
Need help, OSX Virus connecting to: 2.20.188.163

Virus connecting out to random IP: 2.20.188.163

Whilst connecting to the internet, my NOD32 Cyber Security process eset_proxy connected to this IP address: 2.20.188.163


I've done a search on google:

https://gyazo.com/e069344010246521376d3ca5b9dc9f3b

https://gyazo.com/c3a43d477e607cec6a69fa617fa3a9fb


https://www.virustotal.com/en/ip-address/2.20.188.163/information/

This VirusTotal report indicates there have been detected files that communicate with this IP address.

https://gyazo.com/e069344010246521376d3ca5b9dc9f3b


Checking the IP address, port 80, HTTP is open. When accessing the IP address via Chrome I am given this message.


Invalid URL

The requested URL "/", is invalid.

Reference #9.9fbc1402.1448377597.36f6112


Upon page refresh the reference number seems to keep changing.


If anyone can help shed some light on this strange behaviour I'd be most grateful.


Thanks.

MacBook Pro with Retina display, Mac OS X (10.5)

Posted on Nov 24, 2015 7:12 AM


Nov 24, 2015 12:13 PM in response to QuickTimeKirk

How can this be the case when I still have so many hostnames that do the same thing.

I have removed antivirus...


This is what happens when I try to connect to it via my browser.


https://gyazo.com/30be3a00f5fcef1c510095678ea77727

https://gyazo.com/4bf34a277fc87ac4553f5d5d136d54a3

https://gyazo.com/173fe4a9da6d04385d54340c85d89c3f


These are the open ports


http://mxtoolbox.com/SuperTool.aspx?action=scan%3a2.20.188.163&run=toolpage


Thus I tried to connect via port 80.


EDIT:


Just uncovered this:


https://gyazo.com/418a7e73281461cb841862351508a27e

https://gyazo.com/21b2c5e443b8fc7a88193cf96c8891b9


Another hostname that my Chrome browser seems to be connecting to, operating the same way.


AND ANOTHER...

http://a104-84-74-236.deploy.static.akamaitechnologies.com/

https://gyazo.com/2368a414d3ac174c1771d2528539b8e9


All are showing the same thing.


Here is a list of them from port monitor: https://gyazo.com/05d017bb0f2c33d065e7e42d71ef4029


All of them are operating in the same way...


There is also this: https://gyazo.com/4f8a38af68dd4f94d5ae352f596f1948


It seems to be redirecting to mixpanel? I am very confused...



*Sigh* There's more...


https://gyazo.com/b7f39c37c97950e801fc19501af39f8c


What the **** are all of these hostnames?


https://gyazo.com/2ef50b779da67b7bb8a29165bd09ccc0

Nov 24, 2015 1:52 PM in response to HappyDude1234

You're getting an awful lot of outright false, and misleading information.


IP address 2.20.188.163 doesn't even exist anywhere in the world. That is, there's no domain name anywhere that uses that address:

Address lookup

lookup failed 2.20.188.163
Could not find a domain name corresponding to this IP address.


Further searching does use it as a linked inetnum of 2.20.188.0 - 2.20.191.255. That traceroute and whois show that it belongs to Akamai. No idea why they would be trying to "steal" your data. A brief description of what they do:


Akamai is a cloud-based service provider specialized in content acceleration and security. Akamai has an immensely high number of globally distributed servers (150k+) which are very close to end users. This is also combined with caching, route optimizations, and distributed security and firewall mechanisms.


So are you using some sort of online data service other than iCloud?
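As an added triage example (written for this thread, not by any of its participants), the Python below checks whether the observed address falls inside the whois inetnum quoted in the reply above, recovers the IP embedded in the Akamai hostname the poster found, and decodes the third field of the "Reference #" string as a Unix timestamp, which is why it changes on every refresh. The reference-number layout and the Akamai hostname naming convention are assumptions; every input value is taken from this thread.

```python
import ipaddress
import re
from datetime import datetime, timezone
from typing import List, Optional

# Values quoted in this thread: the IP the eset_proxy process contacted,
# the inetnum the whois lookup in the reply attributed to Akamai, the
# Akamai hostname the poster found, and the error-page reference string.
OBSERVED_IP = "2.20.188.163"
WHOIS_INETNUM = "2.20.188.0 - 2.20.191.255"
AKAMAI_HOSTNAME = "a104-84-74-236.deploy.static.akamaitechnologies.com"
ERROR_REFERENCE = "Reference #9.9fbc1402.1448377597.36f6112"

# Assumed layouts (not stated on the page): Akamai static PTR names embed
# the address as a<o1>-<o2>-<o3>-<o4>, and the third dotted field of an
# Akamai "Reference #" string is a Unix epoch timestamp.
AKAMAI_PTR_RE = re.compile(
    r"^a(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})"
    r"\.deploy\.static\.akamaitechnologies\.com$")
REFERENCE_RE = re.compile(r"Reference #(\d+)\.([0-9a-f]+)\.(\d{10})\.([0-9a-f]+)")


def inetnum_to_networks(inetnum: str) -> List[ipaddress.IPv4Network]:
    """Turn a whois 'first - last' inetnum line into CIDR blocks."""
    first, last = (part.strip() for part in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def ip_in_inetnum(ip: str, inetnum: str) -> bool:
    """True if the address lies inside the whois-allocated range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in inetnum_to_networks(inetnum))


def ip_from_akamai_hostname(hostname: str) -> Optional[str]:
    """Recover the IP encoded in an Akamai static PTR name, or None."""
    m = AKAMAI_PTR_RE.match(hostname)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(".".join(m.groups())))
    except ValueError:  # an octet above 255 is not a real address
        return None


def decode_reference(reference: str) -> Optional[str]:
    """Return the UTC time embedded in an Akamai error reference, or None."""
    m = REFERENCE_RE.search(reference)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(3)), tz=timezone.utc).isoformat()
```

Run against the thread's values, the reference decodes to 2015-11-24 15:06:37 UTC, a few minutes before the original post's timestamp, so the number is a per-request identifier rather than a sign of anything on the Mac.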

