I’ve used Apple Remote Desktop heavily for business and personal uses for the last couple of years. I've always kept the remote management icon (binoculars) in my menu bar on my systems and a couple days ago it changed to the "active monitoring" icon when I did not initiate it from another machine…
A little background on the setup: I have an iMac and a MacBook Pro on my home network, both with ARD. They can manage each other or VPN to my workplace and manage five Mac Pro systems there. I also have ARD on one Mac Pro at work; that one can manage the other systems at work but cannot tap into my home network.
Shortly after 5PM, I had logged into the iMac at home for the first time that day. It had been running but just on the lock screen up to this point. I was using QuickTime Player to screen record a workflow to send someone. I did this a few times until I was satisfied with the recording and proceeded to export it. Moments later, around 5:45, I saw the icon change. I wasn’t sure how that would be possible, but clicked the icon to “message the administrator,” to which it returned an error to the effect of the administrator being unavailable. I quickly went to my sharing settings to disable remote management. It returned a prompt that said this would end a screen sharing session in progress. I proceeded and the checkmark became greyed out for about a minute or so before actually disabling. I then unplugged the ethernet cable, saved console logs, and shut down.
I’m hoping someone may be able to offer clarity about what happened here. It seems far-fetched to me that someone would gain access to my network and system passwords or be able to hack my ARD. I’m also wondering if the QuickTime screen recording may have triggered some similar process to screen sharing. The only other variable I can think of was that the MacBook Pro, which was in sleep mode at the time, did have the ARD app open before going to sleep (but wasn't managing the iMac at the time). Not sure if it may have been running some process automatically that may have triggered this incident. Here is all the relevant info I could find in Console within that timeframe:
iMac (system.log)
Aug 23 17:30:45 iMac-5K com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
Aug 23 17:31:15 --- last message repeated 1 time ---
Aug 23 17:40:26 iMac-5K syslogd[41]: ASL Sender Statistics
Aug 23 17:44:36 iMac-5K com.apple.xpc.launchd[1] (com.apple.screensharing[70860]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.screensharing.server
Aug 23 17:44:36 iMac-5K com.apple.xpc.launchd[1] (com.apple.ReportCrash[70863]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash
Aug 23 17:44:37 iMac-5K com.apple.xpc.launchd[1] (com.apple.ReportCrash.Root[70864]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash.DirectoryService
Aug 23 17:47:24 iMac-5K com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
Aug 23 17:47:45 --- last message repeated 1 time ---
Aug 23 17:47:45 iMac-5K com.apple.xpc.launchd[1] (com.apple.quicklook[70926]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
Aug 23 17:49:12 iMac-5K com.apple.xpc.launchd[1] (com.apple.Kerberos.kdc[116]): Service exited due to signal: Killed: 9 sent by launchd[1]
iMac Diagnostic Messages (2018.08.23.asl)
17:44:36.822893 -0700 screensharingd com.apple.message.domain: com.apple.screensharing.logViewerVersion
com.apple.message.viewerversion: 3.889
SenderMachUUID: I removed it but there is an unidentified UUID here ending in 596A
17:44:36.978985 -0700 spindump com.apple.message.domain: com.apple.telemetry.memory_hwm.event
com.apple.message.signature: ScreensharingAgent
com.apple.message.result: com.apple.screensharing.agent
com.apple.message.summarize: YES
SenderMachUUID: I removed it but there is an unidentified UUID here ending in DDD2
17:48:29.382106 -0700 screensharingd com.apple.message.domain: com.apple.screensharing.logSessionAccelerated
com.apple.message.acceleratedsession: 1
com.apple.message.summarize: YES
SenderMachUUID: I removed it but there is an unidentified UUID here ending in 596A
17:53:39.284270 -0700 Remote Desktop com.apple.message.domain: com.apple.remotedesktop.scannerType
com.apple.message.signature: Network Range
com.apple.message.summarize: YES
SenderMachUUID: I removed it but there is an unidentified UUID here ending in D8A9
MacBook Pro Diagnostic Messages
17:44:39.233587 -0700 Remote Desktop com.apple.message.domain: com.apple.screensharing.connectionStarted
com.apple.message.netaddresstype: IPV4
SenderMachUUID: I removed it but there is an unidentified UUID here ending in D8A9
17:44:39.233708 -0700 Remote Desktop com.apple.message.domain: com.apple.screensharing.addressResolutionEnded
com.apple.message.addressresolutionfailurereason: kResolverStatusParsingSucceeded
com.apple.message.result: pass
SenderMachUUID: I removed it but there is an unidentified UUID here ending in D8A9
MacBook Pro (system.log)
Aug 23 16:43:45 MacBook-Pro syslogd[35]: ASL Sender Statistics
Aug 23 17:44:32 MacBook-Pro syslogd[35]: ASL Sender Statistics
Aug 23 17:54:32 MacBook-Pro syslogd[35]: ASL Sender Statistics
Aug 23 17:57:16 MacBook-Pro com.apple.xpc.launchd[1] (com.apple.quicklook[10002]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
I’ll admit I’m not fluent in Console language and this all may be nothing. I don’t know the significance of the UUID numbers it’s showing; they aren’t my machines. But I do find the icon changing to “active monitoring,” in addition to the screen sharing messages in these logs, concerning, since I did not initiate any such sessions. Coincidentally, I was running the Malwarebytes real-time protection trial on both machines. Nothing came up from Malwarebytes and they both scan clean. What steps do I take next? I’m happy to answer any questions you may have to get to the bottom of this. Thanks for any assistance!
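A way to triage logs like the ones in this post, as an added example that is not part of the original post or of any Apple tool: the script below parses the system.log and ASL diagnostic excerpts from both Macs, flags every event tied to Screen Sharing or Remote Desktop, correlates flagged events across the two hosts by time, and groups them by SenderMachUUID suffix. The sample input is copied from the post; the redacted SenderMachUUID values are replaced with labelled placeholders that keep only the four-character suffix the post mentions, and the ten-second correlation window is an assumption chosen to fit these excerpts.

```python
"""Triage helper (added example, not from the original post): parse both Macs'
log excerpts, flag Screen Sharing / Remote Desktop events, and correlate them
across hosts by time and by SenderMachUUID suffix."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the post above. Redacted UUIDs are
# replaced by placeholders that keep only the suffix the post quotes.
SAMPLE_LOGS = {
    "iMac": {
        "system.log": """\
Aug 23 17:44:36 iMac-5K com.apple.xpc.launchd[1] (com.apple.screensharing[70860]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.screensharing.server
Aug 23 17:47:45 --- last message repeated 1 time ---
Aug 23 17:49:12 iMac-5K com.apple.xpc.launchd[1] (com.apple.Kerberos.kdc[116]): Service exited due to signal: Killed: 9 sent by launchd[1]
""",
        "asl": """\
17:44:36.822893 -0700 screensharingd com.apple.message.domain: com.apple.screensharing.logViewerVersion
com.apple.message.viewerversion: 3.889
SenderMachUUID: PLACEHOLDER-UUID-596A
17:44:36.978985 -0700 spindump com.apple.message.domain: com.apple.telemetry.memory_hwm.event
com.apple.message.signature: ScreensharingAgent
SenderMachUUID: PLACEHOLDER-UUID-DDD2
17:48:29.382106 -0700 screensharingd com.apple.message.domain: com.apple.screensharing.logSessionAccelerated
com.apple.message.acceleratedsession: 1
SenderMachUUID: PLACEHOLDER-UUID-596A
17:53:39.284270 -0700 Remote Desktop com.apple.message.domain: com.apple.remotedesktop.scannerType
com.apple.message.signature: Network Range
SenderMachUUID: PLACEHOLDER-UUID-D8A9
""",
    },
    "MacBook Pro": {
        "system.log": "",
        "asl": """\
17:44:39.233587 -0700 Remote Desktop com.apple.message.domain: com.apple.screensharing.connectionStarted
com.apple.message.netaddresstype: IPV4
SenderMachUUID: PLACEHOLDER-UUID-D8A9
17:44:39.233708 -0700 Remote Desktop com.apple.message.domain: com.apple.screensharing.addressResolutionEnded
com.apple.message.result: pass
SenderMachUUID: PLACEHOLDER-UUID-D8A9
""",
    },
}

ASL_HEADER = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) [+-]\d{4} (.+?) com\.apple\.message\.domain: (\S+)$")
SYSLOG_LINE = re.compile(r"^\w{3} +\d+ (\d{2}:\d{2}:\d{2}) (\S+) (\S+)\[\d+\]:?\s*(.*)$")
SCREEN_SHARING_MARKERS = ("screensharing", "remotedesktop", "remote desktop")


def _seconds(hms):
    """'17:44:36.822893' -> seconds since midnight (all excerpts are from one day)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_asl(host, text):
    """One event per timestamped header; the 'key: value' lines that follow
    (including SenderMachUUID) are attached to that event."""
    events, current = [], None
    for line in text.splitlines():
        m = ASL_HEADER.match(line)
        if m:
            current = {"host": host, "t": _seconds(m.group(1)),
                       "source": m.group(2), "key": m.group(3), "fields": {}}
            events.append(current)
        elif current is not None and ": " in line:
            k, v = line.split(": ", 1)
            current["fields"][k] = v.strip()
    return events


def parse_syslog(host, text):
    events = []
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if m:  # '--- last message repeated ---' lines do not match and are skipped
            events.append({"host": host, "t": _seconds(m.group(1)),
                           "source": m.group(3), "key": m.group(4), "fields": {}})
    return events


def build_timeline(logs=SAMPLE_LOGS):
    events = []
    for host, files in logs.items():
        events += parse_syslog(host, files.get("system.log", ""))
        events += parse_asl(host, files.get("asl", ""))
    return sorted(events, key=lambda e: e["t"])


def is_screen_sharing(event):
    blob = " ".join([event["source"], event["key"], *event["fields"].values()]).lower()
    return any(mark in blob for mark in SCREEN_SHARING_MARKERS)


def hosts_by_uuid_suffix(events):
    """Which hosts logged each SenderMachUUID, keyed by its last four characters."""
    hosts = defaultdict(set)
    for e in events:
        uuid = e["fields"].get("SenderMachUUID")
        if uuid:
            hosts[uuid[-4:]].add(e["host"])
    return dict(hosts)


def correlate(events, window=10.0):
    """Pairs of screen-sharing events on different hosts at most `window`
    seconds apart; pairs[0] is the earliest cross-host link in the timeline."""
    ss = [e for e in events if is_screen_sharing(e)]
    pairs = []
    for i, a in enumerate(ss):
        for b in ss[i + 1:]:
            if b["t"] - a["t"] > window:
                break
            if a["host"] != b["host"]:
                pairs.append((a, b))
    return pairs


def summarize(logs=SAMPLE_LOGS):
    events = build_timeline(logs)
    pairs = correlate(events)
    return {"events": len(events),
            "screen_sharing": sum(is_screen_sharing(e) for e in events),
            "cross_host_pairs": len(pairs),
            "first_link": [(p["host"], p["t"], p["key"]) for p in pairs[0]] if pairs else None,
            "uuid_hosts": hosts_by_uuid_suffix(events)}


if __name__ == "__main__":
    for e in build_timeline():
        print("SS" if is_screen_sharing(e) else "  ", f"{e['t']:10.3f}", e["host"], e["source"], e["key"])
    print(summarize())
```

Run against these excerpts, the earliest cross-host link the script reports is the iMac's screensharingd activity at 17:44:36 followed three seconds later by the MacBook Pro's Remote Desktop process logging connectionStarted at 17:44:39, which is the place an investigator would look first. Two caveats on reading the output: ASL's SenderMachUUID is the Mach-O UUID of the sending executable rather than an identifier for a machine, so the same suffix (D8A9) appearing for Remote Desktop on both hosts means the same build of that application logged on each, not that a third machine was involved; and the marker list only catches events whose process name, message domain or field values mention screen sharing or Remote Desktop, so on a real system the full log (not just Console excerpts) should be fed in, and the session should be confirmed against the Remote Management access list and Screen Sharing settings on the managed Mac.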