
My mac is hacked


Macnoob5

 
I have a friend here at school who is majoring in computer engineering. I use the term loosely because it's more of a social friendship. We drink and socialize at college. At the beginning of the year, maybe about 6 days after I got a new computer, he called me up over the phone and wanted me to build a website with him. He told me I could be an admin for a fraternal social networking site he wanted to start. Thusly I agreed and made an admin account using my password that's used for everything. After getting back to school for this semester, he invited me out to lunch to just talk and get back in touch. We mulled over ideas for the site, but it ended up going nowhere.

Recently I have been experiencing several hour-long lag spikes. I am talking about 48 kbs internet through a wired connection with a D-Link router. I assumed it was my roommate downloading music. I then accessed the router using 192.168.1.1 and blocked all websites with names like torrent, bit, isohunt and such. The problem didn't resolve. I then proceeded to block access from his computer to the router, so his internet wouldn't work. The problem didn't stop. I then disconnected the router, connected directly to my computer and ran a bandwidth test. It showed a speed of 700 kbs.

Then I went and downloaded Little Snitch, a program used to check outgoing data. I had it running in the background.

After doing that, I created a membership here and started typing away. From about 4 in the morning to 6, I had been doing due diligence about hacking and OS X. I learned to look for files that looked out of place. I found one.

In the Documents folder:

A folder called Microsoft User Data.

In this folder was an Entourage folder that was dated before I bought my Mac.

In the Entourage folder were files I could click on and read the script.

There were also files in the Automator.

Also, is this activity in my Library/Preferences suspicious?

At the point I thought I was being hacked, and thought the hacker was looking at my computer, it was 6:30am... after two hours of due diligence.

I typed into a text document:

YOU HACKER I KNOW YOUR LOOKING AT THIS RIGHT NOW. YOU THINK YOU CAN STOP ME. I AM ABOUT TO FIND OUT WHO YOU ARE.

...and started writing this article.


Now the first time I tried typing this in, my browser froze halfway through the article. At this point, I had kept disconnecting and reconnecting my computer to the router because I was paranoid. Then, at one point I just decided to connect directly to the router. When I went back to the web, my internet jumped from 48 kbs on the bandwidth site to 400 kbs. I was then asked by an unknown source with an IP in Columbus, Ohio (I'm located 2 hours away from Columbus) to access my computer, a notification sent by Little Snitch. I kept the message up while writing down its IP, and while writing this article for the second time. My internet web browser soon froze. It was in the middle of looking up the IP and typing this.

The third time around I blocked everything accessing my computer.
Little Snitch's connection history shows:

dns-cac-lb-02.rr.com
dns-cac-lb-0a.rr.com
10.24.17.107
10.24.17.102

Another suspicious thing. Before I got all paranoid and started blocking connections through Little Snitch, I was observing the Activity Monitor and saw constant and blinking usage from mdworker. It was only flickering at around 1 percent, and stopped doing this as soon as I started managing Little Snitch.

I'm constantly looking for more stuff. Let me know if I'm paranoid or if I'm on to something here. I'm deeply worried.

Last edited by bobtomay; 02-25-2010 at 10:06 AM. Reason: masked word - please see our forum rules
Macnoob5
Another suspicious thing.

At one point I was so paranoid about this that I started typing this post offline. When I got back online, I had another lag spike and had to restart my browser.
Here is a folder I found, edited at about the time I came back on the internet. Notice the time it was edited.

Today, 7:03

But then within the file, there are different dates.

miles01110
Sounds like you're dealing with a mess. Do a clean reinstall of OS X, or at least delete that other admin account and change your password. That was a really stupid thing to do in the first place.
Macnoob5
I just changed my password. Is there any definitive way to find a ghosted trail of someone accessing your computer? Maybe even in the kernel. I found two logs that I'm reading through in the Console that were dated Feb 12. I can't make any sense of them; if you want me to email them or look for anything particular in them, let me know.
Macnoob5
Can someone make sense of this message, particularly the code setugid?

-MacBook-Pro UserNotificationCenter[2251]: The application with bundle ID (null) is running setugid(), which is not allowed.
Macnoob5
And this:

Feb 25 06:41:13 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[488]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[488]): Exited with exit code: 1
Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:23 cpe-174-102-116-115 UserNotificationCenter[489]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:41:23 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[489]): Exited with exit code: 1
Feb 25 06:41:23 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[490]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[490]): Exited with exit code: 1
Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:33 cpe-174-102-116-115 UserNotificationCenter[491]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:41:33 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[491]): Exited with exit code: 1
Feb 25 06:41:33 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:41 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[492]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:41:41 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[492]): Exited with exit code: 1
Feb 25 06:41:41 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:43 cpe-174-102-116-115 UserNotificationCenter[493]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:41:43 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[493]): Exited with exit code: 1
Feb 25 06:41:43 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:51 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[494]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:41:51 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[494]): Exited with exit code: 1
Feb 25 06:41:51 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:41:53 cpe-174-102-116-115 UserNotificationCenter[495]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:41:53 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[495]): Exited with exit code: 1
Feb 25 06:41:53 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:01 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[496]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:42:01 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[496]): Exited with exit code: 1
Feb 25 06:42:01 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:03 cpe-174-102-116-115 UserNotificationCenter[497]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:42:03 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[497]): Exited with exit code: 1
Feb 25 06:42:03 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:11 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[498]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:42:11 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[498]): Exited with exit code: 1
Feb 25 06:42:11 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:13 cpe-174-102-116-115 UserNotificationCenter[499]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:42:13 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[499]): Exited with exit code: 1
Feb 25 06:42:13 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[500]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory
Feb 25 06:42:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[500]): Exited with exit code: 1
Feb 25 06:42:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds
Feb 25 06:42:23 cpe-174-102-116-115 UserNotificationCenter[501]: The application with bundle ID (null) is running setugid(), which is not allowed.
Feb 25 06:42:23 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[501]): Exited with exit code: 1
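The log above is a launchd respawn loop, and the tell is in the log itself rather than on the network: launchd starts `com.apple.fontd`, `posix_spawn` fails because the binary is not at the path launchd was told to run (`No such file or directory`), the job exits with code 1, launchd waits its default 10-second throttle interval and tries again; `UserNotificationCenter` cycles the same way because it refuses to run when launched setuid/setgid. As an added example that is not part of this thread, the Python below parses lines in this syslog/launchd format, groups them by job, counts throttled respawns and exits, and tags each job with the failure signature that explains the loop. The twelve sample lines are copied from the post above; the job-name normalisation and the signature table are this example's own choices, not anything from the thread or from Apple.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# One syslog/launchd line as posted above, e.g.
#   Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[488]): Exited with exit code: 1
# launchd lines carry the job label in parentheses; a process logging for itself
# (UserNotificationCenter[489]: ...) carries only its own name and pid.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]"
    r"(?: \((?P<label>[^\[\)]+)(?:\[\d+\])?\))?"
    r": (?P<msg>.*)$"
)

# Failure signatures (this example's table) that explain a respawn loop on their
# own; both are local process faults, neither involves the network.
SIGNATURES = {
    "No such file or directory": "missing-binary",
    "running setugid(), which is not allowed": "setugid-refused",
}

# Sample input: twelve consecutive lines copied from the log posted in this thread.
SAMPLE_LOG = [
    'Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[488]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory',
    "Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[488]): Exited with exit code: 1",
    "Feb 25 06:41:21 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds",
    "Feb 25 06:41:23 cpe-174-102-116-115 UserNotificationCenter[489]: The application with bundle ID (null) is running setugid(), which is not allowed.",
    "Feb 25 06:41:23 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[489]): Exited with exit code: 1",
    "Feb 25 06:41:23 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds",
    'Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[490]): posix_spawn("/System/Library/Frameworks/ApplicationServices.framework/Frameworks/ATS.framework/Support/fontd", ...): No such file or directory',
    "Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd[490]): Exited with exit code: 1",
    "Feb 25 06:41:31 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.fontd): Throttling respawn: Will start in 10 seconds",
    "Feb 25 06:41:33 cpe-174-102-116-115 UserNotificationCenter[491]: The application with bundle ID (null) is running setugid(), which is not allowed.",
    "Feb 25 06:41:33 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter[491]): Exited with exit code: 1",
    "Feb 25 06:41:33 cpe-174-102-116-115 com.apple.launchd[1] (com.apple.UserNotificationCenter): Throttling respawn: Will start in 10 seconds",
]


@dataclass
class JobReport:
    respawns: int = 0   # "Throttling respawn" events launchd logged for the job
    exits: int = 0      # "Exited with exit code" events
    signatures: List[str] = field(default_factory=list)  # distinct failure signatures seen


def job_name(proc: str, label) -> str:
    """Map 'com.apple.fontd' (launchd label) and 'fontd' (the process itself) to one key."""
    return (label or proc).rsplit(".", 1)[-1]


def triage(lines) -> Dict[str, JobReport]:
    """Group launchd log lines by job and count the events that make up a crash loop."""
    reports: Dict[str, JobReport] = defaultdict(JobReport)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a line in this format; ignore it
        job = job_name(m["proc"], m["label"])
        msg = m["msg"]
        if "Throttling respawn" in msg:
            reports[job].respawns += 1
        elif msg.startswith("Exited with exit code"):
            reports[job].exits += 1
        else:
            for needle, sig in SIGNATURES.items():
                if needle in msg and sig not in reports[job].signatures:
                    reports[job].signatures.append(sig)
    return dict(reports)


def respawn_loop_jobs(lines, min_respawns: int = 2) -> List[str]:
    """Jobs launchd throttled at least `min_respawns` times, i.e. the ones stuck in a loop."""
    return sorted(job for job, r in triage(lines).items() if r.respawns >= min_respawns)


if __name__ == "__main__":
    for job, r in sorted(triage(SAMPLE_LOG).items()):
        print(f"{job}: {r.respawns} throttled respawns, {r.exits} exits, "
              f"signatures={r.signatures or ['none']}")
```

Running it on the sample reports `fontd` with the `missing-binary` signature and `UserNotificationCenter` with `setugid-refused`, each throttled twice in twelve seconds. A job that loops like this with an explanatory signature is a damaged or mis-permissioned system install, which is why the advice in this thread converges on a clean reinstall; a job looping with no signature would be the one worth reading more log for.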
Macnoob5

 
I have blocked the IP address, which is an Ohio IP address; my school is located in Ohio. It is denied any UDP connections to port 67 (bootps), though I'm worried it still has a connection through any of the thousands of ports.


/usr/libexec/configd

Deny UDP connections to port 67 (bootps) of 65.24.14.18 until configd quits

IP Address: 65.24.14.18

wants to connect to cncnoh-dhcp-03.ohiordc.rr.com on UDP port 67 (bootps).

Last edited by Macnoob5; 02-25-2010 at 09:15 AM.
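The Little Snitch alert above, and the connection history in the first post (two rr.com DNS names and two 10.24.17.x addresses), are the kind of records worth triaging before blocking anything: 10.0.0.0/8 is RFC 1918 private space, so those addresses sit on the local or ISP-internal network and are not reachable from the Internet, and `/usr/libexec/configd` talking to a host named `...-dhcp-03...` on UDP port 67 (bootps) is the system configuration daemon requesting or renewing a DHCP lease. The Python below is an added example, not from this thread or from Little Snitch: it parses the alert wording quoted above and classifies each observed connection by destination range, by port and protocol, and by whether the local process is the daemon expected to use that port. The table of expected daemons is this example's assumption (configd for DHCP, mDNSResponder for DNS, ntpd for NTP on OS X of that era), and the non-system process path in the usage is a made-up placeholder.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Wording of a Little Snitch connection alert as quoted in the post above, e.g.
#   "wants to connect to cncnoh-dhcp-03.ohiordc.rr.com on UDP port 67 (bootps)."
ALERT_RE = re.compile(
    r"wants to connect to (?P<host>\S+) on (?P<proto>TCP|UDP) port (?P<port>\d+)"
)

# Assumed table (this example's, not Little Snitch's or Apple's): ports that are
# plain network plumbing, with the OS X daemon expected to use each of them.
EXPECTED_PLUMBING = {
    (67, "UDP"): ("DHCP lease request/renewal", {"/usr/libexec/configd"}),
    (53, "UDP"): ("DNS lookup", {"/usr/sbin/mDNSResponder"}),
    (53, "TCP"): ("DNS lookup", {"/usr/sbin/mDNSResponder"}),
    (123, "UDP"): ("NTP time sync", {"/usr/sbin/ntpd"}),
}


@dataclass(frozen=True)
class Verdict:
    remote: str
    category: str  # private | plumbing | unexpected-process | unknown
    note: str


def classify(process: str, remote: str,
             proto: Optional[str] = None, port: Optional[int] = None) -> Verdict:
    """Triage one observed connection; `remote` may be an IP literal or a hostname."""
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        addr = None  # a hostname: address-range checks do not apply
    # RFC 1918, loopback and link-local destinations are not routable from the Internet.
    if addr is not None and (addr.is_private or addr.is_loopback or addr.is_link_local):
        return Verdict(remote, "private",
                       "local or ISP-internal address; not reachable from the Internet")
    if proto is not None and port is not None:
        purpose, daemons = EXPECTED_PLUMBING.get((port, proto.upper()), (None, set()))
        if purpose is not None:
            if process in daemons:
                return Verdict(remote, "plumbing",
                               f"{purpose} by the system daemon that normally does it")
            # Right port, wrong process: the binary, not the destination, is the question.
            return Verdict(remote, "unexpected-process",
                           f"{purpose} port used by {process}, which is not the usual daemon; "
                           "identify that binary before deciding")
    return Verdict(remote, "unknown",
                   "no local explanation; look up who owns the address and which process opened it")


def classify_alert(process: str, alert_text: str) -> Verdict:
    """Parse Little Snitch's alert sentence and classify the connection it describes."""
    m = ALERT_RE.search(alert_text)
    if m is None:
        raise ValueError("not a Little Snitch connection alert: %r" % alert_text)
    return classify(process, m["host"], m["proto"], int(m["port"]))


if __name__ == "__main__":
    # Records taken from this thread: the configd alert and the first post's history.
    print(classify_alert("/usr/libexec/configd",
          "wants to connect to cncnoh-dhcp-03.ohiordc.rr.com on UDP port 67 (bootps)."))
    for host in ("dns-cac-lb-02.rr.com", "dns-cac-lb-0a.rr.com", "10.24.17.107", "10.24.17.102"):
        print(classify("/usr/libexec/configd", host))
```

The first post's connection history gives hostnames and addresses without ports or processes, so the two `rr.com` names come back `unknown` until the port is known, while the two `10.24.17.x` entries are `private` on the address alone. The point of the `unexpected-process` branch is the check a defender actually wants: the DHCP port is not suspicious, but a non-system binary using it would be.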
McBie

 
In my view, this thread is not going anywhere ...

My suggestion is to back up your documents and other stuff you need, do a clean install, reload your documents and stuff .... that should do it.

Cheers ... McBie

harryb2448
Some folk should never be allowed near a computer. Pop in your OS X install DVD, erase the HDD, zeroing if it makes you happy, and do a clean install.
Macnoob5
I have now decided that since there was such a drastic decrease in my internet speed (48 kbs down from 700 kbs), my computer wasn't the only one being looked at. If there was a hacker in our network, he had to be looking at every computer. It's sad.
Eric559
Quote:
Originally Posted by harryb2448
Some folk should never be allowed near a computer. Pop in your OS X install DVD, erase the HDD, zeroing if it makes you happy, and do a clean install.
Wise words.

Macnoob5
I have tried to block ports that are associated with mdworker. Every time I tried using Little Snitch, a new port becomes assigned to mdworker. How can I prevent this?

Also, I have barely used Safari today. At one point, about a half hour ago, I was unable to move my windows. Usually I can scroll my pointer on the screen to the bottom left/right of my desktop to shuffle windows and to show the desktop. At one point while using Safari, I was unable to do both functions until I rebooted the computer.

I also am noticing popups from Safari that just do not seem to respond.

I also noticed something that may or may not be important in Network connections.

**notice the bypass proxy settings for these hosts and domains**

6string
Quote:
Originally Posted by McBie
In my view, this thread is not going anywhere ...

My suggestion is to back up your documents and other stuff you need, do a clean install, reload your documents and stuff .... that should do it.

Cheers ... McBie
Quote:
Originally Posted by harryb2448
Some folk should never be allowed near a computer. Pop in your OS X install DVD, erase the HDD, zeroing if it makes you happy, and do a clean install.
In case you missed it, I have posted these 2 responses for you to read!

Follow their advice, and then you are done, and you can stop freaking yourself out.
Macnoob5
Wow, I am such a noob. I just finally looked to see if my firewall was on. It has been turned off in System Preferences/Security/Firewall.

There was also no Master password set.

Also there were no security settings enabled except use secure virtual memory.
chas_m
Macnoob5:

1. There is no hacker. Nothing you reported is in any way out of the ordinary.

For example, "mdworker" is SPOTLIGHT. It's not stalking you, it's trying to index all those files you keep altering.

2. You don't need a software firewall. At all. You don't need "secure virtual memory" and you *absolutely* don't need Filevault.

3. With this level of paranoia, and assuming you're not on some kind of medication, I'm going to suggest you go back to Windows where at least this irrational fear is justified.

4. Finally, you've had a simple, thorough solution that will solve your imaginary "problems" posted to you at least three times. That you haven't done it says a lot about you, but nothing good.