spyware for mac [actually, BitTorrent]? "python" app calling random sites
I installed Little Snitch for the first time and all of a sudden I have an app called "python" that wants to call to different websites every few minutes.
It's an invisible app, but I do see it twice in the list of running processes if I type "top" in terminal.
I've followed some of the sites it wants to go to (like www.macgamer.net) and other various IP addresses, and they're all crud. Here's another that just popped up: "The application "python" wants to connect to adsl-68-127-147-254.dsl.pltn13.pacbell.net on TCP port 6881".... JESUS and another one!!! "The application "python" wants to connect to dsl-32.54.240.220.lns02-kent-syd.dsl.comindico.com.au on TCP port 6881"
I have no clue what's going on and what app installed it. I have a feeling it's XFactor, but I'm not 100% sure.
here are some screenshots:

Comments
I have found a directory in Library > Python that has another folder called 2.3 and inside that folder is a document that says "readme". In the readme it says "This directory exists so that 3rd party packages can be installed here. Read the source for site.py for more details."
Library > Python > 2.3 > README
every minute?
fyi, I do have Developer Tools installed, but never used them.
and why is this app trying to contact "dead" sites or totally hidden sites?
elp elp
The application "python" wants to connect to c210-49-101-4.rochd1.qld.optusnet.com.au on TCP port 6881
The application "python" wants to connect to cpc1-nfds2-4-0-cust235.nott.cable.ntl.com on TCP port 6881
The application "python" wants to connect to lns-th2-15-82-64-228-77.adsl.proxad.net on TCP port 6883
The application "python" wants to connect to bzq-218-23-181.cablep.bezeqint.net on TCP port 6881
The application "python" wants to connect to dsl-082-082-144-188.arcor-ip.net on TCP port 6887
and the list goes on... every minute a new one....
The application "python" wants to connect to astound-66-234-214-17.ca.astound.net on TCP port 6890
The application "python" wants to connect to 173.pool9.dsl8mosaka.att.ne.jp on TCP port 6884
The application "python" wants to connect to adsl-67-125-58-61.dsl.lsan03.pacbell.net on TCP port 6881
The application "python" wants to connect to 81-178-80-215.dsl.pipex.com on TCP port 6882
The application "python" wants to connect to host81-152-206-71.range81-152.btcentralplus.com on TCP port 6882
The application "python" wants to connect to host144-76.pool8249.interbusiness.it on 6 port 6881
and this is just since the last post...
out of hand
If the sites are dead though, then maybe it's an older program. Just open up process viewer and look for programs that look strange to you that were started under your username. Maybe if you post back here with some of those we can help narrow it down. If you see python in the process viewer list just remember that's not the program that's doing it, it's just a run time engine. You could kill it though and it should take the app down with it. Odds are you're not running too many python apps to begin with.
Still try killing python. It should take the offending app down with it.
I opened ACTIVITY MONITOR and selected both instances of Python.
there ya go...
If you have Tomato Torrent then you got spyware running while it's running. Which means... another few days of that for me... crap.
Originally posted by ZO
If you have Tomato Torrent then you got spyware running while it's running.
Uhm, this is just a bittorrent client trying to connect to other bittorrent clients via the usual bittorrent port (6881). Maybe you should read a bit about how P2P works.
From a Bittorrent FAQ:
What language is BitTorrent written in?
Python. And it uses wxWindows for its GUI.
and this FAQ tells us:
What ports does BitTorrent use? [...]
Prior to version 3.2, BitTorrent by default uses ports in the range of 6881-6889. As of 3.2 and later, the range has been extended to 6881-6999. [...] The client starts with the lowest port in the range and sequentially tries higher ports until it can find one to which it can bind. This means that the first client you open will bind to 6881, the next to 6882, etc.
confirmed! Little Snitch confuses users.
in my defense it COULD have stayed in the same application or whatnot...
anyway, good to know. Thanks
lock the thread away!
Originally posted by ZO
doh...
in my defense it COULD have stayed in the same application or whatnot...
anyway, good to know. Thanks
lock the thread away!
Well it would have except the bittorrent client technically wasn't what was trying to connect to the net... The run time engine was.
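The triage the thread arrives at, as an added example that is not part of any post: parse the Little Snitch prompts pasted above and check the destination ports against the ranges quoted from the BitTorrent FAQ. The function names and the three-host threshold are assumptions made for this sketch.

```python
import re
from collections import Counter

# Default port ranges as quoted from the BitTorrent FAQ in the thread.
BT_PORTS_PRE_3_2 = range(6881, 6890)   # 6881-6889
BT_PORTS_3_2 = range(6881, 7000)       # 6881-6999

# Prompt wording as pasted in the thread. The protocol field is matched
# loosely because one prompt shows "6" where the others show "TCP".
ALERT_RE = re.compile(
    r'The application "(?P<app>[^"]+)" wants to connect to '
    r'(?P<host>\S+) on (?P<proto>\S+) port (?P<port>\d+)'
)

# Sample input: six prompts copied from the posts above.
SAMPLE = '''
The application "python" wants to connect to c210-49-101-4.rochd1.qld.optusnet.com.au on TCP port 6881
The application "python" wants to connect to lns-th2-15-82-64-228-77.adsl.proxad.net on TCP port 6883
The application "python" wants to connect to dsl-082-082-144-188.arcor-ip.net on TCP port 6887
The application "python" wants to connect to astound-66-234-214-17.ca.astound.net on TCP port 6890
The application "python" wants to connect to 81-178-80-215.dsl.pipex.com on TCP port 6882
The application "python" wants to connect to host144-76.pool8249.interbusiness.it on 6 port 6881
'''

def parse_alerts(text):
    """Return (app, host, proto, port) for every prompt found in text."""
    return [(m["app"], m["host"], m["proto"], int(m["port"]))
            for m in ALERT_RE.finditer(text)]

def triage(text, min_hosts=3):
    """Summarise the prompts and say whether they fit BitTorrent peer traffic.

    Heuristic only (assumption of this sketch): every destination port lies
    in 6881-6999 and at least min_hosts distinct peers were contacted.
    A port match supports the explanation; it does not prove it.
    """
    alerts = parse_alerts(text)
    ports = Counter(port for _, _, _, port in alerts)
    hosts = {host for _, host, _, _ in alerts}
    in_range = sum(1 for a in alerts if a[3] in BT_PORTS_3_2)
    return {
        "alerts": len(alerts),
        "distinct_hosts": len(hosts),
        "ports": dict(sorted(ports.items())),
        "outside_pre_3_2": sorted(p for p in ports if p not in BT_PORTS_PRE_3_2),
        "looks_like_bittorrent": bool(alerts) and in_range == len(alerts)
                                 and len(hosts) >= min_hosts,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the process name shown is only the interpreter, the confirming step is to read its full command line (for example `ps -o command= -p <pid>`), which names the script actually running.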