trojan? hacked? huh?
Fresh-Faced Recruit
Join Date: Apr 2005
Please help.
I have a G4 with OS 10.3.8 and a cable modem that's connected to my ethernet port.
A week or so ago, the activity light on my modem started blinking all the time. Usually, it only blinks when I'm using the connection with Firefox, Mail or what have you. I thought, "something's going on that I don't know about."
I have the OSX firewall up with no communication allowed to any services or ports. I run Norton AntiVirus. I run Allume's SpyAlert and NetBlockade (for outgoing traffic, keeps all the apps from phoning home). I require an administrator's password to install programs. And I keep reading how there are no Mac viruses, no Mac spyware, OSX is incredibly secure, etc, etc..
But I have a suspicious mind, and the little blinking light kept nagging me.
First I tried the Activity Monitor, to see if I could identify something that wasn't supposed to be there. I called a friend who knows more than I do and read the list of processes. He said they all sounded like they should be there. (he's a Mac guy)
Then I wanted to find out how to listen to my ethernet port and discovered Terminal and tcpdump and hit a learning curve like cliff. Ouch.
In the tcpdumps that I've run, there were lots and lots of ARP who-has...tell somedestination lines. A lot of the somedestinations were the address listed in my Network preferences as "router". Now, I don't have a router here, so I'm guessing this is the router I'm connected to at my ISP. Some somedestinations were an address that's "near" my own, but not exactly.
And sometimes there's an ARP statement asking for an address, and then another one a bit later that seems to be talking about the same address. Like this:
15:20:39.298479 arp who-has 68-234-107-186.chvlva.adelphia.net tell 68-234-104-1-gate.chvlva.adelphia.net
...
15:20:40.178948 (tos 0x0, ttl 251, length: 223) nscache1.chvlva.adelphia.net.domain > 69-172-50-80.chvlva.adelphia.net.49355: [udp sum ok] 15567 1/3/3 186.107.234.68.in-addr.arpa. PTR 68-234-107-186.chvlva.adelphia.net. (195) (DF)
OR
15:22:02.635948 (tos 0x0, ttl 64, length: 72) 69-172-50-80.chvlva.adelphia.net.49560 > nscache1.chvlva.adelphia.net.domain: [udp sum ok] 65182+ PTR? 112.61.172.69.in-addr.arpa. (44)
...
15:22:02.676532 (tos 0x0, ttl 251, length: 221) nscache1.chvlva.adelphia.net.domain > 69-172-50-80.chvlva.adelphia.net.49560: [udp sum ok] 65182 1/3/3 112.61.172.69.in-addr.arpa. PTR 69-172-61-112.chvlva.adelphia.net. (193) (DF)
If it doesn't get an answer to its who-has request about a certain address, it'll ask again and again every second or so.
But I don't know what any of this means.
I talked with my friend who knows something, and he said that sometimes cable companies configure everything so that your modem can "see" other stuff that's going on in your part of their network. OK...so I called my cable company and asked and he said "oh, no...never". He listened to my modem with his company machine and said that there was a good deal of suspicious UDP traffic on ports 135-139 (I only have the vaguest idea of what this means) that he would say is spyware. "But, there is no Mac spyware," quoting the tribal position. "Well...but there's something."
So now, I am prostrating myself. My ignorance knows no bounds.
I don't want to be a contributor to the malware problems of the internet. I don't want to reformat my hard drives. I have tried and failed to locate an out-of-place process (using Peek-a-Boo). I dumped all my caches and .plist files and tmp files and cleared the java cache. The light is still blinking.
Maybe they sent a modem update that changed things so that I can "see" traffic that's not mine. Maybe I've been hacked. Maybe, it's such a well-stealthed nastiness that nothing can see it and the only trace of it is the modem light. Maybe I've banged my head against this so long that I'm hallucinating. Can anyone tell me what's going on?
Thank you,
Michelle
--I can post more listings from a tcpdump if that would be helpful. --M
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
Glenn -----
OTR/L, MOT, Tx
Grizzled Veteran
Join Date: Jan 2002
Location: Melbourne, Australia
My first suggestion would be to disconnect the modem from the computer. If the light still flashes then it's some external thing accessing (possibly randomly) your IP address and may not have anything to do with the computer at all. It also sounds like the computer is well secured with the firewall and if it is just random snooping it's unlikely to be able to achieve anything.
If the activity stops when the computer is disconnected then you have some more looking to do to try and find the app that's causing it.
WM
Fresh-Faced Recruit
Join Date: Apr 2005
Thanks ghporter and WHMoore for responding,
I disconnected the cable from the back of the modem. The light went out but the tcpdump was still catching a lot of info. It seems to have a different flavor, though. It seems like to me, that the network software is panicking a little about being alone: "Hey! Who turned the lights out? I can't see anything!...This isn't funny....George? George, is this you? Look George I said I was sorry about the....consarnit. HELLO-O! Where is everybody?" (partial tcpdump output below-- Would y'all take a look?)
So, could it be that I have worried for nothing? That all those arp who-has requests _weren't_ some bit of nastiness using my computer to trawl for others? That the UDP output from my machine was not the nastiness broadcasting to others but was instead...something I don't know about? (Vast, vast are the things I don't know about)
I really hope so because I'm flat out of ideas on how to catch this little nightmare, if there is one. My fear is that I brought this on myself by downloading something. Now, mind you, I don't _remember_ downloading anything during the week in question, or even the week before, but my not remembering something doesn't necessarily mean it didn't happen. It would have to be a finely crafted little daemon-like thing. Wily enough to fool the average user on a ps command. Very low memory and CPU consumption. Shoot.
Thanks so much for helping,
Michelle
******tcpdump output with cable disconnected from modem:
06:59:24.571687 arp who-has localhost tell localhost
06:59:27.518443 (tos 0x18, ttl 255, length: 152) localhost.mdns > 224.0.0.251.mdns: [udp sum ok] 0 [7q] PTR? _afpovertcp._tcp.local.[|domain]
06:59:28.269735 (tos 0x18, ttl 255, length: 465) localhost.mdns > 224.0.0.251.mdns: [udp sum ok] 0*- [0q] 9/0/0 MichelleM-bM-^@M-^Ys Computer [00:30:65:41:92:d8]._workstation._tcp.local. (Class 32769) SRV, MichelleM-bM-^@M-^Ys Computer [00:30:65:41:92:d8]._workstation._tcp.local. (Class 32769) TXT , _services._dns-sd._udp.local. PTR _workstation._tcp.local., _workstation._tcp.local. PTR MichelleM-bM-^@M-^Ys Computer [00:30:65:41:92:d8]._workstation._tcp.local., Michelles-Computer.local. (Class 32769) AAAA michelles-computer.local, 8.D.2.9.1.4.E.F.F.F.5.6.0.3.2.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.8.E.F.ip6.arpa. (Class 32769) PTR Michelles-Computer.local., Michelles-Computer.local. (Class 32769) HINFO, Michelles-Computer.local. (Class 32769) A localhost, 11.100.168.192.in-addr.arpa. (Class 32769) PTR Michelles-Computer.local. (437)
06:59:28.548760 michelles-computer.local > ff02::2: icmp6: router solicitation (src lladdr: 00:30:65:41:92:d8) (len 16, hlim 255)
06:59:30.407877 (tos 0x0, ttl 255, length: 75) localhost.51103 > 239.255.255.253.svrloc: [udp sum ok] udp 47
06:59:30.415045 (tos 0x0, ttl 255, length: 77) localhost.51104 > 239.255.255.253.svrloc: [udp sum ok] udp 49
06:59:37.400019 michelles-computer.local > ff02::2: icmp6: router solicitation (src lladdr: 00:30:65:41:92:d8) (len 16, hlim 255)
06:59:37.430413 (tos 0x0, ttl 255, length: 75) localhost.51105 > 239.255.255.253.svrloc: [udp sum ok] udp 47
06:59:38.100623 (tos 0x0, ttl 64, length: 78) localhost.51106 > 192.168.100.255.netbios-ns: [udp sum ok] NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
*****tcpdump output with modem reconnected:
07:28:03.236878 arp who-has 69.172.51.188 tell 69.172.48.1
07:28:03.279319 arp who-has 69.172.50.175 tell 69.172.48.1
07:28:03.341307 arp who-has 69.172.51.162 tell 69.172.48.1
07:28:03.521036 (tos 0x0, ttl 64, length: 339) 10.12.208.1.bootps > 255.255.255.255.bootpc: [udp sum ok] BOOTP/DHCP, length: 311
Reply, hops:2, xid:0x85c12400, secs:27841
Your IP: 69.172.49.162
Server IP: 68.232.108.202
Gateway IP: 10.12.208.1
Client Ethernet Address: 00:e0:29:55:b0:19
Vendor-rfc1048:
DHCP:OFFER
SID:68.232.108.202
LT:43200
RN:21600
RB:37800
SM:255.255.248.0
DG:69.172.48.1
NS:24.51.159.130,24.51.159.133
DN:"chvlva.adelphia.net"
07:28:03.535086 arp who-has 68.234.104.158 tell 68.234.104.1
07:28:03.579032 arp who-has 69.172.53.245 tell 69.172.48.1
07:28:03.685403 arp who-has 69.172.55.40 tell 69.172.48.1
07:28:04.063527 arp who-has 69.172.55.40 tell 69.172.48.1
07:28:04.086522 arp who-has 69.172.63.42 tell 69.172.60.1
07:28:04.229664 arp who-has 69.172.50.244 tell 69.172.48.1
07:28:04.282062 (tos 0x0, ttl 255, length: 75) localhost.51798 > 239.255.255.253.svrloc: [udp sum ok] udp 47
07:28:04.289675 (tos 0x0, ttl 255, length: 77) localhost.51799 > 239.255.255.253.svrloc: [udp sum ok] udp 49
07:28:04.460116 arp who-has 69.172.51.108 tell 69.172.48.1
07:28:04.635338 arp who-has 69.172.60.191 tell 69.172.60.1
Fresh-Faced Recruit
Join Date: Apr 2005
PS
I have absolutely no Microsoft products on my machine, so I don't think Visual Basic macros are a problem.
Well, actually, I used to have Explorer, but have long since deleted it.
--M
Fresh-Faced Recruit
Join Date: Aug 2003
The arp is the protocol that obtains and maps the MAC addresses to the hosts' IP addresses. This is completely normal. It is used to know where to send the packets in the local area network as well as to the gateway to the internet. This arp table is stored in RAM on your computer and if you had others on your network they would also have this. This information can be obtained by broadcast as in this case. Your gateway, 69.172.48.1, is broadcasting these requests and this device is obtaining this information through the "tell" who has this IP address so it knows which addresses are on the network so when it receives information from the outside it knows the packets need to be sent to an IP address in your network. These requests only happen within the local network so this information ends at the Gateway.
The first part of your dump is your computer obtaining its IP address automatically from your ISP and "leasing" that address and confirming this. This is because you disconnected the modem. The latter part is just the broadcasting.
Fresh-Faced Recruit
Join Date: Apr 2005
yeabil, thank you for replying.
If I understand all you've written, then you're saying that from what you've seen that I have nothing to worry about? I'm not some malware-spewing dupe?
Can I ask another question?
I've become very interested in the info I can get from tcpdump. It's so dense yet thorough.
I've been looking at it and I found the paired statements listed below. I listed a similar pair in my first post.
I _think_ that these are examples of the UDP traffic the guy at the cable company was concerned about.
I _think_ that the first part of each is my computer asking the cable company's computer if they have a PTR record for the address listed. And the PTR has to do with the DNS--??? The second part of a pair is the company's computer confirming that they have that address-- only in reverse.
The thing I'm clueless about is this: is my computer asking the cable network about other _users_ on their network?
69-172-54-5.chvlva.adelphia.net looks a lot like _my_ user address as listed by tcpdump. If my thinking about this is true, if my computer is asking for dozens of IP addresses per minute of _other users_, then this is of great concern to me. I hope someone here can point out my mistakes, pat me on the head and tell me everything's OK.
Oh, another thing: do you see how every request goes out from a different port number? And those port numbers are consecutive and up there in the really high undefined spaces? Is that important? And what process is doing all this, nslookup?
Many thanks again for helping me to work this out,
Michelle
(I added the asterisks at the beginning of each row in hopes of clarifying things a little)
***15:21:49.871950 (tos 0x0, ttl 64, length: 70) 69-172-50-80.chvlva.adelphia.net.49533 > nscache1.chvlva.adelphia.net.domain: [udp sum ok] 50945+ PTR? 5.54.172.69.in-addr.arpa. (42)
***15:21:49.909713 (tos 0x0, ttl 251, length: 217) nscache1.chvlva.adelphia.net.domain > 69-172-50-80.chvlva.adelphia.net.49533: [udp sum ok] 50945 1/3/3 5.54.172.69.in-addr.arpa. PTR 69-172-54-5.chvlva.adelphia.net. (189) (DF)
***15:21:49.913442 (tos 0x0, ttl 64, length: 72) 69-172-50-80.chvlva.adelphia.net.49534 > nscache1.chvlva.adelphia.net.domain: [udp sum ok] 29834+ PTR? 220.63.172.69.in-addr.arpa. (44)
***15:21:49.956284 (tos 0x0, ttl 251, length: 221) nscache1.chvlva.adelphia.net.domain > 69-172-50-80.chvlva.adelphia.net.49534: [udp sum ok] 29834 1/3/3 220.63.172.69.in-addr.arpa. PTR 69-172-63-220.chvlva.adelphia.net. (193) (DF)
***15:21:49.960264 (tos 0x0, ttl 64, length: 71) 69-172-50-80.chvlva.adelphia.net.49535 > nscache1.chvlva.adelphia.net.domain: [udp sum ok] 35393+ PTR? 34.52.172.69.in-addr.arpa. (43)
***15:21:50.000903 (tos 0x0, ttl 251, length: 219) nscache1.chvlva.adelphia.net.domain > 69-172-50-80.chvlva.adelphia.net.49535: [udp sum ok] 35393 1/3/3 34.52.172.69.in-addr.arpa. PTR 69-172-52-34.chvlva.adelphia.net. (191) (DF)
***15:21:50.005443 (tos 0x0, ttl 64, length: 71) 69-172-50-80.chvlva.adelphia.net.49536 > nscache1.chvlva.adelphia.net.domain: [udp sum ok] 8815+ PTR? 21.63.172.69.in-addr.arpa. (43)
***15:21:50.047473 (tos 0x0, ttl 251, length: 219) nscache1.chvlva.adelphia.net.domain > 69-172-50-80.chvlva.adelphia.net.49536: [udp sum ok] 8815 1/3/3 21.63.172.69.in-addr.arpa. PTR 69-172-63-21.chvlva.adelphia.net. (191) (DF)
Fresh-Faced Recruit
Join Date: Apr 2005
yeabil is correct, this traffic is nothing you need to worry about. TCPdump is showing ALL traffic that your ethernet interface "sees." Ethernet (as well as broadband cable) is a broadcast medium -- everything that is sent over the wire is "seen" by all other devices on the network. A device will only pay attention to broadcasts or packets addressed to itself. The reason you are able to see everything with TCPdump is that you have placed your network card in "promiscuous" mode (nothing bad, just tells it to pay attention to everything so TCPdump can see all packets.)
Bottom line -- your firewall is protecting your system against unwanted requests, based on the way you said you have it configured.
The reason you are seeing incrementing port (or socket) numbers is that these are the source ports which can be anything. It is the destination port that tells the listening interface what application needs to deal with the traffic.
If you are interested in learning more, I would suggest picking up a book on how TCP/IP operates. You can spend months exploring this fascinating world.
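As an added illustration (not code from any poster in this thread), here is a small Python script that reads tcpdump text lines like the ones quoted above and answers the questions Michelle raised: who is issuing the ARP who-has requests (the "tell" field), whether the PTR lookups come from her own host and use ephemeral source ports, and how much of the rest is the machine's own broadcast/multicast chatter. The sample lines and the local host name 69-172-50-80.chvlva.adelphia.net are taken from the dumps posted earlier; the ephemeral range check assumes the IANA dynamic range of 49152-65535.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the tcpdump output quoted earlier in this thread.
SAMPLE = """\
07:28:03.236878 arp who-has 69.172.51.188 tell 69.172.48.1
07:28:03.279319 arp who-has 69.172.50.175 tell 69.172.48.1
07:28:04.086522 arp who-has 69.172.63.42 tell 69.172.60.1
15:21:49.871950 (tos 0x0, ttl 64, length: 70) 69-172-50-80.chvlva.adelphia.net.49533 > nscache1.chvlva.adelphia.net.domain: [udp sum ok] 50945+ PTR? 5.54.172.69.in-addr.arpa. (42)
15:21:49.909713 (tos 0x0, ttl 251, length: 217) nscache1.chvlva.adelphia.net.domain > 69-172-50-80.chvlva.adelphia.net.49533: [udp sum ok] 50945 1/3/3 5.54.172.69.in-addr.arpa. PTR 69-172-54-5.chvlva.adelphia.net. (189) (DF)
15:21:49.913442 (tos 0x0, ttl 64, length: 72) 69-172-50-80.chvlva.adelphia.net.49534 > nscache1.chvlva.adelphia.net.domain: [udp sum ok] 29834+ PTR? 220.63.172.69.in-addr.arpa. (44)
06:59:30.407877 (tos 0x0, ttl 255, length: 75) localhost.51103 > 239.255.255.253.svrloc: [udp sum ok] udp 47
06:59:38.100623 (tos 0x0, ttl 64, length: 78) localhost.51106 > 192.168.100.255.netbios-ns: [udp sum ok] NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
"""
# How tcpdump names the poster's own machine in the quoted output.
LOCAL_HOST = "69-172-50-80.chvlva.adelphia.net"

ARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
# "<src>.<sport> > <dst>.<dport>:" on UDP lines; the greedy first group keeps the dotted
# host name together so only the last label is taken as the port.
UDP_RE = re.compile(r"\) (\S+)\.(\S+) > (\S+)\.(\S+): \[udp")

def is_ephemeral(port):
    """IANA dynamic/private range (assumed), which the OS picks for the source side of a query."""
    return port.isdigit() and 49152 <= int(port) <= 65535

def triage(dump, local_host):
    """Summarise a tcpdump text dump from the local host's point of view."""
    arp_askers = Counter()  # who sends the ARP who-has requests (the "tell" field)
    ptr_from_local = 0      # reverse-DNS questions our own host asked
    odd_source_ports = []   # local queries not using an ephemeral source port
    local_chatter = 0       # broadcast/multicast the host emits on its own
    for line in dump.splitlines():
        m = ARP_RE.search(line)
        if m:
            arp_askers[m.group(2)] += 1
            continue
        m = UDP_RE.search(line)
        if not m:
            continue
        src, sport, dst, _dport = m.groups()
        if src == local_host and "PTR?" in line:
            ptr_from_local += 1
            if not is_ephemeral(sport):
                odd_source_ports.append(sport)
        if dst.endswith(".255") or dst.startswith(("224.", "239.")):
            local_chatter += 1
    return {"arp_from_local": arp_askers[local_host], "arp_askers": dict(arp_askers),
            "ptr_from_local": ptr_from_local, "odd_source_ports": odd_source_ports,
            "local_chatter": local_chatter}
```

On the sample, every ARP request is asked by a gateway (69.172.48.1 or 69.172.60.1) and none by the local host, which is the distinction between "my machine is scanning" and "I can see the segment's background traffic".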
Fresh-Faced Recruit
Join Date: Apr 2005
TCPport22, thank you so much for putting my mind at ease!
As concerned as I've been about this, I can't say it's been a bad thing because I've learned so much. You're right, it's a fascinating world.
Thanks again,
Michelle
Mac Elite
Join Date: May 2001
Location: Utah
If you have Apple's X11 program installed, you can run Ethereal, which is a lot more informative, flexible and fun than tcpdump in many ways. I still like tcpdump, but I find myself using tethereal and ethereal more often nowadays. I just used it yesterday on my iBook so that I could sniff the ARP packets that a mystery network-attached storage (maxtor) device was using at work. We needed to get to the web admin page to change the address, but we had no idea what the address was. It came up yelling "who has x.x.x.x tell y.y.y.y", which told me its address.
michelle03, it sounds like your ISP sends a lot more data to your ethernet port than they possibly should (cable modem perhaps?). It is rather fun to take the time to understand all those packets; enjoy yourself!