I got this warning on my router:
Threat
A Network Trojan was Detected. Signature ET MALWARE
Suspicious User Agent (Autoupdate). From: 10.0.1.3:61379, to: 54.36.160.184:80, protocol: TCP
I did "% lsof -i" to try to figure out which process it was, but none was using that port when I checked. Is there any way to monitor the port and catch which process tries to use it, the next time it does?
Mac Pro, macOS 10.13
Works here...
im19:~ bd1$ lsof -nP -i4TCP:$61379 | grep LISTEN
im19:~ bd1$
bash -c 'while [ 0 ]; do lsof -nP -i4TCP:$61379 | grep LISTEN;sleep 1;done'
Or...
bash -c 'while [ 0 ]; do sudo lsof -iTCP -sTCP:LISTEN -n -P;sleep 5;done'
Control+c to stop
lsof -nP -i4TCP:$61379 | grep LISTEN
sudo lsof -iTCP -sTCP:LISTEN -n -P
% lsof -nP -i4TCP:$63681 | grep LISTEN
lsof: unacceptable port specification in: -i 4TCP:
lsof 4.89
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhlnNoOPRtUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.
% sudo lsof -iTCP -sTCP:LISTEN -n -P
shows about 25 lines of things on various ports, but 1) my port of interest isn't there - is there an option to have it wait and keep testing until it shows up, or I need to write a script for that, and 2) I would assume there are more than 25 processes making connections right now - what are the criteria for being shown on this list? Thanks!!
That's it, I wasn't in bash. Now it works. I'll run it and see if it catches it again. I haven't seen IP 54.36.160.184 reported anywhere as a Mac trojan target.
How to find which process used a port? Possible Trojan.
