What the hell is starting up (or running) on my Mac ?
The goal of this document is to help a NERD track down a
VIRUS or something silly running on an OS X system.
This document will NOT try to explain the
/System/Library/CoreServices/BootX
or the
/System/Library/CoreServices/boot.efi
or the
/etc/rc.xxxx
startup files.
Shortcuts:
- Items that start on power up.
- Items that start for all users on power up.
- Items that start at user login time.
- MANDATORY TOOLS you should have.
serveradmin will be your number one tool (it ships with Mac OS X Server, not the client OS), e.g.
sudo serveradmin fullstatus network
This has bitten me in the ass more than one time,
we often check the USER loginwindow.plist file and forget the SYSTEM .plist file!
more /Library/Preferences/loginwindow.plist
If it is a binary file, convert it to ASCII (XML) via,
/usr/bin/plutil -convert xml1 /Library/Preferences/loginwindow.plist
(this rewrites the file in place; work on a copy if you only want to read it)
then edit with your fav ASCII editor,
nano /Library/Preferences/loginwindow.plist
... and look for silly things starting up!
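The check above (system and user loginwindow.plist, binary or XML) as a script. This is an added example, not code from the page: plistlib reads both plist formats, so nothing has to be rewritten with plutil just to look at it. The AutoLaunchedApplicationDictionary key with Path and Hide entries is the layout the login-items list uses; the TRUSTED_PREFIXES list and the sample plist are assumptions constructed for the example.

```python
"""Inventory the login items in a loginwindow.plist (binary or XML) and flag odd ones."""
import plistlib
import tempfile
from pathlib import Path

# Directories a login item is "expected" to live in. This is a heuristic chosen
# for the example, not anything loginwindow enforces; tune it per machine.
TRUSTED_PREFIXES = ("/Applications/", "/System/Library/", "/Library/")


def login_items(data: bytes):
    """Return [(path, hidden)] from AutoLaunchedApplicationDictionary.

    plistlib.loads() detects binary vs. XML itself, so the same code handles
    both the converted and the unconverted file.
    """
    plist = plistlib.loads(data)
    items = []
    for entry in plist.get("AutoLaunchedApplicationDictionary", []):
        path = entry.get("Path")
        if path:
            items.append((path, bool(entry.get("Hide", False))))
    return items


def suspicious(items):
    """Flag items that start hidden or run from outside the trusted prefixes."""
    flagged = []
    for path, hidden in items:
        reasons = []
        if hidden:
            reasons.append("Hide=true")
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("outside trusted prefixes")
        if reasons:
            flagged.append((path, reasons))
    return flagged


def scan_file(path):
    """Run the check on an on-disk loginwindow.plist (system or per-user)."""
    return suspicious(login_items(Path(path).read_bytes()))


# Constructed sample (not a real file): one ordinary login item, plus one hidden
# item launched from a user-writable directory.
SAMPLE = {
    "AutoLaunchedApplicationDictionary": [
        {"Path": "/Applications/ClamXav.app/Contents/Resources/ClamXavSentry.app",
         "Hide": False},
        {"Path": "/Users/Shared/.cache/updater.app", "Hide": True},
    ]
}
SAMPLE_XML = plistlib.dumps(SAMPLE)
SAMPLE_BINARY = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)


def write_sample_file():
    """Write the binary sample to a temp file so scan_file() can be exercised."""
    fd, name = tempfile.mkstemp(suffix="-loginwindow.plist")
    with open(fd, "wb") as fh:
        fh.write(SAMPLE_BINARY)
    return name


if __name__ == "__main__":
    for path, reasons in suspicious(login_items(SAMPLE_BINARY)):
        print(path, "->", ", ".join(reasons))
```

Point it at /Library/Preferences/loginwindow.plist and ~/Library/Preferences/loginwindow.plist in turn with scan_file(); an empty result only means nothing matched the heuristic, so still read the full list once.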
Do NOT forget to monitor your USER
~/Library/LaunchAgents/
folder for a plist file called com.google.keystone.agent.plist
This is Google's Keystone update agent: it runs in the background and phones home to Google on a schedule (SpyWare, as far as this document is concerned). It is installed by many gOOgle applications including but not limited to:
Picasa, Earth, Desktop and Voice (more too I suspect).
For more info see this guide.
- If you ever install an HP ScanJet or Retrospect (RetroRunSL), it MAY prevent you from shutting down or restarting correctly.
- The HP ScanJet installer may install THREE background programs which do NOT shut down when HUP'ed.
SECRET TIP:
Prevent BOTH
/Library/Preferences/loginwindow.plist
and ~/Library/Preferences/loginwindow.plist
from running at user login, by doing a "safe login":
- Hold down the SHIFT key AFTER you type your password and BEFORE you click the "login" button.
- The LaunchDaemons folders contain items that will run as root, generally background processes.
- The LaunchAgents folders contain jobs, called agent applications, that will run as a user or in the context of userland.
- If your job needs to run even when no users are logged in, put it in /Library/LaunchDaemons.
- If it is only useful when users are logged in, put it in /Library/LaunchAgents, or in the personal LaunchAgents directories of specific users.
- Do not put your job in /System/Library, which is reserved for system-provided daemons.
- Startup files are found in various locations, some are provided in the following tables.
Provided by the user:
  Location                                   Type
  ~/Library/LaunchAgents/                    Per-user agents.
  ~/Library/Preferences/loginwindow.plist    Per-user applications.
Optionally installed by MacPorts:
  Location                                   Type
  /opt/local/etc/LaunchDaemons/              Soft-linked into /Library/LaunchDaemons/.
Provided by the administrator (or by Apple, under /System):
  Location                                   Type
  /Library/LaunchAgents/                     Per-user agents.
  /Library/LaunchDaemons/                    System wide daemons.
  /System/Library/LaunchAgents/              Per-user agents (Apple).
  /System/Library/LaunchDaemons/             System wide daemons (Apple).
  /Library/Preferences/loginwindow.plist     System wide applications.
- /Library/StartupItems/
- /System/Library/StartupItems/
- /etc/rc.local
- /etc/mach_init.d/
- /etc/mach_init_per_login_session.d/
- /etc/mach_init_per_user.d/
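A triage pass over a LaunchAgents or LaunchDaemons folder, as an added example (not code from the page). It reads every job plist with plistlib, pulls out the Label, the program it runs and the keys that make it start on its own (RunAtLoad, KeepAlive, StartInterval), and flags non-Apple labels and binaries outside the usual install directories. The SYSTEM_DIRS list, the flagging rules and the three sample jobs are assumptions constructed for the example; the Keystone path is only illustrative.

```python
"""Triage launchd job definitions (LaunchAgents / LaunchDaemons plists)."""
import os
import plistlib
import tempfile
from pathlib import Path

# Where a legitimately installed binary is expected to live (example heuristic).
SYSTEM_DIRS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/",
               "/Applications/", "/opt/local/")


def job_summary(plist_bytes):
    """Summarise one launchd job: what it runs and what makes it start."""
    p = plistlib.loads(plist_bytes)          # binary or XML, no plutil needed
    args = p.get("ProgramArguments") or []
    program = p.get("Program") or (args[0] if args else None)
    return {
        "label": p.get("Label", "<no Label>"),
        "program": program,
        "args": args,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        # KeepAlive is a bool or a dict of conditions; either means "relaunch me".
        "keep_alive": bool(p.get("KeepAlive", False)),
        "start_interval": p.get("StartInterval"),
        "disabled": bool(p.get("Disabled", False)),
    }


def flags(job):
    """Reasons a job deserves a closer look (example heuristics, not launchd rules)."""
    out = []
    if not job["label"].startswith("com.apple."):
        out.append("non-Apple")
    prog = job["program"]
    if prog is None:
        out.append("no Program/ProgramArguments")
    elif not prog.startswith(SYSTEM_DIRS):
        out.append("program outside standard dirs: %s" % prog)
    if job["run_at_load"] or job["keep_alive"] or job["start_interval"]:
        out.append("starts automatically")
    return out


def scan_dir(directory):
    """Parse every *.plist in a folder; return [(filename, job, flags)] by filename."""
    results = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            job = job_summary(path.read_bytes())
        except Exception as exc:      # a plist launchd cannot parse is itself a lead
            results.append((path.name, None, ["unparseable: %s" % exc]))
            continue
        results.append((path.name, job, flags(job)))
    return results


# Constructed sample folder (not real jobs): an Apple job, a vendor updater that
# runs on a timer, and a job whose binary lives in a user-writable temp dir.
SAMPLE_JOBS = {
    "com.apple.example.plist": {
        "Label": "com.apple.example",
        "ProgramArguments": ["/usr/libexec/example"], "RunAtLoad": True},
    "com.google.keystone.agent.plist": {
        "Label": "com.google.keystone.agent",
        "ProgramArguments": ["/Library/Google/GoogleSoftwareUpdate/Agent",
                             "-runMode", "ifneeded"],
        "StartInterval": 3600},
    "com.example.dropper.plist": {
        "Label": "com.example.dropper",
        "Program": "/private/tmp/.x/agent", "KeepAlive": True},
}


def build_sample_dir():
    """Write the sample jobs to a temp folder, mixing XML and binary plists."""
    d = tempfile.mkdtemp(prefix="LaunchAgents-")
    for name, job in SAMPLE_JOBS.items():
        fmt = plistlib.FMT_BINARY if name.startswith("com.example") else plistlib.FMT_XML
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(job, fh, fmt=fmt)
    return d


if __name__ == "__main__":
    for name, job, fl in scan_dir(build_sample_dir()):
        print(name, job and job["program"], fl)
```

Run scan_dir() over each folder in the tables above; the per-user folder of every account, not just the one you are logged in as, since a LaunchAgent dropped into another user's home runs the next time that user logs in.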
- See what NON-APPLE kernel extensions are being loaded from
/System/Library/Extensions/
kextstat | grep -v apple
Some examples of what you might find are listed below:
EXAMPLE:
com.subrosasoft.watcher = FileDefense from SubrosaSoft.
at.obdev.KUC = Little Snitch, 1.x
at.obdev.nke.LittleSnitch = Little Snitch, 2.x
com.vmware.kext.vmx86 = VMware, 1 of 4
com.vmware.kext.vmci = VMware, 2 of 4
com.vmware.kext.vmioplug = VMware, 3 of 4
com.vmware.kext.vmnet = VMware, 4 of 4
com.macally.driver.ICEKey = Macally ICEKey keyboard.
com.cisco.nke.ipsec = VPN client from Cisco.
net.pocketmac.driver.BlackberryUSBDev = Blackberry USB iSync hack.
org.openafs.filesystems.afs = OpenAFS client.
com.AmbrosiaSW.AudioSupport = Audio Hijack or WireTap.
com.symantec.kext.SymEvent2 = Symantec AntiVirus, 1 of 2.
com.Symantec.kext.SAVAPComm = Symantec AntiVirus, 2 of 2.
com.sophos.kext.sav = Sophos Anti-Virus.
com.bresink.driver.BRESINKx86Monitoring = Assorted tools from Marcel Bresink.
com.airgrab.driver.AirGrabFirewallModule = Hawking HWUG1A (RT73) USB WiFi NIC.
- To STOP the kernel extension "com.bresink.driver.BRESINKx86Monitoring" do,
sudo kextunload -b com.bresink.driver.BRESINKx86Monitoring
- To prevent it from starting again on reboot, move it OUT of StartupItems to your desktop,
sudo mv /Library/StartupItems/BRESINKx86Monitoring ~/Desktop/
and/or move it OUT of /System/Library/Extensions/ to your desktop.
Diablotin and/or Lingon (see below) will disable them too.
- See also:
ls -asl /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ~/DownLoads
- If your Mac will ONLY work in safe mode,
you may have a bad kernel extension or the permissions are set wrong.
- Make sure they are all OWNED by root and the GROUP is set to wheel
(the kernel refuses to load a kext whose files are not root:wheel, which is exactly what leaves you stuck in safe mode).
- Especially items NOT made by Apple, like the BUG in the
Lexar JumpDrive Secure II Plus USB Flash Drive installation software!!!
Example fix below:
sudo chown -R root /System/Library/Extensions/LexarFilterScheme.kext
sudo chgrp -R wheel /System/Library/Extensions/LexarFilterScheme.kext
See Bubba too...
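The two checks from this section in one script, added here as an example (not code from the page): the first function parses kextstat output and keeps the non-Apple bundle IDs, annotating them from the list above; the second walks a .kext bundle and reports every file not owned by root:wheel, the ownership problem behind the Lexar fix. The kextstat sample text and the throw-away bundle are constructed for the example, and the KNOWN map only covers the IDs the page lists.

```python
"""Non-Apple kexts from kextstat output, plus a root:wheel ownership check."""
import os
import tempfile
from pathlib import Path

# Third-party bundle IDs taken from the list above; anything else is "unknown".
KNOWN = {
    "com.subrosasoft.watcher": "FileDefense from SubrosaSoft",
    "at.obdev.KUC": "Little Snitch 1.x",
    "at.obdev.nke.LittleSnitch": "Little Snitch 2.x",
    "com.vmware.kext.vmx86": "VMware",
    "com.vmware.kext.vmci": "VMware",
    "com.vmware.kext.vmioplug": "VMware",
    "com.vmware.kext.vmnet": "VMware",
    "com.cisco.nke.ipsec": "Cisco VPN client",
    "com.symantec.kext.SymEvent2": "Symantec AntiVirus",
    "com.Symantec.kext.SAVAPComm": "Symantec AntiVirus",
    "com.sophos.kext.sav": "Sophos Anti-Virus",
    "com.bresink.driver.BRESINKx86Monitoring": "Marcel Bresink tools",
}


def parse_kextstat(text):
    """Parse kextstat output into (bundle_id, version, index) tuples.

    Columns: Index Refs Address Size Wired Name (Version) <Linked Against>.
    The header and blank lines are skipped.
    """
    kexts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].isdigit():
            continue
        version = ""
        if len(fields) > 6 and fields[6].startswith("("):
            version = fields[6].strip("()")
        kexts.append((fields[5], version, int(fields[0])))
    return kexts


def non_apple(kexts):
    """The `kextstat | grep -v apple` view, annotated from KNOWN."""
    return [(bid, ver, KNOWN.get(bid, "UNKNOWN - investigate"))
            for bid, ver, _ in kexts if not bid.startswith("com.apple.")]


def ownership_problems(bundle, uid=0, gid=0):
    """Every path inside a kext bundle not owned by uid:gid (root:wheel by default)."""
    root = Path(bundle)
    bad = []
    for p in [root] + sorted(root.rglob("*")):
        st = os.lstat(p)
        if st.st_uid != uid or st.st_gid != gid:
            bad.append((str(p), st.st_uid, st.st_gid))
    return bad


def current_ids():
    """uid/gid of whoever runs this; used to exercise the check without root."""
    return os.getuid(), os.getgid()


# Constructed kextstat output (not captured from a real machine).
SAMPLE_KEXTSTAT = """\
Index Refs Address    Size       Wired      Name (Version) <Linked Against>
    1    1 0x0        0x0        0x0        com.apple.kernel (10.8.0)
   13    0 0x5e4000   0x4000     0x3000     at.obdev.nke.LittleSnitch (2.3.3) <5 4 3 2 1>
   27    0 0x5a2000   0x8000     0x7000     com.vmware.kext.vmx86 (3.1.2) <7 6 5 4 3 1>
   31    0 0x6b1000   0x3000     0x2000     com.example.unknown (1.0) <4 3 1>
"""


def make_sample_bundle():
    """Create a throw-away fake .kext folder, owned by the current user."""
    d = Path(tempfile.mkdtemp(prefix="Example.kext-"))
    (d / "Contents").mkdir()
    (d / "Contents" / "Info.plist").write_text("<plist/>")
    return str(d)


if __name__ == "__main__":
    for bid, ver, what in non_apple(parse_kextstat(SAMPLE_KEXTSTAT)):
        print(bid, ver, "->", what)
    # Non-empty unless run as root, since the temp bundle is owned by you.
    print(ownership_problems(make_sample_bundle()))
```

On a real machine feed it `kextstat` output and point ownership_problems() at each third-party bundle in /System/Library/Extensions; anything it lists is a candidate for the chown/chgrp fix above.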
- To rebuild the kernel extension cache, do:
sudo rm /System/Library/Extensions.mkext
sudo kextcache -k /System/Library/Extensions
sudo reboot
or try
sudo touch /System/Library/Extensions
which Snow Leopard likes more.
- All will be rebuilt on next boot.
See also: kextfind.
- Learn to use and understand launchctl,
to manage your Agents and Daemons in the locations below (and above)!
  ~/Library/LaunchAgents           Per-user agents provided by the user.
  /Library/LaunchAgents            Per-user agents provided by the administrator.
  /Library/LaunchDaemons           System wide daemons provided by the administrator.
  /System/Library/LaunchAgents     Mac OS X per-user agents.
  /System/Library/LaunchDaemons    Mac OS X system wide daemons.
sudo launchctl help
sudo launchctl list | more
(launchctl list prints PID, Status and Label: a "-" PID means the job is loaded but not running right now, and Status is the last exit status, so anything non-zero is a job that keeps failing. With sudo you see root's jobs; run it again WITHOUT sudo to see the agents loaded for your own user.)
So to see just the active services, we would do,
sudo launchctl bslist | grep "A "
(you will see a lot of services, not to worry)
The three states a service can be in are:
- active "A"
- inactive "I"
- on-demand "D"
EXAMPLE: com.apple.SafariBookmarksSyncer.plist
- Is in your ~/Library/LaunchAgents/ folder and used by Apple's MobileMe service to sync bookmarks between multiple computers, even if this feature is NOT used!!!
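Parsing the two launchctl listings above instead of eyeballing them, as an added example (not code from the page). The first parser turns `launchctl list` rows into running / failing / non-Apple buckets using the PID-Status-Label columns; the second groups Leopard-era `launchctl bslist` lines by their A/I/D state letter. Both sample outputs are constructed for the example.

```python
"""Triage `launchctl list` and Leopard-era `launchctl bslist` output."""


def parse_launchctl_list(text):
    """Rows of `launchctl list` as dicts.

    pid is None when the column is "-" (loaded but not running); status is the
    last exit status and None while the job is running. Negative statuses are
    signal numbers, so "-15" is kept as -15.
    """
    jobs = []
    for line in text.splitlines():
        parts = line.split("\t") if "\t" in line else line.split()
        if len(parts) != 3 or parts[0] == "PID":
            continue                                  # header or junk
        pid, status, label = parts
        jobs.append({
            "label": label,
            "pid": int(pid) if pid.isdigit() else None,
            "status": int(status) if status.lstrip("-").isdigit() else None,
        })
    return jobs


def triage(jobs):
    """Labels that are running, that last exited non-zero, and that are not Apple's."""
    running = [j["label"] for j in jobs if j["pid"] is not None]
    failing = [j["label"] for j in jobs if j["status"] not in (None, 0)]
    third_party = [j["label"] for j in jobs if not j["label"].startswith("com.apple.")]
    return running, failing, third_party


def parse_bslist(text):
    """Group `launchctl bslist` lines by state: A active, I inactive, D on-demand."""
    states = {"A": [], "I": [], "D": []}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in states:
            states[parts[0]].append(parts[1].strip())
    return states


# Constructed `launchctl list` output (tab separated, as launchd prints it).
SAMPLE_LIST = (
    "PID\tStatus\tLabel\n"
    "212\t-\tcom.apple.Finder\n"
    "-\t0\tcom.apple.SafariBookmarksSyncer\n"
    "-\t1\tcom.bjango.istatserver\n"
    "-\t-15\tcom.example.crashy\n"
    "4311\t-\tcom.google.keystone.agent\n"
)

# Constructed `launchctl bslist` output.
SAMPLE_BSLIST = (
    "A  com.apple.SystemConfiguration.configd\n"
    "D  com.apple.SafariBookmarksSyncer\n"
    "I  com.example.whatever\n"
    "A  com.google.keystone.agent\n"
)


if __name__ == "__main__":
    running, failing, third_party = triage(parse_launchctl_list(SAMPLE_LIST))
    print("running:", running)
    print("failing:", failing)
    print("non-Apple:", third_party)
    print("active:", parse_bslist(SAMPLE_BSLIST)["A"])
```

Paste real output in and compare the non-Apple list against the plists you found on disk: a label that is loaded but has no plist in any of the folders above was loaded by hand or from somewhere else, and is worth chasing.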
* The *NEW* version of Lingon (see below) may help you get started.
- Running system_profiler will show you the info much better than
/etc/hostconfig (below).
Running
/usr/sbin/system_profiler SPHardwareDataType
will give you a nice brief overview of the system.
/usr/sbin/system_profiler SPStartupItemDataType
will list some startup items.
/usr/sbin/system_profiler SPSoftwareDataType
will list your OS version.
/usr/sbin/system_profiler -listDataTypes
for a complete list of what you can query.
The above is also available via the GUI,
open "/Applications/Utilities/System Profiler.app"
NOTE: Good old Panther (10.3) does it this way:
/usr/sbin/AppleSystemProfiler -usage
- By default, you may be starting a few daemons.
PLEASE review your hostconfig file,
more /etc/hostconfig
- To MANAGE a running service like AppleShare'ing (AFPSERVER=-YES-) do,
sudo /sbin/SystemStarter stop AppleShare
- You should know what services have the ABILITY to be started (apache etc.), via:
sudo grep -r -e YES -e AUTOMATIC /System/Library/StartupItems
- Now look for programs accessing the filesystem via:
sudo fs_usage -f filesys | grep -v iTerm | grep -v Finder | grep -v grep
(add more greps to filter out known good processes.)
or to see just what iTunes is doing do:
sudo fs_usage -f filesys | grep iTunes
- Start by knowing what is in your:
ls -asl /Library/StartupItems/
ls -asl /System/Library/StartupItems/
ls -asl /Library/LaunchDaemons/
- Little Snitch etc. are in here.
ls -asl /System/Library/LaunchDaemons/
- You will see a LOT of items here. Trust me, use Lingon to see if and when they are started.
- loginwindow reads this file (if it exists) each time a user logs in, and every variable in it (PATH, DYLD_* and the like) is inherited by every application that user launches, so check it for entries you did not put there:
more ~/.MacOSX/environment.plist
- The below item is the SAME one located via the user accounts GUI preference pane.
This is the MOST IMPORTANT LOCATION for USER stuff!!!!!:
open ~/Library/Preferences/loginwindow.plist
if binary, convert to ASCII by doing,
/usr/bin/plutil -convert xml1 ~/Library/Preferences/loginwindow.plist
This is how the ClamXav Sentry is started:
/usr/bin/grep ClamXavSentry ~/Library/Preferences/loginwindow.plist
and again, if you can not read it, convert it to ASCII via,
/usr/bin/plutil -convert xml1 ~/Library/Preferences/loginwindow.plist
- The current "proper" way to start stuff is the
ls -asl ~/Library/LaunchAgents/
folder.
- ALWAYS start your Mac in VERBOSE MODE,
so you can see what it is doing behind the splash screen.
sudo /usr/sbin/nvram boot-args="-v"
- REDUCE the amount of stuff you need to analyze by doing a SAFE BOOT.
Hold down the SHIFT key after the boot tone, or mod your NVRAM by
sudo /usr/sbin/nvram boot-args="-x"
then reboot. (Both flags can go in the same boot-args value, and setting boot-args back to an empty string undoes it.)
Now login via the >console trick: type >console as the user name at the login window to get a text-mode console login instead of the Finder.
- When was the last time you investigated what was in your TMPDIR,
/private/var/folders/
folders?
Especially the "-Caches-" directory ... Many things "hide" here you know...
cd $TMPDIR/../../
to find out more.
Or better yet, use lynx to poke around a lot faster!
/opt/local/bin/lynx $TMPDIR
- Is cron doing something you do not know about?
root:
sudo crontab -l -u root
Yourself:
sudo crontab -l -u $USER
... now do this for ALL your user accounts! (The per-user crontab files live in /usr/lib/cron/tabs/, so a sudo ls of that directory tells you which accounts have one; the scripts under /etc/periodic/ run on a schedule too.)
MANDATORY TOOLS:
- Ports Collection: how to install and use the MacPorts Collection.
- Lynx, via the MacPorts Collection. May be the MOST important tool of all!
- WaterRoof http://www.hanynet.com/
- Little Snitch http://www.obdev.at/
- Diablotin http://s.sudre.free.fr/
- Leopard Cache Cleaner http://www.northernsoftworks.com/ Has BOTH a Virus and rOOt Kit checker!
- Transmit http://www.panic.com/ Best darn file transfer program out there!
All three below are from Peter Borg. http://homepage.mac.com/pgw3/ Now available at SourceForge.
- Lingon http://sourceforge.net/projects/lingon/files/
- Smultron http://sourceforge.net/projects/smultron/files/
- Hallon http://sourceforge.net/projects/hallon/files/
RECOMMENDED TOOLS:
- iTerm http://iterm.sourceforge.net/
- RCDefaultApp http://www.rubicode.com/Software/ Fix broken MIME types.
- AppCleaner http://www.freemacsoft.net/ Better than AppZapper, free too.
- AppZapper http://www.appzapper.com/
- Preferential Treatment http://www.jonn8.com/
- tcpflow, via the MacPorts Collection.
- nmap, via the MacPorts Collection.
- TinkerTool System http://www.bresink.de/ Kick ass NFS tools too!!!
- GeekTool http://projects.tynsoe.org/
- Mac Pilot http://www.koingosw.com/ Nice WiFi AirRadar tool.
- Cocktail http://www.maintain.se/ Nice maintenance tool like LCC.
- OnyX http://www.titanium.free.fr/ Nice maintenance tool like LCC.
- Pacifist http://www.charlessoft.com/
- Visage http://keakaj.com/
- Postfix Enabler http://www.cutedgesystems.com/
- HenWen http://seiryu.home.comcast.net/
- ntop, via the MacPorts Collection.
- Carbon Copy Cloner http://www.bombich.com/
- AppleJack http://applejack.sourceforge.net/
- Printer Setup Repair http://www.fixamacsoftware.com/ Fix CUPS and free up a few gigs of space too.
- MPEG Streamclip http://www.squared5.com/ Will need the MPEG-2 codec from Apple.
- minicom, via the MacPorts Collection. Terminal supports /dev/cu.Bluetooth-Modem and the KeySpan USB Adapter.
- Monolingual http://monolingual.sourceforge.net/ Delocalizer like Leopard Cache Cleaner above.
- Gutenprint http://gimp-print.sourceforge.net/
- Flip4Mac http://www.telestream.net/ Play Windows .WMV media files using QuickTime.
- NTFS http://www.paragon-software.com/ Read and write NTFS partitions.
- OpenOffice http://www.openoffice.org/ Better than MS Office, and FREE too!
- RipIt http://ripitapp.com/ Need I say more?
- Touch Copy http://www.wideanglesoftware.com/ Best backup and RECOVER program for your iPhone or iPod.
- File Juicer http://echoone.com/filejuicer/ Extract images from PDF, PPT and flash cards.
- Better Zip http://macitbetter.com/ Password protect zips, and a LOT more!
- Check for pending files here too,
ls /Library/Updates/
- For detailed information see, Mac OS X Internals: A Systems Approach, by Amit Singh.
- And to get even more confused, see the Apple developer website.
- The very nice FREE app called "iStat Server" has a hidden process that "phones home" every time we boot.
- And yes, it is started via
/Library/LaunchDaemons/com.bjango.istatserver.plist
- So let's do,
strings "/Library/Application Support/iStat Server/iStatServer" | grep Updater
and see what we find...
sudo /usr/libexec/StartupItemContext /usr/bin/open -a /Library/Application\ Support/iStat\ Server/iStat\ Server\ Updater.app/Contents/Resources/UpdateChecker.app
/usr/bin/open -a /Library/Application\ Support/iStat\ Server/iStat\ Server\ Updater.app/Contents/Resources/UpdateChecker.app
- Some may call this "UpdateChecker.app" Spyware....
Let's investigate "UpdateChecker" some more...
- Do a strings, and see what we can find...
connectionWithRegisteredName:host
http://bjango.com/istat/version.php
/Library/Application Support/iStat Server/iStat Server Updater.app
Bottom line? Yup, it's Spyware...
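The `strings | grep` step above as a small script, added here as an example (not code from the page). It pulls printable ASCII runs out of a binary the way strings(1) does (default minimum of 4 characters), then lists every embedded http(s) URL plus any string mentioning update-related keywords, which is what turned up the bjango.com version check. The byte blob is a constructed stand-in for the iStatServer binary, not the real file, and the keyword list is an assumption.

```python
"""A minimal strings(1) plus URL grep for spotting phone-home endpoints in a binary."""
import re

MIN_LEN = 4                                        # strings(1) default
URL = re.compile(r"https?://[^\s\"'<>]+")


def strings(data, min_len=MIN_LEN):
    """Printable ASCII runs of at least min_len bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def phone_home_candidates(data, keywords=("Updater", "UpdateChecker", "version")):
    """Return (urls, keyword_hits).

    urls: every http(s) URL embedded in the binary, de-duplicated and sorted.
    keyword_hits: strings mentioning any keyword (case-insensitive), as leads
    for what the URL is used for.
    """
    found = strings(data)
    urls = sorted({u.rstrip(".,)") for s in found for u in URL.findall(s)})
    hits = [s for s in found if any(k.lower() in s.lower() for k in keywords)]
    return urls, hits


def scan_file(path):
    """Run the check on a real binary on disk."""
    with open(path, "rb") as fh:
        return phone_home_candidates(fh.read())


# Constructed stand-in for a Mach-O binary (NOT the real iStatServer): a header-ish
# prefix, some junk, and a few strings including the version-check URL seen above.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 16
    + b"connectionWithRegisteredName:host\x00"
    + b"\x01\x02ab\x03"                                # too short to count
    + b"http://bjango.com/istat/version.php\x00"
    + b"/Library/Application Support/iStat Server/iStat Server Updater.app\x00"
    + b"UpdateChecker.app\x00\xff\xfe"
)


if __name__ == "__main__":
    urls, hits = phone_home_candidates(SAMPLE_BINARY)
    print("URLs:", urls)
    for s in hits:
        print("lead:", s)
```

A URL in a binary is only a lead, not proof that it is contacted; confirm with Little Snitch or `sudo fs_usage`/tcpflow while the updater runs, as the page does for iStat Server.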