macOS – Are these results of arp and ifconfig normal?

macos network security virus wifi

After finding viruses on my Android phone, I'm attempting to secure everything. I believe my Mac is infected at the recovery partition and reinstalling does no good. I need help going through some Wireshark data and also the results of arp -a and ifconfig.

Johns-MacBook-Pro:~ john$ arp -a
? (192.168.0.1) at 78:71:9c:fa:93:87 on en1 ifscope [ethernet]
? (192.168.0.5) at 80:7d:3a:62:5a:2c on en1 ifscope [ethernet]
? (192.168.0.6) at 5c:f7:e6:5c:de:0 on en1 ifscope [ethernet]
? (192.168.0.8) at 78:4f:43:2e:a2:9a on en1 ifscope [ethernet]
? (192.168.0.9) at 20:32:33:22:f4:98 on en1 ifscope [ethernet]
? (192.168.0.10) at 58:b3:fc:cb:c3:d7 on en1 ifscope [ethernet]
? (192.168.0.11) at 38:30:f9:5b:d1:9e on en1 ifscope [ethernet]
? (192.168.0.12) at 80:7d:3a:62:55:e3 on en1 ifscope [ethernet]
? (192.168.0.13) at 7c:d1:c3:8f:86:22 on en1 ifscope permanent [ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en1 ifscope permanent [ethernet]
Johns-MacBook-Pro:~ john$ 
Johns-MacBook-Pro:~ john$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
EHC26: flags=0<> mtu 0
EHC29: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
    ether 40:6c:8f:4e:be:44 
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect (none)
    status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 7c:d1:c3:8f:86:22 
    inet6 fe80::14c6:ee16:6def:6b9%en1 prefixlen 64 secured scopeid 0x8 
    inet6 2607:fcc8:8c40:bd00:43a:f381:cd90:9ed5 prefixlen 64 autoconf secured 
    inet6 2607:fcc8:8c40:bd00:407f:1588:1a79:ff33 prefixlen 64 autoconf temporary 
    inet 192.168.0.13 netmask 0xffffff00 broadcast 192.168.0.255
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
    ether 0e:d1:c3:8f:86:22 
    media: autoselect
    status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
    ether 66:6e:4e:8b:b0:fa 
    inet6 fe80::646e:4eff:fe8b:b0fa%awdl0 prefixlen 64 scopeid 0xa 
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
    lladdr 00:3e:e1:ff:fe:28:6e:00 
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect <full-duplex>
    status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=60<TSO4,TSO6>
    ether d2:00:12:86:e0:00 
    media: autoselect <full-duplex>
    status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=63<RXCSUM,TXCSUM,TSO4,TSO6>
    ether d2:00:12:86:e0:00 
    Configuration:
        id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        ipfilter disabled flags 0x2
    member: en2 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 12 priority 0 path cost 0
    nd6 options=201<PERFORMNUD,DAD>
    media: <unknown type>
    status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
    inet6 fe80::ffc7:d3f6:cf5c:281c%utun0 prefixlen 64 scopeid 0xe 
    nd6 options=201<PERFORMNUD,DAD>
Johns-MacBook-Pro:~ john$ 

Please let me know if any of the results I have posted are out of the ordinary and what else I can do. I'm pretty sure they can see everything I type and changing my Wi-Fi security is pointless. The Android phone was infected with trojan.lezok.as; I have not yet been able to remove it, and it just comes back after a hard reset. I'm using a MacBook Pro Mid 2012 running Mojave 10.14.6. A Malwarebytes scan shows clean on the laptop, so I think the intrusion is network-based and phone.

Best Answer

The results of arp -a just show the other devices connected on your LAN's 192.168.1.x subnet.
1 is likely to be your router and 255 the broadcast address. 13 is your Mac. There seem to be 7 other devices connected to it. You can always set a whitelist of devices in your router's web control panel.

224.0.0.251 is a multicast mDNS address.

The results of ipconfig are, unsurprisingly, just configuration settings for your network interfaces.

If Malwarebytes finds nothing, then in the absence of any other evidence or data, I would be quietly confident that there was no infection. If your Android phone was infected, it is almost impossible that the same malware would work on a Mac.

The best thing you can do is check in System Prefs > Network that your DNS settings point to known, good servers. I recommend 1.1.1.1.
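
To make the reading of the `arp -a` table above repeatable, here is an added example (not part of the original question or answer) that parses macOS-format output, pads the MAC octets macOS prints without leading zeros, labels each entry, and reports any MAC that answers for more than one unicast IP. The function names are hypothetical, and the sample lines are copied from the question's output.

```python
import re
from collections import defaultdict

# Sample lines copied from the `arp -a` output in the question (macOS format).
SAMPLE = """\
? (192.168.0.1) at 78:71:9c:fa:93:87 on en1 ifscope [ethernet]
? (192.168.0.6) at 5c:f7:e6:5c:de:0 on en1 ifscope [ethernet]
? (192.168.0.13) at 7c:d1:c3:8f:86:22 on en1 ifscope permanent [ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en1 ifscope permanent [ethernet]
"""

LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+) on (?P<ifc>\S+)(?P<rest>.*)")

def norm_mac(mac):
    """macOS drops leading zeros in each octet (5c:...:de:0); pad them back."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp(text):
    """Return one dict per resolved entry; prompts and '(incomplete)' rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        mac = norm_mac(m["mac"])
        if mac == "ff:ff:ff:ff:ff:ff":
            kind = "broadcast"
        elif int(mac[:2], 16) & 1:
            kind = "multicast"   # group bit set, e.g. 01:00:5e:... for IPv4 multicast
        elif "permanent" in m["rest"]:
            kind = "permanent"   # this machine's own address, or a static entry
        else:
            kind = "host"        # learned dynamically from another device
        entries.append({"ip": m["ip"], "mac": mac, "if": m["ifc"], "kind": kind})
    return entries

def shared_macs(entries):
    """MACs that answer for several unicast IPs. ARP spoofing produces this
    pattern, but so do routers or hosts with multiple addresses, so treat a
    hit as something to check against the router's client list."""
    by_mac = defaultdict(set)
    for e in entries:
        if e["kind"] == "host":
            by_mac[e["mac"]].add(e["ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    table = parse_arp(SAMPLE)
    for e in table:
        print(f'{e["ip"]:<16}{e["mac"]:<19}{e["kind"]}')
    print("shared MACs:", shared_macs(table))
```

On the lines from the question, no MAC is shared between unicast addresses, which is consistent with the answer's reading of the table as an ordinary list of LAN devices.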