
Re: [tlug] How to detect unwelcome visitors on my macbook?



Yesterday I accidentally used a non-tlug-registered account to reply. Here is my current status:

Am 06.09.11 17:02, schrieb Bkay:
What services are running/accessible to the outside world?

$ netstat -an | grep LISTEN
tcp4       0      0  127.0.0.1.895          *.*                    LISTEN
tcp4       0      0  127.0.0.1.8080         *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN

Above is an example from my MBP, only localhost so nothing accessible from the outside.
bash-3.2$ sudo netstat -an | grep LISTEN
Password:
tcp6       0      0  fe80::1%lo0.49219      *.*                    LISTEN
tcp4       0      0  127.0.0.1.26164        *.*                    LISTEN
tcp4       0      0  *.17500                *.*                    LISTEN
tcp4       0      0  *.1715                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.6969         *.*                    LISTEN
tcp4       0      0  127.0.0.1.64022        *.*                    LISTEN
tcp4       0      0  127.0.0.1.6970         *.*                    LISTEN
tcp4       0      0  127.0.0.1.12311        *.*                    LISTEN
tcp4       0      0  127.0.0.1.6968         *.*                    LISTEN
tcp4       0      0  *.12346                *.*                    LISTEN
tcp4       0      0  *.12345                *.*                    LISTEN
tcp4       0      0  *.10022                *.*                    LISTEN
tcp46      0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
bash-3.2$

If I compare with this:

bash-3.2$ sudo lsof -iTCP -sTCP:LISTEN
Password:
COMMAND  PID   USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
launchd    1   root   19u  IPv6 0x05a5ae20      0t0  TCP localhost:ipp (LISTEN)
launchd    1   root   20u  IPv4 0x05a5fb98      0t0  TCP localhost:ipp (LISTEN)
httpd     18   root    4u  IPv6 0x05a5abb0      0t0  TCP *:http (LISTEN)
sesinetd  46   root    3u  IPv4 0x05a5c6c8      0t0  TCP *:houdini-lm (LISTEN)
tcprelay  47   root    3u  IPv4 0x05a5f378      0t0  TCP *:10022 (LISTEN)
tcprelay  47   root    4u  IPv4 0x05a5ef68      0t0  TCP *:italk (LISTEN)
tcprelay  47   root    5u  IPv4 0x05a5eb58      0t0  TCP *:12346 (LISTEN)
novacomd  48   root    3u  IPv4 0x05a5e338      0t0  TCP localhost:6968 (LISTEN)
novacomd  48   root    4u  IPv4 0x05a5df28      0t0  TCP localhost:12311 (LISTEN)
novacomd  48   root    5u  IPv4 0x05a5db18      0t0  TCP localhost:6970 (LISTEN)
novacomd  48   root    6u  IPv4 0x05a5d708      0t0  TCP localhost:64022 (LISTEN)
novacomd  48   root    7u  IPv4 0x05a5d2f8      0t0  TCP localhost:acmsoda (LISTEN)
httpd     88   _www    4u  IPv6 0x05a5abb0      0t0  TCP *:http (LISTEN)
Dropbox  242 ulrike   18u  IPv4 0x05a5e748      0t0  TCP *:17500 (LISTEN)
Dropbox  242 ulrike   25u  IPv4 0x05a5c2b8      0t0  TCP localhost:26164 (LISTEN)
java     372 ulrike   39u  IPv6 0x05a5a1f0      0t0  TCP localhost:49219 (LISTEN)
bash-3.2$

... then I can easily match:

tcp4       0      0  *.17500                *.*                    LISTEN
Dropbox  242 ulrike   18u  IPv4 0x05a5e748      0t0  TCP *:17500 (LISTEN)

tcp4       0      0  *.12346                *.*                    LISTEN
tcprelay  47   root    5u  IPv4 0x05a5eb58      0t0  TCP *:12346 (LISTEN)

tcp4       0      0  *.10022                *.*                    LISTEN
tcprelay  47   root    3u  IPv4 0x05a5f378      0t0  TCP *:10022 (LISTEN)

... which leaves:

tcp4       0      0  *.1715                 *.*                    LISTEN
tcp4       0      0  *.12345                *.*                    LISTEN
tcp46      0      0  *.80                   *.*                    LISTEN

httpd     18   root    4u  IPv6 0x05a5abb0      0t0  TCP *:http (LISTEN)
sesinetd  46   root    3u  IPv4 0x05a5c6c8      0t0  TCP *:houdini-lm (LISTEN)
tcprelay  47   root    4u  IPv4 0x05a5ef68      0t0  TCP *:italk (LISTEN)
httpd     88   _www    4u  IPv6 0x05a5abb0      0t0  TCP *:http (LISTEN)

Both httpd are probably *.80; that leaves the others to match sesinetd and tcprelay. There is probably a more elegant way to do this?

Am 07.09.11 02:42, schrieb Simon Cozens:
I would want to know (a) where it lives: "lsof -p 47 | grep txt" and
bash-3.2$ sudo lsof -p 47 | grep txt
tcprelay  47 root  txt    REG       14,2     17728 2522044 /opt/nova/bin/tcprelay
tcprelay  47 root  txt    REG       14,2   1054960 1795653 /usr/lib/dyld
tcprelay  47 root  txt    REG       14,2 229736448 5970774 /private/var/db/dyld/dyld_shared_cache_i386
bash-3.2$
(b) who's starting it and why: grep -r tcprelay /System/Library/Launch* /Library/Launch*
bash-3.2$ sudo grep -r tcprelay /System/Library/Launch* /Library/Launch*
/Library/LaunchDaemons/com.palm.tcprelay: <string>com.palm.tcprelay</string>
/Library/LaunchDaemons/com.palm.tcprelay: <string>/opt/nova/bin/tcprelay</string>
bash-3.2$

So tcprelay seems to be part of the Palm development stuff I tested a year ago. This is probably much better than what Google found: http://www.kinostudios.com/tcprelay.php

And sesinetd is related to 3d animation licensing: http://www.sidefx.com/index.php?option=com_content&task=view&id=1283&Itemid=273

bash-3.2$ sudo lsof -p 46 | grep txt
sesinetd  46 root  txt    REG       14,2   2794880 3001580 /Library/Frameworks/Houdini.framework/Versions/11.0.581/Resources/houdini/sbin/sesinetd
sesinetd  46 root  txt    REG       14,2    191232   15971 /usr/lib/libmx.A.dylib
sesinetd  46 root  txt    REG       14,2   1054960 1795653 /usr/lib/dyld
sesinetd  46 root  txt    REG       14,2 233680896 5970778 /private/var/db/dyld/dyld_shared_cache_x86_64
bash-3.2$

bash-3.2$ sudo grep -r sesinetd /System/Library/Launch* /Library/Launch*
/Library/LaunchDaemons/com.sidefx.sesinetd.plist: <string>com.sidefx.sesinetd</string>
/Library/LaunchDaemons/com.sidefx.sesinetd.plist: <string>/Library/Frameworks/Houdini.framework/Versions/Current/Resources/houdini/sbin/sesinetd</string>
/Library/LaunchDaemons/com.sidefx.sesinetd.plist: <string>/Library/Logs/sesinetd.log</string>
bash-3.2$


Make sure your firewall is up and running....here is a good guide to secure your Macbook and how to check for this
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#AppleMac
Wonderful!
If no services are accessible from the outside (you can always check by running NMAP from another system on the LAN), it will be hard for anyone to take over control of your Macbook....
I had "stealth mode" switched on, but nmap reported that this might be the case and suggested options with which it obviously scanned all ports and reported that all of them were filtered. Maybe "stealth mode" is not really necessary or helpful?

There are always "dial-home" baddies or reverse connections.... for the paranoid I can recommend Little Snitch.
http://www.obdev.at/products/littlesnitch/index.html
Interesting to watch what is connecting where, even if I don't understand everything. But I can test what I am missing if I do not allow a connection.

Hope this can give some peace of mind. I'm curious to see if you 'discover' anything. I'm familiar with forensics on Linux and Windows but not so much MacOS although some principles/tools also apply I guess.

Feel free to ping me if you need more help.
Thanks a lot for all the replies! I do feel much better now. Even though I still have the impression that my thunderbird has a little life of its own, but it might be me who had forgotten what I did before, I will observe it. Just hope that there is no problem with the battery.

Uli
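One way to do the netstat/lsof matching from the post automatically, as an added example and not code from the thread: it parses constructed sample lines modelled on the two listings above, resolves the service names lsof printed through an assumed small table (on a real system these come from /etc/services), and joins on port so that any port bound to all interfaces with no owning process stands out.

```python
# Constructed sample lines modelled on the netstat and lsof listings in the thread
NETSTAT = """\
tcp4       0      0  *.17500                *.*                    LISTEN
tcp4       0      0  *.1715                 *.*                    LISTEN
tcp4       0      0  *.12345                *.*                    LISTEN
tcp46      0      0  *.80                   *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  *.4444                 *.*                    LISTEN
"""
LSOF = """\
COMMAND  PID   USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
launchd 1 root 19u IPv6 0x05a5ae20 0t0 TCP localhost:ipp (LISTEN)
httpd 18 root 4u IPv6 0x05a5abb0 0t0 TCP *:http (LISTEN)
httpd 88 _www 4u IPv6 0x05a5abb0 0t0 TCP *:http (LISTEN)
sesinetd 46 root 3u IPv4 0x05a5c6c8 0t0 TCP *:houdini-lm (LISTEN)
tcprelay 47 root 4u IPv4 0x05a5ef68 0t0 TCP *:italk (LISTEN)
Dropbox 242 ulrike 18u IPv4 0x05a5e748 0t0 TCP *:17500 (LISTEN)
"""
# Assumed name->port table for the service names lsof printed in the thread;
# on a real system these come from /etc/services (or run lsof with -nP).
SERVICES = {"http": 80, "ipp": 631, "houdini-lm": 1715, "italk": 12345}

def port_of(service):
    # lsof prints a number when it knows no name, otherwise a service name
    return int(service) if service.isdigit() else SERVICES.get(service)

def parse_netstat(text):
    """Map local port -> True when bound to all interfaces ('*'), else False."""
    ports = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[-1] == "LISTEN":
            addr, port = f[3].rsplit(".", 1)   # macOS netstat writes addr.port
            ports[int(port)] = addr == "*"
    return ports

def parse_lsof(text):
    """Map local port -> list of (command, pid, user) with a listener on it."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 10 and f[-1] == "(LISTEN)":
            port = port_of(f[8].rsplit(":", 1)[1])   # NAME column is host:service
            if port is not None:
                procs.setdefault(port, []).append((f[0], int(f[1]), f[2]))
    return procs

def match_listeners(netstat, lsof):
    """Join by port: an external port with empty owners is the one to look at first."""
    procs = parse_lsof(lsof)
    return {p: {"external": ext, "owners": procs.get(p, [])}
            for p, ext in parse_netstat(netstat).items()}
```

On the real machine, `sudo lsof -nP -iTCP -sTCP:LISTEN` prints numeric addresses and ports directly, which removes the name-resolution step altogether.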

