
In regard to fake mDNS, this malware creates duplicates. So you will have two mDNS or two Chrome and it switches around. On the second mDNS is where I found the IP I listed. Hope it helps.


As has already been stated, what you are describing has nothing to do with DNS hijacking or the OSX/MaMi malware, which is hard-coded to use IP addresses 82.163.143.135 & 82.163.142.137. It would have been better to have started a new topic, or better yet taken it to a more appropriate forum, since I've seen no connection to Malwarebytes in anything you've outlined.

Personally, I don't think this is really the right place to be discussing such things, especially if you suspect the user has been subjected to identity theft or other illegal cyber activity. The computer should be turned off now and law enforcement contacted so that the computer can be examined by certified forensic personnel.

184.105.247.203 belongs to Hurricane Electric, Inc., a well-known Internet Service Provider since 1994 which is the world's largest provider of IPv6 services and over the years has been used by most ISPs that were initially unable to provide such services themselves. It's totally unremarkable for mDNSResponder to be contacting one of their servers to translate an IPv6 address and highly unlikely to be involved in the type of activity you outlined.

The damage you have described could only be accomplished by physical access to the computer itself or shared access approved by the user. It is not known to be possible to access a Mac drive over the Internet or from the local network without explicitly granting permission.

One possibility would be if Back To My Mac has been enabled and the login credentials (userID and password) compromised or guessed.
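The post above notes that OSX/MaMi hard-codes the resolver addresses 82.163.143.135 and 82.163.142.137. As an added example (not from this thread or from Malwarebytes), here is a small POSIX shell check that reads `scutil --dns` style output and flags any nameserver entry pointing at those addresses; the sample resolver listings below are constructed so the check runs anywhere, and the `nameserver[N] : a.b.c.d` line format is assumed from `scutil --dns` output.

```shell
#!/bin/sh
# Added example: flag resolver entries that match the OSX/MaMi resolver
# addresses quoted in the thread. On a Mac, run as:
#   scutil --dns | check_mami_resolvers
# Here it is driven by constructed sample output instead.

MAMI_RESOLVERS="82.163.143.135 82.163.142.137"

# Reads `scutil --dns` style text on stdin; prints every nameserver line whose
# address is a known MaMi resolver. Returns 0 if any matched, 1 if none did.
check_mami_resolvers() {
  found=1
  while IFS= read -r line; do
    case "$line" in
      *nameserver\[*\]*) ;;   # only consider "nameserver[N] : a.b.c.d" lines
      *) continue ;;
    esac
    ip=${line##*: }           # address after the last ": "
    for bad in $MAMI_RESOLVERS; do
      if [ "$ip" = "$bad" ]; then
        printf 'MaMi resolver found: %s\n' "$line"
        found=0
      fi
    done
  done
  return $found
}

# Constructed sample: an ordinary router resolver config.
CLEAN_SAMPLE='resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.1.2'

# Constructed sample: resolvers rewritten to the MaMi addresses from the thread.
HIJACKED_SAMPLE='resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137'

# Stand-alone demo: report on the hijacked sample.
printf '%s\n' "$HIJACKED_SAMPLE" | check_mami_resolvers
```

A clean configuration produces no output and a non-zero exit status, which makes the function usable from a scheduled health-check script.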


The IP address above belongs to Hurricane Electric LLC - Fremont CA. This is a known good company so far as I know. I have known of them for at least 5 years. I used to use them for an IPv4 to IPv6 connector.

If you are having issues with that IP address... contact them.

OrgAbuseHandle: ABUSE1036-ARIN
OrgAbuseName:   Abuse Department
OrgAbusePhone:  +1-510-580-4100
OrgAbuseEmail:  abuse@he.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE1036-ARIN
