Hello: My Mac has been running extremely slow, and I noticed the lights on my router have been blinking like crazy (lots of network activity). I downloaded Nmap for Mac, and the findings were interesting.

Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-25 09:09 MST
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 09:09
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 09:09, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:09
Completed Parallel DNS resolution of 1 host. at 09:09, 0.05s elapsed
Initiating SYN Stealth Scan at 09:09
Scanning 192.168.0.1 [65535 ports]
Discovered open port 80/tcp on 192.168.0.1
Discovered open port 23/tcp on 192.168.0.1
Discovered open port 53/tcp on 192.168.0.1
Discovered open port 443/tcp on 192.168.0.1
SYN Stealth Scan Timing: About 45.41% done; ETC: 09:10 (0:00:37 remaining)
Discovered open port 52869/tcp on 192.168.0.1
Discovered open port 52900/tcp on 192.168.0.1
Discovered open port 1111/tcp on 192.168.0.1
Completed SYN Stealth Scan at 09:10, 67.58s elapsed (65535 total ports)
Initiating Service scan at 09:10
Scanning 7 services on 192.168.0.1
Completed Service scan at 09:11, 21.21s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.1
NSE: Script scanning 192.168.0.1.
Initiating NSE at 09:11
Completed NSE at 09:11, 16.32s elapsed
Nmap scan report for 192.168.0.1
Host is up (0.0039s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet BusyBox telnetd
53/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
80/tcp open http i3 micro or Linksys SPA400 VoIP gateway http config
|_http-title: Qwest Modem Configurator
443/tcp open ssl/http thttpd
|_sslv2: server still supports SSLv2
|_http-title: Qwest Modem Configurator
| ssl-cert: Subject: commonName=threefigs/organizationName=Actiontec/stateOrProvinceName=CA/countryName=US
| Issuer: commonName=Steven/organizationName=Actiontec/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2006-08-31 02:59:16
| Not valid after: 2022-02-18 02:59:16
| MD5: 6c65 6329 a6c4 6ab1 9c6b ab8e 2959 5a15
|_SHA-1: c191 8256 a80e 78dc bbea b48d 575e 2afb 86a3 ab71
1111/tcp open telnet BusyBox telnetd
52869/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
52900/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
MAC Address: 00:24:7B:27:19:34 (Actiontec Electronics)
Device type: general purpose
Running: MontaVista Linux 2.4.X
OS CPE: cpe:/o:montavista:linux:2.4
OS details: MontaVista embedded Linux 2.4.17
Uptime guess: 0.995 days (since Wed Oct 24 09:18:36 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=203 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; Device: VoIP adapter; CPE: cpe:/o:linux:kernel

TRACEROUTE
HOP RTT ADDRESS
1 3.86 ms 192.168.0.1

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.27 seconds
Raw packets sent: 66909 (2.945MB) | Rcvd: 65833 (2.650MB)

It found a telnet process (which does not appear in activity monitor and which closed itself as I began typing this), when telnet was not opened.
I noticed one of the protocols is voice over IP. I've had two strange processes open, and one is listed as VDCassistant. The other I can't remember the name of, and it disappeared as I was typing this. I did a Port Scan with Network Utility and got the following information:

Port Scan has started
Port Scanning host: 192.168.0.1
Open TCP Port: 23 telnet
Open TCP Port: 53 domain
Open TCP Port: 80 http
Open TCP Port: 443 https
Open TCP Port: 1111 lmsocialserver
Open TCP Port: 52869
Open TCP Port: 52900
Port Scan has completed

The Actiontec modem is mine, but there shouldn't be any telnet or Linux boxes running, e.g. "Montavista Linux." I understand lmsocialserver is a remote access trojan, but I believe it only works on Windows. ClamAV did not alert to it.

Lastly, I've had unknown devices connected to my router. The MAC addresses trace to Akamai in Phoenix (strange because I live in Tucson).

unknown 192.168.0.4 10:9a:dd:9d:95:9b Unavailable
unknown 192.168.0.3 00:e0:91:d2:10:a9 Unavailable

Does this sound like my Mac is being hacked? What should I do, and how can I tell who it is? Also, how do I close connections on the devices that are connected to my router? Thanks!
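
Added example, not part of the original post: a Python sketch that lines up the two scans quoted above by port number, so a name attached to a port can be compared with the service Nmap's version probe reported on it. It assumes Network Utility's names are the registered service names for each port number; the function names, the `EQUIVALENT` table and the abridged sample rows are constructed for illustration.

```python
import re

# Constructed sample: open-port rows abridged from the two scans quoted in the post.
NMAP_PORTS = """\
23/tcp open telnet BusyBox telnetd
53/tcp open upnp Intel UPnP reference SDK 1.2
80/tcp open http i3 micro or Linksys SPA400 VoIP gateway http config
443/tcp open ssl/http thttpd
1111/tcp open telnet BusyBox telnetd
52869/tcp open upnp Intel UPnP reference SDK 1.2
"""
NETUTIL_PORTS = """\
Open TCP Port: 23 telnet
Open TCP Port: 53 domain
Open TCP Port: 80 http
Open TCP Port: 443 https
Open TCP Port: 1111 lmsocialserver
Open TCP Port: 52869
"""
EQUIVALENT = {("ssl/http", "https")}  # assumption: same service, two spellings
CLEARTEXT_ADMIN = {"telnet"}          # remote shell with no transport encryption

def parse_nmap(text):
    """Map port -> (probed service, version banner) from the PORT table rows."""
    rows = re.findall(r"^(\d+)/tcp[ \t]+open[ \t]+(\S+)[ \t]*(.*)$", text, re.M)
    return {int(p): (svc, ver.strip()) for p, svc, ver in rows}

def parse_netutil(text):
    """Map port -> name label (None when the tool printed no name)."""
    rows = re.findall(r"^Open TCP Port:[ \t]+(\d+)[ \t]*(\S*)$", text, re.M)
    return {int(p): (name or None) for p, name in rows}

def triage(nmap_text, netutil_text):
    """Return {port: [notes]} for name/probe mismatches and cleartext admin services."""
    probed, labelled = parse_nmap(nmap_text), parse_netutil(netutil_text)
    findings = {}
    for port, (svc, banner) in sorted(probed.items()):
        notes, label = [], labelled.get(port)
        if label and label != svc and (svc, label) not in EQUIVALENT:
            notes.append(f"name '{label}' goes with the port number; probe saw {svc} ({banner})")
        if svc in CLEARTEXT_ADMIN:
            notes.append("cleartext remote shell service on the router")
        if notes:
            findings[port] = notes
    return findings

if __name__ == "__main__":
    for port, notes in triage(NMAP_PORTS, NETUTIL_PORTS).items():
        print(port, "; ".join(notes))
```

On these rows the mismatches are ports 53 and 1111: the names `domain` and `lmsocialserver` differ from what the probe identified there (the UPnP SDK and BusyBox telnetd on the scanned host, 192.168.0.1).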