Munix hacked? Valid files for install of Leopard?

The only other person with physical access is my wife, but she only knows how to turn it on and use applications.

I've had another thought about this...

Is it possible that when I'm logged into my account that I'm actually interacting with the computer within a virtual machine environment?

Here's why I ask...

When logging in from the initial screen that is set up for me to type in my user name and password, the screen will accept my information and then briefly display the login screen that has my account picture. As if it was passing through the credentials and then logs in.

If I enter Terminal and examine the file and folder list from / , I cannot get into any folder except /user. If I cd vol or cd bin and then type pwd, it always shows that I've been put into the /user folder. It appears that all my folders are aliases.

When I log out Finder goes through the process but instead of a smooth visual transition back to the login screen, my screen fades to black, holds there a half second or so and then the default desktop picture pops onto the screen with the login boxes. Sometimes during that little blip of black screen I can see a solid white cursor in the top left hand corner of the screen.

Whenever I shut down the machine I see an error that /home and /net volumes fail to dismount.
 
Oooh, could be a root kit.

In the terminal, can you do echo $PATH and see what that says?
 
My machine would not boot today. Had to reset PRAM/NVRAM in order to get it to boot from install disc. It would get to the gray logo screen and the turning gears but go no farther.

Reset partition, erase, zero out, reinstall.

At the end of the install log there are multiple entries of folders in private framework/version a/* whose metadata was updated with "actual metadata" from a similarly named folder.

One of the last lines on the log says
"if diskobject (null) was set with a nil dmdisk object"

I found a .plist file with setting references to World of Warcraft, starfighter, com.blizzard.launch, com.blizzard.download and other stuff like that. I have never played WoW and don't know the reference to Blizzard.

The machine has not been allowed on the net, everything is locked down. Installed little snitch and set rules to deny outgoing communications.

Will look at the path question tomorrow when I'm more fresh so I can be sure to carefully see where I can move around on the HD from the command line.
 
Another thing - the box that I bought with a fresh copy of Leopard says 10.5.2.

System profiler now says I am running 10.5.1.
 
I wish it was a hoax and my life would be easier.

Through more trial and error and using a program called RootKit Hunter I've learned that after a HD erase, zero out, OS install, combo update to 10.5.3 I'm left with a system that is configured for SSH protocol 2:

ssh config file - yes
ssh root access allowed - yes
ssh protocol v1 allowed - no
syslog daemon? found
syslog remote logging? yes warning
install.*@127.0.0.1:3236

I also find that a hidden file /usr/share/man/man5/.rhosts.5gz:gzip compressed was changed from ".rhosts.5" from Unix.

These settings persist through the various setting updates I make in the account preferences regarding sharing, etc.

If I try to edit the files (with TextEditor.app), the system will not allow me to save the changes. I'm attempting through Finder and I modify the file and folder permissions for my account to write, but still am blocked.

What's this from my DSL modem's system log this morning?
"Connecting PPPoE socket: 00:90:1a:a0:57:82 9702 br0 0x1000d538"
I don't recognize 00:90:1a:a0:57:82.

The date is May 2007 until several lines in when it changes to today's date. This modem was purchased on Saturday and configured on Sunday.

Verizon DSL modem log 060308 07:52
(GMT)16:01:15 Tue May 15 2007 syslogd started: BusyBox v0.61.pre
(GMT)16:01:15 Tue May 15 2007 init: Waiting for enter to start '/bin/sh' (pid 88, terminal /dev/tts/0)
(GMT)16:01:16 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -N EGRESS
(GMT)16:01:16 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -N INGRESS
(GMT)16:01:17 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -A INGRESS -j IMQ
(GMT-05:00)16:01:18 Tue May 15 2007 logic: Stunnel conf 2: TR-069 1 /var/etc/stunnel2.conf https://cpe-ems.verizon.com/cwmpWeb/CPEMgt 1 8080
(GMT-05:00)16:01:19 Tue May 15 2007 logic: dhcps starting
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:01:25 Tue May 15 2007 udhcpd: ADD - (my mac address) 192.168.1.64 86400 bigmacs-imac

Later:
GMT-05:00)16:02:00 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started

(GMT-05:00)16:02:00 Tue May 15 2007 udhcpd: interface: br0, start : 4001a8c0 end : fe01a8c0
(GMT-05:00)07:44:16 Tue Jun 03 2008 pc: act_hnm not exist, restart it
(GMT-05:00)07:45:24 Tue Jun 03 2008 udhcpd: SENDING ACK to bigmacs-imac
(GMT-05:00)07:45:24 Tue Jun 03 2008 udhcpd: sending ACK to 192.168.1.67
(GMT-05:00)07:45:24 Tue Jun 03 2008 udhcpd: ADD 192.168.1.67 86400 bigmacs-imac
(GMT-05:00)07:45:24 Tue Jun 03 2008 logic: 192.168.1.67 now is 192.168.1.67
(GMT-05:00)07:45:27 Tue Jun 03 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)07:45:27 Tue Jun 03 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)07:45:27 Tue Jun 03 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=71,srcip=192.168.1.1, url=67.1.168.192.in-addr.arpa
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=61,srcip=192.168.1.1, url=dslmodem.domain
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=61,srcip=192.168.1.1, url=dslmodem.domain
(GMT-05:00)07:45:29 Tue Jun 03 2008 syslog: failed dns request len=71,srcip=71.252.0.12, url=67.1.168.192.in-addr.arpa
 
I wish it was a hoax and my life would be easier.

Through more trial and error and using a program called RootKit Hunter I've learned that after a HD erase, zero out, OS install, combo update to 10.5.3 I'm left with a system that is configured for SSH protocol 2:

ssh config file - yes
ssh root access allowed - yes
ssh protocol v1 allowed - no
syslog daemon? found
syslog remote logging? yes warning
install.*@127.0.0.1:3236
Yup, standard Mac OS X Server config... SSH2 is used for remote logins among other things.
If I try to edit the files (with TextEditor.app), the system will not allow me to save the changes. I'm attempting through Finder and I modify the file and folder permissions for my account to write, but still am blocked.
Because you need to edit that file as root, and you can't do that with TextEdit by simply double-clicking the "TextEdit" icon. If you're versed in vi or nano, try editing the file from the command line with "sudo".

What's this from my DSL modem's system log this morning?
"Connecting PPPoE socket: 00:90:1a:a0:57:82 9702 br0 0x1000d538"
I don't recognize 00:90:1a:a0:57:82.
Could that be your ISP's Mac address?

Could it also be that your DSL modem's DNS has been poisoned? Can you do a "hard reset" of the modem -- in other words, can you purge the settings on the modem to their default state, then reconfigure the modem to be sure that it's not some poisoned modem settings?
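A way to check the three rkhunter findings discussed above against the actual configuration text, as an added shell example that is not from this thread: it reports the effective PermitRootLogin value from sshd_config, separates loopback log forwarding (Leopard's install.* line) from genuinely remote syslog targets, and lists any PATH entries outside the Leopard default quoted later in the thread. All sample inputs are constructed; on a real machine you would feed it the contents of /etc/sshd_config, /etc/syslog.conf and "$PATH".

```shell
# Added example (not from the thread). Parses sshd_config / syslog.conf text
# and a PATH string; all sample inputs below are constructed.

# Effective PermitRootLogin: the last uncommented directive wins; if absent,
# OpenSSH of the Leopard era defaulted to "yes", which is what rkhunter reports.
ssh_root_login() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "permitrootlogin" { val = tolower($2) }
        END { print (val == "" ? "yes" : val) }'
}

# Every syslog action that forwards to a host ("@dest"), tagged loopback or
# remote. Leopard ships an install.* line pointing at 127.0.0.1, which
# rkhunter flags as remote logging although it never leaves the machine.
syslog_remote_targets() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && $2 ~ /^@/ {
            dest = substr($2, 2)
            split(dest, parts, ":")
            kind = (parts[1] == "127.0.0.1" || parts[1] == "localhost") ? "loopback" : "remote"
            print dest, kind
        }'
}

# Directories in PATH ($1) that are not in the expected colon-separated list ($2).
path_extra_entries() {
    expected=":$2:"
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$expected" in
            *":$dir:"*) ;;
            *) printf '%s\n' "$dir" ;;
        esac
    done
}

# The default PATH quoted later in the thread for a clean Leopard install.
LEOPARD_DEFAULT_PATH='/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin'

# Constructed samples: a commented-out "no" does not count, and one
# genuinely remote log host is mixed in with Leopard's loopback line.
SAMPLE_SSHD='#PermitRootLogin no
Protocol 2'
SAMPLE_SYSLOG='*.notice;authpriv,remoteauth,ftp,install.none  /var/log/system.log
install.*  @127.0.0.1:3236
auth.*  @logs.example.net:514'

echo "root login: $(ssh_root_login "$SAMPLE_SSHD")"   # yes
syslog_remote_targets "$SAMPLE_SYSLOG"
path_extra_entries "$LEOPARD_DEFAULT_PATH:/tmp/.hidden" "$LEOPARD_DEFAULT_PATH"   # /tmp/.hidden
```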
 
I will try a reset on the modem, but I've attempted that on the previous DSL modem a couple of times and ended up with the same thing. Thus my decision to buy a new modem. And here I am again.

I haven't looked up the man file on it yet, but do you know what the default config for Raccoon should be upon a fresh install? My system has a config setting that allows anonymous login right off the bat.


Here's a bit more of the log from this morning that I meant to post.

The second remote connection attempt to port 443 is what worries me. I have that port blocked by the firewall that is built into the modem.

GMT-05:00)07:45:44 Tue Jun 03 2008 syslog: failed dns request len=136,srcip=71.252.0.12, url=dslmodem.domain
(GMT-05:00)07:45:50 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:45:51 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:46:11 Tue Jun 03 2008 stunnel[377]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:46:11 Tue Jun 03 2008 stunnel[377]: Failed to initialize remote connection
(GMT-05:00)07:46:17 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:46:18 Tue Jun 03 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)07:46:27 Tue Jun 03 2008 stunnel[455]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:46:27 Tue Jun 03 2008 stunnel[455]: Failed to initialize remote connection
(GMT-05:00)07:46:57 Tue Jun 03 2008 stunnel[464]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:46:57 Tue Jun 03 2008 stunnel[464]: Failed to initialize remote connection
(GMT-05:00)07:47:27 Tue Jun 03 2008 stunnel[479]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:47:27 Tue Jun 03 2008 stunnel[479]: Failed to initialize remote connection
(GMT-05:00)07:47:56 Tue Jun 03 2008 stunnel[486]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:47:56 Tue Jun 03 2008 stunnel[486]: Failed to initialize remote connection
(GMT-05:00)07:48:26 Tue Jun 03 2008 stunnel[497]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)07:48:26 Tue Jun 03 2008 stunnel[497]: Failed to initialize remote connection
 
And another question -

I've never specified a WINS name in any of the Mac's interfaces, though I've noticed that a name gets used. It usually is MACINTOSH-77777777 or something generic like that.

My computer does have a name as specified in the Sharing preferences, though file sharing is outlawed on my machine. The two names don't match up.

I've created a new "Location" and deleted the automatic location and have found over time that the generic mac name will get used again.

I'd get it if the mac needs to default to a name as a placeholder but what I don't get is why the WINS name doesn't default to the computer name defined in Sharing preferences, since WINS is to help the machine share with Windows. Right? There must be a setting somewhere that I'm missing. Just want to make sure the machine isn't sharing files through some config file that has been modified or overlooked.
 
I don't think that your system is compromised. From where I'm sitting, it looks as though you are already believing that your system is compromised and that is leading you to see "intrusions" everywhere.

Try scanning your computer against https://www.grc.com/x/ne.dll?bh0bkyd2 and see what it says.
 
I understand your skepticism. It's true that I'm watching every movement of the system.

I want to join your side on this issue and will as soon as I can find someone who can explain to me what might be legitimate reasons for:

su commands on the logs
anonymous logins on the logs
sections of logs that disappear
time changes by a few seconds on the logs
"race conditions" on the logs
"window replay" on the logs
"recall volume changes" on the logs
preference settings changing over time


Hand me my aluminum foil hat please.
 
I am reading the last few posts of this thread with much interest. I too have been encountering strange issues with both Windows and Mac machines. To start with, I had three computers in my home office become compromised through MBR/Downloader and DNS Hijack Trojans. At one time I too thought they were re-writing CDs but eventually what I realized they are doing is emulating CDs for the purpose of preventing my being able to reinstall Windows and to covertly install files that will give them control of the machine. I noticed this on a Windows machine when re-installing drivers after completing FDISK and Format on my hard drive. Earlier I had inspected the files on the CD and saw there were 10 drivers. However, when trying to install them the "disk" showed 14 driver files. They copy the disk to the hard drive, make you think you are accessing the CD in the CD drive but then install from the HD the files they want. I know this sounds crazy, but it is happening.

I got fed up with Windows, after going through THREE new hard drives in less than a week trying to "beat" the hackers, and bought an iMac:

Hardware Overview:

Model Name: iMac
Model Identifier: iMac7,1
Processor Name: Intel Core 2 Duo
Processor Speed: 2 GHz
Number Of Processors: 1
Total Number Of Cores: 2
L2 Cache: 4 MB
Memory: 1 GB
Bus Speed: 800 MHz
Boot ROM Version: IM71.007A.B03
SMC Version: 1.20f4
Serial Number: QP816056X85

It wasn't long after connecting this machine (never could get Airport Extreme to configure properly) that I noticed it was being used as a DNS server. I am not familiar with Macs so it took a while before I figured out how to block incoming traffic, etc. I too was getting "fake" log-in screens, etc. popping up asking for my password and even had a message pop up saying that Apple suggests I install "Growl" for network management. I also noticed that some of my documents were being copied into image files and somehow interfacing with X-11 to send them over the net (also not yet familiar with X-11). In doing some research I learned how to see where my user bin location is and, from what I understand, it was in the wrong place and in a strange place (when I perform the command echo $PATH in the terminal this is what I get: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin). After seeing this I erased the hard drive with a 7 pass erase and reinstalled OSX and this time I did not install X-11 or anything else other than the core requirements. However, if I perform the command echo $PATH in the terminal it STILL gives me /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin. I also noticed that although I chose not to install any of the language packs other than English, all the languages are installed.

On the Windows computers I was getting error messages in Chinese and Korean. From what I have learned through some online research (when my searches aren't being re-directed), there is some serious hacking taking place and it is being done by a sophisticated and organized group out of China and possibly North Korea. Their primary goal is identity theft. This is a serious issue that is not getting much press and needs to be addressed by companies such as Microsoft and Apple.

I know I am not imagining things because my bank recently notified me that my account was locked due to repeated attempts to access my account from a foreign IP address.
 
A question: Tonight I noticed the following "critical" notification in the log:

6/19/08 8:21:38 PM localhost fseventsd[26] fseventsd Critical log dir: /.fseventsd getting new uuid: 8B590C92-EBAE-4C8B-8441-8C61DD440BCB

Any ideas?

Or this error:

6/19/08 8:22:01 PM imac /usr/sbin/screenreaderd[68] /usr/sbin/screenreaderd Error SCREENREADER[68]: Stopping screen reader because login happened
 
First of all: I can't see anything that even remotely resembles a root kit or any other type of foul play in any of these logs.

Second: if you don't know what to look for, don't look. Seriously. If you want to learn, then by all means look, and then google every log entry you don't understand, and learn what process caused the log entry and why. If you're not prepared to learn, don't look. You'll only grow (more) paranoid.

I agree with g/re/p though, this smells like a hoax. HelloMac seems more like a troll/flamebait than a seriously concerned user.
 