Little Snitch periodically brings up a dialog that says:
Terminal via node wants to accept an incoming connection from X on port 3000 (remoteware-cl).
X are different IPs in eastern europe. A full Sophos system scan did not find the malware. I can determine which process is opening the connection with lsof -i tcp:3000
. Once I have the pid, how can I determine how the process started, and how do I remove what's starting it / prevent it from starting again?