I found this "text portion" with the executable "route" in my iMac's sbin folder. It appears to be an attempt to change my routing tables and network interface, but I'm not familiar enough with code to know for certain. If anyone can offer some knowledge about this system file it would be greatly appreciated. I just need to know if this is "stock" from Apple or if it is indeed some sort of intrusion before I spend over a grand on a forensic specialist. Again, any thoughts would be truly appreciated. Here's the text (or binaries?), located within that folder:
```
addblackholechangecloningdeletedstexpireflushgatewaygenmaskgethosthopcountifaceinterfaceifaifpinetinet6isolinkllinfolocklockrestmaskmonitormtunetnetmasknostaticosiprefixlenproto1proto2recvpiperejectrttrttvarsasendpipessthreshstaticx25xnsxresolveifscopebad keyword: %susage: route [-dnqtv] command [[modifiers] args]
nqdtv/dev/nullsocketmust be root to alter routing tableroute-sysctl-estimatemalloc failedroute-sysctl-getwrite to routing socketgot only %d for rlen
%-20.20s default%u.%u.%u.%uinvalid(%d) %x%u%u.%u%u.%u.%uaf %d:bad interface nameinvalid mask: %s%s %s %s: gateway %s (%s): %s
getifaddrsinternal error%s: %s
bad address: %sprefixlen not supported in this af
%s: bad value
actual retrieval of interface table
got message of size %d on %suwriting to routing socket: %sread from routing socketRTM_ADD: Add RouteRTM_DELETE: Delete RouteRTM_CHANGE: Change Metrics or flagsRTM_GET: Report MetricsRTM_LOSING: Kernel Suspects PartitioningRTM_REDIRECT: Told to use different routeRTM_MISS: Lookup failed on this addressRTM_LOCK: fix specified metricsRTM_OLDADD: caused by SIOCADDRTRTM_OLDDEL: caused by SIOCDELRTRTM_RESOLVE: Route created by cloningRTM_NEWADDR: address being added to ifaceRTM_DELADDR: address being removed from ifaceRTM_IFINFO: iface status changeRTM_NEWMADDR: new multicast group membership on ifaceRTM_DELMADDR: multicast group membership removed from ifacerouting message version %d not understood
%s: len %d, if# %d, flags:metric %d, flags:pid: %ld, seq %d, errno %d, ifscope %d, ifref, flags: route to: %s
routing message version %d not understoodmessage length mismatch, in packet %d, returned %dmessage indicates error %ddestination: %s
mask: %s
gateway: %s
interface: %.*s
flags:
%s
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire%8u%c %8d%c
sockaddrs:
locks: inits:
sockaddrs: %s%s: link %s; %s: inet %s; 064128not in tableentry in userouting table overflowdoneExamining routing table from sysctl00—Xa
ºHH3HTG,!
¿£„„Î"ù#%€(G)*≈*+\+!ú4¶4∞4∫4ƒ4Œ4ÿ4‚4Ï4ˆ45
555(525<5F5P5Z5d5n5x5Ç5å5ñ5†5™5¥5æ5»5“5‹5Ê55˙5666"6,666@6J6T6^6h6r6|6Ü6ê6ö6§6Æ6∏6¬6Ã6÷6‡6Í6Ù677777$7(7/757 =7
E7
I7N7
W7]7g7k7o7t7z7~7É7ä7è7ò7ù7•7©7≠7µ7æ7¬7 Ã7!”7"⁄7#„7$Í7%Ó7&ı7'¯7(8)
8*8+8,8-"8.(?y:å:•:…:·:
;4;\;|;ú;º;‚;<:<Z<ê< pksentrttvarrttssthreshsendpiperecvpipeexpirehopcountmtuUPGATEWAYHOSTREJECTDYNAMICMODIFIEDDONEDELCLONE CLONING
XRESOLVE
LLINFOSTATIC
BLACKHOLEb016PROTO2PROTO1PRCLONINGWASCLONEDPROTO3b024PINNEDLOCALBROADCASTMULTICASTIFSCOPECONDEMNEDIFREFPROXYROUTERUPBROADCASTDEBUGLOOPBACKPTPb6RUNNINGNOARP PPROMISC
ALLMULTI
OACTIVESIMPLEX
LINK0LINK1LINK2MULTICASTDSTGATEWAYNETMASKGENMASKIFPIFAAUTHORBRD"0`=AÄ-p(`@___stack_chk_guardQrê@___stderrpê@___stdoutpê@_optindê@dyld_stub_binderÄ–ˇˇˇˇˇˇˇˇêr0@___bzeroêr8@___errorêr@@___memcpy_chkêrH@___memmove_chkêrP@___snprintf_chkêrX@___stack_chk_failêr`@___strlcpy_chkêrh@_atoiêrp@_bcopyêrx@_ctimeêrÄ@_errêrà@_errxêrê@_exitêrò@_fflushêr†@_fprintfêr®@_freeaddrinfoêr∞@_freeifaddrsêr∏@_fwriteêr¿@_gai_strerrorêr»@_getaddrinfoêr–@_geteuidêrÿ@_gethostbyaddrêr‡@_gethostbynameêrË@_gethostnameêr@_getifaddrsêr¯@_getnameinfoêrÄ@_getnetbyaddrêrà@_getnetbynameêrê@_getoptêrò@_getpidêr†@_if_nametoindexêr®@_indexêr∞@_inet_addrêr∏@_inet_lnaofêr¿@_inet_networkêr»@_inet_ntoaêr–@_link_addrêrÿ@_link_ntoaêr‡@_mallocêrË@_memcpyêr@_memsetêr¯@_openêrÄ@_printfêrà@_putcêrê@_putcharêrò@_putsêr†@_readêr®@_setuidêr∞@_shutdownêr∏@_socketêr¿@_strchrêr»@_strcmpêr–@_strerrorêrÿ@_strlenêr‡@_strncpyêrË@_strtoulêr@_sysctlêr¯@_timeêrÄ@_warnêrà@_warnxêrê@_writeê__mh_execute_headerº
GÂÎñÙ˚§„ëØÄé˙≤Ôœl‘™;\˙fiµ<BEa!*8GWi|áí°ßƵ∫¿∆Œ◊ÂÚ˙-<IUbp~Üéû•∞º ’‡ÎÛ˚ (.4<FNV^hpyÇäêñù§
!"#$%&’()*+,-.0123456789:;<=>?@ABC@
/
!"#$%&’()*+,-.0123456789:;<=>?@AB__mh_execute_header___bzero___error___memcpy_chk___memmove_chk___snprintf_chk___stack_chk_fail___stack_chk_guard___stderrp___stdoutp___strlcpy_chk_atoi_bcopy_ctime_err_errx_exit_fflush_fprintf_freeaddrinfo_freeifaddrs_fwrite_gai_strerror_getaddrinfo_geteuid_gethostbyaddr_gethostbyname_gethostname_getifaddrs_getnameinfo_getnetbyaddr_getnetbyname_getopt_getpid_if_nametoindex_index_inet_addr_inet_lnaof_inet_network_inet_ntoa_link_addr_link_ntoa_malloc_memcpy_memset_open_optind_printf_putc_putchar_puts_read_setuid_shutdown_socket_strchr_strcmp_strerror_strlen_strncpy_strtoul_sysctl_time_warn_warnx_writedyld_stub_binderradr://5614542˙fi¿M$D˙fi‡h0]‡com.apple.route
I'm not too familiar with Macs or anything, but I did some checking and it seems like a way to block IPs. Check this link from the FreeBSD Forum.
Thanks for your reply. Forgive me, but can you be a bit more specific? Is this something that would have been done manually?
From what I was reading it sounds like it's built into Mac and FreeBSD, which I believe is what Mac OS is built on. When I checked on Google, most of what I saw said it was set up to block groups of IP addresses. I am not really experienced with the Mac OS though. I would get in touch with Mac customer support if you want a definite answer.
Sorry I couldn't be of any more assistance.
Oh no, I appreciate your replies. I've been trying to work through the AppleCare maze but haven't gotten too far. I'll keep trying. Do you happen to know of any other forums that might be able to help? I don't think I'll ever be able to get my hands on Apple source code to compare this to; anything you can think of would be appreciated.
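Editor's note with an added example (not from any of the posts above, and not Apple's code). The dump in the first post is what strings(1) prints for a Mach-O executable: the `usage: route [-dnqtv] command [[modifiers] args]` line, the `RTM_ADD: Add Route` ... `RTM_DELMADDR` routing-socket message descriptions, the flag names (`UP`, `GATEWAY`, `HOST`, `CLONING`, ...), the libc imports (`_sysctl`, `_getifaddrs`, `_socket`), and the signing identifier `com.apple.route` are all what the BSD `route` utility carries; Apple publishes that source in the `network_cmds` project on opensource.apple.com. A strings dump on its own cannot prove the file is unmodified, though, because a trojaned copy can keep every original string. The check that actually answers the question is the code signature: `codesign --verify --verbose /sbin/route` must report `valid on disk`, and `codesign -dv --verbose=4 /sbin/route` should show `Identifier=com.apple.route` with an `Authority=` chain ending in `Apple Root CA` (on macOS 11 and later `/sbin` also sits on the sealed, read-only system volume). The script below reproduces the strings extraction portably, checks for the route(8) markers seen in the dump, flags strings that have no business in route(8), and runs codesign when it is available. The marker list, the "suspicious" regex and the sample inputs in the usage are my assumptions for illustration.

```shell
#!/bin/sh
# Added triage helper for the thread above; not Apple's code and not from
# the original posts. Reproduces strings(1), checks for markers an Apple-built
# route(8) carries (all of them appear in the dump), flags strings that would
# be out of place in route(8), and verifies the code signature on macOS.

# Keep runs of at least 6 printable ASCII bytes, like `strings -n 6`.
# LC_ALL=C stops tr/grep from rejecting bytes that are not valid UTF-8.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '^.{6,}$' || true
}

# Markers copied from the dump in the first post: the usage line, one
# routing-socket message description, the root check, and the signing id.
check_route_markers() {
    s=$(extract_strings "$1")
    for m in 'usage: route [-dnqtv] command' \
             'RTM_ADD: Add Route' \
             'must be root to alter routing table' \
             'com.apple.route'; do
        case "$s" in
            *"$m"*) ;;
            *) echo "missing marker: $m" >&2; return 1 ;;
        esac
    done
    return 0
}

# Strings route(8) has no reason to contain: URLs, literal IP addresses,
# shell paths, /tmp paths, downloader names (assumed list). A hit deserves a
# closer look; no hit proves nothing, since a trojan can keep the old strings.
suspicious_strings() {
    extract_strings "$1" \
      | LC_ALL=C grep -E -i 'https?://|ftp://|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|/bin/(ba)?sh|/tmp/|curl|wget' \
      || true
}

# macOS only. A stock binary reports Identifier=com.apple.route and an
# Authority chain ending in "Apple Root CA"; --verify prints "valid on disk".
verify_signature() {
    if command -v codesign >/dev/null 2>&1; then
        codesign --verify --verbose=2 "$1" && \
        codesign -dv --verbose=4 "$1" 2>&1 | grep -E '^(Identifier|Authority|TeamIdentifier)='
    else
        echo "codesign not found; signature check skipped (not macOS)" >&2
        return 2
    fi
}

# Usage: sh route_triage.sh /sbin/route
if [ -n "$1" ]; then
    check_route_markers "$1" && echo "route(8) markers present"
    hits=$(suspicious_strings "$1")
    [ -n "$hits" ] && printf 'suspicious strings:\n%s\n' "$hits"
    verify_signature "$1"
fi
```

Run it as `sh route_triage.sh /sbin/route` on the machine in question. If the markers are present, nothing suspicious is listed, and codesign reports a valid Apple signature, the file is the one Apple shipped; if codesign fails or the authority chain is not Apple's, that is the point at which paying for forensics makes sense.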