Ignoracious

Strange experience...


Yesterday, I had my eMac G4 asleep and put my iPod Shuffle 2G into its dock to wake up the Mac. I have the disk mode enabled, so it appeared on the desktop as a drive. However, it didn't mount on iTunes. I repeatedly mounted and unmounted the Shuffle and suddenly a strange web folder called Limewire (something) was present in the left pane of iTunes and files were being added to it as I looked. It seemed that my iPod Shuffle was being used covertly for P2P. I immediately shut down my Mac in response, pulled out the Shuffle from its dock, and rebooted the eMac. Next, I could dock my Shuffle without those strange effects.

 

I was pretty scared with this experience, and because this is my only Mac, I hesitate to repeat the experience, to see if I can reproduce it. Just wanted to report this for possible future reference. And oh, my Mac is fully patched. I wonder if I was being hacked, or if some software is messing up my system. The only software I have installed lately is the latest Mac Update and a program called SpinXpress (which has P2P features), though that application wasn't running at the time the strange things happened.

 

BTW I have had other experiences, like my mouse cursor moving on the screen when I hadn't used it for over 10 minutes. That has been going on for a long time.

 

Now I wonder, am I targeted by a hacker, or what? To be continued, no doubt.

Share this post


Link to post
Share on other sites

Do you have kids with computers or open wireless enabled? The reason I ask is that Limewire shares songs downloaded through it just as iTunes shares your song library. Chances are that your Mac has not been hacked, but rather someone is on your network running Limewire. As for the Shuffle not mounting in iTunes, I'd suggest doing a restore on the device. Just erase the puppy and then re-sync it; that may take care of any issues you're having.

 

I'd love to hear more about your network setup and who else is using your computer, and what level of access your main account has. You may want to consider a program such as Little Snitch just to see what's going on with your network. It costs some money, but it could help you figure out if you've got some software on your machine that you don't know about that is accessing the internet.

 

I seriously doubt you've been hacked. OS X is an extremely robust system and it would be very hard for someone to remote into your system (unless you've done something like have sharing turned on for an admin account without a password). If there is something bad on your system it is most likely that someone else in your household put it there or someone tricked you somehow into installing something.

 

Regarding the cursor thing, have you tried switching to a new mouse? I had an old apple mouse that used to jitter all around the screen when you picked it up, and then eventually started freaking out the cursor randomly. Just a thought.

 

Man I wish I was at your computer right now, there is just so much I could do to help if only I knew more about your setup.

 

-Tom

Share this post


Link to post
Share on other sites

I live alone (well apart from my two cats), no-one else than me has access to the computer, and I have my eMac connected to the cable modem through an ethernet cable. I don't use wireless internet at all. The eMac even doesn't have an Airport Card installed.

 

I guess I could have installed some malware, because I like installing software. In the past, I have visited dodgy websites with Safari, and those sites often tried to install exe files (I always refused the install), though, nowadays, I do all my browsing using FireFox with the NoScript and Permit Cookies extensions, unless it is a trusted website that isn't compatible with NoScript and/or Permit Cookies. In that case I use Safari. An example is uploading movies to YouTube.

 

I know the common thought is that a fully patched Mac can't be hacked, but who's to say someone has found a way to hack a Mac remotely, and uses, among others, my Mac to perfect his hacking techniques, possibly to sell his skills to the highest bidder.

 

I would also like to add that I have inspected my firewall and removed two (inactive) ports I never put there. It could be that some software has installed itself as spyware and is trying to bypass the firewall, to do all kinds of things without my knowledge.

 

Next time something similar happens, I will try to remember to take screenshots, so you can see what is possibly wrong with my system.

 

Of course, I do regular backups, and I will look into little snitch.

 

Edit: And I do my day to day work on a non-admin account. I only use my admin-account for installing software that needs an admin-account to install (e.g. Apple's Final Cut Express).

Edited by Ignoracious

Share this post


Link to post
Share on other sites

Don't worry. EXE's do not work on Macs. The files do not do anything.

 

Get Little Snitch. There is a fully functional free trial, that you need to start up again every 3 hours. But it works. Run it, plug in the Shuffle. You will be able to see and shut down any communication with the internet before it happens. Highly useful.

Warning: Little Snitch may cause flaming napalm style death if a game tries to check for updates as it starts, sees an active internet connection and no standard firewall, but is blocked by Little Snitch. In this case, command+tab to Little Snitch, tell it to let the game through, go back to the game, the flaming napalm death will cease and you can play.

Share this post


Link to post
Share on other sites

Does your admin account have a password? Having an admin account without a password is not a good idea, even if you're not logged in to it, someone else could.

 

-Tom

Share this post


Link to post
Share on other sites
My admin account has a non-trivial password (combination of letters and numbers).

Your Mac didn't get hacked. No one is using your iPod to hack into your system so that they can.... file share. As someone else said, the .exe files and other such stuff that will occasionally be automatically downloaded from malicious sites won't do anything on a Mac. I always think it's sort of funny, kind of like that used to be a problem. As far as the Limewire folder, isn't there always a Limewire folder when you use Limewire?

Share this post


Link to post
Share on other sites

You're quite right to be vigilant about the dangers of being connected to the Internet.

 

I keep a fairly close watch on Apple security and I've never heard of an OS X machine (yet) becoming a "zombie bot" or being controlled by a third party agent. There's always a first case and certainly OS X isn't immune to these kinds of attack.

 

If you think that your security has been compromised, run Little Snitch for a couple of weeks. Either it will prove your suspicions or nothing will show up.

 

If you still have these concerns, I'd suggest creating a backup, including your preferred applications and then restoring it every week or few weeks. As an alternative, a complete install and then copying your user account to that image would also work.

 

Also, although many ISPs don't commit to providing a permanent IP address, in practice their customers' IP addresses often stay the same for months or even years. You could ask your ISP to change your IP address.

Edited by Ginamos

Share this post


Link to post
Share on other sites
> You're quite right to be vigilant about the dangers of being connected to the Internet.
>
> I keep a fairly close watch on Apple security and I've never heard of an OS X machine (yet) becoming a "zombie bot" or being controlled by a third party agent. There's always a first case and certainly OS X isn't immune to these kinds of attack.
>
> If you think that your security has been compromised, run Little Snitch for a couple of weeks. Either it will prove your suspicions or nothing will show up.
>
> If you still have these concerns, I'd suggest creating a backup, including your preferred applications and then restoring it every week or few weeks. As an alternative, a complete install and then copying your user account to that image would also work.
>
> Also, although many ISPs don't commit to providing a permanent IP address, in practice their customers' IP addresses often stay the same for months or even years. You could ask your ISP to change your IP address.

Can't you just turn off your router and modem to get a new IP address? Always works for me.

Share this post


Link to post
Share on other sites

Josh, I think our posts crossed, but no matter.

 

As far as I know IP addresses are assigned by the ISP, happy to be proved wrong. :)

 

Edit: internal network IP addresses can be whatever you like.

Edited by Ginamos

Share this post


Link to post
Share on other sites
> Josh, I think our posts crossed, but no matter.
>
> As far as I know IP addresses are assigned by the ISP, happy to be proved wrong. :)

They did cross but it doesn't matter. The ISP definitely assigns the IP address but if you turn off your modem and router then turn them back on they will request a new IP address and it won't be the same. I used to run into this because at one time I had a netgear router where you could plug in a USB drive and then you could log into it from anywhere. Every time I would have to restart my router I would need to make sure I kept track of the new IP address so I could log in. Maybe I am confused but it seems like that's all I had to do.

Share this post


Link to post
Share on other sites

Interesting, that's not been my experience in the UK and Australia, but I haven't observed closely, so I'm quite probably wrong. You probably know a lot more about practical networking than I do.

 

Normally, when I reset my router the external IP remains the same, possibly you're doing some kind of hard reset that requests a new address, I'm not really sure.

Share this post


Link to post
Share on other sites
> Interesting, that's not been my experience in the UK and Australia, but I haven't observed closely, so I'm quite probably wrong. You probably know a lot more about practical networking than I do.
>
> Normally, when I reset my router the external IP remains the same, possibly you're doing some kind of hard reset that requests a new address, I'm not really sure.

Maybe it's different in the US. All I do is turn off the modem and turn off the router and give it a few seconds. You are right though that often people have the same IP for months. If you have a good router and rarely have to restart it then you rarely get assigned a new IP or alternatively you have to request a new IP.

Share this post


Link to post
Share on other sites
> Maybe it's different in the US. All I do is turn off the modem and turn off the router and give it a few seconds. You are right though that often people have the same IP for months. If you have a good router and rarely have to restart it then you rarely get assigned a new IP or alternatively you have to request a new IP.

 

Assigning an IP to the router is the job of your ISP. Depending on what they do you may (as is my case) always have the same IP as long as you have the same account.

 

-Tom

Share this post


Link to post
Share on other sites
> Assigning an IP to the router is the job of your ISP. Depending on what they do you may (as is my case) always have the same IP as long as you have the same account.
>
> -Tom

So it just depends on the ISP whether you get a new IP every time your router looks for an IP?

Share this post


Link to post
Share on other sites

Well, I thought my system was fully patched before, but when I installed the new update of iTunes earlier today, the Security update SecUpdQuickTime716 appeared in my Software Update. Now when I insert the iPod Shuffle 2G into my sleeping Mac, it doesn't wake up the Mac anymore. So I guess that means Apple was aware of the problem with the iPod Shuffle 2G.

 

The description on http://www.apple.com/support/downloads/ of "Security Update (QuickTime 7.1.6 for Mac)" is

This update is recommended for all users and improves the security of QuickTime 7.1.6.

 

So I guess, it is possible that someone has breached the security of QuickTime and Apple fixed it.

Edited by Ignoracious

Share this post


Link to post
Share on other sites
> So it just depends on the ISP whether you get a new IP every time your router looks for an IP?

 

I believe so. All I know for sure is that it is your ISP that assigns you an IP from a huge list of IPs that they have been assigned and I had the same IP for over a year at my last apartment and unplugged my modem several times. Now that I've moved, I have a new IP even with the same ISP (but a new account).

 

-Tom

Share this post


Link to post
Share on other sites
> Well, I thought my system was fully patched before, but when I installed the new update of iTunes earlier today, the Security update SecUpdQuickTime716 appeared in my Software Update. Now when I insert the iPod Shuffle 2G into my sleeping Mac, it doesn't wake up the Mac anymore. So I guess that means Apple was aware of the problem with the iPod Shuffle 2G.
>
> The description on http://www.apple.com/support/downloads/ of "Security Update (QuickTime 7.1.6 for Mac)" is
>
> So I guess, it is possible that someone has breached the security of QuickTime and Apple fixed it.

This update fixes the exploit recently shown in that $10k contest to hack a mac. http://www.macrumors.com/2007/04/21/macboo...test-won-10000/

Share this post


Link to post
Share on other sites

Anyway, I guess if my provider doesn't change my IP address, and there is a real chance that a directly connected Mac can be hacked, I should put a router between my Mac and the cable modem. I have done without a router for a long time, but it seems the time has come that Macs are interesting enough for computer criminals to target.

 

Some of you might not be convinced, but I have had a strange enough experience to be convinced that Macs can be hacked if someone is determined enough.

Share this post


Link to post
Share on other sites

Well, I asked on a Dutch webforum if I was hacked, and they said: "No!" It seems that with cable modems you share connection with some of your neighbors (as in a section). It means if I turn the search for shared libraries on in iTunes, I could see a Limewire folder appearing there. Furthermore, it is possible for those neighbors to see my Internet traffic in the clear, such as e-mail passwords, so I should use an encrypted connection (https for webmail and SSL for e-mail), and hope my forum passwords and such aren't stolen. If I wanted an unshared Internet access, I should use a DSL type of connection.

 

I never heard of this security risk with cable modems. Has anyone of you heard of it?

 

Anyway, that should mean that I'm not hacked!

 

On the other hand, I have discovered a possible security risk.

Share this post


Link to post
Share on other sites
> Well, I asked on a Dutch webforum if I was hacked, and they said: "No!" It seems that with cable modems you share connection with some of your neighbors (as in a section). It means if I turn the search for shared libraries on in iTunes, I could see a Limewire folder appearing there. Furthermore, it is possible for those neighbors to see my Internet traffic in the clear, such as e-mail passwords, so I should use an encrypted connection (https for webmail and SSL for e-mail), and hope my forum passwords and such aren't stolen. If I wanted an unshared Internet access, I should use a DSL type of connection.
>
> I never heard of this security risk with cable modems. Has anyone of you heard of it?
>
> Anyway, that should mean that I'm not hacked!
>
> On the other hand, I have discovered a possible security risk.

The same thing applies as before. No one cares to hack your forum passwords. Still as a general precaution you should get a router. If you put yourself behind a router I think you will be cordoning off a section of the greater network which should take care of any potential security risks. I knew the limewire thing was familiar and not unusual but no amount of Google searching got me to the solution. I would have had to just remember that. I have seen it before in offices and other large networks but I completely forgot, so thanks for the solution.

Share this post


Link to post
Share on other sites
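
What the thread concludes happened, as an added example that is not part of any post: iTunes finds shared libraries through Bonjour (multicast DNS) announcements for the `_daap._tcp` service type, so a share announced by another machine on the same unrouted segment shows up in the sidebar. This sketch parses constructed mDNS responses and reports DAAP shares announced by hosts that are not yours; the addresses, share names and function names are assumptions made for illustration.

```python
import struct

DAAP = "_daap._tcp.local"   # Bonjour service type iTunes browses for shared libraries

def read_name(pkt, off):
    """Decode the DNS name at `off`, following compression pointers.
    Returns (dotted_name, offset just past the name at its original position)."""
    labels, resume, hops = [], None, 0
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if resume is None:
                resume = off + 2
            off = ((n & 0x3F) << 8) | pkt[off + 1]
            hops += 1
            if hops > 16:                         # refuse pointer loops
                raise ValueError("DNS compression loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels), resume if resume is not None else off
        labels.append(pkt[off:off + n].decode("utf-8", "replace"))
        off += n

def daap_shares(pkt):
    """Instance names announced in PTR records for _daap._tcp.local."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(pkt, off)
        off += 4
    found = []
    for _ in range(an + ns + ar):
        owner, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 12 and owner.lower() == DAAP:  # 12 = PTR
            target, _ = read_name(pkt, off)
            found.append(target.rsplit("." + DAAP, 1)[0])
        off += rdlen
    return found

def unexpected_shares(observations, own_hosts):
    """(source_ip, share_name) for each DAAP announcement not sent by our own machines."""
    return [(src, name) for src, pkt in observations if src not in own_hosts
            for name in daap_shares(pkt)]

def _announcement(instance):
    """Build a constructed mDNS response carrying one DAAP PTR record."""
    owner = b"".join(bytes([len(l)]) + l.encode() for l in DAAP.split(".")) + b"\0"
    rdata = bytes([len(instance)]) + instance.encode() + b"\xc0\x0c"  # pointer to owner at offset 12
    return (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + owner +
            struct.pack("!HHIH", 12, 1, 4500, len(rdata)) + rdata)

# Constructed sample traffic (documentation addresses, made-up share names).
SAMPLE = [("192.0.2.10", _announcement("My eMac Library")),
          ("192.0.2.77", _announcement("Limewire on neighbour-pc"))]

if __name__ == "__main__":
    for src, name in unexpected_shares(SAMPLE, own_hosts={"192.0.2.10"}):
        print(f"DAAP share '{name}' announced by {src}, which is not one of my hosts")
```

Behind a router the neighbour's multicast announcements no longer reach the Mac, so a check like this would come back empty.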

Good news, you're getting closer to the problem.

 

I have read about shared cable modems compromising security (may even have been on this forum about 18 months ago). Can't give you any first hand experience as I've never used a cable modem, but the advice you've been given is very probably correct.

 

I didn't realise you had no router, adding a router will provide an additional hardware firewall and is definitely recommended.

 

I assume the issue with the mouse cursor moving was probably just down to an old malfunctioning mouse.

 

In the long-term you probably need to look at moving to a DSL connection.

Share this post


Link to post
Share on other sites
Guest Chris Mt.Pleasant

I agree. Definitely get a router, make sure your Sharing prefs are locked down, and get little snitch installed. Limewire is no big threat to us Mac users but someone in your neighborhood may be partaking in some file sharing. A router will provide a hardware firewall that won't let that happen again.

Share this post


Link to post
Share on other sites

^^ that's what I was going to say... I lived in an apartment with another girl, and her "Limewire" folder would show up on the left-hand side of my iTunes... only when her Limewire was running.

Share this post


Link to post
Share on other sites
> They did cross but it doesn't matter. The ISP definitely assigns the IP address but if you turn off your modem and router then turn them back on they will request a new IP address and it won't be the same. I used to run into this because at one time I had a netgear router where you could plug in a USB drive and then you could log into it from anywhere. Every time I would have to restart my router I would need to make sure I kept track of the new IP address so I could log in. Maybe I am confused but it seems like that's all I had to do.

Renewal of IP-addies is dependent upon the lease duration. Some ISPs use 2-3 weeks lease durations - so you need to be logged OFF during that time to be awarded a new IP addy.

In general intranet-networks that lease time is set to 45 minutes or 1 hour in general.

The long lease period is said to be advantageous for the user (not that I can see any advantage) in that they always have the same IP address. To me it is making your protection in jeopardy by leaving it the same year in year out.

The argument of lease renewal is not a very valid one in general for ISPs.

 

HTH

Rob

Share this post


Link to post
Share on other sites
