I know this might not be the right place to ask, so I apologize in advance.
I use the built-in Python 3 http.server module to transfer files through the local NAT across multiple computers occasionally. Unless you explicitly specify a port, 8000 is the default one.
I accidentally left my personal Mac running overnight, and hence the http.server as well. Apart from the HTTP server in the Terminal window, only Apple Music and iMessage were running in the background. Here is what I woke up to waiting for me in my connections log:
::1 - - [20/Dec/2024 20:24:30] code 404, message File not found
::1 - - [20/Dec/2024 20:24:30] "GET /setuid?bidder=rise&gdpr=&gdpr_consent=&gpp=&gpp_sid=&f=b&uid=xwtlCz-9C HTTP/1.1" 404 -
::1 - - [21/Dec/2024 10:19:38] code 404, message File not found
::1 - - [21/Dec/2024 10:19:38] "GET /setuid?bidder=rise&gdpr=&gdpr_consent=&gpp=&gpp_sid=&f=b&uid=xwtlCz-9C HTTP/1.1" 404 -
::1 - - [22/Dec/2024 09:31:47] code 404, message File not found
::1 - - [22/Dec/2024 09:31:47] "GET /setuid?bidder=rise&gdpr=&gdpr_consent=&gpp=&gpp_sid=&f=b&uid=xwtlCz-9C HTTP/1.1" 404 -
A quick Google search of this strange URL led me to an application called Prebid Server, which is some sort of library for programmatically interacting with advertisement services, as far as I understand. Coincidentally, by default, it also runs on port 8000, especially in development mode, so I suspect that some kind of app on my Mac found a live TCP port 8000 and tried sending these requests believing it was Prebid or something.
In any case, this threw me completely off guard, because up until this point I wasn't even aware of this library existing. Not only that, but this is certainly something running locally, because the requests are coming from localhost (::1). None of the software projects I am working on are known to exhibit this kind of behavior, so it could only be a third-party app or something malicious.
I ran multiple scans on this Mac through conventional anti-malware software, like Malwarebytes and Avira, and they found nothing. I've always been skeptical about this kind of software being accurate, so I expected them to provide me with such results.
My question is still, what could this possibly be? What other clues should I be looking for to find out what it is (logs, leaving Proxyman running overnight to try to see which app the request is coming from, etc.)? I know this is going to be hard to figure out, but I am willing to provide as much information as I can about this computer, if that helps with the search.
Thanks to everyone in advance!
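Added example (not part of the original post): an instrumented drop-in for `python3 -m http.server` that, for every request arriving from ::1 or 127.0.0.1, looks up the client's ephemeral source port with `lsof` while the connection is still open and logs which local process owns it. It assumes macOS or Linux with `lsof` on PATH, and that it is run as the same user as the suspect app (or with sudo), since `lsof` only lists sockets it is allowed to see.

```python
# Added example (not the original poster's code); assumes macOS/Linux with lsof on PATH.
import http.server
import socket
import subprocess
import sys

def client_processes(lsof_fields: str, client_port: int):
    """Parse `lsof -nP -F pcn -iTCP:<client_port>` output and return the
    (command, pid) pairs whose *local* endpoint uses client_port, i.e. the
    process that opened the connection. The server's own socket shows that
    port on the remote side and is skipped."""
    owners, pid, cmd = [], None, None
    for field in lsof_fields.splitlines():
        tag, value = field[:1], field[1:]
        if tag == "p":
            pid = int(value)
        elif tag == "c":
            cmd = value
        elif tag == "n" and "->" in value:
            local_end = value.split("->", 1)[0]
            if local_end.endswith(f":{client_port}") and (cmd, pid) not in owners:
                owners.append((cmd, pid))
    return owners

def lookup_owner(client_port: int) -> str:
    """Run lsof while the client socket is still open (same user, or sudo)."""
    try:
        out = subprocess.run(["lsof", "-nP", "-F", "pcn", f"-iTCP:{client_port}"],
                             capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.TimeoutExpired):
        return "lsof unavailable"
    return ", ".join(f"{c}[{p}]" for c, p in client_processes(out, client_port)) or "unknown"

class AttributingHandler(http.server.SimpleHTTPRequestHandler):
    def log_request(self, code="-", size="-"):
        host, port = self.client_address[:2]
        local = host in ("::1", "127.0.0.1", "::ffff:127.0.0.1")
        who = lookup_owner(port) if local else "remote host"
        self.log_message('"%s" %s from [%s]:%d by %s', self.requestline, code, host, port, who)

class DualStackServer(http.server.ThreadingHTTPServer):
    address_family = socket.AF_INET6  # bind "::" so LAN clients still work

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000  # http.server's default
    with DualStackServer(("::", port), AttributingHandler) as httpd:
        print(f"serving on port {port}; localhost requests are attributed via lsof")
        httpd.serve_forever()
```

Leave it running in place of the stock server; the next 404 for /setuid will be logged together with the command name and PID that opened the connection.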
code 400, message Bad request version ('\x9fX\x89\x88ã')
code 400, message Bad request version ('·ü\x19.\x9f]\x00\x12\x00\x00ÿ\x01\x00\x01\x00\x00#\x00\x00\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00+\x00\x07\x06ÚÚ\x03\x04\x03\x03\x00')
code 400, message Bad request version ('û5')
code 400, message Bad request version ('\x00\x12\x00\x10\x04\x03\x08\x04\x04\x01\x05\x03\x08\x05\x05\x01\x08\x06\x06\x01\x00+\x00\x07\x06ºº\x03\x04\x03\x03ÿ\x01\x00\x01\x00\x00#\x00\x00\x00')
Notice that what appear in the apparently binary strings are non-octal characters, presumably because that allows some exploit on parsing.