|
Alles rund um Mac OSX & Linux: CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun?Windows 7 Für alle Fragen rund um Mac OSX, Linux und andere Unix-Derivate. |
27.10.2015, 13:38 | #1 |
| CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun? Das Macbook hat 7 Jahre auf dem Buckel. Die Festplatte wurde vor 3 Monaten erneuert. Das Macbook verursacht bisher keinerlei Probleme. Dass wir einen Virus haben, hat mir ein Freund mitgeteilt, der zu Besuch war und unser Internet (Air Port) für mehre Tage intensiv (Gamer!) genutzt hat. Als er auf den Servercluster zugreifen wollte, wurde ihm Aufgrund der IP den Zugang verweigerte, Grund: Versand von Malware von der IP aus. Die Meldung von CBL hänge ich unten an. Was macht ein Microsoftvirus auf dem Mac? Ich werde jetzt das Betriebssystem auf 10.7 Lion erneuern. Für 10.6.8 scheint es mir keine Optionen auf irgendwas zu geben. Ich habe auch versucht, die Schritte von Cheklist durchzuführen. Aber der mac erkennt die Programme nicht und will sie nur mit Textprogrammen öffnen??? Auch er Norton Power Eraser, den ich installiert habe, wird nicht als Programm erkannt. Bin selbst Computerdepp und nutze den Rechner als Musik- und Bildarchiv und für Internet-Recherche. Daher gibt's auch fast keine Downloads auf dem Rechner, aber sehr viele Dateien, die ich nicht verlieren möchte (gibt aber ein Backup auf ner externen Festplatte). Was tun??? Hier der CBL Vermerk: IP Address 178.115.129.254 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet. It was last detected at 2015-10-17 07:00 GMT (+/- 30 minutes), approximately 9 days, 3 hours, 59 minutes ago. This IP address is infected with, or is NATting for a machine infected with the Neurevt trojan. Neurevt is a malicious software (malware) used by cybercriminals to steal sensitive personal data, such as credentials (username, password) for online services (email, webmail, etc.). The infection was detected by observing this IP address attempting to make contact to a Neurevt Command and Control server (C&C), a central server used by the criminals to control with Neurevt infected computers (bots). More information about Neurevt can be found here (Microsoft). This was detected by a TCP/IP connection from 178.115.129.254 on port 39000 going to IP address 173.193.197.194 (thesinkhole) on port 80. The botnet command and control domain for this connection was "bloop.xyz". Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 173.193.197.194 or host name bloop.xyz on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 173.193.197.194 or bloop.xyz. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25. This detection corresponds to a connection at 2015-10-17 06:40:05 (GMT - this timestamp is believed accurate to within one second). These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer. You will need to find and eradicate the infection before delisting the IP address. Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections. We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" its a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users/customers personal information, including banking information to the criminal bot operators. If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it. We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available. Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent. This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working. The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives.NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP. Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total. Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected. While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources. |
27.10.2015, 22:34 | #2 | ||
/// Mac Expert | CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun?Zitat:
Siehe Erläuterungen unten.... Dieser Trojaner ist nur auf Windows aktiv. Dein Mac hat damit nichts zu tun. Die IP ist eine Pool Adresse aus drei.com https://db-ip.com/all/178.115.129. Du kannst selbst prüfen welche IP dein Rechner hat: myip.is Das kommt vor das ein ganzer Adressraum gesperrt wird. Du musst glaubhaft widerlegen das die Funde die gemacht wurden nicht von deinem System aus gehen. Ändere dein Wireless Kennwort und denn Zugang zu deinem Router. Zitat:
__________________ Geändert von Dante12 (27.10.2015 um 22:42 Uhr) |
27.10.2015, 22:44 | #3 |
/// Winkelfunktion /// TB-Süch-Tiger™ | CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun? Der Fairness halber möchte ich an dieser Stelle erwähnen, dass ich seinen Thread hierher verschoben hab - weil im Thread Mac OS X thematisiert wird.
__________________
__________________ |
27.10.2015, 22:50 | #4 |
/// Mac Expert | CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun? Danke für den Hinweis Cosinus
__________________ ----------------- -Gruß dante12 ----------------- Lob, Kritik, Wünsche? Spende fürs trojaner-board? |
28.10.2015, 05:09 | #5 | |
| CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun? Cool! Danke für die Hilfe!!!! Das ist schon mal total beruhigend. Ich ändere jetzt das Kennwort und den Zugang zum Router. Und dann versuch ich das mit dem "glaubhaft widerlegen" ... auch wenn ich noch nicht weiß, wie und bei wem. PS: Kein PC vorhanden.Ees gibt nur den Mac. Zitat:
|
28.10.2015, 07:07 | #6 | |
/// Mac Expert | CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun?Zitat:
Um vorsorglich zu sehen ob an deinem Rechner was sein könnte, kannst du ja mal ein Log nach folgender Anleitung erstellen: EtreCheck Log
Lesestoff: Posten in CODE-Tags Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR oder 7Z-Archiv zu packen erschwert mir massiv die Arbeit. Auch wenn die Logs für einen Beitrag zu groß sein sollten, bitte ich dich die Logs direkt und notfalls über mehrere Beiträge verteilt zu posten. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:
__________________ --> CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun? Geändert von Dante12 (28.10.2015 um 07:13 Uhr) |
28.10.2015, 08:45 | #7 |
| CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun?Code:
ATTFilter EtreCheck version: 2.6.1 (221) Report generated 28.10.15 08:39 Runtime 1:06 Download EtreCheck from hxxp://etresoft.com/etrecheck Click the [Click for support] links for help with non-Apple products. Click the [Click for details] links for more information about that line. Hardware Information: (What does this mean?) MacBook (13-inch Mid 2007) [Click for Technical Specifications] [Click for User Guide] MacBook - model: MacBook2,1 1 2.16 GHz Intel Core 2 Duo CPU: 2-core 2 GB RAM BANK 0/DIMM0 1 GB DDR2 SDRAM 667 MHz ok BANK 1/DIMM1 1 GB DDR2 SDRAM 667 MHz ok Bluetooth: Old - Handoff/Airdrop2 not supported Wireless: en1: 802.11 a/b/g/n Battery: Health = Normal - Cycle count = 96 - SN = (null) Video Information: (What does this mean?) GMA 950 - VRAM: spdisplays_integrated_vram Color LCD 1280 x 800 spdisplays_display_connector System Software: (What does this mean?) OS X Snow Leopard 10.6.8 (10K549) - Time since boot: about 2 days Disk Information: (What does this mean?) CT250BX100SSD1 disk0 : (232,89 GB) (Solid State - TRIM: No) - (disk0s1) <not mounted> : 210 MB SSD Hauptfestplatte 250GB Pip (disk0s2) / : 249.72 GB (145.70 GB free) USB Information: (What does this mean?) Micron Built-in iSight Apple Computer Apple Internal Keyboard / Trackpad Apple Inc. Bluetooth USB Host Controller Apple Computer, Inc. IR Receiver Startup Items: (What does this mean?) HW_CreateNetwork: Path: /Library/StartupItems/HW_CreateNetwork HWNetMgr: Path: /Library/StartupItems/HWNetMgr HWPortDetect: Path: /Library/StartupItems/HWPortDetect HWPortDetect_driver: Path: /Library/StartupItems/HWPortDetect_driver StartOuc: Path: /Library/StartupItems/StartOuc Startup items are obsolete in OS X Yosemite System Launch Agents: (What does this mean?) [running] com.apple.AirPortBaseStationAgent.plist - Invalid signature! [loaded] com.apple.cvmsCompAgent_i386.plist - Invalid signature! [loaded] com.apple.cvmsCompAgent_ppc.plist - Invalid signature! [running] com.apple.cvmsCompAgent_x86_64.plist - Invalid signature! System Launch Daemons: (What does this mean?) [running] com.apple.usbmuxd.plist - No signature! Launch Agents: (What does this mean?) [loaded] com.intego.backupassistant.agent.plist [Click for support] Launch Daemons: (What does this mean?) [loaded] com.adobe.fpsaud.plist [Click for support] [loaded] com.bombich.ccc.plist [Click for support] [running] com.bombich.ccc.scheduledtask.C7D090A9-5EC5-4833-B8BF-CE8B8EF2EB90.plist [Click for support] [running] com.intego.BackupAssistant.daemon.plist [Click for support] User Launch Agents: (What does this mean?) [loaded] com.adobe.ARM.[...].plist [Click for support] [loaded] com.google.keystone.agent.plist [Click for support] User Login Items: (What does this mean?) Microsoft AU Daemon Programm (/Applications/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app) AirPort-Basisstation-Agent Programm (/System/Library/CoreServices/AirPort Base Station Agent.app) AdobeResourceSynchronizer Programm Hidden (/Applications/Adobe Reader.app/Contents/Support/AdobeResourceSynchronizer.app) Other Apps: (What does this mean?) [loaded] [0x0-0x11011].org.mozilla.firefox [running] [0x0-0x119119].com.etresoft.EtreCheck [running] [0x0-0x16016].com.adobe.Reader [running] [0x0-0x23023].com.microsoft.Word [running] [0x0-0xa00a].com.microsoft.autoupdate.fba Internet Plug-ins: (What does this mean?) JavaAppletPlugin: Version: 13.9.8 - SDK 10.6 Check version FlashPlayer-10.6: Version: 19.0.0.226 - SDK 10.6 [Click for support] QuickTime Plugin: Version: 7.6.6 AdobePDFViewerNPAPI: Version: 11.0.11 - SDK 10.6 [Click for support] AdobePDFViewer: Version: 11.0.11 - SDK 10.6 [Click for support] CANONiMAGEGATEWAYDL: Version: 3.1.0.2 [Click for support] Flash Player: Version: 19.0.0.226 - SDK 10.6 [Click for support] Silverlight: Version: 5.1.40416.0 - SDK 10.6 [Click for support] AmazonMP3DownloaderPlugin101749: Version: AmazonMP3DownloaderPlugin 1.0.17 - SDK 10.4 [Click for support] iPhotoPhotocast: Version: 7.0 Safari Extensions: (What does this mean?) AdBlock Audio Plug-ins: (What does this mean?) iSightAudio: Version: 7.6.6 3rd Party Preference Panes: (What does this mean?) Flash Player [Click for support] Time Machine: (What does this mean?) Time Machine information requires OS X 10.8 "Moutain Lion" or later. Top Processes by CPU: (What does this mean?) 7% activitymonitord 4% WindowServer 4% fontd 3% LaunchCFMApp 2% AdobeReader Top Processes by Memory: (What does this mean?) 401 MB Safari 326 MB firefox 311 MB WebProcess 59 MB mds 53 MB Mail Virtual Memory Information: (What does this mean?) 80 MB Free RAM 1.92 GB Used RAM 1.31 GB Swap Used Diagnostics Information: (What does this mean?) Oct 26, 2015, 12:34:43 AM Self test - passed Oct 25, 2015, 12:15:40 PM ~/Library/Logs/DiagnosticReports/PubSubAgent_2015-10-25-121540_[redacted].crash |
28.10.2015, 09:37 | #8 |
/// Mac Expert | CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun? Scheint alles in Ordnung zu sein, dein Speicher solltest du mal aufrüsten denn hier wird sehr viel auf die Festplatte "abgelegt" weil der Speicher nicht ausreicht.
__________________ ----------------- -Gruß dante12 ----------------- Lob, Kritik, Wünsche? Spende fürs trojaner-board? |
28.10.2015, 09:42 | #9 |
| CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun? Danke dante!!! |
Themen zu CBL listet meinen Mac (OS X, Version 10.6.8) als mit Neuvret-Trojaner infiziert - was tun? |
bot, clean, dateien, detected, dns, downloader, email, festplatte, firewall, help, infected, infiziert, internet, macbook, malware, malware / spyware, net command, neurevt, norton power eraser, opera, port, programme, proxy, proxy server, software, spam, spambot, temp, trojan, virus |