From: Brian Crawford on 22 Mar 2010 22:36

In article <80qis5Fr92U1(a)mid.individual.net>, Jeffrey Goldberg <nobody(a)goldmark.org> wrote:

> I'm wondering whether there are rootkits that Clamav doesn't catch. Let me look around for a good root kit scanner for OS X. In looking for tools, can you let me know how comfortable you are with Terminal commands? Also, do you have the Developer Tools installed?

Hopefully not a rootkit. Thanks for checking into this for me. I've used Terminal a bit. Developer Tools is not installed.

> Tell us about your modem (brand, model). Is it also a router providing NAT service? If not, your machine is far more vulnerable to attacks from outside than if you had a NAT-ing router.

Modem is a Thompson Speedtouch ST516 v6.

> So no wireless? OK, ignore my previous questions. I should learn to read the whole message before responding.

I answered the questions anyway just in case.

> Was your machine on at the time? Little Snitch really should have caught this stuff if it was coming from your machine.

Yes, it was on.

Thanks.

Brian
From: Brian Crawford on 22 Mar 2010 22:52

In article <80qmt0FdciU1(a)mid.individual.net>, Jeffrey Goldberg <nobody(a)goldmark.org> wrote:

> On 2010-03-22 8:50 PM, Jeffrey Goldberg wrote:
>
> > Let me repeat this. If you are plugging your iMac directly into a modem with no NAT-ing firewall, then your system will be vulnerable to the kinds of remote attacks that are launched against any Unix system.
>
> I am going to run a scan of your current IP. Nothing will be trying to break in, it is just to see whether your system is openly listening for incoming network traffic. The scan will come from somewhere in 72.64.118.112/29. Little Snitch or other firewall tools may warn about this (though probably not, as these sorts of scans happen all the time).
>
> If I find a well concealed system, I will agree with my fellows here who say that it couldn't be your system. But if your system is connected to the net in a way that I fear it might be from what you've said, I will continue to suspect that you do have a problem (although it seems unlikely that a rooted system would only attack once).
>
> -j

Thanks! I wondered what the bells were.

B
From: Jeffrey Goldberg on 22 Mar 2010 23:18

On 2010-03-22 9:36 PM, Brian Crawford wrote:

> Modem is a Thompson Speedtouch ST516 v6.

OK, thanks. Your description was accurate. This is just an ADSL modem. It is not a router/firewall.

Unless you really know what you are doing with firewall settings on your Mac, I very strongly recommend that you get a cheap router. It will sit between your modem and your Mac. It will also act as a very good firewall. Basically, it will mean that no data will reach your computer from the outside world which wasn't part of a conversation initiated by your computer.

You do appear to have the firewall on your computer set properly for your circumstances (that is, my probe of your system didn't get anywhere). But these things are easy to get wrong, particularly because your set-up of how you are connected to the network is no longer the norm.

So when looking at whether your machine is compromised, there are things for and against it.

Against compromise are:

(1) There is no Mac specific malware (but there is Unix malware)
(2) Your firewall settings appear to be effective.
(3) There was just a single burst (typical malware would continue spewing)
(4) ClamXav found no problems.
(5) Little Snitch didn't report any peculiar outbound traffic at the time.

Evidence in favor of your system being compromised:

(1) Your ISP reported scans/probes/hostile behavior from your modem/IP
(2) Your machine is connected more directly to the net than it should be, without the protection of NAT.

When you feel comfortable with it, try running that rootkit checker I mentioned. If you are not quite ready to accept my word that that is a safe thing to install and run (and it does have to be installed and run by an admin user), let's hope that others here will take a look at it and confirm that it is indeed safe. Also, I take no offense if you are not ready to accept my word about installing and running some weird bit of Unix security freeware. Indeed, it would show good sense for you to have some qualms about blindly following such advice.

At least talk to your more technically knowledgeable friends about the value of having a router doing NAT. I worry about home machines connected directly to the network unless they are managed by professionals.

Cheers,

-j

-- 
Jeffrey Goldberg http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid
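An added self-check, not from the thread, that does from the Mac's own side what Jeffrey's probe does from outside: it reads `lsof -i -P -n` output and prints the TCP sockets listening on a wildcard or non-loopback address, i.e. exactly what a machine plugged straight into an ADSL modem exposes when no NAT router sits in front of it. The lsof sample is constructed for illustration; the process names and ports in it are assumptions, not Brian's machine.

```sh
#!/bin/sh
# Added example: list TCP listeners reachable from the network.
# Real use on the Mac:   lsof -i -P -n | listening_exposed
# -P/-n keep ports and addresses numeric so the awk below can parse them.

# Constructed lsof-style output standing in for a real run (not Brian's machine).
sample_lsof() {
  cat <<'EOF'
COMMAND       PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd         1   root   10u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
cupsd          45   root    7u  IPv6 0x2b3c      0t0  TCP [::1]:631 (LISTEN)
mysqld        120 _mysql   12u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:3306 (LISTEN)
Transmission  900  brian   30u  IPv4 0x4d5e      0t0  TCP *:51413 (LISTEN)
Safari        500  brian   14u  IPv4 0x5e6f      0t0  TCP 192.168.1.5:50000->203.0.113.7:443 (ESTABLISHED)
EOF
}

# Reads lsof output on stdin; prints "COMMAND PORT ADDRESS" for every TCP
# socket in LISTEN state bound to a wildcard (*) or non-loopback address.
# Loopback-only listeners (127.x.x.x, [::1], localhost) cannot be reached
# from the network, so they are skipped; established connections are ignored.
listening_exposed() {
  awk '$NF == "(LISTEN)" {
    name = $(NF-1)
    port = name; sub(/.*:/, "", port)          # text after the last colon
    addr = name; sub(/:[0-9]+$/, "", addr)     # everything before ":port"
    if (addr == "*" || (addr !~ /^127\./ && addr != "[::1]" && addr != "localhost"))
      print $1, port, addr
  }'
}

# Exposed listeners in the constructed sample: sshd via launchd on 22 and
# the assumed BitTorrent client on 51413; cupsd and mysqld stay loopback-only.
exposed_in_sample() { sample_lsof | listening_exposed; }

exposed_in_sample
```

Anything this prints is reachable by the kind of scan Jeffrey ran unless the Mac's own firewall blocks it; behind a NAT router it would be unreachable regardless.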
From: Brian Crawford on 23 Mar 2010 01:18

In article <80qq8oFs59U1(a)mid.individual.net>, Jeffrey Goldberg <nobody(a)goldmark.org> wrote:

> When you feel comfortable with it, try running that rootkit checker I mentioned. If you are not quite ready to accept my word that that is a safe thing to install and run (and it does have to be installed and run by an admin user), let's hope that others here will take a look at it and confirm that it is indeed safe. Also, I take no offense if you are not ready to accept my word about installing and running some weird bit of Unix security freeware. Indeed, it would show good sense for you to have some qualms about blindly following such advice.
>
> At least talk to your more technically knowledgeable friends about the value of having a router doing NAT. I worry about home machines connected directly to the network unless they are managed by professionals.

I ran the checker and it came up negative for the rootkits.

Thanks again for all your help. You have provided lots of valuable information that, I'm sure, others could also benefit from.

From what you say the router is a must; I will take appropriate action. Perhaps a Time Capsule, since we have two computers that could use it. I know it's not cheap, but I could use the backup capability.

I'll also request the log files for the day/time of the incident. Any tips about interpreting the log files?

One last thing, would peer-to-peer file sharing protocols such as Bittorrent cause such a problem?

Brian
From: Geoffrey S. Mendelson on 23 Mar 2010 01:39

Brian Crawford wrote:

> One last thing, would peer-to-peer file sharing protocols such as Bittorrent cause such a problem?

That's a loaded question. The short answer is bittorrent no, anything else maybe. It depends upon what it is and how it is configured.

The longer answer is that bittorrent does not share files unless you explicitly want to. You have to download or create a torrent file and have it active for the files it defines to be shared.

Other packages don't work that way. They share anything in a shared directory and any subdirectories underneath it. That's fine if the shared directory is something like "sharing programs shared directory" in your Downloads directory; it's hard to get into trouble that way (but not impossible). If by some mistake or accident the shared directory is set to the root of your computer's hard drive or your home directory, anything goes (and it will).

Geoff.

-- 
Geoffrey S. Mendelson, Jerusalem, Israel gsm(a)mendelson.com N3OWJ/4X1GM
New word I coined 12/13/09, "Sub-Wikipedia" adj, describing knowledge or understanding, as in he has a sub-wikipedia understanding of the situation. i.e. possessing fewer facts or information than can be found in the Wikipedia.
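An added check, not from Geoff's post, for the misconfiguration he describes: before turning on a file-sharing client, confirm that its shared directory resolves (symlinks followed) to a subdirectory of ~/Downloads and is never the root of the disk or the home directory itself. The policy and the function name `share_dir_ok` are assumptions made for this example.

```sh
#!/bin/sh
# Added example: refuse a share directory that would expose the whole disk or
# the home directory. Assumed policy (not from the thread): the share must be an
# existing directory strictly inside $HOME/Downloads after resolving symlinks.

share_dir_ok() {
  dir=$1
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  # Resolve symlinks: a share that is a link to / or ~ is as bad as the real thing.
  real=$(cd -P -- "$dir" 2>/dev/null && pwd -P) || return 1
  home=$(cd -P -- "$HOME" && pwd -P)
  case "$real" in
    /|"$home")
      echo "refusing $real: that is the whole disk or your home directory" >&2
      return 1 ;;
    "$home"/Downloads/*)
      return 0 ;;
    *)
      echo "refusing $real: must be a subdirectory of $home/Downloads" >&2
      return 1 ;;
  esac
}

# Demo in a subshell with a constructed directory layout under a scratch HOME,
# so nothing outside the temporary directory is touched.
demo() (
  HOME=$(mktemp -d)
  mkdir -p "$HOME/Downloads/torrents"
  ln -s "$HOME" "$HOME/Downloads/link-to-home"   # the accidental case Geoff warns about
  share_dir_ok "$HOME/Downloads/torrents" && echo "ok: torrents"
  share_dir_ok "$HOME/Downloads/link-to-home" || echo "blocked: symlink to home"
  share_dir_ok / || echo "blocked: root"
  rm -rf "$HOME"
)
demo
```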