Being Hacked? Spyware? or Worse?
Mac Enthusiast (Join Date: Jan 2001; Location: Toronto, Canada.)
I recently installed Norton Personal Firewall, and have it open looking at the incoming and outgoing logs, and there is a lot of suspicious activity going on that I didn't know about before.
The only apps I have open right now are Safari, ShowDesktop, Norton AntiVirus 9, and Norton Personal Firewall. Here is a section from when I set it to view the blocked outgoing connections. I have cleared the log a few times; there were many more attempts not shown below on seemingly random and weird ports.
In addition, I noticed the eDonkey/Overnet/BitTorrent ports having incoming/outgoing activity, but I don't have anything open.
Some blocked outgoing:
---
08/20/2003 00:09:16 -0400 Denied Outgoing 80.50.121.140 Unknown 3348 TCP Custom si140.neoplus.adsl.tpnet.pl
08/20/2003 00:09:07 -0400 Denied Outgoing 80.50.121.140 Unknown 3348 TCP Custom si140.neoplus.adsl.tpnet.pl
08/20/2003 00:08:35 -0400 Denied Outgoing 80.37.93.85 Unknown 1980 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:08:31 -0400 Denied Outgoing 80.50.121.140 Unknown 4847 TCP Custom si140.neoplus.adsl.tpnet.pl
08/20/2003 00:08:29 -0400 Denied Outgoing 80.37.93.85 Unknown 1980 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:08:26 -0400 Denied Outgoing 80.37.93.85 Unknown 1980 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:08:23 -0400 Denied Outgoing 80.50.121.140 Unknown 4847 TCP Custom si140.neoplus.adsl.tpnet.pl
08/20/2003 00:08:05 -0400 Denied Outgoing 239.255.255.253 Service Location (SLP) 427 UDP Custom 239.255.255.253
08/20/2003 00:07:51 -0400 Denied Outgoing 80.37.93.85 Unknown 1716 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:07:45 -0400 Denied Outgoing 80.37.93.85 Unknown 1716 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:07:43 -0400 Denied Outgoing 80.37.93.85 Unknown 1716 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:07:42 -0400 Denied Outgoing 217.81.102.80 Unknown 56329 TCP Custom pD9516650.dip.t-dialin.net
08/20/2003 00:07:13 -0400 Denied Outgoing 217.81.102.80 Unknown 56329 TCP Custom pD9516650.dip.t-dialin.net
08/20/2003 00:07:08 -0400 Denied Outgoing 80.37.93.85 prm-sm-np 1402 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:07:01 -0400 Denied Outgoing 217.81.102.80 Unknown 56329 TCP Custom pD9516650.dip.t-dialin.net
08/20/2003 00:06:57 -0400 Denied Outgoing 80.37.93.85 prm-sm-np 1402 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:05:17 -0400 Denied Outgoing 80.178.100.203 Unknown 4127 TCP Custom 80.178.100.203.forward.012.net.il
08/20/2003 00:04:33 -0400 Denied Outgoing 80.178.100.203 Unknown 3964 TCP Custom 80.178.100.203.forward.012.net.il
08/20/2003 00:03:59 -0400 Denied Outgoing 80.178.100.203 Unknown 3798 TCP Custom 80.178.100.203.forward.012.net.il
08/20/2003 00:03:52 -0400 Denied Outgoing 80.178.100.203 Unknown 3798 TCP Custom 80.178.100.203.forward.012.net.il
08/20/2003 00:03:52 -0400 Denied Outgoing 195.29.80.38 Unknown 2214 TCP Custom LASO.net.hinet.hr
08/20/2003 00:03:46 -0400 Denied Outgoing 195.29.80.38 Unknown 2214 TCP Custom LASO.net.hinet.hr
---
Mac Enthusiast (Join Date: Jan 2001; Location: Toronto, Canada.)
Via the Diablotin prefpane, I turned off some things that were on in startup items: SendMail, Qmaster, LDAP. Now the outgoing traffic noted above seems to have disappeared. Was it related to one of those services, or is one of them not what it seems to be?
Now, the outgoing seems to be UDP traffic:
Rendezvous (port 5353) to some IP - should I allow this?
I also received an incoming attempt from my own IP.
SLP traffic - anyone have a clue why? I also run Timbuktu, if that might be it.
Also some really high ports seem to be doing something now: 40960.
Norton also reports that port 10 has just closed when I first start up (don't know why it would be open).
Can someone help me with some info?
Fresh-Faced Recruit (Join Date: Apr 2002; Location: Los Angeles, CA)
You seem to have partially self-diagnosed the problem. The denied outgoing traffic was probably related to startup items working in the background, though I can't be sure since I don't have any of those utilities installed on my computer.
However, the SLP and Rendezvous traffic I can explain. SLP is the predecessor to Rendezvous that is used to locate other services on the network. Norton Personal Firewall blocks this traffic as part of its Stealth Mode feature. If you have logging for Stealth mode enabled, you'll see a lot of this traffic, as SLP is quite a chatty protocol.
The Rendezvous traffic is also normal. It is not blocked by Norton Personal Firewall by default, but using the "Enable Stealth mode for Rendezvous" feature, you can block this traffic to totally hide your Mac on the network. If you are unfamiliar with Rendezvous, it is a way of finding what services are running on your network (e.g. finding which printers are shared, which computers are running FTP servers, etc.). The address you are seeing (224.0.0.x) is the "multicast" address which is used by Rendezvous to make announcements to the rest of the computers on your network. Because of how multicast works (it sends a message to all computers on the network, including your own) it's normal to receive traffic from your own IP address using the Rendezvous port.
If you have a home network setup, you may want to leave Rendezvous enabled, but if you only have one computer and are connected directly to a DSL or cable modem, you can "stealth" Rendezvous traffic using Norton Personal Firewall's Enable Stealth mode for Rendezvous feature.
As for the ports being opened, I can't really help you without knowing more. I'm assuming that an AutoSetup alert is coming up. If so, does it tell you what program is opening or closing the ports? Sometimes a program opens and closes a port so fast that AutoSetup can't give you the program name. If that's the case, we'll need to do something else to verify what's going on here. For port 10, it's very interesting that anybody would be opening or closing that port; it's a very old Unix port number that isn't even registered to anybody anymore. The high ports can be used by any program (they're not registered to any specific person) and it's common to see programs open and close these ports occasionally (but don't worry, Personal Firewall still blocks them).
(Yes, I do work for Symantec, but the views expressed here do not reflect those of Symantec or its employees. So there.)
-- Ryan
---- Ryan
sig > /dev/null
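As an added example (not code from any poster in this thread), the script below parses the log format pasted in the first post and applies the reasoning from Ryan's reply: it separates the multicast discovery traffic he describes (SLP to 239.255.255.253 on UDP 427, Rendezvous/mDNS on UDP 5353) and packets from private addresses from denied connections to unicast Internet hosts, then tallies those by peer so you can see which remote hosts account for the volume before running them through whois. The sample input is the 22 lines from the first post plus two constructed lines that exercise the other branches; the 224.0.0.251 group address for mDNS is my assumption (Ryan only wrote 224.0.0.x), and the 192.168.1.10 address is a stand-in for the poster's own IP.

```python
import ipaddress
import re
from collections import Counter

# One Norton Personal Firewall log line, in the layout pasted in the first post:
#   date time tz action direction remote_ip service port proto rule hostname
# "service" may contain spaces ("Service Location (SLP)"), so it is matched
# non-greedily and bounded by the numeric port field after it.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<tz>[+-]\d{4}) "
    r"(?P<action>Denied|Allowed) (?P<direction>Incoming|Outgoing) "
    r"(?P<ip>\S+) (?P<service>.+?) (?P<port>\d+) (?P<proto>TCP|UDP) "
    r"(?P<rule>\S+) (?P<host>\S+)$"
)

# Multicast discovery endpoints. Ports 427 and 5353 appear in the thread; the
# 224.0.0.251 group address is an assumption (Ryan only wrote 224.0.0.x).
DISCOVERY = {
    ("239.255.255.253", 427, "UDP"): "SLP",
    ("224.0.0.251", 5353, "UDP"): "Rendezvous/mDNS",
}

# Sample input: the 22 denied-outgoing lines from the first post, followed by
# two constructed lines (an mDNS datagram to the multicast group, and an
# incoming packet from a private address standing in for "my own IP").
SAMPLE = """\
08/20/2003 00:09:16 -0400 Denied Outgoing 80.50.121.140 Unknown 3348 TCP Custom si140.neoplus.adsl.tpnet.pl
08/20/2003 00:09:07 -0400 Denied Outgoing 80.50.121.140 Unknown 3348 TCP Custom si140.neoplus.adsl.tpnet.pl
08/20/2003 00:08:35 -0400 Denied Outgoing 80.37.93.85 Unknown 1980 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:08:31 -0400 Denied Outgoing 80.50.121.140 Unknown 4847 TCP Custom si140.neoplus.adsl.tpnet.pl
08/20/2003 00:08:29 -0400 Denied Outgoing 80.37.93.85 Unknown 1980 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:08:26 -0400 Denied Outgoing 80.37.93.85 Unknown 1980 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:08:23 -0400 Denied Outgoing 80.50.121.140 Unknown 4847 TCP Custom si140.neoplus.adsl.tpnet.pl
08/20/2003 00:08:05 -0400 Denied Outgoing 239.255.255.253 Service Location (SLP) 427 UDP Custom 239.255.255.253
08/20/2003 00:07:51 -0400 Denied Outgoing 80.37.93.85 Unknown 1716 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:07:45 -0400 Denied Outgoing 80.37.93.85 Unknown 1716 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:07:43 -0400 Denied Outgoing 80.37.93.85 Unknown 1716 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:07:42 -0400 Denied Outgoing 217.81.102.80 Unknown 56329 TCP Custom pD9516650.dip.t-dialin.net
08/20/2003 00:07:13 -0400 Denied Outgoing 217.81.102.80 Unknown 56329 TCP Custom pD9516650.dip.t-dialin.net
08/20/2003 00:07:08 -0400 Denied Outgoing 80.37.93.85 prm-sm-np 1402 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:07:01 -0400 Denied Outgoing 217.81.102.80 Unknown 56329 TCP Custom pD9516650.dip.t-dialin.net
08/20/2003 00:06:57 -0400 Denied Outgoing 80.37.93.85 prm-sm-np 1402 TCP Custom 85.Red-80-37-93.pooles.rima-tde.net
08/20/2003 00:05:17 -0400 Denied Outgoing 80.178.100.203 Unknown 4127 TCP Custom 80.178.100.203.forward.012.net.il
08/20/2003 00:04:33 -0400 Denied Outgoing 80.178.100.203 Unknown 3964 TCP Custom 80.178.100.203.forward.012.net.il
08/20/2003 00:03:59 -0400 Denied Outgoing 80.178.100.203 Unknown 3798 TCP Custom 80.178.100.203.forward.012.net.il
08/20/2003 00:03:52 -0400 Denied Outgoing 80.178.100.203 Unknown 3798 TCP Custom 80.178.100.203.forward.012.net.il
08/20/2003 00:03:52 -0400 Denied Outgoing 195.29.80.38 Unknown 2214 TCP Custom LASO.net.hinet.hr
08/20/2003 00:03:46 -0400 Denied Outgoing 195.29.80.38 Unknown 2214 TCP Custom LASO.net.hinet.hr
08/20/2003 00:02:00 -0400 Denied Outgoing 224.0.0.251 Unknown 5353 UDP Custom 224.0.0.251
08/20/2003 00:01:00 -0400 Denied Incoming 192.168.1.10 Unknown 5353 UDP Custom 192.168.1.10
"""


def parse_line(line):
    """Return a dict of fields, or None if the line is not in the log format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify(rec):
    """Bucket a record as discovery noise, other multicast, local, or internet."""
    key = (rec["ip"], rec["port"], rec["proto"])
    if key in DISCOVERY:
        return "discovery:" + DISCOVERY[key]
    addr = ipaddress.ip_address(rec["ip"])
    if addr.is_multicast:
        return "multicast:other"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "local"
    return "internet"


def triage(log_text):
    """Split denied lines into (noise, internet) Counters keyed by (class, direction, ip, host, port, proto)."""
    noise, internet = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Denied":
            continue
        bucket = classify(rec)
        key = (bucket, rec["direction"], rec["ip"], rec["host"], rec["port"], rec["proto"])
        (internet if bucket == "internet" else noise)[key] += 1
    return noise, internet


def top_peers(log_text):
    """Internet peers as (ip, host, count), most denied connections first."""
    _, internet = triage(log_text)
    per_peer = Counter()
    for (_, _, ip, host, _, _), n in internet.items():
        per_peer[(ip, host)] += n
    return sorted(((ip, host, n) for (ip, host), n in per_peer.items()),
                  key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    for ip, host, n in top_peers(SAMPLE):
        print(f"{n:3d}  {ip:16s} {host}")
```

Run it with the log pasted into SAMPLE (or read from a file) and the multicast and private-address lines drop out of the peer list, leaving the five public hosts. Note what the classification does not tell you: a denied outgoing connection to a public address only shows that some local process tried to reach it, not which process. On Mac OS X, `lsof -i -P -n` run while the attempts are occurring will name the owning process, which answers the "SendMail, Qmaster or LDAP?" question more reliably than disabling startup items one at a time.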
Senior User (Join Date: Jul 2003; Location: Asia)
Hi,
Running si140.neoplus.adsl.tpnet.pl (80.50.121.140) through the SmartWhois at
http://www.all-nettools.com/
shows an ISP in Poland:
SmartWhois si140.neoplus.adsl.tpnet.pl (80.50.121.140)
80.48.0.0 - 80.55.255.255
Polish Telecom
PROVIDER
So unless you know someone in Poland, I WOULD indeed be concerned about being hacked.
best wishes,
rich (pismo g3 500)
Dedicated MacNNer (Join Date: Feb 2003; Location: Mt. Ararat, chillin' with Noah in the Ark's broken hull.)
When I have FTP or Web Sharing turned on, it is very common to get access attempts from OCONUS (outside the continental US) IP addresses. Guess some Polish folks are just pinging you to see what's open.
All-seeing and all-knowing since 2000 B.C.
|
| |
|
|
|
 |
 |
|
 |
|
|
|
|
|

|
|
 |
Forum Rules
|
 |
 |
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
 |
 |
 |
 |
|
 |
|