
I was running a test using Wireshark to torch some traffic. I saw quite a bit of traffic on localhost. Further investigation showed the following issue:

I am seeing an HTTP GET request about every second that requests a JPEG called areYouAlive.

Wireshark GET request:

Transmission Control Protocol, Src Port: 61239, Dst Port: 50063, Seq: 1, Ack: 1, Len: 165
GET /areYouAlive HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /areYouAlive HTTP/1.1\r\n]
        [GET /areYouAlive HTTP/1.1\r\n]
        [Severity level: Chat]
        [Group: Sequence]
    Request Method: GET
    Request URI: /areYouAlive
    Request Version: HTTP/1.1

Reviewing netstat and showing the PID for the connection gave Process ID 0, which maps to the System Idle Process.

I used Wireshark to extract the image; it is a very tiny image of 631 bytes, a very tiny pixel. I will attach it here as well.

(attached: areYouAlive JPG file)

Does anyone have any idea what is causing this? I have never seen it before, but I have also never looked.

Mokubai
Danny
    I think it's more likely that an error is preventing reading the PID and it defaults to 0, rather than it being the system idle "process". This is clearly a heartbeat of some kind. Does the domain the pixel is hosted on ring any bells for you, perhaps reminding you of a piece of software you installed? Could be malware, but there are lots of reasons (both legitimate and not) to test path reachability or tell a server you are there periodically. – Frank Thomas Feb 25 '22 at 08:12
  • Check what is listening on _127.0.0.1:50063_. It is clearly part of this. // As Frank Thomas said, the System Idle Process could not do this. Well, with rootkits maybe. – Daniel B Feb 25 '22 at 08:41
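One way to follow Daniel B's suggestion and identify both ends of the loopback heartbeat, as an added PowerShell example that is not part of the question or the comments. It assumes Windows with the NetTCPIP module (Get-NetTCPConnection) and an elevated prompt; the port numbers are the ones from the capture above.

```powershell
# Added example, not from the thread: find the process on each end of the loopback
# heartbeat, show where its executable lives, who launched it, and whether it is signed.
# Assumes Windows with the NetTCPIP module; run elevated so all owning PIDs are visible.
$ports = @(50063, 61239)   # 50063 = listener serving /areYouAlive, 61239 = client side seen in Wireshark

foreach ($port in $ports) {
    # Both the LISTEN socket and any established connection on that port are returned.
    $conns = Get-NetTCPConnection -LocalPort $port -ErrorAction SilentlyContinue
    if (-not $conns) {
        # The client port usually changes per request; re-run while the capture shows traffic.
        Write-Host "port ${port}: no current TCP endpoint (re-run while the heartbeat is active)"
        continue
    }
    foreach ($c in $conns) {
        $endpoint = "{0}:{1} -> {2}:{3} ({4})" -f $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $c.State
        if ($c.OwningProcess -eq 0) {
            # PID 0 here means the socket has no live owner (typically a TIME_WAIT socket left
            # by an already-closed connection) or the lookup failed; it is not the Idle Process.
            Write-Host "$endpoint : owner PID 0, no live owner or lookup failed"
            continue
        }
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
        if (-not $proc) {
            Write-Host "$endpoint : PID $($c.OwningProcess) has already exited"
            continue
        }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        # Authenticode status is a quick triage signal: Valid, NotSigned, HashMismatch, etc.
        $sig = if ($proc.ExecutablePath) { (Get-AuthenticodeSignature -FilePath $proc.ExecutablePath).Status } else { 'unknown' }
        [pscustomobject]@{
            Endpoint    = $endpoint
            PID         = $proc.ProcessId
            Name        = $proc.Name
            Path        = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($proc.ParentProcessId))" }
            Signature   = $sig
        } | Format-List
    }
}
```

The listener on 50063 is the side serving the pixel, so its Path and Parent are the most useful fields for deciding which installed software owns the heartbeat.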
