Telnet Randomly turns on

[Me1000]

Like the title says, then it takes up about 95% of one core of my processor!

Anyone know why? its about the 5th time its done it...

 

[setatakahashi]

Go to a terminal window and run ps -ef | grep telnet and paste here the results.

 

[Me1000]

This is what i got...

ps: illegal option -- f
usage: ps [-aACcehjlmMrSTuvwx] [-O|o fmt] [-p pid] [-t tty] [-U user]
ps [-L]

 

[setatakahashi]

This is what i got...

Hmm, try ps aux | grep telnet

 

[Me1000]

I didnt get anything back...

Randys-Macbook:~ randy$ ps aux | grep telnet
Randys-Macbook:~ randy$

 

[MacsRgr8]

Telnet (incoming) is off by default on Mac OS X, are your sure you haven't turned it on?
Here's Apple's documentation about enabling Telnet access.

But using Telnet as a "client" is on. Sometimes you can use Telnet to configure your DSL modem, or network printers etc.
Maybe some software you have installed uses Telnet to connect to some network device...?

 

[Queso]

Strange. If it were a backdoor on your Mac, the process would show as telnetd (the telnet server) rather than telnet. It worries me that this may be a process calling itself telnet, but not actually be the OSX telnet client. The built-in one should never get up to those CPU cycle levels.

 

[Me1000]

Well im almost positive ive never turned it on, especially if you have go through all that!


if it happens again, is there anyway to get some more info on what is running?

 

[setatakahashi]

The next time that you experience this problem, open a terminal window and type ps auxl

Then you'll see in the first column the user running the process (USER), the Process ID (PID), Parent Process ID(PPID) and command used to start it (COMMAND).

USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME UID PPID CPU PRI NI WCHAN COMMAND

Pick the PPID from the telnet process. This number will tell you which process started telnet. Type ps aux | grep <PPID of telnet> .

Tell us what process was starting telnet, ok?

 

[Me1000]

ok, its a rare problem, but it has happened several times.

I normally just quit it from activity monitor...
But I dont like it when others are worried!

 

[mkrishnan]

Mmm, it *is* strange. What do you have running on this Mac? The telnet process looks like it's owned by *YOU* in the first picture.... not that it couldn't be someone hacking you, but that seems unlikely. More likely is that you have some program or something that is launching a script periodically, and the telnet task is being invoked for some weird reason to act the script out.

 

[Tinhead]

Mail Widget?

I had a similar problem a while back. It turned out to be a mail widget that I used (and still use) that, for some reason, launched telnet. Usually it was terminated, but sometimes it remained. See if tapping F12 creates instances of telnet, that's how I realized it was connected with dashboard somehow.

 

[MacsRgr8]

Tinhead's is the most plausable.

A widget could easily generate Telnet traffic, and for the user still be "invisible"

Please check this possibility out, Me1000!

 

[Me1000]

It could be that, but i goto my dashboard a lot, and this doesnt happen that often!

I just went to dashboard, but it didnt come on in activity monitor; but I didnt have nay mail either.

I do have a mail widget though!

 

[Tinhead]

[...] I just went to dashboard, but it didnt come on in activity monitor; but I didnt have nay mail either.

I do have a mail widget though!

Try tapping F12 repeatedly and rapidly, see if that makes telnet appear. It does not matter whether or not you have new mail in your inbox.

 

[Me1000]

I tried it for about a minute, and nothing happened! I was looking at activity monitor the whole time too

 

[Me1000]

OK it turned on again, I just restarted my macbook
Updated iTunes (7.1.1 I think)

Ran the
ps auxl telnet

but I dont understand any of it

USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME UID PPID CPU PRI NI WCHAN COMMAND
randy 356 98.1 -0.1 27404 1172 ?? Rs 2:42PM 8:01.09 501 1 0 51 0 - /usr/bin/telnet
randy 357 97.2 -0.1 27404 1172 ?? Rs 2:42PM 8:00.13 501 1 0 23 0 - /usr/bin/telnet
windowse 96 0.9 -2.9 390680 60200 ?? Ss 2:40PM 0:53.34 88 1 0 63 0 - /System/Library/
randy 437 0.5 -0.4 366720 8036 ?? R 2:56PM 0:00.34 501 96 0 47 0 - /Applications/Ut
randy 239 0.4 -0.9 383692 18012 ?? S 2:41PM 0:03.10 501 96 0 63 0 - /System/Library/
root 435 0.4 -0.1 37344 1704 ?? Ss 2:54PM 0:13.48 0 434 0 31 0 - /Applications/Ut
randy 330 0.3 -2.5 402532 52208 ?? S 2:41PM 0:09.62 501 96 0 62 0 - /Applications/Ac
randy 434 0.1 -0.6 373068 12328 ?? S 2:54PM 0:03.27 501 96 0 46 0 - /Applications/Ut
root 67 0.0 -0.0 27288 1032 ?? Ss 2:40PM 0:00.38 0 1 0 31 0 - /usr/sbin/syslog
root 69 0.0 -0.3 30000 5464 ?? Ss 2:40PM 0:02.84 0 1 0 31 0 - /usr/sbin/config
root 70 0.0 -0.3 31940 7020 ?? Ss 2:40PM 0:00.20 0 1 0 31 0 - /usr/sbin/coreau
root 71 0.0 -0.2 27776 4436 ?? Ss 2:40PM 0:00.15 0 1 0 31 0 - /usr/sbin/diskar
root 72 0.0 -0.2 28324 3148 ?? Ss 2:40PM 0:00.02 0 1 0 31 0 - /usr/sbin/member
root 73 0.0 -0.3 29268 6032 ?? Ss 2:40PM 0:00.18 0 1 0 31 0 - /usr/sbin/securi
root 75 0.0 -0.0 27864 908 ?? Ss 2:40PM 0:00.14 0 1 0 31 0 - /usr/sbin/notify
root 76 0.0 -0.4 30744 8860 ?? Ss 2:40PM 0:00.22 0 1 0 31 0 - /usr/sbin/Direct
root 81 0.0 -0.0 27252 804 ?? Ss 2:40PM 0:01.10 0 1 0 31 0 - /usr/sbin/update
root 90 0.0 -0.2 27676 3616 ?? Ss 2:40PM 0:00.13 0 1 0 31 0 - /usr/sbin/distno
root 91 0.0 -0.1 37828 2764 ?? S 2:40PM 0:00.14 0 69 0 31 0 - /usr/sbin/blued
root 95 0.0 -0.4 36972 7632 ?? Ss 2:40PM 0:00.60 0 1 0 31 0 - /System/Library/
randy 100 0.0 -0.3 102532 6020 ?? Ss 2:40PM 0:01.73 501 1 0 31 0 - /System/Library/
randy 101 0.0 -0.2 354860 4980 ?? Ss 2:40PM 0:00.41 501 1 0 48 0 - /System/Library/
root 138 0.0 -0.0 27252 224 ?? Ss 2:40PM 0:00.00 0 1 0 31 0 - /usr/libexec/cra
root 159 0.0 -0.3 45176 5332 ?? Ss 2:40PM 0:03.18 0 1 0 50 0 - /System/Library/
root 162 0.0 -0.1 28536 2116 ?? Ss 2:40PM 0:00.04 0 1 0 31 0 - /usr/sbin/cupsd
daemon 165 0.0 -0.1 100256 1768 ?? Ss 2:40PM 0:00.01 1 1 0 31 0 - /Library/Startup
nobody 169 0.0 -0.2 73376 4912 ?? SNs 2:40PM 0:00.24 4294967294 1 0 13 18 - /System/Library/
root 171 0.0 -0.1 29204 1896 ?? Ss 2:40PM 0:02.14 0 1 0 31 0 - /usr/sbin/lookup
root 186 0.0 -0.0 29848 628 ?? S 2:40PM 0:00.09 0 1 0 31 0 - /Library/Startup
root 189 0.0 -0.0 27740 428 ?? Ss 2:40PM 0:00.06 0 1 0 31 0 - ntpd -f /var/run
root 209 0.0 -0.0 29312 200 ?? Ss 2:40PM 0:00.00 0 1 0 31 0 - nfsiod -n 4
root 218 0.0 -0.0 27312 212 ?? Ss 2:40PM 0:00.00 0 1 0 31 0 - rpc.lockd -w
root 221 0.0 -0.1 29720 1524 ?? Ss 2:40PM 0:00.03 0 1 0 31 0 - /usr/sbin/automo
root 225 0.0 -0.1 29424 1492 ?? Ss 2:40PM 0:00.02 0 1 0 31 0 - /usr/sbin/automo
randy 230 0.0 -0.1 55892 2464 ?? Ss 2:41PM 0:00.14 501 101 0 31 0 - /System/Library/
randy 240 0.0 -0.5 373512 9844 ?? S 2:41PM 0:00.53 501 96 0 46 0 - /System/Library/
randy 243 0.0 -0.2 40596 4096 ?? SNs 2:41PM 0:00.39 501 1 0 13 18 - /System/Library/
randy 246 0.0 -0.2 358456 5240 ?? S 2:41PM 0:03.64 501 96 0 46 0 - /System/Library/
randy 247 0.0 -0.4 367052 7604 ?? S 2:41PM 0:08.33 501 96 0 46 0 - /Library/Prefere
randy 249 0.0 -1.2 395852 24412 ?? S 2:41PM 0:02.05 501 96 0 63 0 - /Applications/Ne
randy 250 0.0 -0.7 374792 15644 ?? S 2:41PM 0:01.56 501 96 0 63 0 - /Applications/Me
randy 251 0.0 -0.3 363600 6452 ?? S 2:41PM 0:00.24 501 96 0 46 0 - /Applications/St
randy 252 0.0 -2.0 403364 41052 ?? S 2:41PM 0:03.75 501 96 0 62 0 - /Users/randy/Des
randy 262 0.0 -0.8 365412 16536 ?? S 2:41PM 0:01.14 501 96 0 63 0 - /Users/randy/Lib
randy 263 0.0 -0.1 38096 1916 ?? S 2:41PM 0:00.03 501 96 0 46 0 - /System/Library/
randy 331 0.0 -1.8 2570868 37848 ?? SNs 2:41PM 0:04.97 501 330 0 27 20 - /System/Library/
randy 354 0.0 -0.2 353596 5196 ?? S 2:42PM 0:00.40 501 96 0 46 0 - /System/Library/
randy 383 0.0 -0.5 345460 9972 ?? S 2:50PM 0:00.06 501 1 0 46 0 - /Applications/iT
randy 402 0.0 -0.4 371080 8108 ?? S 2:50PM 0:00.45 501 96 0 46 0 - /System/Library/
randy 408 0.0 -2.5 408792 52328 ?? S 2:52PM 0:03.55 501 96 0 62 0 - /Applications/iT
randy 411 0.0 -3.8 473412 78864 ?? S 2:52PM 0:24.66 501 96 0 62 0 - /Applications/Sa
randy 413 0.0 -0.4 363796 8380 ?? S 2:54PM 0:00.26 501 402 0 63 0 - /System/Library/
randy 414 0.0 -0.5 364948 9788 ?? S 2:54PM 0:00.30 501 402 0 63 0 - /System/Library/
randy 415 0.0 -0.5 365532 10900 ?? S 2:54PM 0:00.56 501 402 0 63 0 - /System/Library/
randy 416 0.0 -0.4 363936 8524 ?? S 2:54PM 0:00.29 501 402 0 63 0 - /System/Library/
randy 417 0.0 -0.4 363000 8752 ?? S 2:54PM 0:00.31 501 402 0 63 0 - /System/Library/
randy 418 0.0 -0.4 369680 8304 ?? S 2:54PM 0:00.25 501 402 0 63 0 - /System/Library/
randy 419 0.0 -0.6 367060 11604 ?? S 2:54PM 0:00.47 501 402 0 63 0 - /System/Library/
randy 420 0.0 -0.4 347004 7864 ?? S 2:54PM 0:00.24 501 402 0 63 0 - /System/Library/
randy 421 0.0 -0.4 362820 7736 ?? S 2:54PM 0:00.23 501 402 0 63 0 - /System/Library/
randy 422 0.0 -0.5 367844 11276 ?? S 2:54PM 0:00.45 501 402 0 63 0 - /System/Library/
randy 423 0.0 -0.5 364196 9960 ?? S 2:54PM 0:00.34 501 402 0 63 0 - /System/Library/
randy 424 0.0 -0.4 366220 8264 ?? S 2:54PM 0:00.25 501 402 0 63 0 - /System/Library/
randy 425 0.0 -0.4 353976 7796 ?? S 2:54PM 0:00.23 501 402 0 63 0 - /System/Library/
root 439 0.0 -0.0 27576 948 p1 Ss 2:56PM 0:00.01 0 437 0 31 0 - login -pf randy
randy 440 0.0 -0.0 27728 784 p1 S 2:56PM 0:00.01 501 439 0 31 0 - -bash
root 353 0.0 -0.0 0 0 ?? ZN 31Dec69 0:00.00 0 331 0 0 20 - (java)
root 447 0.0 -0.0 27328 452 p1 R+ 2:59PM 0:00.00 0 440 0 31 0 - ps auxl telnet
root 1 0.0 -0.0 28356 564 ?? S<s 2:40PM 0:00.14 0 0 0 32 -1 - /sbin/launchd
root 23 0.0 -0.0 27268 368 ?? Ss 2:40PM 0:00.00 0 1 0 63 0 - /sbin/dynamic_pa
root 27 0.0 -0.3 31764 5928 ?? Ss 2:40PM 0:05.02 0 1 0 31 0 - kextd
root 64 0.0 -0.2 28244 3428 ?? Ss 2:40PM 0:00.01 0 1 0 31 0 - /usr/sbin/Kernel
root 65 0.0 -0.2 29080 4172 ?? Ss 2:40PM 0:00.11 0 1 0 31 0 - /usr/sbin/mDNSRe
root 66 0.0 -0.1 27580 1372 ?? Ss 2:40PM 0:00.26 0 1 0 31 0 - /usr/sbin/netinf

This time it's a little different in activity monitor it is running twice!

 

[Me1000]

When I double click on the telnet app in the activity monitor the first line on "open files and ports" is
/Users/randy/Library/Widgets/MailWidget.wdgt

I removed the widget from dashboard, and restarted the dashboard with this widget

http://www.apple.com/downloads/dashboard/developer/quitdock.html

but it is still running both cores at 100%

 

[setatakahashi]

OK it turned on again, I just restarted my macbook
Updated iTunes (7.1.1 I think)

Ran the
ps auxl telnet

but I dont understand any of it

This time it's a little different in activity monitor it is running twice!

The PID 501 started the telnet (the PPID of telnet is 501) and telnet is consuming near 100% of your CPU time. But the listing doesn't have any PID with this number (501) .

 

[dr_lha]

The PID 501 started the telnet (the PPID of telnet is 501) and telnet is consuming near 100% of your CPU time. But the listing doesn't have any PID with this number (501) .

501 is the UID of "randy", not the PID. 501 is the standard UID of the main user on Mac OS X. What is happening here is that the MailWidget uses telnet to communicate with POP and IMAP servers to enquire about email. This is mainly due to the fact that the program is poorly written.

However, the important thing is it's nothing nefarious. I.e. its not a hack/exploit or virus.

 

[setatakahashi]

501 is the UID of "randy", not the PID. 501 is the standard UID of the main user on Mac OS X. What is happening here is that the MailWidget uses telnet to communicate with POP and IMAP servers to enquire about email. This is mainly due to the fact that the program is poorly written.

However, the important thing is it's nothing nefarious. I.e. its not a hack/exploit or virus.

You're right. PPID is 1.