Little Snitch catches backup.backupdb trying to contact external IP

My MacBook backs up to a Time Machine volume on a server on the same LAN. This has been working fine. Today, when I woke the MacBook, Little Snitch caught backup.backupdb (which is Time Machine I believe) attempting to connect to 65.200.200.47, which whois says belongs to Almar Networks.

Of course, I denied both attempts. A subsequent request for Time Machine to back up again was fine.

There is no web server at that IP address and a Google search is not too enlightening.

Any insight?

Power Mac G5 dual 2.3 GHz, Mac OS X (10.5.6), 4 GB RAM

Posted on Jun 13, 2009 6:40 AM


Jun 13, 2009 8:59 AM in response to Tom Sheppard

I don't know how "LittleSnitch" reports things, but note that the "TimeMachine" backend is 'backupd', and when backing up to a local disk, usually backs up to "Backups.backupdb" which is the name of a folder, not an executable or a process (also note the presence of a letter "s" and the upper-case "B").

So the name "backup.backupdb", while appearing (coincidentally or otherwise) similar to components of "TimeMachine" such as 'backupd' or "Backups.backupdb", may be something else entirely.

Edit. I don't back up over a network so don't know what additional processes may be involved in that mode, but there is no "backup.backupdb" executable on my 10.5.7 system.

Jun 13, 2009 12:24 PM in response to biovizier

The process certainly is backupd, which is why this is so strange that Little Snitch is calling out backup.backupdb. And worrisome. If it happens again, I'll grab a screenshot of the dialog.

I've noticed other new stuff too, like netauthagent requesting my password to connect to server volumes. Mail asking to use the keychain when it hasn't been changed.

I think I will turn on the firewall until this settles down.

Jun 20, 2009 6:25 AM in response to Tom Sheppard

It happened again this morning. This time I got a screen capture, and it wasn’t backup.backupdb that was the culprit, it was automountd trying to connect to backup.backupdb. Sorry for the confusion.

It's interesting to note that it has been exactly one week since the last attempt to contact this external host even though the MacBook has done numerous Time Machine backups and sleep/wake cycles in the meantime. This is very suspicious.

I've posted the screen capture of the dialog here: http://AppleNag.com/2009/06/20/is-my-os-x-infected/

Here's the whois report:

whois 65.200.200.47
MCI Communications Services, Inc. d/b/a Verizon Business UUNET65 (NET-65-192-0-0-1)
65.192.0.0 - 65.223.255.255
Almar Networks, LLC UU-65-200-200-32-D3 (NET-65-200-200-32-1)
65.200.200.32 - 65.200.200.63

Jun 20, 2009 7:17 AM in response to Tom Sheppard

Hint, don't include an IP address when Googling for this problem as the IP address will likely be different for each person. After widening my search, there are several articles out there that say that automountd is behaving normally. What seems to be messing up is OS X not being able to see the server's Time Machine volume that's always mounted. That's a different problem.

Jun 20, 2009 7:29 AM in response to wdkuchler

I respectfully disagree with you. Since Little Snitch is not the problem in this case, it simply is reporting a "risk", then it shouldn't take the blame. I should have done a less specific Google search and would have found the articles covering this "problem".

At least with Little Snitch, I can decide to permanently block that outgoing connection to an unknown IP. That gives me more confidence that my backup data is not going to be sent outside my LAN to someone who might decide to spoof the Time Machine volume (if that's possible).

Jun 20, 2009 3:38 PM in response to wdkuchler

wdkuchler wrote:
Do not use Little Snitch, this software creates a false sense of protection and causes problems in the functioning of the operating system. Here after the installation of this program had several problems. I had to do a total reinstall of Leopard.


I disagree with you completely. Do not tell people not to use software because you don't understand it or it gave you some problem which was most likely unrelated to LittleSnitch but to some other problem you have in your system. You are projecting your problems onto others.

Let people use what they wish to use. The poster asked a question and you are telling him to pretend it does not exist. That is not good.

I use LittleSnitch regularly and have zero problems with it. It does report strange things that without LittleSnitch would go unnoticed. They are all worthy of investigation.

Ignoring a potential problem is a good thing. You would have us sweep it under the rug or bury our heads in the sand.

Why don't you explain the original poster's problem to the rest of us? We are waiting for your answer to his question.

Message was edited by: nerowolfe

Jun 20, 2009 3:42 PM in response to Tom Sheppard

whois 65.200.200.47
MCI Communications Services, Inc. d/b/a Verizon Business UUNET65 (NET-65-192-0-0-1)
65.192.0.0 - 65.223.255.255
Almar Networks, LLC UU-65-200-200-32-D3 (NET-65-200-200-32-1)
65.200.200.32 - 65.200.200.63

If they are your ISP, this might be normal. If not, it is something to be aware of.
LittleSnitch is very good at noticing details that would normally pass us by. Some are important, some innocuous, but in all cases, more knowledge is always preferred to less knowledge or ignorance.

I would check your DNS to be sure that they are the correct ones for the ISP you are using.

Message was edited by: nerowolfe
