6

I am running a MacBook Pro, and have never installed Chrome, Google Earth, or anything blatantly Google.

Just installed Little Snitch (are there no good free firewalls for Mac?) and see that CURL is sending to Google every few minutes, as is a request to Google update and more.

Little Snitch doesn't say what program set up these requests.

So, how do I find out how Google got on my machine, why is it sending so many requests (every minute or so) and how do I remove it (and is it there for reasons other than to help Google spy on me)?

2
  • 1
    wireshark may be useful here, as would netstat - the former detects network traffic more in depth than little snitch, and netstat detects current connections and what applications are sending stuff
    – Journeyman Geek
    Commented Oct 14, 2012 at 8:48
  • Have you configured any google service at all? say, google talk? calendar? mail? And can you provide the exact request sent to google?
    – Nir Levy
    Commented Oct 14, 2012 at 12:48

1 Answer

10

Just installed Little Snitch (are there no good free firewalls for Mac?)

One could say you don't really need a third party firewall for OS X. There's one built in, and while Little Snitch certainly does the job, I don't see lots of practical uses for it. If only, to make users paranoid. Most of the time, you want to check if some application is "phoning home", but after you get hundreds of alerts just to start up a program, it could become more annoying than useful.

If you don't want to spend any money, stick with the built-in one.

CURL is sending to Google every few minutes

This could be almost anything. If you have Google synchronization enabled through Address Book or Calendar, then contactsd will connect to Google. If not, then it's very likely that any application you have installed pings Google to check whether you're connected to the internet at all. Not very classy, but how often do you find yourself checking ping google.com in the terminal?

The primary problem here is that Little Snitch doesn't report the process that is calling curl or ping. What you can do to find out the parent process is described in this Security.SE answer. Basically, you can create a wrapper script for the binaries to find out who called them:

sudo cp /usr/bin/curl /usr/bin/curl.bin
sudo nano /usr/bin/curl.wrapper

Here, copy this:

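#!/bin/sh
# Log a timestamp and the calling (parent) process, then run the real curl.

date >> /var/tmp/curl_ppid.log
ps -f -p "$PPID" >> /var/tmp/curl_ppid.log

# Absolute path, so the wrapper also works when the caller's PATH lacks /usr/bin.
exec /usr/bin/curl.bin "$@"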

Save with Ctrl+O, then press Enter. Now:

sudo chmod 755 /usr/bin/curl.wrapper
sudo touch /var/tmp/curl_ppid.log
sudo chmod a+w /var/tmp/curl_ppid.log
sudo ln -sf /usr/bin/curl.wrapper /usr/bin/curl

Now you can see who called curl by inspecting the newly created log file in /var/tmp/curl_ppid.log.

To check which process belongs to a PID, use:

ps -fp <pid>

where <pid> is the process ID you acquired from the logfile.


If you ever want to reverse this process, this is enough:

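# /usr/bin/curl is a symlink now: remove it first, or cp writes through it into curl.wrapper
sudo rm /usr/bin/curl && sudo cp /usr/bin/curl.bin /usr/bin/curl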
4
  • 1
    You don't see a practical use for Little Snitch? Wow. I guess you have absolute trust in every application on your Mac. I sure as hell don't.
    – Fake Name
    Commented Oct 14, 2012 at 10:48
  • 2
    I said I don't see lots of practical uses for it, not "none at all". I certainly wouldn't trust every application.
    – slhck
    Commented Oct 14, 2012 at 11:03
  • It's annoying for the first week, after that, you'll only encounter annoying firewall confirmations every once in a while. In the 6 years I've used Little Snitch, I've fended off Strange Calls Home and Located a Trojan.
    – Sandwich
    Commented Aug 31, 2016 at 17:19
  • This doesn't work if System Integrity Protection is turned on (one cannot make changes inside /usr/bin). How does one do this without turning off SIP?
    Commented Mar 18, 2018 at 14:32
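
The wrapper in the answer records only curl's immediate parent and requires replacing /usr/bin/curl. The following is an added example, not part of the original answer or its comments: it reads a process snapshot and walks each curl process's parent chain up to the root without changing any system file. The sample snapshot, the ExampleUpdater path and the URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: attribute curl processes to their callers from a ps snapshot.
# Input format on stdin: "pid ppid command...", one process per line, as
# printed by: ps -A -o pid=,ppid=,command=

# ancestry PID: print "pid<TAB>command" for PID and each ancestor up to the root.
ancestry() {
    awk -v start="$1" '
        {
            pid = $1; parent[pid] = $2
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "")   # keep only the command
            cmd[pid] = $0
        }
        END {
            p = start
            while ((p in parent) && !(p in seen)) {       # stop at root or a loop
                seen[p] = 1
                printf "%s\t%s\n", p, cmd[p]
                p = parent[p]
            }
        }'
}

# curl_callers: find every curl (or curl.bin) process and print its ancestry.
curl_callers() {
    snap=$(cat)
    printf '%s\n' "$snap" |
        awk '$3 ~ /(^|\/)curl(\.bin)?$/ { print $1 }' |
        while read -r pid; do
            echo "== curl pid $pid =="
            printf '%s\n' "$snap" | ancestry "$pid"
        done
}

# Constructed sample snapshot (hypothetical updater agent; not from a real machine).
SAMPLE='    1     0 /sbin/launchd
  312     1 /Library/Example/ExampleUpdater.app/Contents/MacOS/ExampleUpdater
  977   312 /bin/sh -c curl -s https://updates.example.invalid/check
  978   977 curl -s https://updates.example.invalid/check'

printf '%s\n' "$SAMPLE" | curl_callers
# Live use: ps -A -o pid=,ppid=,command= | curl_callers
```

A single snapshot only sees processes alive at that instant, so a short-lived curl can be missed; running the live command in a loop with a short sleep raises the chance of catching it.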
