
Pimptastic (original poster, macrumors regular, joined Nov 27, 2006)
Just got home from work and Little Snitch is reporting that the following processes...

sshd
launchproxy
Mac OS X kernel

...are pretty much constantly connecting to 78.107.128.250

Looked a bit suspicious, so I told Little Snitch to block all applications from accessing that IP address, but it doesn't seem to have done anything. Little Snitch is still reporting that those processes are accessing that IP.

If you type the IP address into firefox, it brings up a (Russian?) website.

If I turn off Remote Sharing in System Preferences, the connections disappear.

I have tried changing my user password, but the connections still persist.

Anyone have any ideas what that IP address relates to? And if so, how to stop it?

Thanks
 
A few things...

Open up Activity Monitor, and use the little pop-up menu to display All Processes, Hierarchically.

Take a screen shot of all the entries listed there and post it here.

Also, in a Terminal window, type the following command:

sudo ps -ax

And paste the output here.
 
Does your /var/log/system.log show anything and what shows up when you type the "last" or "w" command?

Those can be easily tampered with if the system was compromised but it doesn't hurt to look...
 
Hi mate, here is the info you requested. I have turned remote login off for the time being. Pictures of Activity Monitor are attached.

Code:
  1 ??         0:05.27 /sbin/launchd
   10 ??         0:00.77 /usr/libexec/kextd
   11 ??         0:26.00 /usr/sbin/DirectoryService
   12 ??         0:04.64 /usr/sbin/notifyd
   13 ??         0:10.80 /usr/sbin/syslogd
   14 ??         0:25.29 /usr/sbin/configd
   15 ??         0:02.21 /usr/sbin/distnoted
   16 ??         0:03.65 /usr/sbin/mDNSResponder -launchd
   22 ??         0:06.11 /usr/sbin/securityd -i
   26 ??         0:06.40 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g
   27 ??         0:01.79 /usr/sbin/cupsd -l
   28 ??         0:00.79 /usr/sbin/cron
   29 ??         0:56.77 /usr/sbin/update
   30 ??         0:00.01 /sbin/SystemStarter
   34 ??         0:00.03 /System/Library/CoreServices/RemoteManagement/AppleVNC
   35 ??         3:32.09 /System/Library/Frameworks/CoreServices.framework/Fram
   36 ??         0:00.84 /System/Library/CoreServices/loginwindow.app/Contents/
   37 ??         0:00.01 /usr/sbin/KernelEventAgent
   38 ??         0:04.89 /usr/sbin/kdcmond -n -a
   40 ??         0:00.01 /usr/libexec/hidd
   41 ??         1:00.58 /System/Library/Frameworks/CoreServices.framework/Vers
   43 ??         0:00.01 /sbin/dynamic_pager -F /private/var/vm/swapfile
   46 ??         0:01.25 /usr/sbin/diskarbitrationd
   50 ??         0:00.22 /usr/sbin/blued
   51 ??         0:00.01 autofsd
   53 ??         0:01.81 /usr/libexec/ApplicationFirewall/socketfilterfw
   54 ??         0:00.20 /usr/local/sbin/dnsupdate daemon
   56 ??         0:00.02 /bin/sh /Library/Parallels/Parallels Service.app/Conte
   57 ??         0:01.39 /Library/Little Snitch/lsd
   73 ??         0:03.81 /System/Library/CoreServices/coreservicesd
   90 ??         0:00.04 /usr/sbin/krb5kdc -n -r LKDC:SHA1.38741A8FE8A8BB2B2C47
   91 ??        16:48.92 /System/Library/Frameworks/ApplicationServices.framewo
   97 ??         0:01.22 /usr/local/sbin/dyndnsd daemon
  106 ??         0:00.38 /usr/sbin/racoon -e -x
  109 ??         0:00.15 /Library/Application Support/VMware Fusion/vmnet-natd 
  142 ??         0:00.15 /Library/Application Support/VMware Fusion/vmnet-dhcpd
  146 ??         0:00.00 /Library/Application Support/VMware Fusion/vmnet-netif
  151 ??         0:00.00 /Library/Application Support/VMware Fusion/vmnet-netif
  156 ??         0:00.18 /Library/Application Support/VMware Fusion/vmnet-dhcpd
  157 ??         0:00.99 /sbin/launchd
  161 ??         0:00.00 /Library/Application Support/VMware Fusion/vmnet-bridg
  170 ??         0:06.77 /Library/Parallels/Parallels Service.app/Contents/MacO
  182 ??         0:59.42 /Library/Parallels/Parallels Service.app/Contents/MacO
  185 ??         0:00.44 /usr/sbin/coreaudiod
  203 ??         0:00.17 /Users/Mark/Library/Application Support/Plex/PlexHelpe
  204 ??         8:18.75 /Library/Little Snitch/Little Snitch Network Monitor.a
  205 ??         0:00.54 /Library/Little Snitch/Little Snitch UIAgent.app/Conte
  207 ??         0:00.13 /System/Library/CoreServices/AirPort Base Station Agen
  210 ??         0:00.14 /System/Library/CoreServices/RemoteManagement/ARDAgent
  212 ??         0:00.25 /System/Library/CoreServices/Spotlight.app/Contents/Ma
  213 ??         0:00.28 /usr/sbin/UserEventAgent -l Aqua
  214 ??         0:00.21 aped
  215 ??         0:00.00 /usr/sbin/pboard
  216 ??         0:00.09 /System/Library/CoreServices/RemoteManagement/AppleVNC
  217 ??         0:00.00 /System/Library/CoreServices/RemoteManagement/AppleVNC
  218 ??         0:08.12 /System/Library/Frameworks/ApplicationServices.framewo
  219 ??        11:53.15 /System/Library/CoreServices/Dock.app/Contents/MacOS/D
  220 ??        12:39.59 /System/Library/CoreServices/SystemUIServer.app/Conten
  221 ??         0:54.93 /System/Library/CoreServices/Finder.app/Contents/MacOS
  225 ??         0:06.20 /System/Library/CoreServices/Dock.app/Contents/Resourc
  238 ??         0:02.16 /usr/sbin/nmbd -F
  317 ??         0:00.01 /System/Library/Services/AppleSpell.service/Contents/M
15387 ??         4:20.78 /Applications/Firefox.app/Contents/MacOS/firefox-bin -
15523 ??         0:09.91 /System/Library/PrivateFrameworks/DiskImages.framework
15524 ??         0:04.51 /System/Library/PrivateFrameworks/DiskImages.framework
15528 ??         0:00.45 /System/Library/PrivateFrameworks/DiskImages.framework
15542 ??         0:00.00 /System/Library/Frameworks/JavaVM.framework/Versions/A
15605 ??         7:20.54 /Applications/ClamXav.app/Contents/MacOS/ClamXav -psn_
15710 ??       105:16.68 /usr/local/clamXav/bin/clamscan --stdout -v -r -i --no
17340 ??         0:00.37 /System/Library/Frameworks/CoreServices.framework/Fram
18130 ??         0:00.25 /System/Library/Image Capture/Devices/PTPCamera.app/Co
18134 ??         0:00.82 /System/Library/Image Capture/Support/Image Capture Ex
18141 ??         0:00.89 /System/Library/Frameworks/CoreServices.framework/Fram
18236 ??         0:05.01 /Applications/Mail.app/Contents/MacOS/Mail -psn_0_1061
18243 ??         0:00.30 /System/Library/Frameworks/SyncServices.framework/Vers
18245 ??         0:00.08 /usr/sbin/smbd -F
18246 ??         0:00.00 /usr/sbin/smbd -F
18259 ??         0:05.83 /Applications/Utilities/Activity Monitor.app/Contents/
18260 ??         0:03.31 /Applications/Utilities/Activity Monitor.app/Contents/
18283 ??         0:00.42 /System/Library/PrivateFrameworks/DiskImages.framework
18310 ??         0:00.82 /Applications/Utilities/Terminal.app/Contents/MacOS/Te
18339 ttys000    0:00.02 login -pf Mark
18340 ttys000    0:00.01 -bash
18351 ttys000    0:00.04 ps -ax

Any chance you downloaded iWork '09 illegally when it came out?

I did cos I couldn't wait for my copy to arrive, but it didn't have the virus; I checked before installing and after installing.
 

Attachments: Picture 1.png, Picture 2.png, Picture 3.png (Activity Monitor screenshots)

You should probably check your crontabs.

In the terminal:

sudo cat /etc/crontab

and for your user crontab:

crontab -l

Might as well check root's crontab:

sudo crontab -l
 
Only thing that came up was with the last command

Code:
* * * * * /var/root/.access.log/y2kupdate >/dev/null 2>&1

Did you see anything suspicious in my previous post?
 
That entry should definitely NOT be there.

First, change the permissions on that file so that it is no longer executable (You'll be working in the Terminal):

sudo chmod a-x /var/root/.access.log/y2kupdate

Next, you can either delete it, or move it to your home directory where you may examine it to see what it's doing.

To move:

sudo mv /var/root/.access.log/y2kupdate /Users/Mark/malware

View its contents:

sudo cat /Users/Mark/malware

To delete it right where it is:

sudo rm /var/root/.access.log/y2kupdate

And clean up your root's crontab file:

sudo crontab -r

When you have moved/deleted that file, you should verify that some other process is not attempting to recreate it. Wait a little while, and then run:

ls /var/root/.access.log/
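As an added illustration (not from any poster in this thread): a small POSIX shell function that scans crontab text for the traits of the entry found above, namely an every-minute schedule, a command inside a hidden dot-directory under /var/root, and all output discarded to /dev/null. The function name and the sample crontab lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads crontab text on stdin (for
# instance the combined output of the three commands above:
#   { sudo cat /etc/crontab; crontab -l; sudo crontab -l; } 2>/dev/null | sh -c '. ./this.sh; flag_cron_entries'
# ), prints each line that shows one or more of the traits seen in the
# y2kupdate entry, and returns 1 if anything was flagged, 0 otherwise.

flag_cron_entries() {
    found=0
    while IFS= read -r line; do
        # skip blank lines, comments and NAME=value assignments
        case "$line" in
            ''|'#'*|[A-Za-z_]*=*) continue ;;
        esac
        reasons=''
        # all five schedule fields are '*': the job runs every minute,
        # which is how the bouncer was kept alive
        case "$line" in
            '* * * * * '*) reasons="$reasons every-minute" ;;
        esac
        # a path component starting with '.' is a hidden directory
        case "$line" in
            */.[!./]*/*) reasons="$reasons hidden-dir" ;;
        esac
        # root's home directory is not where installed jobs normally live
        case "$line" in
            */var/root/*) reasons="$reasons root-home" ;;
        esac
        # output silenced, so cron never mails or logs what the job does
        case "$line" in
            *'>/dev/null 2>&1'*|*'&>/dev/null'*) reasons="$reasons silenced" ;;
        esac
        if [ -n "$reasons" ]; then
            printf 'SUSPECT [%s]: %s\n' "${reasons# }" "$line"
            found=1
        fi
    done
    return "$found"
}
```

A job that trips only one of these checks may be legitimate; the entry in this thread trips all four, which is the point of reporting the reasons together.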
 
Thanks for that, appreciate it.

This is the content of that file. Any idea what it was?

Code:
iMac:~ Mark$ sudo cat /Users/Mark/malware
#!/bin/sh
if test -r /var/root/.access.log/psybnc.pid; then
pid=$(cat /var/root/.access.log/psybnc.pid)
if $(kill -CHLD $pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd /var/root/.access.log
./run &>/dev/null
 
You've got some more cleaning to do.

In the terminal:

cat /var/root/.access.log/psybnc.pid

If you get output, it should be a number. You are going to feed this number to a command to examine the process it's attached to:

sudo ps -ax -p [number] -- replace [number] with the above output. Omit the braces.

Also, check the contents of the following:

sudo cat /var/root/.access.log/run
 
Did the first command but get permission denied

Code:
iMac:~ Mark$ cat /var/root/.access.log/psybnc.pid
cat: /var/root/.access.log/psybnc.pid: Permission denied
 
Another followup:

If it's available, you should examine the contents of your bash history:

less ~/.bash_history (use the space bar to scroll output one page at a time)
 
Just done that, nothing suspicious in there

You'll need to prepend the cat command with sudo to gain elevated privileges.

sudo cat /var/root/.access.log/psybnc.pid

Code:
iMac:~ Mark$ sudo cat /var/root/.access.log/psybnc.pid
Password:
cat: /var/root/.access.log/psybnc.pid: No such file or directory
 
Is there anything else in that /var/root/.access.log/ directory? You can see with an ls command.

sudo ls -al /var/root/.access.log/

Definitely some suspicious stuff in there.

There is something in there called f u c k (without spaces)... as you can see, the swear filter caught it below

Code:
iMac:~ Mark$ sudo ls -al /var/root/.access.log/
total 608
drwxr-xr-x   19 504   504       646 27 Feb 21:33 .
drwxr-x---+  16 root  wheel     544  7 Jan 18:12 ..
-rw-r--r--    1 504   504     33557 10 Mar  2004 README
-rwxr-xr-x    1 504   504       320 31 May  2004 config
-rw-------    1 504   504      1002 10 Mar  2004 config.h
-rw-r--r--    1 root  504        58  3 Jan 11:35 cron.d
-rwxr-xr-x    1 504   504       347 31 May  2004 ****
drwxr-xr-x  245 504   504      8330 31 May  2002 help
-rwxr-xr-x    1 504   504    202544 10 Mar  2004 httpd
drwxr-xr-x    6 504   504       204 26 Jul  2004 lang
-rw-r--r--    1 root  504       139 26 Dec 12:41 livezone
-rw-r--r--    1 root  504        22  3 Jan 11:35 livezone.dir
drwxr-xr-x    3 504   504       102  6 May  2004 log
drwxr-xr-x    2 504   504        68  4 Jun  2004 motd
-rwxr-xr-x    1 504   504     14306 13 Nov  2003 proc
drwxr-xr-x   34 1001  admin    1156  3 Jan 11:34 pulamea
-rwxr-xr-x    1 504   504        68  4 Jun  2004 run
drwxr-xr-x    3 504   504       102 10 Mar  2004 scripts
-rwxr--r--    1 504   504     21516 25 Sep  2002 xh
 
First, remove execution permissions from everything in that folder:

sudo chmod -R a-x /var/root/.access.log/*

Next, dump the contents of that "run" file:

sudo cat /var/root/.access.log/run

This is starting to look like you got "pwned", and someone may have dropped a rootkit into your system. If you had a weak password (a word in the dictionary, for example), someone could have easily cracked it when you had Remote Access enabled. From there, it would have been trivial to log into your system and download a *nix rootkit to set up your machine to act as a zombie on a bot net.
 
Running the first command returns this message

Code:
iMac:~ Mark$ sudo chmod -R a-x /var/root/.access.log/*
chmod: /var/root/.access.log/*: No such file or directory

The content of that run file is

Code:
#!/bin/sh
./proc "/usr/local/apache/bin/httpd -DSSL" httpd livezone

Yeah, looks like I've been hacked. My password is two words joined together with a number on the end.
 
My guess is that the httpd there is just a front end to spawn other processes that are tripping Little Snitch.

If you can, package up this .access.log directory and send it to me. I'd like to do some digging through them so I can get a better idea what is going down on your machine.

First, move that sucker to your home directory:

sudo mv /var/root/.access.log /Users/Mark/bad_directory

Next, change ownership on it so you can manipulate it:

sudo chown -R Mark /Users/Mark/bad_directory

Then, use the Finder to compress it and send me the resulting zip file. Either PM it to me as an attachment, or if you would like to email it to me I will PM you my email address.

I also have AIM/iChat if that is more convenient for you.
 
This thread got me to wondering about my sister's mac. After doing a little digging, I discovered that a script kiddie got in and installed an energymech IRC robot 4 days ago. The machine had weak security: password same as username plus incoming ssh open. After cleaning up that mess, my sister is now using far stronger passwords and has unchecked all the sharing settings.
 
Did you format and re-install?
If you didn't, the chances are good that they still own your sister's computer.
Without running a checksum on every system file you will not know what files have been replaced. With a good rootkit they can hide almost anything.
 
I have a hardware firewall with no ports open and a completely random, 128-bit-length, encryption-key-like password that nobody could remember by watching me type it.
 
They installed software on that computer! How hard would it have been to install a key logger along with the bot (hint: not hard)? You say you have no ports open; I will assume you mean no inbound ports open. What happens if your box is the one opening the ports and sending out the data? Programs like Little Snitch do little if they have/had admin access to the system.

You cannot trust anything on that system. If they had root/admin access they can make it appear you have a clean system: all they do is replace programs like ls, ps, top, df, who, last, passwd, etc. with their own that ignore the files and processes they are running, add a system log cleaner to cover their tracks, and no one is the wiser...
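An added example, not from any poster here, of the checksum comparison the two replies above call for: verifying binaries such as ls, ps and top against a baseline of SHA-256 hashes recorded from a known-clean system. The baseline format ("hash  path", one per line, as written by shasum or sha256sum) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a baseline file in the
# "<sha256>  <path>" form produced by `shasum -a 256` (macOS) or
# `sha256sum` (Linux) on a clean install of the same OS version.
# Caveat from the thread: if ps and ls were replaced, the shell and the
# hashing tool may have been too, so run this from a trusted boot medium.

# sha256_of <file>: print the hex digest, whichever tool the system has
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_baseline <baseline_file>
# Prints one line per baseline entry: OK, MODIFIED or MISSING.
# Returns 1 if any file differs from or is absent from the baseline.
verify_baseline() {
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            bad=1
            continue
        fi
        actual=$(sha256_of "$path")
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MODIFIED %s\n' "$path"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Typical use on the suspect machine (baseline copied from a clean box):
#   verify_baseline /Volumes/USB/baseline.sha256 | grep -v '^OK'
```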
 