mdimport accessing strange IP

Discussion in 'macOS' started by ScottR, May 11, 2007.

  1. ScottR macrumors member

    Joined:
    May 11, 2007
    #1
    Hello. Netbarrier X4 keeps telling me that process "mdimport" (which seems to be associated with Spotlight) keeps wanting to access 71.125.38.152 at Port 80. This domain seems to be associated with hvsinternational.com--a "hospitality" consulting firm.

    Unfortunately, if I hit Deny the dialog just comes back seconds later. I don't see this process in the Anti-Spyware tab, which, I believe, happens with NetBarrier and Java applications or programs written in other "compile on the fly" languages, like Python (i.e., the setting doesn't "stick").

    What the heck is happening???
     
  2. Eraserhead macrumors G4

    Eraserhead

    Joined:
    Nov 3, 2005
    Location:
    UK
    #2
    the IP address is something to do with this (I typed it into Camino) http://www.niehs.nih.gov/guide/remote/citrix/nfuse.htm

    Puzzling that mdimporter is accessing it, sounds like it's either a false alarm, or you've been hacked.
    Try and see what LittleSnitch comes up with, once it's activated disable NetBarrier as it may interfere.
     
  3. ScottR thread starter macrumors member

    Joined:
    May 11, 2007
    #3
    I seem to have semi-solved the problem.

    The last thing I'd done before the message appeared was to run the current version of Google Earth. This didn't happen WHILE I was running GE--I'd quit it shortly before. As a test, I ran it again for about 30 seconds, quit, and NetBarrier popped up the same alert (actually, DOZENS of times).

    I guess that GE places some reference to this web site in its files and Spotlight indexes the reference (I didn't find any occurrence searching via Spotlight, ironically enough).

    Why, though, is Spotlight trying to access the site--via a Citrix login at that??
     
  4. ScottR thread starter macrumors member

    Joined:
    May 11, 2007
    #4
    OK, more stuff.

    It's not just Google Earth. I'd downloaded POIs for GE from Roadfood.com, a subscriber service. That hvsinternational.com seems to be associated with roadfood (or at least with people there).

    This doesn't seem to be anything malevolent--at least I don't think so. For some reason, Spotlight is finding references to that IP within the kml file and seems compelled to try to access the links. Is it supposed to make Internet calls like this?
     
  5. SC68Cal macrumors 68000

    Joined:
    Feb 23, 2006
    #5
    Are you using Firefox?

    Firefox caches weblinks while your reading a page
     
  6. ScottR thread starter macrumors member

    Joined:
    May 11, 2007
    #6
    No, like I said, it's related to the Google Earth application, not a browser issue at all.
     
  7. robbieduncan Moderator emeritus

    robbieduncan

    Joined:
    Jul 24, 2002
    Location:
    London
    #7
    mdimport is basically a container. It doesn't know how to index files itself, it relies on plugins to index them. GoogleEarth has probably installed an mdimport plugin for kml files. What the plugin does is up to the plugin writer. It could quite easily be written to access an IP address if one is found in the file and include some of the text in the indexed entry.
     

Share This Page