27th
Simplify Media is acting like a port scanning trojan - Part II
So I heard from Simplify Media, and their response was informative:
A port scan is a ping from a specific location to a range of ports probing for an opening. The logs you posted actually show the opposite. These are pings from a range of ports to one specific port:
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62838
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62839
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62840
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62841
Note that the connection attempts are all to 127.0.0.1:59008 (in your case), and, as you mention, these are on the loopback interface and have no impact on security.
What you observed is standard behavior on startup. Our UI launches, and for the first 15 or 30 seconds while everything is coming up, it tries to communicate with our networking stack. Retry attempts are not from 0 to 65535 but rather from the “upper range of ephemeral ports” that are dynamically allocated to client TCP/IP socket connections (49152 through 65535). Once the application is started, internal communication should be flowing over the designated port and no more retry attempts are necessary, unless the peer process terminates for some reason.
They are correct: the attempts were originating FROM multiple ports TO a single port. The incrementing source ports (62838, 62839, 62840, ...) are just the ephemeral ports the kernel assigns to each successive connection attempt, so what the log shows is one client retrying a single closed port, not a sweep across ports. So I’m obviously not harboring a Trojan, although malware could generate the same retry pattern to blend in, so the pattern alone doesn’t prove a process is benign.
After studying my logs more closely, however, I found thousands of these entries, including one run that showed the retries continuing like this for over 12 hours. That is far more than the 15 to 30 seconds they said the Simplify Media client normally needs at startup. I sent them the logs and some other information so they can look into it further. But the odds are that something on my MacBook is keeping the app from stopping these retries, whether an unknown firewall rule or something else. The thing to check while the retries are running is whether anything is actually listening on 127.0.0.1:59008 (sudo lsof -nP -iTCP:59008 -sTCP:LISTEN); if nothing is, the client’s networking stack never came up and the UI has nothing to connect to.
The good news is that they got back to me quickly and took my findings seriously.
25th
Simplify Media is acting like a port scanning trojan...
Simplify Media, the iTunes library sharing application, has been flooding the loopback interface (lo0) and scanning all 65,535 ports of my machine.
My MacBook Pro’s networking has been a bit sluggish lately, so I looked in the system.log and found thousands of entries like this:
Aug 22 00:07:37 crackbook kernel[0]: Limiting closed port RST response from 261 to 250 packets per second
Aug 22 00:07:39 crackbook kernel[0]: Limiting closed port RST response from 252 to 250 packets per second
Aug 22 00:07:47: --- last message repeated 3 times ---
Aug 22 00:07:47 crackbook kernel[0]: Limiting closed port RST response from 255 to 250 packets per second
Aug 22 00:07:49 crackbook kernel[0]: Limiting closed port RST response from 252 to 250 packets per second
I did some research and found this type of log entry to be associated with DoS attacks, or at least port scans: the kernel rate-limits the TCP RSTs it sends back for packets arriving on closed ports (net.inet.icmp.icmplim, default 250 per second), so the message means more than 250 packets per second were hitting ports nobody was listening on. So, in Terminal I enabled the sysctl that logs connection attempts to closed ports (“sudo sysctl -w net.inet.tcp.log_in_vain=1”) and started seeing entries like these:
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62838
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62839
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62840
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62841
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62842
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62843
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62844
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62845
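As an added example, not code from the original posts or from Simplify Media: a small Python script that parses the two kernel messages shown here (the “Limiting closed port RST response” lines and the log_in_vain “Connection attempt” lines) and applies the distinction Simplify Media drew in Part II above, one destination port hit from many ephemeral source ports (a client retrying) versus one source walking many destination ports (an actual scan). The sample log is constructed: the loopback lines mirror the ones in this post, the 10.0.0.5 lines are invented to show what a scan looks like, and the five-port scan threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the net.inet.tcp.log_in_vain=1 kernel message quoted in the post.
IN_VAIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel\[\d+\]: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dip>[\d.]+):(?P<dport>\d+) from (?P<sip>[\d.]+):(?P<sport>\d+)$"
)
# Regex for the kernel's closed-port RST rate-limiter message.
RST_LIMIT_RE = re.compile(
    r"Limiting closed port RST response from (?P<seen>\d+) to (?P<limit>\d+) packets per second"
)

EPHEMERAL_LOW = 49152  # start of the BSD/macOS dynamic source-port range (49152-65535)
SCAN_MIN_PORTS = 5     # assumed threshold (not from the post): distinct closed ports that count as a scan


def parse_in_vain(lines):
    """One dict per 'Connection attempt' line; other lines (e.g. 'last message repeated') are skipped."""
    out = []
    for line in lines:
        m = IN_VAIN_RE.match(line.strip())
        if not m:
            continue
        ts = " ".join(m.group("ts").split())  # collapse "Aug  1" style day padding
        out.append({
            "ts": datetime.strptime(ts, "%b %d %H:%M:%S"),  # syslog lines carry no year
            "proto": m.group("proto"),
            "sip": m.group("sip"), "sport": int(m.group("sport")),
            "dip": m.group("dip"), "dport": int(m.group("dport")),
        })
    return out


def classify(attempts):
    """Group attempts by (source IP, destination IP) and label each group."""
    groups = defaultdict(list)
    for a in attempts:
        groups[(a["sip"], a["dip"])].append(a)
    report = {}
    for key, rows in groups.items():
        dports = {r["dport"] for r in rows}
        all_ephemeral = all(r["sport"] >= EPHEMERAL_LOW for r in rows)
        span = max(r["ts"] for r in rows) - min(r["ts"] for r in rows)
        if len(dports) >= SCAN_MIN_PORTS:
            verdict = "port scan"      # one source sweeping many destination ports
        elif len(dports) == 1 and all_ephemeral:
            verdict = "client retry"   # successive ephemeral source ports, one closed destination port
        else:
            verdict = "inconclusive"
        report[key] = {
            "verdict": verdict,
            "attempts": len(rows),
            "distinct_dports": len(dports),
            "duration_s": int(span.total_seconds()),  # how long the behaviour persisted
        }
    return report


def rst_limit_peaks(lines):
    """(observed, limit) packets-per-second pairs, one per rate-limiter message."""
    return [(int(m.group("seen")), int(m.group("limit")))
            for m in map(RST_LIMIT_RE.search, lines) if m]


# Constructed sample log: loopback lines mirror the post, the 10.0.0.5 lines are invented.
SAMPLE_LOG = """\
Aug 22 00:07:37 crackbook kernel[0]: Limiting closed port RST response from 261 to 250 packets per second
Aug 22 00:07:47: --- last message repeated 3 times ---
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62838
Aug 22 02:59:45 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62839
Aug 22 02:59:46 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:62840
Aug 22 03:10:00 crackbook kernel[0]: Connection attempt to TCP 192.168.1.20:22 from 10.0.0.5:40001
Aug 22 03:10:00 crackbook kernel[0]: Connection attempt to TCP 192.168.1.20:23 from 10.0.0.5:40001
Aug 22 03:10:00 crackbook kernel[0]: Connection attempt to TCP 192.168.1.20:25 from 10.0.0.5:40001
Aug 22 03:10:01 crackbook kernel[0]: Connection attempt to TCP 192.168.1.20:80 from 10.0.0.5:40001
Aug 22 03:10:01 crackbook kernel[0]: Connection attempt to TCP 192.168.1.20:443 from 10.0.0.5:40001
Aug 22 03:10:01 crackbook kernel[0]: Connection attempt to TCP 192.168.1.20:3389 from 10.0.0.5:40001
Aug 22 15:01:02 crackbook kernel[0]: Connection attempt to TCP 127.0.0.1:59008 from 127.0.0.1:51217
"""


def analyze(text):
    lines = text.splitlines()
    return classify(parse_in_vain(lines)), rst_limit_peaks(lines)


if __name__ == "__main__":
    report, peaks = analyze(SAMPLE_LOG)
    for (sip, dip), info in report.items():
        print(f"{sip} -> {dip}: {info}")
    print("RST rate-limit events (observed, limit):", peaks)
```

On the sample the loopback group comes out as a client retry that persisted for just over 12 hours, which is the pattern from Part II, while the invented 10.0.0.5 group is flagged as a scan. To use it on a real machine, feed it the lines of /var/log/system.log after enabling net.inet.tcp.log_in_vain=1 (a sysctl -w setting does not survive a reboot).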
So I’ve spent the last few days fearing I had some kind of trojan that was continuously looking for vulnerable local ports.
However, today I finally realized that the “trojan” was Simplify Media. My machine started to get sluggish again, so I checked my logs and it was again being filled with the “Limiting closed port RST response” entries. I used “sudo ifconfig lo0 down” in Terminal to disable the loopback interface, only to have my machine nearly lock up within a minute or so. One look at the running processes showed that Simplify Media was hogging 97% of the CPU. When I brought the loopback up, this number dropped, and the log started to fill up again. I killed Simplify Media, and the log entries stopped instantly.
I find it very troubling that Simplify Media would be flooding a network interface like this, even if it is only the loopback. I’ve contacted Simplify Media about this issue, but haven’t heard back yet. In the meantime I will be keeping Simplify Media safely locked away.
25th
Obama's "Change" is a double-headed coin

The “Blue Dog” Democrats were thrown a lavish party on AT&T’s dime at the DNC:
Amazingly, not a single one of the 25-30 people we tried to interview would speak to us about who they were, how they got invited, what the party’s purpose was, why they were attending, etc. One attendee said he was with an “energy company,” and the other confessed she was affiliated with a “trade association,” but that was the full extent of their willingness to describe themselves or this event. It was as though they knew they’re part of a filthy and deeply corrupt process and were ashamed of — or at least eager to conceal — their involvement in it.
Yay democrazy. *sigh*
http://www.salon.com/opinion/greenwald/2008/08/25/blue_dogs/
23rd
David Byrne designs NYC Bike Racks
David Byrne has designed some funky bike racks for NYC. Before learning it was designed by Byrne, I saw the high heeled shoe one in front of Bergdorf’s on Fifth Avenue and it made me smile. Nice work.
22nd
The Big Lebowski Word Cloud
I generated the above image by running the script for The Big Lebowski through the awesome Wordle service. Wordle is a toy for generating “word clouds” from text that you provide; the clouds give greater prominence to words that appear more frequently in the source text. I think I may have to make a t-shirt.