
stanleywxc

macrumors newbie
Original poster
Nov 10, 2016
3
0
I found some really suspicious traffic on my Mac: the process 'com.apple.photomoments' is sending strange traffic to a very suspicious server:

com.apple 379 4u IPv4 0x52332f3f383fb82d 0t0 TCP 10.10.1.100:49170->72.191.188.61.broad.nc.sc.dynamic.163data.com.cn:http (ESTABLISHED)
com.apple 379 6u IPv4 0x52332f3f383fb82d 0t0 TCP 10.10.1.100:49170->72.191.188.61.broad.nc.sc.dynamic.163data.com.cn:http (ESTABLISHED)

Then I found out it is the 'com.apple.photomoments' process:

sh-3.2# ps -Al | grep 379
501 379 1 4004 0 4 0 2486088 17912 - Ss 0 ?? 0:00.17 /System/Library/PrivateFrameworks/PhotoLibraryPrivate.framework/Versions/A/Frameworks/PhotoLibraryServices.framework/Versions/A/XPCServices/com.apple.photomoments.xpc/Contents/MacOS/com.apple.photomoments

Does anyone know about this 'com.apple.photomoments' process? Why does it send internet traffic if it is photo related? And why does it send the traffic to this very suspicious server? I found out that the server is located in a China Telecom ISP datacenter. I suspect the Chinese government somehow hijacked the DNS query or tampered with the DNS server, or my Mac was simply hacked by Chinese government hackers?

Anyone? Please help!
 

JohnDS

macrumors 65816
Oct 25, 2015
1,183
249
I suspect that com.apple.photomoments has to do with iCloud photo syncing. Do you have that turned on?

If you think your DNS is being hijacked, the first thing to do is to check the DNS server shown in your Network prefs panel. If these are not your ISP's DNS servers, or public ones like DYNDNS or Google, you may have a trojan.

Try downloading and running the free MalwareBytes for Mac: https://www.malwarebytes.com/antimalware/mac/

You could also download and run the free Avast antivirus software https://www.avast.com/en-ca/free-mac-security , but I would be inclined to uninstall it after running a full scan as I find it a bit obtrusive.
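The DNS check suggested above, scripted: an added example (not code from the thread) that flags any configured resolver not on an allowlist of expected resolvers. On a real Mac the resolver list would come from `scutil --dns`; here a constructed scutil-style fragment is parsed instead so it runs offline, and the allowlist (Google and Cloudflare public DNS) is an assumption you should replace with your own ISP's resolvers.

```shell
#!/bin/sh
# Flag DNS resolvers that are not on the list you expect.
# On macOS, feed real data with:
#   scutil --dns | extract_nameservers | unexpected_resolvers

# Assumed allowlist (replace with your ISP's resolvers or the public ones you use).
EXPECTED_DNS="8.8.8.8 8.8.4.4 1.1.1.1"

# Constructed sample of `scutil --dns` output; 192.0.2.53 is a documentation
# address standing in for an unknown resolver, not a real indicator.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 8.8.8.8
  nameserver[1] : 192.0.2.53
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
'

# extract_nameservers: print unique resolver IPs from scutil --dns text on stdin
extract_nameservers() {
    awk '/nameserver\[[0-9]+\]/ {print $3}' | sort -u
}

# unexpected_resolvers: echo each resolver (one per line on stdin) not in EXPECTED_DNS
unexpected_resolvers() {
    while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        found=0
        for ok in $EXPECTED_DNS; do
            [ "$ip" = "$ok" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && echo "$ip"
    done
}

# check_sample: run the check over the constructed sample.
# Returns 1 (and names the resolvers) if any unexpected resolver is configured.
check_sample() {
    bad=$(printf '%s' "$SAMPLE_SCUTIL" | extract_nameservers | unexpected_resolvers)
    if [ -n "$bad" ]; then
        echo "Unexpected DNS resolver(s): $bad"
        return 1
    fi
    echo "All configured resolvers are expected."
    return 0
}
```

An unexpected resolver is a reason to look further (check the Network prefs panel, your router, and any configuration profiles), not proof of a trojan by itself.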
 

stanleywxc

macrumors newbie
Original poster
Nov 10, 2016
3
0
I am using a Chinese ISP. The problem is the Chinese government tampering with the DNS server via a MITM DNS attack, which hijacks the connection to Chinese servers instead of Apple's servers. My question is, if it is iCloud photo syncing, why is it sending traffic to that server? That server is an actual Chinese government server (72.191.188.61.broad.nc.sc.dynamic.163data.com.cn) inside a Chinese ISP. I am sure Apple would not set up a server like that. Does anyone know which server or servers iCloud photo sharing sends traffic to?
 

JohnDS

macrumors 65816
Oct 25, 2015
1,183
249
China Telecom: http://tools.tracemyip.org/lookup/61.188.191.72 See the line for the reverse DNS pointer.

According to this: http://www.cultofmac.com/291620/apple-moves-chinese-icloud-state-controlled-servers/

"Apple is now using China Telecom's servers instead of its own to power iCloud for Chinese customers. The switch took place on August 8th [2014], and now the carrier is Apple's only cloud service provider in China."

So it would appear that iCloud photo sharing is correctly using a Chinese server.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
Apple uses Chinese data centres to store data of users located in that country. Many big companies do this. It is simply more efficient (faster network requests) and it appeases the Chinese Government. Use a VPN if you want to avoid this.
 

stanleywxc

macrumors newbie
Original poster
Nov 10, 2016
3
0
Yup, it is really dangerous to sync my photos to a server under Chinese government control. I will never know if my photos or documents are being stolen or hacked. Even if Apple has encrypted the content, the Chinese government may have the means to crack the encryption; you never know. I have stopped using iCloud sync while in China.

 