I am trying to secure a Mac after discovering that network links are being established to some unwanted internet sites.
Using 'lsof -i' (list open 'files', internet) I have seen that launchd, ntpd, firefox, dropbox and other processes are either 'LISTENING' or have 'ESTABLISHED' links to a site or sites which I suspect have to do with spyware. I have been trying to find startup files and preference lists that initiate these links but can't find them. I could easily reinstall the OS and restore data from a backup but I'd prefer to know how to fix this as I have six Macs to look after.
Thanks...
What is it about these sites that makes them suspect? – Richard Hoskins – 2009-09-22T13:49:40.600
I researched the three sites (on different machines) via the internet and found that they are all suspect - either adware or possibly spyware. All I would like to do is find what config file and/or process on the Mac starts the link to each site. – None – 2009-09-22T14:22:38.907
As soon as I detected each instance, I made the hosts file point to 127.0.0.1 for the respective sites and blocked them on the DNS I use. Snow Leopard's Firewall does not seem to allow for blocking IPs - at least I'm not sure how to do it. This is where my unix sysadmin knowledge starts to wane....
I guess it has been like this for a long time because I only just thought of looking at this recently. One of the sites, apparently, has already been shut down as of Nov 2008 but one of the Macs still 'LISTENS' for it... – None – 2009-09-22T14:30:28.380
This sounds confused; LISTEN means your Mac is listening for an incoming connection, and isn't associated with any particular remote computer; instead, 'lsof' will report which of your computer's IP addresses the program is listening on (or "*", meaning all ports). This can be a bit confusing, since 'lsof' tries to display names rather than numeric IP address, and it can give misleading results if (for example) you have a lot of names mapped to 127.0.0.1 in /etc/hosts. Try 'lsof -i -n' to get raw IPs instead. – Gordon Davisson – 2009-09-22T17:36:32.063

Gordon, thanks for your suggestion to use the '-n' option. It confirmed that the 'ESTABLISHED' connections were the re-mapped IPs I put in the hosts file i.e. to 127.0.0.1. So, at least I know that it is definitely not talking outside anymore.
Now all I would like to do is to find out what unix OS config files are involved in launching these attempted connections. That is the problem I am trying to solve. – None – 2009-09-23T15:02:01.407
TT - I don't actually think you have a problem here. The apps you list are supposed to listen on the network, that's how they work. The fact that you have loads of custom hosts entries is making the output of lsof -i look suspicious, but by the sounds of it everything is normal.
I don't believe you CAN find any OS config files for this, because I don't think any problem actually exists.
If you're still worried post up the output of lsof -i -n and we can have a look. – Bart B – 2009-09-28T14:35:23.617
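As an added illustration of the triage Gordon and Bart describe (this is not code from the thread), the script below classifies lines of 'lsof -i -n' output so that LISTEN sockets and connections re-mapped to 127.0.0.1 by /etc/hosts are separated from links that actually reach an outside address. The sample output it reads is constructed, not taken from the poster's Macs.

```shell
# Added example: classify 'lsof -i -n' lines so that LISTEN sockets and
# hosts-file sinkholed connections are not mistaken for live outside links.
classify_lsof_line() {
    # $1 is one data line of 'lsof -i -n'. Prints one of:
    #   listen   - waits for inbound connections, no remote peer at all
    #   loopback - ESTABLISHED, but the peer is 127.0.0.1 / ::1
    #   external - ESTABLISHED to any other address (worth a closer look)
    #   other    - no state shown (typical for UDP sockets such as ntpd)
    printf '%s\n' "$1" | awk '{
        state = ($NF ~ /^\(/) ? $NF : "";        # "(LISTEN)", "(ESTABLISHED)" or none
        name  = (state != "") ? $(NF-1) : $NF;    # NAME column: local[->remote]
        if (state == "(LISTEN)") print "listen";
        else if (state == "(ESTABLISHED)") {
            n = split(name, ep, "->");
            if (n == 2 && (ep[2] ~ /^127\.0\.0\.1:/ || ep[2] ~ /^\[::1\]:/))
                print "loopback";
            else
                print "external";
        }
        else print "other";
    }'
}

summarize_lsof() {
    # Reads 'lsof -i -n' output on stdin, skips the header line, and prints
    # "<class> <original line>" for every socket so externals stand out.
    while IFS= read -r line; do
        case "$line" in COMMAND*|"") continue ;; esac
        printf '%s %s\n' "$(classify_lsof_line "$line")" "$line"
    done
}

# Constructed sample (not real output from the poster's machines).
SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   10u  IPv4 0x1f2a      0t0  TCP *:631 (LISTEN)
ntpd      123 root    5u  IPv4 0x2b3c      0t0  UDP *:123
firefox   512 tt     42u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:49211->127.0.0.1:80 (ESTABLISHED)
Dropbox   614 tt     19u  IPv4 0x4d5e      0t0  TCP 192.168.1.5:49302->203.0.113.10:443 (ESTABLISHED)'

printf '%s\n' "$SAMPLE" | summarize_lsof
```

On a real machine, pipe the live output in with `lsof -i -n | summarize_lsof` and only the lines tagged external need investigating.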