From: Jeffrey Goldberg on 22 Mar 2010 21:50

On 2010-03-22 8:12 PM, Jeffrey Goldberg wrote:

> They probably won't do it, but ask if they can send you the logs.

Actually insist on getting the log. It is necessary to diagnose the problem.

> I'm wondering whether there are rootkits that Clamav doesn't catch. Let
> me look around for a good root kit scanner for OS X.

I've done some looking, and I recommend that you install and run OS X Rootkit Hunter:

http://www.versiontracker.com/dyn/moreinfo/macosx/30622

The app is just a wrapper for a shell script. The first time you run it you should do an "update database". After you run that, you will get warnings (typically that things like sshd are out of date). This is because updates from Apple don't come immediately when there is an update in a third party (open source) component of the system. If you have questions about the scan results, post that log.

>> I connect to the Internet directly with a modem.
>
> Tell us about your modem (brand, model). Is it also a router providing
> NAT service? If not, your machine is far more vulnerable to attacks
> from outside than if you had a NAT-ing router.

Let me repeat this. If you are plugging your iMac directly into a modem with no NAT-ing firewall, then your system will be vulnerable to the kinds of remote attacks that are launched against any Unix system. A Unix rootkit could well be installed on your system even though there are no Mac viruses. (Of course your modem may also be a router, but I won't know until you tell us more about it.)

However, given that you were running Little Snitch, and if this root kit hunter and ClamXav report nothing, I am inclined to believe that your system is clean and your ISP has the wrong suspect. Please try to get the relevant logs from them.

Nonetheless, I've had Unix systems directly connected to the net which were compromised. There is no reason to believe that OS X is immune from what can happen with other Unix systems.

And get yourself a router to put between your iMac and your modem.

-j

--
Jeffrey Goldberg http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
From: Brian Crawford on 22 Mar 2010 22:06

In article <ho95bv$bv3$1(a)news.eternal-september.org>,
Wes Groleau <Groleau+news(a)FreeShell.org> wrote:

> Is your IP address DHCP assigned? Maybe they are wrong about
> it being the same MAC. I'd bet looking at the packets in that
> log would show that it was a Windows malware.

Yes, DHCP assigned. Could this be part of the problem? Do you mean that if they were to do some digging into the log packets that they may be able to tell that the problem did not emanate from my computer?

Sorry, I'm not too literate when it comes to these types of issues.
From: Jeffrey Goldberg on 22 Mar 2010 22:14

On 2010-03-22 9:06 PM, Brian Crawford wrote:

> In article <ho95bv$bv3$1(a)news.eternal-september.org>,
> Wes Groleau <Groleau+news(a)FreeShell.org> wrote:
>> Is your IP address DHCP assigned? Maybe they are wrong about
>> it being the same MAC. I'd bet looking at the packets in that
>> log would show that it was a Windows malware.

> Yes, DHCP assigned. Could this be part of the problem? Do you mean that
> if they were to do some digging into the log packets that they may be
> able to tell that the problem did not emanate from my computer?

Exactly.

> Sorry, I'm not too literate when it comes to these types of issues.

Few people are. And that is why you ask for help as you have done.

-j

--
Jeffrey Goldberg http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
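The point Wes and Jeffrey make above (a DHCP-assigned address can belong to a different machine at the time an abuse report names) is easy to check once the ISP's lease history is in hand. The following is an added illustration, not code from any poster in this thread: it parses a constructed lease export (the "start end ip mac" layout is hypothetical, not any real DHCP server's log format), looks up which MAC held an address at the reported instant, and also lists every MAC whose lease touches a small window around that instant, since the abuse report's clock and the DHCP server's clock rarely agree to the second.

```python
"""Which machine held an IP address when an abuse report says an attack happened?
Added example for this thread, not any poster's code. The lease export format
and every log line below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Constructed lease history: "start end ip mac", one lease per line, UTC.
# Real DHCP servers log in their own formats; adapt parse_leases() to yours.
LEASE_LOG = """\
# start                end                  ip        mac
2010-03-20T08:00:00Z 2010-03-21T20:00:00Z 10.0.5.17 00:11:22:33:44:55
2010-03-21T20:00:00Z 2010-03-22T09:30:00Z 10.0.5.17 00:1F:5B:AA:BB:CC
2010-03-22T09:30:00Z 2010-03-23T02:00:00Z 10.0.5.17 00:11:22:33:44:55
2010-03-22T09:30:00Z 2010-03-23T02:00:00Z 10.0.5.18 00:25:00:DD:EE:FF
"""


@dataclass(frozen=True)
class Lease:
    start: datetime  # inclusive
    end: datetime    # exclusive: the address may be reassigned at this instant
    ip: str
    mac: str


def parse_ts(text: str) -> datetime:
    """Parse '2010-03-22T09:30:00Z' into a timezone-aware UTC datetime.
    Abuse reports and DHCP logs are often stamped in different zones;
    normalising everything to UTC before comparing avoids off-by-hours errors."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leases(text: str) -> List[Lease]:
    leases: List[Lease] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        start, end = parse_ts(fields[0]), parse_ts(fields[1])
        if end <= start:
            raise ValueError(f"line {lineno}: lease ends before it starts")
        leases.append(Lease(start, end, fields[2], fields[3].lower()))
    return leases


def mac_holding(leases: List[Lease], ip: str, when: datetime) -> Optional[str]:
    """MAC that held `ip` at instant `when`, or None if the address was unassigned."""
    hits = [l.mac for l in leases if l.ip == ip and l.start <= when < l.end]
    if len(hits) > 1:
        raise ValueError(f"overlapping leases for {ip} at {when.isoformat()}")
    return hits[0] if hits else None


def candidate_macs(leases: List[Lease], ip: str, when: datetime,
                   skew: timedelta = timedelta(minutes=5)) -> Set[str]:
    """Every MAC whose lease on `ip` overlaps [when - skew, when + skew].
    More than one result means the timestamp alone cannot single out a
    customer; the packet-level log is needed to settle it."""
    lo, hi = when - skew, when + skew
    return {l.mac for l in leases if l.ip == ip and l.start < hi and l.end > lo}


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    reported = parse_ts("2010-03-22T09:32:00Z")   # constructed abuse-report time
    print("exact holder:", mac_holding(leases, "10.0.5.17", reported))
    print("within 5 min:", sorted(candidate_macs(leases, "10.0.5.17", reported)))
```

Run against a real export, the interesting outcome is the second one: a report stamped two minutes after a lease changed hands yields two candidate MACs, which is exactly the kind of mix-up Jeffrey suspects of the ISP's abuse desk.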
From: Jeffrey Goldberg on 22 Mar 2010 22:21

On 2010-03-22 8:50 PM, Jeffrey Goldberg wrote:

> Let me repeat this. If you are plugging your iMac directly into a modem
> with no NAT-ing firewall, then your system will be vulnerable to the
> kinds of remote attacks that are launched against any Unix system.

I am going to run a scan of your current IP. Nothing will be trying to break in, it is just to see whether your system is openly listening for incoming network traffic. The scan will come from somewhere in 72.64.118.112/29. Little Snitch or other firewall tools may warn about this (though probably not, as these sorts of scans happen all the time).

If I find a well concealed system, I will agree with my fellows here who say that it couldn't be your system. But if your system is connected to the net in a way that I fear it might be from what you've said, I will continue to suspect that you do have a problem (although it seems unlikely that a rooted system would only attack once).

-j

--
Jeffrey Goldberg http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
From: Jeffrey Goldberg on 22 Mar 2010 22:30

On 2010-03-22 9:21 PM, Jeffrey Goldberg wrote:

> I am going to run a scan of your current IP.
>
> If I find a well concealed system, I will agree with my fellows here who
> say that it couldn't be your system.

Your system seems well protected from outside scans. Indeed, it is blocking enough that it appears to not be on-line at all. I could scan more aggressively to see whether it really is off-line, but such a scan would start getting me in trouble with my provider.

So if the current state of your connection is typical, then I would say that it is very unlikely that you've been compromised via a remote attack. Chances are that the Telus abuse people messed up in correlating customer to IP address when the attack happened. Again, getting hold of their logs would be a big help in discovering what kind of malware was at work (and whether it could plausibly come from a Mac).

The good news here is that I, as the most pessimistic of the commenters here, am pretty much persuaded that you do not have a malware problem on your iMac.

Still do tell us what brand and model modem you have. If it is from your provider, it will still have some numbers on it somewhere.

Cheers,

-j

--
Jeffrey Goldberg http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
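Jeffrey's scan answers the question "is this system openly listening for incoming traffic?" from the outside; the same question can be answered from the inside, without anyone scanning you, by looking at which sockets the machine has bound to a non-loopback address. That is also the check behind his earlier advice to put a NAT-ing router between the iMac and the modem: any service in the list below is reachable from the Internet when nothing sits in front of the host. The following is an added example, not code from any poster; NETSTAT_SAMPLE is constructed in the column layout of Mac OS X `netstat -an` output, and the `run_netstat()` helper simply shells out to that command on a real machine.

```python
"""Audit a host's listening sockets for ones reachable from the network.
Added example for this thread, not any poster's code. NETSTAT_SAMPLE is
constructed in the layout of Mac OS X `netstat -an` output."""
import subprocess
from dataclasses import dataclass
from typing import List

NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.10.49152     *.*                    LISTEN
tcp4       0      0  192.168.1.10.54321     203.0.113.5.80         ESTABLISHED
udp4       0      0  *.5353                 *.*
udp4       0      0  127.0.0.1.123          *.*
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass(frozen=True)
class Socket:
    proto: str   # tcp4, tcp6, udp4, udp6
    host: str    # "*" for all interfaces, else the bound address
    port: int
    state: str   # LISTEN / ESTABLISHED / ... for TCP; "" for UDP


def parse_netstat(text: str) -> List[Socket]:
    socks: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner and header lines; keep only tcp*/udp* rows.
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        host, _, port = local.rpartition(".")   # BSD netstat puts "." before the port
        if not port.isdigit():
            continue   # unbound ("*.*") or otherwise unparsable local address
        socks.append(Socket(proto, host, int(port), state))
    return socks


def exposed_listeners(socks: List[Socket]) -> List[Socket]:
    """Sockets accepting traffic on a non-loopback address. Each one is
    reachable from the Internet if no NAT router or firewall sits in front."""
    out = []
    for s in socks:
        # TCP must be in LISTEN; a bound UDP socket receives datagrams regardless.
        accepting = s.state == "LISTEN" if s.proto.startswith("tcp") else True
        if accepting and s.host not in LOOPBACK:
            out.append(s)
    return out


def run_netstat() -> str:
    """Collect live output on the machine being audited (BSD/macOS netstat)."""
    return subprocess.run(["netstat", "-an"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for s in exposed_listeners(parse_netstat(NETSTAT_SAMPLE)):
        print(f"{s.proto:5} {s.host}:{s.port}  reachable from the network")
```

On the constructed sample the loopback-only CUPS (631) and NTP (123) sockets drop out and four entries remain: sshd on both address families, mDNS on 5353, and a service bound to the LAN address on 49152. Each of those is what an outside scan like Jeffrey's would find if the host were plugged straight into the modem, which is why a well-protected system "appears to not be on-line at all" to such a scan.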