From: Brian Crawford on 22 Mar 2010 20:53

I recently received an email from my ISP (Telus) saying that I had been using my account to "scan, flood or attempt to gain unauthorized access to another computer". I wouldn't even know how to begin to do this even if I wanted to and was shocked at this email. They said that my IP address and modem hardware address pointed directly at me and that they would be suspending or cancelling my service if it happens again. Apparently there was only one incident of my computer doing this. They did suggest that the problem could be caused by a virus, but I did not think that there were any Mac viruses out there that could cause this problem. I scanned for viruses using ClamXav and nothing was detected. My Intel iMac's (Snow Leopard) firewall was on. I connect to the Internet directly with a modem. No other computers use the connection and no one other than my wife (definitely innocent) uses the computer. And, I wasn't even home at the time the incident supposedly happened. I also use Little Snitch. Any ideas as to what may be going on?

Brian

From: nospam on 22 Mar 2010 20:56

In article <crawford.bd-604105.18531122032010@[74.223.185.199.nw.nuvox.net]>, Brian Crawford <crawford.bd(a)geemale.com> wrote:

> I recently received an email from my ISP (Telus) saying that I had been
> using my account to "scan, flood or attempt to gain unauthorized access
> to another computer". I wouldn't even know how to begin to do this even
> if I wanted to and was shocked at this email. They said that my IP
> address and modem hardware address pointed directly at me and that they
> would be suspending or cancelling my service if it happens again.
> Apparently there was only one incident of my computer doing this. They
> did suggest that the problem could be caused by a virus, but I did not
> think that there were any Mac viruses out there that could cause this
> problem. I scanned for viruses using ClamXav and nothing was detected.

there aren't, and that's why you didn't find anything.

> My Intel iMac's (Snow Leopard) firewall was on. I connect to the
> Internet directly with a modem. No other computers use the connection
> and no one other than my wife (definitely innocent) uses the computer.
> And, I wasn't even home at the time the incident supposedly happened. I
> also use Little Snitch. Any ideas as to what may be going on?

someone may have spoofed your ip address, or they're wrong. ask for more evidence. chances are there's something that shows it was *not* done by an imac.

From: Jeffrey Goldberg on 22 Mar 2010 21:12

On 2010-03-22 7:53 PM, Brian Crawford wrote:

> I recently received an email from my ISP (Telus) saying that I had been
> using my account to "scan, flood or attempt to gain unauthorized access
> to another computer". I wouldn't even know how to begin to do this even
> if I wanted to and was shocked at this email. They said that my IP
> address and modem hardware address pointed directly at me and that they
> would be suspending or cancelling my service if it happens again.

They probably won't do it, but ask if they can send you the logs. Knowing what the thing is attacking (which ports in particular) would be a big help in identifying the malware. Also it will give you information that might allow you to set your router/firewall to block certain out-going traffic. For example, if you never use IRC you could block any outbound IRC traffic from your network. Likewise you should block outgoing traffic that is destined for ports 137-145.

> Apparently there was only one incident of my computer doing this. They
> did suggest that the problem could be caused by a virus,

This is certainly the first thing that comes to mind.

> but I did not think that there were any Mac viruses out there that
> could cause this problem.

Is there a possibility that some other machine was connected to your network other than your iMac? Did a friend bring over a laptop and connect wirelessly?

> I scanned for viruses using ClamXav and nothing was detected.
> My Intel iMac's (Snow Leopard) firewall was on.

I'm wondering whether there are rootkits that Clamav doesn't catch. Let me look around for a good root kit scanner for OS X. In looking for tools, can you let me know how comfortable you are with Terminal commands? Also do you have the Developer Tools installed?

> I connect to the Internet directly with a modem.

Tell us about your modem (brand, model). Is it also a router providing NAT service? If not, your machine is far more vulnerable to attacks from outside than if you had a NAT-ing router.

> No other computers use the connection
> and no one other than my wife (definitely innocent) uses the computer.

So no wireless? OK, ignore my previous questions. I should learn to read the whole message before responding.

> And, I wasn't even home at the time the incident supposedly happened. I
> also use Little Snitch. Any ideas as to what may be going on?

Was your machine on at the time? Little Snitch really should have caught this stuff if it was coming from your machine.

-j

--
Jeffrey Goldberg http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid

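The following is an added example, not part of the original thread: a sketch of how a log excerpt from the ISP could be tallied by destination port, to see which ports were targeted and which of them fall in the ranges the post above suggests blocking outbound. The log format, the addresses, the use of 6667 as the IRC port and the scan threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical log format (not the ISP's real format).
SAMPLE_LOG = """\
2010-03-20 14:02:11 SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP DPT=139
2010-03-20 14:02:11 SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP DPT=139
2010-03-20 14:02:12 SRC=203.0.113.7 DST=198.51.100.14 PROTO=TCP DPT=139
2010-03-20 14:02:12 SRC=203.0.113.7 DST=198.51.100.15 PROTO=TCP DPT=139
2010-03-20 14:05:40 SRC=203.0.113.7 DST=192.0.2.50 PROTO=TCP DPT=6667
2010-03-20 14:06:02 SRC=203.0.113.7 DST=192.0.2.80 PROTO=TCP DPT=80
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")

# Port groups named in the post; 6667 as "the" IRC port is an assumption (common default).
BLOCK_GROUPS = {"netbios-range": range(137, 146), "irc": range(6667, 6668)}
SCAN_HOSTS = 4  # assumed threshold: this many distinct targets on one port looks like a scan


def summarize(log_text):
    """Return {(proto, port): {"packets": n, "hosts": k, "tags": [...]}}."""
    packets = defaultdict(int)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip anything that is not a flow record
        key = (m["proto"].upper(), int(m["dpt"]))
        packets[key] += 1
        hosts[key].add(m["dst"])
    report = {}
    for key in packets:
        tags = [name for name, ports in BLOCK_GROUPS.items() if key[1] in ports]
        if len(hosts[key]) >= SCAN_HOSTS:
            tags.append("scan-like")
        report[key] = {"packets": packets[key], "hosts": len(hosts[key]), "tags": tags}
    return report


def ports_to_block(report):
    """Destination ports seen in the log that fall in a block group, sorted."""
    return sorted({port for (_, port), row in report.items()
                   if set(row["tags"]) & set(BLOCK_GROUPS)})


if __name__ == "__main__":
    for key, row in sorted(summarize(SAMPLE_LOG).items()):
        print(key, row)
    print("block outbound:", ports_to_block(summarize(SAMPLE_LOG)))
```
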
From: Wes Groleau on 22 Mar 2010 21:26

Brian Crawford wrote:

> also use Little Snitch. Any ideas as to what may be going on?

Is your IP address DHCP assigned? Maybe they are wrong about it being the same MAC. I'd bet looking at the packets in that log would show that it was a Windows malware.

I have a solution, though, to avoid being "disconnected if it happens again"--join Comcast. I sent Comcast log excerpts on two different days showing that one of their customers had a very active Nimda. Seven months later, it was still happening from the same IP address.

--
Wes Groleau
Worksheet for “Central American Migrants” Video
http://Ideas.Lang-Learn.us/russell?itemid=1009

From: Doug Anderson on 22 Mar 2010 21:31

Brian Crawford <crawford.bd(a)geemale.com> writes:

> I recently received an email from my ISP (Telus) saying that I had been
> using my account to "scan, flood or attempt to gain unauthorized access
> to another computer". I wouldn't even know how to begin to do this even
> if I wanted to and was shocked at this email. They said that my IP
> address and modem hardware address pointed directly at me and that they
> would be suspending or cancelling my service if it happens again.
> Apparently there was only one incident of my computer doing this. They
> did suggest that the problem could be caused by a virus, but I did not
> think that there were any Mac viruses out there that could cause this
> problem. I scanned for viruses using ClamXav and nothing was detected.
> My Intel iMac's (Snow Leopard) firewall was on. I connect to the
> Internet directly with a modem. No other computers use the connection
> and no one other than my wife (definitely innocent) uses the computer.
> And, I wasn't even home at the time the incident supposedly happened. I
> also use Little Snitch. Any ideas as to what may be going on?

Do you have a wireless network? It is possible (though unlikely) that someone else connected to the internet through your wireless network.

Still less likely: your iMac has a wireless card. It is possible to configure your iMac to share the internet via its wireless card, and someone could be using that connection to connect to your internet. I don't know how you could _accidentally_ share the internet via your wireless card though.