DPChallenge: A Digital Photography Contest
DPChallenge Forums >> General Discussion >> Is my Mac infected?
06/22/2011 08:13:27 PM · #1
I've finally noticed in the log that something on my network was generating packets my Zyxel ZyWall is identifying as attacks. I've isolated this to my Mac.

I've moved things around and watched the IPs, which left me suspecting the Mac. I turned off the Mac for two days, the attacks stopped, as soon as I turned it back on, they resumed.

Any idea what this could be? Is my Mac pwned?

Examples:

No. Time Source IP Destination IP Note
1|06/22/2011 17:04:11 |192.168.0.37:56953 |204.245.162.35:80 |ATTACK
syn flood TCP

End of Alert

No. Time Source IP Destination IP Note
1|06/20/2011 18:06:17 |192.168.0.35:60939 |128.242.186.249:80 |ATTACK
syn flood TCP

End of Alert

Note that I moved/isolated the Mac to the IP above to isolate and verify it. Here is another attack from its prior IP:

No. Time Source IP Destination IP Note
1|06/18/2011 22:58:18 |192.168.0.37 |74.70.96.1 |ATTACK
ping of death. ICMP(type:8, code:0)

End of Alert

No. Time Source IP Destination IP Note
1|06/18/2011 22:58:18 |192.168.0.37 |74.70.96.1 |ATTACK
ping of death. ICMP(type:8, code:0)

End of Alert
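The OP's method is to watch which source address the ZyWALL alerts name while moving the suspect machine between addresses. The script below is an added example (not part of the thread, not Zyxel's own tooling) that does the same bookkeeping over a pasted alert log: it parses the entry lines in the format shown above, tallies alert kinds per source IP, and checks which of a suspect host's addresses appear. The sample text is the alert entries from the post; the regular expression is an assumption based on those lines only and may need adjusting for other ZyWALL log formats.

```python
"""Parse ZyWALL-style alert entries and tally them per source host (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: the alert entries as pasted in the post, in the same layout.
SAMPLE_ALERTS = """\
No. Time Source IP Destination IP Note
1|06/22/2011 17:04:11 |192.168.0.37:56953 |204.245.162.35:80 |ATTACK
syn flood TCP

End of Alert

No. Time Source IP Destination IP Note
1|06/20/2011 18:06:17 |192.168.0.35:60939 |128.242.186.249:80 |ATTACK
syn flood TCP

End of Alert

No. Time Source IP Destination IP Note
1|06/18/2011 22:58:18 |192.168.0.37 |74.70.96.1 |ATTACK
ping of death. ICMP(type:8, code:0)

End of Alert
"""


class Alert(NamedTuple):
    time: str
    src_ip: str
    src_port: Optional[int]   # None for ICMP entries, which carry no port
    dst_ip: str
    dst_port: Optional[int]
    detail: str               # the line after the entry, e.g. "syn flood TCP"
    family: str               # detail normalised to its first clause, lower-cased


# Assumed layout, taken from the pasted lines: "<n>|<date> <time> |<src>[:port] |<dst>[:port] |ATTACK"
ENTRY_RE = re.compile(
    r"^\d+\|(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|"
    r"(?P<src>[\d.]+(?::\d+)?) \|(?P<dst>[\d.]+(?::\d+)?) \|ATTACK\s*$"
)


def _split_endpoint(endpoint: str):
    ip, _, port = endpoint.partition(":")
    return ip, (int(port) if port else None)


def parse_alerts(text: str) -> List[Alert]:
    """Return one Alert per entry line; the attack description is the following line."""
    alerts = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        detail = lines[i + 1].strip() if i + 1 < len(lines) else ""
        family = detail.split(".")[0].strip().lower()
        src_ip, src_port = _split_endpoint(m.group("src"))
        dst_ip, dst_port = _split_endpoint(m.group("dst"))
        alerts.append(Alert(m.group("time"), src_ip, src_port, dst_ip, dst_port, detail, family))
    return alerts


def tally_by_source(alerts: List[Alert]) -> Dict[str, Counter]:
    """{source IP: Counter({alert family: count})}: the view that singles out one LAN host."""
    tally: Dict[str, Counter] = defaultdict(Counter)
    for a in alerts:
        tally[a.src_ip][a.family] += 1
    return dict(tally)


def sources_matching(alerts: List[Alert], suspect_ips: Set[str]) -> List[str]:
    """Which of the suspect host's addresses (it was moved between IPs) generated alerts."""
    return sorted({a.src_ip for a in alerts if a.src_ip in suspect_ips})


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for ip, kinds in tally_by_source(parsed).items():
        print(ip, dict(kinds))
    print("suspect addresses seen:", sources_matching(parsed, {"192.168.0.35", "192.168.0.37"}))
```

Both addresses the Mac used (192.168.0.37 before the move, 192.168.0.35 after) show up, and nothing else on the LAN does, which is the same conclusion the OP reached by hand. The tally also separates the two alert families, which matters because a SYN-flood verdict and a ping-of-death verdict come from different checks in the firewall.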

06/22/2011 08:18:44 PM · #2
I know nothing of Macs so hopefully someone answers your question. But I have to say "ping of death" sounds pretty ominous!
06/22/2011 08:22:03 PM · #3
I know nothing of what you posted, but I have a Mac and now I'm worried...

I'm w/ Kelli, "ping of death" can't be good!!!
06/22/2011 08:27:40 PM · #4
"ping of death?" I don't know what that means but I love that kind of talk.

Seriously, sorry about your situation. Are you running security software? I'm a Mac guy and don't believe the hype that Macs are immune. I run security software. Maybe installing that if you're not already running it might isolate the issue.
06/22/2011 08:36:49 PM · #5
I have run a few different Mac scanners...

I normally run ClamXav... never found anything
I ran the scanner from PC Tools (forget the name and it's in the other room -- it didn't find anything)
I am running Mac Scan right now, so far it's only found 1 tracking cookie. (and I ran their tool to find Mac Defender or whatever that's called, it didn't find anything either).

I saw some info on checking for cron processes, but I have to recover my sudo password first (I don't use the Mac anymore, and I don't recall what it's set to...if it is...and it seems to be, because it rejects all my pws I tried!)

Message edited by author 2011-06-22 20:38:22.
06/22/2011 08:41:19 PM · #6
If you don't use it anymore, take it the frack off your network and move on.

And maybe if it's worth it to you, consider re-imaging the machine, or getting one of the professional security suites. I had many bad experiences with Norton but they seem to have cleaned up their act and that's what I use now.
06/22/2011 08:41:56 PM · #7
I use Clean My Mac, but now wonder if there is something else I need??
I have Onyx, but don't really know how to use it!! :0

Message edited by author 2011-06-22 20:43:44.
06/22/2011 08:51:56 PM · #8
Hmmm, I thought Macs were invulnerable to this stuff :P

Reinstalling always worked for me when things got compromised. It may be faster and easier than finding a solution.
06/22/2011 09:58:49 PM · #9
My family uses the Mac now, so disconnect isn't an option.

But I have no problem with a reformat and reinstall if I have to...just prefer not to have to spend the time. The MacScan scan is still going.

I blocked all but ports 80 and 443 on the router it's on (it's on its own router, then that's plugged into my firewall which is what's connected to the internet), so it won't be attacking through my firewall again unless it does it on those ports this time.
06/22/2011 10:07:23 PM · #10
I forwarded your orig post to my nephew. His girlfriend is working at the local Apple store, and she should be able to find out something about it, and what to do to fix it.

Here is a link you may find useful. I have a .mac account, and this came from their on line support. I don't know if the link will work for you unless you have a .mac account, but it's worth a try.
mac support/ ping of death discussions


Message edited by author 2011-06-22 22:15:13.
06/22/2011 10:49:07 PM · #11
Try this.
06/22/2011 11:01:49 PM · #12
Not sure if it helps Neil, but thanks anyway...good for all of Mac peeps! :)
06/22/2011 11:42:15 PM · #13
Not necessarily infected, but someone is either scanning for random networks or looking for machines to compromise.

The SYN flood is similar to a DoS (Denial of Service) attack where the hacker sends more packets than the computer can interpret and handle. They could be scanning for open TCP ports etc. for unprotected servers etc.

The ping of death is another form of attack where fragmented packets... larger than what the computer would normally expect to see and process are bombarding the network in hopes of crashing the operating system or rebooting the computer. A way of putting the computer in a more vulnerable position. It sounds like your Zyxel firewall is catching the attacks and alerting you to their presence.

Dave
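Dave's post describes the two signatures the firewall is matching on. The code below is an added example, not from the thread and not Zyxel's detection logic, that implements toy versions of both checks over constructed packet records: a SYN-flood check that counts bare SYNs from one source to one destination inside a sliding window, and a ping-of-death check that flags an ICMP echo request (type 8, code 0) whose fragment offset plus payload would reassemble past the 65535-byte IP datagram limit. The packet records, the threshold of 15 SYNs per second, and the sample traffic are assumptions chosen to show one thing the thread keeps circling: a host that simply opens many connections to one web server in a burst can trip a threshold-based SYN-flood rule without any malware involved.

```python
"""Toy SYN-flood and ping-of-death heuristics over constructed packet records (added example)."""
from collections import defaultdict, deque
from typing import Dict, List

MAX_IP_DATAGRAM = 65535   # largest total length an IPv4 datagram can reassemble to


def tcp(ts: float, src: str, dst: str, flags: str) -> Dict:
    """Constructed TCP packet record; flags is a string such as "S" or "SA"."""
    return {"ts": ts, "proto": "tcp", "src": src, "dst": dst, "flags": set(flags)}


def icmp(ts: float, src: str, dst: str, typ: int, code: int,
         frag_offset: int, payload_len: int) -> Dict:
    """Constructed ICMP fragment record: frag_offset in 8-byte units, payload_len after the IP header."""
    return {"ts": ts, "proto": "icmp", "src": src, "dst": dst, "type": typ,
            "code": code, "frag_offset": frag_offset, "payload_len": payload_len}


def syn_flood_hits(packets: List[Dict], threshold: int = 15, window: float = 1.0) -> List[Dict]:
    """Flag (src, dst) pairs sending >= threshold bare SYNs (SYN set, ACK clear) within `window` s."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps of SYNs still inside the window
    flagged = set()
    hits = []
    for p in sorted(packets, key=lambda pkt: pkt["ts"]):
        if p["proto"] != "tcp" or "S" not in p["flags"] or "A" in p["flags"]:
            continue
        key = (p["src"], p["dst"])
        q = recent[key]
        q.append(p["ts"])
        while q and p["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            hits.append({"src": p["src"], "dst": p["dst"],
                         "syns_in_window": len(q), "ts": p["ts"]})
    return hits


def ping_of_death_hits(packets: List[Dict]) -> List[Dict]:
    """Flag echo-request fragments whose offset + payload exceed the maximum datagram size."""
    hits = []
    for p in packets:
        if p["proto"] != "icmp" or (p["type"], p["code"]) != (8, 0):
            continue
        reassembled_end = p["frag_offset"] * 8 + p["payload_len"]
        if reassembled_end > MAX_IP_DATAGRAM:
            hits.append({"src": p["src"], "dst": p["dst"],
                         "reassembled_len": reassembled_end, "ts": p["ts"]})
    return hits


# Constructed traffic (addresses reused from the posted alerts): a client opening 20 connections
# to one web server within 0.4 s, the server's SYN/ACK, one normal echo request, and one
# fragment that would push the echo request past 65535 bytes.
SAMPLE_PACKETS = (
    [tcp(100.0 + i * 0.02, "192.168.0.37", "204.245.162.35", "S") for i in range(20)]
    + [tcp(100.5, "204.245.162.35", "192.168.0.37", "SA")]
    + [icmp(200.0, "192.168.0.37", "74.70.96.1", 8, 0, 0, 1472),
       icmp(200.1, "192.168.0.37", "74.70.96.1", 8, 0, 8189, 40)]
)

if __name__ == "__main__":
    print("syn flood:", syn_flood_hits(SAMPLE_PACKETS))
    print("ping of death:", ping_of_death_hits(SAMPLE_PACKETS))
```

The SYN check fires on the burst of 20 connection attempts and stays quiet once the threshold is raised above the burst size, so a firewall's verdict here says as much about its threshold as about the host. The ping-of-death check is different in kind: the oversized fragment is malformed in itself (8189 × 8 + 40 = 65552 bytes), so that alert cannot be explained by a busy but well-behaved application.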
06/23/2011 12:24:13 AM · #14
Originally posted by DCNUTTER:

Not necessarily infected, but someone is either scanning for random networks or looking for machines to compromise.

The SYN flood is similar to a DoS (Denial of Service) attack where the hacker sends more packets than the computer can interpret and handle. They could be scanning for open TCP ports etc. for unprotected servers etc.

The ping of death is another form of attack where fragmented packets... larger than what the computer would normally expect to see and process are bombarding the network in hopes of crashing the operating system or rebooting the computer. A way of putting the computer in a more vulnerable position. It sounds like your Zyxel firewall is catching the attacks and alerting you to their presence.

Dave


Yes, that would be "expected" if they were coming from the Internet side of the Firewall...the problem is they are coming from my Mac!
06/23/2011 12:27:16 AM · #15
Mac Scan didn't find anything...nor did the other utilities.

I did a sudo crontab and there's no cron jobs at the root level.

So nothing points to an infection other than the fact that the computer is periodically attacking!

I did install the security update per Shannon's post. But it didn't indicate any infection. (I had read about that...but I'm surprised this was not automatically installed, I had checked for software updates and the only thing the Mac offered was an update to the air port software.)

On the bright side, so far the Zywall hasn't seen any more activity, so blocking most of the ports on the router connected to the Mac seems to have quieted it down for now. Unfortunately, that leaves the Mac limited to web browsing (iChat etc. would require that I open more ports). But my wife mainly uses the web for email and shopping anyway :)

Message edited by author 2011-06-23 00:29:32.
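The root crontab is only one of the places a macOS job can be scheduled from; launchd jobs in the LaunchDaemons and LaunchAgents folders run at boot or login, and per-user ones live under each home directory. The script below is an added example (not from the thread, not Apple tooling) that enumerates those folders under a given root, reads each .plist with the standard plistlib module, and lists the program each job runs. The helper `build_sample_tree` is an assumption: it writes two constructed plists into a temporary directory so the scan can run offline; pointing `scan_launchd` at "/" on a real Mac is the intended use. The `suspicious` filter is a simple triage heuristic, also assumed, not a malware verdict.

```python
"""Enumerate launchd jobs under a root directory and pick out ones worth a look (added example)."""
import os
import plistlib
import tempfile
from typing import Dict, List, Tuple

# launchd job folders, relative to the scanned root (system-wide first, then per-user).
LAUNCHD_DIRS = [
    "Library/LaunchDaemons",
    "Library/LaunchAgents",
    "System/Library/LaunchDaemons",
    "System/Library/LaunchAgents",
]


def user_launch_agent_dirs(root: str) -> List[str]:
    users = os.path.join(root, "Users")
    if not os.path.isdir(users):
        return []
    return [os.path.join("Users", u, "Library", "LaunchAgents") for u in sorted(os.listdir(users))]


def scan_launchd(root: str) -> List[Dict]:
    """One record per .plist: label, program line, RunAtLoad, StartInterval, path (or a parse error)."""
    found = []
    for rel in LAUNCHD_DIRS + user_launch_agent_dirs(root):
        d = os.path.join(root, rel)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:          # a plist launchd cannot parse is itself worth a look
                found.append({"path": path, "error": str(exc)})
                continue
            args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
            found.append({
                "path": path,
                "label": job.get("Label"),
                "program": " ".join(str(a) for a in args),
                "run_at_load": bool(job.get("RunAtLoad", False)),
                "interval": job.get("StartInterval"),
            })
    return found


def suspicious(records: List[Dict],
               trusted_prefixes: Tuple[str, ...] = ("/usr/sbin/", "/usr/libexec/", "/System/")) -> List[Dict]:
    """Jobs whose binary lives outside the usual system paths, re-run on a timer, or failed to parse."""
    out = []
    for r in records:
        if "error" in r:
            out.append(r)
            continue
        prog = r["program"].split(" ")[0] if r["program"] else ""
        if not prog.startswith(trusted_prefixes) or r["interval"]:
            out.append(r)
    return out


def build_sample_tree() -> str:
    """Constructed tree: one daemon in a system path and one per-user agent hidden in a dot-folder."""
    root = tempfile.mkdtemp(prefix="launchd_scan_")

    def write(rel: str, job: Dict) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump(job, fh)

    write("Library/LaunchDaemons/com.example.updater.plist", {
        "Label": "com.example.updater",
        "ProgramArguments": ["/usr/libexec/example-updater"],
        "RunAtLoad": True,
    })
    write("Users/alice/Library/LaunchAgents/com.fake.sync.plist", {
        "Label": "com.fake.sync",
        "ProgramArguments": ["/Users/alice/Library/.cache/sync", "--quiet"],
        "RunAtLoad": True,
        "StartInterval": 60,
    })
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rec in suspicious(scan_launchd(sample_root)):
        print(rec["label"], "->", rec["program"], "every", rec["interval"], "s")
```

A job that fires every minute from a hidden folder in a user's home is the shape a practitioner would chase first when a host keeps sending periodic traffic; a daemon in /usr/libexec with no timer is the shape that usually turns out to be the vendor's own. Either way the program path is what to inspect next, which a crontab check alone never shows.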
06/23/2011 01:07:18 AM · #16
Originally posted by Neil:

Originally posted by DCNUTTER:

Not necessarily infected, but someone is either scanning for random networks or looking for machines to compromise.

The SYN flood is similar to a DoS (Denial of Service) attack where the hacker sends more packets than the computer can interpret and handle. They could be scanning for open TCP ports etc. for unprotected servers etc.

The ping of death is another form of attack where fragmented packets... larger than what the computer would normally expect to see and process are bombarding the network in hopes of crashing the operating system or rebooting the computer. A way of putting the computer in a more vulnerable position. It sounds like your Zyxel firewall is catching the attacks and alerting you to their presence.

Dave


Yes, that would be "expected" if they were coming from the Internet side of the Firewall...the problem is they are coming from my Mac!


Oh, read your OP again...I see what you were saying. Then I would suspect that your Mac somehow got infected. Do you have kids that use the computer and install games etc. on it? My niece and nephew were always infecting their computers when they were younger by installing games off the internet and Napster files back in the day. I can't tell you how many times I had to either clean their computers or do a fresh install. At least you've narrowed it down and closed off the ports until you can figure out what file(s) etc. might be causing the problem.

Keep us informed on what you discover.
06/23/2011 07:11:19 PM · #17
Reply to your OP from my nephew's Mac geek friend:

"See if he has back to my mac turned on in mobile me prefs.
It pings the servers pretty constantly to let the service know that the computer is there. "

Hope it's the problem.
08/22/2011 09:54:22 AM · #18
Macs cannot be infected, therefore your Mac is not infected. If your Mac is infected, Macs cannot be infected, therefore your infected computer is no longer a Mac.

My wife is all over the internet on ours, constantly. Opens any file she sees. Guess I better check it out....
08/22/2011 10:17:49 AM · #19
Maybe one of your kids is a hacker. ;)
08/22/2011 11:55:46 AM · #20
This thread was reawakened by a spammer. (post hidden now).

I never did solve the problem, but I learned to "stop worrying and love the bomb".

Current Server Time: 08/18/2025 04:25:43 PM EDT.

DPChallenge, and website content and design, Copyright © 2001-2025 Challenging Technologies, LLC.
All digital photo copyrights belong to the photographers and may not be used without permission.