
steve111

macrumors newbie
Original poster
Aug 25, 2009
27
0
Thank you for your quick replies.

I am not very technical, would it be alright to paste 'stats' from my firewall?

If so, which stats would be useful?

Macbook pro os x 10.5.8

My website has been hacked...(I think!) I know I have code on my site that is causing problems. I have run scan on my site and have malicious code. It's hacked, a trojan or something.

Thank you for your help
 

someguy

macrumors 68020
Dec 4, 2005
2,351
21
Still here.
My website has been hacked...(I think!) I know I have code on my site that is causing problems. I have run scan on my site and have malicious code. It's hacked, a trojan or something.
Where is your website hosted?

How did you run a scan on it? Can you provide us with the results of this scan?
 

steve111

macrumors newbie
Original poster
Aug 25, 2009
27
0
Where is your website hosted?

How did you run a scan on it? Can you provide us with the results of this scan?

I can try to get the results.

It is a wordpress blog.
My site is hosted with httpme.
I asked them to restore my site from a previous restore date, the site had the code back on it before long.

I also have this in my firewall log, a lot more than this. Is it safe to post this?

Oct 26 21:28:47 steve Firewall[39]: Deny nmblookup data in from 192.168.1.72:137 uid = 0 proto=17
Oct 26 21:29:17: --- last message repeated 4 times ---
Oct 26 21:34:47 steve Firewall[39]: Deny nmblookup data in from 192.168.1.72:137 uid = 0 proto=17
Oct 26 21:35:17: --- last message repeated 5 times ---
Oct 26 21:40:47 steve Firewall[39]: Deny nmblookup data in from 192.168.1.72:137 uid = 0 proto=17
Oct 26 21:41:17: --- last message repeated 5 times ---
Oct 26 21:46:47 steve Firewall[39]: Deny nmblookup data in from 192.168.1.72:137 uid = 0 proto=17
Oct 26 21:47:17: --- last message repeated 5 times ---
Oct 26 21:52:47 steve Firewall[39]: Deny nmblookup data in from 192.168.1.7


Oct 27 17:52:01 steve Firewall[39]: Deny nmblookup data in from 192.168.1.69:137 uid = 0 proto=17
Oct 28 09:19:01 steve Firewall[38]: Stealth Mode connection attempt to TCP 192.168.1.64:49161 from 74.125.79.100:80
Oct 28 09:19:02 steve Firewall[38]: Stealth Mode connection attempt to TCP 192.168.1.64:49161 from 74.125.79.100:80
Oct 28 09:19:32: --- last message repeated 4 times ---
Oct 28 13:03:39 steve Firewall[38]: Stealth Mode connection attempt to TCP 192.168.1.64:49422 from 209.85.229.106:443
Oct 28 13:03:40 steve Firewall[38]: Stealth Mode connection attempt to TCP 192.168.1.64:49422 from 209.85.229.106:443
Oct 28 13:04:10: --- last message repeated 4 times ---
Oct 28 13:12:00 steve Firewall[38]: Stealth Mode connection attempt to TCP 192.168.1.64:49549 from 209.85.227.101:80
Oct 28 13:12:30: --- last message repeated 5 times ---
Oct 28 14:38:25 steve Firewall[38]:
 

calderone

Cancelled
Aug 28, 2009
3,743
352
nmblookup is used to get NetBIOS names. The lookup is being rejected since you are in stealth mode.

EDIT: All 3 of those external IPs are owned by Google.

Where is this website you are hosting?
 

steve111

macrumors newbie
Original poster
Aug 25, 2009
27
0
nmblookup is used to get NetBIOS names. The lookup is being rejected since you are in stealth mode.

So you haven't been hacked, but someone is trying.

Thanks for your post.

Is there a way to tell where it's coming from? What can I do?
 

calderone

Cancelled
Aug 28, 2009
3,743
352
Thanks for your post.

Is there a way to tell where it's coming from? What can I do?

See my edit above. I jumped the gun, I ran a whois and those external IPs are owned by Google. I doubt Google is trying to get you.

They are coming in on the http port 80 and https port 443. Are you using Google for Analytics? AdSense? Are you collocating your httpme site at home?

The nmblookups are from an internal IP. So what device has an IP of 192.168.1.72?
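
A triage sketch for the firewall log format quoted in this thread, added here as an example and not code from any poster: it separates LAN NetBIOS name-service traffic from packets that arrive from a web server's port 80/443 at a high ephemeral local port (typically late reply traffic for connections the Mac itself opened) and from anything else. The category names, the 49152 ephemeral-port threshold and the last sample line (from 203.0.113.9) are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Lines in the format posted above; the final line is constructed for contrast.
SAMPLE_LOG = """\
Oct 26 21:28:47 steve Firewall[39]: Deny nmblookup data in from 192.168.1.72:137 uid = 0 proto=17
Oct 26 21:29:17: --- last message repeated 4 times ---
Oct 28 09:19:01 steve Firewall[38]: Stealth Mode connection attempt to TCP 192.168.1.64:49161 from 74.125.79.100:80
Oct 28 13:03:39 steve Firewall[38]: Stealth Mode connection attempt to TCP 192.168.1.64:49422 from 209.85.229.106:443
Oct 28 14:00:00 steve Firewall[38]: Stealth Mode connection attempt to TCP 192.168.1.64:22 from 203.0.113.9:51515
"""
DENY = re.compile(r"Deny (\S+) data in from ([\d.]+):(\d+)")
STEALTH = re.compile(r"Stealth Mode connection attempt to (?:TCP|UDP) "
                     r"([\d.]+):(\d+) from ([\d.]+):(\d+)")
REPEAT = re.compile(r"last message repeated (\d+) times")
EPHEMERAL_START = 49152  # assumption: start of the dynamic port range

def classify(line):
    """Return (category, source_ip) for one log line, or None if unrecognised."""
    m = DENY.search(line)
    if m:
        src, sport = m.group(2), int(m.group(3))
        # UDP/137 from a private address is NetBIOS name service on the LAN.
        if ipaddress.ip_address(src).is_private and sport == 137:
            return ("lan-netbios", src)
        return ("denied-other", src)
    m = STEALTH.search(line)
    if m:
        dport, src, sport = int(m.group(2)), m.group(3), int(m.group(4))
        # Web-server source port to a high local port: reply to our own request.
        if sport in (80, 443) and dport >= EPHEMERAL_START:
            return ("late-web-reply", src)
        return ("unsolicited-probe", src)
    return None

def triage(log_text):
    """Count events per (category, source), folding in syslog repeat lines."""
    counts, last = Counter(), None
    for line in log_text.splitlines():
        rep = REPEAT.search(line)
        if rep:
            if last:
                counts[last] += int(rep.group(1))
            continue
        last = classify(line)
        if last:
            counts[last] += 1
    return counts

if __name__ == "__main__":
    for (category, src), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {category:18s} {src}")
```

Only the `unsolicited-probe` and `denied-other` rows need a closer look; the other two categories are routine background traffic for a machine behind a home router.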
 

someguy

macrumors 68020
Dec 4, 2005
2,351
21
Still here.
First of all, it's very unlikely that this problem has anything to do with your Mac itself. Perhaps another device or machine on the network is causing a problem of some sort?

If you'd like, you can install ClamXav and check your Mac for viruses, but keep in mind that it is extremely unlikely that your Mac would be affected by any virus ClamXav finds.

Second, what is happening that leads you to believe your site contains malicious code? What kind of problems are resulting because of this?

Finally, I'd contact Customer Support at httpme, or whoever hosts your site, and talk to them about it a little more. Perhaps they can help shed some light on the situation.
 

steve111

macrumors newbie
Original poster
Aug 25, 2009
27
0
See my edit above. I jumped the gun, I ran a whois and those IPs are owned by Google. I doubt google is trying to get you.

They are coming in on the http port 80 and https port 443. Are you using google for Analytics? AdSense?

The nmblookups are from an internal IP. So what device has an IP of 192.168.1.72?

Analytics! I don't know, I don't want to start conspiracies but google and skynet have a few things in common. lol

Do you know much about websites, analytics etc.?

Thanks for your help
 

Poncho

macrumors 6502
Jun 15, 2007
470
183
Holland
Haven't a clue about this sort of stuff but did the obvious: Googled one of the ip addresses that has done a stealth sniff on you and its 'owner' lives in Santa Cruz. Mountain View to be exact. Ring any bells? Is it yourself?

See here: http://www.ipaddresser.com/reverse.php/209.85-7

EDIT: Just saw some guy's post while I was writing this...
 

someguy

macrumors 68020
Dec 4, 2005
2,351
21
Still here.
Haven't a clue about this sort of stuff but did the obvious: Googled one of the ip addresses that has done a stealth sniff on you and its 'owner' lives in Santa Cruz. Mountain View to be exact. Ring any bells? Is it yourself?

See here: http://www.ipaddresser.com/reverse.php/209.85-7

EDIT: Just saw some guy's post while I was writing this...
Hint: Put 209.85.229.106 in your address bar and hit Enter. ;)

To the OP, it sounds like Google is simply crawling your page. Nothing to worry about there. Are you actually experiencing a problem of any kind?

EDIT: I can see, now that your threads have been merged, that you have had plenty of helpful suggestions made thus far. I think we have made enough progress here to conclude that, while you may have some sort of configuration issue with your website, it is very unlikely that there are any issues with your Mac.

From here, I'd contact Customer Support at your hosting service company and discuss with them any issues you are having. :)
 

calderone

Cancelled
Aug 28, 2009
3,743
352
Hint: Put 209.85.229.106 in your address bar and hit Enter. ;)

To the OP, it sounds like Google is simply crawling your page. Nothing to worry about there. Are you actually experiencing a problem of any kind?

Google is clearly looking for something to index, as it is looking at port 80 and 443.

OP, have you done any custom DNS records with your host httpme? Such as an A record to your home IP? It doesn't make much sense for them to be crawling his home IP address if his site is hosted elsewhere.
 

steve111

macrumors newbie
Original poster
Aug 25, 2009
27
0
I will have to run a scan on my site to get those 'stats' (will do that now)

I can't think of any connection with Santa Cruz :confused:

calderone, I'm not exactly sure what you mean by 'custom DNS records' I can'
I have an ftp program.

But why would google be on my os x firewall log?
 

Sambo110

macrumors 68000
Mar 12, 2007
1,686
0
Australia
This doesn't sound like a virus at all, it sounds like user error. I still think everyone needs to learn a bit about computers so they actually know what they are doing, can see a phishing scam etc.
 

Jason Beck

macrumors 68000
Oct 19, 2009
1,913
0
Cedar City, Utah
perian,
three documents on making money,
something titled 'christmas'-don't know what that is...
limewire osx...tried downloading something off limewire-IT STOPPED due to possible virus. I assumed it done this before damaging my computer. I don't think this is what asked for my admin password.
Templates for website

That's the last things I have downloaded. But it might have been going on for longer than I realize.

I hope this is a lesson. You need to be more careful in what you install, and what you input into password boxes. Steer clear from the get rich quick ****. They are scams. Only input your passwords on trusted sites that you know. Steer clear of craptastical programs. Call your bank, tell them what happened, their fraud dept. can trace the routing number for the transferred money to the other party's bank. File suit or something.
You don't need our help, just some logical thought and course of action.

Not chastising you, just telling you how it is. I am a felon and have done this sort of crap to people before. :rolleyes:
 

Consultant

macrumors G5
Jun 27, 2007
13,314
34

notjustjay

macrumors 603
Sep 19, 2003
6,056
167
Canada, eh?
And yet after all these posts, we still have no idea exactly why the OP thinks there is a virus or trojan in his Mac.

Most likely something embarrassing. Like porn, or something unethical, like downloading pirated software. Pirated porn maybe? Or the OP fell victim to a scammer, and is too embarrassed to admit it. Perhaps the trojan opens up a web port, or perhaps the OP was trying to run a web server off his computer which invited an exploit.

Truth is, at this point, the speculation is probably more damaging than if he had just fessed up in the first place :D

To summarize the thread so far: Mac OS X trojans do exist, but only if you invite them into your Mac. The most common place this happens is via shady software sources. Practice safe computing and common sense, don't give your password authorization to just any app that wants it, and you'll be fine. Also, some activity (firewall intrusion attempts) are normal.
 

Jason Beck

macrumors 68000
Oct 19, 2009
1,913
0
Cedar City, Utah
Most likely something embarrassing. Like porn, or something unethical, like downloading pirated software. Pirated porn maybe? Or the OP fell victim to a scammer, and is too embarrassed to admit it. Perhaps the trojan opens up a web port, or perhaps the OP was trying to run a web server off his computer which invited an exploit.

Truth is, at this point, the speculation is probably more damaging than if he had just fessed up in the first place :D

To summarize the thread so far: Mac OS X trojans do exist, but only if you invite them into your Mac. The most common place this happens is via shady software sources. Practice safe computing and common sense, don't give your password authorization to just any app that wants it, and you'll be fine. Also, some activity (firewall intrusion attempts) are normal.


Why some people can't admit the simplest things, is beyond me. I look at porn, I even got my wife liking it. bahahaha. But I don't go "link clicking."
Noobs are destined to fail in that regard. :)
 

Rampant.A.I.

macrumors 6502a
Sep 25, 2009
579
9
This thread feels awfully similar to another recent "Help, I have a virus" thread.

Remember the lady who was on here just a short while ago, insisting that she had a virus but refusing to provide any specifics at all?

It went on for a few pages before it became abundantly clear she was suffering delusions of persecution.






^ Whether or not something similar is going on here, it really doesn't matter if the OP is going to continue doing this.
 

BlueRevolution

macrumors 603
Jul 26, 2004
6,054
2
Montreal, QC
This thread feels awfully similar to another recent "Help, I have a virus" thread.

Yeah, I was having flashbacks too.

It went on for a few pages before it became abundantly clear she was suffering delusions of persecution.

They weren't delusions. She was being lambasted by MacRumors members who got carried away in mocking her. Maybe we shouldn't make the same mistake twice, hmm?
 