These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

Macintosh

 
  • Topic is locked indefinitely.
 

Eve Online - Mac data mining malware when you trade in Jita.
Author
Previous Topic Next Topic
Eric Agerwal
Cryosoft
#1 - 2013-07-14 10:37:59 UTC  |  Edited by: Eric Agerwal
Since the latest launcher I now am getting more meaningful logged messages in my console.
It pertains to the following string 'LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32'
I've written petition (3244164) which involved wiping hard drive and reinstalling OS and all software and yet I still continue to have issues with Eve, and filed bug reports (161279) on this issue, to no avail without any kind of response from CCP on the bug.

For me personally everything went awry when DUST went live in May 2013. Others seem to have had
this issue going back for years and CCP continues to ignore people.

I ran:
sudo grep -R 'LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32' /
and it identified
/Applications/EVE Online.app/Contents/Resources/EVE Online.app/Contents/Resources/transgaming/c_drive/Program Files/CCP/EVE/bin/libsndfile-1.dll
and my cloned version
/Applications/EVE Online Clone 1.app/Contents/Resources/transgaming/c_drive/Program Files/CCP/EVE/bin/libsndfile-1.dll

Symptoms:
I get these messages and a minute or so delay between trades whenever I am in Jita as I wait for an eternity for the pop up panel to display. When I try and modify the price or quantity from the stack that I am selling it also takes ages.

I get these messages logged each time:

:13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline Terminating process by request - returning 0
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline 0xf00679dc:1: Atom table size=1 entries=37
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline c000: ref=1 hash=35 "aaaaAAaaAaAAAaaaaaaaAaaaaaAaAaaa-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32"
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline 0xf005d1e4:1: Token owned by 0xf0059554
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline 0xf0059554:1: Thread 0003 unix tid=9751 teb=0x74c2000 state=1 process=000a
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline 0xf0050080:1: IO Completion max=4 active=0 queued_tasks=0 assigned=0
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline name=""
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline 0xf004c4fc:1: Event manual=1 signaled=0 name=""
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline 0xf0007a74:1: Token owned by 0xf0050780
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline 0xf0050780:1: Process 000a next=0xf00074e0 prev=0x0 handles=0x0
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline 0xf004ebd4:1: Event manual=1 signaled=0 name=""
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline 0xf0001a84:1: Token owned by 0xf00074e0
13/07/2013 21:52:26 [0x0-0x47a47a].com.ccpgames.eveonline 0xf00074e0:1: Process 0001 next=0x0 prev=0xf0050780 handles=0x0


i have noticed the winserver process that Eve uses for Windows Emulation has open ports to:
f5.c0.354a.static.theplanet.com:http
s3-1.amazonaws.com:http
I presume the first is the mining app and second the storage location for the mined data.
Phext
SIGBUS
#2 - 2013-07-24 17:11:54 UTC  |  Edited by: Phext
http://f5.c0.354a.static.theplanet.com redirects to http://s3.amazonaws.com/gametreemac.updates/
If you call that URL on a client not running eve, you'll get an XML File with an "error code":

"[Error]
AccessDenied
[Message]Access Denied[/Message][RequestId]...some id...[/RequestId][HostId]...yet another id...[/HostId][/Error]"

what happens if you call that url in your browser if an eve client is running on the same client?

Edit:
Use tcpdump[1],[2] to see whats going through the wire.

[1] https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/tcpdump.1.html
[2] http://support.apple.com/kb/ht3994

:wq!