Stealth Mode connection attempts to UDP while booting

Verbose boot shows multiple stealth connection attempts. What are those? Is it ok?


[Screenshot attached to the original post]


MBP 2012

macOS Mojave (10.14)

Posted on Oct 18, 2018 9:56 PM


Oct 25, 2018 5:01 AM in response to wvthr

If your computer is attached directly to the internet, it will constantly be attacked. Bots are constantly probing devices visible to the world. If you place a NAT router between your modem and your computer, the router will be the device being probed and your computer will remain isolated from the internet “world.”

If you do have a router, it is misconfigured.

Oct 30, 2018 8:54 PM in response to wvthr

Hey,


sorry for the late answer, it's a busy week.


What Barney-15E said is true: don't use port mapping, and you're not hacked, since the connection attempt is rejected.


Boot-Disc: http://www.livecd.com/

Works with HFS+ partitions without problem (tested).


Rootkit-Hunter: https://www.switchingtomac.com/tutorials/how-to-check-your-mac-for-rootkits/


For these connections, try to disable all log-in items in system preferences -> user & groups -> your profile -> "login items".


If that still doesn't help, and if no antivirus finds anything, I'd install macOS / OS X on an external hard drive (even a USB stick if big enough works) and check if the attempts still occur starting from there. If not, backup your whole system and re-install it.


-Lex


Oh, btw, I'm not exactly sure when Apple last updated the Airport software so you might wanna think about replacing your airport router with something newer. The older software gets, the more likely it is to be hacked. Unless it's Windows. You can compromise that right out of the box. ^-^

Oct 30, 2018 11:08 PM in response to wvthr

Hey wvthr,


1. Always a pleasure. (As far as I'm somewhat helpful at least.)


2. Sorry, I didn't quite catch that, my bad. There doesn't seem to be a live disk that supports APFS as of yet.


3. Giving Little Snitch a try is always a go. It's a great way to limit home phoners anyways and worth the price.


4. Stealth Mode in a nutshell: When stealth mode is activated, requests upon "is this port available and open?" aren't answered at all and therefore usually determined "not reachable" by automated attacks. If stealth mode is disabled the request "is this port available and open" is answered with either YES or NO.


4.1. Stealth mode is usually a good deterrent if you're in a network outside your own, like in a free wifi network in a coffee shop for example.


4.2. Your router at home should already block connections from the outside except for forwarded ports.


4.3. I'm not a fan of forwarded ports to be honest. Once a port is forwarded, it's open, like floodgate open.


5. I'm not quite sure how MacOS handles torrent clients or rather, their background processes. On Windows you can quite often see activity on torrent client background processes as torrent encourages you to not only download but also upload bits and pieces of the files you're downloading (happens automatically). Some clients leave a background process open for sharing. (You could check Activity Monitor and see if there's a process running. If so, close it and check your network flow again.)


6. This could be because, if qbittorrent is running, you're visible to the trackers as seeder/leecher. Due to how torrent works, your IP can be saved in a tracker (or even will be) so if someone else wants to load the torrent attached file, the tracker adds you to the pool of seeders/leechers and people can practically gather bits and pieces of that file from your computer. (This is essentially how torrent works, everybody is sharing a bit; this is also what makes torrent pretty fast.)


7. I'm not absolutely sure how Time Machine manages backup files but as long as the TM backup isn't encrypted you should be able to scan it with any Mac anti-virus. Though, don't take my word for granted on this. I also don't know how AVs affect the consistency of TM backups if they remove certain possibly infected files.


8. Since you're using BitTorrent, it could be that those network connections from all over the world found their origin in that. What I would do first is to create a separate MacOS install on an external drive. Download Mojave, put it on a USB Stick, install it on an external HDD (if you've got one free) or use another 32 GB USB Stick (not sure if a 16 GB stick suffices for full running Mojave) to install Mojave on. It will be slow but running. Start your Mac from there (hold down the Option key while booting & select the Mojave USB Stick) and check your network flow from there. If nothing strange shows up, that would at least tell you if your installation on your SSD/HDD (internal) might be compromised or if it's a rootkit that resides within the EFI.


9. For /usr/bin/fuser, /usr/bin/whatis & /usr/bin/shasum, these files should look like this (see attached screenshots). To check what's in your versions, simply open a terminal and type:


"nano /usr/bin/fuser" (without the ")

"nano /usr/bin/whatis" (without the ")

"nano /usr/bin/shasum" (without the ")


nano is a simple terminal based editor. You can mark the content with your mouse and simply copy it into a text editor. To close nano simply use CTRL+X.


[Three screenshots of the file contents were attached to the original post]

If you need a text copy of the contents, just leave me another message and I'll post it.


10. If you're not running a server, you should disable SSH root access:

"sudo systemsetup -setremotelogin off" (without the " of course). You will be prompted whether you really want to disable remote login; to confirm, type "yes" (again without ") and hit enter. SSH will be disabled and any active SSH connections will be terminated. (Make sure, though, that you're not using SSH remote login for anything first.)


Good luck, as always.

-Alex
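The two checks behind points 9 and 10 above can be scripted rather than eyeballed in nano. The following is an added example, not code from the thread or from rkhunter: (a) it classifies a tool as a script (file begins with "#!") or a native binary and compares its checksum with a baseline recorded from a known-good copy, such as the clean external-drive install suggested in point 8; (b) it reads the effective value of an sshd_config keyword such as PermitRootLogin, which is what the rkhunter warnings quoted in the thread are about. It assumes a POSIX sh with head, cksum and awk; the demo files, the "crc size" baseline format and the helper names are constructed for this example. The checksum uses cksum on purpose, since shasum is itself one of the files under suspicion.

```shell
#!/bin/sh
# Added example, not code from the thread: script-vs-binary classification,
# baseline comparison, and an sshd_config keyword lookup.
# Assumptions: POSIX sh; baseline is "<crc> <bytes>" as printed by file_digest
# on a trusted copy of the same file.

# classify_file PATH -> "script" if the file begins with "#!", otherwise "binary"
classify_file() {
    if [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]; then
        echo script
    else
        echo binary
    fi
}

# file_digest PATH -> "<crc> <bytes>" from POSIX cksum
file_digest() {
    cksum "$1" | awk '{ print $1, $2 }'
}

# baseline_check PATH EXPECTED -> exit 0 if the digest matches the baseline, 1 if not
baseline_check() {
    [ "$(file_digest "$1")" = "$2" ]
}

# sshd_option CONFIG KEYWORD -> first value set for KEYWORD (sshd honours the
# first occurrence), or "unset" when the file never sets it. Comment lines are
# ignored; Match blocks are not modelled (assumption: a flat config file).
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Constructed demo files: a Perl-script stand-in for /usr/bin/fuser, a file of
# binary-looking bytes, and a small sshd_config in which PermitRootLogin is only
# present as a commented-out line (exactly the "has not been set" case).
DEMO=$(mktemp -d)
printf '#!/usr/bin/perl\nprint 1;\n' >"$DEMO/fuser"
printf '\317\372\355\376 not a real executable, just binary-looking bytes' >"$DEMO/tool"
printf '# constructed sshd_config\n#PermitRootLogin yes\nProtocol 2\n' >"$DEMO/sshd_config"

# Pretend this digest was recorded earlier from the clean install.
BASELINE=$(file_digest "$DEMO/fuser")

for f in "$DEMO/fuser" "$DEMO/tool"; do
    echo "$f: $(classify_file "$f") $(file_digest "$f")"
done
if baseline_check "$DEMO/fuser" "$BASELINE"; then
    echo "fuser matches baseline"
else
    echo "fuser DIFFERS from baseline"
fi
echo "PermitRootLogin = $(sshd_option "$DEMO/sshd_config" PermitRootLogin)"
echo "Protocol = $(sshd_option "$DEMO/sshd_config" Protocol)"
```

On a real Mac you would run file_digest for /usr/bin/fuser, /usr/bin/whatis and /usr/bin/shasum on the clean external install, then baseline_check the same paths on the internal disk, and run sshd_option /etc/ssh/sshd_config PermitRootLogin for the SSH check (sudo systemsetup -getremotelogin reports whether remote login is on at all). Note that a stock macOS install ships fuser and shasum as Perl scripts and whatis as a shell script, so "has been replaced by a script" on its own is not evidence of tampering; what matters is whether the contents match the known-good copy.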

Oct 25, 2018 8:07 AM in response to Barney-15E

I do have router — Apple Airport Express — and NAT mode is enabled.

I can't say that activity in my case is usual: firstly, connection attempts while booting ⚠ in verbose mode (never heard of it / found nothing about it), then couple days of silence, then 2 hours of massive stealth attempts (about 15–20 per minute) — looks pretty suspicious to me. And I want to figure this out.

Oct 30, 2018 9:06 PM in response to LexCalifornia

  1. Thanks again for your participation.
  2. About LiveCD: it works with HFS, but as I mentioned, I'm on Mojave and APFS. So unfortunately this is not an option for me.
  3. Should I try to use Little Snitch?
  4. I disabled NAT PMP and manually forwarded just 2 ports and tried to experiment with default firewall's «stealth mode». Stealth was disabled for a couple of days. And after I enabled it I again saw those pesky «Stealth Mode connection attempts» through torrent-forwarded port.
  5. UPD: Now I'm starting to think that all these attempts are related to the torrent client somehow. I removed all forwarded ports from the router settings and changed the port in qbittorrent settings to another one —> the console shows me connection attempts through the old port and through the new one. But attempts continue to appear 30 minutes after I close qbittorrent and reboot the system. ***? So many of them.
  6. UPD: Weird pattern (unconfirmed for now, but noted): When qbittorrent is running, there are no stealth attempts. When it isn't running, the console starts flooding with attempts.
  7. If I decide to reinstall macOS, what are the chances that malware/rootkit/backdoor/whatever this is (assuming that there is something) recovers from the Time Machine backup and compromises the system again?


I made some new checks:

— EtreCheck — clear

— Chkrootkit — `timed'... INFECTED (Couldn't find what it is, there is not much info. Also this tool seemed to be a bit outdated and is not very suitable for macOS)

— Rootkit Hunter: Possible rootkits: 0, but:

[02:12:26] /usr/bin/fuser [ Warning ]

[02:12:26] Warning: The command '/usr/bin/fuser' has been replaced by a script: /usr/bin/fuser: Perl script text executable

[02:12:36] /usr/bin/whatis [ Warning ]

[02:12:36] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: POSIX shell script text executable, ASCII text

[02:12:38] /usr/bin/shasum [ Warning ]

[02:12:38] Warning: The command '/usr/bin/shasum' has been replaced by a script: /usr/bin/shasum: Perl script text executable


[02:14:46] Checking if SSH root access is allowed [ Warning ]

[02:14:46] Warning: The SSH configuration option 'PermitRootLogin' has not been set. The default value may be 'yes', to allow root access.

[02:14:46] Checking if SSH protocol v1 is allowed [ Warning ]

[02:14:46] Warning: The SSH configuration option 'Protocol' has not been set. The default value may be '2,1', to allow the use of protocol version

Oct 22, 2018 7:30 AM in response to wvthr

Hi wvthr,


These activities are definitely not okay. Not only is the source IP way too random (Spectrum USA, German Telecom AG, Korea Telecom, Contabo GmbH, Online S.A.S (France)), but most interesting is the last port used on your list (8110). It's commonly used by trojans/trojan services such as DLP or LoseLove. DLP tries to or gains root access while LoseLove is a backdoor trojan.


You should definitely run an antivirus scan, preferably via disc (CD/DVD) or USB before the start of macOS / OSX. For example ESET, Malwarebytes - both have rescue disc / usb stick options as free downloads that should get the job done. Not sure if Bitdefender Rescue disc works.


But even after a possible successful cleaning of the compromised system you might want to treat it as exactly that: a compromised system. Backup all user files you might need or want to keep and do a clean install. Make sure to format the hard drive before doing a clean install. And always scan your backups too.


IPs, origins and attack levels from top to bottom:


87.169.74.79 (:6881)

Network: Deutsche Telekom AG (German Telecom AG), City: Moers

TCP/UDP Port Use: used in older BitTorrent clients/P2P, some older games

SANS Attack Activity:

  • High: Oct. 3 (8k Sources / 357 Targets)
  • Low: Oct 17 (2.9k Sources / 277 Targets)



213.136.79.238 (:6894)

Network: Contabo GmbH (Germany), City: -

TCP/UDP Port Use: BitTorrent, Windows Live Messenger (File transfer)

SANS Attack Activity:

  • High: Oct 3 (5 Sources / 767 Targets)
  • Low: Oct 14 (3 Sources / 7 Targets)



220.124.37.163 (:42203)

Network: Korea Telecom (Korea, KR), City: Iksan

TCP/UDP Port Use: Older games or Unassigned. Known unauthorised use on port 42000 (Source: IANA)

SANS Attack Activity:

  • High: Oct 13 (3 Sources / 13 Targets)
  • Low: Oct 5 (3 Sources / 3 Targets)




213.136.79.238 (:6961)

Network: Contabo GmbH (Germany), City: -

TCP/UDP Port Use: JMACT3, BitTorrent

SANS Attack Activity:

  • High: Oct 20 (3 Sources / 258 Targets)
  • Low: Oct 4 (2 Sources / 4 Targets)




195.154.102.3 (:51413)

Network: ONLINE S.A.S. (France), City: -

TCP/UDP Port Use: P2P, Transmission BitTorrent Client

SANS Attack Activity:

  • High: Oct 7 (5 Sources / 57 Targets)
  • Low: Oct 21 (2 Sources / 2 Targets)



5.189.187.90 (:31379)

Network: Contabo GmbH (Germany), City: -

TCP/UDP Port Use: Unassigned (Source: IANA)

SANS Attack Activity:

  • High: Oct 13 (4 Sources / 3 Targets)
  • Low: Sept 27 (3 Sources / 3 Targets)



45.37.172.119 (:39748)

Network: Spectrum (USA), City: Durham, NY, USA

TCP/UDP Port Use: Unassigned (Source: IANA)

SANS Attack Activity:

  • High: Oct 5 (157 Sources / 4 Targets)
  • Low: Oct 12 (2 Sources / 2 Targets)



219.77.23.176 (:62348)

Network: Netvigator (Hong Kong, Asia, HK), City: Hong Kong Central

TCP/UDP Port Use: Dynamic or Private Ports (IANA), Xsan / Xsan Filesystem Access (Apple)

SANS Attack Activity:

  • High: Oct 2 (6 Sources / 2 Targets)
  • Low: Oct 1 (6 Sources / 2 Targets)



106.242.103.235 (:56125)

Network: LG DACOM Corporation (Republic of Korea, KR), City: Seoul

TCP/UDP Port Use: Dynamic &/or Private Ports (IANA), Xsan / Xsan Filesystem Access (Apple)

SANS Attack Activity:

  • High: Oct 12 (6 Sources / 8 Targets)
  • Low: Oct 16 (2 Sources / 4 Targets)



112.187.224.215 (:50650)

Network: Korea Telecom (Republic of Korea, KR), City: Seoul

TCP/UDP Port Use: Dynamic &/or Private Ports (IANA), Xsan / Xsan Filesystem Access (Apple)

SANS Attack Activity:

  • High: Oct 8 (2 Sources / 781 Targets)
  • Low: Oct 20 (2 Sources / 2 Targets)



36.48.26.178 (:42596)

Network: China Telecom (China, CN), City: Changchun

TCP/UDP Port Use: Unassigned (IANA), iTunes Radio Streams (Apple)

SANS Attack Activity:

  • High: Oct 13 (2 Sources / 746 Targets)
  • Low: Oct 14 (2 Sources / 2 Targets)




18.197.204.108 (:8110)

Network: Amazon.com (Germany), City: Frankfurt am Main

TCP/UDP Port Use: DLP (trojans Service), LoseLove (trojans Service), DLP (trojan Service)

SANS Attack Activity:

  • High: Oct 14 (9 Sources / 371 Targets)
  • Low: Oct 11 (5 Sources / 7 Targets)


Sources:

Check IP / Location: geoiplookup (dot) net

Traceroute: via CentralOps (dot) net

Port Lookup: SpeedGuide (dot) net / adminsub (dot) net

SANS Attack Tracker: isc (dot) sans (dot) edu

Oct 24, 2018 10:24 PM in response to LexCalifornia

1. First of all, I want to thank you for your answer.

2. Unfortunately there is no LiveCD/bootable antivirus software for Macs. But I tried to scan with regular versions of ESET, Kaspersky, Malwarebytes, Intego — found nothing.

3. I constantly monitored Console. And for a couple of days it was all quiet, no stealth connection attempts whatsoever until now. It lasted about 2 hours. I documented part of the log.

4. Which instruments should I use to give more details? And what are my next steps?

5. Don't know if it's relevant: my default OS firewall was enabled (and turned on in stealth mode) about 2 weeks ago right after updating to Mojave. And I use Airport Express, which has no built-in firewall.

default 02:35:55.140493 +0300 kernel Stealth Mode connection attempt to UDP 192.168.1.2:7992 from 173.212.202.22:6902
default 02:35:59.445984 +0300 kernel Stealth Mode connection attempt to UDP 192.168.1.2:7992 from 207.180.192.206:58399
default 02:36:03.469423 +0300 kernel Stealth Mode connection attempt to UDP 192.168.1.2:7992 from 83.33.245.126:10229
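A burst of attempts against one destination port from many sources (the torrent-port pattern in this thread, including UDP packets from peers that keep arriving after the client has closed its socket) looks very different from scattered probes once the log is summarised. The following is an added example, not code from the thread: it parses "Stealth Mode connection attempt" lines of the shape quoted above and reports totals by destination port and by source address. The sample log is constructed for the example (the three lines from the post plus three made-up lines: a repeat source, a TCP attempt on another port, and an unrelated message); the helper names are assumptions. The awk locates the "attempt to ... from ..." keywords rather than fixed columns, so it also copes with the longer line prefix that `log show` prints.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise macOS "Stealth Mode
# connection attempt" kernel messages by destination port and by source IP.
# Assumed line shape: "... connection attempt to <PROTO> <dst>:<port> from <src>:<sport>"

# Constructed sample log: three lines quoted in the post plus three made-up ones.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
default 02:35:55.140493 +0300 kernel Stealth Mode connection attempt to UDP 192.168.1.2:7992 from 173.212.202.22:6902
default 02:35:59.445984 +0300 kernel Stealth Mode connection attempt to UDP 192.168.1.2:7992 from 207.180.192.206:58399
default 02:36:03.469423 +0300 kernel Stealth Mode connection attempt to UDP 192.168.1.2:7992 from 83.33.245.126:10229
default 02:36:10.000000 +0300 kernel Stealth Mode connection attempt to UDP 192.168.1.2:7992 from 173.212.202.22:6902
default 02:36:12.000000 +0300 kernel Stealth Mode connection attempt to TCP 192.168.1.2:22 from 87.169.74.79:6881
default 02:36:13.000000 +0300 kernel unrelated kernel message
EOF

# _stealth_fields FILE -> one "<PROTO> <dst_port> <src_ip>" line per stealth attempt.
# Finds the "attempt to <proto> <dst> from <src>" keywords wherever they sit on the line.
_stealth_fields() {
    awk '
        /Stealth Mode connection attempt/ {
            for (i = 1; i < NF; i++) {
                if ($i == "attempt" && $(i+1) == "to" && $(i+4) == "from") {
                    split($(i+3), dst, ":")
                    split($(i+5), src, ":")
                    print $(i+2), dst[2], src[1]
                }
            }
        }' "$1"
}

# stealth_total FILE -> number of stealth attempts in the log
stealth_total() {
    _stealth_fields "$1" | wc -l | tr -d ' '
}

# stealth_by_port FILE -> "PROTO PORT COUNT", busiest destination port first
stealth_by_port() {
    _stealth_fields "$1" | awk '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' | sort -k3,3nr
}

# stealth_by_source FILE -> "SRC_IP COUNT", most persistent source first
stealth_by_source() {
    _stealth_fields "$1" | awk '{ n[$3]++ } END { for (k in n) print k, n[k] }' | sort -k2,2nr
}

# stealth_distinct_sources FILE -> how many different source IPs were seen
stealth_distinct_sources() {
    stealth_by_source "$1" | wc -l | tr -d ' '
}

echo "total attempts: $(stealth_total "$SAMPLE")"
echo "distinct sources: $(stealth_distinct_sources "$SAMPLE")"
echo "--- by destination port ---"
stealth_by_port "$SAMPLE"
echo "--- by source ---"
stealth_by_source "$SAMPLE"
```

On the affected Mac, the same functions can be fed the unified log instead of the constructed sample, for example with `log show --predicate 'eventMessage CONTAINS "Stealth Mode"' --last 2h > stealth.log` followed by `stealth_by_port stealth.log`. Many distinct sources all hitting the single port that was previously forwarded to the torrent client is the signature of leftover peer traffic; attempts spread across ports you never opened would be the thing worth investigating further.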

Oct 25, 2018 8:23 AM in response to wvthr

I can’t remember the Express setup. Is there a DMZ mode, or do you have any port forwarding?

If you go to Network system prefs and click on your connection service (WiFi?), does it give an address starting with 192., 172., or 10.?


Sometimes, you can get “stealth” attempts when your computer sends out a request, and “forgets” the connection. When the return arrives, it appears as a stealth attempt. I don’t know why it would be trying to connect to that wide array of addresses.
