AmplifiedLife
I'm trying to ascertain if I am at risk...

About 1 week ago I connected to the University of Minnesota's "guest" wifi network.  I was asked to provide an email address and that's all.  I was online.

But I use Little Snitch, so I granted access to a flurry of temporary connections when they popped up, as I was in a rush to connect.  Possibly a bad move, but I was guided through this process by a U of MN tech guy so I felt ok about it.  It worked for the weekend and that was that.  I didn't use my email or log in to any websites, I just pulled up a YouTube video for a group's presentation.

All seemed well...  But, when I got home, I received 2 Little Snitch notifications: NetAuthAgent and nmbd.  I don't know if any of this is normal but NetAuthAgent showed up as ~myusername but nmbd showed up as root.


Also, my hard drive space went down to zero on a random occasion when Safari froze up, but I don't have a screen grab of that.

Also, in my Finder, there was a "PC Server" device listed under Shared.  This was new.  This freaked me out.

Not only have I been unable to stop NetAuthAgent and nmbd from prompting me for access every single time I start my computer, but the times I have experimented/troubleshot the issue and given them permission, I get the PC Server listed under Shared.


I've run MacScan and I can block it out by denying it access via Little Snitch, but I wanted to ask the digital Jedi out there if this was normal, because when I try to click "Connect To", it gives me the following error...


I've seen NetAuthAgent & nmbd before, but not like this.


In summary, these instances started happening constantly after I used the University's network and have not gone away.

P.S. I'm running the latest software on a MBP, 17" (Mid '09)

MacBook Pro, Mac OS X (10.6.7), 17-INCH, MID 2009
  twtwtw

    What did the university tech guy have you do, precisely?  My first guess here would be that you've somehow (intentionally or unintentionally) set up a proxy to the university's guest access, so that you're somehow still connecting to it (that could explain the weird activity and the unknown shared device).  Have you tried going through Little Snitch's preferences and removing the permissions you granted it?  Or maybe just deleting it and reinstalling its default preferences?

  AmplifiedLife

    Hello.  Thanks for writing.  Actually, he didn't do much.  What I meant by that is when I went looking for a wifi network, he confirmed that of the many available, "U of M Guest" was correct:

    1. "U of M Student (password required)"
    2. "U of M Guest (no password required, only email)"
    3. "John's Dorm Room"
    4. "U of M Guest" (*Fake, possibly set up for guests to login, that installs malware or something)

    When I opened Safari after joining the Guest net, it took me to the U of M's page (umn.edu or something), where I was asked to submit my email address.  Then a pop up window opened with a timer on it and started counting down.


    At the end of the 3 hour window, I'd be asked to repeat that process and "log" back in with my email.  (screen grab is from my Safari History).


    Regarding your comments, the proxy thing sounds very plausible.  But the permissions I gave it were only temporary, so they expired after I quit Safari and/or restarted my Mac.


    My concern is that it just keeps trying to connect.  And I'm afraid of 2 things: 1) I've been infected or hacked, etc.; 2) I'm going to block a normal function of Mac OS while trying to stop this and break something I need later.

    Thank you.

  twtwtw

    Well, I wouldn't get paranoid at this moment.  The Shared just refers to a remote computer that you have access to - it doesn't necessarily imply that access works both ways.  First thing I would do would be to open System Preferences and look at the Sharing pane to see if there's anything untoward going on there, and then I'd look at the Network pane, click the Advanced tab, and see what's listed under Proxies.  I don't know why you were at U of M, but there are a couple of things listed there with the ECIS acronym (European Conference on Information Systems, and College in the Schools Entry Project). It's possible you have established a connection with a server related to one of those.

  AmplifiedLife

    Ok, thanks again.  I did get a little paranoid.  Mostly because I am always careful and observant with my Little Snitch settings and other stuff in general.  But the moment I got online, I hit "accept until quit" a bunch of times because I was scrambling to play a video for some high school kids giving a video presentation.  BTW, I was at the U for PeaceJam 2011 (w/ Nobel Peace Laureate President Oscar Arias of Costa Rica) to stage manage for a non-profit org I consult for.


    I checked the Sharing pane.  I recognize all the settings as things I've set up or tinkered with.  Nothing new relative to the U of M sessions.  But here are the details of the active settings.

    • Screen - active, for my iOS devices via VNC and iTeleport
    • Printer - 3 printers are active and under users it says "Everyone" (this stands out a little?)
    • Bluetooth - active, requires pairing


    Check this out: I clicked on that PC Server a few times in quick succession (the equivalent of banging the side of a TV to improve the picture, I know), but I managed to get this prompt:


    It's a little different than the one above?


    Ok, as for Network...


    Under Network pane:

    • Preferred Networks - I went & erased "U of M Guest"


    Under Advanced > Proxies > Bypass proxy settings for these Hosts & Domains

    • It listed this:  *.local, 169.254/16


    I'm going to restart & try again now with that preferred network deleted.


    Do my settings look proper to you?


    Thank you so much,

  AmplifiedLife

    Also, this is checked:  Use Passive FTP Mode (PASV)

  twtwtw

    Your proxy settings are exactly like mine, so they seem alright, and probably didn't need to be deleted.  I can't find the 'use passive FTP mode' setting, but that shouldn't by itself make a difference - all that might do is allow you to log into a server anonymously, or (if you have your machine set up as a server) allow others to log onto your box anonymously. You might try the obvious - command-drag the odd server off of your sidebar and see if the problem goes away.


    From my experience, universities (because they deal with large numbers of clueless incoming teens) usually have draconian safeguards against viruses, hacking, trojans, and other general computer ills, so I would not worry about having gotten mucked while connected there.  Anything's possible, but it's much more likely that something innocuous got set that just needs to be unset.

  AmplifiedLife

    twtwtw, dude, you're good...  THANK YOU... I think we got it.


    Actually, I didn't have to delete any proxy settings; I left those alone and deleted the wifi network I used at the university:

    • Sys Prefs > Network > Advanced > Airport > Preferred Networks


    Once I located the name of the potentially problematic wifi network (U of M Guest) that you said I might be connecting to under Preferred Networks, I clicked the " - " (minus symbol) to remove it.  After that I clicked "OK" and it went back to Network (sys pref) where I clicked "Apply".


    Finally, I quit everything and restarted my Mac.  When it came back on, the requests for nmbd were gone and nothing I do can recreate the NetAuthAgent alert.


    I'm also not seeing anything under Shared that shouldn't be there!
    I'm going to sleep on it and give it 48 hours...  I'm sure it'll be fine, but when I verify it's gone, I'll come back and hit you with some Correct Answer points.  I wouldn't have thought to delete the preferred networks without you guiding me to the Sharing AND Network pref panes.
    PS: here is a screen grab of the PASV thing (and the proxy settings I mentioned above) for your reference
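A command-line version of the checks this thread walked through (preferred networks, proxy bypass list, and whether the nmbd/NetAuthAgent processes are the stock system binaries), as an added example that is not part of the original thread. It assumes the Wi-Fi device is en1 and the service is named "AirPort" (typical for a 2009 MBP on 10.6) and that the stock binaries live at /usr/sbin/nmbd and inside /System/Library/CoreServices/NetAuthAgent.app; adjust those if your machine differs.

```shell
#!/bin/sh
# Post-untrusted-network audit for macOS (added example, not from the thread).
# Assumptions: Wi-Fi device en1, network service "AirPort", stock binary paths
# below. The parsing helpers read from stdin so they can be exercised on
# constructed input; the live audit only runs where networksetup exists.
WIFI_DEV="${WIFI_DEV:-en1}"
WIFI_SERVICE="${WIFI_SERVICE:-AirPort}"
STOCK_NMBD="/usr/sbin/nmbd"
STOCK_NETAUTH="/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent"

# Print preferred networks whose names look like guest/captive-portal SSIDs.
# Input: output of `networksetup -listpreferredwirelessnetworks`, i.e. a
# header line followed by one tab-indented SSID per line.
stale_guest_networks() {
    sed '1d; s/^[[:space:]]*//' | grep -i -E 'guest|visitor|public|free' || true
}

# Print nmbd / NetAuthAgent processes whose executable is not the stock one.
# Input: lines from `ps -axo user,pid,comm` (user, pid, full command path).
# nmbd running as root is expected; a copy running from elsewhere is not.
unexpected_agents() {
    awk -v nmbd="$STOCK_NMBD" -v netauth="$STOCK_NETAUTH" '
        $3 ~ /nmbd$/ && $3 != nmbd { print "unexpected nmbd: " $0 }
        $3 ~ /NetAuthAgent$/ && $3 != netauth { print "unexpected NetAuthAgent: " $0 }
    '
}

# CLI equivalent of the "-" button under Network > Advanced > AirPort >
# Preferred Networks.
forget_network() {
    networksetup -removepreferredwirelessnetwork "$WIFI_DEV" "$1"
}

audit() {
    echo "== Preferred networks on $WIFI_DEV that look like guest portals =="
    networksetup -listpreferredwirelessnetworks "$WIFI_DEV" | stale_guest_networks
    echo "== Proxy bypass domains (thread's expected value: *.local, 169.254/16) =="
    networksetup -getproxybypassdomains "$WIFI_SERVICE"
    echo "== nmbd / NetAuthAgent processes that are not the stock binaries =="
    ps -axo user,pid,comm | unexpected_agents
}

# Run the live audit only on a Mac; the helpers above work anywhere.
if command -v networksetup >/dev/null 2>&1; then
    audit
fi
```

Run `forget_network "U of M Guest"` after reviewing the audit output if the stale SSID is still listed.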


  twtwtw

    Well, that's truly weird.  I can't imagine why deleting a preferred network would have any effect like this (preferred wireless networks that aren't available ought to be ignored).  But if it works, it works; just don't give me more credit than I deserve.

  AmplifiedLife

    Seems to be holding up.

    Thanks again.