Topic: which process did a monitoring item come from? (CHECKURL http://31.7.62.38/open)


sejtam

  • Guest
I have had some cases where the Avast MAD daemon would take a very high CPU percentage (170% or more) on my MacBook Pro.

I followed the instructions in http://forum.avast.com/index.php?action=emailuser;sa=email;msg=783022 to set the logging to 0xffffffff

Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Session (71170) closed.
Mon Jun 11 12:40:23 2012 [DAEMON 28399]: New session (71172) created: 2957578240.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Input (normal): 'CHECKURL http://31.7.62.138/open/1'.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Command 'CHECKURL' received.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Input (normal): 'QUIT'.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Command 'QUIT' received.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Session (71171) closed.
Mon Jun 11 12:40:23 2012 [DAEMON 28399]: New session (71173) created: 2957578240.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Input (normal): 'CHECKURL http://31.7.62.138/open/1'.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Command 'CHECKURL' received.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): 'QUIT'.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Command 'QUIT' received.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Session (71172) closed.
Mon Jun 11 12:40:24 2012 [DAEMON 28399]: New session (71174) created: 2957578240.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): 'CHECKURL http://31.7.62.138/open/1'.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Command 'CHECKURL' received.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): 'QUIT'.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Command 'QUIT' received.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Session (71173) closed.
Mon Jun 11 12:40:24 2012 [DAEMON 28399]: New session (71175) created: 2957578240.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): 'CHECKURL http://31.7.62.138/open/1'.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Command 'CHECKURL' received.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): 'QUIT'.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Command 'QUIT' received.


I killed my web browser and almost all other processes, but these kept coming.

I could not figure out where these came from, and in the process of stopping every other process I accidentally killed launchd and thus rebooted the machine.

Now they are no longer happening, so I have to wait for the next occurrence.

I need some additional method to find out what caused these.

31.7.62.138 resolves to privatelayer.com, a service I have no association with myself.


Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40

Hello,
The best way to catch the culprit is to log netstat -an output to get a clue which app is trying to communicate with the suspicious IP target.
We can't say more, especially when the culprit is inactive at the moment.

regards,
PC
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)
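A worked version of the approach zilog suggests, added here as an example (it is not code from sejtam, zilog or Avast). Two points from the thread drive the design: the quoted MAD log shows each CHECKURL session opening and closing within the same second, so a one-off `netstat -an` is unlikely to catch the connection and the check has to be polled; and on macOS `netstat -an` prints no process information at all, so `lsof -nP -i` is used instead to supply the PID and command name. The script also condenses the MAD log into hits per URL and the peak number of requests in one second, which sizes the burst behind the 170% CPU. The function names, the output file name and both sample inputs are this example's own assumptions; the sample data is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from this thread.
#  summarize_checkurl_log - condense MAD daemon log lines (format as quoted in
#                           the thread) into "hits per URL" and the peak number
#                           of CHECKURL requests seen in any single second.
#  processes_talking_to   - map `lsof -nP -i` output to the PID/command that
#                           holds a socket to the suspicious IP (macOS netstat
#                           shows no PIDs, so lsof supplies the attribution).
#  watch_ip               - poll lsof every second and log what it finds, since
#                           the sessions in the log live for under a second.
# Function names, sample data and the output file name are assumptions.

# Read MAD log lines on stdin; print one "<count> <url>" line per CHECKURL
# target, then "peak_per_second <n>".
summarize_checkurl_log() {
    awk '
        /Input \(normal\): .CHECKURL / {
            url = $0
            sub(/.*CHECKURL /, "", url)
            url = substr(url, 1, length(url) - 2)   # drop the closing quote and dot
            per_url[url]++
            per_sec[$2 " " $3 " " $4]++             # key: "Jun 11 12:40:23"
        }
        END {
            for (u in per_url) printf "%d %s\n", per_url[u], u
            peak = 0
            for (t in per_sec) if (per_sec[t] > peak) peak = per_sec[t]
            printf "peak_per_second %d\n", peak
        }'
}

# Read `lsof -nP -i` output on stdin; print unique "<pid> <command>" pairs for
# sockets whose remote end is $1. lsof columns are COMMAND PID USER FD TYPE
# DEVICE SIZE/OFF NODE NAME, with NAME like "local:port->remote:port (STATE)".
processes_talking_to() {
    awk -v ip="$1" 'index($0, "->" ip ":") > 0 { print $2, $1 }' | sort -u
}

# Poll lsof once a second and append timestamped attributions to a file, so
# the offending process is on record even if the burst ends before you look.
watch_ip() {
    ip="$1"
    out="${2:-checkurl_suspects.log}"
    while :; do
        lsof -nP -i 2>/dev/null | processes_talking_to "$ip" |
            while read -r pid cmd; do
                printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$pid" "$cmd"
            done >> "$out"
        sleep 1
    done
}

# Constructed sample data (not captured from a real machine) so the helpers
# can be exercised offline. Three CHECKURL lines: two in one second, one later.
SAMPLE_LOG=$(cat <<'EOF'
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Input (normal): 'CHECKURL http://31.7.62.138/open/1'.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Command 'CHECKURL' received.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Input (normal): 'QUIT'.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Input (normal): 'CHECKURL http://31.7.62.138/open/1'.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): 'CHECKURL http://31.7.62.138/open/1'.
EOF
)

# Constructed lsof output: a hypothetical process "unknownd" holds two sockets
# to the suspicious IP; an unrelated process talks to a documentation address.
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
unknownd   4242 alice   12u  IPv4 0xabc1      0t0  TCP 192.168.1.20:51000->31.7.62.138:80 (ESTABLISHED)
unknownd   4242 alice   13u  IPv4 0xabc2      0t0  TCP 192.168.1.20:51001->31.7.62.138:80 (SYN_SENT)
browser    1337 alice   30u  IPv4 0xabc3      0t0  TCP 192.168.1.20:51002->203.0.113.9:443 (ESTABLISHED)
EOF
)

# Usage: sh attribute_checkurl.sh demo                  (run helpers on the samples)
#        sh attribute_checkurl.sh watch 31.7.62.138 [outfile]
case "${1:-}" in
    demo)
        printf '%s\n' "$SAMPLE_LOG" | summarize_checkurl_log
        printf '%s\n' "$SAMPLE_LSOF" | processes_talking_to 31.7.62.138
        ;;
    watch)
        watch_ip "$2" "$3"
        ;;
esac
```

Run `watch` in a terminal as soon as the CPU spike starts and leave it; the log file then names the PID and command behind every socket to the target, which `kill`-and-see trial, as described in the thread, cannot do once launchd is gone. Feeding the MAD log through `summarize_checkurl_log` first tells you how many requests per second to expect, so you know whether a one-second poll is fine-grained enough.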