bin/sh wants to listen to incoming connections?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Boomish69, Nov 30, 2015.

  1. Boomish69 macrumors 6502

    Joined:
    Sep 13, 2012
    Location:
    London
    #1
    I got this warning from my Hands Off firewall today after booting and wondered what it was
    "bin/sh wants to listen to incoming connections"
    I had a previous warning which was Apple time clock, which I allowed, then this warning, so I wondered what it could be. I did some updates yesterday and installed some software, can anyone tell me if it is safe to allow?
    I can't find any other info on it well none I can understand anyway..

    Appreciate the help..
     
  2. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #2
    Block it; the shell should never be allowed to access the internet, nor should it be trying to. What software have you installed and from where did you get it?
     
  3. Boomish69 thread starter macrumors 6502

    Joined:
    Sep 13, 2012
    Location:
    London
    #3
    Thanks for the reply, hmm I installed a bunch of things and some updates, I have no cracks or weird software, the address was a strange unixcode type of number starting fe80 and another starting fd00 on port 123 ntp, is this something to go with the Apple Clock? I can see a connection to 17.253.52.125 on the same port and that links to Apple in Cupertino..

    Really appreciate the advice
     
  4. cqexbesd macrumors regular

    Joined:
    Jun 4, 2009
    #4
    Yes. NTP is the network time protocol and is used for keeping clocks in sync across the Internet. The 2 addresses you mention sound like IPv6 addresses. The one beginning with fe80 is a link local address (https://en.wikipedia.org/wiki/Link-local_address).

    I would still be suspicious if /bin/sh wants to accept network connections. Did your firewall give you any details about that? If so try posting them. I wouldn't expect it is related to your clock.
     
  5. Boomish69 thread starter macrumors 6502

    Joined:
    Sep 13, 2012
    Location:
    London
    #5
    Thanks again for the reply, I deleted the rules shown in the firewall to see if it warned me again, but it hasn't! Now I'm confused, thanks for the reply, I'll def keep a watch on bin accessing the net.

    upload_2015-12-1_15-27-36.png

    Maybe I should close these too?

    Sorry maybe I'm just being paranoid.
     
  6. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #6
    ntpd is the NTP daemon and you'd have to allow it outgoing access in order for it to set your clock from other NTP servers on the internet. You do not have to allow incoming connections to ntpd though, unless you were trying to set up your computer as an NTP server.

    I would not recommend allowing incoming connections to ntpd, as the version Apple uses has had a history of very bad vulnerabilities and the code quality is poor.
     
  7. Boomish69, Dec 2, 2015
    Last edited: Dec 3, 2015

    Boomish69 thread starter macrumors 6502

    Joined:
    Sep 13, 2012
    Location:
    London
    #7
    Really appreciate the advice, damn I wonder how long that's been there, might be time for a fresh install, I occasionally do some beta testing & have run all kinds of installers but it's all legit stuff, maybe it's left over from some of that. I shall close those ports now!
    Time to do some security software research.. I ran a Malware check and that was fine.

    Thanks again for all the help everyone.

    UPDATE..
    I had a warning today for the NTPD to connect to IP 17.253.34.125, which it seems to my searching is a well known hacking site! Damn, not sure what to do now, is there any cleanup software anyone recommends I should check my system with? How do I disinfect the ntpd?

    Thanks so much for the help in finding this..god knows how it got there..
     
  8. cqexbesd macrumors regular

    Joined:
    Jun 4, 2009
    #8
    Belonging to that well known hacking company Apple Inc. 17.0.0.0/8 is all Apple.

    I recommend trying Google again :) From the name I expect that is an Apple NTP server though I haven't tried it.
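
The checks the replies above walk through (what kind of address is in the prompt, and whether that process should be listening at all), gathered into one triage helper. This is an added example, not part of any poster's message; the process paths, function names and sample alerts are assumptions constructed for illustration.

```python
import ipaddress

# Rules taken from the thread: 17.0.0.0/8 is Apple, NTP uses port 123,
# a shell should never listen, and ntpd only needs outgoing access.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
ULA_NET = ipaddress.ip_network("fc00::/7")   # contains the fd00::/8 range
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}  # assumed interpreter paths

def scope(addr):
    """Describe where an address lives so a prompt can be read at a glance."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %en0
    if ip.is_link_local:
        return "link-local (same network segment only)"
    if ip.version == 6 and ip in ULA_NET:
        return "IPv6 unique local (private network)"
    if ip.version == 4 and ip in APPLE_NET:
        return "Apple (17.0.0.0/8)"
    if ip.is_private:
        return "private"
    return "public, owner unknown: look it up before deciding"

def triage(process, direction, addr, port):
    """Return (verdict, reason) for one firewall prompt."""
    where = scope(addr)
    if process in SHELLS and direction == "in":
        return "block", f"a shell listening on port {port} is never expected ({where})"
    if process.endswith("ntpd") and port == 123:
        if direction == "out":
            return "allow", f"NTP client query to {where}"
        return "block", "inbound NTP is only needed when running an NTP server"
    return "review", f"{process} {direction} port {port}, {where}"

# Constructed sample prompts modelled on the thread; the IPv6 addresses and
# the last IPv4 address are made up, the Apple address is the one quoted above.
ALERTS = [
    ("/bin/sh", "in", "fe80::1%en0", 123),
    ("/bin/sh", "in", "fd00::1", 123),
    ("/usr/sbin/ntpd", "out", "17.253.34.125", 123),
    ("/usr/sbin/ntpd", "in", "203.0.113.7", 123),
]

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert, "->", *triage(*alert))
```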
     
  9. theSeb macrumors 604

    theSeb

    Joined:
    Aug 10, 2010
    Location:
    Poole, England
