Less than Stellar Member

edit: I just checked my "attached devices" in my router and only my computers are connected.
If it's not red and showing substantial musculature, you're wearing it wrong.
monkey with a tiny cymbal
Join Date: Nov 2004
Location: Lost

Text fields where? In a browser? Or another app?
If it's a remote exploit attempt, it's going after Windows: "update.exe"... and it looks like a buffer overflow attempt. But I don't know.
Less than Stellar Member

I decided to see what that FTP server was and this was the homepage. Odd.
Last edited by torifile : 2007-04-12 at 22:28. Reason: Posts merged
is the next Chiquita
Join Date: Feb 2005

If this was an exploit attempt (not that I would know), I would imagine they'd want to hide their IP somehow, so I wouldn't suspect that homepage...
Less than Stellar Member

I'm thinking that it wasn't a remote exploit but that some hackers got hold of an open FTP server and are using it to pass around a file they've called update.exe. I've heard of this type of use of open FTP servers but I have no idea why a 1337 h4x0r would enter that on my box.
Veteran Member
Join Date: Feb 2006
Location: Arizona

Seems like some kind of Windows hack, covered up to look like an updater.... Still strange they got in your Mac.
If you can read this, please send to an admin, I am blocked and can't post....
‽

Let's analyze:
We can deduce that this update is a replacement service to create a trojan horse, opening a Windows machine for remote access.
Less than Stellar Member

And, more importantly, how can I protect myself from this happening again?
Shit. I just remembered that I've got a Windows computer on the network. It's really just a print server (an old HP LaserJet that just won't die). I bet it's compromised. Luckily there's nothing on it but Win2k and some music...
Ok. That Windows box is officially off the network.
‽

Is your Mac mini the machine doing the Internet connection sharing?
‽

What log file was this text in?
Senior Member
Join Date: Jan 2006
Location: Antwerp, Belgium

Nerdy as this may seem, I find reading this terribly exciting.
Less than Stellar Member

It was actually in the text field in the System Preferences. I think that's why that last command looks cut off.
I'll check the log files to see if there's any more info. Glad I could provide some nerd excitement.
Last edited by torifile : 2007-04-13 at 10:50. Reason: Posts merged
‽

What text field? Your host name?
BANNED
I am worthless beyond hope.
Join Date: May 2004
Location: Inner Swabia. If you have to ask twice, don't.

No... I believe he means the search field...
Less than Stellar Member

I have a whole host of sshd failure attempts on my mini. I think that my mini was assigned the IP to which I was forwarding my ssh port. I wonder if someone just happened to guess my password? All I see in security.log are failed login attempts. Is there some place where successful ones are logged? (I've logged in over SSH too, so there should be some success in there but I'm not seeing it.)
edit: my successful logins are in there but they were buried under a billion failures.
monkey with a tiny cymbal
Join Date: Nov 2004
Location: Lost

Is your username/password guessable? If so, I really wouldn't be surprised if some dictionary attack succeeded. There are a gazillion SSH dictionary attacks going on all the time.
When I had a machine open to the world with SSH, I got really tired of all the denied entries in my SSH log. So, I just changed which port was forwarded from my router. Instead of linking the router's external port 22 to the Mini's port 22, I linked some random external port, like 23422. While I must stress that this does *not* increase your security, it does reduce the number of dictionary scripts that hit your machine. You can do much more complicated things that actually do increase your security level, but I would start with a stronger password and moving SSH off of port 22.
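The two posts above raise the same question: with successful logins "buried under a billion failures" in security.log, how do you tell whether one of the dictionary runs actually got in? The check a defender wants is a success from a source address that had a pile of failures just before it. The script below is an added example, not code from the thread or from any poster. It assumes OpenSSH/PAM-style sshd lines of the kind security.log carried on Mac OS X of that era (the exact wording of the lines is an assumption); the log lines, hostname and addresses are constructed, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample of sshd lines in the OpenSSH/PAM style (format assumed;
# "mini" and the addresses are constructed documentation values, not the
# thread's). One noisy source guesses its way in; one clean source is the
# owner's own login; one other source fails once.
SAMPLE_LOG = """\
Apr 12 22:10:01 mini sshd[1201]: error: PAM: Authentication failure for root from 203.0.113.5
Apr 12 22:10:02 mini sshd[1202]: error: PAM: Authentication failure for admin from 203.0.113.5
Apr 12 22:10:03 mini sshd[1203]: error: PAM: Authentication failure for test from 203.0.113.5
Apr 12 22:10:04 mini sshd[1204]: error: PAM: Authentication failure for torifile from 203.0.113.5
Apr 12 22:10:05 mini sshd[1205]: Accepted keyboard-interactive/pam for torifile from 203.0.113.5 port 40012 ssh2
Apr 12 22:30:10 mini sshd[1300]: Accepted keyboard-interactive/pam for torifile from 198.51.100.7 port 51234 ssh2
Apr 12 23:01:00 mini sshd[1400]: error: PAM: Authentication failure for oracle from 192.0.2.44
"""

# Failed attempt: user and source address.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: error: PAM: Authentication failure for (\S+) from (\S+)")
# Successful login: auth method, user and source address.
OK_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def parse_sshd(lines):
    """Return (failures_by_ip, successes).

    failures_by_ip is a Counter of failed attempts per source address;
    successes is a list of (user, ip, method) tuples in log order.
    """
    failures = Counter()
    successes = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = OK_RE.search(line)
        if m:
            successes.append((m.group(2), m.group(3), m.group(1)))
    return failures, successes


def suspicious_logins(lines, threshold=3):
    """Successful logins whose source address also produced at least
    `threshold` failures: the trace a successful password-guessing run
    leaves behind. Returns (user, ip, failure_count) tuples."""
    failures, successes = parse_sshd(lines)
    return [(user, ip, failures[ip])
            for user, ip, _ in successes if failures[ip] >= threshold]


if __name__ == "__main__":
    failures, successes = parse_sshd(SAMPLE_LOG.splitlines())
    print("failures per source:", dict(failures))
    print("successful logins:", successes)
    for user, ip, n in suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"REVIEW: {user} logged in from {ip} after {n} failures")
```

On the sample, the owner's login from 198.51.100.7 passes quietly, while the login from 203.0.113.5, preceded by four failures against four different usernames, is flagged for review. Run the same two functions over the real security.log (`parse_sshd(open(path))`) to answer the thread's question. As the post above says, moving the forwarded port only thins out this noise; a success matched to a failure burst from the same source still means the password was guessed, which is why a strong password (or key-only authentication) is the fix rather than the port change.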
Less than Stellar Member

I'm not too terribly worried about someone getting access to my mini since it only houses music and movies. It is quite annoying though. I'll try using a different port for ssh. And I've changed my passwords just in case. 'course, I've already forgotten the new password. D'oh!
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain

Is it at all possible that you could have accidentally pasted that text into the System Preferences search field? That seems to me the simplest and most reasonable explanation.
If that were the case, the text could have easily gotten to your clipboard using JavaScript on a malicious web page.
The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
Less than Stellar Member

I tried connecting to that FTP server just to see and there's definitely one there, but the password - I presume that f1634163f is the password based on where it is in the command - doesn't work.
monkey with a tiny cymbal
Join Date: Nov 2004
Location: Lost

I think the f's are delimiters. I'd leave them out, making the password just 1634163. That said, I'm not going to try it.