
immobilus (macrumors member, Original poster, May 5, 2012):
Hello:

My Mac has been running extremely slow, and I noticed the lights on my router have been blinking like crazy (lots of network activity). I downloaded Nmap for Mac, and the findings were interesting.

Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-25 09:09 MST
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 09:09
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 09:09, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:09
Completed Parallel DNS resolution of 1 host. at 09:09, 0.05s elapsed
Initiating SYN Stealth Scan at 09:09
Scanning 192.168.0.1 [65535 ports]
Discovered open port 80/tcp on 192.168.0.1
Discovered open port 23/tcp on 192.168.0.1
Discovered open port 53/tcp on 192.168.0.1
Discovered open port 443/tcp on 192.168.0.1
SYN Stealth Scan Timing: About 45.41% done; ETC: 09:10 (0:00:37 remaining)
Discovered open port 52869/tcp on 192.168.0.1
Discovered open port 52900/tcp on 192.168.0.1
Discovered open port 1111/tcp on 192.168.0.1
Completed SYN Stealth Scan at 09:10, 67.58s elapsed (65535 total ports)
Initiating Service scan at 09:10
Scanning 7 services on 192.168.0.1
Completed Service scan at 09:11, 21.21s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.1
NSE: Script scanning 192.168.0.1.
Initiating NSE at 09:11
Completed NSE at 09:11, 16.32s elapsed
Nmap scan report for 192.168.0.1
Host is up (0.0039s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet BusyBox telnetd
53/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
80/tcp open http i3 micro or Linksys SPA400 VoIP gateway http config
|_http-title: Qwest Modem Configurator
443/tcp open ssl/http thttpd
|_sslv2: server still supports SSLv2
|_http-title: Qwest Modem Configurator
| ssl-cert: Subject: commonName=threefigs/organizationName=Actiontec/stateOrProvinceName=CA/countryName=US
| Issuer: commonName=Steven/organizationName=Actiontec/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2006-08-31 02:59:16
| Not valid after: 2022-02-18 02:59:16
| MD5: 6c65 6329 a6c4 6ab1 9c6b ab8e 2959 5a15
|_SHA-1: c191 8256 a80e 78dc bbea b48d 575e 2afb 86a3 ab71
1111/tcp open telnet BusyBox telnetd
52869/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
52900/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
MAC Address: 00:24:7B:27:19:34 (Actiontec Electronics)
Device type: general purpose
Running: MontaVista Linux 2.4.X
OS CPE: cpe:/o:montavista:linux:2.4
OS details: MontaVista embedded Linux 2.4.17
Uptime guess: 0.995 days (since Wed Oct 24 09:18:36 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=203 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; Device: VoIP adapter; CPE: cpe:/o:linux:kernel

TRACEROUTE
HOP RTT ADDRESS
1 3.86 ms 192.168.0.1

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.27 seconds
Raw packets sent: 66909 (2.945MB) | Rcvd: 65833 (2.650MB)

It found a telnet process (which does not appear in Activity Monitor and which closed itself as I began typing this), when telnet was not opened. I noticed one of the protocols is voice over IP. I've had two strange processes open, and one is listed as VDCAssistant. The other I can't remember the name of and disappeared as I was typing this.

I did a Port Scan with Network Utility and got the following information:


Port Scan has started…

Port Scanning host: 192.168.0.1

Open TCP Port: 23 telnet
Open TCP Port: 53 domain
Open TCP Port: 80 http
Open TCP Port: 443 https
Open TCP Port: 1111 lmsocialserver
Open TCP Port: 52869
Open TCP Port: 52900
Port Scan has completed…


The Actiontec modem is mine, but there shouldn't be any telnet or Linux boxes running, e.g. "MontaVista Linux." I understand lmsocialserver is a remote access trojan, but I believe it only works on Windows. ClamAV did not alert to it.

Lastly, I've had unknown devices connected to my router. The MAC addresses trace to Akamai in Phoenix (strange because I live in Tucson).

unknown   192.168.0.4   10:9a:dd:9d:95:9b   (Unavailable)
unknown   192.168.0.3   00:e0:91:d2:10:a9   (Unavailable)


Does this sound like my Mac is being hacked? What should I do, and how can I tell who it is? Also, how do I close connections on the devices that are connected to my router?

Thanks!
50548 (Guest, Apr 17, 2005, currently in Switzerland):
I can't really tell; but for all it's worth, Apple uses Akamai servers extensively in order to serve software updates - I don't think hacking activities would originate from Akamai servers...not to mention that the chances of having your Mac hacked are close to zero (unless you have downloaded pirated stuff from shady sites or were a victim of social engineering attacks).
immobilus (macrumors member, Original poster, May 5, 2012):
I can't really tell; but for all it's worth, Apple uses Akamai servers extensively in order to serve software updates - I don't think hacking activities would originate from Akamai servers...not to mention that the chances of having your Mac hacked are close to zero (unless you have downloaded pirated stuff from shady sites or were a victim of social engineering attacks).

I plead the fifth there...

Thanks for the response though...

Anyone else have an idea?
robgendreau (macrumors 68040, Jul 13, 2008):
The Linux box is your Actiontec. And some of that communication may be your "Linux box," as it should be.
mrapplegate (macrumors 68030, Feb 26, 2011, Cincinnati, OH):
Most modems run Linux and it appears your modem is running it:
MAC Address: 00:24:7B:27:19:34 (Actiontec Electronics)
Device type: general purpose
Running: MontaVista Linux 2.4.X

BusyBox appears to be using the telnet.
I'm not seeing any problems here, but that's just my opinion.
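As an added illustration, not written by any poster in this thread, here is a small Python parser that reads nmap's normal text output (the host section of the nmap 6.01 report posted above, copied in as a constructed sample) and pulls out what the replies point at: every open port belongs to the one-hop host whose MAC vendor is Actiontec Electronics, i.e. the modem itself, and the services worth fixing on it are the two BusyBox telnet listeners, the UPnP endpoints, SSLv2 on 443 and the 1024-bit certificate key. The `assess` rules are my own choices, not something nmap reports.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the per-host section of the nmap 6.01 report from the
# original post, with nmap's column padding collapsed as it appears on the page.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.0.1
Host is up (0.0039s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet BusyBox telnetd
53/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
80/tcp open http i3 micro or Linksys SPA400 VoIP gateway http config
|_http-title: Qwest Modem Configurator
443/tcp open ssl/http thttpd
|_sslv2: server still supports SSLv2
|_http-title: Qwest Modem Configurator
| ssl-cert: Subject: commonName=threefigs/organizationName=Actiontec/stateOrProvinceName=CA/countryName=US
| Issuer: commonName=Steven/organizationName=Actiontec/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2006-08-31 02:59:16
| Not valid after: 2022-02-18 02:59:16
1111/tcp open telnet BusyBox telnetd
52869/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
52900/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.4.17_mvl21-malta-mips_fp_le; UPnP 1.0)
MAC Address: 00:24:7B:27:19:34 (Actiontec Electronics)
Device type: general purpose
Running: MontaVista Linux 2.4.X
Network Distance: 1 hop
"""


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str      # nmap's SERVICE column (name from version probe, else nmap-services guess)
    version: str      # nmap's VERSION column, filled in by -sV
    scripts: List[str] = field(default_factory=list)   # NSE lines printed under this port


@dataclass
class Host:
    address: str
    mac: str = ""
    vendor: str = ""
    os: str = ""
    distance: Optional[int] = None
    ports: List[Port] = field(default_factory=list)


PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
MAC_RE = re.compile(r"^MAC Address: (\S+) \((.*)\)$")


def parse_report(text: str) -> Optional[Host]:
    """Turn the normal-output text for one scanned host into a Host record."""
    host: Optional[Host] = None
    current: Optional[Port] = None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            host = Host(address=line.split()[-1].strip("()"))
            current = None
            continue
        if host is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip())
            host.ports.append(current)
        elif line.startswith("|") and current is not None:
            # "|_sslv2: ..." and "| Public Key bits: ..." belong to the port above them
            current.scripts.append(line.lstrip("|_ ").strip())
        elif line.startswith("MAC Address: "):
            mm = MAC_RE.match(line)
            if mm:
                host.mac, host.vendor = mm.group(1), mm.group(2)
        elif line.startswith("Running: "):
            host.os = line[len("Running: "):].strip()
        elif line.startswith("Network Distance: "):
            host.distance = int(line.split()[2])
    return host


def telnet_ports(host: Host) -> List[int]:
    """Ports where the version probe identified a telnet daemon, whatever the port number."""
    return [p.number for p in host.ports if p.service == "telnet" or "telnetd" in p.version]


def summarize(host: Host) -> str:
    """One line answering 'whose box is this?': distance, MAC vendor, OS guess, web UI title."""
    titles = {s[len("http-title: "):] for p in host.ports for s in p.scripts if s.startswith("http-title: ")}
    hops = "unknown distance" if host.distance is None else f"{host.distance} hop(s) away"
    return (f"{host.address} is {hops}, MAC {host.mac} ({host.vendor or 'unknown vendor'}), "
            f"running {host.os or 'unknown OS'}; web UI title(s): {', '.join(sorted(titles)) or 'none'}")


def assess(host: Host) -> List[str]:
    """Flag the weak spots in the gateway's own services (rules are this example's, not nmap's)."""
    findings = []
    for p in host.ports:
        if p.state != "open":
            continue
        tag = f"{p.number}/{p.proto}"
        if p.service == "telnet" or "telnetd" in p.version:
            findings.append(f"{tag}: cleartext telnet admin service ({p.version})")
        if p.service == "upnp":
            findings.append(f"{tag}: UPnP exposed ({p.version})")
        for s in p.scripts:
            if s.startswith("sslv2:"):
                findings.append(f"{tag}: {s}")
            elif s.startswith("Public Key bits:") and int(s.split()[-1]) < 2048:
                findings.append(f"{tag}: {s.split()[-1]}-bit RSA certificate key")
    return findings


if __name__ == "__main__":
    h = parse_report(SAMPLE_REPORT)
    print(summarize(h))
    print("telnet on ports:", telnet_ports(h))
    for f in assess(h):
        print(" -", f)
```

A note on the port 1111 label: Network Utility prints "lmsocialserver" because that is the name assigned to port 1111 in the system's /etc/services; it is a lookup by port number, not a detection of anything running. nmap's version probe (the VERSION column, which the parser keeps separately) identified 1111 as a second BusyBox telnetd on the same Actiontec device, which is why the example treats the service name from the probe as authoritative over the port-number guess.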