9 Replies Latest reply: Mar 30, 2014 1:11 PM by WZZZ
jamevelyn Level 1 Level 1 (0 points)
Noob here; just downloaded Little Snitch on my MBP and am getting familiar with background processes and shell scripts. Let x = variables.

LS is showing my mDNSResponder sending out a 225.etc request after I turn Airport off. No other machines on the network are running.

When I DLed Little Snitch and began running it, neither configd nor SystemUIServer were on the LS register. After restart, both showed up and have been sitting contentedly.

When Airport is on, Finder via nmblookup is sending a request to [x].255 about every minute that I have Safari open. When I turn Airport off, then back on, and I'm running LS, a Safari-to-Verisign connection shows up and a configd connection shows up at ff[x:xx].

My concerns: Former employer is after my intellectual property. I had the MBP connected on a daily basis to WiFi with certain sharing elements on and the firewall off (stupid, I know, but I didn't know and hadn't thought about it, and the company in question was pretty technologically dinosauric). I connected to the same network by Ethernet occasionally, and installed from disk a Windows partition and OpenOffice, from disks given to me by the employer's IT staff.

What's the possibility that a keystroke logger was put on my machine by an admin of a network I connected to, and is there any way to detect and disable said keylogger? Also, is there any way, outside of reverse-lookup and spam-blacklisting sites, to check the destinations of remote connections my computer might be making to an external server?

Macbook Pro Late 2008, Macbook Air 11", Mac OS X (10.6.5)
  • northey Level 2 Level 2 (175 points)
    Doesn't Little Snitch come up with a window asking if you want to allow this outgoing request? If you check in Little Snitch's rules you can allow or prevent this from happening.

    In fact, open up the window and have a read of what's been outgoing. Little Snitch should tell you what is safe to prevent from going out and what you should allow. This is how mine's been set up and it seems to be working fine.

    Hope this helps.
  • ajduguid Level 3 Level 3 (650 points)
    If you're genuinely worried they've done something then why not just back up your user files and wipe the machine? It's a guaranteed way to erase any fears.
  • R C-R Level 6 Level 6 (14,930 points)
    FWIW, mDNSResponder is the process responsible for [Bonjour|http://developer.apple.com/networking/bonjour/faq.html], Apple's name for its implementation of the popular zero-configuration networking technology. (That's what allows your Mac to discover & use network printers, local servers, etc.) And as mentioned [here|http://support.apple.com/kb/HT3789], it is also used in Snow Leopard for unicast DNS resolution; without it, that OS cannot resolve hostnames like www.apple.com.

    Likewise, [nmblookup|http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/nmblookup.1.html] is the process that supports the OS X implementation of [Samba|http://en.wikipedia.org/wiki/Samba_(software)], which allows file & printer sharing between Windows & UNIX-type OSes.

    [configd|http://developer.apple.com/library/mac/#DOCUMENTATION/Darwin/Reference/ManPages/man8/configd.8.html] is an essential process that, among many other things, supplies the dynamic network port configurations that support the above & many other network processes.

    So it is perfectly normal for these processes to periodically generate outbound network activity & by itself that does not mean a key logger is installed in your system.
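The original poster asked for a way to check where outgoing connections are going, and the reply above explains why mDNSResponder, nmblookup and configd talk to the local network on their own. The following POSIX shell script is an added example (not part of this thread, not Little Snitch output, and not Apple's code) that triages `sudo lsof -i -n -P` output on a Mac so that local chatter (mDNS multicast, NetBIOS broadcast, LAN peers) is separated from connections that actually leave for the Internet. It assumes lsof's nine-column layout with `-n -P` (numeric hosts and ports), treats a `.255` last octet as a directed broadcast (a heuristic), and the sample lsof lines inside it are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): triage `sudo lsof -i -n -P` output so
# LAN-only traffic stands out from connections that leave the machine.
# Assumption: lsof prints COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME,
# and with -n -P the NAME column is "local:port->remote:port" for connected
# sockets. The ".255 = broadcast" rule below is a heuristic.

# classify_dest ADDR
# prints loopback|multicast|broadcast|link-local|private|public|ipv6-other|unknown
classify_dest() {
    ip=$1
    case $ip in
        ::1)   echo loopback;   return 0 ;;
        ff*)   echo multicast;  return 0 ;;   # IPv6 multicast, e.g. ff02::fb is mDNS
        fe80*) echo link-local; return 0 ;;
        *:*)   echo ipv6-other; return 0 ;;
    esac
    oldIFS=$IFS; IFS=.
    set -- $ip                                # split dotted quad into $1..$4
    IFS=$oldIFS
    [ $# -eq 4 ] || { echo unknown; return 0; }
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) echo unknown; return 0 ;; esac
        [ "$o" -le 255 ] || { echo unknown; return 0; }
    done
    a=$1; b=$2; d=$4
    if   [ "$a" -eq 127 ]; then echo loopback
    elif [ "$a" -ge 224 ] && [ "$a" -le 239 ]; then echo multicast   # 224.0.0.251 is mDNS
    elif [ "$d" -eq 255 ]; then echo broadcast                       # NetBIOS name queries go to x.x.x.255
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo link-local
    elif [ "$a" -eq 10 ] || { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } \
         || { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then echo private   # RFC 1918
    else echo public
    fi
}

# summarize_connections: read lsof -i -n -P lines on stdin and print
# "COMMAND PID REMOTE_HOST CLASS" for every socket that has a remote peer.
summarize_connections() {
    while read -r cmd pid user fd type dev size node name rest; do
        case $name in *'->'*) ;; *) continue ;; esac   # header, listeners, unconnected UDP
        dest=${name#*'->'}
        case $dest in
            '['*) host=${dest#'['}; host=${host%%']'*} ;;   # [ipv6]:port
            *)    host=${dest%:*} ;;                          # ipv4:port
        esac
        printf '%s %s %s %s\n' "$cmd" "$pid" "$host" "$(classify_dest "$host")"
    done
}

# Constructed sample in lsof -n -P format (illustration only; 203.0.113.10 is a
# documentation address standing in for a real public host).
sample_lsof() {
    cat <<'EOF'
COMMAND     PID           USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
mDNSRespo   123 _mdnsresponder   8u  IPv4 0x1a2b3c4d5e6f7a8b      0t0  UDP *:5353
mDNSRespo   123 _mdnsresponder   9u  IPv4 0x1a2b3c4d5e6f7a8c      0t0  UDP 192.168.1.20:5353->224.0.0.251:5353
mDNSRespo   123 _mdnsresponder  10u  IPv6 0x1a2b3c4d5e6f7a8d      0t0  UDP [fe80::1]:5353->[ff02::fb]:5353
nmblookup  4567             me   3u  IPv4 0x1a2b3c4d5e6f7a8e      0t0  UDP 192.168.1.20:137->192.168.1.255:137
Safari      890             me  30u  IPv4 0x1a2b3c4d5e6f7a8f      0t0  TCP 192.168.1.20:49152->203.0.113.10:443 (ESTABLISHED)
configd      61           root   7u  IPv4 0x1a2b3c4d5e6f7a90      0t0  UDP 192.168.1.20:68->192.168.1.1:67
EOF
}

sample_summary() { sample_lsof | summarize_connections; }

# external_count: number of sockets in the sample whose peer is a public address
external_count() { sample_summary | grep -c ' public$'; }

# Run the constructed sample with: sh triage.sh demo
# On a real Mac, source the file and run: sudo lsof -i -n -P | summarize_connections
case ${1:-} in demo) sample_summary ;; esac
```

On the constructed sample only the Safari socket is classed `public`; the mDNSResponder, nmblookup and configd (DHCP to the router) entries all resolve to multicast, broadcast or private LAN addresses, which is the normal background activity the reply above describes. On a real machine, `public` rows are the ones worth looking up, and the PID column ties each one back to a process you can inspect with `ps -p PID -o command`.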
  • WZZZ Level 6 Level 6 (12,640 points)
    This is all I'm seeing from LS. SystemUIServer is allowed to connect for iStat Menus. I am using wireless. nmblookup is allowed by default, but I'm not seeing anything from it, nor from configd. The mDNSResponder stuff is completely kosher. I'm using Firefox, not Safari, which might explain the nmblookup difference. Don't know if or what in Safari would be calling for that.


    You can run the demo of MacScan to scan for known keyloggers.

    http://macscan.securemac.com/

    Here are my rules. All the protected (padlocked) MobileMe related stuff is denied. (Actually, correction: I keep denying that stuff and it seems to always get reset, maybe on restarting.)

  • WZZZ Level 6 Level 6 (12,640 points)
    EDIT: wasn't looking carefully, the padlocked stuff I disabled wasn't reset after all. All you can do for these is remove the check; can't be changed to place the half-red circle. I realize I have nmblookup disabled. I don't see anything for configd.
  • Alan 648 Level 1 Level 1 (0 points)

    I'm using a third-party AV that has a firewall. The program works in a way very similar to Little Snitch (which I may add as one of my protective layers), although I don't want overkill on this stuff. Anyhow, I haven't seen this request before, but the AV/firewall is asking me if I want to allow SystemUIServer an outgoing connection to a remote computer 192.168.xx.xx with the remote port identified as UDP 192 (osu-nms).

    Should I allow this connection, or do you believe it's "questionable"?

    Thank you all for any and all help. These boards have been very helpful.

    Alan

  • WZZZ Level 6 Level 6 (12,640 points)
  • Alan 648 Level 1 Level 1 (0 points)

    Partially. Doesn't explain (to me) why an outgoing connection is needed.

    Thanks for the quick response.

    Alan

  • WZZZ Level 6 Level 6 (12,640 points)

    Not sure, but maybe LS considers the 192.x.x address at the AirPort base station outgoing. Is that within your LAN?