After finding viruses on my Android phone I'm attempting to secure everything. I believe my Mac is infected at the recovery partition and reinstalling does no good. I need help going through some Wireshark data and also the results of the arp -a and ifconfig.
Johns-MacBook-Pro:~ john$ arp -a
? (192.168.0.1) at 78:71:9c:fa:93:87 on en1 ifscope [ethernet]
? (192.168.0.5) at 80:7d:3a:62:5a:2c on en1 ifscope [ethernet]
? (192.168.0.6) at 5c:f7:e6:5c:de:0 on en1 ifscope [ethernet]
? (192.168.0.8) at 78:4f:43:2e:a2:9a on en1 ifscope [ethernet]
? (192.168.0.9) at 20:32:33:22:f4:98 on en1 ifscope [ethernet]
? (192.168.0.10) at 58:b3:fc:cb:c3:d7 on en1 ifscope [ethernet]
? (192.168.0.11) at 38:30:f9:5b:d1:9e on en1 ifscope [ethernet]
? (192.168.0.12) at 80:7d:3a:62:55:e3 on en1 ifscope [ethernet]
? (192.168.0.13) at 7c:d1:c3:8f:86:22 on en1 ifscope permanent [ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en1 ifscope permanent [ethernet]
Johns-MacBook-Pro:~ john$
Johns-MacBook-Pro:~ john$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
EHC26: flags=0<> mtu 0
EHC29: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
ether 40:6c:8f:4e:be:44
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (none)
status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 7c:d1:c3:8f:86:22
inet6 fe80::14c6:ee16:6def:6b9%en1 prefixlen 64 secured scopeid 0x8
inet6 2607:fcc8:8c40:bd00:43a:f381:cd90:9ed5 prefixlen 64 autoconf secured
inet6 2607:fcc8:8c40:bd00:407f:1588:1a79:ff33 prefixlen 64 autoconf temporary
inet 192.168.0.13 netmask 0xffffff00 broadcast 192.168.0.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 0e:d1:c3:8f:86:22
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether 66:6e:4e:8b:b0:fa
inet6 fe80::646e:4eff:fe8b:b0fa%awdl0 prefixlen 64 scopeid 0xa
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
lladdr 00:3e:e1:ff:fe:28:6e:00
nd6 options=201<PERFORMNUD,DAD>
media: autoselect <full-duplex>
status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether d2:00:12:86:e0:00
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether d2:00:12:86:e0:00
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en2 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 12 priority 0 path cost 0
nd6 options=201<PERFORMNUD,DAD>
media: <unknown type>
status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::ffc7:d3f6:cf5c:281c%utun0 prefixlen 64 scopeid 0xe
nd6 options=201<PERFORMNUD,DAD>
Johns-MacBook-Pro:~ john$
Please let me know if any of the results I have posted are out of the ordinary and what else I can do. I'm pretty sure they can see everything I type and changing my Wi-Fi security is pointless. The Android phone was infected with trojan.lezok.as and I have not yet been able to remove it; it just comes back after a hard reset. I'm using a MacBook Pro Mid 2012 running Mojave 10.14.6. Malwarebytes scan shows clean on the laptop, so I think the intrusion is network-based and on the phone.
Best Answer
The results of
arp -a
just show the other devices connected on your LAN's 192.168.1.x subnet. 1 is likely to be your router and 255 the broadcast address. 13 is your Mac. There seem to be 7 other devices connected to it. You can always set a whitelist of devices in your router's web control panel.
224.0.0.251 is a multicast mDNS address.
The results of
ifconfig
are, unsurprisingly, just configuration settings for your network interfaces. If Malwarebytes finds nothing, then in the absence of any other evidence or data, I would be quietly confident that there was no infection. If your Android phone was infected, it is almost impossible that the same malware would work on a Mac.
The best thing you can do is check in System Prefs > Network that your DNS settings point to known, good servers. I recommend 1.1.1.1.
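As an added example (not part of the question or the answer), a small Python script that parses a macOS `arp -a` table in the format posted above into the categories the answer describes (router, broadcast, multicast, your own Mac, other hosts) and flags the one thing worth checking in such a table: a unicast MAC that shows up under more than one IP, which is how a spoofed gateway entry on the LAN would appear. The gateway address, the Mac's own MAC (taken from the en1 line of ifconfig) and the five-line sample table are constructed inputs, not data from the page beyond its format.

```python
import re
from collections import defaultdict

# Constructed sample in the macOS `arp -a` format shown in the question.
SAMPLE_ARP = """\
? (192.168.0.1) at 78:71:9c:fa:93:87 on en1 ifscope [ethernet]
? (192.168.0.5) at 80:7d:3a:62:5a:2c on en1 ifscope [ethernet]
? (192.168.0.13) at 7c:d1:c3:8f:86:22 on en1 ifscope permanent [ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en1 ifscope permanent [ethernet]
"""

ARP_RE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]+|\(incomplete\)) on \S+(?P<rest>.*)$")

def normalize_mac(mac):
    """macOS prints MACs without zero padding (1:0:5e:0:0:fb); pad each octet."""
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))

def parse_arp(text):
    """Parse `arp -a` lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            mac = m.group("mac")
            entries.append({"ip": m.group("ip"),
                            "mac": None if mac == "(incomplete)" else normalize_mac(mac),
                            "permanent": "permanent" in m.group("rest")})
    return entries

def classify(entry, gateway_ip, own_mac):
    """Label an entry the way the answer reads the table."""
    if entry["mac"] == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if 224 <= int(entry["ip"].split(".")[0]) <= 239:
        return "multicast"
    if entry["mac"] == normalize_mac(own_mac):
        return "self"
    return "gateway" if entry["ip"] == gateway_ip else "host"

def find_duplicate_macs(entries, gateway_ip, own_mac):
    """Return {mac: [ips]} for unicast MACs claimed by more than one IP.
    A second IP answering with the router's MAC is the classic ARP-spoof sign;
    compare against the device list in the router's admin page before acting."""
    by_mac = defaultdict(list)
    for e in entries:
        if e["mac"] and classify(e, gateway_ip, own_mac) in ("gateway", "host", "self"):
            by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
```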