I've been the target of a harassment and doxxing campaign, so I'm spending a lot of time securing my devices and my family's devices.

I noticed that my system files' creation date had been changed to the 16th of August as if they'd been recreated. No update was done, and unless they're lying, Apple support told me that this is not normal system behavior.

I noticed that since this Friday the 15th, there has been an attempt to login as private in opendirectory:

Screenshot of log

How do I figure out what thing, file, process or call is causing that?

opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (#): ODErrorCredentialsInvalid

… that started regularly on Friday the 15th. When I looked at the login history there's a weird discrepancy: Fri 15 is right when those opendirectoryd queries started.

Additional details:

  • Firewall is activated
  • Router is not port forwarding - although I couldn't get them to confirm UPnP is disabled
  • I'm using LittleSnitch for filtering

My goal is to really figure out what is making those attempts, whether it's a genuine login/Touch ID for some user or system process, or other files/plists/processes etc.

  • You've got four answers stating that, based on the information you've shared with us, there is no indication that your computer got hacked. If you still believe otherwise, it might be better to bring the Mac to an Apple Store or dealer to have it checked. Or to boot into recovery and reinstall everything. Commented Aug 19 at 14:22
  • I went to the Apple store because yesterday someone tried to hack into my Apple ID, as attested by the Apple Genius... the information we got as far as -this- occurrence and information goes is that it's actually a local file that is trying to access those files. Also when someone tried to hack into my Apple ID a weird process of the name AKFollowUpServerExtension asked for my user and login Commented Aug 20 at 2:32
  • So what was the recommendation you got in the store? Commented Aug 20 at 3:51
  • They couldn't find the source of those requests and had limited knowledge in shell... I'm just going to a friend's cybersecurity/forensics since it seems most people are trying to gaslight instead of answering very clear questions in here Commented Aug 22 at 9:05
  • Please don't post text as an image; see Why are images of text, code and mathematical expressions discouraged?. Commented Aug 26 at 13:57

4 Answers

You are utterly not being hacked.

There might be hacking attempts, but as the log entry says “Authentication failed…” I would chalk this up to attempts to hack any IP address in the world by armies of bots and/or script kiddies. Any and every IP address that is exposed to the Internet gets scanned by armies of bots and/or script kiddies daily.

That they are getting past your router to begin with is a concern, but they are not logged in.

The TTY000 and console logins are just normal logins via your user on macOS. Here, look at the similar last output from my system; real username redacted to nope for example’s sake:

nope       ttys000                         Mon Aug 18 08:45   still logged in
nope       ttys000                         Mon Aug 18 08:40 - 08:40  (00:00)
nope       ttys000                         Mon Aug 18 08:40 - 08:40  (00:00)
nope       ttys000                         Mon Aug 18 08:22 - 08:22  (00:00)
nope       ttys000                         Mon Aug 18 08:21 - 08:21  (00:00)
[Repeated lines removed]
nope       ttys000                         Sat Aug  2 22:21 - 22:21  (00:00)
nope       ttys000                         Sat Aug  2 21:37 - 21:37  (00:00)
nope       ttys004                         Sat Aug  2 21:36 - 21:36  (00:00)
nope       ttys003                         Sat Aug  2 21:33 - 21:33  (00:00)
nope       ttys002                         Sat Aug  2 21:31 - 21:31  (00:00)
nope       ttys001                         Sat Aug  2 21:29 - 21:29  (00:00)
nope       ttys000                         Sat Aug  2 21:29 - 21:29  (00:00)
nope       ttys000                         Sat Aug  2 21:28 - 21:28  (00:00)
nope       ttys000                         Sat Aug  2 21:28 - 21:28  (00:00)
nope       ttys000                         Sat Aug  2 21:09 - 21:09  (00:00)
nope       ttys000                         Sat Aug  2 21:07 - 21:07  (00:00)
nope       ttys001                         Sat Aug  2 20:49 - 20:49  (00:00)
nope       ttys000                         Sat Aug  2 20:47 - 20:47  (00:00)
nope       ttys003                         Sat Aug  2 20:30 - 20:30  (00:00)
nope       ttys004                         Sat Aug  2 20:27 - 20:27  (00:00)
nope       ttys006                         Sat Aug  2 20:24 - 20:24  (00:00)
nope       ttys005                         Sat Aug  2 20:23 - 20:23  (00:00)
nope       ttys004                         Sat Aug  2 20:23 - 20:23  (00:00)
nope       ttys003                         Sat Aug  2 20:23 - 20:23  (00:00)
nope       ttys002                         Sat Aug  2 20:23 - 20:23  (00:00)
nope       ttys001                         Sat Aug  2 20:22 - 20:22  (00:00)
nope       ttys000                         Sat Aug  2 20:17 - 20:17  (00:00)
nope       ttys000                         Sat Aug  2 20:17 - 20:17  (00:00)
nope       ttys000                         Sat Aug  2 20:16 - 20:16  (00:00)
nope       ttys000                         Sat Aug  2 20:16 - 20:16  (00:00)
nope       console                         Sat Aug  2 20:10   still logged in

The line from Aug 18 that reads:

nope       ttys000                         Mon Aug 18 08:45   still logged in

…is me currently logged in to the Terminal. And the Aug 2 line:

nope       console                         Sat Aug  2 20:10   still logged in

…is when I rebooted my MacBook Air completely.

Meaning, console is for macOS as a whole and stays the same until restart/reboot. The other ttys000 entries are when you are actually logged in. The console session relates to the OS state and the ttys000 relates to the user state when the user is in the Terminal.

Reboot your machine to see this in action. When you do you should see a console and ttys000 on the same exact date.

What you are seeing is normal macOS behavior that you are misinterpreting in the context of you being supposedly a “target of a harassment and doxxing campaign.”


Update: In response to your recent edit that asks:

“How do I figure out what thing is causing that???”

The issue you are asking about is unsuccessful login attempts like this:

opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (#): ODErrorCredentialsInvalid

To restate what I stated above:

“There might be hacking attempts, but as the log entry says “Authentication failed…” I would chalk this up to attempts to hack any IP address in the world by armies of bots and/or script kiddies. Any and every IP address that is exposed to the Internet gets scanned by armies of bots and/or script kiddies daily.

That they are getting past your router to begin with is a concern, but they are not logged in.”

The reason for those login attempts (100% unsuccessful) is that you are connecting to a network or a router that is not properly blocking such attempts. Questions only you can answer are:

  • Is your macOS firewall active?
  • Is the firewall on your router active?
  • Are you connecting to a Wi-Fi hotspot that has questionable security practices?

If any/all of these are in play that would create log entries with tons of unsuccessful login attempts.

Again…

You are utterly not being hacked or targeted in any way, shape or form.

You are simply overanalyzing things you (honestly) barely understand and are projecting your fears onto them. Please wind that down; you are 100% safe.


Update: You say in this comment on the original question; bold emphasis is mine:

“I went to the Apple store because yesterday someone tried to hack into my Apple ID, as attested by the Apple Genius... the information we got as far as -this- occurrence and information goes is that it's actually a local file that is trying to access those files. Also when someone tried to hack into my Apple ID a weird process of the name AKFollowUpServerExtension asked for my user and login.”

The key word here is “tried.” Someone tried to hack into your Apple ID. They were not successful. It is not hard to see how someone can attempt to hack an Apple ID since most often your Apple ID is a very publicly known email address.

But just because someone tried to hack into your Apple ID does not mean it is related to any other logs and activity you have noticed. Again, you are projecting your worst fears onto system activity that is fairly boring at best.

Please take a step back and realize you have not been successfully hacked in any way, shape or form. Utterly nobody is gaslighting you.

You seem to be conflating local shell logins, which happen every time you open a terminal window, with remote logins, which don’t happen at all unless you enable Remote Login in the Sharing settings. You haven’t shown evidence of malicious activity.

If you have reason to think you might be targeted by a very powerful and unusual attack, such as an unknown zero-click exploit in Messages or Mail, you have the option of enabling Lockdown Mode (apple.com) on your Apple devices. This is something you would do only if you rationally believe you are the target of the intelligence agency of a government or corporation, not because you’re being harassed by some random moron on social media.

Otherwise, you should pay attention to password hygiene, making sure to use only strong passwords for online services, and above all, never using the same password for more than one purpose.

I advise against using any kind of “antivirus” or “endpoint security” software from a third party, as it is all worse than useless and at best duplicates the function of the built-in security of macOS. All it will do is give you a false sense of security, which really is dangerous because it may lead you to take risks that you wouldn’t otherwise take.

  • But why are they happening? opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed Commented Aug 18 at 15:45
  • If it makes you feel better, I have those same messages in my log. So either I've been hacked too, or they just don't mean anything out of context, like all log messages. Commented Aug 18 at 17:15

attempt to login as private

No, <private> is just a placeholder to replace (possibly) sensitive data.

The UUID that is shown after <private> is most likely your own UUID. You can check your own UUID using:

dscl /Search -read "/Users/$USER" GeneratedUID

(replace $USER with your username)

I have plenty of those messages when my Mac is locked and I unlock it using Touch ID. Probably starts trying to authenticate you as soon as it detects at least a little bit of a fingerprint, before it has enough of one, which fails repeatedly, until it finally goes through when the fingerprint is good enough.

The console login session is just your own GUI session, which takes control of the screen, keyboard, touchpad... It starts the first time you log into your Mac, and is of course still active as long as you are logged in. So you logged into your Mac on August 1st at 4:14 and haven't logged out since (you may have locked the session, or more likely it may have locked automatically on timeout or when closing the lid of your Mac, but you did not log out).

The ttys000, ttys001, etc. sessions are Terminal sessions. The one "still logged in", started on Aug 15 at 15:28, is when you started the Terminal session you used to get this info.

The apparently very short ones (0:00 duration) are actually past Terminal sessions. For some reason the end of the Terminal session does not seem to be recorded (I have the same on my Mac), but it still knows the session is no longer active.

So no, based on those logs, everything is fine and normal, it's all just your own activity.

  • Thanks but the problem remains the login attempts which I want to entirely prevent since remote login is supposed to be disabled Commented Aug 19 at 12:27
  • @yazze There are no remote login attempts. It was just you using Touch ID. Commented Aug 19 at 12:28
  • Okay, thanks but there are more than 200 of those in a day, which another thread says could be used by a file to test for password. How can I find the files or processes trying to access this process opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (#): ODErrorCredentialsInvalid Commented Aug 20 at 2:34
  • How often do you use Touch ID in a day? There will be several such logs each time you use it, so it can quickly grow to dozens or hundreds per day. Commented Aug 20 at 7:43
  • @jcaron Would switching off the router be a useful way to show that there is not a remote entity trying to access the computer? Commented Aug 20 at 16:08
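
Added example, not part of the original thread: a small shell script that turns the advice in the answer above into something you can run. It bins the opendirectoryd "Authentication failed" entries per hour, so you can see whether they arrive in short bursts around the moments you unlock the Mac (the Touch ID explanation) or trickle in steadily while the machine sits untouched, and it lists the UUID(s) that follow <private> so you can compare them with your own GeneratedUID from the dscl command given in the answer. The sample log lines inside the script are constructed, with a made-up UUID and timestamps, and are simplified compared to real log show output (which has extra columns after the time; only the date and time fields are used). The log show predicate in the header comment is the real unified-log filter for that subsystem and category; SAMPLE_LOG, od_triage.sh and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not code from the original thread). Triage of the
# opendirectoryd "Authentication failed" entries discussed above:
#   1. bin the failures per hour, to see whether they cluster around the
#      moments you unlock the Mac (Touch ID retries) or run steadily while
#      the machine is untouched;
#   2. list the UUID(s) after "<private>" and compare with your GeneratedUID.
#
# On a Mac, feed it real lines (the "-" argument means "read stdin"):
#   log show --last 1d --predicate 'subsystem == "com.apple.opendirectoryd" AND category == "auth"' | sh od_triage.sh -
# Run "sh od_triage.sh --sample" to use the constructed lines below instead.

# CONSTRUCTED sample lines in the shape of the question's log entry. The UUID
# and timestamps are made up; the ":default" line is filler that must be
# ignored. Real `log show` output has extra columns after the time, but the
# functions below only rely on the first two fields (date and time).
SAMPLE_LOG='2025-08-15 15:28:02 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0): ODErrorCredentialsInvalid
2025-08-15 15:28:02 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0): ODErrorCredentialsInvalid
2025-08-15 15:28:03 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0): ODErrorCredentialsInvalid
2025-08-15 15:28:03 opendirectoryd: [com.apple.opendirectoryd:default] constructed filler line, not an auth event
2025-08-15 16:40:11 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0): ODErrorCredentialsInvalid'

# Reads log lines on stdin, prints "YYYY-MM-DD HH <failures>" per hour, sorted.
count_failures_per_hour() {
    grep 'opendirectoryd' | grep 'Authentication failed' \
    | awk '{ key = $1 " " substr($2, 1, 2); n[key]++ }
           END { for (k in n) print k, n[k] }' \
    | sort
}

# Reads log lines on stdin, prints each distinct UUID that follows "<private>"
# in a failure line (the question's "(#)" placeholder matches nothing).
uuids_in_log() {
    grep 'Authentication failed' \
    | sed -n 's/.*<private> (\([0-9A-Fa-f-]*\)).*/\1/p' \
    | sort -u
}

# Your own account's GeneratedUID, via the dscl command from the answer above.
# Only works on macOS; returns 1 elsewhere so the rest still runs.
own_generated_uid() {
    command -v dscl >/dev/null 2>&1 || return 1
    dscl /Search -read "/Users/$USER" GeneratedUID | awk '{ print $2 }'
}

# Reads log lines on stdin; returns 0 when every UUID in the failures equals
# $1 (all failures concern your own account, as expected for Touch ID
# retries), 1 when any other UUID shows up.
only_own_uuid() {
    own="$1"
    others=$(uuids_in_log | grep -v -x "$own" || true)
    [ -z "$others" ]
}

# Entry point: "--sample" uses SAMPLE_LOG, anything else reads the log on stdin.
main() {
    if [ "${1:-}" = "--sample" ]; then
        log=$SAMPLE_LOG
    else
        log=$(cat)
    fi
    echo "Failures per hour:"
    printf '%s\n' "$log" | count_failures_per_hour
    echo "UUIDs in failures:"
    printf '%s\n' "$log" | uuids_in_log
    if own=$(own_generated_uid); then
        if printf '%s\n' "$log" | only_own_uuid "$own"; then
            echo "All failures refer to your own GeneratedUID ($own)."
        else
            echo "WARNING: a UUID other than your own appears; find out which account it is."
        fi
    else
        echo "dscl not available here; compare the UUIDs by hand with:"
        echo '  dscl /Search -read "/Users/$USER" GeneratedUID'
    fi
}

# Only run when invoked with an argument, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

A handful of failures within a second or two of each unlock, all carrying your own GeneratedUID, is the pattern the answer describes. A steady rate during hours when nobody touched the Mac, or a UUID that is not your own, is what would deserve a closer look, and is the point at which the time window from the hourly bins makes a follow-up log show query (with --info and a narrower --start/--end) worth running.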

I presume you're using the last command. That is entirely normal.

As long as you maintain good security 'hygiene':

  • Don't go to sketchy websites.
  • Think before clicking OK.
  • Be more careful using public Wifi.
  • Use strong, unique passwords.
  • And maybe scan your computer with Malwarebytes or similar regularly.

The probability of being 'attacked' from outside your router's network is very low.

You haven't really shown any evidence of any hacking attempts. If you want to do that, I'd recommend using something like Little Snitch to monitor outgoing network activity, and see if any purported malware is trying to send something to some unknown server.
