
Finder and other apps try to connect to a strange ip address via smb.

353 Views, 10 Replies. Latest reply: Apr 27, 2013 5:14 AM by raoul_iii

raoul_iii
Apr 21, 2013 6:12 AM

Hi,

I noticed a strange behavior of my OS X 10.6 installation. Little Snitch reports that the Finder and other apps like TextEdit try to connect via smbclient to the IP 93.186.127.175. It says the reverse DNS name is "static.vitalhosting.com.tr". This means that this is a host in Turkey.

Does anyone have an idea what this is? Is there malware on my Mac?

Best regards,

Raoul

Mac OS X (10.6)
  • CMCSK Level 6 (10,200 points)

    raoul_iii wrote:

        Hi,

        Is there malware on my Mac?

        Best regards,

        Raoul

    Download ClamXav to check.

  • MadMacs0 Level 4 (3,315 points)

    raoul_iii wrote:

        Hi,

        I noticed a strange behavior of my OS X 10.6 installation. Little Snitch reports that the Finder and other apps like TextEdit try to connect via smbclient to the IP 93.186.127.175.

    What port?

    smbclient is an ftp-like client for accessing SMB/CIFS resources on servers. It is part of Samba, a Windows-compatible file server for Unix.

    CMCSK is recommending ClamXav from either the App Store or here.

  • MadMacs0 Level 4 (3,315 points)

    raoul_iii wrote:

        Thanks for your reply. I have ClamXav already installed. But it did not find anything unusual, which does not mean that there is no malware.

    Yes, there is no known malware that utilizes Samba and impacts OS X, but I'm sure there are a few Trojans and hacktools that ClamAV detects, seemingly of the Windows variety.

        Right now I cannot recall which port it was. I'll post it here as soon as I have checked that.

    If you "denied" it permanently or until restart, then your Little Snitch Rules should still tell you.

        But the problem here is not so much that it is smb but more that the IP is strange.

    So what type of Windows activity do you use smb for?

    You might get lucky and be able to get some information from:

        person:         Vital Hosting
        abuse-mailbox:  abuse@vit.com.tr
        address:        Niltim. 633.Sk. No13/3 Nilufer BURSA TURKIYE
        phone:          +902244436060

    but I suspect you will need a lot more information.

    It doesn't accept pings and a port scan has not revealed any open ports yet. Probably off-line for some reason.

    Message was edited by: MadMacs0. Google Safe Browsing has found problems in the past: http://www.google.com/safebrowsing/diagnostic?site=93.186.127.175

  • MadMacs0 Level 4 (3,315 points)

    raoul_iii wrote:

        I usually do not use smb.

    So you aren't using Windows on your Mac and have no Windows machines or NAS drives on your local network?

        I am going to install Wireshark, allow the connection and check what is happening. I'll tell you the result...

    That was going to be my next suggestion, although understanding Wireshark captures is usually a PITA.

  • Alberto Ravasio Level 4 (3,160 points)

    If you have access to your router's configuration, you can block outbound traffic towards IP 93.186.127.175.

  • MadMacs0 Level 4 (3,315 points)

    raoul_iii wrote:

        I switched off all other devices in the local network. Only the router was on. Could it be that there is something wrong with the router?

    Wouldn't be the first time a router was hacked to redirect DNS, but I don't really see how that could cause your issue.

        The Wireshark captures showed that my computer sends some netbios-ssn packets to the IP 93.186.127.175. But no response is coming back. This coincides with your evaluation that the server is down.

    The only port I could verify being open was 21, the ftp port. I tried to establish an ftp connection, but it timed out. This would be consistent with a hosted server having been wiped and awaiting the next users. My suspicion would be that once the site was identified to the Turkish ISP, they took it off-line and wiped it clean.

    But that still doesn't tell us why your computer is trying to open a connection to it. There almost has to be something there telling it to open an smb connection to that IP.

    Perhaps you could use something like EasyFind to search your entire hard drive for file contents for that IP address. Include Package Contents as well as Invisible Files & Folders. Even that won't be able to search files you don't have read access to, but it's unlikely to be any of those. Click on the "Settings" gear icon and make sure the Scan all files box is checked. It will take a while, so you might want to leave it running overnight.
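The full-disk search for the IP address that MadMacs0 suggests can also be done from Terminal. The script below is an added example for this thread, not code posted by any participant or shipped with EasyFind or Little Snitch. It greps a directory tree in binary-safe mode so that binary plists, alias files and hidden files are searched too, escapes the dots in the address so "93.186.127.175" is not confused with "93x186x127x175", and anchors on non-digit boundaries so "193.186.127.175" is not reported. The function names (ip_to_regex, find_ip_refs, mac_candidate_dirs, demo), the list of candidate directories and the sample files are my assumptions, and the sample files are constructed for the demo, not taken from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread): find files whose contents mention a
# given IPv4 address, e.g. a stale smb:// URL in a plist or an alias.
# Assumption: the address is stored as a literal dotted-quad string.

# Turn a dotted quad into an ERE with the dots escaped, so that "." matches
# only a literal dot and not any character.
ip_to_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# find_ip_refs ROOT IP : print the paths of all files under ROOT that contain
# IP as a whole address (a digit before or after it disqualifies the match).
#   -r recurse into ROOT (hidden entries included)
#   -l print file names only
#   -a treat binary files as text, so binary plists and aliases are searched
#   -E extended regex for the alternation and boundary classes
find_ip_refs() {
    root=$1
    ip=$2
    re=$(ip_to_regex "$ip")
    grep -rlaE "(^|[^0-9])${re}([^0-9]|$)" "$root" 2>/dev/null
}

# Places on a Mac where a remembered server or a persistence entry usually
# lives. This list is an assumption of the example, not something the thread
# established; a whole-disk run is "find_ip_refs / 93.186.127.175" as root.
mac_candidate_dirs() {
    printf '%s\n' \
        "$HOME/Library/Preferences" \
        "$HOME/Library/LaunchAgents" \
        "/Library/LaunchAgents" \
        "/Library/LaunchDaemons" \
        "/Library/Preferences" \
        "/etc/hosts" \
        "/etc/fstab" \
        "/etc/auto_master"
}

# Stand-alone demo on constructed sample data: one plist with the address in
# an smb:// URL (should be reported), one with a look-alike address (should
# not), and one hidden binary-ish file (should be reported).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Library/Preferences"
    printf '<plist><string>smb://93.186.127.175/share</string></plist>' \
        > "$tmp/Library/Preferences/com.example.recent.plist"
    printf 'smb://193.186.127.175/share' \
        > "$tmp/Library/Preferences/other.plist"
    printf '\000\001smb://93.186.127.175\000' > "$tmp/.hidden.bin"
    find_ip_refs "$tmp" 93.186.127.175
    rm -rf "$tmp"
}

demo
```

On a real machine, run it against the directories from mac_candidate_dirs first (a few seconds) and only then against "/" overnight; files you cannot read are silently skipped because of the 2>/dev/null, so run it with sudo if the candidate directories turn up nothing. Any hit in a LaunchAgents or LaunchDaemons plist deserves a close look, since that is where something "telling it to open an smb connection" on every login would sit.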
