OSX – 1N73RNET log for technology, projects, and other things (feed generated Tue, 29 Dec 2015 00:44:17 +0000)

An OS X Virus I Can’t Figure Out
/2013/05/28/an-os-x-virus-i-cant-figure-out/ (Tue, 28 May 2013 21:58:17 +0000)

The past couple months at work I have been tracking something that I can’t figure out. I believe it to be an iOS or OS X virus that is in the wild and that I have yet to find anything that detects. Here is the information I know about it; I’m putting it out here in hopes that someone else has run into the same thing and may know more than I do.

These flags came to my attention because the suspected infected clients use P2P to download a payload from a server. Our network flags the P2P traffic, which is what alerted me to the abnormal traffic.

Clients
All of the clients have been either iOS (iPhones and iPads) or Apple laptops running OS X.
To my knowledge there haven’t been any Windows clients flagged for the same P2P traffic.

What’s in common
The main thing in common is all of the clients are initiating a P2P connection to the host update.alyac.co.kr:6969 or IP address 125.140.132.205 which both belong to a Korean antivirus company.
All of the clients show the agent to be libtorrent.
None of the users seem particularly tech savvy, and no common software was found between all of the computers/phones/tablets. In most cases the software installed seemed very minimal. I did not have the opportunity to gather browser history on the clients.

What else is weird
The requests happen in batches. The first week I noticed them there were 3-4 hits. A little time passed and I had another 2 hits just days apart. Now I get smaller, sporadic hits.

What I have found
I have Wireshark dumps from the P2P traffic but I can’t decipher any meaningful information from them besides the actual connection being made. Email me if you want to have a look.
I also found that the Alyac servers were hacked back in 2011 but I can’t find much else about the company or domain.

So I am posting this for anyone with more information to help me track down what is happening. I find it too coincidental that P2P traffic is going to a random Korean website when the users don’t appear to have any P2P traffic installed. Please leave a comment if you’ve seen something similar or have any other information on what may be happening.
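Port 6969 is the conventional BitTorrent tracker port, so the connections described above are most likely tracker announces, and those carry fields a capture can actually yield: the info_hash naming the torrent, the peer_id naming the client, and the tracker host. The following is an added example, not code from the post or from anyone involved; it assumes the Wireshark capture has been reduced to the HTTP request text or the UDP payload, and every sample message and flow record in it is constructed.

```python
"""Decode BitTorrent tracker traffic of the kind seen on port 6969.

Added example, not code from the original post. Port 6969 is the conventional
BitTorrent tracker port, so this assumes the P2P flows the post describes are
ordinary tracker announces, either HTTP (GET /announce?...) or the UDP tracker
protocol (BEP 15), and that the Wireshark capture has already been reduced to
the request text or the UDP payload. Every sample message below is constructed.
"""
import struct
from urllib.parse import unquote_to_bytes, urlsplit

TRACKER_PORT = 6969
# BEP 15: a UDP tracker session opens with a connect request whose first
# 8 bytes are this fixed protocol identifier, followed by action 0 (connect).
UDP_TRACKER_PROTOCOL_ID = 0x41727101980


def _raw_query(target: str) -> dict:
    """Split the query string without text-decoding it: info_hash and peer_id
    are 20 raw bytes each, which urllib.parse.parse_qs would mangle."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = unquote_to_bytes(value)
    return params


def parse_http_announce(request_text: str) -> dict:
    """Parse one HTTP tracker announce (request line plus headers)."""
    lines = request_text.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method != "GET" or not urlsplit(target).path.endswith("/announce"):
        raise ValueError("not a tracker announce")
    headers = {}
    for line in lines[1:]:
        if not line:  # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = _raw_query(target)
    peer_id = params.get("peer_id", b"")
    # BEP 20 Azureus-style peer ids are "-XXvvvv-" plus 12 random bytes; the
    # two letters identify the client ("LT" is Rasterbar libtorrent).
    client = None
    if peer_id[:1] == b"-" and peer_id[7:8] == b"-":
        client = peer_id[1:3].decode("ascii", "replace")
    return {
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "info_hash": params.get("info_hash", b"").hex(),  # identifies the torrent
        "client": client,
        "event": params.get("event", b"").decode("ascii", "replace") or None,
        "left": int(params.get("left", b"0")),  # bytes still to download
    }


def parse_udp_connect(payload: bytes):
    """Recognise a UDP tracker connect request; None for anything else."""
    if len(payload) < 16:
        return None
    protocol_id, action, transaction_id = struct.unpack(">QII", payload[:16])
    if protocol_id != UDP_TRACKER_PROTOCOL_ID or action != 0:
        return None
    return {"action": "connect", "transaction_id": transaction_id}


def flag_suspect_flows(flows: list) -> list:
    """Return the client addresses whose flows match both indicators the post
    gives: a tracker-port destination and a libtorrent user agent."""
    return sorted({f["src"] for f in flows
                   if f["dport"] == TRACKER_PORT
                   and f.get("agent", "").lower().startswith("libtorrent")})


# --- constructed samples ---------------------------------------------------
SAMPLE_ANNOUNCE = (
    "GET /announce?info_hash=%00%11%22%33%44%55%66%77%88%99%aa%bb%cc%dd%ee%ff"
    "%01%02%03%04&peer_id=-LT1100-abcdefghijkl&port=6881&uploaded=0"
    "&downloaded=0&left=1048576&compact=1&event=started HTTP/1.1\r\n"
    "Host: update.alyac.co.kr:6969\r\n"
    "User-Agent: libtorrent/1.0.0\r\n"
    "\r\n"
)
SAMPLE_UDP_CONNECT = struct.pack(">QII", UDP_TRACKER_PROTOCOL_ID, 0, 0xDEADBEEF)
SAMPLE_FLOWS = [  # minimal flow records as a network sensor might export them
    {"src": "10.0.5.21", "dst": "125.140.132.205", "dport": 6969, "agent": "libtorrent/1.0.0"},
    {"src": "10.0.5.40", "dst": "203.0.113.10", "dport": 443, "agent": "Safari"},
    {"src": "10.0.5.77", "dst": "125.140.132.205", "dport": 6969, "agent": "Transmission/2.80"},
]

if __name__ == "__main__":
    print(parse_http_announce(SAMPLE_ANNOUNCE))
    print(parse_udp_connect(SAMPLE_UDP_CONNECT))
    print(flag_suspect_flows(SAMPLE_FLOWS))
```

The info_hash is the most useful field for a defender: it is the same for every client announcing the same torrent, so it tells you whether the flagged machines are all fetching one payload or unrelated content, and it is what a tracker or index can be queried for. The flow filter encodes only the two indicators the post states (destination port 6969 and a libtorrent agent); a real sensor export would carry more fields than the constructed records here.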

How-to Modify the Default User Settings in OSX
/2009/09/30/how-to-modify-the-default-user-settings-in-osx/ (Wed, 30 Sep 2009 16:33:07 +0000)

After my post on modifying default user settings in Vista I thought I should follow up with how to accomplish a similar thing in OSX. For OSX there is only one way to accomplish this, and that way is the manual way.

Just like with the manual way in Vista, set up two user accounts: your local admin and a template user. Change all the settings you want for the template user, then restart and log in as admin. To copy the files to the default user you will need to open the terminal and follow the commands below.

Local admin isn’t enough; you will need to actually be using the terminal as the root user. If you don’t have root enabled you can find out how to enable it here.

sudo su

The English.lproj is the default user directory for any user that uses the English language. All we are doing here is copying the English.lproj folder and its contents to English.lproj.bak. For these important files ditto is better than cp because ditto will preserve the “resource fork” when given the --rsrc option. It is also a good idea to keep a copy of this default user somewhere else besides just this computer in case something happens. I would recommend zipping up the English.lproj folder and storing it on a backup drive somewhere.

cd /System/Library/User\ Template/
ditto --rsrc English.lproj/* English.lproj.bak

Now that we have a backup we can remove all the files/settings in the old English.lproj directory. If you accidentally delete the English.lproj folder (instead of just its contents) you can create it again with mkdir.

rm -rf English.lproj/*

Here we are just copying everything from our user we set up to the user template folder. Replace “rothgar” in the below command with the username you gave your template user.

cp -R /Users/rothgar/* English.lproj/

This final step will change the owner and group of the files and folders inside the user template to what they should be. All of the default user files should be owned by root and the group wheel.

chown -Rv root:wheel English.lproj

Those are all the steps needed to modify the default user. It would also be a good idea to reboot the computer, log in as admin, and check/repair disk permissions on the drive just to make sure everything is correct before you take an image of the computer. If everything is correct you can test out your settings with a new user and if everything checks out delete your template user.

Let me know if you have any questions, comments, or problems with the process in the comments.

Enable “path view” on top of Finder window
/2008/12/07/enable-path-view-on-top-of-finder-window/ (Mon, 08 Dec 2008 05:23:34 +0000)

I saw this at The Unofficial Apple Weblog and thought it was nice because I hate that you can’t see what folder you are in by default.
Open a terminal and type:

defaults write com.apple.finder _FXShowPosixPathInTitle -bool YES

And you have your location at the top of the window. I don’t even have an Apple anymore but this still may be useful in the future. Only works in OSX 10.5.5+.

Create user template in OSX
/2008/10/22/create-user-template-in-osx/ (Thu, 23 Oct 2008 04:51:00 +0000)

After my last post I realized I have never explained (or documented for myself) how to create a user template in OSX. The best how-to I found was on Jim Epler’s Blog, which I found via Google. Here are his steps, slightly modified:

1. Tweak your default account including setting dock, clearing cache, recent items, etc.

2. Restart and login to the machine as admin.

3. Issue the following commands in the terminal:

:~root# cd /System/Library/User\ Template/
:~root# sudo ditto -rsrcFork English.lproj/* English.lproj.bak
:~root# sudo rm -rf /System/Library/User\ Template/English.lproj/*
:~root# sudo cp -R /Users//* /System/Library/User\ Template/English.lproj/
:~root# sudo chown -R root English.lproj
:~root# sudo chgrp -R wheel English.lproj

4. Restart, log in as admin and repair permissions before creating a new account to see if it worked.

Now all your new users that log into the machine (including mobile users) will have these same settings as your template user.

OSX 10.5 keychain and user templates
/2008/10/22/osx-105-keychain-and-user-templates/ (Thu, 23 Oct 2008 04:34:50 +0000)

We decided to have our Apple computers joined to our Active Directory server so we have a little more control and our users have a little more continuity and features when using different machines. We also finally figured out how to set up a user template similar to Windows default user profile. A problem we ended up with was our user template had a blank password for the keychain access but we need our users to have their keychain password be the same as their login password. If the keychain passwords do not match, the keychain keeps popping up every time they need to use a password stored in the keychain.
To fix this you can simply delete the login.keychain file from the /System/Library/User Template/English.lproj/Library/keychains/ folder before a user logs in, or you can just delete the login.keychain from the /Users//Library/keychains/ folder after the user has already logged in.
I just wanted to help with this problem before too many people got stuck with this like we did.
Leave me a comment if it worked for you or if you have any problems.
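The two template how-tos above end with “repair permissions and test with a new account”, and this post shows what slips through that test: a login.keychain copied in from the template user. The following audit is an added example, not code from any of these posts. It checks a template directory for the conditions the posts require (every path owned by root:wheel as the chown step intends, no leftover login.keychain, an empty Library/Caches as in the “clearing cache” step). It is in Python rather than the shell the posts use so the same checks can be exercised on a throwaway tree; DEFAULT_TEMPLATE mirrors the path the posts give, while make_sample_template(), self_check() and the com.example.app cache entry are constructed for illustration.

```python
"""Audit an OS X user template directory before imaging the machine.

Added example, not code from the original posts. It checks the conditions the
posts say must hold for /System/Library/User Template/English.lproj after a
template user's home has been copied in: every path owned by root:wheel
(uid 0, gid 0 on OS X), no login.keychain left under Library/Keychains (its
password cannot match a new user's login password), and an empty
Library/Caches. The directory to audit and the expected owner are parameters;
the tree built by make_sample_template() is constructed.
"""
import os
import sys
import tempfile
from pathlib import Path

DEFAULT_TEMPLATE = Path("/System/Library/User Template/English.lproj")
ROOT_UID, WHEEL_GID = 0, 0  # wheel is gid 0 on OS X

# Leftovers that should not ship in a template, relative to its root.
STALE_FILES = ("Library/Keychains/login.keychain",)
MUST_BE_EMPTY = ("Library/Caches",)


def iter_paths(root: Path):
    """Yield the template root and everything below it (not following links)."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield Path(dirpath) / name


def find_bad_ownership(root: Path, uid: int = ROOT_UID, gid: int = WHEEL_GID) -> list:
    """Relative paths whose owner or group differs from the expected pair."""
    bad = []
    for path in iter_paths(root):
        st = path.lstat()  # lstat: report the link itself, not its target
        if st.st_uid != uid or st.st_gid != gid:
            bad.append(str(path.relative_to(root)) if path != root else ".")
    return bad


def find_stale_items(root: Path) -> list:
    """Leftover keychain files and non-empty cache directories."""
    stale = [rel for rel in STALE_FILES if (root / rel).exists()]
    for rel in MUST_BE_EMPTY:
        directory = root / rel
        if directory.is_dir() and any(directory.iterdir()):
            stale.append(rel)
    return sorted(stale)


def audit_template(root: Path, uid: int = ROOT_UID, gid: int = WHEEL_GID) -> dict:
    """Combine both checks; "ok" is True only when nothing was found."""
    report = {
        "not_root_wheel": find_bad_ownership(root, uid, gid),
        "stale": find_stale_items(root),
    }
    report["ok"] = not report["not_root_wheel"] and not report["stale"]
    return report


def make_sample_template(base: Path) -> Path:
    """Construct a template tree with the two leftovers the posts warn about
    (a login.keychain and a populated cache) next to a legitimate dock plist."""
    root = base / "English.lproj"
    (root / "Library" / "Keychains").mkdir(parents=True)
    (root / "Library" / "Keychains" / "login.keychain").write_bytes(b"constructed")
    (root / "Library" / "Caches" / "com.example.app").mkdir(parents=True)
    (root / "Library" / "Caches" / "com.example.app" / "Cache.db").write_bytes(b"x")
    (root / "Library" / "Preferences").mkdir()
    (root / "Library" / "Preferences" / "com.apple.dock.plist").write_bytes(b"plist")
    return root


def self_check() -> dict:
    """Audit the constructed tree in a temporary directory. Ownership is checked
    against the tree's own owner (so that check passes) and then against an
    owner that cannot match (so every one of the nine paths is reported)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = make_sample_template(Path(tmp))
        owner = root.lstat()
        report = audit_template(root, uid=owner.st_uid, gid=owner.st_gid)
        report["wrong_owner_count"] = len(
            find_bad_ownership(root, uid=owner.st_uid + 1, gid=owner.st_gid))
        return report


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_TEMPLATE
    result = audit_template(target)
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["ok"] else 1)
```

Run it as root against the real template directory after the chown step and before taking the image; a non-zero exit means either the ownership step missed something or the template user’s keychain or caches were carried over. Extending STALE_FILES with other per-user state you never want in a fresh account (saved credentials, recent-items lists) is the natural next step.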

How to restore an Apple computer to factory defaults
/2008/10/03/how-to-restore-a-apple-computer-to-factory-defaults/ (Fri, 03 Oct 2008 21:27:23 +0000)

I occasionally need to set up an Apple computer to act like it just came from the factory to give to a new person or to sell it. There are 2 ways I found to do this. The first is with the original install disk that came with your computer. But honestly, who still has those around?

The second is as easy as deleting one folder and two files.

All you have to do is boot the mac into single user mode (command+s at start up) and enter the following commands at the terminal you are presented with.

mount -uw /
rm -rf /Users/ /var/db/netinfo/local.nidb /var/db/.AppleSetupDone
reboot

(Use shutdown -h now instead of reboot if you don't want the machine to turn back on.)

Replace with whatever username you set up on the computer.

This isn’t exactly the same as a fresh install but it is close enough. It removes all of the users and has the person go through the steps of naming the computer and registering with Apple.

Let me know if you have any other tips for restoring an Apple computer to true factory defaults.

Catching up
/2007/12/07/catching-up/ (Fri, 07 Dec 2007 20:22:23 +0000)

I have had quite a few articles and tools that I have been wanting to post here but I haven’t made the time to do it. So I guess I am just going to make one big post for all of them. Most of these tools came from the wonderful How-to Geek but there are a few other good ones in the mix.

First up is replacing your task manager with process explorer in Windows Vista. In XP it is usually as simple as going to options and clicking on replace task manager. In Vista there is a bit more of a trick to it if you still have UAC ruling your life. UAC is the first thing I turn off in Vista so there wasn’t any problem for me. Head over to the How-to Geek for further instructions and screenshots.

The next tip is all about drivers. First you could always see what drivers you have installed at the command line, but that isn’t very fun. I guess you could see what drivers are installed and export the list to a text document, excel spreadsheet, or something else. Or you could just transfer the drivers directly from one machine to another. This is great news if you are moving from one computer to another, or if you are just having problems with your computer and want to do some troubleshooting.

Downloadsquad makes the list of useful tools with the Revo Uninstaller. I have never heard of it before but already really like it. Not only can it uninstall your programs and search for left over files and registry entries, but it also has built in shortcuts like the on screen keyboard, msconfig, system properties, etc. And because the new version is free AND portable I can keep it on my USB key and take it with me when troubleshooting machines.

Downloadsquad also showed me a Universal Extractor that could be very useful for extracting files that 7-zip can’t already open. I haven’t tried it yet but I definitely want to keep it in my bag of tricks.

You would think this post would be done now because there is already so much stuff. But I have been procrastinating for a while now on these tools.

Inventgeek had one of the best do-it-yourself articles I have seen for a while: how to make your own thermal paste from diamond dust. I really want to give this one a try on my PS3 but it is going to have to wait just a little bit. I am still a bit nervous about putting it back together. The opening up doesn’t scare me at all. It is only the reassembly.

The last two articles go back to the How-to Geek. If you support machines like I do you probably use the Group Policy Editor quite a bit in Windows XP. This tip shows you how to add it to the control panel. There is also one for adding User Accounts Utility (userpasswords2) in the control panel.

Last but not least. How to Remote Control Leopard with TightVNC brought to you by Lifehacker.

Well I am officially caught up with the articles I wanted to add here. Now I think I will try some of them out and maybe play some more video games.
