gimp install freezes machine, possible trojan?

[john.carlson3@…]

I was installing gimp with port install gimp. It was going through dependencies, so I stepped away from the machine. When I came back, the machine was frozen, and I had to unplug it to get it going again. Later I got the message below (truncated) from my ISP, Today at 10:05am. The last date I can see any the file in /opt/local is 1 Sep 13:15. When I booted up, it said Norton Antivirus auto-protect was turned off. Hmm. After installing Norton Firewall today, I am going through logs and file system stuff to try to figure out what happened.

IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center -„IRC Traffic Detected‰

Our investigation shows that the following IP was assigned to your log-on session at the indicated time and was using IRC connections to a computer network which is possibly a Botnet.

Date: (UTC) => Your IP: 2011-09-01 14:09:47 => 69.107.67.20

IRC Botnet infected systems commonly send or receive commands that can SPAM email, spread malicious software, and perpetrate identity theft.

IRC traffic on ports other than those normally used by IRC can be an indication of backdoor trojans or bots.

[john.carlson3@…]

List of files in /opt/local created from Sep 1 13:10-13:19

[neverpanic (Clemens Lang)]

Priority high is reserved for MacPorts developers, please remember to CC the maintainer.

This seems unrelated to MacPorts, though – Downloads made by MacPorts are checked for authenticity and are unlikely to include malicious software. Also your machine apparently having crashed already when the connection was established leaves me baffled. Do you have any other machines/devices on your network (i.e. using the same IP) that were running at that time?

[john.carlson3@…]

I'm unclear on when the machine froze. I tried last, but it just has wtmp begins <now>. All the wtmp.# files are 0 sized. Is there something else which reports on login times and reboots on Mac OS X Snow Leopard? I have a time-capsule, Roku, Wii and the router. It's possible I was using the Roku during that time. Also my printer attached to the Macintosh hung at "Shutting Down..." but it was missing ink. I am frazzled. I will get snort and try to sort through things. It's probably unrelated to macports at this point. Time to reimage I guess.

[jmroot (Joshua Root)]

Closing given that nobody else seems to be able to reproduce this, and there isn't really enough information to investigate further. Feel free to reopen if that changes.