mdimport accessing strange IP

[ScottR]

Hello. Netbarrier X4 keeps telling me that process "mdimport" (which seems to be associated with Spotlight) keeps wanting to access 71.125.38.152 at Port 80. This domain seems to be associated with hvsinternational.com--a "hospitality" consulting firm.

Unfortunately, if I hit Deny the dialog just comes back seconds later. I don't see this process in the Anti-Spyware tab, which, I believe, happens with NetBarrier and Java applications or programs written in other "compile on the fly" languages, like Python (i.e., the setting doesn't "stick").

What the heck is happening???

 

[Eraserhead]

the IP address is something to do with this (I typed it into Camino) http://www.niehs.nih.gov/guide/remote/citrix/nfuse.htm

Puzzling that mdimporter is accessing it, sounds like it's either a false alarm, or you've been hacked.
Try and see what LittleSnitch comes up with, once it's activated disable NetBarrier as it may interfere.

 

[ScottR]

the IP address is something to do with this (I typed it into Camino) http://www.niehs.nih.gov/guide/remote/citrix/nfuse.htm

Puzzling that mdimporter is accessing it, sounds like it's either a false alarm, or you've been hacked.
Try and see what LittleSnitch comes up with, once it's activated disable NetBarrier as it may interfere.

I seem to have semi-solved the problem.

The last thing I'd done before the message appeared was to run the current version of Google Earth. This didn't happen WHILE I was running GE--I'd quit it shortly before. As a test, I ran it again for about 30 seconds, quit, and NetBarrier popped up the same alert (actually, DOZENS of times).

I guess that GE places some reference to this web site in its files and Spotlight indexes the reference (I didn't find any occurrence searching via Spotlight, ironically enough).

Why, though, is Spotlight trying to access the site--via a Citrix login at that??

 

[ScottR]

OK, more stuff.

It's not just Google Earth. I'd downloaded POIs for GE from Roadfood.com, a subscriber service. That hvsinternational.com seems to be associated with roadfood (or at least with people there).

This doesn't seem to be anything malevolent--at least I don't think so. For some reason, Spotlight is finding references to that IP within the kml file and seems compelled to try to access the links. Is it supposed to make Internet calls like this?

 

[SC68Cal]

Are you using Firefox?

Firefox caches weblinks while your reading a page

 

[ScottR]

Are you using Firefox?

Firefox caches weblinks while your reading a page

No, like I said, it's related to the Google Earth application, not a browser issue at all.

 

[robbieduncan]

OK, more stuff.

It's not just Google Earth. I'd downloaded POIs for GE from Roadfood.com, a subscriber service. That hvsinternational.com seems to be associated with roadfood (or at least with people there).

This doesn't seem to be anything malevolent--at least I don't think so. For some reason, Spotlight is finding references to that IP within the kml file and seems compelled to try to access the links. Is it supposed to make Internet calls like this?

mdimport is basically a container. It doesn't know how to index files itself, it relies on plugins to index them. GoogleEarth has probably installed an mdimport plugin for kml files. What the plugin does is up to the plugin writer. It could quite easily be written to access an IP address if one is found in the file and include some of the text in the indexed entry.