F-Secure for Mac and Little Snitch?
Should F-Secure for Mac consistently keep trying to establish outgoing connections to the following addresses: domain.akadns.net and retail.sp.f-secure.com? I also see something strange with Safari opening fsecured.lithium.com. Are all of those correct and safe connections according to Little Snitch? The reason I ask is that my intrusion attacks are back: my laptop had to go out for service and I am back to using my Mac, and Little Snitch reported connection attempts via domain.akadns.net before I even logged on to the Mac Mini, which is an old computer.
I am running the latest and probably the last incarnation of OS 10.6.8 (10K549) build, and my F-Secure Mac Security software is (B11500.C110). It is completely different from the Windows version and I cannot manually ask it to update or anything like that. I can only rely on the program when it states it is not compromised, that it is not being manually manipulated via an Apple Remote Desktop exploit/ARDAgent, which was the number one problem I have had in the past. Knowing UNIX commands or not, please give me the heads up on the connections that F-Secure is making.
Sincerely,
Rich
Comments
-
This just keeps getting better, guys. What has happened is that someone has gotten in and they created a Guest account that I cannot delete, and they checked "give access to shared folders". I HAVE NO WAY of deleting this Guest account, and it states in Accounts that it is disabled for now. I still want to completely delete the Guest account. How can I do this? Does anyone know how to completely delete it, even if I usually go in as an Admin account and cannot delete it?
-
Hi Rich,
If you are using Mac OS X 10.6.8 Snow Leopard, the only way is to use a Mac OS X 10.6 Install Disk or Upgrade Disk and change the admin password.
But before that I would suggest, if you can, doing a disk repair with Disk Utility.
If someone has gained access to your computer, he must have gained access by remote desktop, and you must have enabled SSH Remote Login again.
That caused you to be hacked.
Your Zyxel router's SPI firewall must be enabled! Please consult Zyxel and the router manual that comes with it.
-
If your Mac has been compromised, I suggest that you back up all the important files with a DVD writer. Burn them to a CD or DVD.
Do a zero-out format of your hard disk again.
And make sure you are not connected to the Internet while formatting and installing OS X.
Make sure you are offline and that your cable router and cable modem are turned off.
Go to System Preferences and turn off everything as I said earlier. (Disable ALL in System Preferences.)
For example:
Disable Remote Login
Disable Remote Desktop
Disable ScreenSharing.
Disable Remote Management
Disable File Sharing
Disable Internet Sharing.
** DISABLE ALL OF IT **
http://community.f-secure.com/t5/Security-for-PC/How-can-I-fight-Instructions/td-p/18260/page/2
I thought you were using a Mac Mini G4??? If you are running a G4, you must be using Mac OS X 10.4!!!
(The information that you gave me is not consistent.)
Anyway, if you are using Mac OS X 10.6:
Go to Terminal and type these commands to disable Apple Remote Desktop.
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
Under Security settings, enable the firewall.
Select Block Incoming and enable Stealth Mode.
If you intend to consult about Little Snitch, read the documentation.
Deny or block incoming ports 1-65535, both TCP and UDP.
Block SSH and any ARDAgent with Little Snitch.
Go here to download the Little Snitch PDF document.
http://www.obdev.at/products/littlesnitch/documentation.html
And also join the Little Snitch forum. The guys there can help you out.
http://forums.obdev.at/viewforum.php?f=1
http://www.obdev.at/products/littlesnitch/releasenotes3.html
http://www.obdev.at/products/littlesnitch/faq.html
Email them:
http://www.obdev.at/products/littlesnitch/support.html?topic=question
-
Try and use Who's There. This is a trial, so if you intend to buy the program, purchase it.
http://www.opendoor.com/isfym/TOC.html
The above link is a book.
Who's There will detect who is accessing your computer, so that you can easily trace who is connecting to your computer.
http://www.opendoor.com/whosthere/WhosThereDownload.html
You can also use the Opendoor firewall, which is a trial.
http://www.opendoor.com/doorstop/DoorStopDownload.html
There are other third-party firewalls which you can use.
But I still suggest using Little Snitch.
http://www.hanynet.com/noobproof/
http://www.hanynet.com/waterroof/
http://www.hanynet.com/icefloor/index.html
IceFloor is recommended for users running Mac OS X 10.7 and 10.8.
There are other antiviruses for Mac.
http://www.freedrweb.com/drweb+mac+light/?lng=en
http://www.avira.com/en/download/product/avira-free-mac-security
http://www.avast.com/free-antivirus-mac
I'm not sure if any of these apps is any good.
It's not free.
There is a free version, but you need to know UNIX commands to port it.
-
-
Thank you very much for all the information. This seems like it is going to the Apple Store though, because I cannot even get the Mac OS to reinstall. It seems like a firmware change or flash is in order. Then a thorough diagnostic and cleaning at the Manhattan Apple Store or some place huge where I can get out and enjoy the trip/travel and see everything to enjoy it.
-
-
The above message refers to dumping the Zyxel internet security appliance. The intrusion detection stinks anyway on those units. I have talked to people that evaluated them on intrusion detection settings, and the package is crap; by the time you pay for it all, you are better off getting a SonicWall or Barracuda solution.
-
This problem clearly calls for a physical security intrusion detection appliance and a whole network disinfecting solution, which means cleaning every laptop out of six and three desktops. Then all the other internet appliances, Roku and TiVo, reflashed firmware-wise, plus someone cracking open the PS3. I mean, if you want to get paranoid, which I am, then every single possible source has to be disinfected, because the firewall logs which I have saved show the Roku box on my freaking TV trying to connect to my laptop.
-
Wow! If you know Dell's SonicWall and Barracuda Networks, that is pretty heavy stuff.
Barracuda Networks gear is usually used by enterprise companies.
If you have the technical know-how, that would be good.
I have no knowledge of that.
But if you know the heavy stuff, you must know about security stuff.
Like, for instance, Juniper Networks. Or Nokia Firewall IPSO. Checkpoint-NG. Both are running FreeBSD.
http://en.wikipedia.org/wiki/Nokia_IPSO
http://en.wikipedia.org/wiki/Juniper_Networks
F5 Networks. That's too technical, man.
Nortel has gone bust. I remember Bay Networks had Wifi. Now it is known as www.netgear.com
If you know WRT stuff, Buffalo wifi routers are using it.
You running a telco in your home, huh? Like an SS7 telephone switch or something? Or E1 telco in Europe.
Just kidding.
That stuff is way too killer for me, man.
-
Go to this link for your Mac security.
I hope this will help you.
And
this link:
http://www.datamation.com/secu/article.php/3824071/The-Best-Mac-Security-Software.htm
-
In a Terminal, type the command last and hit Enter.
See the list of logins.
See if you can see anybody logged in to your computer.
This is dead serious, man.
This is hacking of all time, right down to your TiVo, all your computers, etc.
Did not install Java this time round.
Disable Flash and disable Java in your browsers on all computers.
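The post above says to read the output of last for logins you do not recognise. As an added example (not from this thread), here is a small POSIX shell filter that keeps only the rows of last that carry a source host, so console logins, reboot markers and loopback logins drop out and only network logins remain; the sample output is constructed to mimic the Mac OS X 10.6 column layout and is not real data.

```shell
#!/bin/sh
# Constructed sample of `last` output in the column layout of Mac OS X 10.6
# (user, tty, optional source host, login time). Not real data.
SAMPLE_LAST='rich      ttys000   192.0.2.45                Tue Jan 29 10:14 - 10:22  (00:08)
rich      console                             Tue Jan 29 09:58   still logged in
rich      ttys001   example-laptop.local      Mon Jan 28 22:03 - 22:30  (00:27)
reboot    ~                                   Mon Jan 28 21:55
rich      ttys000   localhost                 Mon Jan 28 20:01 - 20:05  (00:04)
shutdown  ~                                   Sun Jan 27 18:00

wtmp begins Sun Jan 27 17:59'

# Read `last` output on stdin and keep only logins that arrived over the
# network, i.e. rows whose third column is a source host rather than the
# start of the date. Console logins, reboot/shutdown markers, the trailing
# "wtmp begins" line and loopback logins are dropped.
remote_logins() {
    awk '
        NF < 4                                  { next }  # blank / trailer lines
        $1 == "reboot" || $1 == "shutdown"      { next }  # system markers
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/  { next }  # no host: local login
        $3 == "localhost" || $3 == "127.0.0.1" || $3 == "::1" { next }
        { printf "%s\t%s\t%s %s %s %s\n", $1, $3, $4, $5, $6, $7 }
    '
}

# Convenience wrapper over the constructed sample; on a real Mac run:
#   last | remote_logins
audit_sample() {
    printf '%s\n' "$SAMPLE_LAST" | remote_logins
}

# Number of network logins found in the sample (2 for the data above).
count_remote_logins() {
    audit_sample | wc -l | tr -d ' '
}

audit_sample
```

Any host you do not recognise in the second column is worth following up; a LAN hostname is as interesting as a public address when the concern is another device on the home network.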
-
-
Rich,
If you happen to own a Barracuda Networks product, please take note of the security issues here.
http://www.theregister.co.uk/2013/01/24/barracuda_backdoor/
Backdoor root login found in Barracuda gear - and Barracuda is OK with this
Hidden accounts 'needed for remote tech support'
By John Leyden
Posted in Security, 24th January 2013 17:02 GMT
Multiple Barracuda Networks products feature an undocumented backdoor, leaving widely deployed data centre kit vulnerable to hijacking.
Privileged user accounts were found in various Barracuda appliances, including its flagship Spam and Virus Firewall, Web Application Firewall, Web Filter, SSL VPN, and other gear. The accounts cannot be disabled, are hard-wired into the equipment's operating system, and can be accessed remotely via SSH or the local terminal.
Once logged into a vulnerable machine, hackers can run programs and take over the networking device. The accounts, which were found in /etc/passwd and /etc/shadow files in the equipment, use weak passwords that are easy to crack, security researchers claimed. Each appliance uses a firewall to block access to the SSH server, and thus the hidden root accounts, unless the connection originates from an IP address in the private network ranges of 192.168.200.0/24 and 192.168.10.0/24. The firewall rules also allow in network traffic from public IP addresses in the 205.158.110.0/24 and 216.129.105.0/24 ranges - some of which are controlled by Barracuda, but the others are not.
Therefore a successful compromise would need to be launched from one of these IP addresses at a reachable, vulnerable Barracuda device. Network administrators may want to firewall off port 22 completely.
The oversight is tricky to exploit and was discovered by SEC Consult of Austria, which published an advisory on the issue today.
"An attacker is able to access all mentioned Barracuda appliances through weak passwords and gain shell access to execute arbitrary code on the appliances, e.g. in order to install further backdoors, change configuration or take over the system," explained Johannes Greil of SEC Consult.
"Those attacks are possible from within the two large IP address ranges from the Internet, and two private IP address ranges. One hacked system or malicious company in those networks will allow an attacker to take over all externally reachable Barracuda appliances worldwide."
Barracuda acknowledged the **bleep**-up but downplayed the risk. It also released a software update called "Security Definition 2.0.5", which tightened up its account security but does not remove the hidden root, remote and cluster users because they are needed to administer remote support for customers.
In a related advisory, SEC Consult said Barracuda VPN kit allowed an "unauthenticated attacker to download configuration files and database dumps".
Steve Pao, VP for Product Management at Barracuda Networks, told El Reg that the undocumented superuser accounts were established for support purposes but admitted the setup was flawed and promised to pay SEC Consulting an unspecified bounty for finding the vulnerability.
"The specific discovery was related to access from the default limited set of IP addresses used by the system to initiate remote support tunnels to Barracuda Technical Support," Pao told El Reg in a statement. "We have released a security definition to existing Barracuda Networks appliances that minimises potential attack vectors.
"Individual customers should contact Barracuda Networks Technical Support if they need more information. As we do with all issues reported through our 'Bug Bounty' programme, we have acknowledged the SEC Consulting's reporting of the issues in both the release notes with our security definition and on the Tech Alerts section of our Web site."
Stefan Viehböck of SEC Consult led the research into the vulnerabilities. Barracuda has published alerts covering both bugs on its website.
-
Rich,
Can you cut and paste and give me a look to see if there are any changes to the com.apple.openssh.plist file.
Do a search, examine the ssh plist files and post them here in the forum.
They are text plist files.
I need to see that.
If you see any traces of Kerberos, VPN, etc.,
the likelihood is your Mac has been hacked into.
-
Please take note of the following. (Do not delete this posting.)
To keep you updated.
Regarding the UPnP vulnerability:
http://www.theregister.co.uk/2013/01/29/hdmoore_upnp_flaw_rapid7/
Check whether your hardware, such as your router, is vulnerable.
http://www.kb.cert.org/vuls/id/922681
Mac Antivirus review
http://www.reedcorner.net/mac-anti-virus-testing-01-2013/
Xprotect
-
Please take note of the following issues.
Just to keep you updated.
http://news.cnet.com/8301-1009_3-57570100-83/new-mac-malware-opens-secure-reverse-shell/
http://www.intego.com/mac-security-blog/pint-sized-backdoor-for-os-x-discovered/