Help! Have I been hacked?
Junior Member
Join Date: Jul 2001
Location: around
I noticed today at work that my copy of Bookends 8.1 spontaneously tried to connect to several remote sites. Little Snitch threw up a dialog asking for permission to let Bookends attach to <some ip address>. I said no.
I emailed the developer of Bookends (these guys have been around for a while - they're not fly-by-night) and one promptly wrote back saying their software should connect only to PubMed in the background, and only with my permission. These IP addresses were MIT and U of Arizona addresses (and no, I did not access OVID or some other database at those universities).
Here is what the console log showed:
2005-07-28 10:36:13.529 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-07-29 09:44:19.382 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-08-01 09:40:34.097 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-08-02 11:39:21.402 Quicksilver[250] files /Library/PreferencePanes/Little Snitch.prefPane
2005-08-02 14:52:44.330 Quicksilver[250] files /Library/PreferencePanes/Little Snitch.prefPane
2005-08-02 15:55:11.236 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
There was also another attempt that did not make it to the log (I think) because I said no when the dialog came up.
Notes:
1. My Mac at home also has Bookends installed and has not done this ever.
2. I also noticed that "System Events" was hogging CPU every ten seconds or so (though I am pretty sure this was because I had activated folder scripts.)
3. I do not use limewire or acq or whatever the warez download programs are, etc. All downloads are via VersionTracker, Apple, or links from MacNN, Macintouch, etc.
Questions:
1. Thoughts?
2. Can an application spoof its identity to Little Snitch?
3. What is port 2114?
Thanks. Sorry if there is some lame and easy answer . . . I tried to google this stuff and search the forums first . . .
airron
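As an added example, not from the thread, Little Snitch or the Bookends vendor: a small parser for daemon lines in the format quoted above that groups connection requests by application and destination and flags any that fall outside a per-application allowlist. The allowlist and the pubmed.example.org line are constructed assumptions; the thread only states that Bookends should reach PubMed over port 80.

```python
import re
from datetime import datetime

# Constructed sample log: the aion.mit.edu lines mirror those quoted in the thread, the Quicksilver
# line is unrelated console noise, the last line is a constructed "expected" destination (RFC 5737 IP).
SAMPLE_LOG = """\
2005-07-28 10:36:13.529 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-08-02 11:39:21.402 Quicksilver[250] files /Library/PreferencePanes/Little Snitch.prefPane
2005-08-02 15:55:11.236 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to aion.mit.edu (18.63.1.76) on UDP port 2114 (newheights)
2005-08-02 16:01:02.000 LittleSnitchDaemon[244] Little Snitch: The application "Bookends 8" wants to connect to pubmed.example.org (192.0.2.10) on TCP port 80 (http)
"""
# One Little Snitch daemon line: timestamp, app name, destination host/IP, protocol, port.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) LittleSnitchDaemon\[\d+\] '
    r'Little Snitch: The application "(?P<app>[^"]+)" wants to connect to '
    r'(?P<host>\S+) \((?P<ip>[\d.]+)\) on (?P<proto>TCP|UDP) port (?P<port>\d+)'
)
# Hypothetical per-application allowlist of (host, protocol, port); the thread says Bookends
# should only talk to PubMed over port 80, so that is the only expected destination.
EXPECTED = {"Bookends 8": [("pubmed.example.org", "TCP", 80)]}

def parse_events(text):
    """Return a list of connection-request dicts; lines from other processes are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S.%f")
            e["port"] = int(e["port"])
            events.append(e)
    return events

def summarize(events):
    """Group requests by (app, host, ip, proto, port) with count and first/last seen."""
    summary = {}
    for e in events:
        key = (e["app"], e["host"], e["ip"], e["proto"], e["port"])
        s = summary.setdefault(key, {"count": 0, "first": e["ts"], "last": e["ts"]})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], e["ts"]), max(s["last"], e["ts"])
    return summary

def unexpected(summary, expected=EXPECTED):
    """Destinations not on the app's allowlist, i.e. the ones worth asking the vendor about."""
    return [
        dict(app=app, host=host, ip=ip, proto=proto, port=port, **stats)
        for (app, host, ip, proto, port), stats in summary.items()
        if (host, proto, port) not in expected.get(app, [])
    ]
```

Run over a real console export, the flagged list gives one row per unexplained (application, destination, port) tuple with its repeat count and time span, which is exactly what a vendor support contact would need to reproduce the report.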
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
I would say that it's unlikely you've been hacked. This behavior, though, doesn't seem "normal." Are you using the same version of everything at home? A version difference could explain what's going on to some degree.
Glenn -----OTR/L, MOT, Tx
Grizzled Veteran
Join Date: Oct 1999
Location: Minneapolis
System Events can be used heavily in AppleScript. I suggest killing this program and seeing if that resolves the issue. I would search for invisible files and see if anything looks strange.
Posting Junkie
Join Date: Feb 2005
Location: 888500128
Port 2114 is registered to the newheights service, which is apparently a Voice-over-IP service.
Mac Elite
Join Date: Jan 2001
Location: Helsinki, Finland
Does this only occur when Bookends is running?
Any weird Dashboard widgets running?
J
Junior Member
Join Date: Jul 2001
Location: around
Thanks for the replies.
I killed a bunch of dashboard widgets and killed the system events process. I am not sure that worked, but these accesses happen every 1-2 hours, so I will have to give it some time.
I will retry today, to see if I can reproduce the behavior. I will update the thread if I learn more (especially if I learn of a - hopefully - benign explanation).
airron
Baninated
Join Date: Dec 2004
Location: Illinois might be cold and flat, but at least it's ugly.
It would appear as if your computer is wishing to make a telephone call...
Junior Member
Join Date: Jul 2001
Location: around
Originally Posted by budster101
It would appear as if your computer is wishing to make a telephone call...
I ran all the widgets I could, opened all the possible offending apps and could not reproduce the issue today . . . . Hmmm.
Oh well.
Nevermind . . . .
Professional Poster
Join Date: Jul 2005
Location: Winnipeg, MB
Originally Posted by budster101
It would appear as if your computer is wishing to make a telephone call...
OS X phone home...
Mac Elite
Join Date: Oct 2000
Location: Seattle
Is it possible that aion.mit.edu is a mirror of PubMed, so this connection is legit?
Mac Enthusiast
Join Date: May 2001
Location: Denmark
Junior Member
Join Date: Jul 2001
Location: around
As I have said before, I cannot reproduce this behavior, despite trying.
To answer some questions . . .
I do not think that aion.mit.edu is a PubMed mirror - but if it were, why would a program try to access it on a different port than normal (usually, PubMed connections are via port 80)?
Yes, Bookends, from Sonny Software. But I do not think this reflects on them poorly (at all). In fact, their support person was very responsive and insisted he did not see that behavior with Little Snitch and that this sort of connection is not made by their software. I still use Bookends extensively and it has not behaved oddly.
Again, I have not seen this behavior since a reboot . . . I am just confused. It seems more and more like a glitch.
Thanks for the questions/thoughts . . .
Senior User
Join Date: Aug 2002
Here are the most obvious questions: Are you behind a router? Is your computer on a protected network? If not, is the OS X firewall enabled in the Sharing preferences?
"Design is not just what it looks like and feels like. Design is how it works." - Steve Jobs
Junior Member
Join Date: Jul 2001
Location: around
Originally Posted by NeXTLoop
Here are the most obvious questions: Are you behind a router? Is your computer on a protected network? If not, is the OS X firewall enabled in the Sharing preferences?
This computer is on the university's network. I am unsure of the extent to which they block garbage.
Firewall is on. (Of course!) IPFW documents about 8-12 unsuccessful firewall accesses per day.
airron