# iMac and Botnet?



## Eagle2000 (Apr 23, 2011)

My ISP (Insight) informed us that we had a botnet. On my home network I have 3 PCs and 1 iMac. I reinstalled the operating systems completely on the PCs, but did not do anything on the iMac. I was then informed again that we have a botnet. The PCs were isolated and not used during this last notification. I am using WPA2 on my Airport Extreme. I am not running AV on the iMac. I am concerned now that the iMac may have a botnet. Question - Should I run a free copy of Sophos or Clamxav? Will these products be able to identify a Botnet? OR should I reinstall the operating system on my iMac? Any advice is greatly appreciated.


----------



## Headrush (Feb 9, 2005)

You're likely not infected but I would suggest running ClamXav anyways.
Remember even if viruses, trojans don't run on OS X, you can still pass them to Windows users.

You can also download a free trial of *Little Snitch* and see any outgoing or incoming network access attempts.

Re-installing is overkill at this point.

*Edit:* Did the notice from your ISP specifically say they thought YOU had a botnet, or one was detected on their network and hence your machine could be at risk?


----------



## DoubleHelix (Dec 10, 2004)

You reinstalled Windows on all 3 computers and never connected them to Internet?


----------



## Eagle2000 (Apr 23, 2011)

My ISP stated I had a botnet. They said that periodic scans are conducted on their end and the IP address from my router was sending mass amounts of spam.

I did run ClamXav and it found 7 files that were phishing email files which I deleted.

I am not that familiar with Console but noticed the following line repeated multiple times (every few minutes) throughout the day:
"4/25/11 9:45:08 PM com.apple.launchd.peruser.501[95] (com.lexmark.bmlaunchd) Throttling respawn: Will start in 10 seconds".
I am thinking this is related to an issue with Lexmark but thought I would mention.


----------



## Eagle2000 (Apr 23, 2011)

DoubleHelix - For the dates the ISP provided me where instances were found, my Windows machines were not connected.


----------



## Headrush (Feb 9, 2005)

ClamXav finding numerous phishing emails is pretty normal.

I would install *Little Snitch* and you'll catch any outgoing traffic.

I would also recommend changing your WPA2 password. Could be that your WiFi network has been compromised.
I also set my Airport Extreme that access only be granted based on specific MAC addresses. Although MAC addresses can be faked it still adds a little more security.

You can also look in the access logs of the Airport Extreme and look for any possible clues of another user.
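As an added illustration (not code from this thread or from Little Snitch), the kind of check the Little Snitch suggestion amounts to: a non-mail process opening SMTP connections to many different hosts is the signature of a spam bot. The input is a constructed sample of `lsof -nP -iTCP` output (the macOS command is real; the process names, PIDs and addresses are made up), and the "Mail" allowlist and the fan-out threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of `lsof -nP -iTCP` output: one legitimate mail client,
# a browser, and an unknown process fanning out to several hosts on port 25.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Mail      412 bob    23u  IPv4 0x1a2b      0t0  TCP 192.168.1.10:50212->203.0.113.5:993 (ESTABLISHED)
Mail      412 bob    25u  IPv4 0x1a2c      0t0  TCP 192.168.1.10:50213->203.0.113.5:587 (ESTABLISHED)
Safari    530 bob    41u  IPv4 0x1a2d      0t0  TCP 192.168.1.10:50301->198.51.100.20:443 (ESTABLISHED)
unknownd  777 bob     5u  IPv4 0x1a2e      0t0  TCP 192.168.1.10:51000->198.51.100.33:25 (SYN_SENT)
unknownd  777 bob     6u  IPv4 0x1a2f      0t0  TCP 192.168.1.10:51001->198.51.100.34:25 (ESTABLISHED)
unknownd  777 bob     7u  IPv4 0x1a30      0t0  TCP 192.168.1.10:51002->198.51.100.35:25 (ESTABLISHED)
"""

# Ports used to hand mail to an SMTP server (plain, SMTPS, submission).
MAIL_PORTS = {25, 465, 587}


def parse_lsof(text):
    """Yield (command, pid, remote_host, remote_port) for each outbound TCP line.

    Columns are COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE];
    NAME is 'local->remote' for connected sockets, so listeners are skipped.
    """
    for line in text.splitlines()[1:]:  # drop the header row
        parts = line.split()
        if len(parts) < 9 or parts[7] != "TCP" or "->" not in parts[8]:
            continue
        remote = parts[8].split("->", 1)[1]
        host, port = remote.rsplit(":", 1)
        yield parts[0], int(parts[1]), host, int(port)


def smtp_fanout(text, allowlist=("Mail",), threshold=2):
    """Return {(command, pid): [distinct SMTP destinations]} for every process
    not on the allowlist that talks to mail ports on >= threshold distinct hosts.

    A real mail client talks to one or two servers; a spam bot talks to many.
    The allowlist and threshold are assumptions to tune for the machine at hand.
    """
    dests = defaultdict(set)
    for cmd, pid, host, port in parse_lsof(text):
        if port in MAIL_PORTS and cmd not in allowlist:
            dests[(cmd, pid)].add(host)
    return {k: sorted(v) for k, v in dests.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (cmd, pid), hosts in smtp_fanout(SAMPLE_LSOF).items():
        print(f"{cmd}[{pid}] -> {len(hosts)} SMTP destinations: {', '.join(hosts)}")
```

On a live machine, pipe the real output in (`lsof -nP -iTCP | python3 check.py` with a small read from stdin) and repeat the run a few times, since a bot's connections come and go between samples.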


----------



## DoubleHelix (Dec 10, 2004)

You have 4 computers. Are you the only person in the house? If not, how can you be 100% certain no one else turned on any of the Windows computers and connected them to the Internet? Do you or your family members have friends over? Do they bring computers?


----------



## Eagle2000 (Apr 23, 2011)

Thank you for the advice. I went ahead and installed Little Snitch. I am changing the WPA2 password.

I have a dumb question but am curious - I have a Roku video streaming device and a Wii that both utilize wireless. Could these devices obtain a botnet?

Thanks again for your help.


----------



## Eagle2000 (Apr 23, 2011)

DoubleHelix - There are no friends with computers or utilizing our computers. 1 of the computers is a laptop that was not utilized and stored in a laptop bag since Windows was reinstalled. The other 2 computers are desktop PCs that were at the computer repair shop.


----------



## DoubleHelix (Dec 10, 2004)

Did your ISP provide any specifics about this "botnet"? If they're simply assuming a botnet based on bandwidth consumption, then having both a Wii and a Roku on the network would explain that. Not sure about the Wii, but if you use the Roku a lot, you'll consume a significant amount of bandwidth.


----------



## Eagle2000 (Apr 23, 2011)

They only communicated that from my IP address there were large amounts of spam being sent, thus they concluded that I have a botnet. I am starting to question whether their information is accurate.

Also, would it be possible for someone to "spoof" my IP address?


----------

