How to identify the virus or process [closed] - process
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
Improve this question
I have noted unauthorized access to my router (default gateway) from my PC (Catalina iMac).
I am investigating this because we have several Mac PCs that are having the same behavior.
I would like to identify the virus or process that is causing this unauthorized access and remove it.
We scanned our PC with Virus Buster and Avast Antivirus, but it did not detect any viruses...
To investigate, I took tcpdump log of my PC.
And I confirmed packets accessing the router.
For several minutes after starting up the PC, the following suspicious behavior is observed.
Lots of DNS queries I don't recognize.
I don't remember accessing them.
myspace.com, qq.com, baidu.com, weebly.com, mail.ru, odnoklassniki.ru, aol.com, ebay.com, alibaba.com etc.
Lots of access to various ports.
21, 22, 23, 53, 81, 111, 135, 139, 192, 427, 443, 445, 515, 548, 554, 631, 873, 1433, 1688, 1801, 1900, 1980, 1990, 2105, 2323, 2869, 3000, 3283, 3306, 3389, 3910, 4070, 4071, 5000, 5001, 5040, 5060, 5094, 5357, 5431, 5555, 5800, 5900, 5916, 5985, 6668, 7547, 7676, 7680, 7777, 8000, 8001, 8002, 8008, 8009, 8080, 8081, 8082, 8089, 8090, 8099, 8181, 8182, 8291, 8443, 8728, 8888, 9080, 9100, 9101, 9112, 9220, 9295, 9999, 10001, 10243, 12323, 15500, 16992, 16993, 17500, 18181, 20005, 30005, 30102, 37215, 37777, 41800, 41941, 44401, 47001, 47546, 49000, 49152, 49153, 49200, 49443, 49667, 52869, 52881, 53048, 55442, 55443, 57621, 59777, 60000, 62078
Lots of http, https access
GET / HTTP/1.1
GET /admin HTTP/1.1
GET /AvastUniqueURL HTTP/1.1
GET /cgi-bin/a2/out.cgi HTTP/1.1
GET /cgi-bin/ajaxmail HTTP/1.1
GET /cgi-bin/arr/index.shtml HTTP/1.1
GET /cgi-bin/at3/out.cgi HTTP/1.1
GET /cgi-bin/atc/out.cgi HTTP/1.1
GET /cgi-bin/atx/out.cgi HTTP/1.1
GET /cgi-bin/auth HTTP/1.1
GET /cgi-bin/bbs/postlist.pl HTTP/1.1
GET /cgi-bin/bbs/postshow.pl HTTP/1.1
GET /cgi-bin/bp_revision.cgi HTTP/1.1
GET /cgi-bin/br5.cgi HTTP/1.1
GET /cgi-bin/click.cgi HTTP/1.1
GET /cgi-bin/clicks.cgi HTTP/1.1
GET /cgi-bin/crtr/out.cgi HTTP/1.1
GET /cgi-bin/fg.cgi HTTP/1.1
GET /cgi-bin/findweather/getForecast HTTP/1.1
GET /cgi-bin/findweather/hdfForecast HTTP/1.1
GET /cgi-bin/frame_html HTTP/1.1
GET /cgi-bin/getattach HTTP/1.1
GET /cgi-bin/hotspotlogin.cgi HTTP/1.1
GET /cgi-bin/hslogin.cgi HTTP/1.1
GET /cgi-bin/ib/301_start.pl HTTP/1.1
GET /cgi-bin/index HTTP/1.1
GET /cgi-bin/index.cgi HTTP/1.1
GET /cgi-bin/krcgi HTTP/1.1
GET /cgi-bin/krcgistart HTTP/1.1
GET /cgi-bin/link HTTP/1.1
GET /cgi-bin/login HTTP/1.1
GET /cgi-bin/login.cgi HTTP/1.1
GET /cgi-bin/logout HTTP/1.1
GET /cgi-bin/mainmenu.cgi HTTP/1.1
GET /cgi-bin/mainsrch HTTP/1.1
GET /cgi-bin/msglist HTTP/1.1
GET /cgi-bin/navega HTTP/1.1
GET /cgi-bin/openwebmail/openwebmail-main.pl HTTP/1.1
GET /cgi-bin/out.cgi HTTP/1.1
GET /cgi-bin/passremind HTTP/1.1
GET /cgi-bin/rbaccess/rbcgi3m01 HTTP/1.1
GET /cgi-bin/rbaccess/rbunxcgi HTTP/1.1
GET /cgi-bin/readmsg HTTP/1.1
GET /cgi-bin/rshop.pl HTTP/1.1
GET /cgi-bin/search.cgi HTTP/1.1
GET /cgi-bin/spcnweb HTTP/1.1
GET /cgi-bin/sse.dll HTTP/1.1
GET /cgi-bin/start HTTP/1.1
GET /cgi-bin/te/o.cgi HTTP/1.1
GET /cgi-bin/tjcgi1 HTTP/1.1
GET /cgi-bin/top/out HTTP/1.1
GET /cgi-bin/traffic/process.fcgi HTTP/1.1
GET /cgi-bin/verify.cgi HTTP/1.1
GET /cgi-bin/webproc HTTP/1.1
GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page=* HTTP/1.1
GET /cgi-bin/webproc?getpage=/etc/shadow HTTP/1.1
GET /cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard HTTP/1.1
GET /cgi-bin/webscr HTTP/1.1
GET /cgi-bin/wingame.pl HTTP/1.1
GET /das/cgi-bin/session.cgi HTTP/1.1
GET /dd.xml HTTP/1.1
GET /fcgi-bin/dispatch.fcgi HTTP/1.1
GET /fcgi-bin/performance.fcgi HTTP/1.1
GET /Frontend HTTP/1.1
GET /HNAP1/ HTTP/1.1
GET /L3F.xml HTTP/1.1
GET /login.html HTTP/1.1
GET /menu.html?images/ HTTP/1.1
GET /picsdesc.xml HTTP/1.1
GET /redir/cgi-bin/ajaxmail HTTP/1.1
GET /rom-0 HTTP/1.1
GET /rootDesc.xml HTTP/1.1
GET /ssdp/device-desc.xml HTTP/1.1
GET /upnp/dev/a266dba0-8baa-3406-a010-2db481ceabf3/desc HTTP/1.1
GET /WANCfg.xml HTTP/1.1
GET /WANIPCn.xml HTTP/1.1
GET /WANIPCn.xml HTTP/1.1 )
POST /ctl/CmnIfCfg HTTP/1.1
POST /ctl/IPConn HTTP/1.1
POST /uuid:0cd2a2e0-68c2-a366-b2f1-8d93ddce634b/WANIPConnection:1 HTTP/1.1
If you have any information about viruses that behave this way, etc., it would be helpful.
Also, please reply me know if there is any other information you need in order to identify it.
After a lot of research, I found out that it was caused by the Wi-Fi Inspector feature of Avast Antivirus!
The pattern of tcpdump log when the Wi-Fi Inspector button is clicked is almost same.
Related
Postman shows "Could not get any response" even though response is OK
I have a WCF service which I make API requests to. This API call returns a JSON response object and also is able to return it in GZIP compression as well when "gzip" value is used in "Accept-Encoding" header. The problem is when I try to get the response in GZIP, Postman shows "Could not get any response" although I see response and response's content are OK (200 status code) in Fiddler and can easily decompress the response content in my C# client. I took a look in Postman Console but all I see is "Error: incorrect header check". I hardly tried to find any documentation regarding this header check but couldn't find any. These are the request headers: POST /correction/v1/document?lang=US HTTP/1.1 Content-Type: text/plain Accept-Encoding: gzip User-Agent: PostmanRuntime/7.6.0 Accept: */* content-length: 630 Connection: close These are the response headers: HTTP/1.1 200 OK Content-Length: 512 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip Server: Microsoft-HTTPAPI/2.0 Date: Sun, 24 Feb 2019 14:05:50 GMT Connection: close The only thing I suspect is wrong is this message from Fiddler: I integrated this code into mine in order to use GZIP in WCF. https://github.com/carlosfigueira/WCFSamples/tree/master/MessageEncoder/GZipEncoderAndAutoFormatSelection Basically, it captures the response before returning to client and use GZipStream for compression.
I got the same issue, I added the following header to fix this issue. Accept-Encoding : *
I was able to solve a similar issue by using the header Accept-Encoding: */* or if you want to be specific do Accept-Encoding: */* that way the HTTP client will be able to process the response based on the type of encoding received, in the case of a gzip, it will decode the response and show it as normal text.
For me, I removed 'Accept-Encoding' in the request header.
I got this issue when the REST service was returning a zip content (aka. WinZip format). I solved the error by compressing the data using 7zip to produce true gzip format.
WSO2 create API for SCEP server HTTP GET POST
I have a SCEP endpoint (Simple Certificate Enrollment Protocol) which is using simple HTTP GET and POST with parameters, for example: http://localhost/scepserver/pkiclient.exe?operation=GetCACaps&message=CA I am trying to implement this API in WSO2 Api Manager with endpoint to my SCEP server. I was trying to do it using "Design a New REST API" but it is not working and I do not want to use JSON in message payload. How should I define API for SCEP, with example to call endpoint with query parameters? EDIT: Trying through curl: curl -X GET 'http://10.30.9.145:8280/devscep/1/pkiclient.exe?operation=GetCACaps&message=CA' -v Result: * Hostname was NOT found in DNS cache * Trying 10.30.9.145... * Connected to 10.30.9.145 (10.30.9.145) port 8280 (#0) > GET /devscep/1/pkiclient.exe?operation=GetCACaps&message=CA HTTP/1.1 > User-Agent: curl/7.38.0 > Host: 10.30.9.145:8280 > Accept: */* > < HTTP/1.1 401 Unauthorized < activityID: 22588072245075117976472 < WWW-Authenticate: realm="WSO2 API Manager" < Content-Type: application/soap+xml; charset=UTF-8 < Date: Fri, 14 Jul 2017 13:02:16 GMT < Transfer-Encoding: chunked < * Connection #0 to host 10.30.9.145 left intact <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Body/></soapenv:Envelope>
In the resources section of the design page, you can define expected query parameters for each resource. https://docs.wso2.com/display/AM210/Key+Concepts#KeyConcepts-APIresources
Custom Status Line Not Working in RESTLET
I am writing a REST application and i am using RESTLET. My service has a PUT method. As part of the response, i would like to return to the user Custom Status. For Example : 200 - Successfully Created and Data processing in progress. I tried to set the statuses as below. #Put public String storeItem(Representation entity) throws Exception { // Some Processing Status st = new Status(420,null,"REASON_PHRASE","Some description",null); setStatus(st); return "Some String Representation" } When i try to access the URL using CURL, i get the following status line. curl -v -X PUT "http://localhost:8080/extensible/data/process" * About to connect() to localhost port 8080 (#0) * Trying ::1... connected * Connected to localhost (::1) port 8080 (#0) > PUT /extensible/data/upload HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: localhost:8080 > Accept: */* > < HTTP/1.1 420 420 < Content-Type: application/json; charset=UTF-8 < Date: Wed, 22 Jan 2014 06:56:24 GMT < Accept-Ranges: bytes < Server: Restlet-Framework/2.0.1 < Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept < Content-Length: 21 < * Connection #0 to host localhost left intact * Closing connection #0 The status line above is HTTP/1.1 420 420 but i expect a status line of HTTP/1.1 420 REASON_PHRASE What am i doing wrong? Any help will be greatly appreciated.
My two cents about the design. 1. I think you need a pretty good reason to use a custom http status. I don't think this is the case. REST API consumed by applications and the application that consume the API know that this particular PUT is part of an asynchronous process. There for a simple 200 with the new id as data or link to the edit url should be enough. The client application should notify the user, if decided to do so. If you still think a custom status is the right way you should consider using 20* and not 420.
bad request 400 with Telnet
'm trying to use the If-Modified-Since command in Telnet. I want to get a 304 Not modified statut code. I tried this but it don't work, I get a 400 bad request error telnet lemonde.fr 80 GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0 From: yahoo.com Accept: text/html,text/plain,application/* Host: www.lemonde.fr If-Modified-Since: Wed, 19 Oct 2015 10:50:00 GMT <linefeed> I got as a result HTTP/1.0 400 Bad request Cache-Control: no-cache Connection: close Content-Type: text/html
You need to define the HTTP port. So try: telnet lemonde.fr 80 The default telnet port is 23. So you won't be able to communicate with the HTTP server.
NSURLConnection and Authenticating to webservices behind ssl?
I'm currently trying to connect to a webservice placed on https://xxx.xxx.xx/myapp It has anonymous access and SSL enabled for testing purposes atm. While trying to connect from the 3G network, i get Status 403: Access denied. You do not have permission to view this directory or page using the credentials that you supplied. I get these headers while trying to connect to the webservice locally: Headers Request URL:https://xxx.xxx.xx/myapp Request Method:GET Status Code:200 OK Request Headers GET /myapp/ HTTP/1.1 Host: xxx.xxx.xxx Connection: keep-alive Authorization: Basic amViZTAyOlE3ZSVNNHNB User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Response Headers HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Thu, 16 Feb 2012 12:26:13 GMT Content-Length: 622 But when accessing outside the local area, we get the big ol 403. Which in turn wants credentials to grant the user access to the webservice. However, i've tried using the ASIHTTPRequest library without success, and that project has been abandoned. And they suggest going back to NSURLConnection. And i have no clue where to start, not even which direction to take. -connection:(connection *)connection didRecieveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge The above delegate method of NSURLConnection doesnt even trigger. So i have no idea what so ever how to authenticate myself. All i get is the parsed results of the xml elements of the 403-page. I needs dem seriouz helps! plx.
This was all just a major f-up. The site had ssl required and enabled, and setting ssl required for the virtual directories does some kind of superduper meta-blocking. So, by disabling ssl required for the virtual directories, it runs over ssl and is not blocking 3G access..