TheYoungHustla

macrumors newbie
Original poster
Apr 16, 2009
Hello, I'm a new member here and need you guys' help. I've taken many steps since March of this year to keep my wireless network from being hacked, from upgrading to WPA from WEP, changing the password, MAC filtering (which I found out is useless), and decreasing the transmit channel. Then sometimes I would see my Mail.app launch on its own, and decided to use Little Snitch. I noticed a lot of things going on that were still connecting to my computer w/o any apps running at all, just by being connected to the internet. Especially things trying to connect to Finder and a lot of connections in mDNSResponder (shows all things connected to wireless network) (usually shows about 6 connections!!!). I'm on Comcast, and they require us to use these Netgear routers that are distributed by them that do not currently have WPA2 enabled. So, I logged into my router and decided to add 'Parental Controls' with websites that had keywords "porn", "murder", "sex", etc. Since I'm the only one that really uses my home network, so I suppose, and I don't associate myself with any websites that deal with murder, sex or porn, this would possibly be exposed if my network was STILL compromised. And after checking the 'Parental Control Internet Activity Log' from logging into my router connected to the Comcast Home Networking system, I noticed constant attempts to access sites w/ porn, and sex. It shows the time and the MAC address that attempted to connect to the website. Now this perv has used my MAC address and is using that to access my wireless network. I've tried changing my MAC address by following some tutorial online using Terminal, but it went back to my original MAC address once I restarted... Not to say someone here can successfully guide me to change my MAC address, then hide it, to stop this... I need to figure out how to eliminate this problem, ONCE AND FOR ALL... hopefully the experts here at MacRumors can help me.

Current setup:
Macbook Pro
Leopard 10.5.6
Comcast Home Network
WPA
 
Did you download CS4 or iWork lately? :) It could be that trojan that's connecting from your Mac...
 
Try connecting straight to the router via cable and turn off wireless network to see if your wireless network is actually compromised. If it isn't compromised, you probably have a trojan.
 
Go into your router settings and change your DHCP server settings, change the ending address to something like 2 or 3. This will only let 2-3 computers access your network regardless of the other settings. If you only have one computer then change this number to 2. One is for router and 2 will be your computer connecting to the router.

This will block all other users trying to access your wifi or direct connect network.
 
WPA is secure as long as you use a long, non-dictionary password.

If someone has the storage space and computing power to brute force a strong WPA key, they'll know how to defeat MAC address spoofing (it's simple.)

If you suspect a trojan, you could download something like iAntiVirus to do a scan of your system (but backup your data first.)
 
Wow..thanks for the help so far...

No I don't have kids.
Didn't know any Trojans or any type of virus was floating around on Macs.
I have downloaded Photoshop & Flash CS4, but they're legit directly from the Adobe website, non-pirated software.

Try connecting straight to the router via cable and turn off wireless network to see if your wireless network is actually compromised. If it isn't compromised, you probably have a trojan.
Ok, I've tried that before, my MAC Address changed obviously because I was on an Ethernet cable, checked my 'Parental Control Internet Activity Log' and the constant attempts matched that MAC address as well.

Go into your router settings and change your DHCP server settings, change the ending address to something like 2 or 3. This will only let 2-3 computers access your network regardless of the other settings. If you only have one computer then change this number to 2. One is for router and 2 will be your computer connecting to the router.

This will block all other users trying to access your wifi or direct connect network.
Comcast doesn't allow that option to change the DHCP server settings, it just says it's "enabled".


WPA is secure as long as you use a long, non-dictionary password.

If someone has the storage space and computing power to brute force a strong WPA key, they'll know how to defeat MAC address spoofing (it's simple.)

If you suspect a trojan, you could download something like iAntiVirus to do a scan of your system (but backup your data first.)

Thanks for that tip, installed iAntivirus and nothing came up so far, while doing a full scan of my entire HD.

I am using a long 26-character alphanumeric passphrase that is not something you can easily think of or is in the dictionary/encyclopedia.
Let it be known, I'm also using FileVault, enabled Stealth Mode in my Firewall and under my sharing section in System Preference, I share NOTHING!
EDIT:Screenshots removed
 
Calm down, no one has hacked your computer, MAC address or wireless network. A few minutes reading the directions that go with Little Snitch and a couple of googles would have answered all your questions.

Notice the giant icon in the upper left corner of the Little Snitch pop-up window? That's the icon of the program on your computer that is trying to open a port; below that it lists the name and path of the program on your computer.

In the first one it is the copy of Word that you are running trying to connect to port 3368. Word does this in order to scan your network for other copies of Word or Office using the same license key. It's an anti-piracy measure.

In the second and third screenshots your copy of iAntivirus is using nmblookup to check your network for NetBIOS or Samba directories to scan. Finder does the same thing, it calls nmblookup periodically to discover shared directories.

The automountd access may have to do with Time Machine or some other process on your machine looking for a shared directory.

I'm not sure how Comcast's parental controls work, but just because a website has the word porn or murder on it doesn't mean it is a porn site; tons of websites have those words on them, even MacRumors. They could well be false hits, or a normal website might have ads on it from servers that also serve ads to porn sites, so the ad server has gotten on Comcast's blacklist.
 
Calm down, no one has hacked your computer, MAC address or wireless network. A few minutes reading the directions that go with Little Snitch and a couple of googles would have answered all your questions.

Notice the giant icon in the upper left corner of the Little Snitch pop-up window? That's the icon of the program on your computer that is trying to open a port; below that it lists the name and path of the program on your computer.

In the first one it is the copy of Word that you are running trying to connect to port 3368. Word does this in order to scan your network for other copies of Word or Office using the same license key. It's an anti-piracy measure.

In the second and third screenshots your copy of iAntivirus is using nmblookup to check your network for NetBIOS or Samba directories to scan. Finder does the same thing, it calls nmblookup periodically to discover shared directories.

The automountd access may have to do with Time Machine or some other process on your machine looking for a shared directory.

I'm not sure how Comcast's parental controls work, but just because a website has the word porn or murder on it doesn't mean it is a porn site; tons of websites have those words on them, even MacRumors. They could well be false hits, or a normal website might have ads on it from servers that also serve ads to porn sites, so the ad server has gotten on Comcast's blacklist.

Thanks for taking the time to explain that to me...
In the final portion of what I read, I don't have Time Machine installed or any type of backup/storage device, so idk where that's coming from. Why would anything be looking for a shared directory in the first place if I don't have anything set to share in my Sharing settings of System Preferences?
And those attempts pop up once I connect to my network, without even opening up a browser (I've tested this and didn't open up a browser for a few hours and the attempts happened during that time), and stop whenever I disconnect from Airport. I just find all of this weird, that's all. The Mail.app opening on its own and my settings being changed w/o me doing it myself is what had me suspicious.
 
Oh I set it up correctly, it's just that many would agree w/ me that many immoral hackers will go out of their way and "sniff" for MAC addresses and spoof their own to get onto your network...
 
You are looking at the wrong problem.

Sounds like you have installed some kind of trojan.

If someone has access to your computer via a trojan, changing your MAC address will not change anything.

Backup your data and reinstall the system.
 
It is useless. So is WEP. WPA can be useless if you use a weak password.
If you are using it as your main security option obviously. :rolleyes: .. It has many other uses.
Use it along with WPA for one thing.

You could also use it to easily separate networks. So one user on your network does not have access to another subnet.

Calling it outright useless is incorrect. It has its uses.
 
If you are using it as your main security option obviously. :rolleyes: .. It has many other uses.
Use it along with WPA for one thing.

You could also use it to easily separate networks. So one user on your network does not have access to another subnet.

Calling it outright useless is incorrect. It has its uses.

It doesn't do anything for security, in any combination of encryption methods. MAC addresses are broadcast and are easy to spoof.
 
It doesn't do anything for security, in any combination of encryption methods. MAC addresses are broadcast and are easy to spoof.
It is usually enough to stop the typical person trying to steal your wireless..

Same could be said about any encryption. WPA can be cracked in minutes, the number of people that use dictionary words for the WPA password is insane.
If someone wants in they will get in. But usually if the typical person looking for free wifi can't get in by the first few attempts they move along.
 
mDNSResponder is, essentially, "Bonjour" which is used by devices on the same network to talk to each other by name. This includes your router, laptop, and anything else including non-computer internet devices.

Another dumb question... do you have Parallels, VMware, or VirtualBox?
 
mDNSResponder is, essentially, "Bonjour" which is used by devices on the same network to talk to each other by name. This includes your router, laptop, and anything else including non-computer internet devices.

Another dumb question... do you have Parallels, VMware, or VirtualBox?

I had VMware Fusion, before I did a clean install about a month or so ago. And it was constantly trying to connect online with something like "vmnet". Now I just have the stock apps and installed Reason 4 from the Software package, and CS4 directly from Adobe. Most of the time, I don't even have those apps running at all.
 
Thanks for taking the time to explain that to me...
In the final portion of what I read, I don't have Time Machine installed or any type of backup/storage device, so idk where that's coming from. Why would anything be looking for a shared directory in the first place if I don't have anything set to share in my Sharing settings of System Preferences?

The open ports are part of how Bonjour, NetBIOS and Samba work; even if you don't have anything shared they will open a port to listen on your network for services shared by other computers. They aren't a symptom of any trojan or hacking, just your OS doing what it is supposed to.

The Mail.app opening on its own and my settings being changed w/o me doing it myself is what had me suspicious.

The only settings you mentioned changing back was your MAC address, can you post a link to how you did this? It may not have been a permanent change.

Mail.app opening by itself is odd, but there have been a couple of posts here about that happening, but nothing definitive.

Try checking your System Preferences->Accounts->Login Items and make sure Mail is not listed there.

You can also try trashing a couple of preference files.
Home Directory->Library->Preferences->com.apple.loginitems.plist
Home Directory->Library->Preferences->com.apple.mail.plist
Drag them to the trash, but don't empty the trash, then reboot and see if the problem persists.
 
OK, I've done a clean install and archive install since March and now I've been back to a fresh install of Leopard for about a week now...

Gotta question tho,
[Image: 22clzb.jpg]

What does this IP address starting w/ fe80: mean?
The other 192.168.0.1 is Comcast (I guess, since it's always there at all times) and 192.168.0.3 is my iMac. But that "fe80.." IP address kept popping up like it was actively using my network and I've never seen that before.
BTW, the last "chic-cns" is Comcast (Pretty sure of that one)

But I'm too confused about that "fe80:", what does that IP address mean? Only two of my computers are connected (MacBook Pro & iMac) and both have a 192.168... IP address.
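
Added example, not part of the original post: an address beginning with fe80: is an IPv6 link-local address, which an IPv6-enabled interface assigns to itself and which is not routed beyond the local network segment. When its interface ID is derived from the hardware address (modified EUI-64), the MAC can be recovered and matched against your own devices. The addresses, MACs and device names below are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def classify(addr):
    """Return the scope of an IPv4/IPv6 address string."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop zone suffix such as %en1
    if ip.is_link_local:      # fe80::/10 (IPv6) or 169.254.0.0/16 (IPv4)
        return "link-local"
    if ip.is_private:         # e.g. 192.168.0.0/16 handed out by a home router
        return "private"
    return "global"

def mac_from_link_local(addr):
    """Recover the MAC from a modified EUI-64 link-local address, else None."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    if ip.version != 6 or not ip.is_link_local:
        return None
    iid = ip.packed[8:]                   # low 64 bits are the interface ID
    if iid[3:5] != b"\xff\xfe":           # EUI-64 inserts ff:fe mid-MAC
        return None                       # randomized or manually set ID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in mac)

def attribute(observed, inventory):
    """Map each observed address to (scope, owner) using a MAC inventory."""
    by_mac = {mac.lower(): name for name, mac in inventory.items()}
    report = {}
    for addr in observed:
        mac = mac_from_link_local(addr)
        owner = by_mac.get(mac, "unknown device") if mac else "no embedded MAC"
        report[addr] = (classify(addr), owner)
    return report

# Constructed sample data (not taken from the thread's screenshot).
INVENTORY = {"MacBook Pro": "00:1B:63:12:34:56", "iMac": "00:1B:63:AB:CD:EF"}
OBSERVED = [
    "192.168.0.1",
    "192.168.0.3",
    "fe80::21b:63ff:fe12:3456%en1",   # EUI-64 form of the MacBook Pro MAC
    "fe80::211:22ff:fe33:4455",       # EUI-64 form of a MAC not in inventory
    "fe80::1c2d:3e4f:5a6b:7c8d",      # interface ID not derived from a MAC
]

if __name__ == "__main__":
    for addr, (scope, owner) in attribute(OBSERVED, INVENTORY).items():
        print(f"{addr:32} {scope:11} {owner}")
```

An fe80: entry that maps back to one of your own MACs is simply that machine's second (IPv6) address on the same interface.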
 
Just a side note, WPA is proof of concept cracked. You should use WPA2 for actual security.
 