
Krevnik
This is "their" drive, no matter what I do. DFU firmware flash, you name it, this drive will stay, and it will not go away.

(screenshot attached)

I have managed before to get disk3 almost entirely deleted, but the snapshot will never go away, no matter what I do.
Seems to me like there is a launch agent inside of com.apple.recoveryosd that recreates it.

As soon as /dev/disk3 is deleted, all of the files they need to "persist" go directly into disk0, and stay there until the operating system is reinstalled.

So, this is where it becomes more clear that a non-trivial part of this is actually a giant mis-understanding of how modern Macs work. In short, nothing I see here is particularly concerning.

/dev/disk3 is not a physical disk here, it's a logical disk. What follows is at least as much for other readers as it is for the OP, and you can get a more complete picture of what's going on at Eclectic Light's article on the subject, along with their other articles on how Apple has been evolving the filesystem over the last decade:

The only physical disk here is disk0. Inside it are three partitions:

- The ISC container, which contains pre-boot data. Prior to Apple Silicon, much of this would live in firmware. But with Apple Silicon, this contains a couple of different bits of software used to boot the system, as well as the secure storage that the Secure Enclave uses.
- The Recovery container, which contains the macOS recovery tools. Unlike Intel systems, this is a stand-alone recovery system that is not coupled to the OS version.
- The APFS container, which is the actual system + user data. This container is disk3, and is where everything the user interacts with lives.

The APFS container for a boot volume holds multiple APFS volumes. These are not partitions in the classic sense, as each volume shares the same pool. So a container is the partition on the physical drive, and volumes are ways to organize things within the container.

When macOS boots, it boots a sealed snapshot of the OS volume (Macintosh HD in this case). This snapshot cannot be altered without breaking the seal (in principle at least), which will cause iBoot to halt the boot process. Because this snapshot is sealed and read-only, you need a R/W data volume to hold the user's actual data. This is the Data volume in the screenshot above. So really, when you boot an Arm Mac, you are booting the snapshot + an overlay of your Data volume.

But what about Preboot, Recovery, and VM? Recovery contains the 'paired recoveryOS' for that version of macOS that is installed. You'll get multiples of these if you install multiple OSes (say you created a new volume for Sonoma betas while still running macOS 13 as your primary system), and it allows some of the more complex security options ARM Macs allow, where you can set certain Startup Security settings per OS install. A neat trick, but it takes some duplicating of data. Preboot contains some additional bits of boot data that are held outside the sealed OS volume; with Ventura it contains extra data to enable things like Rapid Security Responses. VM holds virtual memory caches.

Disk Utility intentionally protects these extra volumes, as someone messing with them will cause problems. So it will seem a little unusual to run across them in the terminal when the GUI only shows the OS and Data volumes.

Do you guys constantly have a website that is open, even if you are offline and type localhost into your browser that says this? Is this a feature that mac has built in?

macOS does include Apache, and it can be turned on. The default webpage will show "It works!", and the file in question lives at /Library/WebServer/Documents/index.html.en. Can't say why Apache got enabled on your specific machine though. If you did some digging around '/private/etc/apache2/', you might be able to get more details on what virtual hosts have been created, or understand who enabled it. Stuff like Xcode Server will turn it on, for example.

nothing wrong with this:

Yeah, it's kind of unfortunate just how many interfaces get configured these days, even if they are all inactive 99% of the time and only a couple are in use at a time.
 
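The two checks a reader in the OP's position would actually want to run, as an added example (this is not code from the thread or from Apple): classify whether the volume mounted at / is the sealed system snapshot described above, and gather hints about why the built-in Apache is running. The field labels "APFS Snapshot:" and "Sealed:" are the ones `diskutil info /` prints on Big Sur and later, and the sample dumps below are constructed, not captured from a real machine; confirm the labels against your own output, since the parser keys on them exactly. The Apache part only runs on macOS and uses the paths Krevnik names plus `launchctl print`, `lsof` and file mtimes.

```shell
#!/bin/bash
# Added example, not from the thread. Two triage checks for the situation above:
# (1) is / the sealed APFS system snapshot an Apple Silicon Mac is expected to boot?
# (2) is org.apache.httpd loaded, and which of its config files changed last?
# Assumption: `diskutil info /` prints "APFS Snapshot:" and "Sealed:" lines.
set -u

# Classify a `diskutil info /` dump read from stdin.
# Prints exactly one of: sealed-snapshot | unsealed-snapshot | not-snapshot | unknown
seal_status() {
    awk -F':' '
        function val(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*APFS Snapshot:/ { snap   = val($2) }
        /^[ \t]*Sealed:/        { sealed = val($2) }
        END {
            if (snap == "" && sealed == "") { print "unknown" }
            else if (snap != "Yes")         { print "not-snapshot" }
            else if (sealed == "Yes")       { print "sealed-snapshot" }
            else                            { print "unsealed-snapshot" }
        }'
}

# Constructed sample output (not from a real machine), abbreviated to the fields
# that matter and laid out like `diskutil info /` on an Apple Silicon Mac.
SAMPLE_SEALED='   Device Identifier:         disk3s1s1
   Device Node:               /dev/disk3s1s1
   Volume Name:               Macintosh HD
   Mount Point:               /
   File System Personality:   APFS
   APFS Snapshot:             Yes
   APFS Snapshot Name:        com.apple.os.update-0000000000000000
   Sealed:                    Yes'

# Constructed: same layout, but the seal is reported as broken.
SAMPLE_BROKEN='   Device Identifier:         disk3s1s1
   Mount Point:               /
   APFS Snapshot:             Yes
   Sealed:                    Broken'

# Constructed: an ordinary R/W volume such as Data is not a snapshot at all.
SAMPLE_DATA='   Device Identifier:         disk3s5
   Volume Name:               Data
   Mount Point:               /System/Volumes/Data
   Sealed:                    No'

# macOS only: is the bundled Apache loaded, what is listening on :80, what does
# httpd.conf pull in, and which config files were modified most recently. The
# mtimes do not say who enabled it, but they bound when it happened.
apache_hints() {
    launchctl print system/org.apache.httpd 2>/dev/null | grep -E 'state =|path =' \
        || echo "org.apache.httpd: not loaded in the system domain"
    lsof -nP -iTCP:80 -sTCP:LISTEN 2>/dev/null
    grep -nE '^[[:space:]]*Include' /private/etc/apache2/httpd.conf 2>/dev/null
    ls -lt /private/etc/apache2/*.conf /private/etc/apache2/other/*.conf 2>/dev/null | head -n 10
}

main() {
    if [ "$(uname -s)" = Darwin ]; then
        printf 'root volume: %s\n' "$(diskutil info / | seal_status)"
        csrutil authenticated-root status 2>/dev/null
        apache_hints
    else
        # Off a Mac, exercise the classifier on the constructed samples only.
        printf 'SAMPLE_SEALED -> %s\n' "$(printf '%s\n' "$SAMPLE_SEALED" | seal_status)"
        printf 'SAMPLE_BROKEN -> %s\n' "$(printf '%s\n' "$SAMPLE_BROKEN" | seal_status)"
        printf 'SAMPLE_DATA   -> %s\n' "$(printf '%s\n' "$SAMPLE_DATA" | seal_status)"
    fi
}
main "$@"
```

If `seal_status` reports anything other than sealed-snapshot on a running Mac, the next step is `csrutil authenticated-root status` from recoveryOS, not deleting volumes: a broken seal is what iBoot is supposed to refuse to boot, so seeing the snapshot and its sibling volumes at all is the normal, healthy state the post describes.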

laptech
Reading the OP's post, not even the WannaCry ransomware worm that caused millions to billions of dollars of damage around the world was as sophisticated as what is allegedly happening to the OP. As another member in this thread pointed out, the OP would have to be somebody of extreme importance to have such a hack attack placed upon them.

Experience of this forum tells us that these kinds of elaborate posts made by the OP tend to be fake. They make a thread about something that appears to be outrageous, they hang around for 2-3 days to see how the thread is behaving, and then disappear, never to be heard of again.

Do we give the OP the benefit of the doubt? History of these type of threads is not on the OP's side.
 

Arctic Moose
Do we give the OP the benefit of the doubt? History of these type of threads is not on the OP's side.

There should be a standard checklist for these security-related posts to filter out the trolls and the unreasonably paranoid.

I spent way too much time on this one:

 

chevyboy60013
It does seem quite far-fetched that someone would go through all the trouble to attack someone's personal network like he describes, unless that person is connected to a major player in the world... or maybe has very bad information about a person... Maybe the current White House occupant has something to do with it; however, I do not think he has the brain power to do it himself, but to shut the poster up because of very damaging intel on the occupant... maybe.
 

za9ra22
Not a whole lot of understanding on show here about how malware works. Not much of it is 'intelligent' enough to go after just important people, and much of it is self-aggregating, so a user poking around in the wrong place can get hit badly.

I'm not sure I believe the OP's story, and the details don't fit together right, but it isn't exactly unique. Nor would the fact that there have been no follow-up posts indicate anything more than that the infected system and OP have been knocked offline. As an IS specialist, I'd have that system totally isolated for a forensic deconstruction and rebuild anyway.

One thing is for sure: if the OP was that important, he'd have people he could call on to pull it apart and do the cleanup. Indeed, those people would demand the system be handed over to them, not left for him to mess with and potentially spread the problem. And if he's an isolated individual experiencing this kind of potential malware problem, MacRumors is pretty low down on the list of best places to post about it.
 