# Some hacker attack on my computer?



## coolio2654 (Jan 28, 2010)

I have my Peer Guardian on all the time, as an extra firewall.  One moment I'm looking at completely normal readings, then WHAM I get this shit on my log (in attached thumbnails).  I regularly see a red address once in a while and I never found anything online telling me what it means so I guessed it was nothing bad, but this is ridiculous.  I got like a hundred readings in a row, and the IP addresses were changing in the readings?!  I immediately reset my router a few times, turned off my wireless, and spiked up my regular firewall.  Once the smoke cleared, I used my network utility and used the options "lookup, traceroute, Port Scan" to try to find out my attacker but the host was said to "be invalid."  A few minutes later I get more readings and the first traceroute notification attempt.  And it stops again and 10 minutes later I'm typing this message because I'm crapping my pants.  I've had serious viruses (scareware, porn popups and 234% lag at the same time) before and I don't want to go through that horrible experience again, let alone a hacker this time.
What should I do?

P.S.  The last thumbnail is what I ALWAYS get on the Peer Guardian log.


----------



## ElDiabloConCaca (Jan 28, 2010)

First off, you have never gotten a virus on any of your Macs running Mac OS X.  There exists not a single virus for the Mac OS X operating system.

You may have been infected by a trojan -- more specifically, the DNSChanger trojan -- but a trojan is most _definitely_ not a virus.  A virus can infect your computer without interaction from you at all (which is impossible on Mac OS X if you have a strong password on your user account)... a trojan cannot.

Second, those logs don't look like anything out of the ordinary.  The first screenshot shows a blocking of the ntpd process, which is the process that sets your clock automatically.  It looks like you have some firewall rule that's blocking your computer from auto-setting your clock while simultaneously having the "Set time automatically" option checked in the System Preferences.

Are you sure you completely disabled your firewall(s) when you ran the portscan, traceroute and ping operations (and do you know what, exactly, those utilities are used for)?  The rest of the screenshots look like some kind of portscan/traceroute operation with a firewall set to "ON".

There is one and only one thing needed to keep every single hacker in the world out of your Mac OS X computer: a strong password on every user account.  A strong password consists of at least 8 characters, with a mixture of upper- and lower-case letters, numbers, and symbols (#, $, %, ^, &, !, _, -, etc.).  With a strong password like that, you could put your Mac completely exposed on the internet and no one would be able to get in without your permission.  No firewall, no NAT, no nothing needed.  Just a strong password on everything you want to protect.


----------



## coolio2654 (Jan 28, 2010)

You're right, I have never gotten that virus on my Mac, but I sure did on my XP, which is the main reason I changed to Mac.
Second, I never encountered that many hits before, EVER.  I hope you can understand a teenager with little experience panicking when seeing this type of thing.  
Third, what is the possible reason I've gotten so many hits this time?
Fourth, what is the "traceroute" thing (which I also never encountered before) in the third thumbnail?  
Fifth, I had my firewall on when I did the scans.  If the last three thumbnails are my fault, then I'm sorry for bothering you, but I thought Peer Guardian only blocked incoming connections, not my outgoing scans?  
Sixth, what does this trojan do and how do I get rid of it?!?!?!!!?
Seventh, I have no idea what my scans mean, but they helped me identify origins of connection attempts in the past.
And eighth, how do I become as smart as you so I'm able to solve these problems on my own?


----------



## ElDiabloConCaca (Jan 28, 2010)

> Second, I never encountered that many hits before, EVER.  I hope you can understand a teenager with little experience panicking when seeing this type of thing.


Yes, I can understand... but you have to think realistically when something like this concerns you -- what is on your computer that could possibly cause you harm?  So what if a hacker downloads your homework?  Is it really a huge concern if an intruder gets ahold of last year's Christmas pictures?

I'm not belittling the importance of your data -- I'm simply saying, what do you have of value stored on your computer that a hacker could possibly want to spend their time trying to hack you for?



> Third, what is the possible reason I've gotten so many hits this time?


Traceroute and ping generate a lot of network traffic.  If you have firewall rules to alert you to certain types of traffic (port scans, traceroutes, etc.), then one possibility is that your firewall is alerting you to that activity.


> Fourth, what is the "traceroute" thing (which I also never encountered before) in the third thumbnail?


Traceroute is a program that is used to determine how many "hops" a TCP packet takes from your computer to the final destination.  It's used to determine how many and what kind of routers/gateways exist between you and another host, say, for example, apple.com.  

Open up Terminal, and type "man traceroute" and press enter (without the quotes, of course).  Be prepared for a very technical (but worthwhile) read.


> Fifth, I had my firewall on when I did the scans.  If the last three thumbnails are my fault, then I'm sorry for bothering you, but I thought Peer Guardian only blocked incoming connections, not my outgoing scans?


No bother at all, and no need to apologize -- knowledge is what we're here for.

A firewall can block both incoming and outgoing connections, depending on how you have it configured.  A firewall can be used to, say, block incoming traffic on port 22 if you don't want people logging in remotely via ssh.  Or, it can be used to block all outbound traffic on port 22, preventing anyone on your computer from establishing an ssh connection to a remote computer.  A firewall is basically a configurable "traffic cop" for your network traffic, allowing certain things to go certain ways, and disallowing other things from going other ways.


> Sixth, what does this trojan do and how do I get rid of it?!?!?!!!?


This trojan, _if_ you have it, redirects you from valid sites to other sites.  For example, it may, when you type "apple.com" in your web browser, instead take you to some porn or false banking site.  It is acquired by visiting a malicious website that tries to get you to install some fake Quicktime codec to view some kind of content on the site -- the Quicktime codec you download from the site is an installer, which, when double-clicked, will ask you for your password then change your DNS settings.

Plenty of removal tools available with a super-simple Google search:

http://www.google.com/search?client=safari&rls=en&q=remove+dnschanger&ie=UTF-8&oe=UTF-8




> Seventh, I have no idea what my scans mean, but they helped me identify origins of connection attempts in the past.


True, but if you don't know anything about those hosts or don't know how to interpret the data about those hosts, it's useless.


> And eighth, how do I become as smart as you so I'm able to solve these problems on my own?


I'm no smarter than anyone else, I just put a lot of time, effort, and money into learning very specific things about computers.  If I could offer some pieces of advice, they would be (in descending order of importance):

1. Go to college and major in computer science.
2. Learn to love majoring in computer science, even if you don't at first.
3. Never assume that just because one thing works that it's the best and only way for something to work.
4. Really understand what you're doing (both the execution and the theory behind it)... if you don't, then you might as well not have done it at all.
5. Don't get cocky, and remain humble.  No matter how much you think you know, there's always someone else out there that knows so much you look like a simpleton in comparison.  Use that opportunity for learning, not sulking.


----------



## g/re/p (Jan 29, 2010)

Go to https://www.grc.com/x/ne.dll?bh0bkyd2 to check your computer for possible vulnerabilities


----------



## coolio2654 (Jan 30, 2010)

Thx a lot Eldiablo and g/re/p.
I'm sorry to say but I recently encountered more issues on my log and I'm putting them in the last thumbnails, and they can't possibly be caused by me.
I was downloading blacktrack out of curiosity on Vuze when I got all this.  I believe blacktrack is a legit free program, so I don't really understand why I'm getting these readings.


----------



## ElDiabloConCaca (Jan 30, 2010)

Vuze is a P2P program written in Java that utilizes the gnutella network.  I see absolutely nothing out of the ordinary in those logs.  Your traffic is being flagged as p2p traffic by a lot of the servers that Vuze is connecting to.  Some networks disallow, log, or modify this kind of traffic.  Those are the "errors" (which aren't errors at all, simply informative messages) you're seeing.

If you want to download BlackTrack, there's no need to grab it from Vuze.  You can download it for free from here:

http://www.blacktracklog.com/

If that's not the same BlackTrack, then... well, disregard!  

I think what you're really experiencing is a combination of over-zealous network traffic monitors (Peer Guardian, firewalls, etc.) combined with an alarmist approach to what are ordinary log messages.


----------



## coolio2654 (Feb 19, 2010)

Well, I got some new readings which I'm almost 100% sure I didn't cause.
I recently visited a site called "4chan.org" because I heard I could find good lolcats pics on it.  Well, I didn't like the site very much (you'll know if you go there), so I left, and from then on I'm getting new readings on my PG.  
So, how do I get rid of these readings, and what do they mean?  

Oh, and quite recently I haven't been able to access certain websites that I could before.  I checked the websites with the internet service "down or not" (it checks whether the servers for websites you input are working or not) and it gave positive readings that the sites are up.  I also tried accessing the sites using Opera but I get the same result.
P.S.  The last pic is the virus or whatnot trying to get through my Opera browser now.


----------



## ElDiabloConCaca (Feb 19, 2010)

I think it's time to stop reading log files.  Unless you know exactly what you're looking at when looking at a log file, then you'll likely be alarmed and worried about every log entry you see.

Nothing I see in those logs is out of the ordinary.  A couple of blocks on Flash banner ads, nothing to get excited about at all.

I think what you've done is load so much protection software on your Mac that it's interfering with normal operation.  You're now being warned about EVERYthing that occurs on your Mac, whether it's actually malicious activity or not.

You are not running a Windows PC -- you do not need several layers of malware protection, antivirus protection and registry cleaners, all working at the same time.  A simple firewall would be more than adequate to protect you from the evil internet pirates.


----------



## coolio2654 (Feb 19, 2010)

Oh, nvm all that.  I just decided to turn my PG off and all the websites work!  I guess the messages were just incoming packets from the servers.


----------



## coolio2654 (Feb 28, 2010)

ElDiabloConCaca said:


> I think it's time to stop reading log files.  Unless you know exactly what you're looking at when looking at a log file, then you'll likely be alarmed and worried about every log entry you see.
> 
> Nothing I see in those logs is out of the ordinary.  A couple of blocks on Flash banner ads, nothing to get excited about at all.
> 
> ...


Yeah, you're right, I'll calm down.  Those dreadful viruses I once had on my Windows XP must still be haunting me.


----------

