The macosxhints Forums > OS X Help Requests > Networking
01-17-2009, 12:38 PM   #1
jiclark
Did I get hacked?

I have Little Snitch installed, but had long ago turned off filtering because of the hassle of constant nags to allow or deny network connections. Then, a couple of nights ago I noticed its menubar icon fluttering away, so I took a look at what was going on. There were a couple of processes, launchproxy and sshd, that were chugging along, and listing just an IP address (218.75.48.230, fwiw) as the destination. I did a little googling, and the only thing I found was a blog post from a guy who thought his Xserve had been hacked by spammers, and he listed those processes as possible indicators. So, long story short, I re-enabled Little Snitch's filtering and it immediately terminated those processes. Now I'm back to being annoyed by LS's intrusiveness, but feeling more secure...

Does anyone here know enough about such things to be able to explain what (might have) happened? Was I 'pwned'?? FYI, I'm using a Mac Pro running Leopard, and connected to 7Mb Qwest DSL via a Buffalo router flashed with the dd-wrt firmware.

More questions:

Is there something I should enable in dd-wrt to avoid this happening again?
In Little Snitch, is there a way to allow all connections for a given app? I'd love to have it allow all connections through Mail, for instance. I use it to view RSS feeds, and don't let it automatically load images in html messages, so it nags me a LOT now. Or is that a security risk?

Sorry, but most of this stuff is just over my head...

Thanks!
John
01-17-2009, 02:03 PM   #2
UncleJohn
Googling that IP won't make you any happier.
01-17-2009, 03:00 PM   #3
hayne
What services were you running? I.e. what things do you have enabled in the Sharing preferences pane and were these exposed to the wide Internet (via port forwarding in your router)?
Is your password a good one (not easily guessable, not composed of dictionary words)?
01-17-2009, 03:10 PM   #4
jiclark
Yes, I know that IP is from somewhere in China, and on a lot of blacklists...

SSH is enabled and forwarded. Yes, my password is 8 characters & random with numbers. I think I'll change it, regardless, and maybe make it 12 characters...

The question that I'm most concerned about, obviously, is how to find out whether there was any damage done. I've been told elsewhere that the safest thing to do would be to do a wipe and reinstall. Is that really necessary? Little Snitch is fully enabled now, so I don't believe my machine can be doing anything nefarious without my knowledge, right?
01-17-2009, 04:35 PM   #5
hayne
The whole question hinges on whether your machine was compromised. If someone managed to guess your password (e.g. via a dictionary-based attack) then they have full control of the machine and in that case, you can't trust anything that the machine is telling you. (A sufficiently knowledgeable intruder can cover their tracks completely and even modify the OS to make their activities invisible.)
And so if your machine has been compromised, the only safe thing to do is to backup any data files (not applications) that you care about, then erase the disk and reinstall from the original OS X Install disk. Finally, copy your data files from the backup and reinstall any 3rd-party apps from their original CDs.
01-17-2009, 06:16 PM   #6
Hal Itosis
Quote:
Originally Posted by jiclark
In Little Snitch, is there a way to allow all connections for a given app?

Little Snitch is one of the most thoughtfully and cleverly designed programs out there. It's also thoroughly well documented, and there's nothing anyone here could say that isn't already fully explained by the built-in help. Just run the Little Snitch Configuration program, select Little Snitch Help from the Help menu, and read what the author spent hours typing to achieve. (Or should I copy and paste it all here?)
01-18-2009, 12:09 AM   #7
ThreeDee
You can't definitively tell if you have been hacked. With all the traffic, someone could have just been still trying a ton of random passwords and didn't get in yet. Or they could have already got in and started mucking up your system, and possibly edited the logs to cover their tracks.

Although nothing bad may have happened, the safest thing to do would be to reinstall OS X. Also, you should never forward port 22, as that is asking for trouble. There are hundreds of 'zombie' computers out there programmed to infect other computers via SSH with port 22 open. You should forward it to an obscure port and make a strong password with caps/lowercase letters, numbers and symbols.

Also see:
http://forums.macosxhints.com/showthread.php?t=96655
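The point made above, that traffic alone does not tell you whether one of the guesses succeeded, is something the login log can partly answer, with the caveat already given in this thread that an intruder with full control may have edited that log. The following is an added example and not code from anyone in the thread: it parses lines in the format OpenSSH's sshd writes to syslog (on Leopard that is /var/log/secure.log; the path is an assumption), counts failed logins per source address, records the invalid usernames tried, and flags any accepted login that came from an address which had also been failing. The log lines are constructed for the example, including the accepted login from a failing source, which illustrates the worst case and is not something the thread established happened; 192.0.2.10 is documentation-range address space standing in for the owner's own host, and the other addresses are the ones named in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format OpenSSH's sshd logs via syslog
# (on Leopard, /var/log/secure.log; path assumed). Addresses other than the
# documentation-range 192.0.2.10 are the ones named in the thread.
SAMPLE_LOG = """\
Jan 17 12:31:02 macpro sshd[4501]: Invalid user admin from 218.75.48.230
Jan 17 12:31:02 macpro sshd[4501]: Failed password for invalid user admin from 218.75.48.230 port 44368 ssh2
Jan 17 12:31:05 macpro sshd[4503]: Invalid user test from 218.75.48.230
Jan 17 12:31:05 macpro sshd[4503]: Failed password for invalid user test from 218.75.48.230 port 46329 ssh2
Jan 17 12:31:09 macpro sshd[4505]: Failed password for root from 218.75.48.230 port 48330 ssh2
Jan 17 12:31:12 macpro sshd[4507]: Failed password for root from 218.75.48.230 port 33663 ssh2
Jan 17 12:31:15 macpro sshd[4509]: Failed password for john from 218.75.48.230 port 32970 ssh2
Jan 18 14:02:41 macpro sshd[5120]: Failed password for root from 61.184.101.46 port 44858 ssh2
Jan 18 14:02:44 macpro sshd[5122]: Failed password for root from 61.184.101.46 port 47641 ssh2
Jan 18 14:02:48 macpro sshd[5124]: Accepted password for john from 61.184.101.46 port 48108 ssh2
Jan 18 09:15:00 macpro sshd[4990]: Accepted publickey for john from 192.0.2.10 port 50122 ssh2
"""

# The three sshd message shapes that matter for triage.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")


def summarize(log_text):
    """Count failures per source, collect the non-existent usernames tried
    per source, and keep every accepted login with its source address."""
    failures = Counter()
    invalid_users = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = INVALID.search(line)
        if m:
            invalid_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m["ip"], m["user"]))
    return {"failures": failures, "invalid_users": dict(invalid_users), "accepted": accepted}


def triage(summary, threshold=3):
    """Return (brute-force sources at or above the threshold,
    accepted logins whose source also has failures on record).
    The second list is the one that turns 'probably just probing'
    into 'assume compromise'."""
    brute = sorted(ip for ip, n in summary["failures"].items() if n >= threshold)
    suspicious_logins = [(ip, user) for ip, user in summary["accepted"]
                         if ip in summary["failures"]]
    return brute, suspicious_logins


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    brute, logins = triage(s)
    for ip in brute:
        print(f"{ip}: {s['failures'][ip]} failed logins, "
              f"invalid users tried: {sorted(s['invalid_users'].get(ip, []))}")
    for ip, user in logins:
        print(f"ACCEPTED login for {user} from {ip}, which had been failing before")
```

Read the log from a backup or from another machine where you can, since the machine under suspicion produced it. A long run of "Invalid user" attempts against account names that do not exist on the box is the ordinary background noise of a forwarded port 22; an accepted login from a source that has been failing is the line that settles the reinstall question.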
01-18-2009, 12:50 AM   #8
tlarkin
I found this on google

http://www.dslreports.com/forum/r216...ccess-question

It looks like this person is trying to massively hack any and all ssh connections. At my work we run an enterprise web filter, because we are a K-12 educational organization and are required by federal regulations to filter the internet for school children. Our previous web filter solution used a proxy server, and it was getting nailed by so many Chinese IPs it was insane; it actually DDoSed our server. Since China filters the internet for all its people, they massively and thoroughly try to tunnel or proxy through someone else.

You can set SSH to deny that host, since ssh requires that both the host and the client machine have ssh keys (keyss may be the wrong word here) for a session to work. I know that at work when I was tinkering with this I put my own machine (for testing purposes) in the ssh config file that did not allow connections and I was not able to ssh into that server until I fixed it (from ARD admin).

You can also change the port of ssh to a non standard port and forward it to your mac from your router that way. I bet that most of these scans and attacks are programmed with the assumption you are using the standard port to ssh.

If you have a strong password, though, I am not certain how effective dictionary attacks really are. Well, I am not a hacker for one, so I have very little experience trying to crack passwords.

Oh and also I forgot that sshd and launchproxy are standard system processes, so you would see them running regardless most likely.
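The advice in the two posts above (move sshd off port 22, use a strong password, keep unwanted hosts out) can be checked against the sshd configuration itself rather than remembered. This added example is not from the thread or from OpenSSH: it parses an sshd_config (on Leopard the file is /etc/sshd_config; that path, and the defaults of that era, root login and password authentication being on when the directive is absent, are assumptions) and reports the settings that invite the traffic seen here. The two embedded configurations are constructed for the example. The hardened one goes a step beyond the thread by turning password logins off entirely in favour of public keys, which is what actually makes dictionary attacks moot; the port change only reduces the noise.

```python
import re

# Constructed sample of the kind of sshd_config the thread warns about:
# default port, password logins, root permitted, no user allow-list.
WEAK_CONFIG = """\
# sshd_config (constructed sample, not a real machine's file)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers
"""

# Constructed hardened counterpart: non-standard port as the thread suggests,
# plus key-only authentication, no root login, an allow-list and fewer tries.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers john
MaxAuthTries 3
LoginGraceTime 30
"""


def parse_sshd_config(text):
    """Map directive -> value (keywords lower-cased). OpenSSH honours the first
    occurrence of a directive, so later duplicates are ignored here as well.
    Comments and blank lines are dropped; 'Key value' and 'Key=value' both parse."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, value)
    return directives


def audit_sshd_config(text):
    """Return a list of (directive, finding) for settings that make an exposed
    sshd an easy brute-force target. Absent directives are judged at the
    OpenSSH defaults assumed for the Leopard era (root login on, passwords on,
    MaxAuthTries 6)."""
    d = parse_sshd_config(text)
    findings = []
    if d.get("port", "22") == "22":
        findings.append(("Port", "listening on 22, the port every scanner tries first; "
                                 "a non-standard port cuts noise but is not a control"))
    if d.get("permitrootlogin", "yes").lower() != "no":
        findings.append(("PermitRootLogin", "root login allowed; set to no"))
    if d.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("PasswordAuthentication",
                         "password logins allowed; use public-key auth and set to no"))
    if "allowusers" not in d and "allowgroups" not in d:
        findings.append(("AllowUsers", "no allow-list; restrict to accounts that need SSH"))
    try:
        if int(d.get("maxauthtries", "6")) > 3:
            findings.append(("MaxAuthTries", "more than 3 attempts per connection; lower it"))
    except ValueError:
        findings.append(("MaxAuthTries", "non-numeric value"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for directive, finding in audit_sshd_config(cfg):
            print(f"  {directive}: {finding}")
```

If you do move the port, the forwarding rule on the router has to move with it, and the router should forward only that one port; the rest of the thread's advice (strong password, or better no password logins at all) is what holds when the scanners find the new port anyway.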
01-18-2009, 02:30 PM   #9
jiclark
Okay, now I'm *really* bummed. Just now, I'm reading the new posts to this thread, when I notice it's happening AGAIN! Lots of in/out activity in both launchproxy and sshd to/from 61.184.101.46... Then I see this in Little Snitch's Network Monitor, listed under "Mac OS X Kernel":

Connection report for process: Mac OS X Kernel (/mach_kernel)
Total: 30.9kB sent, 0 Bytes received
218.75.48.230 (218.75.48.230), Port 44368 (unnamed), Protocol 6 (TCP), 21 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 47345 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
218.75.48.230 (218.75.48.230), Port 46329 (unnamed), Protocol 6 (TCP), 136 Bytes sent, 0 Bytes received
61.108.210.11 (61.108.210.11), Port 59136 (unnamed), Protocol 6 (TCP), 21 Bytes sent, 0 Bytes received
218.75.48.230 (218.75.48.230), Port 48330 (unnamed), Protocol 6 (TCP), 1.6kB sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 60952 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 45589 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 39121 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 58381 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
218.75.48.230 (218.75.48.230), Port 37684 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 35133 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 39043 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 44674 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
218.75.48.230 (218.75.48.230), Port 33663 (unnamed), Protocol 6 (TCP), 1.6kB sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 46689 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
61.108.210.11 (61.108.210.11), Port 55075 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 53014 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 46346 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 44831 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 59326 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 37316 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 40995 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
218.75.48.230 (218.75.48.230), Port 32970 (unnamed), Protocol 6 (TCP), 1.6kB sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 40584 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 56617 (unnamed), Protocol 6 (TCP), 21 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 55104 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 56118 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 59933 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 41583 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 51955 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 54365 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 47176 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 43804 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 41097 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 46448 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
61.108.210.11 (61.108.210.11), Port 42088 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 40815 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 50795 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 34210 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 39387 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 40491 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 33242 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 36173 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 33473 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 40835 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 45345 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 39244 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 45619 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 59288 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 46187 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 58858 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 59388 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 51865 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
61.108.210.11 (61.108.210.11), Port 48343 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
61.184.101.46 (61.184.101.46), Port 44858 (unnamed), Protocol 6 (TCP), 1.6kB sent, 0 Bytes received
61.108.210.11 (61.108.210.11), Port 57364 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 42247 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 41692 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 57225 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 42867 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 42236 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 46459 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 47573 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 34125 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 56163 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
61.108.210.11 (61.108.210.11), Port 55557 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 45715 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 40646 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 47255 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
61.184.101.46 (61.184.101.46), Port 47641 (unnamed), Protocol 6 (TCP), 1.6kB sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 40392 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
218.75.48.230 (218.75.48.230), Port 47001 (unnamed), Protocol 6 (TCP), 0.8kB sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 45019 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 40722 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 59217 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 42835 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 46895 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 58157 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 57266 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 51343 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
61.108.210.11 (61.108.210.11), Port 35968 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 42580 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 45365 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 43711 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 42249 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 33286 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 53936 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 50340 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 60524 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 48824 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 41513 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 39371 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
61.184.101.46 (61.184.101.46), Port 48108 (unnamed), Protocol 6 (TCP), 1.6kB sent, 0 Bytes received
... [there's tons more; if it would be of any use, I could post the whole thing somewhere for perusal]


Can someone explain what that all represents? I hate to even guess... And is there any consolation in the fact that so little data was actually sent, or is that just because it's all Terminal commands?

Anyway, now I know I've definitely got problems. So, I've changed my password (to one that's a 20-character mixed-alphanumeric-upper/lowercase-plus-symbols, which shows maximum-strength in the password utility). I've turned off ssh/port-forwarding in the router config. Now I need to reinstall...

In one of the posts above, there's a link to a thread that suggests that an Archive-and-Install might be good enough. What's your opinion? I'm guessing that I should just bite the bullet and go for the complete wipe/clean install, if only for peace of mind, but is that the consensus here?

Thanks for all the great info everyone. Definitely a huge learning experience, and I think of myself as a fairly savvy Mac user. I can't imagine how many others are likely exposing themselves to intrusions like this, if only through basic stuff like Back To My Mac and the use of weak passwords!!

I only hope this thread will help others learn how to avoid this experience! Please keep posting relevant info and links. My apologies to people like Hal Itosis for ruining their day; I will try not to post stupid questions like that in the future...

Humbly,
John
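To make sense of a connection report like the one above, it helps to aggregate it by remote address instead of reading it line by line. This added example is not code from Little Snitch or from anyone in the thread: it parses lines in the exact format posted, totals bytes and connection counts per remote address, lists the remote ports touched, and reports whether any inbound bytes were recorded at all. The embedded sample is a subset of the lines posted above; the conversion of "kB" to 1000 bytes is an assumption about how Little Snitch rounds its figures.

```python
import re
from collections import defaultdict

# A subset of the Little Snitch connection report posted in this thread,
# copied verbatim; the two header lines are included so the parser skips them.
SAMPLE_REPORT = """\
Connection report for process: Mac OS X Kernel (/mach_kernel)
Total: 30.9kB sent, 0 Bytes received
218.75.48.230 (218.75.48.230), Port 44368 (unnamed), Protocol 6 (TCP), 21 Bytes sent, 0 Bytes received
ram49-1-82-245-51-6.fbx.proxad.net (82.245.51.6), Port 47345 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
218.75.48.230 (218.75.48.230), Port 46329 (unnamed), Protocol 6 (TCP), 136 Bytes sent, 0 Bytes received
61.108.210.11 (61.108.210.11), Port 59136 (unnamed), Protocol 6 (TCP), 21 Bytes sent, 0 Bytes received
218.75.48.230 (218.75.48.230), Port 48330 (unnamed), Protocol 6 (TCP), 1.6kB sent, 0 Bytes received
66.165.168.55 (66.165.168.55), Port 45589 (unnamed), Protocol 6 (TCP), 84 Bytes sent, 0 Bytes received
mail.anonymousprofile.com (208.115.34.73), Port 56617 (unnamed), Protocol 6 (TCP), 21 Bytes sent, 0 Bytes received
61.184.101.46 (61.184.101.46), Port 44858 (unnamed), Protocol 6 (TCP), 1.6kB sent, 0 Bytes received
"""

# One connection line: "host (ip), Port N (name), Protocol N (NAME), X sent, Y received".
ENTRY = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\), Port (?P<port>\d+) \([^)]*\), "
    r"Protocol (?P<proto>\d+) \((?P<pname>[^)]+)\), "
    r"(?P<sent>[\d.]+)\s*(?P<sunit>kB|Bytes) sent, "
    r"(?P<recv>[\d.]+)\s*(?P<runit>kB|Bytes) received$"
)


def to_bytes(amount, unit):
    """Little Snitch prints either '84 Bytes' or '1.6kB'; 1 kB = 1000 bytes assumed."""
    value = float(amount)
    return int(round(value * 1000)) if unit == "kB" else int(value)


def parse_report(text):
    """Yield one dict per connection line; header and total lines do not match."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield {
                "host": m["host"], "ip": m["ip"], "port": int(m["port"]),
                "proto": m["pname"],
                "sent": to_bytes(m["sent"], m["sunit"]),
                "recv": to_bytes(m["recv"], m["runit"]),
            }


def summarize_by_ip(text):
    """Aggregate per remote address: connection count, bytes each way, distinct remote ports."""
    per_ip = defaultdict(lambda: {"host": "", "connections": 0, "sent": 0, "recv": 0, "ports": set()})
    for e in parse_report(text):
        s = per_ip[e["ip"]]
        s["host"] = e["host"]
        s["connections"] += 1
        s["sent"] += e["sent"]
        s["recv"] += e["recv"]
        s["ports"].add(e["port"])
    return dict(per_ip)


def top_talkers(summary, n=3):
    """Remote addresses ordered by bytes sent to them, most first."""
    return sorted(summary, key=lambda ip: summary[ip]["sent"], reverse=True)[:n]


def nothing_received(summary):
    """True when no connection in the report carried any inbound bytes."""
    return all(s["recv"] == 0 for s in summary.values())


if __name__ == "__main__":
    summary = summarize_by_ip(SAMPLE_REPORT)
    for ip in top_talkers(summary, n=10):
        s = summary[ip]
        print(f"{ip:16} {s['connections']:3} conns {s['sent']:6} B out "
              f"{s['recv']:4} B in  ports={sorted(s['ports'])}")
    print("inbound bytes recorded:", not nothing_received(summary))
```

Run against the full ConnectionReport.txt, this turns a wall of lines into a short table: a handful of remote addresses, many short connections each, a few dozen to a few hundred bytes out per connection and nothing back, which is the picture the later replies in this thread describe. As hayne points out, a report produced on the suspect machine is still that machine's word; the router's own connection logs are the independent witness.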
01-18-2009, 02:46 PM   #10
hayne
I don't think an "archive & install" would be a good idea when you suspect that the system has been compromised. You want to wipe it down to the "bare metal" in order to be sure that nothing from the intruder remains.
01-18-2009, 03:05 PM   #11
JDV
While someone certainly seems to be TRYING to get in, it looks to me from this section of the report that they have not been successful. If you do decide to go to ground zero, be aware that if this is a random port probe it may well continue after you have re-done the whole machine. If you've implemented a super-strong password, and it looks like you have, there isn't much to do except try to block that IP address, though the attackers likely have others at their disposal. Whether they had actually broken in before this is sort of hard to know, but nothing seems to be being sent that would appear to be particularly worrisome. Nonetheless, if you decide to re-install and want to be as safe as possible, Hayne's suggestion is a good idea, even if you aren't certain it was tampered with.

Joe VanZandt
01-18-2009, 04:06 PM   #12
jiclark
JDV,

I've attached the entire 'report' from Little Snitch. Could you explain why it doesn't appear to you that the attempt to break in was successful?

I know, from all that I've read about this, that there is no definitive way to know for sure either way, so I should probably do the reinstall. But if this "Mac OS X Kernel" Connection Report shows that it isn't likely, it sure would make me feel better!

Plus, as long as Little Snitch is monitoring incoming/outgoing network activity, I'll know if my machine is doing anything nefarious on its own, right? In other words, an intruder can do all sorts of things to hide a hijacked machine from the user, but they can't actually hide the network activity, right? Or if they can, how do they do that? It can't be hidden from the router at least, am I correct?

Obviously, I'm still not completely clear how possible it is for a hacker to take over a machine, and then totally hide what they're doing with it from anyone administering the LAN. In short, is that possible?
Attached file: ConnectionReport.txt (17.8 KB)
01-18-2009, 05:17 PM   #13
Hal Itosis
Quote:
Originally Posted by jiclark
My apologies to people like Hal Itosis for ruining their day; I will try not to post stupid questions like that in the future...

Nothing to it. Here is a typical Little Snitch dialog:
Code:

   "loginwindow"
    wants to connect to lcs.mac.com on TCP port 443 (https).

    Details...
         IP Address   17.250.248.160
   Reverse DNS Name   lcs.mac.com
     Established by   /System/Library/CoreServices/
                      loginwindow.app/Contents/MacOS/
                      loginwindow
         Process ID   22

        [ Once  |  Until Quit  |  Forever ]

     ( ) Any Connection
     ( ) Port 443 TCP (https)
     ( ) lcs.mac.com
     (•) lcs.mac.com & Port 443 TCP (https)

                       ( Deny )  (( Allow ))
Even without reading any help file, one can (should) see that, between the 3 horizontal choices (Once, Until Quit, Forever), the 4 vertical options (Any Connection, Specify Port, Specify Domain, Specify Both) and the 2 buttons at the bottom (Deny, Allow), all possible ways of dealing with the situation are laid out in (probably) the plainest terms humanly possible.


Reviewing the question: "In Little Snitch, is there a way to allow all connections for a given app?"

Answer: Yes... click Forever, Any Connection, Allow.
Easy, and not annoying or intrusive (as claimed).

01-18-2009, 06:00 PM   #14
hayne
Quote:
Originally Posted by jiclark
I'm still not completely clear how possible it is for a hacker to take over a machine, and then totally hide what they're doing with it from anyone administering the LAN. In short, is that possible?

Yes - that is what I was trying to say above.
It's easy to understand how such a thing is possible since anyone with full control of the machine can completely replace any parts of the operating system with versions that they have written (or downloaded) and so your machine might be running some specially written version of the OS that seems just like the original while being quite different underneath.
01-18-2009, 08:58 PM   #15
jiclark
Just to be clear though Hayne, they can't hide any actual network traffic that might be generated by their "specially written version" of the OS, can they? If so, how would that work??
01-18-2009, 10:52 PM   #16
hayne
Quote:
Originally Posted by jiclark
Just to be clear though Hayne, they can't hide any actual network traffic that might be generated by their "specially written version" of the OS, can they? If so, how would that work??

What machine are you using to see reports of this network traffic? If it is the machine that was compromised, then what I said above applies - you can't trust anything that a compromised machine says (or doesn't say).