

View currently open network connections
Authored by: theosib on Jul 07, '11 11:56:16AM

This hint is basically a trojan. It seriously needs to be redacted!



View currently open network connections
Authored by: babbage on Jul 07, '11 06:55:29PM

All of these replies are correct — this hint is a REALLY TERRIBLE IDEA, and should be redacted. Running a script as root to download & install network-scanning software from some random person's possibly sketchy Scandinavian server? Are you insane? NO NO NO.

If you want a non-insane way to do this, here's one that will work on any Mac, by leveraging the stroke command line tool embedded in every copy of Network Utility:

$ cd /Applications/Utilities/Network\ Utility.app/Contents/Resources
$ ./stroke 
2011-07-07 21:44:43.728 stroke[80012:903] stroke address startPort endPort
$ ./stroke localhost 0 1000
Port Scanning host: 127.0.0.1

	 Open TCP Port: 	22     		ssh
	 Open TCP Port: 	80     		http
	 Open TCP Port: 	88     		kerberos
	 Open TCP Port: 	139    		netbios-ssn
	 Open TCP Port: 	445    		microsoft-ds
	 Open TCP Port: 	548    		afpovertcp
	 Open TCP Port: 	631    		ipp
$ 

You can have that scan any address you like, and if you use it a lot, you can even symlink it to somewhere in your $PATH so that you don't have to type that all out every time:

$ sudo ln -s /Applications/Utilities/Network\ Utility.app/Contents/Resources/stroke /usr/local/bin/

That way, you can run stroke address startPort endPort and it will just work. And if you want to get fancy and build up something that runs it from cron or launchd or whatever, good for you.

But for Pete's sake, please don't ever follow the advice in this hint and download & run the garbage that got published here today.

---
--
DO NOT LEAVE IT IS NOT REAL


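The stroke session above is a plain TCP connect scan of the local host. The following is an added example, not code from the original post or from Network Utility, that does the same audit of your own machine in Python: it tries a TCP connection to every port in a range and reports the ones that answer, with the service name taken from /etc/services, in a layout modelled on stroke's output. The default host and range are assumptions; the listener helper at the end exists only so the scan can be exercised against a port you control.

```python
"""Listening-port audit of the local host, in the spirit of the stroke example.

Added example; not code from the original post or from Network Utility.
"""
import socket
from typing import List, Tuple


def probe_port(host: str, port: int, timeout: float = 0.2) -> bool:
    """Return True if a TCP connect to host:port succeeds within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def service_name(port: int) -> str:
    """Conventional service name for a TCP port from /etc/services, or '?'."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "?"


def scan_ports(host: str, start: int, end: int, timeout: float = 0.2) -> List[Tuple[int, str]]:
    """Probe ports start..end inclusive; return (port, service) for the open ones."""
    if not (0 <= start <= end <= 65535):
        raise ValueError("port range must satisfy 0 <= start <= end <= 65535")
    found = []
    for port in range(max(start, 1), end + 1):  # port 0 is never a listener
        if probe_port(host, port, timeout):
            found.append((port, service_name(port)))
    return found


def format_report(host: str, results: List[Tuple[int, str]]) -> str:
    """Render results in a layout modelled on stroke's output."""
    lines = [f"Port Scanning host: {host}"]
    for port, name in results:
        lines.append(f"\t Open TCP Port: \t{port:<6}\t{name}")
    return "\n".join(lines)


def open_test_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Helper for exercising the scanner: listen on an ephemeral port you own."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Assumed defaults: the local host and the same 1..1000 range as the stroke run.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    lo = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    hi = int(sys.argv[3]) if len(sys.argv) > 3 else 1000
    print(format_report(target, scan_ports(target, lo, hi)))
```

Run it as `python3 portcheck.py 127.0.0.1 1 1000` to get a report like the one from stroke; like stroke, it only reports ports that accept a connection, so services bound to other interfaces or filtered by a firewall will not appear, and unlike `lsof -i` or `netstat -an` it does not tell you which process owns the port.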
View currently open network connections
Authored by: babbage on Jul 07, '11 07:49:22PM

ADDENDUM:

Having now looked at Peter Moller's site, and read over the source of his scripts, it's not *that* bad.

Moller is a systems administrator at Lund University in Sweden. (I'll give the uni the benefit of the doubt & assume they don't have a criminal working as their sysadmin.) The output from the script does include a lot of information that isn't really as simple as just displaying the output from stroke or lsof or netstat. In my day job, I have to help manage a bunch of Linux servers, and having a display something like this would be pretty useful to me.

But the scripts make some serious, serious mistakes.

• You can't just run the thing and see the output in a Terminal window like a normal Unix script — you *must* run it through GeekTool.

• If you try to look at the source of the script while it's running, it will refuse to run, because the `vi open_ports.sh` command will show up among your running processes, and it halts when it sees this. (It's possible this is a bug rather than intentional obfuscation — obviously you can get around it by linking the file to another name and just working with the other version in the text editor.)

• If you try to modify the script, it will refuse to run, because it does an SHA checksum on itself, compared to a version downloaded from the author's site. (Then again, you could just comment out the checksum & exit code.)

• As another commenter noted, it's using a deprecated means to communicate with a Geo-IP lookup service that's of questionable utility anyway. Unless you're using this script to maintain a log of your travels, chances are you don't need this in the first place.

• By checking in with the author's web server, the program is effectively spyware, as it's recording an unnecessary log of where you've been and what software you've been running, and regularly phoning home back to the author's site. The current version does not appear to send personal information back, but given that the script has an auto-update mechanism built in, there is no guarantee about what future versions may do with this info.

Basically, if there were a version of this script that just ran like a normal Unix command and looked up this info and displayed it like this, that would be pretty handy. And if it wanted to have an optional update function THAT YOU CAN CONTROL, then that would be acceptable too — most software comes with some kind of update notification framework these days, that's not controversial. And if you could turn off the logging &/or the location lookups, even better.

But the original point that I & others made still stands. Unless you personally know & trust Mr Moller, these scripts as designed & written should not be considered. A version that fixed some of these problems, sure, that could be handy, but it would be almost as easy to just write it from scratch as it would to wait for an alternate version of this that wasn't so frightening.

---
--
DO NOT LEAVE IT IS NOT REAL



View currently open network connections
Authored by: PeterMoller on Jul 08, '11 12:22:55PM

Wow! Lots of opinions! :-)

>Having now looked at Peter Moller's site, and read over the source of his scripts, it's not *that* bad.
Well, thank you!


>Moller is a systems administrator at Lund University in Sweden. (I'll give the uni the benefit of the doubt & assume they don't have a criminal working as their sysadmin.)
I have been a sysadmin here for some 20 years now, and no, no criminal charges! :-) But I understand you guys; I probably would have been sceptical about this too. But look at the script, it's fairly simple and, I hope, well commented!

>The output from the script does include a lot of information that isn't really as simple as just displaying the output from stroke or lsof or netstat. In my day job, I have to help manage a bunch of Linux servers, and having a display something like this would be pretty useful to me.
I have it running on a bunch of servers at the dept. and on one machine, it immediately informed me that a whole bunch of clients still used its SMB service (which they shouldn't have).


One general comment first: the script *must* run as root or you will only see your own network connections. One aspect of this script is to help find installed spyware/malware (and this is not one); those rarely run as *you*! Only seeing one user's aspect of a UNIX computer is almost completely useless in a general view. So, root. Unfortunately. Sorry, guys.


>• You can't just run the thing and see the output in a Terminal window like a normal Unix script — you *must* run it through GeekTool.
Nope. If you read the instructions, you see that run as root, the script generates the data and run as any other user (i.e. your normal account) it displays the data. Try it yourself! GeekTool just displays what would have been viewed in a Terminal window. This is how I run it under Linux.


>• If you try to look at the source of the script while it's running, it will refuse to run, […]
Yes, I know. Then again, I didn't consider it important enough to fix. Since the geo lookup can take some time, I didn't want it to launch copy after copy after copy of the script. I write it in TextWrangler and that doesn't make any problem.


>• If you try to modify the script, it will refuse to run, because it does an SHA checksum on itself, compared to a version downloaded from the author's site. (Then again, you could just comment out the checksum & exit code.)
Nope, absolutely not. The checksum is *only* used to verify the “new” script when updating.


>• As another commenter noted, it's using a deprecated means to communicate with a Geo-IP lookup service that's of questionable utility anyway. […]
True. Two points, though:
1. I included it mostly because I found it to be intriguing.
2. But having it and starting to look at the data, I realised that this kind of information is coming big time (through different means, though). If nothing else, the Ad industry is highly into this and both iOS and OS X now have location manager (see this URL for instance: http://developer.apple.com/library/ios/#documentation/CoreLocation/Reference/CLLocationManager_Class/CLLocationManager/CLLocationManager.html)


>• By checking in with the author's web server, the program is effectively spyware, as it's recording an unnecessary log of where you've been and what software you've been running, and regularly phoning home back to the author's site.
Nope. Absolutely *not*. No information of any kind is transmitted from the client of open_ports.sh to the web-server — or any other server of any kind that I have or am aware of. Naturally, the apache web-server logs your visit in the normal way but nothing whatsoever more than that. Read the script!
There is local logging that I included mostly to see how the computer's idea of where in the world I have been matches where I have actually been, but it is not needed or even used in any way (or communicated in any way to anyone).


>[…] And if it wanted to have an optional update function THAT YOU CAN CONTROL, then that would be acceptable too — most software comes with some kind of update notification framework these days, that's not controversial.[…]
Ok, I hear it loud and clear: people don't want auto update, so I will most probably turn it off in the next version and instead have the script perform the check (if there is a new version) and *inform* the user that there is a new version ready to be fetched.


>But the original point that I & others made still stands. Unless you personally know & trust Mr Moller, these scripts as designed & written should not be considered.
I guess I would have been wary as well. But now I'm me and find this quite useful at work, so I thought I should share it.



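The author explains above that the script refuses to start when its own name shows up in the process list, which is meant to stop a slow geo lookup from piling up copies, but it also trips on an editor session such as `vi open_ports.sh`. The following is an added example, not code from open_ports.sh, of the usual way to get the "only one running copy" guarantee without that false positive: an exclusive advisory lock on a dedicated lock file, which only conflicts with another process that actually holds the same lock. The lock-file path is an assumption.

```python
"""Single-instance guard with an advisory file lock (added example, not
code from open_ports.sh). A process-name check matches anything whose
command line contains the script name, including an editor; a flock()
on a fixed file conflicts only with another holder of that lock.
"""
import errno
import fcntl
import os
import tempfile
from typing import IO, Optional

# Assumed location; the real script would choose its own path.
DEFAULT_LOCK_PATH = os.path.join(tempfile.gettempdir(), "open_ports.lock")


def acquire_instance_lock(path: str = DEFAULT_LOCK_PATH) -> Optional[IO[str]]:
    """Take an exclusive, non-blocking lock on path.

    Returns the open file (keep it referenced; closing it releases the lock),
    or None if another running copy already holds the lock.
    """
    fh = open(path, "a+")  # create if missing, never truncate on open
    try:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as exc:
        fh.close()
        if exc.errno in (errno.EAGAIN, errno.EWOULDBLOCK):
            return None  # someone else holds it: another copy is running
        raise
    # Record the owner's pid so an operator can see who holds the lock.
    fh.seek(0)
    fh.truncate()
    fh.write(f"{os.getpid()}\n")
    fh.flush()
    return fh


def release_instance_lock(fh: IO[str]) -> None:
    """Drop the lock explicitly; the kernel also drops it if the process dies."""
    fcntl.flock(fh.fileno(), fcntl.LOCK_UN)
    fh.close()


def lock_holder_pid(path: str = DEFAULT_LOCK_PATH) -> Optional[int]:
    """Read the pid written by the current holder, if any, for diagnostics."""
    try:
        with open(path) as fh:
            text = fh.read().strip()
    except FileNotFoundError:
        return None
    return int(text) if text.isdigit() else None


if __name__ == "__main__":
    import sys
    lock = acquire_instance_lock()
    if lock is None:
        sys.exit(f"another copy is already running (pid {lock_holder_pid()})")
    try:
        print("lock held; doing the slow work here")
    finally:
        release_instance_lock(lock)
```

Because the lock belongs to the open file description rather than to the file name, the kernel releases it automatically when the holder exits or crashes, so a stale lock file left on disk does not block the next run the way a leftover pid file would.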
View currently open network connections
Authored by: S Barman on Jul 07, '11 08:48:54PM

You can also download and use nmap from nmap.org. Nmap does more probing and is a really nice tool!



View currently open network connections
Authored by: PeterMoller on Jul 08, '11 10:56:37PM

While “stroke” is a nice thing (that I didn't know about), it by no means does what open_ports.sh does.

/Peter
(author of open_ports.sh)



View currently open network connections
Authored by: PeterMoller on Jul 08, '11 10:24:07PM

No, it's not a trojan: it's an installer script (I don't really know why the installer script got published in the hint). The script itself is by no means a trojan.


