13 Replies Latest reply: Jul 11, 2011 8:43 AM by Linc Davis
chrisfromnorth cairns Level 1 (0 points)

hi guys, i'm new to this forum and to macs but i'm learning...

i have found a reference to iesnare on my mac and i have done some research which indicates it's a tracker program for people who visit gambling sites and/or who might use stolen credit cards or identities on such sites... i do neither of these and have no idea how this program came to be on my mac...

i would like to know if anyone out there knows how to identify where it is on the mac and how to delete it properly...

my mac has had a number of problems which i might research with you soon, but it appears that i have a hacker who no matter how i 'protect' my stuff is able to access passwords etc thru ssh files and push files... i have not given anyone access to the mac or my passwords... an example is that on my history today i was apparently online here at 6.30am... my head was still very much planted on my pillow at that time...

any comments apart from what i've seen in many communities that this is not happening and/or it was done by mistake etc would be appreciated ...

i would like to stop these things from happening but don't know how...

if all that's too hard (and i know for me it does become so at times) i'll just come online and post incidents as they occur....

so first up hi to all you guys out there, pleasure to meet you and can you please help with the iesnare problem i have ...

thanks chris


MacBook Pro, Mac OS X (10.6.8)
  • thomas_r. Level 7 (29,635 points)

    This is the first I've ever heard of iesnare, but it sounds like it's a cookie used for tracking you across multiple cooperating web sites.  It's not doing you any actual harm, especially if you're not visiting those sites, but to remove them from Safari, go to Safari -> Preferences, click Security, then Show Cookies.  Type "snare" (without the quotes) in the search field and remove anything related to iesnare.

    I'm curious why you believe someone is hacking you via ssh.  The only evidence you mention is something from your "history" (what history?).  What makes you so specific that you are targeting ssh?

    Note that it is extremely unlikely that anyone is hacking your machine unless you have someone local who has had access to your machine and set up a back door for some reason.  Go to System Preferences -> Sharing and make sure everything is turned off.  Install Little Snitch and make sure that nothing that you don't approve is making connections.  (You'll need to learn what connections are appropriate - your Mac will make a lot of connections normally, via cryptically-named processes.)  You could also do a scan with ClamXav if you are afraid you may have had malware installed.

  • Linc Davis Level 10 (147,605 points)

    What does /var/log/secure.log show from the time when you think there was an unauthorized login?

  • chrisfromnorth cairns Level 1 (0 points)

    it tells me that permission is denied

  • Linc Davis Level 10 (147,605 points)

    In the Finder, select Go > Go to Folder from the menu bar. Enter "/var/log" (without the quotes) in the text box. Select secure.log in the Finder window that opens. Open the Info dialog. In the Sharing & Permissions section, click the lock icon and authenticate. Make the permissions the following:

    system    Read & Write
    admin     Read only
    everyone  No access

    Here "admin" means the admin group. Close the Info window and try again to read the log.
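
Added example, not part of any poster's reply: once secure.log is readable, the entries around the suspected time (06:30 in the original post) can be pulled out and the sshd login results separated from the rest. The log lines below are constructed samples in BSD syslog layout; the function names, host name, addresses and the default year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in BSD syslog layout (not taken from the thread).
SAMPLE_LOG = """\
Jul 11 06:12:40 macbook loginwindow[45]: constructed unrelated entry
Jul 11 06:28:03 macbook sshd[412]: Failed password for chris from 203.0.113.7 port 50211 ssh2
Jul 11 06:29:51 macbook sshd[415]: Accepted password for chris from 203.0.113.7 port 50214 ssh2
Jul 11 06:31:10 macbook sudo[430]:    chris : TTY=ttys000 ; PWD=/Users/chris ; USER=root ; COMMAND=/bin/ls
Jul 11 08:02:17 macbook sshd[502]: Accepted publickey for chris from 192.0.2.10 port 49800 ssh2
"""

# timestamp, host, process, optional [pid], message
LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
# OpenSSH authentication results
SSHD = re.compile(r"^(Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+")

def events_near(log_text, when, minutes=15, year=2011):
    """Entries within +/- `minutes` of `when` ('Mon DD HH:MM'); syslog omits the year, so it is supplied."""
    center = datetime.strptime(f"{year} {when}", "%Y %b %d %H:%M")
    window = timedelta(minutes=minutes)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # continuation or malformed line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if abs(ts - center) > window:
            continue
        entry = {"time": ts, "process": m.group(3), "message": m.group(4).strip()}
        auth = SSHD.match(entry["message"]) if entry["process"] == "sshd" else None
        if auth:
            entry.update(result=auth.group(1), method=auth.group(2),
                         user=auth.group(3), source=auth.group(4))
        hits.append(entry)
    return hits

def remote_logins(entries):
    """Successful sshd logins as (time, user, source address, auth method)."""
    return [(e["time"].strftime("%H:%M:%S"), e["user"], e["source"], e["method"])
            for e in entries if e.get("result") == "Accepted"]

if __name__ == "__main__":
    nearby = events_near(SAMPLE_LOG, "Jul 11 06:30")
    for e in nearby:
        print(e["time"], e["process"], e["message"])
    print("remote logins:", remote_logins(nearby))
```
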

  • chrisfromnorth cairns Level 1 (0 points)

    Thanks for your help Thomas, i am in the process of downloading ClamXav, i have Little Snitch on my mac, but it doesn't help... two examples of what has happened are i now have an 'other' account listing on my login window, i didn't set it up, it's not linked to the root user and i can't access or delete it, another thing that has happened four times since my purchase in feb this year is that the mac just freezes and i have to reload everything from scratch... my backups which were ok 20 mins before the 'crash' suddenly were not and were inaccessible when needed... and finally apple are currently investigating the fact that i can't access my me account or idisk, yet it is seen syncing with my mac at times... they have logs of this which were uploaded to them the other day... the accounts are there, someone is accessing them but it isn't me... now i'm not neurotic and i do have some knowledge about computers having worked on them for 30 odd years (yes i remember when the disks were like lp records) and you had to work in dos and i have some experience with programming many years ago, but this is beyond me...

    chris

  • Linc Davis Level 10 (147,605 points)

    Do you have "Back to My Mac" enabled in your MobileMe account? Has the password of the account been changed without your knowledge?

  • chrisfromnorth cairns Level 1 (0 points)

    sorry mac went offline... will try your previous suggestion in a sec but wanted to answer this one... no i can't even access my mobileme account and apple won't give me passwords etc because i can't give them my dob etc which is linked to my account and which is accessing the sync service... so all i can do is watch it happening and not get access to the idisk or my account - which fortunately isn't linked to my apple id otherwise i wouldn't be able to be online here i guess

  • Linc Davis Level 10 (147,605 points)

    Disable MobileMe immediately. Assume that any information that was accessible through it has been compromised. That includes the contents of your Keychain.

  • chrisfromnorth cairns Level 1 (0 points)

    are you able to advise how to disable mobile me?

    still trying to do the secure log thing, some interesting stuff coming up that i'm trying to make sense of like the root account being enabled half an hour ago (wasn't me)

  • thomas_r. Level 7 (29,635 points)

    What do you mean, you can't give them your date of birth?  I'm assuming you are able to give it, but that it's not being recognized as correct...  is that right?  If so, sounds like your MobileMe account has been hacked and the profile information changed.  Is that MobileMe account also linked to your Apple ID?  Is your Apple ID linked to a credit card?  If so, you've got serious problems.  You should contact MobileMe support right away and review the transactions on your credit card.

  • chrisfromnorth cairns Level 1 (0 points)

    yes i can give them my dob but it's not the right one and no i don't have a credit card (at least that's one good thing) and i did contact mobile me and apple yesterday and they went thru the whole thing, there is an account in my name, perhaps 2 one of which has access to my idisk and which syncs from my mac (i have seen it, but have not instigated it) and i don't know how to access the account without a password of course, but they won't give me the password because i can't identify me as being me and whoever else it is has a history with them apparently... i have been going round and round in circles with them for ages...

  • thomas_r. Level 7 (29,635 points)

    It's hard for me to understand that you can't verify the account.  It was subscribed to, less than one year ago, using a credit card.  Surely Apple can verify the account through the card used to pay for the account?!  Since nobody has offered such, you need to ask about that.

  • Linc Davis Level 10 (147,605 points)

    > are you able to advise how to disable mobile me?

    Through the MobileMe preference pane in System Preferences.