Thread: Signs of a hacker/crackers presence on a macbook pro?

  1. #1
    408Mike

    Recently an output of netstat -a gave an output of one established ftp connection. This is weird because I do not have any ftp software installed and never use it. I have no reason to.

    The weirder part is that the connection persisted after closing down my internet connection. I could not kill the pid nor would it go away. I had to restart my system to get rid of it.

    What's up with that??? Sound fishy to anyone? Could this be evidence of SSH tunneling or similar? I feel confident I wiped out any malware I had but my network I am not in love with. I suspect there is something lurking someplace I cannot see but not 100% on that. My suspicion comes from, among other things, the fact that if ALL computers in the house are completely off and the router is rebooted, as soon as it's back online it's flashing like fucking mad with wireless internet connectivity. There is also a wireless connection always present, with no computers running. Weird?

    Security: router has WPA2 with a fairly tough password, my Mac I have locked down as best I can without TOO much effort. Root disabled, all accounts have 8+ character passwords mixing numbers, letters, symbols etc., my firewall is set to deny all inbound connections and with Little Snitch I keep an eye on outbound. I mean what else can/should I be doing? If someone is breaking into my Mac or using my network how can I find evidence of this? FWIW I tried packet capturing and was bewildered at the data I received. I have no clue what any of it means. I also have cocoa packet sniffer.
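
An added example, not part of the original post: `netstat -a` prints ports as service names from /etc/services, so an "ftp" entry means one end of the connection is on TCP port 21; this script maps each established connection to its owning process from `lsof` output and flags that port. The sample `lsof` lines, the process name `helperd` and the addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Input is the output of:
#   sudo lsof -nP -iTCP -sTCP:ESTABLISHED
# -n/-P keep addresses and ports numeric; sudo shows sockets of all users.

# Constructed sample output; process names and addresses are made up.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Safari 412 mike 12u IPv4 0xa1b2 0t0 TCP 192.168.1.23:50412->203.0.113.10:443 (ESTABLISHED)
helperd 977 root 5u IPv4 0xa1b3 0t0 TCP 192.168.1.23:50433->198.51.100.7:21 (ESTABLISHED)
Mail 530 mike 20u IPv6 0xa1b4 0t0 TCP [2001:db8::23]:50440->[2001:db8::5]:993 (ESTABLISHED)'

# One line per established connection: process, pid, user, endpoints, and
# WATCHED-PORT when either end uses a port from the comma-separated list
# in $1 (default 21, the FTP control port).
summarize_established() {
  awk -v watch="${1:-21}" '
    BEGIN { n = split(watch, w, ","); for (i = 1; i <= n; i++) hot[w[i]] = 1 }
    $NF != "(ESTABLISHED)" { next }          # header line and other TCP states
    {
      if (split($(NF - 1), ep, "->") != 2) next
      lport = ep[1]; sub(/.*:/, "", lport)   # text after the last colon, so
      rport = ep[2]; sub(/.*:/, "", rport)   # bracketed IPv6 addresses work
      flag = ((lport in hot) || (rport in hot)) ? "WATCHED-PORT" : "ok"
      printf "%s pid=%s user=%s %s %s\n", $1, $2, $3, $(NF - 1), flag
    }'
}

# Only the connections that touch a watched port.
watched_connections() {
  summarize_established "$@" | awk '$NF == "WATCHED-PORT"'
}

printf '%s\n' "$SAMPLE_LSOF" | watched_connections
```

On a live Mac, pipe the `lsof` command from the header comment into `summarize_established` instead of the sample.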

  2. #2
    Bootsy Collins

    Is your WIFI protected with a WEP key?
    Quote Originally Posted by RealTalk View Post
    Lol at the amount of effort that druff's friends have to exert trying to do an internet podcast without offending him.

  3. #3
    Bootsy Collins

    What I have recommended in the past is to enable MAC filtering on your wireless router. It gives you an added layer of security.

  4. #4
    408Mike

    My wifi? Do you mean the wifi on my Mac or do you mean my home router?

    I wanted to set up MAC filtering but it's tough as my family aren't the most tech savvy and getting their machines' MAC addresses is a pain. I can do it, never felt the need. If you think it matters I will do it. Also won't MAC spoofing negate the security in the first place?

    I forgot to mention I have all sharing services turned off, all plist files adjusted so that none of the sharing programs run at launch, no startup items whatsoever, my loginwindow plist is clean, my SSHD script altered for no root login, no agent forwarding, all that. I have deleted telnet and remote desktop software, really anything and everything I can think of that might give connectivity I have done my best to alter in favor of total lockdown. Still not sure though. I get the feeling it's not enough.. Recently did a full wipe of my hard drive, booted from USB and wiped the main drive clean including free space but still..

  5. #5
    Bootsy Collins

    Enable MAC Filtering on the wireless router

    Getting MAC addresses is pretty simple to do. For Windows devices you just need to go to the command prompt and type in ipconfig /all. It will list the MAC addresses for both wireless and wired adapters. For Macs you just need to go to System Preferences > Network > AirPort (for wireless) or Ethernet (for wired) and Advanced. NOTE: The MAC address is listed as AirPort ID in that utility. I will give you a sample: 00:1f:5b:bc:d8:64

    Also, I would change the admin password and possibly the SSID on your wireless router. If you left it at the default, it is very simple for someone to log into it.
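
An added example, not part of the original posts: a way to compare the devices currently visible on the LAN against the MAC addresses collected as described above, written for macOS `arp -an` output. Because MAC addresses can be cloned, as other posts in the thread point out, this is an inventory check rather than an access control; the inventory, the sample output and the function name `unknown_devices` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Input is macOS/BSD `arp -an` output.

# Constructed inventory of your own devices, space-separated. The first
# entry is the sample address given in the post; the second is made up.
KNOWN_MACS='00:1f:5b:bc:d8:64 02:0A:0B:0C:0D:01'

# Constructed sample of `arp -an` output. macOS prints each octet without
# its leading zero, so 00:1f:... appears as 0:1f:...
SAMPLE_ARP='? (192.168.1.1) at 2:a:b:c:d:1 on en1 ifscope [ethernet]
? (192.168.1.23) at 0:1f:5b:bc:d8:64 on en1 ifscope [ethernet]
? (192.168.1.57) at 2:aa:bb:cc:dd:57 on en1 ifscope [ethernet]
? (192.168.1.99) at (incomplete) on en1 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en1 ifscope permanent [ethernet]'

# Print "ip mac" for every unicast neighbour whose MAC is not in the
# inventory passed as $1.
unknown_devices() {
  awk -v known="$1" '
    function norm(mac,   p, n, i, oct, out) {   # 0:1F:5b -> 00:1f:5b
      n = split(tolower(mac), p, /[:-]/)
      if (n != 6) return ""
      for (i = 1; i <= 6; i++) {
        if (p[i] !~ /^[0-9a-f][0-9a-f]?$/) return ""
        oct = (length(p[i]) == 1 ? "0" : "") p[i]
        out = (i == 1) ? oct : out ":" oct
      }
      return out
    }
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[norm(k[i])] = 1 }
    $3 == "at" {
      mac = norm($4)
      if (mac == "") next                             # "(incomplete)" entries
      if (index("13579bdf", substr(mac, 2, 1))) next  # multicast or broadcast
      ip = $2; gsub(/[()]/, "", ip)
      if (!(mac in ok)) print ip, mac
    }'
}

printf '%s\n' "$SAMPLE_ARP" | unknown_devices "$KNOWN_MACS"
```

On a live Mac, replace the sample with `arp -an | unknown_devices "$KNOWN_MACS"`; only hosts the machine has recently talked to appear in the ARP cache.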

  6. #6
    Crowe Diddly
    Quote Originally Posted by Bootsy Collins View Post
    What I have recommended in the past is to enable MAC filtering on your wireless router. It gives you an added layer of security.
    It really doesn't, though. Almost anyone equipped to break a WEP key can just as easily clone your MAC address, and may do it out of habit anyway just to hide their own tracks. Edit: says he uses WPA2 key in OP. As long as he has a strong randomish pass, MAC filtering will only be a pain in the ass for him.
    Last edited by Crowe Diddly; 03-11-2012 at 08:39 PM.

  7. #7
    Bootsy Collins

    True. Another thing he can do is disable SSID broadcast. However, if he is connecting a new device he would need to manually type in the SSID.

  8. #8
    408Mike

    The MAC spoofing as I understood it negates the security of using MAC addresses via the router.

    Yeah the router is secured with an administrator password (long and tough-jack the ripper would need years to crack it) and the wifi connections are secured with WPA-2 with a solid password. No passwords stored anywhere on any machine, ever.

    I think whatever malware I came in contact with is either still present or has given someone an "in" that I can't fucking get rid of despite my best efforts.

  9. #9
    Bootsy Collins

    Have you tried a cold reset?
