Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

mDNSResponder - running under user "nobody" - have i been hacked?

R

rabatjoie

macrumors member
Original poster
Jun 21, 2003
53
0
Paris
hi,

i'm running osx 10.2.8 on a pb g4 667

i had some weird problems with my internet/internal network lately and so i looked into process viewer, and there i noticed that a process called "mDNSResponder" was running under the username "nobody" - although no such user is installed on my system. after doing a research on the internet, i found out that mDNSResponder is something used by rendezvous, but i also found a webpage where some guy described a rendezvous hack, mentioning that he is running the thin under the username "nobody", an "non-privileged user" how he called it...

after this it might be stupid to ask, but was i hacked in some kind of way? ... i just want to make sure that i do not delete something important... :confused:

thanks for any answers!
 
Do not worry, this is normal. mDNSResoponder is part of Rendevous (sp?). The nobody user is normal in Unix. It is a user without the ability to do much so most daemons (like this one) run as that user so if they get comprimised nothing bad can happen.
 
ok. that answers the question about the mDNSResponder... but i still have the feeling that i'm being hacked (sorry for being so paranoid)...

i am behind a draytek router with integrated DSL modem and WLAN; my roomate is connected to the router via ethernet with his two laptops and we share the DSL connection to the internet. now what happens is that from time to time there seem to be ip address conflicts, that display at my roomies computers (running win XP) as severe system failures (or something like that). my computer gives me the same messages about ip address conflicts, showing addresses referring to our internal network that we do not use; the same error keeps popping up, with the last number in the ip addresses increasing (example: 192.168.1.55, ...56, ...57, ...58 etc. me and my roomie use the last digits .10, .12, and .13). Another effect of this is that we lose the connection to the internet and also to the router; only after a restart of the router things work again.

the router's built-in firewall blocks the common hacker attacks, and i use brickhouse on my computer, with the default features enabled. the wlan is set to only accept the MAC address of my airport card...

any ideas?
 
Something similar to this has recently made me paranoid. I'm aware sometimes the 'find' command and others are used by 'nobody' as some form of routine thing, but I just found 5+ instances of sh running as root and nobody, along with cat, cp, rm and rmdir, and this freaked me out as the evil side of me suddenly thought maybe someone was remotely "rm -rf /"-ing me... (Terminal wasn't open) Obviously I force quitted them all, and I'm pretty sure it wasn't an 'attack' but scary nonetheless. Does anyone have the real explanation behind this? I also noticed cron had started running for the past 3 or so days (which I'm unable to force quit, it immediately restarts), and I haven't created any scheduled jobs.
 
mrchinchilla said:
Something similar to this has recently made me paranoid. I'm aware sometimes the 'find' command and others are used by 'nobody' as some form of routine thing, but I just found 5+ instances of sh running as root and nobody, along with cat, cp, rm and rmdir, and this freaked me out as the evil side of me suddenly thought maybe someone was remotely "rm -rf /"-ing me... (Terminal wasn't open) Obviously I force quitted them all, and I'm pretty sure it wasn't an 'attack' but scary nonetheless. Does anyone have the real explanation behind this? I also noticed cron had started running for the past 3 or so days (which I'm unable to force quit, it immediately restarts), and I haven't created any scheduled jobs.
Click to expand...

You Mac runs a set of scripts every day/week/month that clean up the system/rotate logs etc. You should not have killed them.
 
robbieduncan said:
You Mac runs a set of scripts every day/week/month that clean up the system/rotate logs etc. You should not have killed them.
Click to expand...

This is the conclusion I came to about 30 minutes after I posted.. But oh well, no harm done, I just panicked. :p
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back