What did the university tech guy have you do, precisely? My first guess here would be that you've somehow (intentionally or unintentionally) set up a proxy to the university's guest access, so that you're somehow still connecting to it (that could explain the weird activity and the unknown shared device). Have you tried going through Little Snitch's preferences and removing the permissions you granted it? Or maybe just deleting it and reinstalling its default preferences?
Hello. Thanks for writing. Actually he didn't do much. What I meant by that is when I went looking for a wifi network, he confirmed that of the many available, "U of M Guest" was correct:
- "U of M Student (password required)"
- "U of M Guest (no password required, only email)"
- "John's Dorm Room"
- "U of M Guest" (*Fake, possibly set up for guests to login, that installs malware or something)
When I opened Safari after joining the Guest net, it took me to the U of M's page (umn.edu or something), where I was asked to submit my email address. Then a pop up window opened with a timer on it and started counting down.
At the end of the 3 hour window, I'd be asked to repeat that process and "log" back in with my email. (screen grab is from my Safari History).
Regarding your comments, the proxy thing sounds very plausible. But the permissions I gave it were only temporary, so they expired after I quit Safari and/or restarted my Mac.
My concern is that it just keeps trying to connect. And I'm afraid of 2 things, 1: I've been infected or hacked etc. 2: I'm going to block a normal function of Mac OS while trying to stop this and break something I need later.
Any more thoughts?
Well, I wouldn't get paranoid at this moment. The Shared just refers to a remote computer that you have access to - it doesn't necessarily imply that access works both ways. First thing I would do would be to open System Preferences and look at the Sharing pane to see if there's anything untoward going on there, and then I'd look at the Network pane, click the advanced tab, and see what's listed under proxies. I don't know why you were at U of M, but there are a couple of things listed there with the ECIS acronym (European Conference on Information Systems, and College in the Schools Entry Project). It's possible you have established a connection with a server related to one of those.
Ok thanks again. I did get a little paranoid. Mostly because I am always careful and observant with my Little Snitch settings and other stuff in general. But the moment I got online, I hit "accept until quit" a bunch of times because I was scrambling to play a video for some high school kids giving a video presentation. BTW, I was at the U for PeaceJam 2011 (w Nobel Peace Laureate President Oscar Arias of Costa Rica) to stage manage for a non-profit org I consult for.
I checked Sharing pane. I recognize all the settings as things I've set up or tinkered with. Nothing new relative to the U of M sessions. But here are the details of the active settings.
- Screen - active, for my iOS devices via VNC and iTeleport
- Printer - 3 printers are active and under users it says "Everyone" (this stands out a little?)
- Bluetooth - active, requires pairing
Check this out, I clicked on that PC Server a few times in quick succession, the equivalent of banging the side of a TV to improve the picture I know, but I managed to get this prompt:
It's a little different than the one above?
Ok, as for Network...
Under Network pane:
- Preferred Networks - I went & erased "U of M Guest"
Under Advanced > Proxies > Bypass proxy setting for these Hosts & Domains
- It listed this: *.local, 169.254/16
I'm going to restart & try again now with that preferred network deleted.
Do my settings look proper to you?
Thank you so much,
Your proxy settings are exactly like mine, so they seem alright, and probably didn't need to be deleted. I can't find the 'use passive ftp mode' setting, but that shouldn't by itself make a difference - all that might do is allow you to log into a server anonymously, or (if you have your machine set up as a server) allow others to log onto your box anonymously. You might try the obvious - command-drag the odd server off of your sidebar and see if the problem goes away.
From my experience, universities (because they deal with large numbers of clueless incoming teens) usually have draconian safeguards against viruses, hacking, trojans, and other general computer ills, so I would not worry about having gotten mucked while connected there. Anything's possible, but it's much more likely that something innocuous got set that just needs to be unset.
twtwtw, dude, you're good... THANK YOU... i think we got it.
actually i didn't have to delete any proxy settings, i left those alone and deleted the wifi network i used at the university:
- Sys Prefs > Network > Advanced > Airport > Preferred Networks
once i located the name of the potentially problematic wifi network (U of M Guest) that you said i might be connecting to under preferred networks, i clicked the " - " (minus symbol) to remove it. after that I clicked "OK" and it went back to Network (sys pref) where i clicked "Apply".
finally, I quit everything and restarted my mac. when it came back on, the requests for nmbd were gone and nothing i do can recreate the NetAuthAgent alert.
i'm also not seeing anything under shared that shouldn't be there!
i'm going to sleep on it and give it 48 hours... i'm sure it'll be fine, but when i verify it's gone, i'll come back and hit you with some Correct Answer points. i wouldn't have thought to delete the preferred networks without you guiding me to the Sharing AND Network pref panes.
PS: here is screen grab of the PASV thing (and the proxy settings i mentioned above) for your reference
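The fix described in this thread (removing "U of M Guest" from Preferred Networks so the Mac stops rejoining it) can also be done from Terminal. The script below is an added example, not part of the original posts; it assumes a current macOS where `networksetup` is available, the Wi-Fi device name is passed by the user, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: check whether a Wi-Fi network is remembered and forget it.
# Usage on a Mac (device name is an assumption, find yours with
# `networksetup -listallhardwareports`):  sh forget_wifi.sh en1 "U of M Guest"

# Read `networksetup -listpreferredwirelessnetworks` output on stdin
# (one header line, then indented SSIDs) and print one SSID per line.
preferred_ssids() {
    sed -e '1d' -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Exit 0 if SSID $1 is in the listing on stdin. The match is exact and
# whole-line, so "U of M" does not match "U of M Guest".
is_remembered() {
    preferred_ssids | grep -Fxq -- "$1"
}

# Constructed sample of the listing format, for reading along off a Mac.
sample_listing() {
    printf 'Preferred networks on en1:\n\tHome Network\n\tU of M Guest\n\tCoffee Shop\n'
}

# Forget SSID $2 on Wi-Fi device $1 if it is currently remembered.
forget_network() {
    dev=$1
    ssid=$2
    if networksetup -listpreferredwirelessnetworks "$dev" | is_remembered "$ssid"; then
        # Removing a preferred network normally needs admin rights.
        sudo networksetup -removepreferredwirelessnetwork "$dev" "$ssid"
    else
        echo "\"$ssid\" is not in the preferred list for $dev"
    fi
}

# Only act when run on a Mac with both arguments supplied.
if command -v networksetup >/dev/null 2>&1 && [ $# -eq 2 ]; then
    forget_network "$1" "$2"
fi
```

An open network is matched by name only, so a remembered open SSID will be rejoined wherever any access point advertises that name; forgetting it after use avoids that.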