Re: Possible security problem?

From: Véronique Souchon (veronique_souchon_at_hotmail.com)
Date: 07/27/05


Date: Thu, 28 Jul 2005 05:56:25 +1000

On 28/7/05 4:15 AM, in article
tomstiller-03EA0F.14154127072005@comcast.dca.giganews.com, "Tom Stiller"
<tomstiller@comcast.net> wrote:

>>>
>>> Nmbd is part of the samba PC file sharing suite. If you don't need
>>> samba, turn off "Windows Sharing" in the Sharing System Preferences
>>> pane. If you need samba, but want to restrict its activities, read up
>>> on the configuration options in the man page for smb.conf.
>>>
>>
>> Hi Tom
>>
>> That is why I mentioned that Samba is not a part of the equation.
>>
>> Even so, if it was enabled why would nmbd be sending packets all over
>> the world? That is what has me intrigued.
>
> Sorry, I slipped right by the comment on samba. One question is: why is
> nmbd running at all? It isn't running on my machine.

This is what is so intriguing, Tom. I am not at all expert but I am trying to
learn. I have purchased several books on OSX and Unix and am struggling a
bit, but getting more experienced. I have booted the system in verbose mode,
looked at the start-up sequence and don't see nmbd starting, but a few
minutes later it is running. I look at it in the activity monitor and it
says that the parent process is msinit but I can't FIND msinit. It isn't
running. It is as though I have a hidden program that is mimicking another
application or somehow fooling the OS, or at least fooling the Activity
Monitor. The only Google references to msinit are to Windows exe files and
they certainly wouldn't be running on a Mac. VPC wasn't running so they
wouldn't be running there either.

I need to learn a lot more.

Judging by the way the addresses that it attempts to contact resolve, it has
to be something nefarious. I have done a port scan and I only have three
ports open, time server and dns etc. I have verbose logging on and have
checked very carefully, but nothing untoward has attempted to gain access. I
had thought that something was triggering nmbd but nothing seems to be. I
have searched my hard drive with some of the addresses that it has tried to
reach - a very very slow process, but nothing came up. I am lost. I don't
know what is starting it, and I don't know where it is being fed addresses
from, and I don't know its purpose. I have allowed it to send packets out a
couple of times, wondering if I would log some response to it, but nothing
seems to happen. I certainly don't get responses logged from any of the
addresses it seeks out. I have scanned the addresses and ports that it tries
to reach using the network utility and those ports are usually open.

I feel that whatever it is, it probably came as a result of Virtual PC. When
I first installed Virtual PC, it was turning the Firewall off, a problem
noted in several MS virtual PC discussion areas. I would try to start the
firewall manually and it would put a message up that another firewall was
running and then shut down. When I became aware of the problem, I disabled
VPC's networking and it stopped turning the firewall off, but maybe
something got into the system before I did something about it.

I have possibly been too confident that Macs and OSX are not at risk from
trojans and viruses the way PCs are. An ex-boyfriend always told me that
Macs didn't have to worry about these things. It would not have been the only
thing that he was wrong about. ;)

V.