Hi,
I noticed a few new entries in my macbook hosts file looking like this:
| 127.0.0.1 | swscan.apple.com |
and so on..
I understand these are the addresses to the apple update services. It seems strange to me that these addresses are pointing to my local machine?
Does anyone know if this is suppose to be like this , or is someone trying to prevent my mac from updating?
Thanx for your replies!
MacBook Pro (Retina, 13-inch, Late 2013), OS X Mavericks (10.9.5)
That certainly isn't normal. Either you inadvertently installed something that edited your hosts file, or someone else did this on purpose.
That certainly isn't normal. Either you inadvertently installed something that edited your hosts file, or someone else did this on purpose.
Hi Esquared,
Thanx for your reply, I was afraid of that... I didnt install any new programs so that means someone is trying to destabilise my system.
I removed the lines from my host file and running a virus scan right now. Can you think of any other things I should do?
One thing you should certainly do is to get rid of your worthless "anti-virus" software.
There is no known malware in circulation that would modify the hosts file. Someone using the computer did it deliberately.
I know a virus is problably not what caused this, but non the less I figured it would be a good thing to do (using Sophos which is already getting really annoying.. ). Furthermore I've installed Little Snitch to keep an eye on my network traffic.
To be clear, I'm a 100% sure no one had physical access to my macbook. Maybe it was accessed over a network?
I'm really quite baffled by this and not sure what else measures I should take, so any further advice would be much appreciated!
Thanx again.
What made you think about checking the hosts file in the first place?
Just to be sure that no-one has guessed/obtained the current one, change the password of your main (only?) user account on the MBP.
Oh, and check if there are any sharing options activated in System Preferences -> Sharing.
I needed to change my hosts file because I needed to point a domain name to my localhost (web development). I will change my password but I really think it's very unlikely that someone accessed my mbp. It has been in my house and unless someone broke in, figured out my password, changed my hosts file and then left without a trace (which by then sounds like a pretty crazy practical joke..) , no one had access. I'm only sharing my printer.
The only thing I did recently is adding a licence key. But this is from trusted software.
I'm quite new to osx but no stranger to windows. Are there any other settings I can check to be sure no one is trying to get into my mbp?
Again, thanx for all the effort!
There really is no way to change the hosts file without authorization. So either someone who knew your password had physical or network access, or an installer of this or that application had a "little extra" on board.
Hold on... I suddenly realized it may have something to do with this:
http://www.thesafemac.com/iworm-method-of-infection-found/
Can you check your Mac for these items?
/Library/Application Support/JavaW/JavaW
/Library/LaunchDaemons/com.JavaW.plist
Wow! Yes these to files are present on my system! I read the article you mentioned.They are talking about illegal software. There is only 100% legal software on my mbp (and taking care in keeping it that way after coming from a windows environment..).
What will be the best way to move on from here? Should I just remove the files? Will that be enough?
The last update I'm seeing is from sept 20th (safari update). Could my mbp be infected by visiting a malicious website?
I think my XProtect.meta.plist is up to date (but how to be sure?).
XProtect was updated last night (especially for this trojan). In System Preferences -> Apple Store deselect the 'Automatically look for....' option. And select it again.
The built-in Firewall (System Preferences -> Security & Privacy) should give you some extra protection.
As for the cause of "infection": there's still a lot of uncertainty there. So far the only sources that were found are modified installers of well-known applications. But there could be other sources too, like modified versions of harmless stuff like Flash Player installers.
You might add a post to this topic (reply to the post by thomas r. at the end): Re: mac.backdoor.iworm
Report the modification of the hosts file and the fact that, as far as you know, no illegal software was involved.
Thanx so much. I do have that bloody flash player installed...
To conclude; should I delete the JavaW files you mentioned earlier?
Ah yes, delete those. (And see the remark I've added to my previous post.)
Concerning Flash Player: can you remember where you got it from? If it came from the Adobe site, it's unlikely to have been the source...
I noticed a few new entries in my macbook hosts file looking like this:
| 127.0.0.1 | swscan.apple.com |
I don't know what swscan.apple.com is, because I can't go to it using a browser.
What that line in your hosts file does is "prevent" requests for connection from going to that web site.
This technique is used as an adblocking method - preventing known adware sites from appearing when viewing web pages.
I wonder if some antivirus or adblocker software made these hosts file entries?
PS - just learned that swscan.apple.com is part of the Software Update system.
So, it seems your system was modified to prevent normal updates?
swscan.apple.com in hosts file
