drummonds

Q: Security: Has my iMac been compromised?

Hi everyone, I'm recently returning to my studies as a novice web developer. Today I looked at my Apache logs for the first time in well over a year, and there are some suspicious accesses to pages I should not be hosting. Unfortunately some of them originate from 127.0.0.1, so I'm wondering if there is malware running on my system.

 

There are also what appear to be failed attempts to access PHP setup scripts. I'm alarmed that these requests originate from external IP addresses. My iMac is running behind a router that should not be forwarding HTTP requests to internal computers. So I don't even know how these requests could have been made from the named IP addresses.

 

Can anyone with some security sense help me understand where to start?

 

Here are the suspicious entries in /var/log/apache2/access.log:

 

150.70.97.118 - - [14/Oct/2015:09:24:16 +0800] "GET / HTTP/1.1" 200 45

183.60.48.25 - - [14/Oct/2015:09:30:20 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 45

67.23.72.105 - - [14/Dec/2015:12:46:11 +0800] "GET / HTTP/1.0" 200 45

127.0.0.1 - - [09/Jan/2016:14:00:39 +0800] "GET /announce?info_hash=%a8%c5%8a%2f%a1%ad%fc%d2%98%c4%14%f1%97%90%eb%20ZR%92i&peer_id=-UM1870-%7b%a1%c0%c3%5c%a9%bc%b8pbS5&port=62348&uploaded=0&downloaded=0&left=16384&corrupt=0&key=56FCE29F&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=fe80%3a%3ac62c%3a3ff%3afe1c%3a9cb5 HTTP/1.1" 404 206

127.0.0.1 - - [09/Jan/2016:14:30:44 +0800] "GET /announce?info_hash=%a8%c5%8a%2f%a1%ad%fc%d2%98%c4%14%f1%97%90%eb%20ZR%92i&peer_id=-UM1870-%7b%a1%c0%c3%5c%a9%bc%b8pbS5&port=62348&uploaded=378322944&downloaded=1577058304&left=2265792512&corrupt=0&key=1A63E46F&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=fe80%3a%3ac62c%3a3ff%3afe1c%3a9cb5 HTTP/1.1" 404 206

127.0.0.1 - - [09/Jan/2016:15:00:50 +0800] "GET /announce?info_hash=%a8%c5%8a%2f%a1%ad%fc%d2%98%c4%14%f1%97%90%eb%20ZR%92i&peer_id=-UM1870-%7b%a1%c0%c3%5c%a9%bc%b8pbS5&port=62348&uploaded=1191395328&downloaded=3565158400&left=269926400&corrupt=0&key=1D3BDF6F&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=fe80%3a%3ac62c%3a3ff%3afe1c%3a9cb5 HTTP/1.1" 404 206

127.0.0.1 - - [09/Jan/2016:15:30:54 +0800] "GET /announce?info_hash=%a8%c5%8a%2f%a1%ad%fc%d2%98%c4%14%f1%97%90%eb%20ZR%92i&peer_id=-UM1870-%7b%a1%c0%c3%5c%a9%bc%b8pbS5&port=62348&uploaded=1642004480&downloaded=3842285168&left=0&corrupt=0&key=1C21EB07&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=fe80%3a%3ac62c%3a3ff%3afe1c%3a9cb5 HTTP/1.1" 404 206

127.0.0.1 - - [09/Jan/2016:16:00:59 +0800] "GET /announce?info_hash=%a8%c5%8a%2f%a1%ad%fc%d2%98%c4%14%f1%97%90%eb%20ZR%92i&peer_id=-UM1870-%7b%a1%c0%c3%5c%a9%bc%b8pbS5&port=62348&uploaded=2636832768&downloaded=3842285168&left=0&corrupt=0&key=C27B5299&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=fe80%3a%3ac62c%3a3ff%3afe1c%3a9cb5 HTTP/1.1" 404 206

127.0.0.1 - - [09/Jan/2016:16:31:03 +0800] "GET /announce?info_hash=%a8%c5%8a%2f%a1%ad%fc%d2%98%c4%14%f1%97%90%eb%20ZR%92i&peer_id=-UM1870-%7b%a1%c0%c3%5c%a9%bc%b8pbS5&port=62348&uploaded=2667307008&downloaded=3842285168&left=0&corrupt=0&key=3C87C3AF&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=fe80%3a%3ac62c%3a3ff%3afe1c%3a9cb5 HTTP/1.1" 404 206

::1 - - [01/Feb/2016:10:45:49 +0800] "GET /images/static/icon_alert.gif HTTP/1.1" 404 226

150.70.173.48 - - [14/Feb/2016:13:44:18 +0800] "GET / HTTP/1.1" 200 45

150.70.188.171 - - [14/Feb/2016:14:00:25 +0800] "GET / HTTP/1.1" 200 45

123.151.42.61 - - [14/Feb/2016:15:27:58 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 45

66.249.66.149 - - [14/Feb/2016:16:07:49 +0800] "GET /robots.txt HTTP/1.1" 404 208

66.249.66.149 - - [14/Feb/2016:16:07:49 +0800] "GET /t%C3%BCrk%C3%A7e-sohbet-ruleti.html HTTP/1.1" 404 225

66.249.74.11 - - [17/Feb/2016:10:45:25 +0800] "GET /robots.txt HTTP/1.1" 404 208

66.249.74.8 - - [17/Feb/2016:10:45:25 +0800] "GET /adana-bayan-arkada%C5%9F-telefon-numaralar%C4%B1.html HTTP/1.1" 404 243

150.70.173.41 - - [17/Feb/2016:10:53:32 +0800] "GET / HTTP/1.1" 200 45

123.151.42.61 - - [25/Feb/2016:13:01:48 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 45

213.254.129.187 - - [25/Feb/2016:13:11:54 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226

213.254.129.187 - - [25/Feb/2016:13:12:04 +0800] "GET /pma/scripts/setup.php HTTP/1.1" 404 219

213.254.129.187 - - [25/Feb/2016:13:12:15 +0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 223

iMac, Mac OS X (10.7.1)

Posted on Mar 10, 2016 2:45 AM


  • rccharles, Level 6 (8,486 points), Classic Mac OS, Mar 10, 2016 4:05 PM in response to drummonds

    127.0.0.1 is an alternate address for this computer.  It says to route the request to an app on this computer.

     

     

    I'd look at your router.  Somehow internet requests are flowing through your router. DMZ on?

     

     

    I recommend that you get Little Snitch. Little Snitch will track your Web traffic and tell you which applications are sending data from your computer. Be sure to run it awhile because it will trigger a number of alerts. In trial mode, it will run for three hours per boot for about a month.

     

    http://www.obdev.at/products/littlesnitch/index.html

    Run:

  • drummonds, Level 1 (0 points), Mar 10, 2016 5:19 PM in response to drummonds

    So you agree that my router must be passing HTTP requests through to my iMac, right? That's surprising. I'll spend some time on it.

     

    The HTTP requests coming from the loopback address are concerning for another reason. That tells me there is (or was) malware running on my iMac already. How else could HTTP requests come from 127.0.0.1?

  • Sidney San Martín, Level 4 (1,413 points), Mar 12, 2016 6:06 AM in response to drummonds

    The requests from 127.0.0.1 look like queries to a torrent tracker. I decoded the info_hash parameter to a8c58a2fa1adfcd298c414f19790eb205a529269, which you can Google. If you ever torrented this file, it's possible that the torrent accidentally included 127.0.0.1 (or a domain that someone pointed at 127.0.0.1) as a tracker address and your client made those requests.

     

    In that case, they'd be harmless!

  • MrHoffman, Level 6 (15,627 points), Mac OS X, Mar 12, 2016 12:24 PM in response to drummonds

    127.0.0.1 is the server you're looking at.  The server itself.   You won't acquire that traffic through any competent router as, well, 127.0.0.1 on the router would be the router itself.  On any host on the 'net, 127.0.0.1 is that host.   In this case, they're 404 links, as well.   Pages that do not exist.  This might mean there was or is Torrent software on the box, as has been mentioned.

     

    Your iMac is (or was) accessible to the 'net, which usually means either port-forwarding has been enabled on the gateway-firewall box by you, or that your iMac was connected to a different network that was open during these times.   Or this iMac and the local network have been compromised, and somebody has opened up remote access.   That's a fairly long window of time shown, too — which could mean this access may have happened somewhere else, if this iMac system has been moved around among locations.  Key now is whether similar traffic exists and is happening now.

     

    The GET for robots.txt is utterly normal fodder on the 'net.   123.151.42.61 and 183.60.48.25 tried to connect through your server to another host, which apparently worked.   If that GET actually passed through your server to the target host over at Baidu, your web server is very likely misconfigured.   If that generated a server-local error page or such (and got the 200 that way) and didn't pass through to Baidu, what's shown here could be entirely normal for a failed attempt to proxy through your host.   Given the transfer size matches a couple of other GET requests, the request probably got something local and got handed a 200 that way.

     

    The 'net is going to look at or try to look at absolutely everything normal, suspicious, weird, bizarre, known broken, or just wrong — this as soon as there's an accessible path to a web server on TCP port 80 or TCP port 443.   Or any other open port.

     

    In general, you'll want to learn more about IP networks and routing, about network and server security, and about backups and related topics.   And watch your current logs — as you're doing here — so that you can learn what's probably "normal" and what's not.   More than a few PHP applications are unfortunately vulnerable to security attacks — learn what you can about securing your PHP code, SQL injection, XSS and related topics.  There are many resources and books available on these topics, though you might start at OWASP.
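The two analyses above (Sidney's percent-decoding of `info_hash` into a 20-byte hash, and MrHoffman's point that the `GET http://www.baidu.com/` requests returned the same 45 bytes as a plain `GET /` and so were most likely answered locally rather than proxied) can be turned into a small triage script over the posted log. This is an added example, not code from any participant in the thread: it parses Apache's common log format, labels the request patterns the replies discuss, decodes `info_hash` to hex, and uses the size of the server's own successful `GET /` responses as the baseline for the proxy-probe check. The category names and the sample log (a subset of the lines quoted in the question, with the wrapped parameter names rejoined) are this example's own.

```python
"""Triage Apache access.log lines for the patterns discussed in this thread.

Added example, not code from the original post.  Category names are this
script's own; the sample log is constructed from lines quoted in the question.
"""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import unquote_to_bytes, urlsplit

# Apache "common" LogFormat: %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: a subset of the log lines quoted in the question.
SAMPLE_LOG = """\
150.70.97.118 - - [14/Oct/2015:09:24:16 +0800] "GET / HTTP/1.1" 200 45
183.60.48.25 - - [14/Oct/2015:09:30:20 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 45
127.0.0.1 - - [09/Jan/2016:14:00:39 +0800] "GET /announce?info_hash=%a8%c5%8a%2f%a1%ad%fc%d2%98%c4%14%f1%97%90%eb%20ZR%92i&peer_id=-UM1870-%7b%a1%c0%c3%5c%a9%bc%b8pbS5&port=62348&uploaded=0&downloaded=0&left=16384&corrupt=0&key=56FCE29F&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=fe80%3a%3ac62c%3a3ff%3afe1c%3a9cb5 HTTP/1.1" 404 206
66.249.66.149 - - [14/Feb/2016:16:07:49 +0800] "GET /robots.txt HTTP/1.1" 404 208
213.254.129.187 - - [25/Feb/2016:13:11:54 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226
"""


def parse_line(line: str) -> Optional[Dict]:
    """Split one common-log-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec


def info_hash_hex(query: str) -> Optional[str]:
    """Return the tracker info_hash as 40 hex characters.

    Percent-decode to *bytes*, not to str: the BitTorrent tracker protocol
    sends the raw 20-byte SHA-1, which is not valid UTF-8.
    """
    for param in query.split("&"):
        name, _, value = param.partition("=")
        if name == "info_hash":
            return unquote_to_bytes(value).hex()
    return None


def classify(rec: Dict, local_root_sizes: Set[int]) -> Dict:
    """Attach a category plus the loopback / info_hash / proxy-result flags."""
    parts = urlsplit(rec["target"])
    out = dict(rec, loopback=rec["host"] in LOOPBACK,
               info_hash=None, served_locally=None)
    if parts.scheme in ("http", "https") and parts.netloc:
        # Absolute-URI request line: a probe for an open forward proxy.  If the
        # 200 response is the same size as our own "GET /", Apache answered
        # with a local page rather than fetching the remote site.
        out["category"] = "proxy-probe"
        out["served_locally"] = (rec["status"] == 200
                                 and rec["size"] in local_root_sizes)
    elif parts.path == "/announce" and "info_hash=" in parts.query:
        out["category"] = "tracker-announce"
        out["info_hash"] = info_hash_hex(parts.query)
    elif parts.path.endswith("/scripts/setup.php"):
        out["category"] = "admin-panel-scan"
    elif parts.path == "/robots.txt":
        out["category"] = "crawler"
    else:
        out["category"] = "other"
    return out


def triage(log_text: str) -> List[Dict]:
    """Parse and classify every well-formed line of the log text."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    # Baseline: response sizes Apache returns for a successful "GET /" of this site.
    local_root_sizes = {r["size"] for r in recs
                        if r["method"] == "GET" and r["target"] == "/"
                        and r["status"] == 200}
    return [classify(r, local_root_sizes) for r in recs]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        flags = []
        if r["loopback"]:
            flags.append("from loopback")
        if r["served_locally"]:
            flags.append("proxy not open (local page served)")
        if r["info_hash"]:
            flags.append("info_hash=" + r["info_hash"])
        print(f'{r["host"]:16} {r["status"]} {r["category"]:17} {" ".join(flags)}')
```

Run against the full access.log, the `tracker-announce` rows give the hash to look up and confirm it comes only from loopback, the `proxy-probe` rows show whether any response size differs from the local baseline (which would be the sign the proxy attempt actually fetched something remote), and any row from a non-loopback address is direct evidence that the router was, at that moment, passing port 80 through to the iMac.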