3

Little Snitch periodically brings up a dialog that says:

Terminal via node wants to accept an incoming connection from X on port 3000 (remoteware-cl).

X are different IPs in Eastern Europe. A full Sophos system scan did not find the malware. I can determine which process is opening the connection with lsof -i tcp:3000. Once I have the pid, how can I determine how the process started, and how do I remove what's starting it / prevent it from starting again?

John
  • 31
  • 2
  • `ps auxwww | grep [pid]` would give you the process. Also, Activity Monitor can get you the process information, and you can get information about the process like open ports and files. –  Aug 12 '15 at 15:56
  • Glad to see someone who doesn't kowtow to the urban myth: "no virus on Mac". – dan Aug 14 '15 at 12:40

2 Answers

2

ps l [pid] will list, among other things, the "parent process ID" (PPID) of the process. (If the parent process has exited, though, that information is lost and PPID will be 1.) ps eww [pid] will list its environment variables, which may give a hint where it came from.

Are you sure this is malware and not an unexpected behavior of something you're doing on purpose? Does it happen even if you aren't running Terminal.app?

Wim Lewis
  • 271
  • 1
  • 3
1

(This is just a complement to the correct answer from Wim Lewis.)

Once you have the pid of your suspect process, here are a few commands to help you analyse what this process might be doing. Let's say you stored this pid in the variable _pid.

  • lsof -p ${_pid}

    will list all the files the process currently has open

  • opensnoop -p ${_pid}

    will show you every file the process opens while it is running

With these file locations you will be able to pretty quickly ascertain if this is a legitimate program or not.

If system accounting is activated on your system, lastcomm will also show you which processes were executed just before this suspect one. Moreover, lastcomm will show you if one of these processes was permitting a privilege escalation (look at the S flag). Unfortunately, lastcomm doesn't provide the arguments passed to a program nor its environment (*argv, *envp).

dan
  • 3,043
  • 14
  • 35
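The steps from both answers (walk the PPID chain, dump the environment, list open files with lsof) can be combined into one triage script. This is an added example, not code from either answer or from the question; it assumes a macOS host with lsof installed (the asker's setup) and adds /proc fallbacks so the same functions run on Linux. The final check against the standard launchd directories and the user's crontab is an additional step that neither answer mentions, included because the question also asks what is starting the process.

```shell
#!/bin/sh
# triage_pid.sh: given a suspect PID, walk its parent chain, show its
# environment and open files/sockets, and look for a launchd job or cron
# entry that references its executable. Example code, not from the
# original answers. Assumes macOS with lsof; the /proc branches let the
# same functions run on Linux.

# Parent PID of a process (empty if the process has already exited).
parent_of() {
    if [ -r "/proc/$1/stat" ]; then
        # Linux: "pid (comm) state ppid ..."; strip everything up to the
        # ") " that closes comm so a ")" inside the name cannot confuse us.
        sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f2
    else
        ps -o ppid= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# Full command line of a process.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1" 2>/dev/null
    fi
}

# One line per ancestor, "pid ppid command", from the suspect process up
# to pid 1 (launchd on macOS). Stops early if a parent has already exited,
# which is the point at which the PPID hint from ps is lost.
ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
        ppid=$(parent_of "$pid")
        if [ -z "$ppid" ]; then
            break
        fi
        printf '%s %s %s\n' "$pid" "$ppid" "$(cmdline_of "$pid")"
        pid=$ppid
    done
}

# Environment of the process (macOS ps needs -E to print it).
proc_env() {
    if [ -r "/proc/$1/environ" ]; then
        tr '\0' '\n' < "/proc/$1/environ"
    else
        ps -E -p "$1" 2>/dev/null
    fi
}

# Executable path, used to search for whatever launches the process.
exe_of() {
    if [ -r "/proc/$1/exe" ]; then
        readlink "/proc/$1/exe"
    else
        # lsof marks mapped program text with FD "txt"; the first such
        # entry is normally the binary itself (assumption, dylibs follow).
        lsof -nP -p "$1" 2>/dev/null | awk '$4 == "txt" { print $9; exit }'
    fi
}

# Where might it be started from? launchd plists and the user's crontab
# are the usual places on macOS; this check is an addition to the answers.
persistence_hits() {
    exe=$1
    for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
        if [ -d "$d" ]; then
            grep -l -- "$exe" "$d"/*.plist 2>/dev/null || true
        fi
    done
    crontab -l 2>/dev/null | grep -- "$exe" || true
}

# Driver: only runs when a PID is passed on the command line.
if [ -n "${1-}" ]; then
    pid=$1
    echo "== ancestry (pid ppid command) =="; ancestry "$pid"
    echo "== environment =="; proc_env "$pid"
    echo "== open files and sockets (lsof) =="; lsof -nP -p "$pid" 2>/dev/null
    exe=$(exe_of "$pid")
    echo "== persistence entries referencing $exe =="; persistence_hits "$exe"
fi
```

Run it with the pid the question already obtains from lsof, e.g. `sh triage_pid.sh "$(lsof -t -i tcp:3000)"` when exactly one process is listening on that port. The ancestry listing answers "how did it start" as far as the kernel still knows; the persistence section narrows down what will start it again after a reboot.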