mDNSResponder - running under user "nobody" - have i been hacked?

Discussion in 'Mac Apps and Mac App Store' started by rabatjoie, Jan 10, 2004.

  1. rabatjoie macrumors member

    Joined:
    Jun 21, 2003
    Location:
    Paris
    #1
    hi,

    i'm running osx 10.2.8 on a pb g4 667

    i had some weird problems with my internet/internal network lately and so i looked into process viewer, and there i noticed that a process called "mDNSResponder" was running under the username "nobody" - although no such user is installed on my system. after doing some research on the internet, i found out that mDNSResponder is something used by rendezvous, but i also found a webpage where some guy described a rendezvous hack, mentioning that he is running the thing under the username "nobody", a "non-privileged user" as he called it...

    after this it might be stupid to ask, but was i hacked in some kind of way? ... i just want to make sure that i do not delete something important... :confused:

    thanks for any answers!
     
  2. robbieduncan Moderator emeritus

    Joined:
    Jul 24, 2002
    Location:
    London
    #2
    Do not worry, this is normal. mDNSResponder is part of Rendezvous (sp?). The nobody user is normal in Unix. It is a user without the ability to do much so most daemons (like this one) run as that user so if they get compromised nothing bad can happen.
     
  3. rabatjoie thread starter macrumors member

    Joined:
    Jun 21, 2003
    Location:
    Paris
    #3
    ok. that answers the question about the mDNSResponder... but i still have the feeling that i'm being hacked (sorry for being so paranoid)...

    i am behind a draytek router with integrated DSL modem and WLAN; my roommate is connected to the router via ethernet with his two laptops and we share the DSL connection to the internet. now what happens is that from time to time there seem to be ip address conflicts, that display at my roomie's computers (running win XP) as severe system failures (or something like that). my computer gives me the same messages about ip address conflicts, showing addresses referring to our internal network that we do not use; the same error keeps popping up, with the last number in the ip addresses increasing (example: 192.168.1.55, ...56, ...57, ...58 etc. me and my roomie use the last digits .10, .12, and .13). Another effect of this is that we lose the connection to the internet and also to the router; only after a restart of the router things work again.

    the router's built-in firewall blocks the common hacker attacks, and i use brickhouse on my computer, with the default features enabled. the wlan is set to only accept the MAC address of my airport card...

    any ideas?
     
  4. mrchinchilla macrumors 6502

    Joined:
    Mar 6, 2009
    #4
    Something similar to this has recently made me paranoid. I'm aware sometimes the 'find' command and others are used by 'nobody' as some form of routine thing, but I just found 5+ instances of sh running as root and nobody, along with cat, cp, rm and rmdir, and this freaked me out as the evil side of me suddenly thought maybe someone was remotely "rm -rf /"-ing me... (Terminal wasn't open) Obviously I force quitted them all, and I'm pretty sure it wasn't an 'attack' but scary nonetheless. Does anyone have the real explanation behind this? I also noticed cron had started running for the past 3 or so days (which I'm unable to force quit, it immediately restarts), and I haven't created any scheduled jobs.
     
  5. robbieduncan Moderator emeritus

    Joined:
    Jul 24, 2002
    Location:
    London
    #5
    Your Mac runs a set of scripts every day/week/month that clean up the system/rotate logs etc. You should not have killed them.
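
Added example, not part of the original thread: before killing an unfamiliar `sh`, `rm` or `find` process, trace its parent chain to see what started it. The process table below is constructed for illustration (user names, PIDs and the cron/periodic chain are assumptions, not output from either poster's machine), and the `ancestry` and `spawned_by` helper names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the column layout of `ps -axo user,pid,ppid,comm`.
# Assumption: command names contain no spaces (awk splits on whitespace).
SAMPLE_PS='USER PID PPID COMM
root 1 0 launchd
nobody 187 1 mDNSResponder
root 203 1 cron
root 598 203 sh
root 601 598 periodic
root 607 601 sh
nobody 612 607 find
root 615 607 rm
someuser 640 1 Terminal
someuser 655 640 sh'

# ancestry PID [PS_TEXT]
# Print "comm(user) <- parent(user) <- ..." from PID up to the top-level process.
ancestry() {
    printf '%s\n' "${2:-$SAMPLE_PS}" | awk -v start="$1" '
        NR > 1 { user[$2] = $1; ppid[$2] = $3; comm[$2] = $4 }  # skip header row
        END {
            if (!(start in comm)) { print "unknown pid"; exit 1 }
            pid = start; chain = ""; sep = ""
            # Follow parent links; the hop limit guards against a malformed table.
            for (hops = 0; (pid in comm) && hops < 64; hops++) {
                chain = chain sep comm[pid] "(" user[pid] ")"
                sep = " <- "
                pid = ppid[pid]
            }
            print chain
        }'
}

# spawned_by PID NAME [PS_TEXT]
# Succeed (exit 0) only if a process called NAME is an ancestor of PID.
spawned_by() {
    ancestry "$1" "${3:-$SAMPLE_PS}" | grep -qF " <- $2("
}

# On a live system, pass the real table instead of the sample:
#   ancestry 615 "$(ps -axo user,pid,ppid,comm)"
```

In the sample, the `rm` and `find` processes trace back to `periodic`, while the `sh` at PID 655 traces back to a Terminal window; a shell whose chain ends somewhere you do not recognise is the one worth a closer look.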
     
  6. mrchinchilla macrumors 6502

    Joined:
    Mar 6, 2009
    #6
    This is the conclusion I came to about 30 minutes after I posted.. But oh well, no harm done, I just panicked. :p
     
