18 Replies Latest reply: Dec 22, 2012 1:55 PM by Eaglerock
Brad Cook Level 1 Level 1 (15 points)

When I shut down my Mac today, it said 224 people were connected to it. I have file and printer sharing on, but my home router is secured with a password, so I don't know how that's possible. Even if my router was open, I don't have 224 people living close enough that they could all be on my home network.

 

Was that a weird glitch, or is it something I should be concerned about?  I know there have been some reports of malware popping up on Macs, so I'm wondering if my computer could be infected.

 

Thanks.

  • Klaus1 Level 8 Level 8 (45,875 points)

    Has your Mac been infected by a Botnet?

     

    Simply put, a bot – which is short for robot – is an automated computer program that allows outside sources to control computers remotely without the users' knowledge. A botnet is a network of hundreds or thousands of computers infected with botnet malware that communicates covertly with a command-and-control (CnC) server run by a type of cybercriminal called a botmaster. Unbeknownst to the individual users, their computers are linked in a rogue network which the botmaster can utilize for a variety of nefarious purposes.

    Detailed information here:

    http://mac-internet-security-software-review.toptenreviews.com/how-do-i-know-if-my-computer-is-a-botnet-zombie-.html

  • WZZZ Level 6 Level 6 (12,685 points)

    What said "224 people connected?" How did that message appear, in what form?

  • Brad Cook Level 1 Level 1 (15 points)

    It appeared as a pop-up box that warned me that 224 users were connected to my computer and would be disconnected when I shut it down.  I rarely shut down that computer, so I have no idea how long it was like that (meaning, having that many users connected).

  • WZZZ Level 6 Level 6 (12,685 points)

    First, as far as I know, there have only been two Mac botnets. Most recently the Flashback drive-by botnet, which, at its maximum had 600,000+ machines under its control. And running the latest Java update for 10.6.8 should take care of that. There was an earlier botnet from 2009 infecting machines which had installed pirated copies of iWork. If it ever got going, I doubt it was controlling only 225 machines. In any case, I've never heard of botnets allowing themselves to be announced in this fashion. They are silent backdoors.

     

    That leaves some other possible explanation, and here I simply don't know enough about what might be causing this message at shutdown. I agree, it would be unlikely 224 people would be poaching on your wireless, and, even if there were a few it would be unlikely you'd be getting a message of this sort. And your wireless network is probably still up and running when you shut down the Mac. It wouldn't have to shut down when your Mac shuts down. (On a related note, make sure your wireless encryption protocol is set to WPA2/AES. WEP can be cracked in a minute and WPA has been broken too. You said your router is secured with a password, but is it a long, random, all over the keyboard one? A short simple one can be cracked. Mine is 40+ characters. Still, even if someone had hacked into your router, I don't think you'd be getting this kind of message.)

     

    I've never heard of this kind of warning pop-up at shutdown. If you were running a server to numerous machines, that might be one explanation. But that doesn't appear to be the case.

     

    Perhaps someone else will have an idea about what's going on. I might be wrong, but I don't think it's any kind of known botnet. I wouldn't rule out the possibility of a weird glitch. Is it reproducible?

     

    Oh, and you're not running any kind of VNC are you?

  • Brad Cook Level 1 Level 1 (15 points)

    I was away for a few days. Last night, when I booted up my iMac again, I connected to it with my MacBook, and in the sharing pane in Sys Prefs, it said 1 user was connected.  Later, I checked again and it said 2 users were connected, which was odd, since the MacBook is the only other Mac running in the house right now. (My wife's iBook gave up the ghost recently, so she's been using an iPad until we buy another laptop.)

     

    This morning, I reviewed the processes running in Activity Monitor and checked them against a list of known OS X processes.  None of the malware processes showed up, but there was an odd one called Monitor that wasn't on the list, so I terminated it, thinking it might be a keystroke logger or something of the sort.

     

    I shut down file sharing on the iMac. Then I went into Sys Prefs and changed my user password. Then I logged back into the iMac through my MacBook; since then, only one connected user has been shown.

     

    I switched routers a while back and hadn't logged into the admin settings on my new 2WIRE from AT&T since then.  I just now logged in and saw that I'm using WPA-PSK (TKIP) and WPA2-PSK (AES) (that's all one option).  I also have the option to use just WPA2-PSK (AES), so I'll switch to that.

     

    I'll also set up a new router password.  I've been using the default one on the 2WIRE label (same with the admin key; I'll change that too).

     

    BTW, while logged into the router, I saw something odd: 2 unknown devices are connected to it, along with Macintosh-2, 2 iPhones, and 2 iPads (the iPhones and iPads are ours).  I assumed Macintosh-2 was my computer, but it has a different IP address assigned to it than the one I see in Sys Prefs.  The IP address for my MacBook is listed under one of the devices labeled "unknown."

  • Brad Cook Level 1 Level 1 (15 points)

    Do old devices show up in the list of devices connected to a router? Wondering if my wife's iBook is one of those unknown devices. Also, my son has been by with his MacBook Pro recently, so another might be him.

     

    And, duh, I just realized that macintosh-2 is the iMac, since it's connected by Ethernet.  Right now I have that, an unknown device that's my MacBook, and my iPhone and iPad showing up as active devices connected to the router. I'll get my wife's iPhone and iPad connected after she returns home.

     

    I changed my admin and access passwords on the router.  We'll see what happens from here.

     

    I'm not running a VNC.

     

    Oh, something else: I noticed that I had "Share files and folders using SMB" checked, so I unchecked that.

     

    Thanks for all your help. It's much appreciated.

  • WZZZ Level 6 Level 6 (12,685 points)

    I've never used anything in Sharing -- have always had everything there turned off -- so I'm a complete dunce in this area, but I've just done a search using "OS X file sharing + connected users" and come up with a few useful hits. You might want to have a look.

     

    Also, I would think you'd want to go by the known MAC addresses of whatever your connected devices are, not their IPs.

  • Brad Cook Level 1 Level 1 (15 points)

    So, since I last posted, I've been monitoring the # of users connected in the Sharing preferences pane. I currently only have "using AFP" checked (FTP and SMB are not). That number has fluctuated around 2 or 3, which is still perplexing since only my MacBook has been connecting to the iMac via file sharing, but I just looked and it said 156 users connected. I did a restart and it said zero.

     

    Then I logged in with the MacBook and it said 1.  So it seems like it's correctly reporting the # of people connected.  Again, I don't think these are people connecting to my router, so either the Sharing prefs pane is reporting the wrong number or people are logging into my iMac somehow, despite the firewall on my router.

     

    And now I just looked at the firewall in Sys Prefs and, duh, it was off.  Not sure when or why I turned it off, but I just turned it back on.

     

    I will continue to monitor sharing in Sys Prefs and see if the # of connected users changes.  Sure, it was dumb of me to turn the firewall off, but it's still bothersome that there were all those users connected.  I hope they were only able to get into my guest folder and nothing else.

     

    Any further thoughts and advice are much appreciated.

  • Brad Cook Level 1 Level 1 (15 points)

    BTW, a search on "OS X file sharing + connected users" mostly pulled up people talking about OS X Server. I didn't see anything where someone experienced something similar to what I saw. But I'm sure most people aren't dumb like me and leave their firewall off for who knows how long.

  • BDAqua Level 10 Level 10 (120,010 points)

    Hi Brad, WZZZ asked me to take a look here.

     

    If it happens again, open Terminal & type a simple...

     

    w

     

    Or...

     

    who

     

    That should tell you who's connected.

     

    Open Console in Utilities, check these Logs...

     

     

    system.log and /private/var/log/kernel.log

     

    Look for en0 if you connect via Ethernet, en1 usually if you connect via Airport/Wifi.

     

    Do you use FaceBook, Twitter, or LinkedIn?
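An added example, not part of the thread or of any poster's reply: a small Python script that parses the output of the `who` command suggested above and separates the console login, local Terminal windows, and sessions that carry an originating host. The sample output is constructed for the example (the user name `brad`, the host `192.0.2.10`, and the third line are invented); it assumes the BSD `who` format, where a remote login is shown with its host in parentheses. One caveat worth knowing when reading the result: `who` and `w` list login sessions (the GUI console, Terminal windows, SSH logins), not AFP or SMB file-sharing clients, so a session count of one here does not by itself contradict a higher number in the Sharing pane.

```python
import re
from typing import Dict, List

# Regex for one line of `who` output: user, terminal, login time, and an
# optional "(host)" suffix that BSD `who` prints for remote logins.
WHO_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<when>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2})"
    r"(?:\s+\((?P<host>[^)]+)\))?\s*$"
)

# Constructed sample (not real output). The first two lines follow the
# shape quoted in the thread (a console login plus one Terminal window);
# the third is an invented remote login to show what a non-local session
# looks like.
SAMPLE_WHO_OUTPUT = """\
brad     console  Jun 15 18:15
brad     ttys000  Jun 16 07:59
brad     ttys001  Jun 16 08:02 (192.0.2.10)
"""


def parse_who(text: str) -> List[Dict[str, str]]:
    """Parse `who` output into session records; lines that do not match are skipped."""
    sessions = []
    for raw in text.splitlines():
        m = WHO_LINE.match(raw.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["host"] = rec["host"] or ""
        sessions.append(rec)
    return sessions


def classify(session: Dict[str, str]) -> str:
    """'console' is the GUI login, 'tty' a local terminal window,
    'remote' any session that carries an originating host."""
    if session["host"]:
        return "remote"
    if session["tty"] == "console":
        return "console"
    return "tty"


def summarize(text: str) -> Dict[str, object]:
    """Count sessions per class and list the remote ones for review."""
    sessions = parse_who(text)
    counts = {"console": 0, "tty": 0, "remote": 0}
    remote = []
    for s in sessions:
        kind = classify(s)
        counts[kind] += 1
        if kind == "remote":
            remote.append(f"{s['user']} from {s['host']} on {s['tty']}")
    return {"total": len(sessions), "counts": counts, "remote": remote}


if __name__ == "__main__":
    import subprocess

    # On a live machine run the real command; fall back to the constructed
    # sample when `who` is unavailable or prints nothing (e.g. in a container).
    try:
        live = subprocess.run(["who"], capture_output=True, text=True, check=False).stdout
    except OSError:
        live = ""
    print(summarize(live or SAMPLE_WHO_OUTPUT))
```

Run it as-is to see the classification of the constructed sample, or on a Mac to classify the live `who` output; any entry reported under "remote" is the one to account for first.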

  • Brad Cook Level 1 Level 1 (15 points)

    I think I may have figured out what was doing this: I had an app installed called FingerPrint, which is supposed to let you print from iOS to a non-AirPrint-compatible printer, but it never worked well for me.  I had it set as a log-in item.

     

    In system.log, there are tons of entries that say:

     

    Jun 14 23:59:13 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd[77594]): Exited with exit code: 1

    Jun 14 23:59:13 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd): Throttling respawn: Will start in 10 seconds

     

    That's just an example. There are tons of this from this morning too. After deleting FingerPrint, I'm now seeing these entries:

     

    Jun 16 08:20:11 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd): Throttling respawn: Will start in 10 seconds

    Jun 16 08:20:12 macintosh-2 WDDriveManagerStatusMenu[269]: *** attempt to pop an unknown autorelease pool (0x81d600)

    Jun 16 08:20:21 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd[3805]): posix_spawn("/Applications/FingerPrint.app/Contents/MacOS/fingerprintd", ...): No such file or directory

    Jun 16 08:20:21 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd[3805]): Exited with exit code: 1

    Jun 16 08:20:21 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd): Throttling respawn: Will start in 10 seconds

     

    Is it possible that all these instances of com.collobos.fingerprintd trying to respawn the app caused multiple user connections?

     

    Before I deleted FingerPrint, Sys Prefs was saying that 2 users were connected.  Now it's just saying one.

     

    RE the "who" command in Terminal: It produces this:

     

    [user name] console  Jun 15 18:15

    [user name] ttys000  Jun 16 07:59

     

    Both user names are me.  Not sure if "console" and "ttys000" are meaningful.

     

    Also, both system.log and kernel.log have tons of entries in them.  Not sure what I should be looking for.  Filtering out anything that says "en0" produces nothing in system.log.  In kernel.log, I get one entry per day that looks like this:

     

    Jun 16 07:00:07 macintosh-2 kernel[0]: Ethernet [AppleYukon2]: Link up on en0, 100-Megabit, Full-duplex, No flow-control, Debug [796d,6d00,0de1,0200,41e1,4000]

     

    I have the iMac set to wake up at 7 AM every day, so I assume that's from the wake-up process.

     

    One last thing: I do use FaceBook and LinkedIn.  I use FaceBook on both the iMac and MacBook and LinkedIn only on the MacBook. Could an unauthorized user gain access through one of those?

     

    Thanks for all your help. It's much appreciated.
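An added example, not part of the thread or of any poster's reply: a Python script that scans system.log lines of the kind quoted above for the launchd crash-loop pattern (a job that exits, is throttled, and is respawned over and over, and, after its binary is removed, fails in `posix_spawn`). The sample log is constructed for the example and modelled on the lines quoted in the thread; the job label and paths are the ones that appear there, and the threshold of three throttle messages before a job is flagged is an arbitrary choice for the example. Whether such a loop affects the Sharing pane's user count is not something this script decides; it only makes the loop, and the job responsible for it, easy to spot in a large log.

```python
import re
import sys
from collections import defaultdict
from typing import Dict, Optional

# One launchd line from system.log: syslog timestamp, host, the launchd
# process, then "(label[pid])" or "(label)" and the message text.
LAUNCHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"com\.apple\.launchd\[\d+\] \((?P<label>[^\[\)]+)(?:\[(?P<pid>\d+)\])?\): "
    r"(?P<msg>.*)$"
)

# Constructed sample modelled on the lines quoted in the thread: three
# exit/throttle cycles for one job, a spawn failure after the app was
# removed, and one unrelated non-launchd line that must be ignored.
SAMPLE_SYSTEM_LOG = """\
Jun 14 23:59:13 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd[77594]): Exited with exit code: 1
Jun 14 23:59:13 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd): Throttling respawn: Will start in 10 seconds
Jun 14 23:59:23 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd[77601]): Exited with exit code: 1
Jun 14 23:59:23 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd): Throttling respawn: Will start in 10 seconds
Jun 16 08:20:12 macintosh-2 WDDriveManagerStatusMenu[269]: *** attempt to pop an unknown autorelease pool (0x81d600)
Jun 16 08:20:21 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd[3805]): posix_spawn("/Applications/FingerPrint.app/Contents/MacOS/fingerprintd", ...): No such file or directory
Jun 16 08:20:21 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd[3805]): Exited with exit code: 1
Jun 16 08:20:21 macintosh-2 com.apple.launchd[1] (com.collobos.fingerprintd): Throttling respawn: Will start in 10 seconds
"""


def parse_launchd_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a launchd log line, or None for any other line."""
    m = LAUNCHD_LINE.match(line.strip())
    return m.groupdict() if m else None


def respawn_report(log_text: str, throttle_threshold: int = 3) -> Dict[str, Dict[str, object]]:
    """Per launchd job label, count exits, throttles and spawn failures, record
    the binary launchd could not find, and flag jobs that look like a crash loop."""
    stats = defaultdict(
        lambda: {"exits": 0, "throttles": 0, "spawn_failures": 0, "missing_binary": None}
    )
    for line in log_text.splitlines():
        rec = parse_launchd_line(line)
        if rec is None:
            continue
        entry = stats[rec["label"]]
        msg = rec["msg"]
        if msg.startswith("Exited with exit code:"):
            entry["exits"] += 1
        elif msg.startswith("Throttling respawn:"):
            entry["throttles"] += 1
        elif msg.startswith("posix_spawn("):
            entry["spawn_failures"] += 1
            pm = re.match(r'posix_spawn\("([^"]+)"', msg)
            if pm:
                entry["missing_binary"] = pm.group(1)
    for entry in stats.values():
        entry["crash_loop"] = entry["throttles"] >= throttle_threshold
    return dict(stats)


if __name__ == "__main__":
    # Pass a log file path to scan a real log; otherwise the constructed sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SYSTEM_LOG
    for label, entry in sorted(respawn_report(text).items()):
        flag = "CRASH LOOP" if entry["crash_loop"] else "ok"
        print(f"{label}: {flag} exits={entry['exits']} throttles={entry['throttles']} "
              f"spawn_failures={entry['spawn_failures']} missing={entry['missing_binary']}")
```

On a Mac of that era the script can be pointed at `/var/log/system.log` directly; a job reported as a crash loop with a `missing_binary` set is one whose launch agent or daemon plist is still registered after its application was deleted, which is exactly the leftover that needs to be found and removed.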

  • BDAqua Level 10 Level 10 (120,010 points)

    Good work Brad, I think you found it.

    Is it possible that all these instances of com.collobos.fingerprintd trying to respawn the app caused multiple user connections?

    You should remove com.collobos.fingerprintd, I'd get Find Any File...

     

    http://apps.tempel.org/FindAnyFile/

     

    To find & trash it.

     

    Both user names are me.  Not sure if "console" and "ttys000" are meaningful.

    This is normal.

     

    Could an unauthorized user gain access through one of those?

    Not directly, but all have been hacked into lately, so I was just collecting info in case we didn't find it.

  • Brad Cook Level 1 Level 1 (15 points)

    Many thanks for your response.  Your info is greatly appreciated.

     

    What do you mean by "all have been hacked into lately"? Have other Mac users experienced issues with being hacked into?

  • BDAqua Level 10 Level 10 (120,010 points)

    None have led to direct attacks that I'm aware of, mostly just stolen info like Passwords, eMail addies of everybody you know, & a few million Credit Card Infos.
