Mac being Hacked?

Discussion in 'OS X Mountain Lion (10.8)' started by immobilus, Oct 25, 2012.

  1. immobilus macrumors member

    May 5, 2012

    My Mac has been running extremely slow, and I noticed the lights on my router have been blinking like crazy (lots of network activity). I downloaded Nmap for Mac, and the findings were interesting.

    Starting Nmap 6.01 ( ) at 2012-10-25 09:09 MST
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 09:09
    Scanning [1 port]
    Completed ARP Ping Scan at 09:09, 0.01s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 09:09
    Completed Parallel DNS resolution of 1 host. at 09:09, 0.05s elapsed
    Initiating SYN Stealth Scan at 09:09
    Scanning [65535 ports]
    Discovered open port 80/tcp on
    Discovered open port 23/tcp on
    Discovered open port 53/tcp on
    Discovered open port 443/tcp on
    SYN Stealth Scan Timing: About 45.41% done; ETC: 09:10 (0:00:37 remaining)
    Discovered open port 52869/tcp on
    Discovered open port 52900/tcp on
    Discovered open port 1111/tcp on
    Completed SYN Stealth Scan at 09:10, 67.58s elapsed (65535 total ports)
    Initiating Service scan at 09:10
    Scanning 7 services on
    Completed Service scan at 09:11, 21.21s elapsed (7 services on 1 host)
    Initiating OS detection (try #1) against
    NSE: Script scanning
    Initiating NSE at 09:11
    Completed NSE at 09:11, 16.32s elapsed
    Nmap scan report for
    Host is up (0.0039s latency).
    Not shown: 65528 closed ports
    23/tcp open telnet BusyBox telnetd
    53/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
    80/tcp open http i3 micro or Linksys SPA400 VoIP gateway http config
    |_http-title: Qwest Modem Configurator
    443/tcp open ssl/http thttpd
    |_sslv2: server still supports SSLv2
    |_http-title: Qwest Modem Configurator
    | ssl-cert: Subject: commonName=threefigs/organizationName=Actiontec/stateOrProvinceName=CA/countryName=US
    | Issuer: commonName=Steven/organizationName=Actiontec/stateOrProvinceName=CA/countryName=US
    | Public Key type: rsa
    | Public Key bits: 1024
    | Not valid before: 2006-08-31 02:59:16
    | Not valid after: 2022-02-18 02:59:16
    | MD5: 6c65 6329 a6c4 6ab1 9c6b ab8e 2959 5a15
    |_SHA-1: c191 8256 a80e 78dc bbea b48d 575e 2afb 86a3 ab71
    1111/tcp open telnet BusyBox telnetd
    52869/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
    52900/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
    MAC Address: 00:24:7B:27:19:34 (Actiontec Electronics)
    Device type: general purpose
    Running: MontaVista Linux 2.4.X
    OS CPE: cpe:/o:montavista:linux:2.4
    OS details: MontaVista embedded Linux 2.4.17
    Uptime guess: 0.995 days (since Wed Oct 24 09:18:36 2012)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=203 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OS: Linux; Device: VoIP adapter; CPE: cpe:/o:linux:kernel

    1 3.86 ms

    NSE: Script Post-scanning.
    Read data files from: /usr/local/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 108.27 seconds
    Raw packets sent: 66909 (2.945MB) | Rcvd: 65833 (2.650MB)

    It found a telnet process (which does not appear in activity monitor and which closed itself as I began typing this), when telnet was not opened. I noticed one of the protocols is a voiceover IP. I've had two strange processes open, and one is listed as VDCassistant. The other I can't remember the name of and disappeared as I was typing this.

    I did a Port Scan with Network Utility and got the following information:

    Port Scan has started…

    Port Scanning host:

    Open TCP Port: 23 telnet
    Open TCP Port: 53 domain
    Open TCP Port: 80 http
    Open TCP Port: 443 https
    Open TCP Port: 1111 lmsocialserver
    Open TCP Port: 52869
    Open TCP Port: 52900
    Port Scan has completed…

    The actiontec modem is mine, but there shouldn't be any telnet or linux boxes running, e.g. "Montavista Linux." I understand lmsocialserver is a remote access trojan, but I believe it only works on windows. ClamVA did not alert to it.

    Lastly, I've had unknown devices connected to my router. The Mac addresses trace to Akamai in Phoenix (strange because I live in Tucson).





    Does this sound like my Mac is being hacked? What should I do, and how can I tell who it is? Also, how do I close connections on the devices that are connected to my router?

  2. 50548 Guest

    Apr 17, 2005
    Currently in Switzerland
    I can't really tell; but for all it's worth, Apple uses Akamai servers extensively in order to serve software updates - I don't think hacking activities would originate from Akamai servers...not to mention that the chances of having your Mac hacked are close to zero (unless you have downloaded pirated stuff from shady sites or were a victim of social engineering attacks).
  3. immobilus thread starter macrumors member

    May 5, 2012
    I plead the fifth there...

    Thanks for the response though...

    Anyone else have an idea?
  4. robgendreau macrumors 68040

    Jul 13, 2008
    The linux box is your Actiontec. And some of that communication may be your "linux box," as it should be.
  5. mrapplegate macrumors 68030

    Feb 26, 2011
    Cincinnati, OH
    Most modems run linux and it appears your modem is running it:
    MAC Address: 00:24:7B:27:19:34 (Actiontec Electronics)
    Device type: general purpose
    Running: MontaVista Linux 2.4.X

    Busybox appears to be using the telnet.
    I'm not seeing any problems here, but that's just my opinion.

Share This Page