
Am I being hacked?? HAVE I been hacked?

Here are some excerpts from my firewall log over the past few days:

Apr 8 17:58:06 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.1.105:52751 from 38.100.165.23:80
Apr 8 17:58:07 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.1.105:52752 from 38.100.165.23:80
Apr 9 12:12:53 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.0.100:50333 from 204.2.228.90:80
Apr 9 12:12:53 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.0.100:50334 from 204.2.228.90:80
Apr 9 12:12:53 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.0.100:50335 from 204.2.228.90:80
Apr 9 12:12:53 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.0.100:50336 from 204.2.228.90:80
Apr 10 10:32:17 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49181 from 192.168.0.1:1900
Apr 10 10:32:17 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49182 from 192.168.0.1:1900
Apr 10 10:32:18 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49183 from 192.168.0.1:1900
Apr 10 10:32:20 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49184 from 192.168.0.1:1900
Apr 10 10:32:24 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49185 from 192.168.0.1:1900
Apr 10 10:32:32 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49186 from 192.168.0.1:1900
Apr 10 10:32:48 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49187 from 192.168.0.1:1900
Apr 11 06:48:01 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.1.105:50886 from 72.232.153.253:80
Apr 11 06:48:01 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.1.105:50885 from 66.102.1.164:80
Apr 11 06:48:01 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.1.105:50887 from 66.102.1.164:80
Apr 11 06:48:04 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.1.105:50885 from 66.102.1.164:80
Apr 11 06:48:04 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.1.105:50887 from 66.102.1.164:80
...and while at work today...
Apr 11 17:03:39 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.0.100:49770 from 216.73.86.52:80
Apr 11 17:03:42 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.0.100:49770 from 216.73.86.52:80
Apr 11 17:25:54 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49538 from 10.200.23.1:53
Apr 11 17:26:07 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49539 from 10.200.23.1:53

---is somebody getting access to my computer?

Ken (preparing to wear tinfoil over his skull) Franklin

MacBook Pro 2.0GHz dual, Mac OS X (10.5.2)

Posted on Apr 11, 2008 3:53 PM


Apr 12, 2008 3:34 AM in response to Ken Franklin

{quote}It looks like someone is trying to get into your Mac and the firewall is stopping them. How are you connected to the Internet? Is it a DSL or cable modem plugged directly into the Ethernet port?{quote}

At work and at home, I am connecting through a wireless router (using my Airport card). Both routers use WPA2 security.

{quote}were both hack attempts from work?{quote}

No, some were at home and some were at work. My home router uses a Sprint broadband card, and my work router is connected through a server to a T1 line.

-Ken (how are so many IP addresses seeing me?) Franklin

Apr 12, 2008 5:14 AM in response to Ken Franklin

These messages are perfectly normal, and are not at all indicative of a hack attempt.

What usually generates these is the action of navigating away from a site while that site is attempting to communicate with your browser. This can be anything from clicking on a link before the page is finished loading to navigating away while a banner ad or other animation is running.

If you do a reverse DNS lookup on some of your addresses you'll come up with sites like Google and doubleclick.net.

You also have a few having to do with DNS, probably for a similar reason (a DNS response coming in after you've already received a reply from an alternate server.)

In short, don't be concerned about them.
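The triage described in the reply above, as an added example that is not part of the original thread: a packet whose source port is a well-known service port and whose destination is a client-side ephemeral port is return traffic, not an inbound probe. The port table, the ephemeral range (49152-65535, the Mac OS X default, assumed here), the SSDP entry for UDP 1900 (which the thread does not discuss) and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: four lines copied from the log in the question, plus one
# made-up line (203.0.113.7 is a documentation address) showing an inbound probe.
SAMPLE = """\
Apr 8 17:58:06 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.1.105:52751 from 38.100.165.23:80
Apr 10 10:32:17 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49181 from 192.168.0.1:1900
Apr 11 17:25:54 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:49538 from 10.200.23.1:53
Apr 11 06:48:01 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to TCP 192.168.1.105:50885 from 66.102.1.164:80
Apr 12 09:00:00 Macintosh-2 Firewall[39]: Stealth Mode connection attempt to UDP 192.168.0.100:1026 from 203.0.113.7:40000
"""

LINE = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# Source ports that mark a packet as a reply from a service the Mac contacted.
REPLY_PORTS = {
    ("TCP", 80): "late HTTP reply",
    ("TCP", 443): "late HTTPS reply",
    ("UDP", 53): "late DNS reply",
    ("UDP", 1900): "SSDP/UPnP from local device",
}
EPHEMERAL = range(49152, 65536)  # assumed default client port range


def classify(line):
    """Return a label for one firewall log line, or None if it does not parse."""
    m = LINE.search(line)
    if not m:
        return None
    proto, sport, dport = m["proto"], int(m["sport"]), int(m["dport"])
    label = REPLY_PORTS.get((proto, sport))
    # Reply traffic lands on an ephemeral port the client opened itself.
    if label and dport in EPHEMERAL:
        return label
    return "unsolicited inbound"


def summarize(text):
    """Count labels over a multi-line log excerpt, skipping unparsed lines."""
    return Counter(c for c in map(classify, text.splitlines()) if c)


if __name__ == "__main__":
    for label, count in summarize(SAMPLE).most_common():
        print(f"{count:3d}  {label}")
```

Only lines labelled "unsolicited inbound" deserve a closer look; the rest are stragglers from connections the machine itself started.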

Apr 12, 2008 5:22 AM in response to Ken Franklin

Try https://www.grc.com/
This is Shields UP! - Internet Vulnerability.url

This site has facilities to check all your ports to see if any are open to attack. The only firewall I have is that provided by the Huawei E220 USB Modem that I use to connect to the internet.
Shields UP! reports my PC is in stealth mode and, to all intents and purposes, is invisible on the internet.

It would be interesting to see if it will check out your Mac internet footprint?

Message was edited by: BearsPaw

Apr 14, 2008 7:40 PM in response to Ken Franklin

I did some tracking back of IP addresses and got China, Canada, Australia etc. I contacted Shaw Internet of Canada and reported just one IP address to see what would come of it. Here is their reply---


Hello,

Thank you for your report of abuse but in this case there are some details you should be aware of.

The “attacks” you are seeing on your system are not attacks per se. Although we cannot say definitively without seeing the logs of your firewall, we have seen dozens of similar reports over the past few months with exactly the same symptoms.

The IP address you have reported to us, 24.64.XX.XX, is not currently in use nor has it even been assigned to any device in the past 90+ days. You are likely also seeing probes from many other random IPs within the 24.64.X.X range. All of these probes will be UDP. All of the probes will be directed at ports 1026, 1027 & 1028 on your computer. All of them are spoofing their origin.

This traffic is NOT originating from Shaw's network.

What is actually happening is that there is an unscrupulous advertiser which is spoofing Shaw IP addresses in the 24.64.0.0/16 range and is trying to send messenger pop-ups to computers in order to dupe people into buying a product. It has been quite a thorn in our side because it is falsely indicating Shaw customers are at fault for the traffic.

Your security software is smart enough to deflect these probes but not smart enough to know what is really going on. Each probe it sees is interpreted as an attack on your system and you are notified accordingly. Understandably, this can be quite alarming but, in this case, is actually nothing to be concerned with. In the future, any UDP probes you see from 24.64.X.X IPs on ports 1026, 1027 & 1028 can be ignored. Please do keep us apprised of ANY other attacks you may see from Shaw IP addresses.

If you have any further questions or comments please do not hesitate to contact us.

Regards,

Acceptable Use Policy Management Team
Shaw High-Speed Internet Service
Shaw Cablesystems G.P.
2400 - 32nd Avenue N.E.
Calgary, Alberta, T2E 9A7
Telephone: (403)750-7420
Facsimile: (403)539-6831
