
Help! Have I been hacked?
AirRon
Junior Member
Join Date: Jul 2001
Location: around
Aug 2, 2005, 09:37 PM
 
I noticed today at work that my copy of Bookends 8.1 spontaneously tried to connect to several remote sites. Little Snitch threw up a dialog asking for permission to let Bookends attach to <some ip address>. I said no.

I emailed the developer of Bookends (these guys have been around for a while - they're not fly-by-night) and one promptly wrote back saying their software should connect only to PubMed in the background, and only with my permission. These IP addresses were to MIT and to U of Arizona IP addresses (and no, I did not access OVID or some other database at those universities).

Here is what the console log showed:

2005-07-28 10:36:13.529 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-07-29 09:44:19.382 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-08-01 09:40:34.097 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-08-02 11:39:21.402 Quicksilver[250] files /Library/PreferencePanes/Little Snitch.prefPane
2005-08-02 14:52:44.330 Quicksilver[250] files /Library/PreferencePanes/Little Snitch.prefPane
2005-08-02 15:55:11.236 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)

There was also another attempt that did not make it to the log (I think) because I said no when the dialog came up.

Notes:
1. My Mac at home also has Bookends installed and has not done this ever.
2. I also noticed that "System Events" was hogging CPU every ten seconds or so (though I am pretty sure this was because I had activated folder scripts.)
3. I do not use LimeWire or acq or whatever the download warez, etc. All downloads are via VersionTracker, Apple, or links from MacNN, MacInTouch, etc.


Questions:
1. Thoughts?
2. Can an application spoof its identity to Little Snitch?
3. What is port 2114?

Thanks. Sorry if there is some lame and easy answer . . . I tried to google this stuff and search the forums first . . .

airron
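
The log excerpt in the post above can be triaged mechanically. The following is an added example, not part of the original post and not code from Little Snitch or Bookends: it parses the Console lines quoted above, groups the prompts by destination, and reports the gaps between them. The `EXPECTED` allowlist (the NCBI domain over TCP port 80) is an assumption standing in for the developer's statement that Bookends should connect only to PubMed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Console lines copied from the post above.
LOG = '''\
2005-07-28 10:36:13.529 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-07-29 09:44:19.382 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-08-01 09:40:34.097 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-08-02 14:52:44.330 Quicksilver[250] files /Library/PreferencePanes/Little Snitch.prefPane
2005-08-02 15:55:11.236 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
'''
LINE_RE = re.compile(
    r'^(?P<ts>[\d-]+ [\d:.]+) LittleSnitchDaemon\[\d+\] Little Snitch: '
    r'The application "(?P<app>[^"]+)" wants to connect to (?P<host>\S+) '
    r'\((?P<ip>[\d.]+)\) on (?P<proto>TCP|UDP) port (?P<port>\d+)')

# Assumption: "expected" traffic per the developer's reply is PubMed only;
# the NCBI domain and TCP/80 stand in for that here.
EXPECTED = {"Bookends 8": [("ncbi.nlm.nih.gov", "TCP", 80)]}

def parse(log):
    """Yield one dict per Little Snitch prompt; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "port": int(m["port"]),
                   "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")}

def is_expected(ev):
    return any((ev["host"] == dom or ev["host"].endswith("." + dom))
               and (ev["proto"], ev["port"]) == (proto, port)
               for dom, proto, port in EXPECTED.get(ev["app"], []))

def summarize(log):
    """Group prompts by destination; report count, gaps in hours, verdict."""
    groups = defaultdict(list)
    for ev in parse(log):
        groups[(ev["app"], ev["host"], ev["ip"], ev["proto"], ev["port"])].append(ev)
    report = []
    for key, evs in groups.items():
        times = sorted(ev["ts"] for ev in evs)
        gaps = [round((b - a).total_seconds() / 3600, 1) for a, b in zip(times, times[1:])]
        report.append({"dest": key, "count": len(evs), "gaps_h": gaps,
                       "expected": is_expected(evs[0])})
    return report

if __name__ == "__main__":
    print(*summarize(LOG), sep="\n")
```

On the quoted lines this yields a single destination with four prompts, spaced roughly 23, 72 and 30 hours apart, and marks it as outside the allowlist.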
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Aug 2, 2005, 09:45 PM
 
I would say that it's unlikely you've been hacked. This behavior, though, doesn't seem "normal." Are you using the same version of everything at home? A version difference could explain what's going on to some degree.

Glenn -----OTR/L, MOT, Tx
     
oscar
Grizzled Veteran
Join Date: Oct 1999
Location: Minneapolis
Aug 3, 2005, 02:52 AM
 
System Events can be used heavily in AppleScript. I suggest killing this program and seeing if that resolves the issue. I would search for invisible files and see if anything looks strange.
     
analogika
Posting Junkie
Join Date: Feb 2005
Location: 888500128
Aug 3, 2005, 03:21 AM
 
Port 2114 is registered to the newheights service, which is apparently a Voice-over-IP service.

?
     
Judge_Fire
Mac Elite
Join Date: Jan 2001
Location: Helsinki, Finland
Aug 3, 2005, 04:46 AM
 
Does this only occur when Bookends is running?

Any weird Dashboard widgets running?

J
     
AirRon  (op)
Junior Member
Join Date: Jul 2001
Location: around
Aug 3, 2005, 09:12 AM
 
Thanks for the replies.

I killed a bunch of dashboard widgets and killed the system events process. I am not sure that worked, but these accesses happen every 1-2 hours, so I will have to give it some time.

I will retry today, to see if I can reproduce the behavior. I will update the thread if I learn more (especially if I learn of a - hopefully - benign explanation).

airron
     
budster101
Baninated
Join Date: Dec 2004
Location: Illinois might be cold and flat, but at least it's ugly.
Aug 3, 2005, 11:14 AM
 
It would appear as if your computer is wishing to make a telephone call...
     
AirRon  (op)
Junior Member
Join Date: Jul 2001
Location: around
Aug 3, 2005, 10:12 PM
 
Originally Posted by budster101
It would appear as if your computer is wishing to make a telephone call...
I ran all the widgets I could, opened all the possible offending apps and could not reproduce the issue today . . . . Hmmm.

Oh well.

Nevermind . . . .
     
Salty
Professional Poster
Join Date: Jul 2005
Location: Winnipeg, MB
Aug 4, 2005, 12:10 AM
 
Originally Posted by budster101
It would appear as if your computer is wishing to make a telephone call...
OS X phone home...
     
Gavin
Mac Elite
Join Date: Oct 2000
Location: Seattle
Aug 4, 2005, 02:17 PM
 
Is it possible that aion.mit.edu is a mirror to PubMed, so this connection is legit?
     
Thain Esh Kelch
Mac Enthusiast
Join Date: May 2001
Location: Denmark
Aug 4, 2005, 07:53 PM
 
It shouldn't be this program? http://www.sonnysoftware.com/
     
AirRon  (op)
Junior Member
Join Date: Jul 2001
Location: around
Aug 5, 2005, 01:38 AM
 
As I have said before, I cannot reproduce this behavior, despite trying.

To answer some questions . . .
I do not think that aion.mit.edu is a PubMed mirror - but if it were, why would a program try to access it on a different port than normal (usually, PubMed connections are via port 80)?

Yes, Bookends, from Sonny Software. But I do not think this reflects on them poorly (at all). In fact, their support person was very responsive and insisted he did not see that behavior with Little Snitch and that this sort of connection is not made by their software. I still use Bookends extensively and it has not behaved oddly.

Again, I have not seen this behavior since a reboot . . .. I am just confused. It seems more and more like a glitch.

thanks for the questions/thoughts . . ..
     
NeXTLoop
Senior User
Join Date: Aug 2002
Aug 5, 2005, 08:56 AM
 
Here's the most obvious questions: Are you behind a router? Is your computer on a protected network? If not, is the OS X firewall enabled in the Sharing preferences?
"Design is not just what it looks like and feels like. Design is how it works." - Steve Jobs
     
AirRon  (op)
Junior Member
Join Date: Jul 2001
Location: around
Aug 5, 2005, 02:10 PM
 
Originally Posted by NeXTLoop
Here's the most obvious questions: Are you behind a router? Is your computer on a protected network? If not, is the OS X firewall enabled in the Sharing preferences?
This computer is on the university's network. I am unsure the extent to which they block garbage.

Firewall is on. (Of course! ) IPFW documents about 8-12 unsuccessful firewall accesses per day.

airron
     