Strange error message in OSX, in light of other events, makes me worried about remote access to my computer.
January 10, 2010 12:07 PM Subscribe
Strange error message in OSX, in light of other events, makes me worried about remote access to my computer.
I'm using Leopard on a MacBook Pro.
Chronology of events (please forgive irrelevant detail / ask me for missing detail):
1. I was signed into a public wifi network named after somebody's house that I sometimes use; not sure who owns it. Although the network almost always has a strong signal, it works for me only sometimes; other times, I connect and although the signal is strong, I can't load any websites or use any programs that connect to the net. But this time, I was able to get on easily.
2. After a short time using the internet, the mouse pointer moved choppily an inch or two across the screen while I wasn't touching the touchpad. This worried me a bit, because I was pretty sure my hands weren't near the touchpad, but I ultimately decided to ignore it, because I figured I could have touched it accidentally.
3. Then, Finder switched Spaces spontaneously. I think I had closed a window immediately before this happened. Again, I ignored this, because in the past I've encountered a context that makes Finder switch Spaces seemingly spontaneously.
4. But, even though I had "ignored" those things, I was a little creeped out by them, so I decided to get offline for the present. I disconnected from the network, "forgot" it in Network Preferences, and left the computer unconnected while I went off to do something else.
5. When I returned, there was a strange and worrying error message on the screen. I took a screenshot, so I can describe it exactly. There was the exclamation point in a yellow triangle that signifies an error on the left, and it read:
Server connection interrupted:
Config
There was a button on it that read "Disconnect". There was no title on the bar at the top of the message window (which was thinner than that of an ordinary window), and when I clicked on it to select it, it seemed to be part of Finder (when it was selected, the Finder menu bar was active at the top of the screen).
6. I clicked "Disconnect," and nothing visibly happened.
The worrying thing to me is that I don't believe I had any programs open, like a torrent program or calendar program or something, that could plausibly explain the error message in (5) -- the fact that it was part of Finder also worried me, because why would Finder be connected to some kind of server? In light of (2) and (3) (the choppiness of the mouse movement in (2) is especially worrying), it seems like it could be something to do with someone connecting to my computer. I do have remote access and all that stuff turned off in my preferences.
Can anyone help explain this or make suggestions for what I should do?
I'm using Leopard on a MacBook Pro.
Chronology of events (please forgive irrelevant detail / ask me for missing detail):
1. I was signed into a public wifi network named after somebody's house that I sometimes use; not sure who owns it. Although the network almost always has a strong signal, it works for me only sometimes; other times, I connect and although the signal is strong, I can't load any websites or use any programs that connect to the net. But this time, I was able to get on easily.
2. After a short time using the internet, the mouse pointer moved choppily an inch or two across the screen while I wasn't touching the touchpad. This worried me a bit, because I was pretty sure my hands weren't near the touchpad, but I ultimately decided to ignore it, because I figured I could have touched it accidentally.
3. Then, Finder switched Spaces spontaneously. I think I had closed a window immediately before this happened. Again, I ignored this, because in the past I've encountered a context that makes Finder switch Spaces seemingly spontaneously.
4. But, even though I had "ignored" those things, I was a little creeped out by them, so I decided to get offline for the present. I disconnected from the network, "forgot" it in Network Preferences, and left the computer unconnected while I went off to do something else.
5. When I returned, there was a strange and worrying error message on the screen. I took a screenshot, so I can describe it exactly. There was the exclamation point in a yellow triangle that signifies an error on the left, and it read:
Server connection interrupted:
Config
There was a button on it that read "Disconnect". There was no title on the bar at the top of the message window (which was thinner than that of an ordinary window), and when I clicked on it to select it, it seemed to be part of Finder (when it was selected, the Finder menu bar was active at the top of the screen).
6. I clicked "Disconnect," and nothing visibly happened.
The worrying thing to me is that I don't believe I had any programs open, like a torrent program or calendar program or something, that could plausibly explain the error message in (5) -- the fact that it was part of Finder also worried me, because why would Finder be connected to some kind of server? In light of (2) and (3) (the choppiness of the mouse movement in (2) is especially worrying), it seems like it could be something to do with someone connecting to my computer. I do have remote access and all that stuff turned off in my preferences.
Can anyone help explain this or make suggestions for what I should do?
That error sounds like the one you get when you were connected to an SMB share and lost connectivity, happens to me all the time. I wouldn't worry about it.
You should probably check Activity Monitor for anything strange, also check the Sharing PrefPane to see if Remote Management/Login are enabled.
posted by wongcorgi at 12:24 PM on January 10, 2010
You should probably check Activity Monitor for anything strange, also check the Sharing PrefPane to see if Remote Management/Login are enabled.
posted by wongcorgi at 12:24 PM on January 10, 2010
I just connected to a remote file server and then shut off my Airport. The finder sidebar didn't give any apparent indication that the connection had changed, for 1-2 minutes. Then I clicked the expand-triangle on of the the displayed folders on that server. It took another 30 seconds or so but then I got a "Server connections interrupted" dialog with no title-text, naming that remote connection, and offering Ignore and Disconnect All buttons. The Disconnect All button dismissed the dialog, unmounted (ejected) the remote disk (its desktop icon disappeared and an appropriate Growl message popped up), and updated the Finder sidebar by removing the remote connection's name from the Devices section.
There are some slight differences to what you described but I'm running Snow Leopard so I'm guessing that, from the appearance of the dialog onward, what you saw was benign, and normal system response to pulling the plug on your net connection. I don't have anything to propose for the behaviors in 2) or 3), nor what remote connection you might have had open over it. Were you connected to another machine's desktop or file system (even on on your own network), f/ex? Streaming?
posted by TruncatedTiller at 12:48 PM on January 10, 2010
There are some slight differences to what you described but I'm running Snow Leopard so I'm guessing that, from the appearance of the dialog onward, what you saw was benign, and normal system response to pulling the plug on your net connection. I don't have anything to propose for the behaviors in 2) or 3), nor what remote connection you might have had open over it. Were you connected to another machine's desktop or file system (even on on your own network), f/ex? Streaming?
posted by TruncatedTiller at 12:48 PM on January 10, 2010
Nthing checking your own password, or the password on any other accounts on your Mac, so they are not easy or blank.
Do you have a Guest account enabled? Even with sharing off, that might give an attacker enough of a foodhold to find the name of another account.
Do you have a MobileMe account? BackToMyMac is a feature in MobileMe that may have been compromised.
Did you install anything recently? While most Mac apps are safe, there's a documented, pirated version of iLife with a trojan inside it on the web, as well as a media player / codec that some sites will try to pass as required to view videos.
The mouse & keypad activity can be chalked up to a bad physical connection inside (It's happened to me once or twice), or something damp on the trackpad, etc. But those combined with the server - and the name "config" - are a bit too coincidental for me.
I would clone your Hard Drive to an external drive, boot from a CD or such, and see if you can run a scanning utility against the boot drive. I don't know of any offhand (I haven't run into this myself yet, fortunately), but the Mac forums might be able to help.
Alternatively, if you haven't migrated to Snow Leopard yet, this might be a good excuse to nuke & rebuild. ;-)
posted by GJSchaller at 2:02 PM on January 10, 2010
Do you have a Guest account enabled? Even with sharing off, that might give an attacker enough of a foodhold to find the name of another account.
Do you have a MobileMe account? BackToMyMac is a feature in MobileMe that may have been compromised.
Did you install anything recently? While most Mac apps are safe, there's a documented, pirated version of iLife with a trojan inside it on the web, as well as a media player / codec that some sites will try to pass as required to view videos.
The mouse & keypad activity can be chalked up to a bad physical connection inside (It's happened to me once or twice), or something damp on the trackpad, etc. But those combined with the server - and the name "config" - are a bit too coincidental for me.
I would clone your Hard Drive to an external drive, boot from a CD or such, and see if you can run a scanning utility against the boot drive. I don't know of any offhand (I haven't run into this myself yet, fortunately), but the Mac forums might be able to help.
Alternatively, if you haven't migrated to Snow Leopard yet, this might be a good excuse to nuke & rebuild. ;-)
posted by GJSchaller at 2:02 PM on January 10, 2010
Is remote access installed and enabled on your computer..?
posted by HuronBob at 3:31 PM on January 10, 2010
posted by HuronBob at 3:31 PM on January 10, 2010
Response by poster: Thanks for the advice, everyone!
- I actually think I may have connected to something on the public network I was using to get online. So the benign explanation given in the first three comments is sounding pretty plausible.
- As I wrote in my post, remote access is disabled. Everything else in the Sharing area of System Preferences is disabled as well.
- My account password is somewhat complicated -- at least not simple. But it's the same as the password for several of my online accounts, so maybe it could have been discovered by someone whose public wifi network I was using?
- I don't have a Guest account enabled.
- I did install stuff recently, but I don't remember exactly what. Not a pirated version of iLife.
GJSchaller, what do you think about the explanation given in the first three comments?
posted by electric water kettle at 5:26 PM on January 10, 2010
- I actually think I may have connected to something on the public network I was using to get online. So the benign explanation given in the first three comments is sounding pretty plausible.
- As I wrote in my post, remote access is disabled. Everything else in the Sharing area of System Preferences is disabled as well.
- My account password is somewhat complicated -- at least not simple. But it's the same as the password for several of my online accounts, so maybe it could have been discovered by someone whose public wifi network I was using?
- I don't have a Guest account enabled.
- I did install stuff recently, but I don't remember exactly what. Not a pirated version of iLife.
GJSchaller, what do you think about the explanation given in the first three comments?
posted by electric water kettle at 5:26 PM on January 10, 2010
This thread is closed to new comments.
It's possible that you accidentally clicked somebody's computer in the sidebar- that can make the Finder mount their shared folder sometimes, and if they suddenly close their computer or leave the network, you'll get that dialog.
Mounting or unmounting network shares won't give an attacker access to your computer. It's like plugging in or unplugging a flash drive. If you have remote access turned off in System Preferences, I wouldn't worry about it.
posted by aaronbeekay at 12:21 PM on January 10, 2010