13 Replies Latest reply: Dec 30, 2011 9:49 AM by BDAqua
Faris Kalin Level 1 (0 points)

I've got a weird situation.  Even if I never access any program that would use the net, if I'm connected to my mifi (4g 4510 and previously the 3g 2200), it will show on the mifi that data is being transmitted and/or received.  The light on the mifi blinks when data is sent/received.  It also shows up in the activity monitor.  Anyone have any idea what the cause of this is, and whether or not I should be worried?

 

I tend to be pretty cautious so I wouldn't think that I'm infected with something, but this is really odd behavior, don't you think?  I always use limited user mode, NoScript, and am careful where I go on the net.  Plus, I've never been prompted for my admin password other than when I'm updating via the Apple software updater.


MacBook Pro, Mac OS X (10.5.8)
  • BDAqua Level 10 (120,915 points)

    Hello Faris,

     

    Several things could be happening. Is Mail running? Time/Date can be updating, Bonjour can be advertising services.

     

    What encryption or type of connection does it use? Could someone nearby be using it?

     

    Open Activity Monitor>Network Tab, does it show sent/rec'd bytes when the flashing is happening?

     

    Little Snitch, stops/alerts outgoing stuff...

     

    http://www.obdev.at/products/littlesnitch/index.html

  • Faris Kalin Level 1 (0 points)

    About every 15-30 seconds, .07 to .15 kb of data is sent and received according to the network tab in the activity monitor. This coincides with the flashing on the mifi.

     

    There is definitely no one else using the mifi because the mifi shows how many users are attached to it on its LCD screen and it only shows 1.  Plus, I have it password protected using WPA2.

     

    I don't know what type of encryption or connection it uses.  I wouldn't know how to find that out.

     

    I've never heard of Bonjour and I've actually never opened my Mail program on my Macbook ever. 

     

    I didn't really think much about it when I was using my 3G mifi.  I just assumed it was something that the mifi did.  It was a 1st generation device and worked a bit weird anyway.  However, I've only had the 4G version a few weeks.  It's much newer so I wouldn't expect it to be doing that.  Plus, I tried connecting my iPod Touch to it, and it didn't show any data being sent or received when I wasn't using a service that would be doing that.

     

    It's such a small amount of data, but it's such a consistent flow of data that I'm not sure whether I should be worried about it or not.

  • BDAqua Level 10 (120,915 points)

    WPA2 is the encryption type it's using, which is good.

     

    I wouldn't be worried, it seems normal here, but Little Snitch would likely tell you what it was that wanted out.

  • Faris Kalin Level 1 (0 points)

    When I get some spare time, I might try installing Little Snitch.  It would be interesting to get some more info on this.  Thanks for letting me know about that program.  Anything I should know about installing it or using it?

     

    The data amount transmitted is so small but at such regular intervals that it makes me really curious as to what it could be.

  • BDAqua Level 10 (120,915 points)

    Not much you need to know about installing or using it; some would consider it a pain to use, as I do. I do think it'll tell us what this is that is going out. Here are the Rules you can view...

    LittleSnithRules.jpg

  • Faris Kalin Level 1 (0 points)

    I finally got around to installing Little Snitch.  That is quite an interesting program.  It looks like the culprit for the data transfer when nothing else was open is "time.apple.com".  After looking it up online, this appears to be the automatic updater for the clock so that it stays on proper time.

     

    I do have some questions about the program though.  There are some odd things that showed up when I booted up Safari (but not while I was in Firefox).  Any idea what they are?  Are they just local network stuff (I did check to have that show up before I started up Safari)?  Are they normal or something I should worry about?  I had Firefox running for awhile but I didn't have the "show local connections" box checked for very long with Firefox open.  I'm on a laptop and not connected to anything except my mifi router.

     

    One is "Finder via nmblookup" in /system/library/coreservices/finder.app

    It showed up and then immediately terminated

     

    Another is "DirectoryService" in /usr/sbin/DirectoryService

     

    Another is "mDNSResponder" in /usr/sbin/mDNSResponder
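
An added example, not part of the original thread: one way to separate a small, regular flow like the time.apple.com traffic described above from ordinary browsing in a per-connection log. The record format, the `ntpd` process name and all sample rows are constructed assumptions, not output from Little Snitch or Activity Monitor.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (seconds since start, process, remote host, bytes).
# Hypothetical format; sizes and gaps mirror the thread (~0.07-0.15 kb
# every 15-30 seconds) next to larger, irregular browser traffic.
SAMPLE = [
    (0, "ntpd", "time.apple.com", 90),
    (5, "Safari", "discussions.apple.com", 48211),
    (20, "ntpd", "time.apple.com", 90),
    (41, "ntpd", "time.apple.com", 90),
    (47, "PubSubAgent", "discussions.apple.com", 3120),
    (60, "ntpd", "time.apple.com", 90),
    (82, "ntpd", "time.apple.com", 90),
    (95, "Safari", "discussions.apple.com", 15800),
    (101, "ntpd", "time.apple.com", 90),
]


def periodic_flows(events, min_events=4, max_bytes=200, max_cv=0.35):
    """Return {(process, host): mean gap in seconds} for small, regular flows.

    A flow qualifies when it has at least min_events records, every record
    is at most max_bytes, and the gaps between records vary little
    (coefficient of variation <= max_cv).
    """
    by_flow = defaultdict(list)
    for ts, proc, host, size in events:
        by_flow[(proc, host)].append((ts, size))

    found = {}
    for flow, rows in by_flow.items():
        rows.sort()
        if len(rows) < min_events or max(size for _, size in rows) > max_bytes:
            continue  # too few samples, or not a "tiny packet" flow
        gaps = [later[0] - earlier[0] for earlier, later in zip(rows, rows[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[flow] = round(avg, 1)
    return found


if __name__ == "__main__":
    for (proc, host), gap in periodic_flows(SAMPLE).items():
        print(f"{proc} -> {host}: about every {gap} s")
```
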

  • Faris Kalin Level 1 (0 points)

    Also, what is the "pubsubagent"?  It shows up and tries to connect to the apple discussion forums when I start safari.  I'd have more info about it, but it doesn't stay in the list like the other items do.

     

    Sorry for all of the Little Snitch questions, but it isn't exactly user friendly.  Does Little Snitch start up automatically when you boot the computer or do you have to launch it?  It's odd that there doesn't seem to be a manual for it.

  • David Vincent Level 1 (15 points)

    This agent is probably ok.  A technical note, http://support.apple.com/kb/TS1770, says in part: "The PubSub agent syncs the RSS read/unread status of bookmarked RSS feeds between computers using Mac OS X 10.5 that are syncing bookmarks via MobileMe Sync."

  • BDAqua Level 10 (120,915 points)

    Once installed it loads automatically, & all those things are normal processes.

  • Faris Kalin Level 1 (0 points)

    Thanks for the info.  Little Snitch is definitely a great program, but it sure makes me paranoid since I don't know what half of the stuff that pops up is.  It's troublesome for me because I got a Mac so that I wouldn't have to be so paranoid.  lol

     

    Today it stated that "AirPort Base Station Agent" at "/System/Library/CoreServices/AirPort Base Station Agent.app" asked to connect to css.wlxrs.com and apsu.apple.com.  I don't even have an airport base station nor have I ever connected to one. 

     

    Then there is "usbmuxd" at "/System/Library/PrivateFrameworks/MobileDevice.framework/" which looks like it's connecting to the address of the mifi if I'm remembering the mifi's address correctly.

     

    Are these things normal too?

  • BDAqua Level 10 (120,915 points)

    It'll get easier.

     

    css.wlxrs.com appears to be malware alright (mostly Windows though); open Little Snitch Rules & make sure that one is denied always...

     

    http://www.threatexpert.com/report.aspx?md5=26d29b1a830fb021f568805f9daa6b95

     

    Then get the Free Sophos AV software...

     

    http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

  • Faris Kalin Level 1 (0 points)

    Weird.  NoScript (a Firefox anti-script extension) has wlxrs.com whitelisted.  I think hotmail uses it for something.

     

    http://noscript.net/changelog

     

    v 2.2.4rc1
    ==========================================================================
    x Restored wlxrs.com in the default whitelist (it had
      accidentally changed back to two subdomains)

     

    Also, Avast seems to think it's ok:

     

    http://forum.avast.com/index.php?topic=75641.0

  • BDAqua Level 10 (120,915 points)

    OK, I guess it could be used for something else. If Avast says it's OK, then likely not the problem I thought.