP system_installd[312]: Installed "macOS Sierra Update" (10.12.5)
    PostLogoutUpdatesInstalled =     {
            InstalledLater = 0;
            State = Installed;
May 23 20:00:16 MacBook-Pro-uzivatela-MBP system_installd[311]: Installed "Chinese Word List Update" (5.23)
Jun  3 15:25:49 MacBook-Pro-uzivatela-MBP system_installd[3296]: Installed "Gatekeeper Configuration Data" (112)
MacBook-Pro-uzivatela-MBP:~ mbp1$


Edited by JimmyRiddle, 06 June 2017 - 01:51 PM.
Moved from Gen Security to Mac OS - Hamluis.



 


#2 smax013


Posted 06 June 2017 - 08:25 AM

I see one of two innocent possibilities:

1) Those dates are likely the dates that the updates were originally issued/released, not when they were actually installed on your system.

2) Or those dates are dates when they were installed on your computer, but that includes them being installed to the recovery partition. And since the person likely used the recovery partition when they wiped the computer, those updates still might end up being shown as being installed prior to the wipe date.

The potentially less innocent possibility is that the tech did not properly wipe the Mac. If you got the setup process (i.e. starts with pick a language etc), then they likely did properly wipe the Mac (although there are ways to trigger the Setup Assistant as if it was wiped or a new Mac WITHOUT actually wiping the Mac, but it is a VERY deliberate process). I rather doubt they did not wipe the Mac unless you DID NOT get a Setup Assistant process. The only real way would be to confront the tech, not that I am advising that at all.

To me, it does not look like something to worry about.

#3 JimmyRiddle


Posted 06 June 2017 - 01:32 PM

Thanks Smax. 

 

Yes, it was at the Choose Language screen. To be honest I wouldn't be surprised if the tech didn't wipe it. He was adamant that it was unnecessary, saying there's no way you could be at risk with your set up (stealth mode, firewall and no remote sharing), which frankly I found naive.

Is there any way I can check if it was wiped fully by looking at the system or logs? This whole thing is getting beyond stressful.

It certainly appeared wiped (although I am far from an expert), there were no programs on it, but then maybe he just deleted them all, instead of a proper wipe, I don't know. I certainly won't approach him about it, as frankly he's only going to say he wiped it regardless.

Fact is there is a Remote Desktop update listed from April 10, and I have no idea why that would be the case, being as it was post wipe. I do not have Sharing enabled on the Mac, which to my mind makes that not possible. The only thing I can recall was a tech person with Audible took control of my Mac a while back while I was having tech problems, which could explain it I suppose.

I really wanted to draw a line under this issue when I wiped the Mac; if it turns out it's not been wiped all along that will be beyond infuriating.


Edited by JimmyRiddle, 06 June 2017 - 01:36 PM.


#4 smax013


Posted 06 June 2017 - 03:04 PM

> Thanks Smax.
>
> Yes, it was at the Choose Language screen. To be honest I wouldn't be surprised if the tech didn't wipe it. He was adamant that it was unnecessary, saying there's no way you could be at risk with your set up (stealth mode, firewall and no remote sharing), which frankly I found naive.


There is likely a good chance it was not necessary, but then you did not really describe in your original post why you felt you needed/wanted it wiped. I just read through your other thread that did outline why you wanted it wiped. I have to agree that the likelihood of your Mac being broken into is pretty low. Your router being potentially compromised does not necessarily mean that your computer was as well. So, I agree with x64 in that your Mac was likely not affected.

As to the router itself, you said in the other thread that it was a rented apartment. Did the router come with the apartment? Or did you own the router? How did your Mac connect to the router? I ask because the simplest answer might be that the apartment owner potentially reset the router password. They would have physical access to reset it and then set their own password for the router. The main potential wrinkle with this would be that it would also reset the WiFi password. That would be OK if it was a WiFi password that they originally set up anyway, but not if it was one you set up and did not tell them. In the latter case, you would have known the router was reset as the WiFi password would have changed (assuming you were connecting by WiFi).

Or it could have been what x64 suggested, that it was just some automated attack that exploited the firmware of the router.

The point is that a lot of the times things that seem suspicious are not what we think they are.

As to you doubting that the tech wiped the computer, I would not. It is frankly more work to make the computer look wiped than it is to actually wipe it. So, unless you really pissed off the tech or the tech was a complete and total jerk who is more than willing to waste their time just to mess with people, just wiping the computer would be the much easier path. And generally people don't like to make more work for themselves.
 

> Is there any way I can check if it was wiped fully by looking at the system or logs? This whole thing is getting beyond stressful.


Not that I can think of off the top of my head as I have never really thought about it. If you are really worried about it, you could wipe the Mac yourself. It is not that hard to do. If you want to go that route, then I can provide some steps, but I will need to know the specific Mac model you are using. The process has changed a bit over the years and will depend on the Mac model you have.
 

> It certainly appeared wiped (although I am far from an expert), there were no programs on it, but then maybe he just deleted them all, instead of a proper wipe, I don't know. I certainly won't approach him about it, as frankly he's only going to say he wiped it regardless.
>
> Fact is there is a Remote Desktop update listed from April 10, and I have no idea why that would be the case, being as it was post wipe. I do not have Sharing enabled on the Mac, which to my mind makes that not possible. The only thing I can recall was a tech person with Audible took control of my Mac a while back while I was having tech problems, which could explain it I suppose.


The Remote Desktop update I am 99.99999% sure is just a part of the macOS update. RD is effectively built into the macOS and there are frequent updates through the macOS update system from Apple for Remote Desktop. I have a Remote Desktop update that is still shown in my installed update list in the App Store that was installed on May 13th last month. It is a very common component that is updated.
 

> I really wanted to draw a line under this issue when I wiped the Mac; if it turns out it's not been wiped all along that will be beyond infuriating.


I am pretty sure it was wiped. As I said, it would actually be more work for the tech to NOT truly wipe it and then make it look wiped just to "mess with you". So, I would not worry about it. Am I 100% positive? No, as I don't have access to the Mac and I definitely did not sit there watching the tech while they wiped it. But, then there are a lot of things that I am not 100% positive about. In the end, if my belief that it is wiped does not help, then the only path to potentially make you comfortable is to just wipe it yourself. And if that is a path you want to go down, then I can help guide you down that path.

#5 JimmyRiddle


Posted 06 June 2017 - 03:45 PM

Thanks Smax, appreciate it. 

 

My gut tells me the Mac itself was unlikely compromised, though it's evident the router was, and that was enough reason to do so. I doubt very much the owners would have changed any settings, they were an elderly couple acting for their daughter, and while not impossible I'd say highly unlikely. The router I can move on from, like has been outlined, it could well have been some other issue. It was just this today that threw me, seeing the log going this far back.

The tech was a bit of an odd guy frankly, was adamant I was being paranoid to the point of being bullish about it, and very dismissive when I outlined my concerns. Like you said, I can't see him making more work for himself, rather thought 'this guy's crazy, what the hell' and wiped it. But I suppose there's no way of knowing for sure.

I'm just confused by this log stretching so far back. Do you know what the "Cleans-iMac system_installd[531]:" bit refers to in the entries "pre wipe"? After that, updates are given a different name: "MacBook-Pro-uzivatela-MBP system_installd".

To my mind there shouldn't be any entries prior to that date, but again, I am far from an expert.



#6 smax013


Posted 06 June 2017 - 04:13 PM

> I'm just confused by this log stretching so far back. Do you know what the "Cleans-iMac system_installd[531]:" bit refers to in the entries "pre wipe"? After that, updates are given a different name: "MacBook-Pro-uzivatela-MBP system_installd".
>
> To my mind there shouldn't be any entries prior to that date, but again, I am far from an expert.

I don't know for sure what that means, but it kind of sounds like it was maybe a log entry due to a macOS reinstall due to using the recovery partition. It looks like you were using El Capitan (aka 10.11.x) prior to the wipe from the entries in your original post and then installed Sierra (aka 10.12.x) on April 17th, after the wipe. Both versions use a recovery disk partition for reinstalling the macOS as a primary method. This is likely what the tech used to wipe the Mac and reinstall the macOS as it is faster than the other option of Internet Recovery (which requires a LARGE download from the Apple servers). As I originally said, I am pretty sure that when you install a macOS update to your system, it also updates the recovery partition. So, take the "OS X El Capitan Update" listed as Aug 25. That update likely updated your active boot partition on that date AND also updated the recovery partition on that date. And then a log of that update is likely kept on the recovery partition and is then "appended" into the installed update logs when the recovery partition is used to wipe and reinstall the macOS. I am not 100% sure of this, but it makes a lot of sense so I am like 90+/-% sure. If you really wanted to know, you could try chatting with an Apple support person through their web page...it is free.

Just out of curiosity, when did you get the Mac? I ask because those install logs only go back to August 5th. So, my guess is that is either when you got the Mac and set it up for the first time...or it might have been when you installed the El Capitan update, although I would assume if that were the case, then at a minimum that first entry would say something like "Installed 'OS X El Capitan Update'" similar to the April 17th entry but more than likely also have entries going back before Aug 5th.
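Added example (not part of any post in this thread): in these syslog-style lines the field after the timestamp is the hostname the Mac had when the record was written, so a short Python script can split the Installed records at each OSInstaller entry and show which hostnames and packages fall on either side of the reinstall. The function names are hypothetical, start_year=2016 is an assumption taken from the thread's June 2017 date and "last August" (the log lines carry no year), and the sample is a subset of the lines posted in #1.

```python
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# timestamp, hostname, process[pid]: Installed "name" (version)
LINE_RE = re.compile(
    r'^(?P<mon>' + "|".join(MONTHS) + r')\s+(?P<day>\d{1,2}) '
    r'(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<proc>[\w.-]+)\[\d+\]: Installed "(?P<name>[^"]*)" '
    r'\((?P<version>[^)]*)\)$'
)

# Subset of the grep output posted in #1, including two of the plist
# fragments that grep also returns because they contain "Installed".
SAMPLE_LOG = '''\
Aug  5 04:29:03 iMac OSInstaller[501]: Installed "OS X" ()
Aug 25 17:28:16 Cleans-iMac system_installd[564]: Installed "OS X El Capitan Update" (10.11.6)
    PostLogoutUpdatesInstalled =     {
            State = Installed;
Jan 26 19:13:37 Cleans-iMac system_installd[561]: Installed "Gatekeeper Configuration Data" (108)
Mar 13 10:57:08 Cleans-iMac system_installd[576]: Installed "Remote Desktop Client Update" (3.9.0)
Mar 20 11:21:55 Cleans-iMac system_installd[579]: Installed "Remote Desktop Client Update" (3.9.2)
Mar 21 11:36:57 MacBook-Pro OSInstaller[542]: Installed "macOS" ()
Mar 30 13:37:19 MacBook-Pro-uzivatela-MBP system_installd[302]: Installed "iTunes" ()
Apr 10 20:45:37 MacBook-Pro-uzivatela-MBP system_installd[25923]: Installed "Remote Desktop Client Update" (3.9.2)
Apr 17 02:13:28 MacBook-Pro-uzivatela-MBP system_installd[10662]: Installed "macOS Sierra Update" (10.12.4)
'''.splitlines()


def parse_installed(lines, start_year):
    """Parse 'Installed' records; the year is inferred, rolling over
    whenever the month number goes backwards (assumed start_year)."""
    entries, year, prev_month = [], start_year, None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # plist fragments and anything else that is not a record
        month = MONTHS[m["mon"]]
        if prev_month is not None and month < prev_month:
            year += 1
        prev_month = month
        hh, mm, ss = map(int, m["time"].split(":"))
        entries.append({
            "when": datetime(year, month, int(m["day"]), hh, mm, ss),
            "host": m["host"], "proc": m["proc"],
            "name": m["name"], "version": m["version"],
        })
    return entries


def split_epochs(entries):
    """Start a new epoch at every record written by OSInstaller."""
    epochs = []
    for e in entries:
        if e["proc"] == "OSInstaller" or not epochs:
            epochs.append([])
        epochs[-1].append(e)
    return epochs


def carried_over(entries):
    """Records older than the most recent OSInstaller record."""
    last = max((i for i, e in enumerate(entries)
                if e["proc"] == "OSInstaller"), default=None)
    return [] if last is None else entries[:last]


def find_package(epochs, name):
    """(epoch index, date, version) for every install of one package."""
    return [(idx, e["when"].date().isoformat(), e["version"])
            for idx, ep in enumerate(epochs) for e in ep if e["name"] == name]


if __name__ == "__main__":
    entries = parse_installed(SAMPLE_LOG, start_year=2016)
    epochs = split_epochs(entries)
    for idx, ep in enumerate(epochs):
        hosts = list(dict.fromkeys(e["host"] for e in ep))
        print(f"epoch {idx}: {ep[0]['when']:%Y-%m-%d} to "
              f"{ep[-1]['when']:%Y-%m-%d}, {len(ep)} records, hostnames {hosts}")
    print(len(carried_over(entries)), "records predate the latest OS install")
    for hit in find_package(epochs, "Remote Desktop Client Update"):
        print("Remote Desktop Client Update:", hit)
```

To run it against a real log, pass the lines of /private/var/log/install.log to parse_installed with the year of the first record.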

#7 JimmyRiddle


Posted 06 June 2017 - 05:10 PM

Thanks again for your input Smax.

 

I've had it for around 4 years now, and have never wiped it previously. Bought it second hand and the guy before wiped it and helped me through the initial set up. Your theory sounds about right, as do those dates. I'm pretty sure around the 17th April I installed an update to Sierra.



#8 JimmyRiddle


Posted 07 June 2017 - 03:52 AM

By the way, this Remote Desktop Update - why is it on there if I don't have R.D. anywhere listed on the Mac? Also if it's just some standard thing, how come it only shows for the two dates in March and once in April, and not before or after? Seems a bit out of the blue there...



#9 smax013


Posted 07 June 2017 - 08:19 AM

As I said, you effectively do have Remote Desktop. It is effectively built into the macOS. So, getting updates for it through the macOS updates system is normal. As I said, I get them even though I don't use Remote Desktop. I have three such updates listed in my update/install log.

As to why none before or after, they only send updates when they need to. So, since that date, there has been no need for them to update. As to before, I don't know why your install log only goes back to Aug. As I previously said, my best guess is that it might be tied into when you installed El Capitan, but I am not sure. As to why the RD 3.9.2 update appears twice, my best guess is that the first 3.9.2 update did not get "remembered" on the recovery partition and so after the Mac was wiped and the macOS was reinstalled from the recovery partition, it likely did NOT include the 3.9.2 update. So, the system update function offered it again and it was installed again.

So, again, I don't believe there is anything to be concerned about.

#10 x64


Posted 09 June 2017 - 03:32 PM

I've just done some investigation about the logging of re-installations. Based on what I saw, I think that I would recommend another macOS reinstall. It's not too difficult to do the basic OS reinstall but putting your data and settings back without accidentally re-introducing anything that you might be worried about might be a bit more of a challenge (and that bit I'm not Mac au-fait enough to advise someone about). I'm not saying that I think there is something nasty there, just covering all bases. Basically I checked back upon a recent el-capitan wipe/re-install that I did and identified the same log that JimmyRiddle has viewed. That log did not go back much before the OS install visibly started (and what was there could well have been/probably was a legitimate prelude to the installer).

I'll describe my checks and the circumstances around them.

A couple of years ago, before Windows 10 was released, I realised what Microsoft was planning (both from the Win10 product itself, and the bolls-heavy handedness of MS itself). It turns out that I was spot on with my predictions. Back then I started thinking of contingency plans and switching to Mac was one of them. There were still reasons why I needed to be on PC however (there still are) and until about a month ago I held out, begrudgingly using Win10 as my primary OS. Back with those initial thoughts about moving I'd purchased second hand a mid-2009 MBP and set about using it to get some familiarity with Mac in general. I never carried through a full move to Mac but did get a good idea of how I'd use it if I did. That old Mac got some extra memory, and an SSD along the way, as well as a clean install of Snow Leopard, and in-place upgrades to Mountain Lion, Mavericks, Yosemite and el-capitan. All of that was done with the Apple ID that I used with what was a growing menagerie of iThingies. That old MBP will not officially upgrade further than el-Capitan.

About a month ago, (feeling sorry for myself after some recent surgery), I suffered an extreme fit of 'retail therapy' and found a brand new MBP winging its way to me. As part of clearing the decks for that new purchase, I wiped the old 2009 MBP. I had no data that needed preserving and wanted to disassociate it from my main Apple ID. I used DU to wipe the partition and reinstalled el-capitan over the net, authenticated with my old Apple ID. I left the install at the user setup wizard, and only about a week ago generated a new secondary Apple ID to continue setup of the old MBP as a separate identity.

 

Just now I checked back at the install.log file to see if that particular log somehow traversed OS installs. I do not think it did.

 

Re-install instructions are here (along with how to erase the startup disk if you like - I'd recommend it)

https://support.apple.com/en-gb/HT204904

 

As I said, you'd need to be confident that you had backed up and know how to restore your data [this is something I can't advise on myself], and reinstate any settings (such as email account settings). To be thorough, I'd re-install any software from freshly downloaded copies of that program.

 

x64

 

(apologies for the half baked post a few mins ago, if anyone spotted that - one thing that it is too easy to do on my new MBP is release a post accidentally)


Edited by x64, 09 June 2017 - 03:47 PM.


#11 x64


Posted 09 June 2017 - 04:08 PM

Oh and a couple of other thoughts before I turn in for the night...

 

I agree with Smax the Remote Desktop sounds like a legitimate update to a standard Apple component, and Smax's assertion that the proper re-install would be easier than bodging a re-install.

 

One thing however - did any data get restored after the OS re-install? Could logs have been overwritten as part of that restore?

 

x64



#12 smax013


Posted 09 June 2017 - 08:42 PM


Just a quick note...

If you reinstalled El Capitan on that old Mac that did not originally ship with El Capitan, then your AppleID is still likely associated with that El Capitan install in the form of it being required to reinstall El Capitan in the future. In other words, if you boot to the recovery partition (Command-R) and do a reinstall from it, it will require you to enter your AppleID and password to complete the install. That is just due to how Apple "sells" macOS upgrades. To effectively remove that, you typically need to reinstall the macOS version that originally came with that model. This is done with newer Macs by using the Internet recovery option (i.e. Option-Command-R). For a Mac that old, however, you would need the original recovery discs that shipped with that Mac as it would not support Internet Recovery.

More on topic, I really don't believe a reinstall for the original poster is needed, but if it will help settle their mind, then it certainly will not hurt. If they do want to do the reinstall with no ties to the past, then they will want to use the Internet Recovery option (if their Mac model supports it) to bypass the recovery partition. While the recovery partition is hidden and generally not accessible (other than through the Command-R while booting up) to the user or any malware/hack that might affect the Mac, I suppose it is not completely impossible that it could be affected by some malware/hack...at least to my knowledge. So, if one is truly worried, then the safest option would be to use the Internet Recovery option (if available). Just be forewarned that it will take quite a while, especially if one has a slow Internet connection as you are downloading the macOS installer from Apple's servers.

#13 smax013


Posted 09 June 2017 - 08:44 PM

One thing however - did any data get restored after the OS re-install? Could logs have been overwritten as part of that restore?


Not likely...although I will admit that it will depend on how the data was restored. I suppose there might be some methods that might overwrite a system log, but they should be the exception, not the rule. Most ways that I can think of would not touch a system log.

#14 x64


Posted 10 June 2017 - 01:04 AM

@smax013 "I really don't believe a reinstall for the original poster is needed,"

In terms of the original possible router compromise - Yes, I agree that there is no indication that the Mac was originally attacked, and that was not a factor in writing my post above. However showing that the 'install.log' file did not persist across the OS installations did lend weight to the OP's suspicion that the Mac had not been fully wiped (in the sense that we would have expected it).  As such 'something' (no reason at all to think it was 'malicious') was done to it that we cannot enumerate. So yes, my recommendation came from the OP's peace of mind and also the uncertainty as to the mac's current state.

 

The log file in question is /private/var/log/install.log, and for me on my re-install, that log starts within the hour before the official installer kicks off and does not show any evidence of the old MBP's previous life.

 

I did state that my old MBP's re-install started with me deliberately wiping the old partition. Could not manually removing that partition have allowed the OP's re-install to have been some kind of 'over the top refresh' as opposed to an entire clean install? Does that kind of thing exist for same version re-installs in the Mac world?

 

x64
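The check discussed in this thread (does /private/var/log/install.log begin at the reinstall, or does it carry entries from an earlier life under other hostnames), as an added example that is not part of any poster's message. The function names and all sample lines except the first, which is quoted from the opening post, are constructed for illustration.

```shell
#!/bin/sh
# Added example: group "Installed" lines of an install.log by hostname.
# Assumes the classic syslog layout quoted in the thread:
#   Mon DD HH:MM:SS host process[pid]: message
# That layout carries no year, so first/last are taken in file order.

# One line per hostname: host, entry count, first stamp, last stamp.
install_log_hosts() {
    awk '
        / Installed "/ {
            host = $4
            stamp = $1 " " $2 " " $3
            if (!(host in count)) { order[++n] = host; first[host] = stamp }
            count[host]++
            last[host] = stamp
        }
        END {
            for (i = 1; i <= n; i++) {
                h = order[i]
                printf "%s\t%d\t%s\t%s\n", h, count[h], first[h], last[h]
            }
        }
    ' "$1"
}

# Timestamp and host of the first line: where the log's history begins.
log_start() {
    awk 'NR == 1 { print $1, $2, $3, $4; exit }' "$1"
}

# Constructed sample log (hypothetical package names and PIDs).
make_sample_log() {
    cat > "$1" <<'EOF'
Aug  5 04:29:03 iMac OSInstaller[501]: Installed "OS X" ()
Mar 20 11:02:41 Cleans-iMac system_installd[412]: Installed "Example Update A" (1.0)
Apr  9 18:15:07 Cleans-iMac system_installd[388]: Installed "Example Update B" (2.0)
Apr  9 18:15:09 Cleans-iMac system_installd[388]: PackageKit: unrelated line
May 30 09:44:52 MacBook-Pro softwareupdated[301]: Installed "Example Update C" (3.0)
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp)
make_sample_log "$tmp"
log_start "$tmp"
install_log_hosts "$tmp"
rm -f "$tmp"
```

On a real Mac, pass /private/var/log/install.log instead of the sample file. Several hostnames, or a first entry well before the reinstall date, means the log was carried over rather than created fresh.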



#15 JimmyRiddle

  • Topic Starter

Posted 10 June 2017 - 06:23 AM

Thanks for all your input guys. 
 
Sorry X64, so in layman's terms, your recent log check doesn't compare to mine (e.g. having previous install information), leading you to assume that it wasn't wiped, or at least not fully? What does the 'Cleans-iMac system_installd' refer to in the log, the old system? I am really not tech savvy, so don't understand a fair amount of the more technical language.  
 
I'm really exhausted by this, if it turns out all along the guy didn't do it out of his pig-headedness (he was very dismissive of my security concerns, to the point of belligerence frankly), then he could have left me open to all kinds of potentialities.  But that's life i suppose, what's done is done (or not as the case may be...) and there's no point raising it with him.
 
Frankly there's not much on here that i would care about losing, so i suppose i could wipe it again, but like i say, i'm really feeling worn down by all this. I don't even like computers, or have any interest or skills in them. The fact this has brought such stress just makes me think to get rid of it. 
 
Is there anything in the Logs itself that look suspicious at all?  
 
I really can't get to the bottom of this as it is. There's a lot which just doesn't seem right. Why have a year's logs and none further, and on the other hand if wiped why have any logs pre-wipe? I admittedly know little about tech, but doesn't seem logical to me. The fact that X64's pre wipe logs are not there would echo that, surely?
 
When added together with my previous Router concern, you can see how it'd make me somewhat paranoid. It seems a lot of coincidences are occurring. Get threatened with hack, then find router 'owned' followed by weird log files post wipe... I mean, it could all well be coincidence or false leads, but you have to admit it is a concerning sequence of events... 


Edited by JimmyRiddle, 10 June 2017 - 08:05 AM.




