I really think I have an OS X virus!

stefania

Help! The last few days, I have been having problems connecting to any IRC network. For example, I try to connect to bararcade, and it redirects me to localhost.localdomain 2.8/hybrid-6.2 oOiwszcrkfydnxb biklmnopstve, where I auto join a channel called #martian, where there is another user called Marvin. That user (a bot) types .bot.remove / .remove / .uninstall / !bot.remove / !remove / !uninstall
The same thing happens when I try to connect to any IRC server. This is a new problem, I think I have a virus! I can't get rid of it with any software.
 
Have a look at this:

http://www.dslreports.com/forum/remark,12922412

I've just read a bit there, but if I understand it correctly this is a 'problem' with cox.net in order to protect their customers.

They redirect their customers to their own IRC server and use this to remove a virus. So if you're using cox.net just try again to connect to another IRC server or contact your provider. But this isn't a virus so don't panic. ::angel::
 
Hi Stefania. Welcome to MacOSX.com.

Viro's question is important. Also, what IRC client are you using? How long have you been using it?

I think that rbuenger is probably right about Cox. However, I am a little worried about your IRC client being redirected to 'localhost.localdomain', which is your computer's way of referring to itself. If you really are being redirected to your own machine AND you are successfully connecting AND there is a bot running there AND all of this is news to you, you probably should be very worried.

It may be a good idea to find out 1) where "localhost" goes and 2) where else you are connected when you run your IRC client.

Go to Applications > Utilities > Network Utility.

1) Localhost
Click on the 'Ping' tab. Enter 'localhost' into the text box. Hit enter. You should see 127.0.0.1. If you don't, something extremely bad is going on.

2) Network connections
It really, really helps to run this after rebooting, without any programs running that access the Internet (other than your IRC program). Click on the 'Netstat' tab. Click on the radio button that reads, 'Display the state of all current socket connections'. Click the blue 'Netstat' button. You should get a read out of outbound and inbound connections. The fourth column represents the computer that initiated the connection, while the fifth represents the destination computer. If someone is up to no good, he will show up in this list.

It is also important that you check your firewall settings in the System Preferences > Sharing window. Make sure that you only allow the services you actually use. If you don't know what the service does, turn it off. If you click on the icon of the lock at the bottom of the window, it will prevent anyone from making changes (including yourself) without entering the system password.

It might be a good idea to look for any unusual programs that might be running by going to the activity monitor, also in the Utilities folder.

IRC is a very common way for hackers to send messages to machines they control. It is unusual, though, to have an IRC server installed on an 0wn3d machine. For that reason, I wouldn't be too, too worried.

Please report back here what you find.
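The two checks from the post above, sketched in Python as an added example that is not part of the original thread: it confirms that `localhost` resolves to a loopback address and scans `netstat` output (fourth column local address, fifth column foreign address) for IRC connections and listeners. The sample output is constructed, the addresses are documentation ranges, and the port list is an assumption about which ports the IRC server uses.

```python
import ipaddress
import socket

# Conventional IRC ports (assumption: the server uses one of these).
IRC_PORTS = set(range(6660, 6670)) | {6697}

# Constructed sample in the layout macOS `netstat -an -p tcp` prints.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.49712     203.0.113.10.6667      ESTABLISHED
tcp4       0      0  127.0.0.1.49720        127.0.0.1.6667         ESTABLISHED
tcp4       0      0  *.6667                 *.*                    LISTEN
tcp4       0      0  192.168.1.20.49730     198.51.100.7.443       ESTABLISHED
"""

def split_endpoint(field):
    # macOS netstat joins address and port with a dot: '203.0.113.10.6667'.
    host, _, port = field.rpartition(".")
    return host, port

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' wildcard or an unresolved name

def irc_findings(netstat_text):
    """Return (kind, endpoint) pairs for IRC-related TCP sockets."""
    findings = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp"):
            continue  # skip headers and non-TCP rows
        local, foreign, state = cols[3], cols[4], cols[5]
        lport = split_endpoint(local)[1]
        fhost, fport = split_endpoint(foreign)
        if state == "LISTEN" and lport.isdigit() and int(lport) in IRC_PORTS:
            findings.append(("local-irc-listener", local))
        elif state == "ESTABLISHED" and fport.isdigit() and int(fport) in IRC_PORTS:
            kind = "irc-to-own-machine" if is_loopback(fhost) else "irc-to-remote"
            findings.append((kind, foreign))
    return findings

def localhost_is_loopback():
    """True if every IPv4 address 'localhost' resolves to is in 127.0.0.0/8."""
    infos = socket.getaddrinfo("localhost", None, socket.AF_INET)
    return all(is_loopback(info[4][0]) for info in infos)
```

A `local-irc-listener` or `irc-to-own-machine` result is the case the post calls worrying; an `irc-to-remote` result whose address is not the server you asked for fits the provider-redirect explanation.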
 
Hmm, I guess these are two completely different things? And stefania never mentioned anything about this Trojan (or better the false positive). I still bet this is just a 'problem' with the provider, who redirects IRC traffic with 'faked' DNS entries to his own server to remove a (Windows) virus/trojan that uses IRC to spread.
 
Good call rbuenger - strange behaviour on cox.net's part, but understandable on some level...
 