Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Session (71170) closed.
Mon Jun 11 12:40:23 2012 [DAEMON 28399]: New session (71172) created: 2957578240.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Input (normal): ‘CHECKURL http://31.7.62.138/open/1’.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Command ‘CHECKURL’ received.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Input (normal): ‘QUIT’.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Command ‘QUIT’ received.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Session (71171) closed.
Mon Jun 11 12:40:23 2012 [DAEMON 28399]: New session (71173) created: 2957578240.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Input (normal): ‘CHECKURL http://31.7.62.138/open/1’.
Mon Jun 11 12:40:23 2012 [SESSION 2957578240]: Command ‘CHECKURL’ received.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): ‘QUIT’.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Command ‘QUIT’ received.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Session (71172) closed.
Mon Jun 11 12:40:24 2012 [DAEMON 28399]: New session (71174) created: 2957578240.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): ‘CHECKURL http://31.7.62.138/open/1’.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Command ‘CHECKURL’ received.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): ‘QUIT’.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Command ‘QUIT’ received.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Session (71173) closed.
Mon Jun 11 12:40:24 2012 [DAEMON 28399]: New session (71175) created: 2957578240.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): ‘CHECKURL http://31.7.62.138/open/1’.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Command ‘CHECKURL’ received.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Input (normal): ‘QUIT’.
Mon Jun 11 12:40:24 2012 [SESSION 2957578240]: Command ‘QUIT’ received.
I killed my web-browser and almost all other processes, but these kept coming…
I could not figure out where these came from, and in the process of stopping every other process I accidentally killed launchd and thus rebooted the machine.
Now they are no longer happening, so I have to wait for the next occurrence.
I need some additional method to find out what caused these.
31.7.62.138 resolves to privatelayer.com, a service I have no association with myself…
Hello,
The best way to catch the culprit is to log netstat -an to get a clue which app is trying to communicate with the suspicious IP target.
We can’t say more, especially when the culprit is inactive at the moment.
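
One way to set up the netstat logging suggested in the reply, as an added example that is not part of either post: it filters `netstat -an` output for the address from the CHECKURL lines and appends timestamped hits to a file. The function names, `LOGFILE`, the one-second interval and the extra `lsof` call are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names, LOGFILE and the polling interval are assumptions.
SUSPECT_IP="31.7.62.138"                    # address from the CHECKURL lines
LOGFILE="${LOGFILE:-./suspect-conns.log}"

# Constructed sample of `netstat -an` rows (macOS "addr.port" and Linux "addr:port").
sample_netstat() {
    cat <<'EOF'
tcp4       0      0  192.168.1.10.52344     31.7.62.138.80         ESTABLISHED
tcp4       0      0  192.168.1.10.52345     131.7.62.138.80        ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp        0      0 192.168.1.10:40112      31.7.62.138:80         SYN_SENT
EOF
}

# Filter `netstat -an` output on stdin: keep rows whose foreign address is exactly $1.
match_conns() {
    awk -v ip="$1" '
        $1 ~ /^(tcp|udp)/ {
            addr = $5
            sub(/[.:][0-9*]+$/, "", addr)   # drop the trailing port
            if (addr == ip) print
        }'
}

# Take one snapshot; append timestamped hits and the owning process to LOGFILE.
log_once() {
    hits=$(netstat -an 2>/dev/null | match_conns "$SUSPECT_IP")
    [ -n "$hits" ] || return 1
    {
        printf '%s\n' "$hits" | sed "s/^/$(date '+%Y-%m-%d %H:%M:%S') /"
        # netstat -an prints no process name; lsof maps the socket to a PID.
        lsof -nP -i "@$SUSPECT_IP" 2>/dev/null
    } >> "$LOGFILE"
}

# Run as `sh watch.sh watch` to poll once per second until interrupted.
if [ "${1:-}" = "watch" ]; then
    while :; do
        log_once || true
        sleep 1
    done
fi
```

Run it as root so `lsof` can see sockets owned by other users; a connection that opens and closes between two polls may only be caught as a `TIME_WAIT` row with no owning process left.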