Fairly certain I am being hacked by a government agency?

Oct 3, 2011 11:40AM PDT

Sorry, but I brought this question to a more pedestrian forum and only received responses like "why?". I am wondering if folks can give me an objective response. For a couple of months now my logs have been going crazy! New ones have been appearing out of nowhere and my comp is a shell of what it used to be. Any help would be diabolically appreciated.

For a couple of months now my log files, permissions, and windows server have been going crazy. The internet proxies are completely grayed out in preferences. I have been using Disk Warrior constantly to revert changes, but folder permissions just revert back to some bizarre scheme. Is it hammer to the hard drive?

Help would be GREATLY appreciated


Here is my netstat.

Really hard to read in this format!

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address         Foreign Address          (state)
tcp4       0      0  192.168.1.33.49780    74.125.226.186.http      ESTABLISHED
tcp4       0      0  192.168.1.33.49779    74.125.226.155.http      ESTABLISHED
tcp4       0      0  192.168.1.33.49730    unknown.scnet.ne.http    ESTABLISHED
tcp4       0      0  192.168.1.33.49683    server-216-137-3.http    ESTABLISHED
tcp4       0      0  192.168.1.33.49678    74.125.226.186.http      ESTABLISHED
tcp4       0      0  192.168.1.33.49666    a23-2-12-251.dep.http    ESTABLISHED
tcp4       0      0  localhost.ipp         *.*                      LISTEN
tcp6       0      0  localhost.ipp         *.*                      LISTEN
udp4       0      0  192.168.1.33.ntp      *.*
udp4       0      0  *.60138               *.*
udp4       0      0  *.56298               *.*
udp4       0      0  *.53613               *.*
udp4       0      0  *.58385               *.*
udp4       0      0  *.53342               *.*
udp4       0      0  *.56369               *.*
udp6       0      0  Falliable.ntp         *.*
udp4       0      0  *.*                   *.*
udp6       0      0  localhost.ntp         *.*
udp4       0      0  localhost.ntp         *.*
udp6       0      0  localhost.ntp         *.*
udp6       0      0  *.ntp                 *.*
udp4       0      0  *.ntp                 *.*
udp6       0      0  *.mdns                *.*
udp4       0      0  *.mdns                *.*
udp4       0      0  *.*                   *.*
udp4       0      0  *.*                   *.*
icm6       0      0  *.*                   *.*
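As an added example (not code from the original post), a small Python helper that parses the BSD-style netstat listing above and summarises what a responder checks first: which remote hosts the machine has established connections to, and which sockets are bound to something other than localhost and so are reachable from the network. The sample input is constructed from a subset of the lines in the post.

```python
from collections import Counter

# Constructed sample in the shape of the posted listing (a subset of its lines).
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.33.49780 74.125.226.186.http ESTABLISHED
tcp4 0 0 192.168.1.33.49779 74.125.226.155.http ESTABLISHED
tcp4 0 0 192.168.1.33.49730 unknown.scnet.ne.http ESTABLISHED
tcp4 0 0 localhost.ipp *.* LISTEN
tcp6 0 0 localhost.ipp *.* LISTEN
udp4 0 0 192.168.1.33.ntp *.*
udp4 0 0 *.60138 *.*
udp4 0 0 *.mdns *.*
"""

def split_endpoint(endpoint):
    """BSD netstat joins host and port with a dot: '192.168.1.33.49780' -> ('192.168.1.33', '49780')."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_netstat(text):
    """One dict per tcp/udp row; header, icmp and UNIX-domain rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, _recvq, _sendq, local, foreign = parts[:5]
        state = parts[5] if len(parts) > 5 else ""  # UDP rows have no state column
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": split_endpoint(foreign), "state": state})
    return rows

def triage(rows):
    """Count established peers by (host, port); list sockets bound beyond localhost."""
    peers = Counter()
    exposed = []
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers[r["foreign"]] += 1
        # A TCP LISTEN socket, or a UDP socket with a wildcard peer, awaits inbound traffic;
        # bound to '*' or a LAN address it is reachable from the network, localhost-only is not.
        waiting = r["state"] == "LISTEN" or (
            r["proto"].startswith("udp") and r["foreign"] == ("*", "*"))
        if waiting and r["local"][0] != "localhost":
            exposed.append((r["proto"], r["local"][1]))
    return {"peers": peers, "exposed": exposed}
```

Calling `triage(parse_netstat(SAMPLE))` on the posted lines reports only outbound port-80 peers and NTP/mDNS/ephemeral UDP sockets, which is the picture a reviewer compares against what the machine is expected to be running.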

Now tell us something about your network
Oct 3, 2011 9:55PM PDT

It's all in the details.

Also
Oct 3, 2011 10:28PM PDT

Also, why not tell us what you could POSSIBLY be doing that would attract the attention of a government agency, and make them resort to these kinds of methods as opposed to just getting a search warrant and seizing your computer.

It had nothing to do with it being a more "pedestrian" forum, it had everything to do with your basic thesis being deep in the dark wooded area that's past the nice little grassy area that is beyond the parking lot which is on the other side of left field. If a government agency had ANY interest in what you were doing, the odds of them "hacking" into your computer would be pretty much none if we're dealing with any western nation. They would just come along, take your entire computer and anything else they thought might be necessary, and that would be that. Generally speaking, police agencies aren't allowed to break the law in order to uphold the law.

Then there's the fact that "hacking" someone's computer isn't quite as easy as it seems from TV and movies. It's a bit more than just hitting a few keys and boom, you're in.

Finally we arrive at what's often known as Occam's Razor which says that given two possibilities, the simpler one is usually correct. So, we have some government agency hacking your computer vs say a failing HDD or any number of possibilities which are infinitely more plausible.

to be exact,
Oct 4, 2011 1:22AM PDT

Occam's razor is like this (from Wiki): when faced with competing hypotheses that are equal in other respects, it is recommended to select the one that makes the fewest new assumptions. So, the possibilities must first be equal...

Which can be loosely summarized
Oct 4, 2011 10:34AM PDT

Which can be loosely summarized as: choose the simplest answer.

No matter how you look at it, which seems more likely? A failing HDD or some government agency taking some kind of interest in a random person?

I of course have to operate on the assumption that the OP hasn't done anything that should draw the attention of any government agencies. Like being a known associate of a wanted criminal, being suspected of being some sort of criminal, or lately in the US it seems, simply being Muslim.

If the OP were part of some software piracy ring, or had ties to a drug cartel, that might be another story, but I can't assume that. In fact, I would assume that anyone involved in any such operations would be smart enough to not do a dumb thing like come to a public forum and ask whether some government agency is spying on them.

No, I'm afraid we're dealing with a card-carrying member of the tinfoil hat brigade. Quite possibly someone who's starting to manifest paranoid schizophrenia, or is undiagnosed/off their meds. That is a far more likely proposition than some government agency "hacking" someone's computer. I will at least offer the caveat that there is a possibility there is additional information the OP has elected not to share, but the number of mental leaps it would take to get to assuming a government agency is behind things, given the apparent lack of analytical skill in this field by the OP, is probably going to support my hypothesis a lot more than the OP's. It is possible I'm wrong, just highly unlikely.

Good logic!
Oct 4, 2011 11:26AM PDT

Maybe it is a joke... Seriously, Sophos is involved, but it could only mean that it is active. Other things look pretty innocent (similar to what I have). This said, the computer should probably not be slow, unresponsive, with proxies grayed out, etc. just because of this. I think the first thing to do (since Disk Warrior was applied regularly and did not help for long) is to back up all critical data NOW. Then I would try to reinstall system software, maybe just a combo update. If this does not help (quite possible), I would agree with your diagnosis of failing hardware.

Personally, I think we should just ignore this
Oct 4, 2011 9:55PM PDT

as the OP has not felt it necessary to reply to the first question they were asked.