
xx4lkq

macrumors newbie
Original poster
Feb 15, 2025
Hi there,

I have been under persistent targeted cyber attack from a person I know in real life for over 2 years. These days, I discovered a very suspicious / persistent file in usr/bin/power_report.sh on all my Mac devices. Although it looks like a system file, it is really suspicious due to the following reasons:

1. It is not signed.
2. Returns after deletion in safe mode, recovery mode, with sudo permission.
3. Returns immediately after I conducted a full disk formatting and reinstall from internet - without any backup, not from Time Machine, no backup from iCloud, set as new.
4. Not present in the system snapshot.
5. Not found in the data volume.
6. Has restricted compressed flags despite being unsigned.
7. I reinstalled the Mac today (Feb 15, 2025), but the file states it was created on Feb 25, 2025 (10 days in the future).
8. Not tracked by package management (pkgutil shows "vacant").
9. Cannot be modified even with root privileges.
10. Collects extensive system performance data using multiple tools:
    - powermetrics
    - timer_analyser.d
    - cpu_profiler.d
    - iosnoop
    - execsnoop

Can anyone please advise what I should do about it? I've already conducted a full-disk format and internet recovery without backing up any data tens of times so far. I am really tired of being continuously monitored and hacked, and of continuing to reinstall my devices while still being hacked...

Thank you so much! Appreciate any help!
 
I also have /usr/bin/power_report.sh. It's a regular system file. I'm pretty sure you are under no kind of "cyber attack" from a person you know - and if you were, that's a legitimate reason to report them to the police.

I think the person is just harassing you (which depending on the country may be illegal in itself, but I'm not a lawyer) or making fun of you making you believe they are cyber attacking you. There's no easy way to perform a cyber attack on modern Macs or iPhones for someone who isn't some government agency.

But I can assure you that power_report.sh is completely normal. Don't waste time analyzing stuff that isn't an issue.
 
Hi ManuCH,

Thank you for your reply. I am 100% being attacked, as there are a lot of signs that I am - e.g. someone started to work on the same Google document as I do, some email was sent from my Gmail without me knowing it, I was unexpectedly logged out of Google for a period of time with all recovery methods failing, etc.

With that said, I don't know if this file is related to all the events above though. The system file having all those weird properties caught my attention. I just wonder if there is any legitimate reason for that file to be there.
 
Also, that person is a government agent.
 
It's one of many Apple system files and used for diagnostic purposes. You don't need to worry about it as all macOS systems have it.

If someone is accessing your Google documents or sending emails from your Gmail, someone accessed your Google account. Not a smart hacker, probably it was some password leak and you were not careful. Change your password, enable 2FA. Also change your iCloud password and enable 2FA there too.

Even if that person works for the government they can't just hack you. That's not how it works and nothing a single person can do, unless you use very easy to guess passwords and never change them.
 
Must be very stressful living through this. Use passkeys wherever available with 2FA to an authenticator app, or better yet a YubiKey or similar. Google, Apple, Microsoft have options to lock down accounts further if needed. I know some who had to change out all their equipment, close all accounts and start over. Get professional help in dealing with this.
 
Thank you for your kind reply.

The initial hack could be due to a password leak. As things progressed, I enabled 2FA, and I update my passwords regularly and pay close attention to who has an active session on my Gmail and iCloud, making sure there is only 1 active session. But it just happened last week: right after I reinstalled the system and changed the passwords of Google, iCloud etc., I noticed being monitored on my device. As I text someone with iMessage, I receive a robot call about the text message content... and then my Gmail font starts to look strange, and I found a new launchdaemon file that doesn't belong there... Things like this... ongoing forever...
 
Thank you for your kind reply Burgman. At this point, I no longer back up anything on the cloud. I am in the process of changing equipment one by one, and every time I reinstall or get a new device, I start fresh with Google, iCloud. But it seems like they are still able to "play" with me somehow, including seeing my text messages, tampering with my Gmail font, putting strange launch daemon files on my computer or so... I am suspicious about the phone number. I've already got a new phone with a physical SIM card. Hopefully that won't be found.

They know everything about me, as they have been stalking me for many many years (someone from a past relationship)....
 
The thing is, you don't need to "change equipment one by one" and you don't need to start fresh with Google and iCloud. If you do things correctly, there is virtually no chance that anyone can hack you, but you must be careful with how you handle your credentials. Even if someone has been stalking you for years, their will isn't enough to magically bypass all the security put in place by Apple and Google. No way.

It's a bit hard to give you a cyber security lesson over these forums, but you need to be rational and distinguish things that are actually an issue from those you think might be but really are not. For example you mention "a launch daemon that doesn't belong there": that's not something anyone can do without physical access to your computer and your administrator password. It's likely something innocuous (feel free to post it here so we can look at it).

Things that do make sense:
  • change all passwords to strong ones
  • do not write down your passwords in places that could be accessed by others (for example, if you think you may have a compromised iCloud for any reason, do not write the password of the new one in shared notes)
  • enable 2FA everywhere using an authenticator app
  • use PassKeys where available

Things that do not make sense (under a regular security risk profile):
  • replace all your devices
  • create new fresh accounts for everything

These are not necessary as your existing accounts and devices can be secured fairly easily. But you need to take some time to learn and understand what is a true risk and what is a purely theoretical/imagined risk. You could also hire someone to have a look at your setup, so they can check and secure everything, and explain those concepts to you to make you feel safer.
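
An added example, not part of any post in this thread: a small triage helper for the two items discussed above, the file under /usr/bin and the launch daemon the reply offers to look at. It assumes the directory list Apple documents for System Integrity Protection (/System, /usr except /usr/local, /bin, /sbin); the sample plist and every name in it are constructed.

```python
import plistlib

# Locations Apple documents as covered by System Integrity Protection.
# /usr/local is the documented exception that stays writable.
SIP_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")
SIP_EXCEPTIONS = ("/usr/local/",)

# Constructed sample of a third-party job, as it might sit in /Library/LaunchDaemons.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Library/Application Support/Example/updater</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def sip_protected(path):
    """True if SIP keeps this path read-only, even for root."""
    if path.startswith(SIP_EXCEPTIONS):
        return False
    return path.startswith(SIP_PREFIXES)


def summarize_job(plist_bytes):
    """Reduce a launchd job definition to the fields a reviewer needs."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    # launchd runs Program if present, otherwise the first ProgramArguments entry.
    program = job.get("Program") or (args[0] if args else None)
    return {
        "label": job.get("Label"),  # free text, proves nothing about origin
        "program": program,
        "arguments": args,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),
        "program_sip_protected": bool(program) and sip_protected(program),
    }


if __name__ == "__main__":
    print(sip_protected("/usr/bin/power_report.sh"))
    for key, value in summarize_job(SAMPLE_PLIST).items():
        print(f"{key}: {value}")
```

A path that `sip_protected` accepts is one that root cannot modify while SIP is on; a job whose program lies outside those paths is third-party software and is the part worth posting for a second opinion.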
 