Date: Mar 26, 2008 16:40
Yesterday my daughter called in a panic that her iMac had been taken
over. She states that her cursor was moving contrary to her inputs.
She was browsing "Facebook" at the time. I VNCed in to her machine and
viewed the console logs. Here is an excerpt.
3/26/08 1:40:32 PM ftpd[788] repeated login failures from 121.88.5.53
3/26/08 1:40:32 PM com.apple.ftpd[658] launchproxy[658]:
/usr/libexec/ftpd: Connection from: 121.88.5.53 on port: 53521
3/26/08 1...
Author: Jolly Roger Date: Mar 26, 2008 19:27
> Yesterday my daughter called in a panic that her iMac had been taken
> over. She states that her cursor was moving contrary to her inputs.
> She was browsing "Facebook" at the time.
Was her cursor actually doing anything as if someone else was
controlling it?
> I VNCed in to her machine and viewed the console logs.
How, exactly, is the VNC service enabled on her computer? Are you
running your own VNC service such as Vine Server on the computer, or are
you using Apple's built-in screen sharing service? Are you accessing the
service through an SSH tunnel?
> Here is an excerpt.
>
> 3/26/08 1:40:32 PM ftpd[788] repeated login failures from 121.88.5.53
> 3/26/08 1:40:32 PM com.apple.ftpd[658] launchproxy[658]:
> /usr/libexec/ftpd: Connection from: 121.88...
Author: Jolly Roger Date: Mar 26, 2008 19:29
In article <260320082010412638%%dave@N_O_T_T_H_I_Sbalderstone.ca>,
Dave Balderstone wrote:
> In article <2008032619402316807-rdembyATmaccom@ news.panic.com>, Rob
> wrote:
>
>> Is this a DOS attack or some other form of intrusion and what measures
>> do I need to take to prevent further attempts...
Author: Jolly Roger Date: Mar 26, 2008 19:30
In article news.west.cox.net>,
Michelle Steiner michelle.org> wrote:
>> Is this a DOS attack or some other form of intrusion and what
>> measures do I need to take to prevent further attempts.
>
> It is indeed an attempted intrusion, from a site in Korea.
>
> Your log shows that the attempts all failed, so I doubt that her cursor
> problems were related to that.
Well to be more correct:
The *portion* of the log shows that attempts *during that time* failed.
--
Please send all responses to the relevant news group. E-mail sent to
this address may be devoured by my very hungry SPAM filter. I do not
read posts from Google Groups. Use a real news reader if you want me to
see your posts.
Author: Jolly Roger Date: Mar 26, 2008 19:35
In article
earthlink.vsrv-sjc.supernews.net>,
Jolly Roger pobox.com> wrote:
>> Yesterday my daughter called in a panic that her iMac had been taken
>> over. She states that her cursor was moving contrary to her inputs.
>> She was browsing "Facebook" at the time.
>
> Was her cursor actually doing anything as if someone else was
> controlling it?
In other words was it just moving randomly around the screen, or did it
appear that someone else was actually controlling it and attempting to
control the computer?
Author: Barry Margolin Date: Mar 26, 2008 21:37
In article
earthlink.vsrv-sjc.supernews.net>,
Jolly Roger pobox.com> wrote:
>> Here is an excerpt.
>>
>> 3/26/08 1:40:32 PM ftpd[788] repeated login failures from 121.88.5.53
>> 3/26/08 1:40:32 PM com.apple.ftpd[658] launchproxy[658]:
>> /usr/libexec/ftpd: Connection from...
Author: Jolly Roger Date: Mar 26, 2008 21:49
In article newsgroups.comcast.net>,
Barry Margolin alum.mit.edu> wrote:
> In article
> earthlink.vsrv-sjc.supernews.net>,
> Jolly Roger pobox.com> wrote:
>
>>> Here is an excerpt.
>>>
>>> 3/26/08 1:40:32 PM ftpd[788] repeated...
Author: Jolly Roger Date: Mar 26, 2008 22:02
In article <260320082237321291%%dave@N_O_T_T_H_I_Sbalderstone.ca>,
Dave Balderstone wrote:
> In article
> earthlink.vsrv-sjc.supernews.net>,
> Jolly Roger pobox.com> wrote:
>
>> Note that we were not shown the entire log for that day, nor have we seen
>> logs for other days.
>>
>> At this point, we are unable to tell for sure whether or not the FTP or
>> VNC services were compromised on this computer.
>
> You working for Symantec now?
Nope. I'm simply pointing out there's a lot we *don't* know about the
situation.
What we *do* know, however, gives cause for at least a small amount of
concern for the well being of the OP's daughter's system. I feel this
concern is perfectly legitimate.
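The whole-log check this post argues for, sketched as an added example that is not part of the original thread: it re-joins the wrapped console-log lines quoted above, then counts FTP connections and "repeated login failures" reports per source address across every day in the file. The sample log is constructed, and 203.0.113.9, the function names and the "unexplained" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the log format quoted in the thread (not real data).
SAMPLE_LOG = """\
3/25/08 11:02:10 PM com.apple.ftpd[601] launchproxy[601]:
/usr/libexec/ftpd: Connection from: 203.0.113.9 on port: 40112
3/26/08 1:40:30 PM com.apple.ftpd[658] launchproxy[658]:
/usr/libexec/ftpd: Connection from: 121.88.5.53 on port: 53521
3/26/08 1:40:32 PM ftpd[788] repeated login failures from 121.88.5.53
"""

STAMP = re.compile(r"^(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) (.*)$")
CONNECT = re.compile(r"ftpd: Connection from: (\S+) on port: \d+")
FAILURE = re.compile(r"repeated login failures from (\S+)")

def join_wrapped(text):
    """Re-attach wrapped continuation lines (no timestamp) to their entry."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    """Per source IP: connections, failure reports and the days seen."""
    stats = defaultdict(lambda: dict(connections=0, failure_reports=0, days=set()))
    for entry in join_wrapped(text):
        m = STAMP.match(entry)
        if not m:
            continue  # not a timestamped console entry
        day = datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p").date()
        for key, rx in (("connections", CONNECT), ("failure_reports", FAILURE)):
            hit = rx.search(m.group(2))
            if hit:
                stats[hit.group(1)][key] += 1
                stats[hit.group(1)]["days"].add(day)
    return dict(stats)

def unexplained(stats):
    """Sources that connected but left no failure report; check by hand."""
    return sorted(ip for ip, s in stats.items()
                  if s["connections"] and not s["failure_reports"])

if __name__ == "__main__":
    print(unexplained(summarize(SAMPLE_LOG)))
```

A source listed by `unexplained` is not proof of a successful login; it only marks connections the log does not account for as failed.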
Author: David Stone Date: Mar 27, 2008 05:06
In article news.west.cox.net>,
Michelle Steiner michelle.org> wrote:
> In article
> earthlink.vsrv-sjc.supernews.net>,
> Jolly Roger pobox.com> wrote:
>
>>> Your log shows that the attempts all failed, so I doubt that her
>>> cursor problems were related to that.
>>
>> Well to be more correct:
>>
>> The *portion* of the log shows that attempts *during that time*
>> failed.
>
> True. I (rashly) assumed that he posted all the relevant parts of the
> log.
The other problem is that _successful_ connections are not logged in
ipfw.log - you'd have to use netstat or lsof to see if something
was successfully connected over the internet.
Author: Jolly Roger Date: Mar 27, 2008 10:57
In article ,
David Stone wrote:
> In article news.west.cox.net>,
> Michelle Steiner michelle.org> wrote:
>
>> In article
>>