spyware for mac [actually, BitTorrent]? "python" app calling random sites -

zozo
Posted:
in General Discussion edited January 2014
I installed Little Snitch for the first time and all of a sudden I have an app called "python" that wants to call to different websites every few minutes.



Its an invisible app, but I do see it twice in the list of running processes if I type "top" in terminal.



I've followed some of th sites it wasnt to go to (like www.macgamer.net ) and other various IP addresses, and they're all crud. Heres another that just popped up: "The application "python" wants to connect to adsl-68-127-147-254.dsl.pltn13.pacbell.net on TCP port 6881".... JESUS and another one!!! "The application "python" wants to connect to dsl-32.54.240.220.lns02-kent-syd.dsl.comindico.com.au on TCP port 6881"



I have no clue whats going on and what app installed it. I have a feelings it XFactor, but I'm not 100% sure.





here are some screenshots:













Comments

  • Reply 1 of 15
    zozo Posts: 3,115member
    PS how do I find where this Python actually IS?



    I have found a directory in Library > Python that has another folder called 2.3 and inside that folder is a document that says "readme". In the readme it says "This directory exists so that 3rd party packages can be installed

    here. Read the source for site.py for more details."



    Library > Python > 2.3 > README
  • Reply 2 of 15
    Python is a coding language... Its some app written in python that is trying to connect to those websites.
  • Reply 3 of 15
    zozo Posts: 3,115member
    that makes no sense...



    every minute?



    fyi, I do have Developer Tools intsalled, but never used them.

    and why is this app trying to contact "dead" sites or totally hidden sites?



    elp elp
  • Reply 4 of 15
    zozo Posts: 3,115member
    more:



    The application "python" wants to connect to c210-49-101-4.rochd1.qld.optusnet.com.au on TCP port 6881



    The application "python" wants to connect to cpc1-nfds2-4-0-cust235.nott.cable.ntl.com on TCP port 6881



    The application "python" wants to connect to lns-th2-15-82-64-228-77.adsl.proxad.net on TCP port 6883



    The application "python" wants to connect to bzq-218-23-181.cablep.bezeqint.net on TCP port 6881



    The application "python" wants to connect to dsl-082-082-144-188.arcor-ip.net on TCP port 6887



    and the list goes on... every minute a new one....
  • Reply 5 of 15
    zozo Posts: 3,115member
    The application "python" wants to connect to c3eea2cd5.cable.wanadoo.nl on TCP port 6882



    The application "python" wants to connect to astound-66-234-214-17.ca.astound.net on TCP port 6890



    The application "python" wants to connect to 173.pool9.dsl8mosaka.att.ne.jp on TCP port 6884



    The application "python" wants to connect to adsl-67-125-58-61.dsl.lsan03.pacbell.net on TCP port 6881



    The application "python" wants to connect to 81-178-80-215.dsl.pipex.com on TCP port 6882



    The application "python" wants to connect to host81-152-206-71.range81-152.btcentralplus.com on TCP port 6882



    The application "python" wants to connect to host144-76.pool8249.interbusiness.it on 6 port 6881



    and this is just since the last post...



    out of hand
  • Reply 6 of 15
    Honestly I have no idea. It has to be an App that you installed that was built with python though. Thats all I was trying to say.



    If the sites are dead though than maybe its an older program. Just open up process viewer and look for programs that look strange to you that where started under your username. Maybe if you post back here with some of those we can help narrow it down. If you see python in the process viewer list just remember thats not the program thats doing it, Its just a run time engine. You could kill it though and it should take the app down with it. Odds are your not running to many python apps to begin with.
  • Reply 7 of 15
    zozo Posts: 3,115member
    in terminal:



  • Reply 8 of 15
    Thats just the runtime engine though, Its like if you run a java app and open your terminal you will see java running. Its not the app.



    Still try killing python. It should take the offending app down with it.
  • Reply 9 of 15
    zozo Posts: 3,115member
    good call.



    I opened ACTIVITY MONITOR and selected both instances of Python.













    there ya go...



    If you have Tomato Torrent then you got spyware running while its running. Which means... another few days of that for me... crap.
  • Reply 10 of 15
    smirclesmircle Posts: 1,035member
    Quote:

    Originally posted by ZO



    If you have Tomato Torrent then you got spyware running while its running.




    Uhm, this is just a bittorrent client trying to connect to other bittorrent clients via the usual bittorrent port (6881). Maybe you should read a bit about how P2P works



    From a Bittorrent FAQ:

    Quote:

    What language is BitTorrent written in?



    Python. And it uses wxWindows for its GUI.



    and this FAQ tells us:

    Quote:

    What ports does BitTorrent use? [...]



    Prior to version 3.2, BitTorrent by default uses ports in the range of 6881-6889. As of 3.2 and later, the range has been extended to 6881-6999. [...] The client starts with the lowest port in the range and sequentially tries higher ports until it can find one to which it can bind. This means that the first client you open will bind to 6881, the next to 6882, etc.



    confirmed! Little snitch confuses users.
  • Reply 11 of 15
    jwri004jwri004 Posts: 626member
    The innocence, it is sort of sweet!
  • Reply 12 of 15
    stoostoo Posts: 1,490member
    Emergency over, nothing to see. Move along now.
  • Reply 13 of 15
    zozo Posts: 3,115member
    doh...



    in my defense it COULD have stayed in the same application or whatnot...



    anyway, good to know. Thanks



    lock the thread away!



  • Reply 14 of 15
    Quote:

    Originally posted by ZO

    doh...



    in my defense it COULD have stayed in the same application or whatnot...



    anyway, good to know. Thanks



    lock the thread away!







    Well it would have except the bittorrent client technically wasnt what was trying to connect to the net... The run time engine was
Sign In or Register to comment.