Is someone logging into my computer?
Professional Poster
Join Date: Jan 2001
Location: Salt Lake City, UT USA
Feb 24, 2006, 10:06 AM
 
About 1:45 last night, my computer woke abruptly from its sleep. It had been asleep for probably 15-20 minutes, as I had just barely gotten in bed and was reading.

I went to investigate, but found little. I like to think that my passwords are secure, but there's a chance that they aren't. I'm probably being a bit crazy here in assuming that someone could be logging onto my computer, or that someone would, but I'm not sure. I've noticed this kind of thing happen probably twice before, but I can't recall the particulars.


I know there are some UNIX scripts that run during the night, but I was under the impression that those wouldn't run if the computer is asleep.

Are there any logs I can read through to see what's been going on?
2008 iMac 3.06 Ghz, 2GB Memory, GeForce 8800, 500GB HD, SuperDrive
8gb iPhone on Tmobile
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Feb 24, 2006, 10:13 AM
 
The last command will list the last several logins.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
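Added example, not part of the thread: a small Python filter for `last` output that picks out logins from outside the LAN that began close to an unexplained wake. The sample output, user name, addresses and the 15-minute window are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the BSD/macOS `last` layout (not output from the thread).
SAMPLE_LAST = """\
alice      ttyp2    203.0.113.45     Fri Feb 24 01:44 - 01:52  (00:08)
alice      ttyp1    192.168.1.20     Thu Feb 23 21:10 - 21:35  (00:25)
alice      console                   Thu Feb 23 18:02   still logged in
reboot     ~                         Mon Feb 20 09:11

wtmp begins Mon Feb 20 09:11
"""

# The host column is empty for console logins, so anchor on the weekday instead
# of counting whitespace-separated fields.
LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)?\s*"
    r"(?P<start>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} [ \d]\d \d\d:\d\d)"
)
# Assumption: anything outside these ranges counts as "not my LAN".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_last(text, year):
    """Parse `last` output into session dicts; `last` prints no year, so pass it in."""
    sessions = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["user"] in ("reboot", "shutdown", "wtmp"):
            continue
        stamp = " ".join(m["start"].split()[1:])          # drop the weekday
        start = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M %Y")
        sessions.append({"user": m["user"], "tty": m["tty"],
                         "host": m["host"] or "", "start": start})
    return sessions


def is_remote(host):
    """True for a session whose source is not the console or a LAN address."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True        # a hostname cannot be classified here: review it
    return not any(ip in net for net in LOCAL_NETS)


def logins_near(sessions, wake, minutes=15):
    """Remote sessions that started within `minutes` of the unexplained wake."""
    window = timedelta(minutes=minutes)
    return [s for s in sessions
            if is_remote(s["host"]) and abs(s["start"] - wake) <= window]
```

An empty result only means the login records show nothing; as a later post in the thread notes, an intruder who cared to hide would replace `last` itself.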
     
Admin Emeritus
Join Date: Oct 1999
Location: Zurich, Switzerland
Feb 24, 2006, 10:23 AM
 
If the computer was asleep, then nobody could have logged in, because the network card is turned off. The one exception is if you have it set to "wake for ethernet network administrator access" in Energy Saver. Then, a special kind of packet can be used to wake the machine. But that can only be done on your local network, not through a router (AFAIK).

Most likely, a USB bug woke it up (e.g. a power brownout deep enough to cause your USB hub to reset, but that the Mac didn't care about). I've had that happen one or two times.

tooki
     
Banned
Join Date: Jun 2003
Feb 24, 2006, 12:10 PM
 
Wow...all the talk about trojans, viruses, and exploits has really gotten to some people on the forums.
     
Professional Poster
Join Date: Jan 2001
Location: Salt Lake City, UT USA
Feb 24, 2006, 02:26 PM
 
Originally Posted by tooki
If the computer was asleep, then nobody could have logged in, because the network card is turned off. The one exception is if you have it set to "wake for ethernet network administrator access" in Energy Saver. Then, a special kind of packet can be used to wake the machine. But that can only be done on your local network, not through a router (AFAIK).

Most likely, a USB bug woke it up (e.g. a power brownout deep enough to cause your USB hub to reset, but that the Mac didn't care about). I've had that happen one or two times.

tooki
That's encouraging. My network option to login from a different machine has been checked, but I didn't realize it couldn't be utilized from outside the local network...
2008 iMac 3.06 Ghz, 2GB Memory, GeForce 8800, 500GB HD, SuperDrive
8gb iPhone on Tmobile
     
Dedicated MacNNer
Join Date: Mar 2003
Feb 24, 2006, 06:05 PM
 
Note tooki's "as far as I know"; don't rely on that fact. When it comes to security, it can never hurt to be 'too' safe.
This signature is obsolete.
     
Mac Elite
Join Date: Nov 2001
Feb 25, 2006, 05:26 AM
 
Originally Posted by tooki
If the computer was asleep, then nobody could have logged in, because the network card is turned off. The one exception is if you have it set to "wake for ethernet network administrator access" in Energy Saver. Then, a special kind of packet can be used to wake the machine. But that can only be done on your local network, not through a router (AFAIK).

Most likely, a USB bug woke it up (e.g. a power brownout deep enough to cause your USB hub to reset, but that the Mac didn't care about). I've had that happen one or two times.

tooki
It's a UDP packet sent over port 80. It can be used from outside the LAN but the hacker would need the IP and the MAC address of the machine.

Sounds like a USB bug like Tooki says.
     
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Feb 25, 2006, 04:11 PM
 
I've had that happen and it was due to USB. If you're really paranoid run "last" in the Terminal (without the quotes).
     
Senior User
Join Date: Mar 1999
Location: Akron, OH
Feb 25, 2006, 04:28 PM
 
Don't rule out George Bush spying on you. You know he's to blame for everything....
Never argue with an idiot. They'll drag you down to their level and beat you with experience.
     
Admin Emeritus
Join Date: Oct 1999
Location: Zurich, Switzerland
Feb 25, 2006, 09:03 PM
 
Originally Posted by SirCastor
That's encouraging. My network option to login from a different machine has been checked, but I didn't realize it couldn't be utilized from outside the local network...
That's not quite what I said.

The "wake for network administrator access" "magic bullet" is entirely separate from what Sharing preferences you have. File sharing, SSH login, etc. most certainly can be accessed from outside your network -- but only if the machine is already awake and your router is explicitly configured to pass the necessary ports to that machine. (It won't happen by accident.) If someone tries to log in to a machine that is asleep, it will receive no response, because for all intents and purposes, the network card is turned off. While asleep, the only thing the network card will "see" is a "magic bullet" specifically addressed to it.

The "magic bullet" is very difficult to send from outside your network, unless you have explicitly configured your router, and somehow the intruder has gotten extra information.

tooki
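Added example, not part of tooki's post: the wake-up packet described above (usually called a Wake-on-LAN "magic packet") is six 0xFF bytes followed by the target's MAC address repeated 16 times, so captured traffic can be checked for it and for where it came from. The Python below is illustrative; the MAC, IP addresses and LAN range are constructed.

```python
import ipaddress

SYNC = b"\xff" * 6   # six 0xFF bytes open every magic packet


def find_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if the payload holds a
    Wake-on-LAN magic packet (SYNC + 16 copies of the MAC), else None."""
    i = payload.find(SYNC)
    while i != -1:
        mac = payload[i + 6:i + 12]
        if len(mac) == 6 and payload[i + 6:i + 102] == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        i = payload.find(SYNC, i + 1)   # SYNC may be preceded by stray 0xFF bytes
    return None


def audit(datagrams, my_mac, lan="192.168.1.0/24"):
    """Report every magic packet in (src_ip, dst_port, payload) tuples."""
    net = ipaddress.ip_network(lan)
    findings = []
    for src, dport, payload in datagrams:
        target = find_magic_packet(payload)
        if target is None:
            continue
        findings.append({
            "src": src, "dport": dport, "target": target,
            "for_this_host": target == my_mac.lower(),
            "from_lan": ipaddress.ip_address(src) in net,
        })
    return findings


# Constructed capture: MAC, addresses and payloads are made up for the example.
MY_MAC = "00:11:22:33:44:55"
MAC_BYTES = bytes.fromhex(MY_MAC.replace(":", ""))
CAPTURE = [
    ("192.168.1.10", 9, SYNC + MAC_BYTES * 16),             # wake-up sent from the LAN
    ("198.51.100.7", 9, b"\xff" + SYNC + MAC_BYTES * 16),   # same pattern, WAN source
    ("192.168.1.11", 53, b"\x12\x34" + b"\x00" * 30),       # ordinary traffic
    ("192.168.1.12", 7, SYNC + MAC_BYTES * 15),             # truncated: not valid
]
```

Running `audit(CAPTURE, MY_MAC)` reports two magic packets for this host, one of them from outside the LAN range, which is the case worth logging on a router that forwards ports.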
     
Professional Poster
Join Date: Jan 2001
Location: Salt Lake City, UT USA
Feb 25, 2006, 09:23 PM
 
My router is set up to forward a few ports to my machine. Namely ssh, ftp, and http. I do this so I can access my machine from school or other places if I need to. Obviously it's secure. The only way I can think about my login/pass being compromised is the school is using WEP rather than WPA, which means that the encryption can rather easily be cracked.

I'm going to guess that it was in fact just the USB bug. For the moment, I've turned off the "wake for network access".
I appreciate everyone's help.


BTW, I ran last, and I didn't see anything unusual.
2008 iMac 3.06 Ghz, 2GB Memory, GeForce 8800, 500GB HD, SuperDrive
8gb iPhone on Tmobile
     
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Feb 25, 2006, 09:31 PM
 
Is there a tutorial on the magic bullet? I'm always trying to access my machine and am disappointed when it is sleeping. At the same time, I don't do it often enough to justify the electricity of not having it sleep after a reasonable amount of inactivity.
kman
     
Baninated
Join Date: Oct 2002
Location: In yer threads
Feb 25, 2006, 11:34 PM
 
Originally Posted by Chito
Don't rule out George Bush spying on you. You know he's to blame for everything....
     
Professional Poster
Join Date: Jan 2001
Location: Salt Lake City, UT USA
Feb 25, 2006, 11:46 PM
 
from SNL's 3rd Presidential debate:

Mr. Vice-President, as an undecided neutral voter, not committed to either candidate, trying to make up my mind - I'm wondering about Governor Bush's risky tax scheme to steal the trillion dollar surplus from Social Security and Medicare, wasting it on a tax cut for the rich, and taking us back to those awful times when his father nearly brought our economy to its knees, and caused AIDS and homelessness. Tell me, how would your plan differ, so I can decide which one of you to vote for?
2008 iMac 3.06 Ghz, 2GB Memory, GeForce 8800, 500GB HD, SuperDrive
8gb iPhone on Tmobile
     
Professional Poster
Join Date: Apr 2001
Location: Long Beach, CA
Feb 27, 2006, 01:23 AM
 
Originally Posted by SirCastor
Power Mac G4 400 AGP/896 RAM/Radeon 8500 (64MB)/120 GB/Pioneer DVR-109/Mac OS X 10.4.5
PowerBook G4 867 12"/256 RAM/40 GB/Combo Drive/ Mac OS X 10.4.4
iPod Photo 20 Gig
"It's not the fastest crayon in the box"

Why on earth do you have a G4 PowerBook with only 256MB of RAM??? That's barely enough to boot the thing.

ACSA 10.4/10.3, ACTC 10.3, ACHDS 10.3
     
Professional Poster
Join Date: Jan 2001
Location: Salt Lake City, UT USA
Feb 27, 2006, 01:35 AM
 
Originally Posted by Detrius
Why on earth do you have a G4 PowerBook with only 256MB of RAM??? That's barely enough to boot the thing.
I'm computer-sitting for a friend over the course of the next year. Although having more RAM would definitely be a benefit, I've used it with Illustrator and Photoshop quite effectively. Investing more cash into it at this point is not my top priority (I intend to upgrade the processor in my tower first), and since it's not permanently mine, it has less priority. It's not my primary machine. If I run into a spare $100, I'll upgrade it.
2008 iMac 3.06 Ghz, 2GB Memory, GeForce 8800, 500GB HD, SuperDrive
8gb iPhone on Tmobile
     
Baninated
Join Date: Oct 2002
Location: In yer threads
Feb 27, 2006, 06:33 AM
 
Originally Posted by SirCastor
from SNL's 3rd Presidential debate:
Sounds like the PL.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 27, 2006, 08:07 AM
 
It is difficult to get through a NAT router to do anything, whether you're the rightful owner of the thing or not. That's on purpose, because NAT hides the LAN side of the network from the WAN side to allow multiple computers to share a single IP -- and a number of broadband ISPs initially made it a violation of their user agreements to put more than one computer on the connection. The NAT router (being itself a tiny computer) gets around that, and makes use of the single ISP-provided IP address for as many computers as you want.

Now, in order to get through this NAT router, you not only need to know the LAN address of the target computer, you need to know the router's particular port-mangling scheme. In order to share the connection, the NAT function translates (as in Network Address Translation) the port portion of each packet's address to uniquely identify each computer on the LAN and still send and receive all the traffic as if it were from one computer. That means that one computer's port 80 traffic may show up as port 3480 and another's on the LAN may be on 298. Typically the router uses some randomness to keep the translation un-obvious.

The typical way to intentionally get traffic through a router to a computer is to either put the computer in a DMZ, or to forward the required ports to that computer's LAN IP (both of which require a fixed LAN IP).

Finally, put your computer on a UPS and you'll KNOW that it won't wake up from a power dip or surge -- and it'll be safer from just about all other electrical problems as well.
Glenn -----
OTR/L, MOT, Tx
     
Professional Poster
Join Date: Dec 2000
Location: Staffs, UK
Feb 27, 2006, 09:40 AM
 
If you're worried, simplest solution is to change the passwords on your machine. Click on the little key icon in the password sheet of the Accounts pref, and you'll get some help creating really secure passwords....
     
Mac Elite
Join Date: Oct 2004
Location: Downtown Austin, TX
Feb 28, 2006, 12:32 AM
 
Originally Posted by SirCastor
My router is set up to forward a few ports to my machine. Namely ssh, ftp, and http. I do this so I can access my machine from school or other places if I need to. Obviously it's secure. The only way I can think about my login/pass being compromised is the school is using WEP rather than WPA, which means that the encryption can rather easily be cracked.

I'm going to guess that it was in fact just the USB bug. For the moment, I've turned off the "wake for network access".
I appreciate everyone's help.


BTW, I ran last, and I didn't see anything unusual.
Just remember that new exploits for Apache and OpenSSH etc are found often, and even if there are no security holes in the versions you are running, a good cracker can learn to look for and punch new ones.

Also keep in mind that unless it was a script kiddie, the attacker would have done a few things to hide his/her existence on your machine. This would include replacing "last" with one of his own.

However, skilled malicious attackers rarely target the average consumer unless they've got a good reason to. If you're finding suspicious activity on your machine, it's almost certainly an automated script sweeping a range of IPs looking to compromise a box to use as a torrent/warez server.
     
Fresh-Faced Recruit
Join Date: Feb 2006
Location: Japan
Feb 28, 2006, 11:51 AM
 
Do a lock screen as well just to be sure.
Celestine Collins, Realising Doodles | MacTopsuit | http://www.celestinecollins.com/
     
Professional Poster
Join Date: Jan 2001
Location: Salt Lake City, UT USA
Feb 28, 2006, 12:24 PM
 
Originally Posted by jamil5454
Just remember that new exploits for Apache and OpenSSH etc are found often, and even if there are no security holes in the versions you are running, a good cracker can learn to look for and punch new ones.

Also keep in mind that unless it was a script kiddie, the attacker would have done a few things to hide his/her existence on your machine. This would include replacing "last" with one of his own.

However, skilled malicious attackers rarely target the average consumer unless they've got a good reason to. If you're finding suspicious activity on your machine, it's almost certainly an automated script sweeping a range of IPs looking to compromise a box to use as a torrent/warez server.
That's the thing about it. I doubt anyone would come after my machine. There's nothing critical on my machine that anyone would want. Not that I can think of anyway. No suspicious activity that I'm seeing. My computer's running smoothly, and I don't see any decline in performance or anything.

I consider myself an advanced user, but when it comes to the UNIX side of things, I'm a little bit further than a beginner.
2008 iMac 3.06 Ghz, 2GB Memory, GeForce 8800, 500GB HD, SuperDrive
8gb iPhone on Tmobile
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 28, 2006, 06:48 PM
 
Originally Posted by SirCastor
That's the thing about it. I doubt anyone would come after my machine. There's nothing critical on my machine that anyone would want. Not that I can think of anyway. No suspicious activity that I'm seeing. My computer's running smoothly, and I don't see any decline in performance or anything.

I consider myself an advanced user, but when it comes to the UNIX side of things, I'm a little bit further than a beginner.
If things are running fine and there's no suspicious activity, I'd go get an UPS and stop worrying about bad guys.

Most of the time "bad" external access will happen rather noticeably -- your computer will be noticeably slower when another user is accessing it. You'll also see network activity that doesn't make sense, like your broadband modem passing plenty of traffic when you're not doing anything to warrant it.

And rather unsurprisingly, a lot of truly malicious hackers are in different timezones from most of the rest of us, so leaving your computer on and awake all night is pretty much a Bad Thing™ in terms of noticing suspicious behavior. Turn off "wake on LAN" functions and put your machine to sleep when you're not using it, and you'll prevent this sort of intrusion from ever happening.

A sophisticated user starts out as one who knows what his computer is supposed to do, and does not ignore oddness. It sounds like you are indeed suspicious, but concerned.
Glenn -----
OTR/L, MOT, Tx
     
Mac Enthusiast
Join Date: Dec 2000
Mar 1, 2006, 02:44 AM
 
Interesting side related note, I found out my computer (iMac DV) would wake up when I turned off my bedside light (both are in my bedroom). So ignoring hackers/the paranormal it could be explained by an appliance in your house/apartment/whatever turning off/on.

As far as I know, unless you have wake-on-LAN turned on, your computer will not wake unless you hit a button on your keyboard; it is impossible to awaken otherwise.


My name's ...uh... it's a bummer man.
     
Junior Member
Join Date: Nov 2005
Location: Montreal, Canada
Mar 2, 2006, 12:56 PM
 
It's a good idea to have a network monitor running at all times so you know what sort of traffic flow is going in and out.
My roommate, for instance, was at his computer one day and had nothing running, but a few KB/s of data was going in and out. After a minute of investigating, he found that it was an automated machine trying to brute-force its way into his computer.

I can't remember the name of mine, but I've got one that sits in the menu bar and just displays the data flow going in and going out.

That way, if your computer wakes up, you can watch a network monitor and see if there's data going in and out when there shouldn't be (I'm assuming here that when it wakes up, there aren't programs running that would already be sending/receiving data, because then you won't know if it's your app or someone else or what).
     
   