
I just used Onyx to clean out my caches and log files after which I did a reboot. Browsing the "All Messages" panel of the Console app I noticed this line:

10/27/13 3:38:03.000 PM kernel: 5.106.198.19

Since I did not recognize that IP I did a whois and to my surprise found out that it points to Eurolan Solutions in Romania.

So my question is why is my Mac 10.7.5 contacting Romania and how can I stop this from happening?

Many thanks

Jack
  • Could be any software reporting back to the developer. – Darius Oct 27 '13 at 20:09
  • Via the kernel? Forgive my ignorance, I know just enough to cause problems for those who know more. If you saw this line in your log, would you be concerned? Thanks for the response – Jack Oct 27 '13 at 20:12
  • Based on my somewhat limited knowledge of what a [rootkit](http://en.wikipedia.org/wiki/Rootkit) is it seems like one. – Jon Oct 27 '13 at 20:14
  • Are there OSX root kits floating around? – Jack Oct 27 '13 at 20:15
  • If you are really worried, you could use something like Little Snitch (or something similar) -> http://www.obdev.at/products/littlesnitch/index.html to identify any incoming and outgoing connection, and block / allow them as necessary. – Darius Oct 27 '13 at 20:21
  • I just added an entry to my router's block list. I just killed access to all of 5.?.?.? As for LittleSnitch I wonder if it loads before this kernel action I referred to in my post. My question is now this: would YOU be worried about this log entry? – Jack Oct 27 '13 at 20:26
  • Eurolan Solution Romania is an ISP. The chances of this being legit software reporting back to its developer are next to nil. – MariusMatutiae Oct 27 '13 at 21:07
  • Last week my Visa card was hijacked too. Guess I have a valid lead as to where I am compromised. Will a DiskUtility format action wipe this alleged root kit out? – Jack Oct 27 '13 at 21:22
  • If your Visa got nabbed, then this sounds more and more like you're infected. Perhaps check out http://superuser.com/questions/6800/os-x-rootkit-spyware-scanners?rq=1 – Ƭᴇcʜιᴇ007 Oct 27 '13 at 21:30
  • I don't trust scanners per se, since it is too easy to miss stuff. I've blocked the IP range for now, and I'll wipe the drive and reinstall OSX after I finish my current project. I'll keep an eye on the log files too. Thanks for the help. – Jack Oct 27 '13 at 22:01

1 Answer

After a trip to the Apple Store, I can report this is a non-issue. The tech I spoke to said they had a server in the back room still running Lion. So he went and looked at the kernel.log and found the same entry that I had. Turns out the numbers I thought were an IP address seem to be tied to the Wi-Fi card as a version number. Better safe than sorry I guess.

Jack
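Added example (not from the thread or from Apple): a small triage script that does what the answer ended up doing by hand, asking whether a dotted-quad in a log line is corroborated as a network endpoint before treating it as one. It assumes a Console log excerpt and a `netstat -an` snapshot as plain text; apart from the line quoted in the question, every log and netstat line below is constructed.

```python
import ipaddress
import re

# Constructed sample input. The first log line is the one quoted in the question;
# every other log line and the whole netstat snapshot are made up for this example.
SAMPLE_LOG = """\
10/27/13 3:38:03.000 PM kernel: 5.106.198.19
10/27/13 3:38:05.000 PM kernel: AirPort: Link Up on en1
10/27/13 3:38:09.000 PM configd[17]: DHCP lease from 10.0.1.1 on en1
10/27/13 3:38:12.000 PM mDNSResponder[33]: version 379.38.1
10/27/13 3:38:15.000 PM kernel: firmware 999.1.2.3 loaded
10/27/13 3:38:20.000 PM sshd[88]: Accepted publickey from 203.0.113.7 port 52100
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.5.22            203.0.113.7.52100      ESTABLISHED
"""

QUAD = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
# Words that show the token is being used as a network endpoint in the log line.
NET_WORDS = re.compile(r"\b(port|from|to|connect(?:ed|ion)?|host|peer|server|client)\b", re.I)
# macOS netstat prints "address.port"; this captures the address and drops the port.
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.\d+")

def connected_hosts(netstat_text: str) -> set[str]:
    """Addresses (local and foreign) present in a netstat -an snapshot."""
    return set(ENDPOINT.findall(netstat_text))

def classify(token: str, line: str, seen: set[str]) -> str:
    """Label one dotted-quad token found in a log line."""
    try:
        ipaddress.IPv4Address(token)
    except ValueError:
        return "not-an-ip"            # an octet over 255: cannot be an address
    if token in seen:
        return "seen-in-connections"  # corroborated by a real socket: investigate
    if NET_WORDS.search(line):
        return "network-context"      # logged as an endpoint, but no live socket
    return "uncorroborated"           # bare number: likely a version/build string

def triage(log_text: str, netstat_text: str) -> dict[str, str]:
    """Map every dotted-quad in the log to a triage label."""
    seen = connected_hosts(netstat_text)
    verdicts = {}
    for line in log_text.splitlines():
        for token in QUAD.findall(line):
            verdicts[token] = classify(token, line, seen)
    return verdicts

if __name__ == "__main__":
    for token, label in triage(SAMPLE_LOG, SAMPLE_NETSTAT).items():
        print(f"{token:16} {label}")
```

An "uncorroborated" verdict is not proof of innocence; it is the cue to compare against a known-clean machine of the same OS version, which is exactly the check that resolved the question here.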