LuxPro
Members
Posts: 3

Everything posted by LuxPro

  1. I see what you mean about the logs. Was hoping someone here might have the right training to understand them. The machines should not have been open to the outside world. I did not set up port forwarding to access them from outside the local network, only from within. So it seems to me they would have had to hack my local wifi, in addition to the machine's password, in order to pull this off. It seems, if true, that it would have been a sophisticated and targeted attack. This would be worrisome. So I'm trying to figure out if it could have been some bug with ARD or something else, but it's tough to find any real answers without understanding the logs.
  2. Thanks so much for the reply, Thomas. I do use these machines to connect to a different network, but this incident occurred only on my local network (that I know of). Would you be able to determine more from the full log? Is there generally any information in the system.log that I should be wary about sending out for analysis? There are at least three different SenderMachUUIDs and none of them match the hardware UUID of my systems... But I'm not entirely clear on the significance of those as looking at the diagnostic logs it seems like every process reports a different UUID - even for things like Spotlight, AddressBook, Adobe, etc.
  3. I’ve used Apple Remote Desktop heavily for business and personal uses for the last couple of years. I've always kept the remote management icon (binoculars) in my menu bar on my systems, and a couple of days ago it changed to the "active monitoring" icon when I did not initiate it from another machine.

     A little background on the setup: I have an iMac and a MacBook Pro on my home network, both with ARD. They can manage each other or VPN to my workplace and manage five Mac Pro systems there. I also have ARD on one Mac Pro at work; that one can manage the other systems at work but cannot tap into my home network.

     Shortly after 5 PM, I had logged into the iMac at home for the first time that day. It had been running but just on the lock screen up to this point. I was using QuickTime Player to screen record a workflow to send someone. I did this a few times until I was satisfied with the recording and proceeded to export it. Moments later, around 5:45, I saw the icon change. I wasn’t sure how that would be possible, but clicked the icon to “message the administrator,” to which it returned an error to the effect of the administrator being unavailable. I quickly went to my sharing settings to disable remote management. It returned a prompt that said this would end a screen sharing session in progress. I proceeded, and the checkmark became greyed out for about a minute or so before actually disabling. I then unplugged the ethernet cable, saved console logs, and shut down.

     I’m hoping someone may be able to offer clarity about what happened here. It seems far-fetched to me that someone would gain access to my network and system passwords or be able to hack my ARD. I’m also wondering if the QuickTime screen recording may have triggered some similar process to screen sharing. The only other variable I can think of was that the MacBook Pro, which was in sleep mode at the time, did have the ARD app open before going to sleep (but wasn't managing the iMac at the time). Not sure if it may have been running some process automatically that may have triggered this incident.

     Here is all the relevant info I could find in Console within that timeframe:

     iMac (system.log)

       Aug 23 17:30:45 iMac-5K com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
       Aug 23 17:31:15 --- last message repeated 1 time ---
       Aug 23 17:40:26 iMac-5K syslogd[41]: ASL Sender Statistics
       Aug 23 17:44:36 iMac-5K com.apple.xpc.launchd[1] (com.apple.screensharing[70860]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.screensharing.server
       Aug 23 17:44:36 iMac-5K com.apple.xpc.launchd[1] (com.apple.ReportCrash[70863]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash
       Aug 23 17:44:37 iMac-5K com.apple.xpc.launchd[1] (com.apple.ReportCrash.Root[70864]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash.DirectoryService
       Aug 23 17:47:24 iMac-5K com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): Unknown key for integer: _DirtyJetsamMemoryLimit
       Aug 23 17:47:45 --- last message repeated 1 time ---
       Aug 23 17:47:45 iMac-5K com.apple.xpc.launchd[1] (com.apple.quicklook[70926]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook
       Aug 23 17:49:12 iMac-5K com.apple.xpc.launchd[1] (com.apple.Kerberos.kdc[116]): Service exited due to signal: Killed: 9 sent by launchd[1]

     iMac Diagnostic Messages (2018.08.23.asl)

       17:44:36.822893 -0700 screensharingd
         com.apple.message.domain: com.apple.screensharing.logViewerVersion
         com.apple.message.viewerversion: 3.889
         SenderMachUUID: (I removed it, but there is an unidentified UUID here ending in 596A)
       17:44:36.978985 -0700 spindump
         com.apple.message.domain: com.apple.telemetry.memory_hwm.event
         com.apple.message.signature: ScreensharingAgent
         com.apple.message.result: com.apple.screensharing.agent
         com.apple.message.summarize: YES
         SenderMachUUID: (I removed it, but there is an unidentified UUID here ending in DDD2)
       17:48:29.382106 -0700 screensharingd
         com.apple.message.domain: com.apple.screensharing.logSessionAccelerated
         com.apple.message.acceleratedsession: 1
         com.apple.message.summarize: YES
         SenderMachUUID: (I removed it, but there is an unidentified UUID here ending in 596A)
       17:53:39.284270 -0700 Remote Desktop
         com.apple.message.domain: com.apple.remotedesktop.scannerType
         com.apple.message.signature: Network Range
         com.apple.message.summarize: YES
         SenderMachUUID: (I removed it, but there is an unidentified UUID here ending in D8A9)

     MacBook Pro Diagnostic Messages

       17:44:39.233587 -0700 Remote Desktop
         com.apple.message.domain: com.apple.screensharing.connectionStarted
         com.apple.message.netaddresstype: IPV4
         SenderMachUUID: (I removed it, but there is an unidentified UUID here ending in D8A9)
       17:44:39.233708 -0700 Remote Desktop
         com.apple.message.domain: com.apple.screensharing.addressResolutionEnded
         com.apple.message.addressresolutionfailurereason: kResolverStatusParsingSucceeded
         com.apple.message.result: pass
         SenderMachUUID: (I removed it, but there is an unidentified UUID here ending in D8A9)

     MacBook Pro (system.log)

       Aug 23 16:43:45 MacBook-Pro syslogd[35]: ASL Sender Statistics
       Aug 23 17:44:32 MacBook-Pro syslogd[35]: ASL Sender Statistics
       Aug 23 17:54:32 MacBook-Pro syslogd[35]: ASL Sender Statistics
       Aug 23 17:57:16 MacBook-Pro com.apple.xpc.launchd[1] (com.apple.quicklook[10002]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook

     I’ll admit I’m not fluent in Console language, and this all may be nothing. I don’t know the significance of the UUID numbers it’s showing; they aren’t my machines. But I do find the icon changing to “active monitoring,” in addition to the screen sharing messages in these logs, concerning, since I did not initiate any such sessions. Coincidentally, I was running the Malwarebytes real-time protection trial on both machines. Nothing came up from Malwarebytes, and they both scan clean. What steps do I take next? I’m happy to answer any questions you may have to get to the bottom of this. Thanks for any assistance!
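The logs quoted in the post above come in two shapes (system.log lines and ASL diagnostic messages) from two machines, and the question being asked is whether the screen-sharing lines on the iMac line up with anything on the MacBook Pro. The script below is an added example, not code from the post or from Apple. It parses both line shapes, keeps only the screen-sharing and Remote Desktop lines, pairs events on different hosts that fall within a ten-second window, and groups the SenderMachUUID suffixes by the host and process that reported them. The sample lines are reconstructed from the post; the full UUIDs, which the poster redacted, are placeholders that keep only the last four characters quoted, and the year and date (2018-08-23, taken from the ASL file name) are assumptions, because system.log lines carry no year and ASL diagnostic lines carry no date.

```python
"""Line up screen-sharing events from two Macs' system.log and ASL diagnostic
output on one clock.  Added example with constructed sample input, not the post's code."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_YEAR = 2018          # assumption: system.log lines carry no year (ASL file is 2018.08.23.asl)
LOG_DATE = "2018-08-23"  # assumption: ASL diagnostic lines carry only a time of day

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s\[]+)(?:\[\d+\])?(?: \((?P<target>[^)]*)\))?: (?P<msg>.*)$")
ASL_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) [+-]\d{4} (?P<proc>.+?) "
    r"com\.apple\.message\.domain: (?P<domain>\S+)(?P<rest>.*)$")
UUID_RE = re.compile(r"SenderMachUUID: (?P<uuid>\S+)")

@dataclass(frozen=True)
class Event:
    host: str
    ts: datetime
    process: str
    message: str
    uuid_suffix: str | None   # last 4 chars of SenderMachUUID, when the line has one

def parse_line(host: str, line: str) -> Event | None:
    """One system.log or ASL line -> Event; None for '--- last message repeated ---' etc."""
    m = ASL_RE.match(line)
    if m:
        ts = datetime.strptime(f"{LOG_DATE} {m['time']}", "%Y-%m-%d %H:%M:%S.%f")
        u = UUID_RE.search(m["rest"])
        return Event(host, ts, m["proc"], (m["domain"] + m["rest"]).strip(),
                     u["uuid"][-4:] if u else None)
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return Event(m["host"], ts, m["proc"], f"{m['target'] or ''} {m['msg']}".strip(), None)
    return None

def parse_log(host: str, text: str) -> list[Event]:
    return [e for e in (parse_line(host, ln) for ln in text.splitlines()) if e]

def is_screen_sharing(e: Event) -> bool:
    t = f"{e.process} {e.message}".lower()
    return "screensharing" in t or "remotedesktop" in t or "remote desktop" in t

def cross_host_matches(events: list[Event], window: timedelta = timedelta(seconds=10)):
    """(earlier, later) screen-sharing events on different hosts at most `window` apart."""
    ss = sorted((e for e in events if is_screen_sharing(e)), key=lambda e: e.ts)
    pairs = []
    for i, a in enumerate(ss):
        for b in ss[i + 1:]:
            if b.ts - a.ts > window:
                break
            if a.host != b.host:
                pairs.append((a, b))
    return pairs

def senders_by_uuid(events: list[Event]) -> dict[str, set[tuple[str, str]]]:
    """Which (host, process) pairs reported each SenderMachUUID suffix."""
    out: dict[str, set[tuple[str, str]]] = {}
    for e in events:
        if e.uuid_suffix:
            out.setdefault(e.uuid_suffix, set()).add((e.host, e.process))
    return out

# Constructed sample input reconstructed from the post; the poster redacted the
# UUIDs, so U stands in for everything but the last four characters quoted.
U = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
IMAC_SYSLOG = """\
Aug 23 17:40:26 iMac-5K syslogd[41]: ASL Sender Statistics
Aug 23 17:44:36 iMac-5K com.apple.xpc.launchd[1] (com.apple.screensharing[70860]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.screensharing.server
Aug 23 17:47:45 --- last message repeated 1 time ---
"""
IMAC_ASL = f"""\
17:44:36.822893 -0700 screensharingd com.apple.message.domain: com.apple.screensharing.logViewerVersion com.apple.message.viewerversion: 3.889 SenderMachUUID: {U}596A
17:44:36.978985 -0700 spindump com.apple.message.domain: com.apple.telemetry.memory_hwm.event com.apple.message.signature: ScreensharingAgent com.apple.message.result: com.apple.screensharing.agent SenderMachUUID: {U}DDD2
17:48:29.382106 -0700 screensharingd com.apple.message.domain: com.apple.screensharing.logSessionAccelerated com.apple.message.acceleratedsession: 1 SenderMachUUID: {U}596A
17:53:39.284270 -0700 Remote Desktop com.apple.message.domain: com.apple.remotedesktop.scannerType com.apple.message.signature: Network Range SenderMachUUID: {U}D8A9
"""
MBP_ASL = f"""\
17:44:39.233587 -0700 Remote Desktop com.apple.message.domain: com.apple.screensharing.connectionStarted com.apple.message.netaddresstype: IPV4 SenderMachUUID: {U}D8A9
17:44:39.233708 -0700 Remote Desktop com.apple.message.domain: com.apple.screensharing.addressResolutionEnded com.apple.message.result: pass SenderMachUUID: {U}D8A9
"""

def analyse():
    events = (parse_log("iMac-5K", IMAC_SYSLOG) + parse_log("iMac-5K", IMAC_ASL)
              + parse_log("MacBook-Pro", MBP_ASL))
    return cross_host_matches(events), senders_by_uuid(events)

if __name__ == "__main__":
    pairs, senders = analyse()
    for a, b in pairs:
        print(a.host, a.ts.time(), a.process, "<->", b.host, b.ts.time(), b.process)
    for suffix, who in sorted(senders.items()):
        print(suffix, sorted(who))
```

Run stand-alone, it pairs the three iMac screen-sharing events at 17:44:36 with the two MacBook Pro connectionStarted and addressResolutionEnded events about three seconds later, and it shows the suffix D8A9 reported by a process named Remote Desktop on both machines while 596A is reported only by screensharingd on the iMac. That is nothing more than the post's own lines placed side by side; what it means is for the thread to decide. To use it on real files, replace the sample constants with the saved system.log and the exported ASL text; the parsing and correlation do not depend on the sample.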