From: Jeffrey Goldberg on 24 Mar 2010 08:55

On 2010-03-24 6:35 AM, Warren Oates wrote:
> The OP didn't mention if he had a wireless router behind his Telus
> modem, did he?

He explicitly said that he did not. He has no local network. His iMac is plugged directly into his ether/ADSL modem.

-j

--
Jeffrey Goldberg http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid

From: Jamie Kahn Genet on 24 Mar 2010 11:01

Jeffrey Goldberg <nobody(a)goldmark.org> wrote:

> On 2010-03-22 9:36 PM, Brian Crawford wrote:
>
> > Modem is a Thompson Speedtouch ST516 v6.
>
> OK, thanks. Your description was accurate. This is just an ADSL modem.
> It is not a router/firewall.

Hold on, yes it is! Take a look at the user's guide - the very first hit on googling for "Thompson Speedtouch ST516 v6".

Plus I've used Speedtouch models and the ethernet models are all excellent ADSL routers with a very decent firewall. I would only avoid the cheap USB only models (not that they'll work on a Mac anyway).

--
If you're not part of the solution, you're part of the precipitate.

From: Jamie Kahn Genet on 24 Mar 2010 11:01

Jeffrey Goldberg <nobody(a)goldmark.org> wrote:

> On 2010-03-23 6:40 PM, Lewis wrote:
>
> > (and where did they get it from? They aren't transmitted
> > out)
>
> He isn't using a router, just a Ether/ADSL bridge. So his Mac's MAC
> address can get as far as the Telus CO.

He IS using a router.

--
If you're not part of the solution, you're part of the precipitate.

From: Jamie Kahn Genet on 24 Mar 2010 11:01

Brian Crawford <crawford.bd(a)geemale.com> wrote:

> In article
> <crawford.bd-604105.18531122032010@[74.223.185.199.nw.nuvox.net]>,
> Brian Crawford <crawford.bd(a)geemale.com> wrote:
>
> > I recently received an email from my iSP (Telus) saying that I had been
> > using my account to "scan, flood or attempt to gain unauthorized access
> > to another computer". I wouldn't even know how to begin to do this even
> > if I wanted to and was shocked at this email. They said that my IP
> > address and modem hardware address pointed directly at me and that they
> > would be suspending or cancelling my service if it happens again.
> > Apparently there was only one incident of my computer doing this. They
> > did suggest that the problem could be caused by a virus, but I did not
> > think that there were any Mac viruses out there that could cause this
> > problem. I scanned for viruses using ClamXav and nothing was detected.
> > My Intel iMac's (Snow Leopard) firewall was on. I connect to the
> > Internet directly with a modem. No other computers use the connection
> > and no one other than my wife (definitely innocent) uses the computer.
> > And, I wasn't even home at the time the incident supposedly happened. I
> > also use Little Snitch. Any ideas as to what may be going on?
> >
> > Brian
>
> I just read the Telus email again, and there is more info that I
> probably should have mentioned.
>
> They said that the "unique physical address" identifies the network
> adapter or router connected to my ADSL modem. I have no "network
> adapter" or router connected to my modem. Indeed the unique identifier
> (MAC no.?) is not the MAC of my modem.
>
> Here's the clincher. It seems they narrowed it down to a Windows spyware
> program, Sinowal. Quoting from the email:
>
> "Sinowal is a sophisticated, configurable spyware program that is
> designed to steal personal information and credentials from online
> banking sites and other sites. Once this infection gathers enough
> information it sends this data to the attacker.
> Sinowal is often packaged with a rootkit known as Mebroot to hide its
> presence on the system making it difficult to detect and remove. This
> means antivirus software installed on an infected computer may not
> detect this infection and advise no infection has been detected.
> Because of this, we recommend scanning with a reputable online virus
> scanner - links have been included in this email.
>
> Affected Platforms and Versions
> Sinowal affects the following systems:
> Windows 2003
> Windows XP
> Windows 2000
> Windows NT
>
> Malicious Code Aliases
> Trojan.Anserin (Symantec Corp.)
> Win32/PSW.Sinowal (Microsoft Corp.)
> Trojan.Spy.Sinowal (ClamAV)
> Sinowal (Microsoft Corp.)
> TSPY_SINOWAL (Trend Micro Inc.)
> Trojan.Pws.Sinowal (Bitdefender)
> Trojan-PSW.Win32.Sinowal (Kaspersky Lab Inc. )
> Troj/Torpig-Gen (Sophos Plc.)
>
>
> Detected Infection: Trojan.Sinowal Variants"
> Time of Detection: 2010-03-21 04:57:36 GMT
> Timestamp at your location: Sat Mar 20 2010 10:57 PM"
>
> As stated earlier in other postings, we did not find anything on my
> computer after using ClamXav or the rootkit checker.
>
> Brian

Your Thompson Speedtouch ST516 v6 _is_ a router. See its user guide for details.

--
If you're not part of the solution, you're part of the precipitate.

From: Jeffrey Goldberg on 24 Mar 2010 12:19

On 2010-03-24 10:01 AM, Jamie Kahn Genet wrote:
> Jeffrey Goldberg <nobody(a)goldmark.org> wrote:
>
>> On 2010-03-22 9:36 PM, Brian Crawford wrote:
>>
>>> Modem is a Thompson Speedtouch ST516 v6.
>>
>> OK, thanks. Your description was accurate. This is just an ADSL modem.
>> It is not a router/firewall.
>
> Hold on, yes it is! Take a look at the user's guide - the very first hit
> on googling for "Thompson Speedtouch ST516 v6".

I stand corrected. Now I need to hope that the OP is still reading and doesn't waste money on my erroneous advice!

-j

--
Jeffrey Goldberg http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid