Munix hacked? Valid files for install of Leopard?

Status
Not open for further replies.
I agree... I smell fish, and it just doesn't make sense.

If you're getting hacked during the install process, as HelloMac has insinuated, then something is drastically wrong with your network setup.

HelloMac, if I remember correctly, even claimed that s/he was "hacked" during the install process even when not connected via any network interface... and wondered if, perhaps, the install DVD was compromised. This is just completely unrealistic... no legitimate copies of Mac OS X have trojans/viruses/rootkits on the install media, period, so this is completely impossible.

If either HelloMac or NewMacUser-TX are willing, I'd like to please ask them to post some screenshots of the error messages they're receiving. Simply press Shift-Command-3 to generate a picture of the screen, then post it here. I'd especially like to see the screenshot of "Apple suggests I install "Growl" for network management", since no error message anywhere within Mac OS X contains the verbiage "Apple suggests you install...".

Not to be too stereotypical of a forum dissenter, but pics or it didn't happen.
 
If I am able to capture a screen shot I will. The Windows computers are dead as every new hard drive I have installed has become corrupted and as such, I have given up on trying to use them for anything. I am not sure if it is possible, but I believe that the MBR changes have been written to the motherboard or something as every hard drive I have installed has become corrupted.

As I mentioned, I do not believe they are writing to install discs, but I do believe they are creating hidden, encrypted drives that the computer boots from whenever you try to reinstall or restore Windows. I also believe the Trojan "tricks" you into thinking you are installing "a", when in reality, you are installing "x". There have been many strange things happening that are just unexplainable.

As for my Mac, I agree that I do not know enough yet about Mac to understand many of the errors, etc. that I see. But again, after a 7 pass erase, reformat and reinstall, should my user bin still be where I showed? Especially if X-11 had not been installed? How could it be in the X-11 directory if there is no X-11 program on the computer?

As for the Growl message, if it happens again I will gladly capture a screen shot and put it up. I don't think it will happen again though as I had a local Apple tech come out at $100 an hour and assist me in finally getting the Airport Extreme to configure properly, etc. Even he could not explain the log entries, etc. that he was seeing and thought it was something he should investigate.

I am not sure why you have to think people are lying just because you haven't seen what they say? Sure, seeing is believing, but I have no reason to make stuff up. These issues have cost me in my business and put a burden on me financially and mentally. I have lost all of this year's financial data and have to rebuild everything as I am too afraid my back-ups are compromised and will not take a chance.
 
Hello again all. I thought this thread was dead and I was dismissed. And I see there continue to be folks who can't see how this is taking place. I will in fact post some screen shots within the next day in order to show file system examples. DTD files and other strangeness.

New - Ser - TX. What you describe is very similar to my issue.

This week I reached the same conclusion that part of the problem is a DNS hijack.

All - the following are elements that help combine to make the system fail. The initial entry point is through a takeover of DNS and the cgi-bin of a modem which uses BusyBox, a Linux-based operating system for DSL/cable modems.

Need to open a port for ssh? No problem, I own your modem so I'll do whatever I want. In fact I'll write a script that Automator will execute the next time you boot the machine and let you do the work for me.

Man AWK and read up on this old technology that works with all Unix flavored systems:
"Function declarations can be placed in a program wherever a match-action clause can. All parameters are local to the function. Local variables can be defined inside the function.

* A second improvement is a new function, "getline", that allows input from files other than those specified in the command line at invocation (as well as input from pipes). "Getline" can be used in a number of ways:
getline                 Loads $0 from current input.
getline myvar           Loads "myvar" from current input.
getline < myfile        Loads $0 from "myfile".
getline myvar < myfile  Loads "myvar" from "myfile".
command | getline       Loads $0 from output of "command".
command | getline myvar Loads "myvar" from output of "command".
* A related function, "close", allows a file to be closed so it can be read from the beginning again:
close("myfile")
* A new function, "system", allows Awk programs to invoke system commands:
system("rm myfile")
* Command-line parameters can be interpreted using two new predefined variables, ARGC and ARGV, a mechanism instantly familiar to C programmers. ARGC ("argument count") gives the number of command-line elements, and ARGV ("argument vector") is an array whose entries store the elements individually.

* There is a new conditional-assignment expression, known as "?:", which is used as follows:
status = (condition == "green")? "go" : "stop"
This translates to:
if (condition=="green") {status = "go"} else {status = "stop"}
This construct should also be familiar to C programmers.

* There are new math functions, such as trig and random-number functions:
sin(x) Sine, with x in radians.
cos(x) Cosine, with x in radians.
atan2(y,z) Arctangent of y/x, in range -PI to PI.
rand() Random number, with 0 <= number < 1.
srand() Seed for random-number generator.
* There are new string functions, such as match and substitution functions:

match(<target string>,<search string>)

Search the target string for the search string; return 0 if no match, return starting index of search string if match. Also sets built-in variable RSTART to the starting index, and sets built-in variable RLENGTH to the matched string's length."

http://www.vectorsite.net/tsawk_3.html#m1

Strings, arrays - sound familiar? Oh yes all those .plist files.


UDP communication is used to output and input information to the system through channels the MAC considers normal.

CUPS printing system that is part of MAC OS is capable of so much more than handling print jobs. It has a built in http server that can be logged on through port 80 just like any other url. Cups will open a port through the firewall and listen for connections. Man cups and learn.

ARD has a vulnerability that allows takeover of the machine through escalating permissions. Google Slashdot and read up on it.

LittleSnitch shows activity flowing out of my machine to host names including "time.apple.com" or other similar unusual names, but if one drills down on the host name and looks at the actual IP address one will find that connections are being made to places including http://www.sarialtin.com "Zero Ground Condition". TURN OFF JAVA SCRIPT IN SAFARI BEFORE YOU VISIT THAT URL. Use the Dev tools and have a look under the skin at that site. Esp /test/pakdost.txt

Java VM
Active Directory
nmblookup
MDNSResponder
Those three system processes play a role in discovering internal settings on the MAC and sending an update outside the system.

Duplicate filesystems are in place on my iMAC and my MacBook that duplicate private frameworks for system\library, but the directories are located ...

file:// *
file:/// *

Multiple IPs that I trace resolve to 169.###.##.##-addr-arpa. Good luck finding from there.

NEWMACUSR-TX - do you ever see msdosfs.kextd load? ALL - Kernel Extensions as you all know, of course, according to Apple docs, only load into memory when they are needed. I do not have a windows or dos/ntfs based file system installed on the machine so why does the system need it?

There's room for one. Disk Utility provides the space formatted FAT in the same area where the initial bootup files for the EFI are stored. There isn't supposed to be anything there but I don't know how to look at it. Perhaps the seed of this problem inhabits the FAT formatted part of the system partition? Maybe that's why I also see something called EFISYNC.KEXT run on occasion? Usually around the same time that msdosfs.kextd loads? Oh wait, I'm a troll and paranoid.

I'm up for additional education gentlemen. Usually the responses on this thread are answers to things that are explainable, but the hard questions are ignored.

Why does my iSight camera turn on by itself when the machine is on the web? iChat is NOT running. No IM software is running. But hi "smile for the camera"!

If you are willing to actually be of assistance in this I'm happy to post up additional information including log files and screen shots, but if you just want to tell me that I'm stupid or a troll and that my Mac is bulletproof, then I'll leave it alone as I was. But the fellow in Texas described issues I had with my PCs almost to a T before I gave up and bought TWO macs thinking hey, now I'll be in good shape.

I'm on my third brand of modem/router.
I've switched from cable to DSL.
I've formatted my HDs multiple times. AppleCare can't figure it out. The local Genius tells me it's a software problem so call AppleCare.

Even so, I still enjoy my Mac more than I ever enjoyed using a PC. The problem is that I can only use it for three or four days, then have to tear it back down and start over. It's annoying.
 
Look, I'm not a troll. I'll post some screen shots and some logs and you can beat me up about it or give it a go. I stopped posting because my last two posts were blocked by the moderator.

A quicker synopsis. TURN OFF JAVA in Safari and visit sarialtn.com/test/pakdost.txt. Littlesnitch tells me all the time about this process or that who wants to connect there. Also look under the hood at sarialtin.com.

Read the man for AWK - it's an old technology but it works on every unix flavored box.
Google ATA over Ethernet. It's low level, it works and leaves no trace on the logs about what it's doing. I've seen it listed by System Profiler in my applications. Just realized what it was this week.

The initial entry to the MAC is through a compromised cable or DSL modem using a scaled down version of Linux called BusyBox. Gain control of the cgi-bin and welcome to the MAC. Need a port opened for ssh? Coming right up!

CUPS built into the mac is SO capable. You should read the man for it. It includes an http server built in. Combine it with BACKENDS and go to town. Oh yeah, just open a port and listen to IPv6 and instructions on what to do next. Send a script to automator? Sure, it's run on the next boot. Thanks.

Mr TX just saved my sanity. The extra files I thought were on the install DVD are in fact on my HD. Duplicate files at file:// * and file:/// *.

Upon install Disk Utility puts EFI into a special hidden partition. It also creates some space formatted FAT. No files, just the space. Standard procedure.

My system loads msdosfs.kextd once or twice after a fresh drive wipe. Within a few minutes something called EFISync.kextd runs too. Is the seed of this problem living on that FAT partition? Remember kids - MAC OS X only loads a kernel extension when it needs to be used so I wonder why the MSDOS FILE SYSTEM KERNEL EXTENSION IS LOADED BY OS X? I'm not running boot camp, or Fusion or Parallels, or windows or a VM for pong.

I'll talk to you later, gotta go reformat my hard drive again.
 
MR- TX -

Usual suspects that are always involved. Run Little Snitch and watch and tell me what you see in order to learn if we are both living the same dream.

mDNSresponder
nmblookup
directory service
ntpd - notice that this always lights up every time you press the enter key? Is it REALLY checking the time on that schedule?

Don't rely on the hostnames when those processes attempt to make a connection, but drill down to the actual IP address. Go over to DNSStuff.com and run some searches. In most cases, the IP does not end up where you think it's going.

My bet is you'll find variants of 169.xxx.xxx.x-in-addr-arpa most of the time.

Take a look at YOUR ip address. If it's been assigned to the machine for more than a day (DHCP) it might not actually be your ISP's assignment. Take a close look and see if you find srcip= xxxxxxx url=XXXXXXX etc. Redirected.
 
So... what you two are trying to say is that this has nothing to do with the Mac, nothing to do with the Windows box, and everything to do with your router and/or cable modem?

My system loads msdosfs.kextd once or twice after a fresh drive wipe. Within a few minutes something called EFISync.kextd runs too. Is the seed of this problem living on that FAT partition? Remember kids - MAC OS X only loads a kernel extension when it needs to be used so I wonder why the MSDOS FILE SYSTEM KERNEL EXTENSION IS LOADED BY OS X? I'm not running boot camp, or Fusion or Parallels, or windows or a VM for pong.

Maybe because Mac OS X supports reading and writing to MS-DOS formatted disks out-of-the-box and all the time. Gotta have a kernel extension for that functionality. When you plug in an MS-DOS formatted disk, the computer mounts it. In order to mount it, it has to understand the format. One way for Mac OS X to "understand" the MS-DOS format is via kernel extension.

Although that extension is not present on my system.

EFISync.kext I don't know about.

I'm not calling anyone a liar -- the quip about "pics or it didn't happen" is a reference to forum trolls who don't believe a thing unless there's pics. It, and the "I smell fish" comment, were typed tongue-in-cheek. I'm just saying that something fishy is going on here -- with you, your computer, your router, or the electromagnetic fields around your location.
 
but I did notice the following in my logs this morning:

Deny configd data in from 10.198.242.1:67 uid = 0 proto=17
Deny mDNSResponder data in from fe80::21f:5bff:feee:446c:5353 uid = 0 proto=17

From what I can learn from searches, this is my Mac denying my ISP from configuring my DHCP settings which should be allowed.

I also continually notice that CUPSD is "listening" on a port... why? My printer is connected directly to my MAC and I am not running a network.
 
Modem/Router log

(GMT)16:01:15 Tue May 15 2007 syslogd started: BusyBox v0.61.pre
(GMT)16:01:15 Tue May 15 2007 init: Waiting for enter to start '/bin/sh' (pid 86, terminal /dev/tts/0)
(GMT)16:01:16 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -N EGRESS
(GMT)16:01:16 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -N INGRESS
(GMT)16:01:17 Tue May 15 2007 logic: qos_prepare:iptables -t mangle -A INGRESS -j IMQ
(GMT-05:00)16:01:17 Tue May 15 2007 logic: Stunnel conf 2: TR-069 1 /var/etc/stunnel2.conf https://cpe-ems.verizon.com/cwmpWeb/CPEMgt 1 8080
(GMT-05:00)16:01:19 Tue May 15 2007 logic: dhcps starting
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:1f:f3:52:b9:39 192.168.1.75 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.76 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:1e:c2:32:d5:4e 192.168.1.77 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: interface: br0, start : 4b01a8c0 end : 5001a8c0
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: Received SIGTERM
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1f:f3:52:b9:39 192.168.1.75 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.76 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1e:c2:32:d5:4e 192.168.1.77 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 989 unknownpc1
(GMT-05:00)16:01:35 Tue May 15 2007 udhcpd: interface: br0, start : 4b01a8c0 end : 5001a8c0
(GMT-05:00)16:01:39 Tue May 15 2007 logic: launch stunnel 0, 0
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: SENDING OFFER to daddy-macs-imac
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.76 60 daddy-macs-imac
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.76
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: SENDING OFFER to daddy-macs-imac
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.76 60 daddy-macs-imac
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.76
(GMT-05:00)16:01:43 Tue May 15 2007 udhcpd: SENDING ACK to daddy-macs-imac
(GMT-05:00)16:01:43 Tue May 15 2007 udhcpd: sending ACK to 192.168.1.76
(GMT-05:00)16:01:43 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.76 1000 daddy-macs-imac
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: Plugin pppoe loaded.
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: PPPoE Plugin Initialized
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: Plugin pppoe called.
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: pppd 2.4.1 started by DHLM, uid 0
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: setting line discipline hook
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: don't turn led red when auto-detecting
(GMT-05:00)16:01:46 Tue May 15 2007 pppd[262]: Sending PADI
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: Plugin pppoe loaded.
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: PPPoE Plugin Initialized
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: Plugin pppoe called.
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: pppd 2.4.1 started by DHLM, uid 0
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: setting line discipline hook
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: don't turn led red when auto-detecting
(GMT-05:00)16:01:49 Tue May 15 2007 pppd[278]: Sending PADI
(GMT-05:00)16:01:55 Tue May 15 2007 udhcpc: udhcp client (v0.9.7) started
(GMT-05:00)16:01:55 Tue May 15 2007 udhcpc: Sending discover...
(GMT-05:00)16:01:55 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 60 unknown
(GMT-05:00)16:01:55 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.78
(GMT-05:00)16:01:56 Tue May 15 2007 udhcpd: sending ACK to 192.168.1.78
(GMT-05:00)16:01:56 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 1000
(GMT-05:00)16:01:57 Tue May 15 2007 udhcpc: Sending discover...
(GMT-05:00)16:01:59 Tue May 15 2007 udhcpc: Sending discover...
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: Plugin pppoe loaded.
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: PPPoE Plugin Initialized
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: Plugin pppoe called.
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: pppd 2.4.1 started by DHLM, uid 0
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: setting line discipline hook
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: don't turn led red when auto-detecting
(GMT-05:00)16:02:01 Tue May 15 2007 pppd[306]: Sending PADI
(GMT-05:00)16:02:06 Tue May 15 2007 udhcpc: udhcp client (v0.9.7) started
(GMT-05:00)16:02:06 Tue May 15 2007 udhcpc: Sending discover...
(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: SENDING OFFER to daddy-macs-imac
(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 60 daddy-macs-imac
(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.79
(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: SENDING OFFER to daddy-macs-imac
(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 60 daddy-macs-imac
(GMT-05:00)16:02:07 Tue May 15 2007 udhcpd: sending OFFER of 192.168.1.79
(GMT-05:00)16:02:08 Tue May 15 2007 udhcpc: Sending discover...
(GMT-05:00)16:02:08 Tue May 15 2007 udhcpd: SENDING ACK to daddy-macs-imac
(GMT-05:00)16:02:08 Tue May 15 2007 udhcpd: sending ACK to 192.168.1.79
(GMT-05:00)16:02:08 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 1000 daddy-macs-imac
(GMT-05:00)16:02:08 Tue May 15 2007 logic: 00-1e-52-86-be-17/192.168.1.79 now is 192.168.1.79
(GMT-05:00)16:02:10 Tue May 15 2007 udhcpc: Sending discover...
(GMT-05:00)16:02:48 Tue May 15 2007 udhcpd: SENDING ACK to daddy-macs-imac
(GMT-05:00)16:02:48 Tue May 15 2007 udhcpd: sending ACK to 192.168.1.79
(GMT-05:00)16:02:48 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 1000 daddy-macs-imac
(GMT-05:00)16:03:04 Tue May 15 2007 udhcpd: SENDING ACK to daddy-macs-imac
(GMT-05:00)16:03:04 Tue May 15 2007 udhcpd: sending ACK to 192.168.1.79
(GMT-05:00)16:03:04 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 1000 daddy-macs-imac
(GMT-05:00)16:03:27 Tue May 15 2007 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)16:03:27 Tue May 15 2007 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: HOST_UNIQ successful match
(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: HOST_UNIQ successful match
(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: Got connection: 1f09
(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: Saved Session ID: 0
(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: Connecting PPPoE socket: 00:90:1a:a0:57:82 1f09 br0 0x1000d538
(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: Using interface ppp0
(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: Connect: ppp0 -> br0
(GMT-05:00)16:04:10 Tue May 15 2007 pppd[262]: MRU: 1500
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read start 192.168.1.75
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read end 192.168.1.80
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read interface br0
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt router 192.168.1.1
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt domain dslhighway
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt dns 192.168.1.1 192.168.1.1 38.8.82.2
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt subnet 255.255.255.0
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt renew 20
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read opt lease 1000
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read conflict_time 1000
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: read lease_file /var/tmp/landhcps0.leases
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: local IP address 72.66.59.80
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: remote IP address 10.1.48.1
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: primary DNS address 71.252.0.12
(GMT-05:00)16:04:11 Tue May 15 2007 pppd[262]: secondary DNS address 71.242.0.12
(GMT-05:00)16:04:11 Tue May 15 2007 syslog: config.name_server[0]=71.252.0.12
(GMT-05:00)16:04:14 Tue May 15 2007 logic: got wan ip launch stunnel
(GMT-05:00)16:04:14 Tue May 15 2007 logic: launch stunnel 1, 0
(GMT-05:00)16:04:14 Tue May 15 2007 udhcpd: Received SIGTERM
(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: ADD 00:1f:f3:52:b9:39 192.168.1.75 830 unknownpc1
(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.76 852 daddy-macs-imac
(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: ADD 00:1e:c2:32:d5:4e 192.168.1.77 830 unknownpc1
(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: ADD 00:1f:5b:b6:e8:16 192.168.1.78 862 unknownpc1
(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: ADD 00:1e:52:86:be:17 192.168.1.79 930 daddy-macs-imac
(GMT-05:00)16:04:15 Tue May 15 2007 udhcpd: interface: br0, start : 4b01a8c0 end : 5001a8c0
(GMT-05:00)16:04:18 Tue May 15 2007 logic: stunnel message type 1
(GMT-05:00)16:04:18 Tue May 15 2007 logic: stunnel report start,stunnel2,517
(GMT-05:00)16:04:20 Tue May 15 2007 logic: tr-69-client exist, do not restart it
(GMT-05:00)23:32:56 Wed Jun 18 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)23:32:57 Wed Jun 18 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)23:33:19 Wed Jun 18 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)23:33:19 Wed Jun 18 2008 pc: act_hnm not exist, restart it
(GMT-05:00)23:33:20 Wed Jun 18 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)23:33:21 Wed Jun 18 2008 logic: fw_trans_query kp.key = report_all_clients_act0
(GMT-05:00)23:33:22 Wed Jun 18 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)23:33:22 Wed Jun 18 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)23:33:22 Wed Jun 18 2008 syslog: failed dns request len=71,srcip=192.168.1.1, url=79.1.168.192.in-addr.arpa
(GMT-05:00)23:34:28 Wed Jun 18 2008 syslog: No response for DNS request to server 71.252.0.12 yet.
(GMT-05:00)23:34:30 Wed Jun 18 2008 syslog: No response for DNS request to server 71.242.0.12 yet.
(GMT-05:00)23:34:30 Wed Jun 18 2008 syslog: All DNS servers tried, no response.
(GMT-05:00)23:34:30 Wed Jun 18 2008 syslog: failed dns request len=71,srcip=192.168.1.1, url=79.1.168.192.in-addr.arpa
(GMT-05:00)23:35:41 Wed Jun 18 2008 stunnel[587]: remote connect #2 (192.168.0.1:443): Connection timed out (145)
(GMT-05:00)23:35:41 Wed Jun 18 2008 stunnel[587]: Failed to initialize remote connection
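The one item in that router log a reader might actually want to chase is the DHCP lease table: which MAC got which address, under what hostname. The following is an added example (not code from the thread or from the modem vendor) that parses the BusyBox udhcpd "ADD" lines from a constructed sample in the same format and flags MACs that are not in a local inventory, carry a generic or missing hostname, or hold several addresses. The inventory set and all MACs and hostnames in the sample are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the BusyBox/udhcpd syslog format used by the modem log above.
# MACs and hostnames are invented; this is not the thread's log.
SAMPLE_LOG = """\
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: udhcp server (v0.9.7) started
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:11:22:33:44:55 192.168.1.75 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:11:22:33:44:66 192.168.1.76 1000 unknownpc1
(GMT-05:00)16:01:24 Tue May 15 2007 udhcpd: ADD 00:11:22:33:44:66 192.168.1.78 1000 unknownpc1
(GMT-05:00)16:01:42 Tue May 15 2007 udhcpd: ADD 00:aa:bb:cc:dd:ee 192.168.1.76 60 my-imac
(GMT-05:00)16:01:55 Tue May 15 2007 udhcpd: ADD 00:11:22:33:44:66 192.168.1.78 60 unknown
(GMT-05:00)16:01:56 Tue May 15 2007 udhcpd: ADD 00:11:22:33:44:66 192.168.1.78 1000
(GMT-05:00)16:02:08 Tue May 15 2007 udhcpd: ADD 00:aa:bb:cc:dd:ee 192.168.1.79 1000 my-imac
"""

# "udhcpd: ADD <mac> <ip> <lease-seconds> [<hostname>]"; the hostname is absent when the
# client sent none (udhcpd then prints nothing after the lease time).
ADD_RE = re.compile(
    r"udhcpd: ADD (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<lease>\d+)(?: (?P<host>\S+))?$"
)


def parse_leases(text):
    """Return a list of (mac, ip, lease_seconds, hostname_or_None) for every ADD line."""
    leases = []
    for line in text.splitlines():
        m = ADD_RE.search(line.rstrip())
        if m:
            leases.append((m.group("mac").lower(), m.group("ip"),
                           int(m.group("lease")), m.group("host")))
    return leases


def audit_leases(leases, known_macs=frozenset()):
    """Group leases per MAC and return [(mac, [reasons])] for MACs worth a closer look.

    known_macs is the operator's own inventory (hypothetical here). A MAC holding several
    addresses is common after the DHCP server restarts (the log above shows udhcpd being
    SIGTERMed and restarted), so it is a prompt to check the device, not evidence by itself.
    """
    by_mac = defaultdict(lambda: {"ips": set(), "hosts": set()})
    for mac, ip, _lease, host in leases:
        by_mac[mac]["ips"].add(ip)
        by_mac[mac]["hosts"].add(host or "<none>")
    findings = []
    for mac, info in sorted(by_mac.items()):
        reasons = []
        if mac not in known_macs:
            reasons.append("MAC not in inventory")
        if len(info["ips"]) > 1:
            reasons.append("multiple IPs: " + ", ".join(sorted(info["ips"])))
        if any(h == "<none>" or h.startswith("unknown") for h in info["hosts"]):
            reasons.append("generic/missing hostname: " + ", ".join(sorted(info["hosts"])))
        if reasons:
            findings.append((mac, reasons))
    return findings


def ip_conflicts(leases):
    """Return {ip: {macs}} for addresses the server handed to more than one MAC."""
    macs_for_ip = defaultdict(set)
    for mac, ip, _lease, _host in leases:
        macs_for_ip[ip].add(mac)
    return {ip: macs for ip, macs in macs_for_ip.items() if len(macs) > 1}


if __name__ == "__main__":
    parsed = parse_leases(SAMPLE_LOG)
    for mac, reasons in audit_leases(parsed, known_macs={"00:aa:bb:cc:dd:ee"}):
        print(mac, "->", "; ".join(reasons))
    for ip, macs in ip_conflicts(parsed).items():
        print(ip, "was leased to", ", ".join(sorted(macs)))
```

Feed it the real log (for example `parse_leases(open("router.log").read())`) and compare the flagged MACs against the devices you actually own; the OUI prefix of a MAC identifies the network card vendor and is usually enough to match a MAC to a known box.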
 
No offense or anything, but at this point it seems like much ado about nothing. I don't see anything that's out of the ordinary here in this entire thread...maybe that "unknownpc" in your router log, but other than that it looks like the status quo to me. :confused:
 
I also continually notice that CUPSD is "listening" on a port... why? My printer is connected directly to my MAC and I am not running a network.
CUPS manages all printers, local and networked.

CUPS also runs a website on port 631. You can access the CUPS setup page by opening a browser and pointing it to http://127.0.0.1:631 or http://localhost:631.

If you're seeing listening happening on port 631, that's why, and it's normal.
 
Let me be more clear, when msdosfs.kext loads, nothing is happening that would require the mac to "understand" a non mac file format. No disc is inserted, no usb drive attached, just the hard disc humming away doing its dance with RAM.
 
Most every app on a Unix-based system listens to ports (you'll also find this in Windows as well). Some are local, some are not. Just type "netstat" on the command shell of any Windows or UNIX-like system and you'll see all the ports that are being used. CUPS is always listening at that port since it is a server daemon running in the background, as most other processes on Unix tend to be. Again, I still fail to see what the major problem (other than that "unknownpc" in your router log) is even after reading through this whole thread and the logs more than once.
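The two replies above (the CUPS setup page on port 631, and "just type netstat" to see what is listening) come down to one check: is cupsd bound to the loopback address only, so the page is reachable from the Mac itself, or to every interface. This added example (mine, not code from the thread or from the CUPS project) parses the `netstat -an` output format Mac OS X prints, where address and port are joined by a dot, from a constructed sample and reports the scope of each listening port; the sample lines are invented.

```python
import ipaddress

# Constructed sample in the `netstat -an` format printed on Mac OS X (address and port are
# joined with a dot, "*" means the wildcard address). Not captured from the thread's machines.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.79.49152     72.66.59.80.443        ESTABLISHED
udp4       0      0  *.5353                 *.*
udp4       0      0  *.68                   *.*
"""

CUPS_PORT = 631


def split_addr(field):
    """Split netstat's 'host.port' into (host, port). Port '*' is returned as None."""
    host, port = field.rsplit(".", 1)
    return host, (None if port == "*" else int(port))


def is_loopback(host):
    """True for 127.x, ::1 and friends; '*' (any address) is never loopback."""
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:
        return False


def listeners(text):
    """Return {port: {"proto": "tcp"|"udp", "scope": "loopback"|"external"}}.

    TCP sockets count only in LISTEN state; UDP has no state column, so a UDP socket
    counts when its foreign address is the wildcard. If any socket on a port is bound
    to a non-loopback address the port is reported as external, since that bind is the
    one other hosts can reach.
    """
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else None
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        if proto.startswith("udp") and foreign != "*.*":
            continue
        host, port = split_addr(local)
        entry = found.setdefault(port, {"proto": proto[:3], "scope": "loopback"})
        if not is_loopback(host):
            entry["scope"] = "external"
    return found


def cups_exposure(text):
    """'loopback', 'external' or 'closed' for the CUPS web interface port."""
    info = listeners(text).get(CUPS_PORT)
    return info["scope"] if info else "closed"


if __name__ == "__main__":
    # On a real Mac: python3 this_script.py < <(netstat -an)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for port, info in sorted(listeners(data).items()):
        print(f"{info['proto']}/{port}: {info['scope']}")
    print("CUPS:", cups_exposure(data))
```

A "loopback" result for 631 is the normal state the replies describe; "external" means printer sharing or a changed Listen directive has opened the port to the LAN and is worth confirming deliberately.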
 
Let me be more clear, when msdosfs.kext loads, nothing is happening that would require the mac to "understand" a non mac file format. No disc is inserted, no usb drive attached, just the hard disc humming away doing its dance with RAM.

It's possible that the Mac is probably preconfigured to load that kernel extension on boot time. The same thing is done in any GNU/Linux or BSD system so that it can read MS-DOS filesystems right from the get go. Otherwise, you would have to MANUALLY load the kernel extension or module each time. It's just sitting there idle until it's time to be used. Again, nothing out of the norm here.

BTW, in classic Mac OS you had Control Panels and Extensions that would load on startup in order to provide you the functionality you needed once at the desktop. One of these was an extension that would allow you to mount an MS-DOS disk or volume. Sure, it would sit there idle while not being used, but it was always enabled to allow you to use it when needed....otherwise, you would not be able to access those MS-DOS volumes.

Again, I think you're making more of this than is actually the case. Though I understand your frustration, the end is not nigh.
 
"CUPS also runs a website on port 631. You can access the CUPS setup page by opening a browser and pointing it to http://127.0.0.1:631 or http://localhost:631.

If you're seeing listening happening on port 631, that's why, and it's normal."

Are you just messing with me? I know that's normal. But the flipside is that CUPS can be manipulated to penetrate the system. Do you drink seven or eight gallons of the kool-Aid daily?
 
TURN OFF JAVA in Safari and visit sarialtn.com/test/pakdost.txt. Littlesnitch tells me all the time about this process or that who wnats to connect there. Also look under the hood at sarialtin.com.
 
Just one more post, then I'll drop it for today till I can get some screen shots.

Mac TX and I both have reported that the OS installer does not follow instructions for installation. When told NOT to install X11 and extra language packs, the installer ignores the custom options and installs those components anyway. Every. Single. Time.

I've repeated that on my iMac AND my MacBook. Different install media. Same results.

Educate me. I have an open mind.
 
"CUPS also runs a website on port 631. You can access the CUPS setup page by opening a browser and pointing it to http://127.0.0.1:631 or http://localhost:631.

If you're seeing listening happening on port 631, that's why, and it's normal."

Are you just messing with me? I know that's normal. But the flipside is that CUPS can be manipulated to penetrate the system. Do you drink seven or eight gallons of the kool-Aid daily?

Yes, but this is why there are things called security patches that are to be installed when they come out for said packages. There's never going to be a patch for a zero day exploit until there is one available, and nothing is ever going to be invulnerable forever. The best you can do is secure yourself through defense in depth.

If you don't patch your packages (whatever they may be), then you're asking to get owned. Seriously, there's only so much you can do. The only true secure computer is one that's disconnected, covered in 3 feet of concrete, and buried 6 feet under. :rolleyes:
 
"CUPS also runs a website on port 631. You can access the CUPS setup page by opening a browser and pointing it to http://127.0.0.1:631 or http://localhost:631.

If you're seeing listening happening on port 631, that's why, and it's normal."

Are you just messing with me? I know that's normal. But the flipside is that CUPS can be manipulated to penetrate the system. Do you drink seven or eight gallons of the kool-Aid daily?
My response was a direct response to something that NewMacUser-TX wrote, not you.

EVERYthing can be manipulated to penetrate the system. That doesn't mean that everything IS penetrating the system.
 