Intrusion attempts, please help! (Is my computer compromised?)

Posted in Genius Bar, edited January 2014
Hey there,

yesterday my computer started lagging something incredible. So I made a quick check around the system and found that I had incoming traffic of around 30-40Kb/sec, even though I had no network app running. So I went and shut off my services, and started my firewall (which I didn't have running, don't ask).

I had around 7 attempts per second from different computers trying to connect to mine. So I shut off my internet connection and waited for my ISP to update my IP. With my new IP, I had around 2 attempts every 2 minutes.

So I started scanning my computer for malware/viruses (waving a dead chicken?) using MacScan and ClamXav, found nothing. Even started going manually through all of the system files, searching by latest updated, to see where all that traffic was going, or if some app had been modified. Nothing.

Running Little Snitch, all the "suspected" outgoing traffic I can find is made by mDNSserver, configd and lookupd, which I guess in any case can't be malicious, unless someone has modified these apps. All of them try to connect to various different IPs though, and from what I can tell not all of them are my ISP's.

I'm concerned someone might have entered my computer while the firewall was off, since I DID have personal file sharing running (yes, I'm a fool!).

The scary part for me isn't as much the denied accesses in the firewall, but the fact that I still have 4-8Kb/sec of incoming traffic, with NO network apps running.

So what do you all think? May I have some malware installed or are these "just" regular hacking attempts?

Examples of denied connections (mine is the xxx.xxx):

Feb 1 12:09:58 Computer ipfw: 12190 Deny TCP 201.214.60.127:2014 201.214.xxx.xxx:445 in via en1
Feb 1 12:10:01 Computer ipfw: 12190 Deny TCP 201.214.60.127:2014 201.214.xxx.xxx:445 in via en1
Feb 1 12:12:00 Computer ipfw: 12190 Deny TCP 201.214.61.151:1603 201.214.xxx.xxx:445 in via en1
Feb 1 12:12:03 Computer ipfw: 12190 Deny TCP 201.214.61.151:1603 201.214.xxx.xxx:445 in via en1
Feb 1 12:12:34 Computer ipfw: 12190 Deny TCP 201.214.60.127:4136 201.214.xxx.xxx:139 in via en1
Feb 1 12:12:37 Computer ipfw: 12190 Deny TCP 201.214.60.127:4136 201.214.xxx.xxx:139 in via en1
Feb 1 12:15:09 Computer ipfw: Stealth Mode connection attempt to UDP 201.214.xxx.xxx:137 from 212.112.168.201:3542
Feb 1 12:15:12 Computer ipfw: Stealth Mode connection attempt to UDP 201.214.xxx.xxx:137 from 212.112.168.201:3542

Any comments deeply appreciated.

Comments

  • Reply 1 of 9
    Quote:

    Originally posted by Whyatt Thrash

    The scary part for me isn't as much the denied acceses in the firewall, but the fact that I still have 4-8Kb/sec of incoming traffic, with NO network apps running.



    So what do you all think? May I have some malware installed or are these "just" regular hacking attempts?



    Examples of denied connections (mine is the xxx.xxx):



    Feb 1 12:09:58 Computer ipfw: 12190 Deny TCP 201.214.60.127:2014 201.214.xxx.xxx:445 in via en1

    Feb 1 12:10:01 Computer ipfw: 12190 Deny TCP 201.214.60.127:2014 201.214.xxx.xxx:445 in via en1

    Feb 1 12:12:00 Computer ipfw: 12190 Deny TCP 201.214.61.151:1603 201.214.xxx.xxx:445 in via en1

    Feb 1 12:12:03 Computer ipfw: 12190 Deny TCP 201.214.61.151:1603 201.214.xxx.xxx:445 in via en1

    Feb 1 12:12:34 Computer ipfw: 12190 Deny TCP 201.214.60.127:4136 201.214.xxx.xxx:139 in via en1

    Feb 1 12:12:37 Computer ipfw: 12190 Deny TCP 201.214.60.127:4136 201.214.xxx.xxx:139 in via en1

    Feb 1 12:15:09 Computer ipfw: Stealth Mode connection attempt to UDP 201.214.xxx.xxx:137 from 212.112.168.201:3542

    Feb 1 12:15:12 Computer ipfw: Stealth Mode connection attempt to UDP 201.214.xxx.xxx:137 from 212.112.168.201:3542



    Any comments deeply appreciated.




    2 Questions for you ...

    1) Are you on a college campus???

    2) Are you running Mac OS X 10.4???

    If you're running Tiger, chances are your dashboard is using the network. Could also be your clock if you have it set for network time.

    The reason I ask about whether or not you are on a college campus (or I guess any network behind a firewall) is that when I check my firewall log, I get the same kinds of messages. Usually it's the same IP trying to contact you. I looked up the IP address and it was an IP on my college campus network.

    In any case, it probably isn't anything to worry about...
  • Reply 2 of 9
    progmac Posts: 1,850 member
    you haven't anything to worry about. it is showing that incoming traffic because even if the firewall blocks it, the computer still sees the traffic (even though it is probably being denied). My guess is there are some Windows machines on your branch of the network passing around malware/junk packets.

    In any case, there isn't much you could do...you could get a hardware router/firewall that would stop you from 'seeing' the incoming junk, but it wouldn't protect you any more, since you aren't vulnerable in the first place
  • Reply 3 of 9
    Quote:

    Originally posted by AgNuke1707



    1) Are you on a college campus???

    2) Are you running Mac OS X 10.4???




    1) No, I'm not on a campus.

    2) Yes



    I could try disabling Dashboard and network time. In fact (hang on), OK, done. Let's see if that changes anything.



    Quote:

    Originally posted by progmac

    you haven't anything to worry about. it is showing that incoming traffic because even if the firewall blocks it, the computer still sees the traffic (even though it is probably being denied). My guess is there are some windows machines on your branch of the network passing around malware/junk packets.





    That was more or less the conclusion I came to as well... Just to clarify, to date there doesn't exist any OS X malware that "phones home" and spawns a similar behaviour? Anyways, it still seems far-fetched, since the malware's scanning for known Window$ filesharing ports... Yeah, I guess you must be right. But still, it doesn't exist, right?



    Thanks for the replies, guys! You've calmed me down a lot..
  • Reply 4 of 9
    progmac Posts: 1,850 member
    Quote:

    Originally posted by Whyatt Thrash

    That was more or less the conclusion I came to as well... Just to clarify, to date there doesn't exist any OS X malware that "phones home" and spawns a similar behaviour? Anyways, it still seems far-fetched, since the malware's scanning for known Window$ filesharing ports... Yeah, I guess you must be right. But still, it doesn't exist, right?





    correct-o-mundo. good thing you aren't a Windows user tracking attacks on your computer, or your head might explode
  • Reply 5 of 9
    Quote:

    Originally posted by Whyatt Thrash

    That was more or less the conclusion I came to as well... Just to clarify, to date there doesn't exist any OS X malware that "phones home" and spawns a similar behaviour? Anyways, it still seems far-fetched, since the malware's scanning for known Window$ filesharing ports... Yeah, I guess you must be right. But still, it doesn't exist, right?



    Thanks for the replies, guys! You've calmed me down a lot..




    No problem ... I've found that it's always things you don't realize (like network time) that still use your network. You really do have nothing to worry about ... happy safe and virus free web-browsing!
  • Reply 6 of 9
    Ok, I disabled Dashboard and Network Time, and a few hours later I'm still experiencing ~5Kb of constant download.



    At least with enabling the firewall (and running a bunchload of other system checks), my computer is back to being Teh Snappy..
  • Reply 7 of 9
    kickaha Posts: 8,760 member
    Okay, here's one for you...

    I'm getting the following:

    Code:

    Feb 2 15:34:08 Mercury ipfw: Stealth Mode connection attempt to UDP 192.168.37.8:137 from 192.168.37.1:15180
    Feb 2 15:34:09 Mercury ipfw: Stealth Mode connection attempt to UDP 192.168.37.8:137 from 192.168.37.1:15180
    Feb 2 15:34:09 Mercury ipfw: Stealth Mode connection attempt to UDP 192.168.37.8:137 from 192.168.37.1:15181
    Feb 2 15:34:11 Mercury ipfw: Stealth Mode connection attempt to UDP 192.168.37.8:137 from 192.168.37.1:15181
    Feb 2 15:34:11 Mercury ipfw: Stealth Mode connection attempt to UDP 192.168.37.8:137 from 192.168.37.1:15182
    Feb 2 15:34:13 Mercury ipfw: Stealth Mode connection attempt to UDP 192.168.37.8:137 from 192.168.37.1:15182

    Here's the interesting bit: 192.168.37.1 is my WiFi router. Inside my LAN. It has a firewall. Which is on. And not set up to DMZ to the laptop. And yet, somehow, it is apparently scanning my laptop's 137 port (Window Remote Access), using consecutive ports on the originating end.

    Anyone want to comment on that one? It's had me stumped for weeks.
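The two log excerpts in this thread (the original post's external probes against ports 445/139/137, and the router-to-laptop port 137 hits in the post just above) are the same kind of evidence and can be summarised mechanically instead of eyeballed. The script below is an example added here by the editor; it is not code from any poster, from Apple, or from ipfw. It parses both ipfw line shapes seen on this page, groups blocked attempts per logging host, computes the attempt rate from the timestamps, labels the well-known Windows file-sharing ports, and tags each source as inside the LAN (RFC 1918) or external. The function names, the PORT_LABELS table and the sample log (a constructed subset of the lines quoted in the thread, with the poster's redacted xxx.xxx host part kept exactly as posted) are my own choices and not part of the original page.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a subset of the ipfw lines quoted in this thread. The poster's
# redacted host part (xxx.xxx) is kept as-is; the parser never needs to interpret it.
SAMPLE_LOG = """\
Feb 1 12:09:58 Computer ipfw: 12190 Deny TCP 201.214.60.127:2014 201.214.xxx.xxx:445 in via en1
Feb 1 12:10:01 Computer ipfw: 12190 Deny TCP 201.214.60.127:2014 201.214.xxx.xxx:445 in via en1
Feb 1 12:12:00 Computer ipfw: 12190 Deny TCP 201.214.61.151:1603 201.214.xxx.xxx:445 in via en1
Feb 1 12:12:34 Computer ipfw: 12190 Deny TCP 201.214.60.127:4136 201.214.xxx.xxx:139 in via en1
Feb 1 12:15:09 Computer ipfw: Stealth Mode connection attempt to UDP 201.214.xxx.xxx:137 from 212.112.168.201:3542
Feb 2 15:34:08 Mercury ipfw: Stealth Mode connection attempt to UDP 192.168.37.8:137 from 192.168.37.1:15180
Feb 2 15:34:09 Mercury ipfw: Stealth Mode connection attempt to UDP 192.168.37.8:137 from 192.168.37.1:15181
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
# The two line shapes seen in the thread: a rule-numbered Deny, and the "Stealth Mode"
# line logged when the host silently drops a probe to a closed port.
DENY_RE = re.compile(
    TS + r" (?P<host>\S+) ipfw: (?P<rule>\d+) Deny (?P<proto>\w+) "
    r"(?P<src_ip>\S+):(?P<src_port>\d+) (?P<dst_ip>\S+):(?P<dst_port>\d+) in via (?P<iface>\S+)$"
)
STEALTH_RE = re.compile(
    TS + r" (?P<host>\S+) ipfw: Stealth Mode connection attempt to (?P<proto>\w+) "
    r"(?P<dst_ip>\S+):(?P<dst_port>\d+) from (?P<src_ip>\S+):(?P<src_port>\d+)$"
)

# Assumed labelling table for the ports that appear in the thread (well-known service names).
PORT_LABELS = {137: "NetBIOS name service", 139: "NetBIOS session (SMB)", 445: "SMB direct"}
FILE_SHARING_PORTS = set(PORT_LABELS)


def parse_ipfw_line(line):
    """Return a dict for a Deny or Stealth Mode line, or None for anything else."""
    for kind, rx in (("deny", DENY_RE), ("stealth", STEALTH_RE)):
        m = rx.match(line.strip())
        if m:
            d = m.groupdict()
            # syslog timestamps carry no year; the 1900 default is fine since only deltas are used
            d["time"] = datetime.strptime(" ".join(d.pop("ts").split()), "%b %d %H:%M:%S")
            d["kind"] = kind
            d["src_port"], d["dst_port"] = int(d["src_port"]), int(d["dst_port"])
            return d
    return None


def is_lan_address(ip):
    """True for private (RFC 1918, link-local, loopback) addresses; False if unparsable."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def summarize(log_text):
    """Group blocked attempts per logging host: counts, rate, sources and targeted ports."""
    by_host = defaultdict(list)
    for ev in filter(None, (parse_ipfw_line(l) for l in log_text.splitlines())):
        by_host[ev["host"]].append(ev)
    report = {}
    for host, evs in by_host.items():
        times = [e["time"] for e in evs]
        span = (max(times) - min(times)).total_seconds()
        report[host] = {
            "events": len(evs),
            "span_seconds": span,
            "per_minute": round(len(evs) * 60 / span, 2) if span else None,
            "sources": {ip: {"count": n, "origin": "LAN" if is_lan_address(ip) else "external"}
                        for ip, n in Counter(e["src_ip"] for e in evs).items()},
            "ports": {p: PORT_LABELS.get(p, "unlabelled") for p in Counter(e["dst_port"] for e in evs)},
        }
    return report


def findings(report):
    """Plain-English notes a defender would draw from the per-host summary."""
    notes = []
    for host, s in report.items():
        ports = set(s["ports"])
        if ports <= FILE_SHARING_PORTS:
            notes.append(f"{host}: every blocked probe targeted Windows file-sharing ports "
                         f"{sorted(ports)}; background scanning for these is routine on any public "
                         "network, and these inbound-deny lines say nothing about traffic leaving the host.")
        for ip, info in s["sources"].items():
            if info["origin"] == "LAN":
                notes.append(f"{host}: source {ip} is an RFC 1918 address inside the LAN "
                             f"({info['count']} attempts); a router or other LAN device doing NetBIOS "
                             "name lookups is a common cause, so check that device's own services first.")
    return notes


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for host, s in rep.items():
        print(f"{host}: {s['events']} blocked attempts over {s['span_seconds']:.0f}s ({s['per_minute']} per minute)")
        for ip, info in s["sources"].items():
            print(f"  {ip:>16} {info['origin']:<8} x{info['count']}")
    for note in findings(rep):
        print("-", note)
```

Run it as a script for the sample, or pass your own copied ipfw lines to `summarize()`. Note the design limit: these are inbound-deny records, so they can tell you who is knocking and how often, but nothing about outbound traffic; and, as progmac says above, packets the firewall drops still count as received on the interface, which is why a traffic monitor keeps showing incoming bytes while nothing is listening.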
  • Reply 8 of 9
    lundy Posts: 4,466 member
    Quote:

    Originally posted by Kickaha

    Okay, here's one for you...





    Here's the interesting bit: 192.168.37.1 is my WiFi router. Inside my LAN. It has a firewall. Which is on. And not set up to DMZ to the laptop. And yet, somehow, it is apparently scanning my laptop's 137 port (Window Remote Access), using consecutive ports on the originating end.



    Anyone want to comment on that one? It's had me stumped for weeks.




    A shot in the dark - is the router looking for Universal Plug and Play connections?
  • Reply 9 of 9
    kickaha Posts: 8,760 member
    Oooooh, I hadn't thought of that, thanks. I'll look into it.