Strange Java Behaviour - Many Outbound Connection Attempts


dexterbip
10-07-2010, 10:22 AM
Hi there,

I'm noticing some weird behaviour from the Java process and Google has failed me so I'm turning here for help. I'm hesitant to cry malware because I'm aware that these issues often turn out to be something simpler but...

I was noticing some strange network activity when there should be none and, also, the Java process being consistently high in the activity monitor sorted by CPU % (only 1-15% but still odd considering I wasn't running anything I thought would be using Java).

So, I fired up the Little Snitch network monitor and took a look. Turns out that the Java process is making (or attempting to make) constant connections (one every 0.5 seconds, at least) to URLs outside my network. These connections are to a huge number of different URLs (some of which appear to be DNS redirectors such as dyndns but which are always lengthy and generally non-human readable) across many different high number UDP ports.

I've used Little Snitch to completely firewall off the Java process from outside for now but obviously I'd like to know what's going on.

I'm on OS X 10.6.4, software update shows everything up to date and this behaviour begins as soon as the computer is booted, without any other apps running.

Any clues?

Let me know if there's any more information I can provide; I generally know my way around OS X pretty well and the command line a bit so if there's anything you'd like me to provide then fire away.

Thanks in advance.

hayne
10-07-2010, 10:46 AM
There is not usually any "Java" process.
So that must come from some program that you are running, or from some program that is installed to run automatically at startup or login.

Use "Activity Monitor" in "hierarchical" mode to see what the parent process of that "Java" process is.

dexterbip
10-07-2010, 05:08 PM
Right then, so, the Java process is a child of "wrapper-osx-universal-32".

trevor
10-07-2010, 05:30 PM
Searching Google for that text string seems to show that it is a part of Freenet (http://freenetproject.org/download.html). Have you installed Freenet at some point?

Trevor

dexterbip
10-08-2010, 06:23 AM
Ha, well I'll be.

Installed it a while back, never actually did anything with it and evidently forgot all about it.

Removed, everything back to normal.

Thanks!
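
The parent-process lookup suggested in the thread, done from the command line instead of Activity Monitor. This is an added example, not part of any post above; the sample snapshot, its PIDs and the `/Users/demo` path are constructed, and `--live` is this script's own hypothetical flag.

```bash
#!/usr/bin/env bash
# Find every process named "java" and print its chain of parents, so an
# unexplained network-active process can be traced to whatever launched it.

# Constructed sample in "pid ppid command" form (not output from the thread).
SAMPLE_PS='    1     0 /sbin/launchd
  212     1 /Users/demo/Freenet/bin/wrapper-osx-universal-32
  213   212 /usr/bin/java
  300     1 /usr/sbin/cupsd'

# snapshot [--live]: live process table, or the constructed sample by default.
snapshot() {
  if [ "${1:-}" = "--live" ]; then
    ps -A -o pid= -o ppid= -o comm=
  else
    printf '%s\n' "$SAMPLE_PS"
  fi
}

# pids_named NAME: read a snapshot on stdin, print PIDs whose executable
# basename equals NAME (case-insensitive; assumes no spaces in the path).
pids_named() {
  awk -v name="$1" '{ n = split($3, parts, "/")
                      if (tolower(parts[n]) == tolower(name)) print $1 }'
}

# ancestry PID: read a snapshot on stdin, print "pid command" for PID and
# each parent in turn, stopping at the root or at an unknown/repeated PID.
ancestry() {
  awk -v start="$1" '
    { pid = $1; ppid[pid] = $2; $1 = ""; $2 = ""; sub(/^ +/, ""); cmd[pid] = $0 }
    END {
      p = start
      while ((p in ppid) && !(p in seen)) {
        seen[p] = 1
        print p, cmd[p]
        p = ppid[p]
      }
    }'
}

snap=$(snapshot "${1:-}")
for pid in $(printf '%s\n' "$snap" | pids_named java); do
  echo "== java pid $pid =="
  printf '%s\n' "$snap" | ancestry "$pid"
done
```

The first line of each chain is the process itself; the line after it is the parent, which in this thread turned out to be `wrapper-osx-universal-32`.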