Need help identifying the OSX process that's generating strange network traffic

I'd normally suggest netstat -n -p in Linux, but the Mac/BSD version doesn't associate connections with processes, unlike the Linux version.

So maybe try sudo lsof -lnP +M -i4? sudo in case it's not your user id that's running it, -lnP to not convert UIDs/IP addresses/ports to usernames/domain names/common services, +M for portmapper registration info, and -i4 to see all IPv4 open connections.

Maybe write a watch script to grep for that port. Granted, again, Macs don't have a watch command, but you can simulate it with a quick script like:

sudo su
while true; do lsof -lnP +M -i4 | grep '30149'; sleep 1; done

and eventually quit by Ctrl-C.
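Going one step further than grepping, here is an added example (not part of the answer above) that parses `lsof -lnP +M -i4` output and reports which process owns a socket on a given port, and whether that port is on the local or the remote end of the connection. The sample lsof output embedded below is constructed; process names, PIDs and addresses are made up.

```shell
#!/bin/bash
# Added example: map a port number to the owning process from lsof output.
# Live use on the Mac:   sudo lsof -lnP +M -i4 | port_owner 30149

port_owner() {
    # $1 = port number to look for; lsof output is read from stdin
    awk -v port="$1" '
        NR == 1 { next }                      # skip the COMMAND/PID/... header
        {
            # Fields: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
            cmd = $1; pid = $2; uid = $3; proto = $8; name = $9
            state = ($10 == "") ? "-" : $10   # UDP sockets carry no state
            # NAME is "local" or "local->remote"; each side ends in :port
            n = split(name, ends, "->")
            lport = ends[1]; sub(/.*:/, "", lport)
            rport = ""
            if (n == 2) { rport = ends[2]; sub(/.*:/, "", rport) }
            if (lport == port)
                printf "%s pid=%s uid=%s %s local %s %s\n", cmd, pid, uid, proto, name, state
            else if (rport == port)
                printf "%s pid=%s uid=%s %s remote %s %s\n", cmd, pid, uid, proto, name, state
        }'
}

# Constructed sample in the `lsof -lnP +M -i4` column layout (values made up).
SAMPLE='COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
launchd     1    0  12u IPv4 0xaa1      0t0  TCP *:22 (LISTEN)
Safari    412  501  14u IPv4 0xaa2      0t0  TCP 192.168.2.5:58325->1.2.3.4:80 (ESTABLISHED)
mystery   999  501   3u IPv4 0xaa3      0t0  UDP *:30149
mystery   999  501   4u IPv4 0xaa4      0t0  TCP 192.168.2.5:49211->121.54.54.36:30149 (SYN_SENT)'

# Wrapper that runs the lookup for port 30149 against the sample.
sample_hits() { printf '%s\n' "$SAMPLE" | port_owner 30149; }

sample_hits
```

A process listening on the port shows up as "local" with `*:PORT`; a process talking out to that port on another host shows up as "remote", which is the case malware C&C traffic would produce.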


Looking at your edit, I think your computer may be fine, but you should probably reconfigure the firewall/port forwarding rules on your router.

You should have your router act as a firewall and drop/ignore random packets that do not originate from a connection you initiated (and are not sent to a port for a server you are running that should be accessible by the outside world). Let's say your ISP-issued IP address is 100.101.102.103, my computer is 1.2.3.4, and your MacBook Pro is one computer behind your router with the local IP address 192.168.2.5. If I send a packet from my machine to 100.101.102.103 on port 30149, your router has no reason to forward that packet to 192.168.2.5 (versus any other computer connected to that router). The router should just drop it.

This is contrasted with a legitimate request that your computer initiated. E.g., if your router knows that 192.168.2.5 has requested a connection with 1.2.3.4 at some port (say port 80 at my end for a webserver I host; some random port at your end, say 58325), then your router will direct packets received from 1.2.3.4 addressed to 100.101.102.103 port 58325 to your MacBook at 192.168.2.5 port 58325, knowing that's who the packet is for (your router remembers that the IP + port combo originated from your computer), so by default it will forward it appropriately.

This is also contrasted with, say, wanting to host a server of some sort on a computer behind your router. Then you need to define some port forwarding rules so that outside computers initiating a connection to 100.101.102.103 at some port get mapped to the correct port on the correct computer. E.g., if you have a MacBook Pro and a Linux box (192.168.2.3), you may have connections to 100.101.102.103 on port 22 go to the Linux box's ssh port (192.168.2.3 port 22), but have 100.101.102.103 on port 23 forwarded to the MacBook Pro's ssh port (192.168.2.5 port 22).

In summary: your router should not have any port forwarding rules set up, unless you are running services like http/ssh/nfs/cifs, etc. at known ports that need to be accessible to the outside world.
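As an added illustration of the three cases above (not code from the answer), the script below emits the iptables FORWARD/NAT rules a Linux-based home router would need: unsolicited inbound packets dropped, replies to LAN-initiated connections allowed, and explicit forwards only for the two ssh examples. The interface names eth0 (ISP side) and br0 (LAN side) are assumptions; the addresses are the answer's illustrative ones.

```shell
#!/bin/bash
# Added example: generate router forwarding rules for the behaviour described
# above. Review the output, then run it on the router with `| sh`.
# Interface names eth0/br0 are assumed; only the FORWARD path is covered,
# rules protecting the router's own INPUT chain are out of scope here.

# gen_rules WAN_IF LAN_IF [pubport:lanhost:lanport ...]
gen_rules() {
    wan=$1; lan=$2; shift 2
    # Default: nothing crosses the router unless a rule below allows it.
    echo "iptables -P FORWARD DROP"
    # Connections initiated from the LAN may go out ...
    echo "iptables -A FORWARD -i $lan -o $wan -j ACCEPT"
    # ... and only packets belonging to those connections may come back in.
    echo "iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Hide LAN addresses behind the single ISP-issued address.
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
    # Explicit exceptions for hosted services: rewrite the public port to the
    # LAN host, then allow that (rewritten) new connection through FORWARD.
    for fwd in "$@"; do
        pub=${fwd%%:*}; rest=${fwd#*:}; host=${rest%%:*}; port=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $pub -j DNAT --to-destination $host:$port"
        echo "iptables -A FORWARD -i $wan -o $lan -p tcp -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# The answer's example: public 22 -> Linux box ssh, public 23 -> MacBook ssh.
example_rules() { gen_rules eth0 br0 22:192.168.2.3:22 23:192.168.2.5:22; }

# The recommended default when nothing is hosted: no forwards at all, so a
# probe to port 30149 from outside never reaches 192.168.2.5.
default_rules() { gen_rules eth0 br0; }

example_rules
```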


Your computer is fine imho.

I think you're being scanned and it's a targeted scan on port 30149. I don't know of any vulnerable service running on that port, but in my mind someone was looking for something on that port. I suspect they were scanning a large netblock and your public IPv4 IP from your ISP was just one of many scanned.

I don't believe it's malware C&C traffic as everything is initiated inbound as far as I can see.

The attacker is performing the scan on TCP and UDP port 30149 and, as per their respective RFCs, your MBP is responding correctly when a destination port is closed (RFC 793 and 768 respectively): RST/ACK to the TCP SYN attempt, as the port on the MBP is closed, and similarly for UDP with an ICMP Port Unreachable (type 3, code 3), so that's all good.

If you perform a reverse DNS lookup (dig -x IP) on the various IPs that are attempting to connect to you, you'll see that they're quite geographically diverse. Given the short time-frame of the attack, this leads me to believe that the person attacking you has a small botnet, and obviously, if they're decent, you shouldn't be able to see their real IP.

  • 121.54.54.36 - no reverse record but whois shows => Wireless Broadband, Makati City, Philippines

  • 86.176.100.134 - host86-176-100-134.range86-176.btcentralplus.com => ISP in UK

  • 49.156.159.35 - no reverse record but 'whois' says => CityOnline Services Ltd, Bangalore

  • 78-60-80-5 - 78-60-80-5.static.zebra.lt => Media Company in Lithuania

  • 81.203.200.189 - 81.203.200.189.dyn.user.ono.com

  • 46.240.50.22 - no reverse record but part of RIPE so in Europe

  • 78.165.164.69 - 78.165.164.69.dynamic.ttnet.com.tr => some kinda ISP in Turkey

  • 186-228-40-136 - 186-228-40-136.ded.intelignet.com.br => Brazilian Postal Service or something

  • 81.203.200.189 - 81.203.200.189.dyn.user.ono.com

  • 90.14.19.81 - ALyon-152-1-212-81.w90-14.abo.wanadoo.fr

  • 41.96.92.136 - It's in Algeria but no reverse DNS

These IP addresses are all from systems (most likely on broadband connections) that have been compromised and, like you, they have a static IP from the ISP (the hostname is a giveaway in most cases above).

So it's pretty standard inbound scanning that you see everywhere on the Internet. 'dr jimbob' has made some good suggestions and you should tighten up the rules on your external router to essentially only allow outbound-initiated traffic (this might kill 'active ftp', but hopefully you're not using ftp, and if you are, it's 'passive'). You can create some ACLs so that you don't leak information such as ICMP Type 3 messages when ports/services are closed. I could go on forever here, but there are loads of papers here on how to create perimeter protection (ignoring the fact that there's no real perimeter these days).

Finally, and very interestingly, if you look here at DShield, you'll see there was a worldwide spike in scanning of port 30149 on June 29th/30th.

Most home routers (well, the decent ones) have iptables on them and there's loads you can do with that - see the HowTo.