ESTABLISHED web process??

melodysneed · August 28, 2011, 12:51pm

I put lsof -i -P -n into the terminal and this is the output. I believe i am being hacked??

lsof -i -P -n
COMMAND    PID        USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
SystemUIS 1578 melodysneed    9u  IPv4 0x07d608ec      0t0  UDP *:*
SystemUIS 1578 melodysneed   11u  IPv4 0x0ba68810      0t0  UDP *:*
WebProces 2141 melodysneed    7u  IPv4 0x0c550748      0t0  TCP 192.168.1.71:51015->74.125.67.17:443 (ESTABLISHED)
WebProces 2141 melodysneed   11u  IPv4 0x049f7ee8      0t0  TCP 192.168.1.71:50706->207.46.232.182:80 (ESTABLISHED)

frank_rizzo · August 28, 2011, 1:24pm

what don't you understand?

h112 · August 28, 2011, 1:56pm

Perhaps,
It seems that your machine has an active connection , with a remote host .
It seems to be https and http connections.
This doesn't mean your system has been compromised or has been hacked.
1- verify the process webProces what is and why it's running .
2- You can do some reverse DNS lookups , whois and blacklist checkups.
3- you can examine what type of data is passing thru this connection by sniffing traffic

melodysneed · August 28, 2011, 2:32pm

Well, I do not understand what these established connections are. I am connected to 2wire through ethernet. However I also ran ifconfig -a and these results also startled me. I am not a Pro by any means, however it looks like I have a lot of interfaces configured that I am not sure how they got that way. Ant insight would be GREATLY appreciated. Thanks in advance, Melody

ifconfig -a: 

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	inet 127.0.0.1 netmask 0xff000000 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
	lladdr 00:22:41:ff:fe:ed:c1:16 
	media: autoselect <full-duplex>
	status: inactive
en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
	ether 00:23:12:1b:c3:a8 
	media: autoselect (<unknown type>)
	status: inactive
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:22:41:34:81:7f 
	inet6 fe80::222:41ff:fe34:817f%en0 prefixlen 64 scopeid 0x6 
	inet 192.168.1.71 netmask 0xffffff00 broadcast 192.168.1.255
	media: autoselect (100baseTX <full-duplex>)
	status: active

melodysneed · August 28, 2011, 2:39pm

I ran ifconfig -a and these are my results. I am not a advanced Command line user, so any commands to trace these connections that you could pass on would be very useful. I am connected through ethernet and have my airport turned off. ????? CONFUSED
Here are the results of ifconfig -a:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	inet 127.0.0.1 netmask 0xff000000 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
	lladdr 00:22:41:ff:fe:ed:c1:16 
	media: autoselect <full-duplex>
	status: inactive
en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
	ether 00:23:12:1b:c3:a8 
	media: autoselect (<unknown type>)
	status: inactive
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:22:41:34:81:7f 
	inet6 fe80::222:41ff:fe34:817f%en0 prefixlen 64 scopeid 0x6 
	inet 192.168.1.71 netmask 0xffffff00 broadcast 192.168.1.255
	media: autoselect (100baseTX <full-duplex>)
	status: active

frank_rizzo · August 28, 2011, 2:55pm

looks like there is a open HTTP(web) connection to a mircosoft - Bing

and

a HTTP(SSL) connection to google.com

don't think you have to worry about them