#33
And another question - I've never specified a WINS name in any of the MAC's interfaces, though I've noticed that a name gets used. It usually is MACINTOSH-77777777 or something generic like that. My computer does have a name as specified in the Sharing preferences, though file sharing is outlawed on my machine. The two names don't match up. I've created a new "Location" and deleted the automatic location and have found over time that the generic mac name will get used again. I'd get it if the mac needs to default to a name as a placeholder but what I don't get is why the WINS name doesn't default to the computer name defined in Sharing preferences, since WINS is to help the machine share with Windows. Right? There must be a setting somewhere that I'm missing. Just want to make sure the machine isn't sharing files through some config file that has been modified or overlooked.

#34
Quote:
http://www.grc.com/port_443.htm That's an HTTP connection over SSL, i.e. secure HTTP, the protocol that you'll use when communicating with secure sites like your bank.

#35
I don't think that your system is compromised. From where I'm sitting, it looks as though you are already believing that your system is compromised and that is leading you to see "intrusions" everywhere. Try scanning your computer against https://www.grc.com/x/ne.dll?bh0bkyd2 and see what it says.

#36
Similar Issues on Windows and Mac Machines

I am reading the last few posts of this thread with much interest. I too have been encountering strange issues with both Windows and Mac machines. To start with, I had three computers in my home office become compromised through MBR/Downloader and DNS Hijack Trojans. At one time I too thought they were re-writing CDs but eventually what I realized they are doing is emulating CDs for the purpose of preventing my being able to reinstall Windows and to covertly install files that will give them control of the machine. I noticed this on a Windows machine when re-installing drivers after completing FDISK and Format on my hard drive. Earlier I had inspected the files on the CD and saw there were 10 drivers. However, when trying to install them the "disk" showed 14 driver files. They copy the disk to the hard drive, make you think you are accessing the CD in the CD drive but then install from the HD the files they want. I know this sounds crazy, but it is happening.

I got fed up with Windows, after going through THREE new hard drives in less than a week trying to "beat" the hackers, and bought an iMac:

Hardware Overview:
Model Name: iMac
Model Identifier: iMac7,1
Processor Name: Intel Core 2 Duo
Processor Speed: 2 GHz
Number Of Processors: 1
Total Number Of Cores: 2
L2 Cache: 4 MB
Memory: 1 GB
Bus Speed: 800 MHz
Boot ROM Version: IM71.007A.B03
SMC Version: 1.20f4
Serial Number: QP816056X85

It wasn't long after connecting this machine (never could get Airport Extreme to configure properly) that I noticed it was being used as a DNS server. I am not familiar with Macs so it took a while before I figured out how to block incoming traffic, etc. I too was getting "fake" log-in screens, etc. popping up asking for my password and even had a message pop saying that Apple suggests I install "Growl" for network management.

I also noticed that some of my documents were being copied into image files and somehow interfacing with X-11 to send them over the net (also not yet familiar with X-11). In doing some research I learned how to see where my user bin location is and, from what I understand, it was in the wrong place and in a strange place (when I perform the command echo $PATH in the terminal this is what I get: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin). After seeing this I erased the hard drive with a 7 pass erase and reinstalled OSX and this time I did not install X-11 or anything else other than the core requirements. However, if I perform the command echo $PATH in the terminal it STILL gives me /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin. I also noticed that although I chose not to install any of the language packs other than English, all the languages are installed. On the Windows computers I was getting error messages in Chinese and Korean.

From what I have learned through some online research (when my searches aren't being re-directed), there is some serious hacking taking place and it is being done by a sophisticated and organized group out of China and possibly North Korea. Their primary goal is identity theft. This is a serious issue that is not getting much press and needs to be addressed by companies such as Microsoft and Apple. I know I am not imagining things because my bank recently notified me that my account was locked due to repeated attempts to access my account from a foreign IP address.

#37
Quote:

#38
A question: Tonight I noticed the following "critical" notification in the log:

6/19/08 8:21:38 PM localhost fseventsd[26] fseventsd Critical log dir: /.fseventsd getting new uuid: 8B590C92-EBAE-4C8B-8441-8C61DD440BCB

Any ideas? Or this error:

6/19/08 8:22:01 PM imac /usr/sbin/screenreaderd[68] /usr/sbin/screenreaderd Error SCREENREADER[68]: Stopping screen reader because login happened

Last edited by NewMacUser-TX; June 20th, 2008 at 01:10 AM.

#39
First of all: I can't see anything that even remotely resembles a root kit or any other type of foul play in any of these logs.

Second: if you don't know what to look for, don't look. Seriously. If you want to learn, then by all means look, and then google every log entry you don't understand, and learn what process caused the log entry and why. If you're not prepared to learn, don't look. You'll only grow (more) paranoid.

I agree with g/re/p though, this smells like a hoax. HelloMac seems more like a troll/flamebait than a seriously concerned user.

#40
I agree... I smell fish, and it just doesn't make sense. If you're getting hacked during the install process, as HelloMac has insinuated, then something is drastically wrong with your network setup. HelloMac, if I remember correctly, even claimed that s/he was "hacked" during the install process even when not connected via any network interface... and wondered if, perhaps, the install DVD was compromised. This is just completely unrealistic... no legitimate copies of Mac OS X have trojans/viruses/rootkits on the install media, period, so this is completely impossible.

If either HelloMac or NewMacUser-TX are willing, I'd like to please ask them to post some screenshots of the error messages they're receiving. Simply press Shift-Command-3 to generate a picture of the screen, then post it here. I'd especially like to see the screenshot of "Apple suggests I install "Growl" for network management", since no error message anywhere within Mac OS X contains the verbiage "Apple suggests you install...". Not to be too stereotypical of a forum dissenter, but pics or it didn't happen.
__________________
Power Macintosh G4/500MHz "Yikes!" 10.4.11 Server • 1024MB • 3 x 120GB + 320GB • DVR-111D • 2 x Radeon 7000 PCI • 2 x 17" CRT
MacBook 2.0GHz Core 2 Duo - White 10.5.4 • 2048MB • 80GB • CD-RW/DVD-ROM
iPod Photo 60GB • iPod nano 1GB • AT&T DSL 6Mb/768k
http://www.jeffhoppe.com