Has someone hacked into my network?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Thorbjorn, Oct 6, 2009.

  1. Thorbjorn macrumors regular

    Joined:
    Jan 14, 2008
    #1
    I've got a small home network with Time Capsule as my base station and (usually) my iMac and my MacBook Air and printer connected. In finder windows on my iMac, no one else shows up. In finder windows on my MBA, however, fairly frequently there's an unknown computer that pops up under "Shared" listed as "macintosh-2" (sic, lower-case). I've got the firewall set up, and yesterday I changed both the Time Capsule password and the network password, but lo and behold that macintosh-2 remounted today. Should I be worried? Should I change anything?

    And weird that it doesn't show in my iMac's finder windows--but then again, neither does my MBA. I haven't bothered to work that in, since it works the other way 'round.
     
  2. dazey macrumors 6502

    Joined:
    Dec 9, 2005
    #2
If you change the wifi network password and it's still there straight away then no, it can't be someone hacking in. It takes time and traffic to hack wifi networks. If it pops back after a length of time and your network is active and you are running WEP then it could have been re-hacked.

If you are running WEP, change to WPA, much harder to crack.
     
  3. MasterDev macrumors 65816

    Joined:
    Sep 14, 2009
    #3
    No matter what kind of network it is, if you know what you are doing, then it's easy to hack it.

    @OP - Any chance one of your macs is named Macintosh-2?
     
  4. Thorbjorn thread starter macrumors regular

    Joined:
    Jan 14, 2008
    #4
    Dazey, I'm already on WPA/WPA-2. And, yeah, MasterDev, I've been scratching my head about possible other computers in-house. My iBook G4 is turned off. Ditto my old iMac, which I've never used wirelessly and isn't hooked up to ethernet right now. My son was here with his macs this summer, but they're all gone. My Pismo hasn't worked in a couple of years, and my Duo, well, 'nuff said... I'm plain old puzzled.
     
  5. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #5
    Is one of your computers named simply "Macintosh"? The naming pattern "macintosh-2" suggests mDNS is seeing a collision with "macintosh" (canonical lower-case form) and the colliding host is generating a unique name.

    As to why there might be a collision in the first place, is one of your hosts using both wired and wireless at the same time? Perhaps with DHCP, so it might get different IP addresses for each transport mode.

    If you use both wired and wireless, does the spurious host disappear if you disable one of the transport modes in the Network prefspane?

    If you use Network Utility.app and ping or lookup "macintosh-2", what IP address does it return?

    If you run Bonjour Browser.app, does it show separate hosts or IP addresses for every known computer and "macintosh-2"?

    http://en.wikipedia.org/wiki/Bonjour_Browser
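As an added illustration of the collision behaviour chown33 describes (not code from the thread or from Apple), this constructed Python model follows the RFC 6762 section 9 rule: mDNS compares names case-insensitively, and a host whose desired name is already claimed appends "-2", "-3", and so on. The derivation of a Bonjour local hostname from a computer name is an assumed approximation of what macOS does, and the network names are made up.

```python
import re


def local_host_name(computer_name: str) -> str:
    """Approximate how a user-facing ComputerName becomes a Bonjour LocalHostName.

    Assumption (not taken from the thread): apostrophes are dropped, any other
    run of non-alphanumeric characters becomes a single '-', and edge hyphens
    are trimmed, e.g. "Thorbjorn's iMac" -> "Thorbjorns-iMac".
    """
    name = computer_name.replace("'", "").replace("\u2019", "")
    name = re.sub(r"[^A-Za-z0-9]+", "-", name).strip("-")
    return name or "localhost"


def resolve_conflict(desired: str, names_in_use) -> str:
    """Pick a unique mDNS hostname, modelled on RFC 6762 section 9.

    Comparison is case-insensitive (so "Macintosh" collides with "macintosh").
    On a conflict the host appends "-2"; if the name already carries a numeric
    suffix, that suffix is incremented instead, giving "-3", "-4", ...
    """
    taken = {n.lower() for n in names_in_use}
    candidate = desired
    while candidate.lower() in taken:
        match = re.fullmatch(r"(.*)-(\d+)", candidate)
        if match:
            candidate = f"{match.group(1)}-{int(match.group(2)) + 1}"
        else:
            candidate = f"{candidate}-2"
    return candidate


def join_network(computer_name: str, names_in_use) -> str:
    """Constructed scenario: a Mac joins a link where some names are already claimed."""
    return resolve_conflict(local_host_name(computer_name), names_in_use)


if __name__ == "__main__":
    # Constructed example: a machine called "Macintosh" joins a network where the
    # name "macintosh" (any case) is already announced, and ends up as "Macintosh-2",
    # which is exactly the kind of entry that shows up under "Shared" in the Finder.
    print(join_network("Macintosh", ["macintosh", "Thorbjorns-iMac"]))
```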
     
  6. Thorbjorn thread starter macrumors regular

    Joined:
    Jan 14, 2008
    #6
    Thanks, Chown33. I tried your suggestions. I pinged from both networked computers (both wireless only, not wired), and both returned "unknown host" when queried about "macintosh-2". I downloaded and ran BonjourBrowser on both (thanks for that, by the way: a nice little app). Nothing there that would raise an eyebrow.

    Earlier I did a restart on my MBA, which is the computer which shows the macintosh-2 under the Shared files. When it rebooted, mac-2 was gone--for a while--but I just took a look and it/he/she is back. And, FWIW, the little automatic icon for it looks like an older Mac. Total mystery.
     
  7. dmmcintyre3 macrumors 68020

    Joined:
    Mar 4, 2007
    #7
    Turn off your iMac, it might go away. If it does it's your iMac
     
  8. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #8
    I suspect it's a vestigial "misremembered" host identifier of some kind. I wish I could be more specific, but I've seen "phantom" hosts before on my local network, though they've always eventually gone away.

I got them when I was messing around to see how mDNS resolved name collisions, invalid characters in hostnames, duplicate manually assigned IP addresses, etc. That was done as part of some networking investigation I was doing shortly after Leopard came out. Wireless was turned off, so it definitely wasn't due to multiple transport media.

    One other thing to try: create a new non-admin account on the MBA, log out from your current acct, log into the new one, and see if the phantom appears. If not, then it suggests there's a prefs file or something on your original account that's holding this vestigial host reference.

    I'll also mention that if the name doesn't resolve (i.e. you can't ping it or contact it), then it's probably a phantom. Maybe it's the mDNS cache or something similar, but that's just a guess. I'm hardly a networking expert.

    Another thing to look for is your NAT router's list of hosts and ports. If it doesn't show any unexpected IP addresses, then the phantom isn't going outside the subnet.
     
  9. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #9
    Try running the following on your machines:

    Code:
    scutil --get ComputerName
    scutil --get LocalHostName
    scutil --get HostName
    Tell us what comes out. Also, check your NetBIOS Name in Network --> Advanced --> WINS.
     
  10. Les Kern macrumors 68040

    Les Kern

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #10
    They do, and it's a collision of short names. Happens all the time for me at work. This isn't hacking or some security breach, it's merely the result of the voodoo they call "networking" or "DNS" or "Bonjour".
    Relax.
     
  11. dazey macrumors 6502

    Joined:
    Dec 9, 2005
    #11
Not without time it isn't. If you're in London I will seriously bet you up to £2k that you can't hack into my network in 15 minutes. You can sit outside the windows, the router will be on but there won't be any traffic. Turn up with the cash please.
     
  12. polaris20 macrumors 68020

    Joined:
    Jul 13, 2008
    #12
    Within 15 minutes outside someone's window is pretty impossible, given the right setup. For example, my network is WPA2/AES with long non-dictionary passphrase, MAC address control list, no broadcast SSID, no DHCP, and wireless has to VPN into my wired network to access my servers. I am not too concerned. :)
     
  13. barbu macrumors regular

    barbu

    Joined:
    Jul 8, 2013
    Location:
    ott.on.ca
    #13
    Be careful. None of those are really security features. In fact, by not broadcasting your SSID, your machines may end up more vulnerable since they will have to probe for the network instead. This means that when you take your machine out of the house, you may run into someone running something nasty (like hotspotter, evil twin, etc) that will respond to those probes and you could end up MITMed. Just something to think about.
    MAC whitelisting doesn't accomplish much either, since anyone can sniff your Wi-Fi to learn what MAC addresses are in use, and just use one of those. And no DHCP, well, that's just inconvenient ;-) So while there is nothing wrong with what you've done, I am afraid you have made your network much more difficult to use without really increasing security. Food for thought.
     
  14. inkswamp macrumors 68030

    inkswamp

    Joined:
    Jan 26, 2003
    #14
    How closely do you live to your neighbors? Is it possible some kind of ad hoc network between your Mac and a neighbor could be happening? It doesn't seem likely if you live in a house, but in an apartment, it's definitely possible. Look in your wifi menu to see if there are any machine-to-machine networks listed (i.e., a network generated by another computer) and make sure you're not inadvertently connecting to it.

    Secondly (and maybe this is too obvious) have you tried just clicking on it to see what's in the share? If you see stuff you recognize, then you can be reasonably sure this is some kind of UI fluke and ignore it.
     
  15. millerj123 macrumors 6502a

    Joined:
    Mar 6, 2008
    #15
    Somehow I doubt Thorbjorn is still trying to solve this conundrum. Hasn't posted in 5 years.
     
  16. inkswamp macrumors 68030

    inkswamp

    Joined:
    Jan 26, 2003
    #16
    LOL! That's hilarious. Guess that's what I get for not looking at the dates.

    Weird then that it was highlighted on the righthand side of the site. That's where I noticed it. Assumed it was current.

    Oh well, maybe it will help someone in the future searching to fix the same problem. :^)
     
  17. millerj123 macrumors 6502a

    Joined:
    Mar 6, 2008
    #17
    I thought it was funny, too. I seem to recall at least one recent update that caused a single computer to look like two on networks, but that was when I looked at the first post date. Usually, when things sound too wonky, I wonder what pesky little details the OPs leave out.

    No worries, let's hope his network is back up and running.
     
  18. mlts22 macrumors 6502a

    Joined:
    Oct 28, 2008
    #18
    I think the moral of this story is to have a very long WPA2 passphrase. Even if it is a relatively simple typed in sentence, getting over 20-30 characters pretty much makes brute-forcing not feasible. Other items like MAC restrictions, hiding the SSID are just theater and don't really add much.

    Of course, there is always running RADIUS and going with WPA2-Enterprise, or having the Wi-Fi access point go to a network connected to nothing but a hardened server, and the client makes a VPN to go from there.
     
  19. polaris20 macrumors 68020

    Joined:
    Jul 13, 2008
    #19
Not really, no. Everything's set in network profiles, and I don't get new machines every day, so it's really not at all inconvenient. And you're also leaving out part of my post that says I VPN into the inner, wired network. Don't leave that important detail out. I highly doubt 95% of this forum's wireless networks are as secure as mine. I'm fully aware MAC address control lists, non-broadcasting SSIDs, and non-DHCP aren't "security features". However, given the small farm town I live in, it's highly unlikely that once someone's sniffed the wireless well enough to determine what address to spoof, what subnet to use, etc., they still have to crack the long WPA2 passphrase, AND 256-bit AES encryption to get past the VPN connection to the inner network. Given that that's shared key + passphrase, that's pretty unlikely. Tell me, what's your setup?
     
  20. barbu macrumors regular

    barbu

    Joined:
    Jul 8, 2013
    Location:
    ott.on.ca
    #20
Well, sniffing the wireless to learn MAC addresses takes seconds, if they are communicating. You only need one to defeat MAC filtering. I'm sorry, indeed I missed the detail about your VPN into your own network in your own house. I do question the use of a VPN (massive overhead); it is very unusual since you could most likely accomplish the same sort of segregation with a decent switch and VLANs. And I am not sure what you mean by "shared key + passphrase" because those words are synonyms.
    My setup is very modest. I use an AirPort Extreme (ac) with WPA2. That's it. My iMac is a server and I run a few custom pf chains. I am extremely confident in this arrangement.
     
  21. barbu macrumors regular

    barbu

    Joined:
    Jul 8, 2013
    Location:
    ott.on.ca
    #21
    I also wonder what your servers are for if they are segregated behind your internal VPN. Are servers not meant to be accessible? Maybe I am missing something.
     
  22. polaris20, Aug 4, 2015
    Last edited: Aug 4, 2015

    polaris20 macrumors 68020

    Joined:
    Jul 13, 2008
    #22
There's not really massive overhead at all; it's quite fast actually. I could accomplish something with VLANs, but it wouldn't be as secure. Shared key + passphrase aren't always the same thing. In this case, it's a shared key file plus the passphrase.

    Really, any of it is likely overkill, as there's no one in this area that has the skill required to crack a WPA2 passphrase. I just do this stuff because it's entertaining to see how it works, doesn't work, if it's too much of a hindrance, etc.

    It would take a lot of compute power to crack WPA2, and by then I'd have changed the passphrase anyway; I never keep them very long.
     
  23. polaris20 macrumors 68020

    Joined:
    Jul 13, 2008
    #23
    They are accessible. Via VPN, and that's only for wireless. Wired it works without.
     