Has my Mac been compromised?

Discussion in 'other security issues & news' started by Bernard101, Jan 23, 2013.

Thread Status:
Not open for further replies.
  1. Bernard101

    Bernard101 Registered Member

    Joined: Jan 23, 2013 | Posts: 5 | Location: UK

    Good Morning, I hope someone can advise me, I am something of a computer novice and need some help.
    Yesterday I was in a chat room, and was asked by someone to paste some text into my browser.

    It looked something like this: 192.168.0.1:8080/and then a load of random letters.

    He said it would speed up our chatting. Instead he told me that my computer was now 'compromised', and vanished. I have run Norton, which found nothing, and there is nothing odd in the behaviour of my Mac; however, I am concerned. Have I been tricked into something? Or is it nothing? Many thanks for any advice (except "don't do it again", I have worked that one out for myself.)

    Thanks Bernard
     
  2. fax

    fax Registered Member

    Joined: May 30, 2005 | Posts: 3,729 | Location: localhost

    You should have the complete link in your browser history page. Like this it is not possible to judge, as it looks like a prank, as that will call up the router interface, granted your router (do you have a router?) has the IP address 192.168.0.1 :)
     
  3. badkins79

    badkins79 Registered Member

    Joined: Dec 23, 2011 | Posts: 60 | Location: Maryland

    Fax is right. 192.168.0.1 would be the address of your router. That was the target of this "attack". It's impossible for us to say what he was trying to do without the full URL string. I would say absolute worst case is that IF your browser still had a factory default password, the URL string could have logged in to the router and turned on port forwarding so attacks from the internet would be routed directly to your Mac. The other possibility would be that he could have set your router to use a rogue DNS server, to give them more opportunities to steal information or exploit your machine.
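
Added example (not part of any post in this thread): a rogue DNS server, the second possibility badkins79 describes, is a router change that can leave a trace on the Mac itself. This Python sketch parses the output of macOS's `scutil --dns` and flags resolvers that are neither the router nor on a trusted list; the sample output, the 203.0.113.53 address and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `scutil --dns` output (not taken from the thread).
SAMPLE_SCUTIL_DNS = """\
resolver #1
  nameserver[0] : 192.168.0.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
"""

# RFC 1918 private ranges: not routable over the internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)\s*$", re.M)

def extract_nameservers(scutil_output):
    """Return the unique nameserver addresses, in order of first appearance."""
    found = []
    for raw in NAMESERVER_RE.findall(scutil_output):
        try:
            ip = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            continue  # not an IP literal; ignore
        if ip not in found:
            found.append(ip)
    return found

def audit_resolvers(scutil_output, router_ip, trusted=()):
    """Map each resolver to 'router', 'trusted', 'unexpected-lan' or 'unexpected-external'."""
    router = ipaddress.ip_address(router_ip)
    allow = {ipaddress.ip_address(t) for t in trusted}
    report = {}
    for ip in extract_nameservers(scutil_output):
        if ip == router:
            verdict = "router"
        elif ip in allow:
            verdict = "trusted"
        elif ip.version == 4 and any(ip in net for net in RFC1918):
            verdict = "unexpected-lan"
        else:
            verdict = "unexpected-external"
        report[str(ip)] = verdict
    return report
```

On the Mac, pass in the real output of `scutil --dns` and the router's address. If the router hands out its own address as the resolver, the upstream DNS servers also have to be compared on the router's own status page.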
     
  4. Bernard101

    Bernard101 Registered Member

    Joined: Jan 23, 2013 | Posts: 5 | Location: UK

    First of all thank you very much for taking the time to help me, fax. I am afraid I have no more info on what I pasted, because the browser never actually accessed the page in question, it just hung up, although my router is indeed at 192.168.0.1.

    I do have a clear memory of the thing I pasted in and it was pretty much like that:

    192.168.0.1:8080/asdfdvbfgjmuyk (not those actual letters). Does that throw any more light on it?

    I do hope it was just a prank.

    With thanks

    Bernard
     
  5. EncryptedBytes

    EncryptedBytes Registered Member

    Joined: Feb 20, 2011 | Posts: 449 | Location: N/A

    The 192.168.x address series are non-routable private v4 addresses for internal use only (these you can't route over the internet/public networks). If your subnet isn’t even the same, then any “attack” would have failed from the get-go. If you wish, PM me the full URL and I’ll look into it; however, from what you’ve written this was a prank or a failed attempt from an individual with limited networking knowledge. If the URL in question had been entered into a browser, you the user would have tried to connect to your internal network on port 8080, and that is only if you fell in the 192.168.0 subnet and if the port was open for routing. The random string would not be applicable in this case, as again you would be redirected to your own network. Port 8080 is an alternative web port to the traditional port 80. I’ve seen it mostly used for debugging Apache or proxy traffic.

    It’s possible this individual tried to send you an exploit via his/her local network, and if that is the case then it’s comical actually. However, next time do not trust URL strings from unknown individuals.
     
    Last edited: Jan 23, 2013
  6. Bernard101

    Bernard101 Registered Member

    Joined: Jan 23, 2013 | Posts: 5 | Location: UK

    Thanks to all people helping me. I have to go out now but will pick this up in the morning and dig out some more info to send. Bernard
     
  7. Bernard101

    Bernard101 Registered Member

    Joined: Jan 23, 2013 | Posts: 5 | Location: UK

    Good Morning.

    I have tried to PM the helpful EncryptedBytes, but am getting the message that the messaging system is out of action today. Is there any more info I can put up here to help figure out if there has been a problem? I have looked in my router settings and they look like they always did, but as a non-tech I don't really know what I am looking for. Any tips on what the footprints or fingerprints of malicious activity might look like would be helpful, or alternatively another way to PM private details would be appreciated.

    Bernard
     
  8. fax

    fax Registered Member

    Joined: May 30, 2005 | Posts: 3,729 | Location: localhost

    The string you posted will have no effect on the router. So this is likely a non-issue. If you want to be sure, just reset the router (after having collected your basic configuration data); the next step (paranoid mode) is to flash the router firmware to a new one, or the same one if the manufacturer has not released a new firmware. Firmware should be downloaded only from the manufacturer's site. After this you should be 99% sure that whatever has been done to your router is forever gone.

    For the future, change the router password to a random alphanumeric password, disable WPS (if your router has Wi-Fi access) and work only with WPA2 encryption. Done!
     
  9. Bernard101

    Bernard101 Registered Member

    Joined: Jan 23, 2013 | Posts: 5 | Location: UK

    Thank you so much for all the help. I will do all those things. Paranoid mode is exactly where I am at, so there is one final question:

    You said (fax) that 'the string I posted would do no harm'. Actually it wasn't that string; it looked to me just like a string of random letters, so I put some random letters in my post.

    And so my final question (paranoid mode again) is whether there is a string that could lead to an attack on my system, or is the whole approach one that, from the attacker's point of view, is useless.

    Thanks, and sorry for being such a klutz

    Bernard101
     
  10. fax

    fax Registered Member

    Joined: May 30, 2005 | Posts: 3,729 | Location: localhost

    The latter, i.e. useless.
     