
Friggin advertisers or more


Ebby
Subdued and Medicated
 
Join Date: May 2004
Location: Over Yander
2015-08-06, 09:02

So I happened to stumble on the fact my IP address was on a spam blacklist. Oh shucks, time to scan the PC. But nothing there. Could it be an error? Maybe.

Couldn't be a Mac. We don't download crap software there. Time to break out CocoaPacketAnalyzer for some fun.

Holy shit on a stick! Have any of you guys ever run a packet sniffer on your LANs? I captured 60 seconds of idle (no open apps) computer time and schweet jeebus there is some seedy stuff going on!

Lots of the nastiness I can track back to advertising sites or some sort of shady web front. So I definitely think 2 out of 3 Macs have been compromised in some way.

What do apple people do at this point? Certainly nothing has identified any malware? Is this a wipe-and-install kind of situation?

EDIT: PCAP file. Many are Google's servers. I assume an autoupdate check kicked in. One from BoincStats. Several point to servers that have been known to host malware or linked from .exe files. I know I don't have to worry about those, but it got me wondering about Flash...

^^ One more quality post from the desk of Ebby. ^^
SSBA | SmockBogger | SporkNET

Last edited by Ebby : 2015-08-06 at 09:44. Reason: Added PCAP file
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2015-08-06, 23:21

Are you on a static IP or dynamic? Is this an office/home IP or a server IP from a hosting provider?

If it is dynamic then it's possible it was blacklisted beforehand. If it is static, what is the reason it is listed? The blacklisting organizations say why; this is what you have to track down. Don't bother spending time wiping computers yet, it might not be needed at all.

It never hurts to do a wipe and clean install other than the time lost to do those steps. How bad is it to clear the cobwebs of old software you don't need or want any more? I would never settle for a PC to be "cleaned" by scanning software, let alone a Mac. If malware of any kind is found, wipe and do over is the best solution.

Also, you should be able to see what MAC address is running the packets you think are bad. Be sure to check what machine is associated with the traffic. It could be android phones that are running nasty stuff on them.

Edit: BTW, if it is a static IP I don't mind helping you out with this. PM me the IP and I'll help you with this.

Louis L'Amour, “To make democracy work, we must be a nation of participants, not simply observers. One who does not vote has no right to complain.”
Visit our archived Minecraft world! | Maybe someday I'll proof read, until then deal with it.

Last edited by turtle : 2015-08-06 at 23:34.
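The "look up why you are listed" step above is a plain DNS query: reverse the octets of the IP, append the list's zone, and read the A record that comes back. Below is an added example (not from the thread, written for this page) that does that with an injectable resolver so it can be checked offline. The return-code table is the one Spamhaus publishes for its ZEN zone; other lists use their own codes, so pass a different mapping for them. The 127.255.255.x handling is Spamhaus-specific too: those are error answers (open-resolver block, query limits), not listings.

```python
import ipaddress
import socket

# Return codes of the Spamhaus ZEN zone (combined SBL/XBL/PBL), from Spamhaus's
# published documentation. Other DNSBLs use their own tables: pass one in.
ZEN_CODES = {
    "127.0.0.2": "SBL: listed as a direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised-host spam source",
    "127.0.0.4": "XBL: exploited host (malware, open proxy, spambot)",
    "127.0.0.5": "XBL: exploited host (malware, open proxy, spambot)",
    "127.0.0.6": "XBL: exploited host (malware, open proxy, spambot)",
    "127.0.0.7": "XBL: exploited host (malware, open proxy, spambot)",
    "127.0.0.10": "PBL: ISP policy says this range should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus-maintained policy entry for this range",
}


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.1 -> 1.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name):
    """Default resolver: first A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zone="zen.spamhaus.org", codes=ZEN_CODES, resolve=resolve_a):
    """Query one DNSBL for one IPv4 address and explain the answer."""
    answer = resolve(dnsbl_query_name(ip, zone))
    result = {"ip": ip, "zone": zone, "listed": False, "code": answer, "reason": None}
    if answer is None:
        return result  # NXDOMAIN: not listed
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        # A DNSBL only ever answers inside 127.0.0.0/8. Anything else means the
        # zone is dead and wildcarded (or parked): do not read it as a listing.
        result["reason"] = "non-127/8 answer: zone is wildcarded or dead, ignore it"
        return result
    if answer.startswith("127.255.255."):
        # Spamhaus error range: e.g. queries sent through a public resolver
        # (8.8.8.8, 1.1.1.1) or over the free query limit. Not a listing either.
        result["reason"] = "Spamhaus error code: query your own resolver or a data-feed account"
        return result
    result["listed"] = True
    result["reason"] = codes.get(answer, "listed with an undocumented return code")
    return result


if __name__ == "__main__":
    # 127.0.0.2 is the documented always-listed test address for most DNSBLs.
    print(check_dnsbl("127.0.0.2"))
```

If the answer is an XBL code, the list is telling you a host behind that IP was seen behaving like a bot, which is the case where the "find the MAC address behind the traffic" advice above applies; a PBL code only says your ISP's range is not supposed to send mail directly, which needs no cleanup at all, just a submission relay through the provider.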
Ebby
Subdued and Medicated
 
Join Date: May 2004
Location: Over Yander
2015-08-07, 00:05

We have a dynamic IP, but the same one for 7 years. The blacklists we show up on focus on spam. I know what computers are sending and receiving which packets. It's frustrating. I was up till 8:30AM sniffing and tracking things, killing background processes, etc. I just had another remote server attacked last month that took forever to stop and now my home system... It suuuucks being in Silicon Valley sometimes. I can watch the packets hit my firewalls from China and Russia. I feel targeted.

I installed Little Snitch and it is giving me a lot of info. I don't think it alerts me of all the servers my machine contacts behind my back, only the data apps generate. It would be nice if some development tool could connect the dots between packet sent and process generated. It takes so long to gather info.

When I sniffed wireless packets, I did collect some from my Android phone. Mostly multicast UPnP traffic and a sync app to local storage. HP printers are chatty SOBs but harmless. AFP has lots of keepalive talk. And I found some interesting DHCP traffic trying to reach a device across a wireless bridge.

It is the advertisers... malicious or not (via sites known to have hosted malware in the past), they have something on my system that generates data that can be profiled and sold. Without the tools, we users are helpless.

... maybe a big red button that tracks and inflicts harm to hackers? That is sooo one of my 3 genie wishes.

^^ One more quality post from the desk of Ebby. ^^
SSBA | SmockBogger | SporkNET

Last edited by Ebby : 2015-08-07 at 00:16.
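The "connect the dots between packet sent and process" tool the post above asks for exists in a crude form on macOS and Linux: `lsof -nP -iTCP -sTCP:ESTABLISHED` lists every established TCP socket with the owning command and PID, and a capture gives you the remote address and port, so joining the two attributes a flow to a process. The following is an added example for this page, not code from the thread; the `lsof` invocation is real, the sample output is constructed, and the command names in it (`AdBroker`, `boinc`) are placeholders.

```python
import re
import subprocess
from collections import defaultdict

# Real lsof invocation (macOS/Linux): numeric addresses and ports (-nP), full
# command names (+c 0), TCP only, established sockets only.
LSOF_CMD = ["lsof", "-nP", "+c", "0", "-iTCP", "-sTCP:ESTABLISHED"]

# One output line: command (may contain spaces), PID, ..., NAME column with
# local:port->remote:port and the state in parentheses.
LINE_RE = re.compile(
    r"^(?P<cmd>.+?)\s+(?P<pid>\d+)\s+.*?"
    r"(?P<laddr>\S+):(?P<lport>\d+)->(?P<raddr>\S+):(?P<rport>\d+)\s+\(ESTABLISHED\)$"
)

# Constructed sample output (documentation address ranges, placeholder process names).
SAMPLE_LSOF = """\
COMMAND         PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari         1234  ebby   23u  IPv4 0x1f2e3d4c5b6a7980      0t0  TCP 192.168.1.20:49731->203.0.113.10:443 (ESTABLISHED)
Google Chrome  1301  ebby   41u  IPv4 0x1f2e3d4c5b6a7a00      0t0  TCP 192.168.1.20:49790->203.0.113.45:80 (ESTABLISHED)
AdBroker       1456  ebby    9u  IPv4 0x1f2e3d4c5b6a7b10      0t0  TCP 192.168.1.20:49802->198.51.100.77:443 (ESTABLISHED)
boinc          1502  ebby    7u  IPv4 0x1f2e3d4c5b6a7c20      0t0  TCP 192.168.1.20:49810->198.51.100.77:443 (ESTABLISHED)
"""


def parse_lsof(text):
    """Map (remote IP, remote port) -> [(command, pid), ...] from lsof output."""
    by_remote = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and non-matching lines are skipped
            key = (m["raddr"].strip("[]"), int(m["rport"]))  # [] wraps IPv6 literals
            by_remote[key].append((m["cmd"], int(m["pid"])))
    return dict(by_remote)


def snapshot():
    """Run lsof now and parse it. Point-in-time only: repeat it while capturing."""
    out = subprocess.run(LSOF_CMD, capture_output=True, text=True, check=False).stdout
    return parse_lsof(out)


def attribute(remote_endpoints, by_remote):
    """For each (ip, port) seen in a capture, name the local process(es) holding a
    socket to it. None means nothing matched: the connection was short-lived and
    already closed, it was UDP, or it came from another host on the LAN."""
    return {ep: by_remote.get(ep) for ep in remote_endpoints}


if __name__ == "__main__":
    seen = [("203.0.113.45", 80), ("198.51.100.77", 443), ("198.51.100.9", 25)]
    for ep, owners in attribute(seen, parse_lsof(SAMPLE_LSOF)).items():
        print(ep, "->", owners if owners else "no established socket at snapshot time")
```

Two caveats a practitioner would want: `lsof` is a snapshot, so the short bursts of idle traffic the post describes (an update check, a beacon) will usually have closed before you run it; poll it every second during the capture, or use the per-process view of `nettop` on macOS. And when two processes talk to the same endpoint, as `AdBroker` and `boinc` do in the sample, the remote address alone cannot tell them apart; match the local port from the capture against `lport` as well.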
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2015-08-07, 23:08

Yeah, those advertisers certainly do what they can to work their way into your systems to track your life.

For the blacklisting, are you running a mail server in your home? If so then you might have someone with a forwarder to something like AOL, Gmail etc. that when spam comes to the address on your server it is forwarded to the external mail service. As far as the external mail service is concerned the spam originates from your service since it is the one sending the spam to that address.

If you aren't running a mail server then you should look at which machine is spamming due to a hack in most cases. Blocking port 22 outbound on your network should stop the bleeding while you figure out which one is doing it.

Staring into traffic is fun ... and then it's not. Seeing what you find is more frustrating than it is fun in most cases.

Louis L'Amour, “To make democracy work, we must be a nation of participants, not simply observers. One who does not vote has no right to complain.”
Visit our archived Minecraft world! | Maybe someday I'll proof read, until then deal with it.
Ebby
Subdued and Medicated
 
Join Date: May 2004
Location: Over Yander
2015-08-08, 00:26

Quote:
Seeing what you find is more frustrating than it is fun in most cases.
You can say that again. I feel betrayed by my own systems.

I've tinkered with a mail server but I turn it off when I am done. I don't send anything but to myself.

I have been watching ports 22, 587, and 443 by collecting packets in 60 second bursts. Little Snitch shows some idle traffic at regular intervals but no spammy traffic so far. I'm kinda scratching my head.

Ignorance is bliss.

^^ One more quality post from the desk of Ebby. ^^
SSBA | SmockBogger | SporkNET
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2015-08-08, 08:31

SMTP runs on port 25, 465 (SSL) and 587 typically. It can run on any port technically though. For those that said you were spamming, look at the sample message they give you for what caused the listing. Normally it will let you know the computer or device that actually did the spamming to get you listed.

Louis L'Amour, “To make democracy work, we must be a nation of participants, not simply observers. One who does not vote has no right to complain.”
Visit our archived Minecraft world! | Maybe someday I'll proof read, until then deal with it.
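Putting the two pieces of advice in this thread together (check which MAC address the suspect traffic comes from, and watch the SMTP ports 25, 465 and 587 rather than guessing), the question "which LAN host is the one sending spam?" can be answered from the 60-second captures already being taken: count the pure SYNs (connection attempts) per source MAC toward those ports. A spambot opens port 25 directly to many different mail servers; a normal mail client opens one submission connection (587 or 465) to its own provider. The following is an added example written for this page, not code from the thread. It parses a classic libpcap file with only the standard library (Ethernet, IPv4, TCP; no pcapng, no VLAN tags, no IPv6) and includes a constructed capture with two LAN hosts so it runs offline; the MAC addresses and IPs in it are made up.

```python
import socket
import struct
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}  # as listed in the post above


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def iter_pcap(data):
    """Yield (ts_sec, frame_bytes) from a classic libpcap file held in memory."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return the Ethernet/IPv4/TCP fields we need, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None  # too short, or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 14:  # not TCP, or TCP header cut off before the flags
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    flags = tcp[13]
    return {"src_mac": mac_str(frame[6:12]), "src_ip": socket.inet_ntoa(ip[12:16]),
            "dst_ip": socket.inet_ntoa(ip[16:20]), "sport": sport, "dport": dport,
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}


def smtp_initiators(pcap_bytes):
    """Map (src MAC, src IP) -> {(dst IP, dst port): SYN count} for outbound SMTP."""
    table = defaultdict(lambda: defaultdict(int))
    for _ts, frame in iter_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p is None or not p["syn"] or p["ack"]:  # keep pure SYNs only: the initiator side
            continue
        if p["dport"] in SMTP_PORTS:
            table[(p["src_mac"], p["src_ip"])][(p["dst_ip"], p["dport"])] += 1
    return {host: dict(dsts) for host, dsts in table.items()}


def rank_suspects(table):
    """Most suspicious first: the number of distinct port-25 destinations. Direct
    delivery to many MX hosts is the spambot pattern; one 587/465 connection is not."""
    return sorted(table.items(), key=lambda kv: sum(1 for (_ip, port) in kv[1] if port == 25),
                  reverse=True)


def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags=0x02):
    """Constructed Ethernet+IPv4+TCP frame (no payload, zero checksums) for the sample."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def sample_pcap():
    """Constructed capture: host A does one HTTPS and one mail-submission connection;
    host B opens port 25 to five different servers in a row. All addresses are made up."""
    gw, (mac_a, ip_a), (mac_b, ip_b) = "00:11:22:33:44:55", ("aa:bb:cc:dd:ee:01", "192.168.1.20"), ("aa:bb:cc:dd:ee:02", "192.168.1.31")
    frames = [_frame(mac_a, gw, ip_a, "203.0.113.10", 49731, 443),
              _frame(mac_a, gw, ip_a, "198.51.100.5", 49732, 587),
              _frame(gw, mac_a, "198.51.100.5", ip_a, 587, 49732, flags=0x12)]  # SYN-ACK reply: ignored
    frames += [_frame(mac_b, gw, ip_b, f"203.0.113.{n}", 40000 + n, 25) for n in range(20, 25)]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 1438848120 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


if __name__ == "__main__":
    for (mac, ip), dsts in rank_suspects(smtp_initiators(sample_pcap())):
        print(f"{mac} {ip}: {len(dsts)} SMTP destination(s) -> {sorted(dsts)}")
```

To run it on a real file, replace `sample_pcap()` with `open("capture.pcap", "rb").read()`; CocoaPacketAnalyzer and tcpdump both write the classic format this reads, while Wireshark defaults to pcapng and needs `-F pcap` on export. A host that shows up with many port-25 destinations is the one to pull off the network and inspect, whichever OS it runs; the source MAC is what identifies it when several devices sit behind one NAT address.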