Mac Forum / General / Networking / July 2005
Possible security problem?

Tony Cameron - 27 Jul 2005 15:16 GMT
I am running a Mac G5 with 10.3.9 and have just discovered that at
regular but intermittent intervals, several times an hour, the process
nmbd attempts to make a UDP contact with a wide variety of addresses
mostly US based, but some European, on various ports ranging from 135 to
62253.

I run Firewalk X2 but have not worried in the past about what apps and
processes were getting out, just incoming, but turned logging on the
other day and discovered this consistent communication. I have blocked
nmbd for the moment, with no apparent ill effects, but I am very curious
as to the reason behind it. I don't see how I could have been hacked,
but it does look suspicious.

This occurs regardless of the apps running at the time, even after
rebooting and with nothing aside from system services started. I do have
Virtual PC on the system, but even with it not started, or killing it
from the activity monitor makes no difference to the activity. Samba is
not running.

Can anybody shed some light on this? Google doesn't seem to offer much
in the way of explanation.

Regards

Tony
Tom Stiller - 27 Jul 2005 15:30 GMT
> I am running a Mac G5 with 10.3.9 and have just discovered that at
> regular but intermittent intervals, several times an hour, the process
[quoted text clipped - 17 lines]
> Can anybody shed some light on this? Google doesn't seem to offer much
> in the way of explanation.

nmbd is part of the samba PC file sharing suite.  If you don't need
samba, turn off "Windows Sharing" in the Sharing System Preferences
pane.  If you need samba, but want to restrict its activities, read up
on the configuration options in the man page for smb.conf.

Signature

Tom Stiller

PGP fingerprint =  5108 DDB2 9761 EDE5 E7E3
                  7BDA 71ED 6496 99C0 C7CF

J. David Anderson - 27 Jul 2005 15:38 GMT
>>I am running a Mac G5 with 10.3.9 and have just discovered that at
>>regular but intermittent intervals, several times an hour, the process
[quoted text clipped - 22 lines]
> pane.  If you need samba, but want to restrict its activities, read up
> on the configuration options in the man page for smb.conf.

Hi Tom

That is why I mentioned that Samba is not a part of the equation.

Even so, if it was enabled why would nmbd be sending packets all over
the world? That is what has me intrigued.

Regards

Tony
Tom Stiller - 27 Jul 2005 19:15 GMT
> >>I am running a Mac G5 with 10.3.9 and have just discovered that at
> >>regular but intermittent intervals, several times an hour, the process
[quoted text clipped - 29 lines]
> Even so, if it was enabled why would nmbd be sending packets all over
> the world? That is what has me intrigued.

Sorry, I slipped right by the comment on samba.  One question is: why is
nmbd running at all?  It isn't running on my machine.

Signature

Tom Stiller

PGP fingerprint =  5108 DDB2 9761 EDE5 E7E3
                  7BDA 71ED 6496 99C0 C7CF

Véronique Souchon - 27 Jul 2005 20:56 GMT
On 28/7/05 4:15 AM, in article
tomstiller-03EA0F.14154127072005@comcast.dca.giganews.com, "Tom Stiller"
<tomstiller@comcast.net> wrote:

>>> Nnbd is part of the samba PC file sharing suite.  If you don't need
>>> samba, turn off "Windows Sharing" in the Sharing System Preferences
[quoted text clipped - 10 lines]
> Sorry, I slipped right by the comment on samba.  One question is: why is
> nmbd running at all?  It isn't running on my machine.

This is what is so intriguing Tom. I am not at all expert but I am trying to
learn. I have purchased several books on OSX and Unix and am struggling a
bit, but getting more experienced. I have booted the system in verbose mode,
looked at the start-up sequence and don't see nmbd starting, but a few
minutes later it is running. I look at it in the activity monitor and it
says that the parent process is msinit but I can't FIND msinit. It isn't
running. It is as though I have a hidden program that is mimicking another
application or somehow fooling the OS, or at least fooling the Activity
Monitor. The only google references to msinit are to windows exe files and
they certainly wouldn't be running on a Mac. VPC wasn't running so they
wouldn't be running there either.

I need to learn a lot more.

Judging by the way the addresses that it attempts to contact resolve, it has
to be something nefarious. I have done a port scan and I only have three
ports open, time server and dns etc. I have verbose logging on and have
checked very carefully, but nothing untoward has attempted to gain access. I
had thought that something was triggering nmbd but nothing seems to be. I
have searched my hard drive with some of the addresses that it has tried to
reach - a very very slow process, but nothing came up. I am lost. I don't
know what is starting it, and I don't know where it is being fed addresses
from, and I don't know its purpose. I have allowed it to send packets out a
couple of times, wondering if I would log some response to it, but nothing
seems to happen. I certainly don't get responses logged from any of the
addresses it seeks out. I have scanned the addresses and ports that it tries
to reach using the network utility and those ports are usually open.

I feel that whatever it is, it probably came as a result of Virtual PC. When
I first installed Virtual PC, it was turning the Firewall off, a problem
noted in several MS virtual PC discussion areas. I would try to start the
firewall manually and it would put a message up that another firewall was
running and then shut down. When I became aware of the problem, I disabled
VPC's networking and it stopped turning the firewall off, but maybe
something got into the system before I did something about it.

I have possibly been too confident that Macs and OSX are not at risk from
trojans and viruses the way PCs are. An ex boyfriend always told me that
Macs didn't have to worry about these things. It would not have been the only
thing that he was wrong about. ;)

V.
Leonard Blaisdell - 27 Jul 2005 22:58 GMT
> The only google references to msinit are to windows exe files and
> they certainly wouldn't be running on a Mac. VPC wasn't running so they
> wouldn't be running there either.

They are to Windows worms and trojans. There is or was Windows malware
that would run on a Mac providing you were running Microsoft programs.
I'd be a bit concerned and scan the first twenty google pages for clues.
Ignore the "Windows only" stuff if Microsoft is anywhere on your system.
Especially if you're using Samba. I forget if you said you were.
<http://www.susaaland.dk/unofficial-samba-howto/index.html> does mention
msinit in a couple of places. And the daemon you say fires up is a Samba
daemon.
The good news, if you have a problem, is that it won't affect your Mac.
But it may spew zombie crap to Windows machines if it's working. I'll be
interested in the outcome. Please keep us posted.
My worst conjecture is that you may have an infected Samba server that
may be functional. I doubt it's that bad. And I don't remember whether
you are using samba :-)
But it sounds like msinit is firing it up.

leo

Signature

<http://web0.greatbasin.net/~leo/>

Tom Stiller - 27 Jul 2005 22:59 GMT
> On 28/7/05 4:15 AM, in article
> tomstiller-03EA0F.14154127072005@comcast.dca.giganews.com, "Tom Stiller"
[quoted text clipped - 26 lines]
> they certainly wouldn't be running on a Mac. VPC wasn't running so they
> wouldn't be running there either.

The Console application is an excellent tool for selecting and examining
log files.  You might see if there are any entries in the samba log or
if you can find the launch of nmbd in one of the system logs.  Other than
that I have no idea where to look.  

I do know that my router is bombarded with connection attempts to ports
1026 and 1027 (I think those are associated with Windows networking)
which I attribute to zombies looking for a host to infect.

Signature

Tom Stiller

PGP fingerprint =  5108 DDB2 9761 EDE5 E7E3
                  7BDA 71ED 6496 99C0 C7CF

NormanM - 28 Jul 2005 04:21 GMT
> I do know that my router is bombarded with connection attempts to ports
> 1026 and 1027 (I think those are associated with Windows networking)
> which I attribute to zombies looking for a host to infect.

I rather suspect "messenger spam". All the packets I see destined for those
ports are UDP packets. Unless the zombie is small enough to be contained in
a single UDP packet. The Windows Messenger Service (not to be confused with
Windows Messenger, the IM) works with UDP packets.

Signature

Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

Simon Slavin - 29 Jul 2005 20:58 GMT
On 28/07/2005, Véronique Souchon wrote in message
<BF0E2409.12C46%veronique_souchon@hotmail.com>:

> This is what is so intriguing Tom. I am not at all expert but I am
> trying to learn.

Well I /am/ an expert and all I can do is curse Microsoft.

nmbd is part of the Samba distribution: it's the Unix implementation
of Microsoft's NETBIOS protocol handler.  It doesn't do file sharing,
it does the Microsoft equivalent of something like DNS or Rendezvous.
It can be needed if you're doing anything in a Windows-like manner,
for instance talking to printers which only speak Windows, but if
you're just doing Unix or Mac you don't need it at all.

So do you have any Windows functions enabled ?  Are you printing to
Windows computers or enabling file-sharing with Windows computers ?
If not, go to the Sharing System Preferences panel and turn everything
you're not using off.  Then reboot.  Then see if the problem continues
to happen.

Simon.
Signature

Using pre-release version of newsreader.
Please tell me if it does weird things.

Véronique Souchon - 27 Jul 2005 16:17 GMT
On 28/7/05 12:30 AM, in article
tomstiller-E2B975.10304927072005@comcast.dca.giganews.com, "Tom Stiller"
<tomstiller@comcast.net> wrote:

>> I am running a Mac G5 with 10.3.9 and have just discovered that at
>> regular but intermittent intervals, several times an hour, the process
[quoted text clipped - 22 lines]
> pane.  If you need samba, but want to restrict its activities, read up
> on the configuration options in the man page for smb.conf.

I am curious about this also. I have "Little Snitch" running on my iBook
and it keeps telling me that nmbd wants to contact addresses all over the
place. I have asked a few people but no one seems to really be sure what is
happening. I don't have any local network but I just checked and Windows
sharing was turned on, but it isn't really necessary so I have turned it
off. I will wait to see if nmbd still wants to chat to everyone.

Hah, as I was typing that, the Little Snitch window popped up saying that
nmbd wanted permission to talk to 59.113.15.201 on port 1026.

It is always a different address that it wants to go to and often with a
different port. Why would that be? I travel a lot for my job, and it doesn't
seem to matter what country I am in, it mostly wants to go to an American
address or sometimes Soviet/Polish address. It has been doing it for many
months.

Perhaps I need to reboot after making the windows sharing change before it
takes effect? I have some familiarity with my computer and OSX but I am far
from expert, so I often puzzle about things. I learned to use Unix (a
little) in University, just enough to earn some credit for my degree. I
should have studied harder, because I quite enjoy it.

I was just about to send when Little Snitch popped up with a new request,
copied below.

The application "nmbd" wants to connect to adsl190.231.axelero.hu on UDP
port 1027 (exosee)

My network utility says that this address is in Hungary.

I am really, really curious. Is someone trying to use my computer illegally?

V.
Jim - 27 Jul 2005 16:16 GMT
> I was just about to send when Little Snitch popped up with a new request,
> copied below.
[quoted text clipped - 5 lines]
>
> I am really, really curious. Is someone trying to use my computer illegally?

Could it be responding to automated Windows worm connection attempts?

Jim
Signature

Find me at http://www.ursaMinorBeta.co.uk
"The voices that control me from inside my head
Say I shouldn't kill you yet." - Jonathan Coulton, 'Skullcrusher Mountain'

Véronique Souchon - 27 Jul 2005 16:43 GMT
On 28/7/05 1:16 AM, in article slrndef9ap.mh2.jim@odin.magrathea.local,

>> I was just about to send when Little Snitch popped up with a new request,
>> copied below.
[quoted text clipped - 9 lines]
>
> Jim

How would the worm be accessing my computer? I have a firewall and it is an
Apple Macintosh iBook, not a windows system. In order for it to respond, the
worm would have to pass a firewall with no ports but the bare minimum open.
My firewall log doesn't seem to have refused anything within the same time
periods as the nmbd attempts to get out. If anything, it would have to be a
sneaky program that is hidden on my computer and trying regularly to do
something. None of the addresses that it is trying to reach are in my
address book, so I can't make sense of it.

The only software that I have put on my computer that isn't commercial are
some puzzle and card games and I always scan them with Virex before
installing them. Oh, and I have some different language dictionaries also,
but they were virus/trojan checked by Virex before mounting.

This is the first time that I have seen anyone else make comment about the
problem although the fellow in the Apple Computer store in Lyons said he had
heard of other people with the same problem. He thought that it might be
something that Microsoft was doing sneakily, but I don't think so.

V.
Jim - 27 Jul 2005 16:54 GMT
> On 28/7/05 1:16 AM, in article slrndef9ap.mh2.jim@odin.magrathea.local,
>
[quoted text clipped - 15 lines]
> Apple Macintosh iBook, not a windows system. In order for it to respond, the
> worm would have to pass a firewall with no ports but the bare minimum open.

Fair enough, it was just a thought. If your router isn't set to pass the usual
Windows ports (135-139,445) then it won't be that. Heck, it might not even be
that if you *were* passing those ports..! It was just a guess.

Jim
Signature

Find me at http://www.ursaMinorBeta.co.uk
"The voices that control me from inside my head
Say I shouldn't kill you yet." - Jonathan Coulton, 'Skullcrusher Mountain'

Alex - 27 Jul 2005 17:28 GMT
> Fair enough, it was just a thought. If your router isn't set to pass the usual
> Windows ports (135-139,445) then it won't be that. Heck, it might not even be
> that if you *were* passing those ports..! It was just a guess.

A geeky thing to try would be to run netcat to listen on whatever port
it's trying to connect to, then edit your hosts file to point the host
it's trying to connect to to 127.0.0.1. You can then see what it sends :)

alex

Signature

Alex Meaden
Technical Support Officer
Computing Service
University of Kent

D P Schreber - 28 Jul 2005 13:00 GMT
["Followup-To:" header set to comp.sys.mac.comm.]
> How would the worm be accessing my computer? I have a firewall

The standard configuration for the osx firewall doesn't do anything with
udp.  Is that the firewall you have in mind?  You can add rules to
block udp if you want to but it doesn't happen automatically.

> Apple Macintosh iBook, not a windows system. In order for it to
> respond, the worm would have to pass a firewall with no ports but the
> bare minimum open.

If nmbd is listening on a udp port and some client talks to it, it will
talk back.  This is normal behavior and has nothing to do with worms.

As for why nmbd is running, one possibility, as you suggest, is VPC.
Even if VPC itself isn't running, it's very possible that some startup
or login item associated with VPC is starting background processes,
possibly including nmbd.  This is not unusual or anything to worry
about.  For example, processes that are part of iTunes and iCal
typically start at login time.  I haven't had VPC installed for years,
so I don't know whether or not it runs anything at boot time or login
time.  You might want to check.  Look at personal login items, as well
as system startup items and (in 10.4) launchd items.

Is this network activity dangerous?  Probably not.  For efficiency
reasons you should try to keep nmbd from running if you don't need it,
but I doubt your machine is at risk.
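The distinction drawn above, between nmbd answering a request that just arrived and nmbd talking unprompted, can be checked against a capture. The following is an added example, not code from any poster: it reads constructed tcpdump lines (the sort of output `tcpdump -n udp and (port 137 or port 138)` gives) and labels each packet the Mac sends as a reply to a recent inbound packet or as unsolicited; the local address, the sample lines and the five-second reply window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format tcpdump uses for NetBIOS name service traffic.
# Addresses and times are made up; 192.168.1.20 stands in for the Mac being examined.
SAMPLE_CAPTURE = """\
15:02:11.104210 IP 203.0.113.45.1026 > 192.168.1.20.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
15:02:11.106004 IP 192.168.1.20.137 > 203.0.113.45.1026: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
15:09:40.512330 IP 198.51.100.7.1027 > 192.168.1.20.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
15:09:40.513101 IP 192.168.1.20.137 > 198.51.100.7.1027: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
15:31:05.900777 IP 192.168.1.20.137 > 203.0.113.99.62253: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
"""

LOCAL_IP = "192.168.1.20"            # assumed address of the host running nmbd
REPLY_WINDOW = timedelta(seconds=5)  # assumed: how long after a request a reply still counts

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<info>.*)$"
)

def parse_capture(text):
    """Turn tcpdump lines into dicts; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["ts"] = datetime.strptime(p["ts"], "%H:%M:%S.%f")
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        packets.append(p)
    return packets

def classify_outbound(packets, local_ip=LOCAL_IP, window=REPLY_WINDOW):
    """For each packet the local host sends, decide whether it answers a packet that
    arrived shortly before from the same remote address and port.
    Returns a list of (timestamp, "remote_ip:port", verdict)."""
    last_inbound = {}  # (remote ip, remote port) -> time of the most recent inbound packet
    verdicts = []
    for p in packets:
        if p["dst"] == local_ip:
            last_inbound[(p["src"], p["sport"])] = p["ts"]
        elif p["src"] == local_ip:
            key = (p["dst"], p["dport"])
            seen = last_inbound.get(key)
            if seen is not None and timedelta(0) <= p["ts"] - seen <= window:
                verdict = "reply"
            else:
                verdict = "unsolicited"
            verdicts.append((p["ts"].strftime("%H:%M:%S"), f"{key[0]}:{key[1]}", verdict))
    return verdicts

def summarize(verdicts):
    """Count each verdict so the overall pattern is visible at a glance."""
    return {v: sum(1 for _, _, verdict in verdicts if verdict == v)
            for v in ("reply", "unsolicited")}

if __name__ == "__main__":
    results = classify_outbound(parse_capture(SAMPLE_CAPTURE))
    for ts, remote, verdict in results:
        print(f"{ts}  nmbd -> {remote:<22} {verdict}")
    print(summarize(results))
```

A run where nearly everything comes out as "reply" points at inbound NetBIOS queries reaching port 137 rather than at a process picking addresses on its own; a run with many unsolicited packets is the case worth digging into with lsof and the system logs.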
Véronique Souchon - 28 Jul 2005 13:46 GMT
On 28/7/05 10:00 PM, in article ddWdnR990utnVXXfRVn-pQ@comcast.com, "D P
Schreber" <schreberdp@rayban.net> wrote:

> ["Followup-To:" header set to comp.sys.mac.comm.]
>> How would the worm be accessing my computer? I have a firewall
>
> The standard configuration for the osx firewall doesn't do anything with
> udp.  Is that the firewall you have in mind?  You can add rules to
> block udp if you want to but it doesn't happen automatically.

Hello

I use Brickhouse and Little Snitch in combination. Between the two of them I
have a very configurable system with regard to both incoming and outgoing
protection and reporting.

>> Apple Macintosh iBook, not a windows system. In order for it to
>> respond, the worm would have to pass a firewall with no ports but the
>> bare minimum open.
>
> If nmbd is listening on a udp port and some client talks to it, it will
> talk back.  This is normal behavior and has nothing to do with worms.

This is why I was looking at the logs so carefully, trying to find something
that it might have been responding to. Nothing matched.

> As for why nmbd is running, one possibility, as you suggest, is VPC.
> Even if VPC itself isn't running, it's very possible that some startup
[quoted text clipped - 4 lines]
> so I don't know whether or not it runs anything at boot time or login
> time.  You might want to check.

I look at the activity monitor and see that is running and lists the parent
process as msinit. Msinit is not running, nor can I find it anywhere on my
system. It is confusing. If I kill nmbd, using the Activity Monitor, a few
minutes later it gets restarted, once again listed as a child of msinit.

> Look at personal login items, as well
> as system startup items and (in 10.4) launchd items.

I have 10.4 but won't install it as I see too many problems being reported
on these news groups. I will wait until Apple get things better sorted out
before giving myself the headaches.

> Is this network activity dangerous?  Probably not.  For efficiency
> reasons you should try to keep nmbd from running if you don't need it,
> but I doubt your machine is at risk.

With the blocking that I have in place I am not concerned, just extremely
curious and frustrated that I cannot find whatever is starting it.

V.
Hans Aberg - 27 Jul 2005 19:30 GMT
In article <BF0DE290.12472%veronique_souchon@hotmail.com>,
Véronique Souchon <veronique_souchon@hotmail.com>
wrote:

> Hah, as I was typing that, the Little Snitch window popped up saying that
> nmbd wanted permission to talk to 59.113.15.201 on port 1026.

You can check IP addresses at <http://openrbl.org/>.

Signature

 Hans Aberg

NormanM - 28 Jul 2005 04:26 GMT
> I was just about to send when Little Snitch popped up with a new request,
> copied below.
[quoted text clipped - 5 lines]
>
> I am really, really curious. Is someone trying to use my computer illegally?

My money is on, "Yes". UDP to port 1026; and my router logs are filled with
incoming UDP packets to port 1026. I have always suspected Windows
Messenger Service spam. Can you find a way to examine those packets? Are
there Mac packet sniffers?

Signature

Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

Alex - 28 Jul 2005 11:42 GMT
> My money is on, "Yes". UDP to port 1026; and my router logs are filled with
> incoming UDP packets to port 1026. I have always suspected Windows
> Messenger Service spam. Can you find a way to examine those packets? Are
> there Mac packet sniffers?

Ethereal - http://www.ethereal.com

Works under most UNIXes (including OS X) and Windows.

alex

Signature

Alex Meaden
Technical Support Officer
Computing Service
University of Kent

Peter Boosten - 28 Jul 2005 11:51 GMT
In comp.security.firewalls Alex <aejm+nospam@kent.ac.uk> wrote:
>> My money is on, "Yes". UDP to port 1026; and my router logs are filled with
>> incoming UDP packets to port 1026. I have always suspected Windows
[quoted text clipped - 6 lines]
>
> alex

Be sure to read this one:
http://www.ethereal.com/appnotes/enpa-sa-00020.html

Signature

"I didn't know it was impossible when I did it."

MSN/Mail: pboosten at hotmail dot com

Simon Slavin - 30 Jul 2005 23:38 GMT
On 28/07/2005, Alex wrote in message <dcacqn$kh2$2@oheron.kent.ac.uk>:

> > My money is on, "Yes". UDP to port 1026; and my router logs are filled
> > with incoming UDP packets to port 1026. I have always suspected Windows
[quoted text clipped - 4 lines]
>
> Works under most UNIXes (including OS X) and Windows.

You don't even need that.  'tcpdump' will do it.  It's complicated to
use but can do everything, including monitoring only packets from/to
specific ports.  Use 'man tcpdump' for more info.

Simon.
Signature

Using pre-release version of newsreader.
Please tell me if it does weird things.

Troubled Tony - 31 Jul 2005 01:52 GMT
Simon Slavin <slavins.delete.these.four.words@hearsay.demon.co.uk> wrote:
>   On 28/07/2005, Alex wrote in message <dcacqn$kh2$2@oheron.kent.ac.uk>:
>    
[quoted text clipped - 11 lines]
>   use but can do everything, including monitoring only packets from/to
>   specific ports.  Use 'man tcpdump' for more info.

That, and don't bother looking at the packets. A waste of time.
michael - 29 Jul 2005 02:16 GMT
> Are there Mac packet sniffers?

http://personalpages.tds.net/~brian_hill/

m-
James D. Beard - 27 Jul 2005 22:56 GMT
> I am running a Mac G5 with 10.3.9 and have just discovered that at
> regular but intermittent intervals, several times an hour, the process
> nmbd attempts to make a UDP contact with a wide variety of addresses
> mostly US based, but some European, on various ports ranging from 135 to
> 62253.

If you are running OS X, see if your system has the command
lsof.  If so, read the man page and use it to see what file(s)
are associated with the attempt to make the UDP contact.

The lsof is available on Linux, but I am too lazy to go to
my wife's G5 and check for you. <g>

jim b.

Signature

Unix is not user-unfriendly; it merely
     expects users to be computer-friendly.

Ilgaz Ocal - 28 Jul 2005 19:36 GMT
> I am running a Mac G5 with 10.3.9 and have just discovered that at
> regular but intermittent intervals, several times an hour, the process
[quoted text clipped - 21 lines]
>
> Tony

Hi,

Well if you see a strange command connecting to net, try running
Terminal, type "man (command name)" , e.g.

cable25-100:/etc ilgaz$ man nmbd

NAME
      nmbd  -  NetBIOS name server to provide NetBIOS over IP naming services
      to clients
(snip arguments part)
DESCRIPTION
      This program is part of the samba(7) suite.

      nmbd is a server that understands and can reply to NetBIOS over IP name
      service  requests, like those produced by SMB/CIFS clients such as Win-
      dows 95/98/ME, Windows NT, Windows  2000,  Windows  XP  and  LanManager
      clients.  It  also participates in the browsing protocols which make up
      the Windows "Network Neighborhood" view.

Have a nice day

Ilgaz
Hans Aberg - 29 Jul 2005 00:06 GMT
> Well if you see a strange command connecting to net, try running
> Terminal, type "man (command name)" , e.g.
[quoted text clipped - 15 lines]
>
> Have a nice day

One can also look at <http://en.wikipedia.org/wiki/NetBIOS>, which says:

...
If someone is already utilising the NetBIOS name plus type, it is the
responsibility of the Name service, running on the host that owns the
name, to send a "Node Conflict" message out to absolutely everyone it can
possibly find, including on all other transports. Joy.
It may amuse people to know that there is a long-standing bug in
Microsoft's NetBIOS stack implementation in Windows NT...

Signature

 Hans Aberg
