Old 04-13-2008, 12:38 AM   #1
Balden
Prospect
 
Join Date: Apr 2008
Posts: 4
How to get rid of network intruders?

Hi there,
I've got a tiny wireless network at home and today discovered weird names showing up as networks also running on my computer. They are actively using my connection and I can't find a way to get rid of them. I've seen about 6 different ones. They connect and disconnect seemingly randomly and very quickly. I can't edit their settings because when I try to "join them" in the hopes of deleting them or finding out more I can't get on because they have a password. Also, they show up as locked in NetBarrier (x4) which I'm just using without really knowing how. Their IP addresses come up as invalid when traced. When I did a whois on one of them I got this:
NetRange:***10.0.0.0 - 10.255.255.255
CIDR:*******10.0.0.0/8
NetName:****RESERVED-10
NetHandle:**NET-10-0-0-0-1
Parent:
NetType:****IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG

Some are on the same channel as my legitimate one, others on a different one. (not that I know what that really means either)

Here is a bit of my system log from earlier today when this was happening (on the networked mac, not the one I'm posting from now):
Apr 12 15:29:01 localhost kernel[0]: Registering For 802.11 Events
Apr 12 15:29:01 localhost kernel[0]: [HCIController][setupHardware] AFH Is Supported
Apr 12 15:29:02 B-and-B-PowerB configd[67]: setting hostname to "B-and-B-PowerB.local"
Apr 12 15:29:02 B-and-B-PowerB lookupd[103]: lookupd (version 369.6) starting - Sat Apr 12 15:29:02 2008
Apr 12 15:29:04 B-and-B-PowerB /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow: Login Window Application Started
Apr 12 15:29:05 B-and-B-PowerB loginwindow[106]: Login Window Started Security Agent
Apr 12 15:29:05 B-and-B-PowerB configd[67]: executing /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/enable-network
Apr 12 15:29:05 B-and-B-PowerB configd[67]: posting notification com.apple.system.config.network_change
Apr 12 15:29:05 B-and-B-PowerB lookupd[116]: lookupd (version 369.6) starting - Sat Apr 12 15:29:05 2008
Apr 12 15:29:05 B-and-B-PowerB configd[67]: setting hostname to "b-and-b-powerb"
Apr 12 15:29:06 B-and-B-PowerB Parallels: Loading Hypervisor module...
Apr 12 15:29:06 B-and-B-PowerB bootpd[173]: interface en0: ip 192.168.2.1 mask 255.255.255.0
Apr 12 15:29:06 B-and-B-PowerB bootpd[173]: interface en1: ip 192.168.1.46 mask 255.255.255.0
Apr 12 15:29:06 B-and-B-PowerB named[174]: starting BIND 9.3.2 -c /etc/com.apple.named.conf.proxy -f
Apr 12 15:29:06 B-and-B-PowerB named[174]: running
Apr 12 15:29:06 B-and-B-PowerB configd[67]: target=enable-network: disabled
Apr 12 15:29:06 B-and-B-PowerB kernel[0]: [Parallels] Parallels Hypervisor started.
Apr 12 15:29:06 B-and-B-PowerB Parallels: Loading Monitor module...
Apr 12 15:29:07 B-and-B-PowerB kernel[0]: [Parallels] Parallels VM observer thread started
Apr 12 15:29:07 B-and-B-PowerB Parallels: Loading ConnectUSB module...
Apr 12 15:29:07 B-and-B-PowerB Parallels: Loading Network module...
Apr 12 15:29:07 B-and-B-PowerB Parallels: Loading Virtual Ethernet module...
Apr 12 15:29:08 B-and-B-PowerB kernel[0]: com_parallels_kext_Pvsvnic0: Ethernet address 00:1c:42:00:00:00
Apr 12 15:29:08 B-and-B-PowerB kernel[0]: com_parallels_kext_Pvsvnic1: Ethernet address 00:1c:42:00:00:01
Apr 12 15:29:08 B-and-B-PowerB Parallels: Staring DHCP/NAT daemon...
Apr 12 15:29:09 B-and-B-PowerB pvsnatd[260]: en2: DHCP for 10.37.129.2-10.37.129.254 netmask 255.255.255.0
Apr 12 15:29:09 B-and-B-PowerB pvsnatd[260]: en3: DHCP/NAT for 10.211.55.2-10.211.55.254 netmask 255.255.255.0
Apr 12 15:29:09 B-and-B-PowerB Parallels: Restarting InternetSharing...
Apr 12 15:29:09 B-and-B-PowerB Parallels: Restaring CiscoVPN...
Apr 12 15:29:09 B-and-B-PowerB Parallels: Initialization complete.
Apr 12 15:29:14 B-and-B-PowerB mDNSResponder: Adding browse domain local.
Apr 12 15:29:32 B-and-B-PowerB BatteryUpdater[330]: Battery is already up-to-date with BatteryUpdater v 1.2
Apr 12 15:40:48 B-and-B-PowerB mDNSResponder: mDNS_SetPrimaryInterfaceInfo V4 address - incorrect type. Discarding.
Apr 12 15:40:56 B-and-B-PowerB configd[67]: posting notification com.apple.system.config.network_change
Apr 12 15:40:56 B-and-B-PowerB lookupd[382]: lookupd (version 369.6) starting - Sat Apr 12 15:40:56 2008
Apr 12 15:40:56 B-and-B-PowerB named[174]: /etc/com.apple.named.conf.proxy:21: no forwarders seen; disabling forwarding
Apr 12 15:40:56 B-and-B-PowerB named[174]: /etc/com.apple.named.conf.proxy:21: no forwarders seen; disabling forwarding
Apr 12 15:40:56 B-and-B-PowerB configd[67]: setting hostname to "B-and-B-PowerB.local"
Apr 12 15:41:06 B-and-B-PowerB named[174]: /etc/com.apple.named.conf.proxy:21: no forwarders seen; disabling forwarding
Apr 12 15:41:06 B-and-B-PowerB named[174]: /etc/com.apple.named.conf.proxy:21: no forwarders seen; disabling forwarding
Apr 12 15:48:40 B-and-B-PowerB kernel[0]: 11D beacon causing regdomain change to CC 840
Apr 12 15:48:40 B-and-B-PowerB kernel[0]: en1: 802.11d country code set to 'US'.
Apr 12 15:48:40 B-and-B-PowerB kernel[0]: en1: Supported channels 1 2 3 4 5 6 7 8 9 10 11 36 40 44 48 52 56 60 64 149 153 157 161 165

This is really getting me crazy and god knows what else is happening to my computer, software, or data.

The computer is a 2.33 GHz Intel Core Duo, running 10.4.9. I considered upgrading the system software in case various security fixes would knock these leeches out, but I was afraid they'd just get into my newer OS X version too.

I welcome all advice! Many thanks to anyone who can take the time to help me solve this.

-Balden
Old 04-13-2008, 07:31 AM   #2
cwtnospam
League Commissioner
 
Join Date: Jan 2005
Posts: 8,475
Log into your router (post the router name & model for more specific help) using an ethernet connection and set up WPA2 security on it. You will then need to use the passkey you set up there for any computer that is to connect wirelessly.

By the way, it's possible to have other networks legitimately running near yours. That may be part of what you're seeing.
Old 04-13-2008, 09:51 AM   #3
Gnarlodious
Major Leaguer
 
Join Date: Oct 2003
Location: Santa Fe
Posts: 372
Most likely these are "Ad Hoc" WiFi devices such as wireless printers. They attempt to join any open network and are a scourge to the router management community. I routinely see 80 to a hundred Ad-Hoc devices in my "Survey" page. I think most of these devices are the same ones that try to connect with different MAC interface addresses.

In addition, you should be aware that "Leopard" has some pretty severe DNS problems. All kinds of weird networks might be reported, especially if you are using a hosts file. If this is the case, network security will not solve the problem.

Last edited by Gnarlodious; 04-13-2008 at 09:55 AM.
Old 04-13-2008, 09:57 AM   #4
Balden
Prospect
 
Join Date: Apr 2008
Posts: 4
Thanks cwtnospam,
I'm with Verizon and have a Westell Wind River (model D90-327W15-06). I'm not sure it'll let me set a WPA2 password, or it might be I went with a WEP because that's all my HP Printer could handle. But it's been a long time since the laptop could even print to the printer wirelessly, so screw the WEP... and I had a different router when I originally set up the network.
Old 04-13-2008, 10:24 AM   #5
Balden
Prospect
 
Join Date: Apr 2008
Posts: 4
Also,
For you console-savvy types, can you translate this section of the system log? (see below) In my ignorance it looks like maybe these intruders are accessing my network via Parallels, or that's how the code got in. I don't have any USB device connected to my laptop, nor am I knowingly using virtual Ethernet. Also I don't access my network on Ethernet 2 or 3 but those IP addresses starting with 10 are the ones associated with the interlopers accessing my network.
Apr 12 15:29:05 B-and-B-PowerB configd[67]: setting hostname to "b-and-b-powerb"
Apr 12 15:29:06 B-and-B-PowerB Parallels: Loading Hypervisor module...
Apr 12 15:29:06 B-and-B-PowerB bootpd[173]: interface en0: ip 192.168.2.1 mask 255.255.255.0
Apr 12 15:29:06 B-and-B-PowerB bootpd[173]: interface en1: ip 192.168.1.46 mask 255.255.255.0
Apr 12 15:29:06 B-and-B-PowerB named[174]: starting BIND 9.3.2 -c /etc/com.apple.named.conf.proxy -f
Apr 12 15:29:06 B-and-B-PowerB named[174]: running
Apr 12 15:29:06 B-and-B-PowerB configd[67]: target=enable-network: disabled
Apr 12 15:29:06 B-and-B-PowerB kernel[0]: [Parallels] Parallels Hypervisor started.
Apr 12 15:29:06 B-and-B-PowerB Parallels: Loading Monitor module...
Apr 12 15:29:07 B-and-B-PowerB kernel[0]: [Parallels] Parallels VM observer thread started
Apr 12 15:29:07 B-and-B-PowerB Parallels: Loading ConnectUSB module...
Apr 12 15:29:07 B-and-B-PowerB Parallels: Loading Network module...
Apr 12 15:29:07 B-and-B-PowerB Parallels: Loading Virtual Ethernet module...
Apr 12 15:29:08 B-and-B-PowerB kernel[0]: com_parallels_kext_Pvsvnic0: Ethernet address 00:1c:42:00:00:00
Apr 12 15:29:08 B-and-B-PowerB kernel[0]: com_parallels_kext_Pvsvnic1: Ethernet address 00:1c:42:00:00:01
Apr 12 15:29:08 B-and-B-PowerB Parallels: Staring DHCP/NAT daemon...
Apr 12 15:29:09 B-and-B-PowerB pvsnatd[260]: en2: DHCP for 10.37.129.2-10.37.129.254 netmask 255.255.255.0
Apr 12 15:29:09 B-and-B-PowerB pvsnatd[260]: en3: DHCP/NAT for 10.211.55.2-10.211.55.254 netmask 255.255.255.0
Apr 12 15:29:09 B-and-B-PowerB Parallels: Restarting InternetSharing...
Apr 12 15:29:09 B-and-B-PowerB Parallels: Restaring CiscoVPN...
Apr 12 15:29:09 B-and-B-PowerB Parallels: Initialization complete.
Apr 12 15:29:14 B-and-B-PowerB mDNSResponder: Adding browse domain local.
Apr 12 15:29:32 B-and-B-PowerB BatteryUpdater[330]: Battery is already up-to-date with BatteryUpdater v 1.2
Apr 12 15:40:48 B-and-B-PowerB mDNSResponder: mDNS_SetPrimaryInterfaceInfo V4 address - incorrect type. Discarding.
Apr 12 15:40:56 B-and-B-PowerB configd[67]: posting notification com.apple.system.config.network_change
Apr 12 15:40:56 B-and-B-PowerB lookupd[382]: lookupd (version 369.6) starting - Sat Apr 12 15:40:56 2008
Apr 12 15:40:56 B-and-B-PowerB named[174]: /etc/com.apple.named.conf.proxy:21: no forwarders seen; disabling forwarding
Apr 12 15:40:56 B-and-B-PowerB named[174]: /etc/com.apple.named.conf.proxy:21: no forwarders seen; disabling forwarding
Apr 12 15:40:56 B-and-B-PowerB configd[67]: setting hostname to "B-and-B-PowerB.local"
Apr 12 15:41:06 B-and-B-PowerB named[174]: /etc/com.apple.named.conf.proxy:21: no forwarders seen; disabling forwarding
Apr 12 15:41:06 B-and-B-PowerB named[174]: /etc/com.apple.named.conf.proxy:21: no forwarders seen; disabling forwarding
Apr 12 15:48:40 B-and-B-PowerB kernel[0]: 11D beacon causing regdomain change to CC 840
Apr 12 15:48:40 B-and-B-PowerB kernel[0]: en1: 802.11d country code set to 'US'.
Apr 12 15:48:40 B-and-B-PowerB kernel[0]: en1: Supported channels 1 2 3 4 5 6 7 8 9 10 11 36 40 44 48 52 56 60 64 149 153 157 161 165
Old 04-13-2008, 10:48 AM   #6
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,389
1) You definitely should update (via Software Update) to the latest version of the OS available (for Tiger, the latest is currently 10.4.11) and also install any security updates that are available via Software Update.

2) I see reference to "Internet Sharing" in the log you showed. Do you have Internet Sharing enabled ? (in Sharing Preferences)
You don't want to have that enabled.
__________________
hayne.net/macosx.html
Old 04-13-2008, 10:58 AM   #7
cwtnospam
League Commissioner
 
Join Date: Jan 2005
Posts: 8,475
You might look here for manuals/support for that router. Also, as Hayne says, turn off Internet Sharing on your Mac.
Old 04-13-2008, 11:25 AM   #8
Balden
Prospect
 
Join Date: Apr 2008
Posts: 4
All righty, I've tightened things up, hadn't realized the laptop's firewall wasn't on (!) and sharing was... am also updating. When that stops I'll make sure I can still get on the web within Parallels. Should I still change my WEP password to a WPA2 (if possible)?

Cheers to the folks who really know how to make our 'puters work!
Old 04-13-2008, 11:30 AM   #9
trevor
Moderator
 
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 19,804
Quote:
Should I still change my WEP password to a WPA2 (if possible)?

Yes. WEP is insecure, WPA2 is secure.

Trevor
Old 04-13-2008, 01:45 PM   #10
ElectricSheep
Triple-A Player
 
Join Date: Mar 2006
Posts: 173
I see nothing anomalous in your log output; there is no evidence there of any intruder on your network. Perhaps you are concerned about these lines:

Quote:
Apr 12 15:29:09 B-and-B-PowerB pvsnatd[260]: en2: DHCP for 10.37.129.2-10.37.129.254 netmask 255.255.255.0
Apr 12 15:29:09 B-and-B-PowerB pvsnatd[260]: en3: DHCP/NAT for 10.211.55.2-10.211.55.254 netmask 255.255.255.0

pvsnatd is part of the Parallels Virtual Switch component that allows the guest operating system inside of your Parallels virtual machine to access your network. The Virtual Switch will create two virtual network interfaces (en2 and en3) and use its own network address translation daemon to move packets to and from the virtual machine. By default, the virtual switch uses Class A network addresses (10.x.x.x), but you can change those preferences.
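Added example, not written by any poster in this thread: a short Python script that applies the reading of the log given in post #10, mapping each subnet announced by a local daemon (bootpd, pvsnatd) to its interface so that a 10.x.x.x address can be checked against the Mac's own virtual networks before it is treated as an outsider. The sample lines are copied from the log quoted above; the function names are hypothetical.

```python
import ipaddress
import re

# Sample input: lines copied from the system log quoted in this thread.
SAMPLE_LOG = """\
Apr 12 15:29:06 B-and-B-PowerB bootpd[173]: interface en0: ip 192.168.2.1 mask 255.255.255.0
Apr 12 15:29:06 B-and-B-PowerB bootpd[173]: interface en1: ip 192.168.1.46 mask 255.255.255.0
Apr 12 15:29:09 B-and-B-PowerB pvsnatd[260]: en2: DHCP for 10.37.129.2-10.37.129.254 netmask 255.255.255.0
Apr 12 15:29:09 B-and-B-PowerB pvsnatd[260]: en3: DHCP/NAT for 10.211.55.2-10.211.55.254 netmask 255.255.255.0
Apr 12 15:29:09 B-and-B-PowerB Parallels: Initialization complete.
"""

# Daemon name, interface, first IPv4 address on the line, and the (net)mask.
LINE_RE = re.compile(
    r"(?P<daemon>\w+)\[\d+\]: (?:interface )?(?P<iface>en\d+): "
    r".*?(?P<ip>\d+\.\d+\.\d+\.\d+).*?mask (?P<mask>\d+\.\d+\.\d+\.\d+)"
)

def local_subnets(log_text):
    """Return one record per subnet that a local daemon reports on an interface."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without an interface/address pair are ignored
        net = ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False)
        records.append({
            "daemon": m["daemon"],
            "iface": m["iface"],
            "subnet": str(net),
            # Private (RFC 1918) space is reused everywhere, so a whois
            # lookup on it only returns the IANA reservation.
            "private": net.is_private,
        })
    return records

def origin_of(address, records):
    """Name the local daemon and interface whose subnet contains address."""
    ip = ipaddress.ip_address(address)
    for r in records:
        if ip in ipaddress.ip_network(r["subnet"]):
            return f"{r['daemon']} on {r['iface']}"
    return None  # not explained by anything this machine set up itself

if __name__ == "__main__":
    recs = local_subnets(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(origin_of("10.211.55.7", recs))
```

An address for which `origin_of` returns `None` is the only kind worth investigating further; anything it attributes to pvsnatd is traffic between the Mac and its own virtual machine.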
Old 04-13-2008, 05:09 PM   #11
Balden
Prospect
 
Join Date: Apr 2008
Posts: 4
Thanks for that explanation, ES. Would it be normal for Parallels to access the network if I hadn't launched it? That's one thing that alarmed me. And last question, why can't I delete these other networks from appearing in my network configurations?

Thanks to all-