man-in-the-middle’d packets have bad and incorrect checksums on localhost, how to find the malware?

I am trying to fix a man-in-the-middle’d macOS Catalina machine. I have been viewing packets with tcpdump and noticed that, on connecting to any web address, there is a legit packet that gets sent to the DNS server… then… there are packets that get sent from 127.0.0.1:53482 (or some port) to 127.0.0.1:443 — the packet headers are labelled with incorrect checksum (cksum -> incorrect). Also, there are packets 127.0.0.1:62692 (or some other port) -> 127.0.0.1:32376 labelled bad checksum (bad udp cksum). And, again localhost, 127.0.0.1:5353 -> 224.0.0.251:5353, again with bad checksum (bad udp cksum). All this traffic is on the lo0 adapter.

Example of a man-in-the-middle incident on the machine:

Legit: [screenshots: Wiki article on different machine and different network; Wiki article on man-in-the-middle'd machine]

MITM: [screenshots: Wiki article on man-in-the-middle’d machine; Wiki article on different machine and different network]

Packet traces

[screenshot: Incorrect checksum, destination 127.0.0.1:443]

[screenshot: Bad checksum, destination 127.0.0.1:32376]

[screenshot: Bad checksum, source 127.0.0.1:5353, destination 224.0.0.251:5353]

Attempts to find process:

[screenshot: sudo lsof -i]

[screenshot: netstat]

My guess is this is related to some corruption with mDNSResponder? Welcoming and appreciate any tips or suggestions on how to solve.

Many thanks

OAuth native app without localhost redirect

Section 4.1 of RFC 8252 describes the OAuth authorization flow for native apps using the browser (i.e., external user-agent). In this flow, the native app receives the authorization code in step 4 by setting the redirect URI to the loopback IP. This, of course, requires the native app to open a port on the loopback interface and subjects us to attacks where other apps could get the authorization code (unless we use something like PKCE).

Our system is a client-server model where the clients are various custom command line tools with no real user interface. In our deployments, we can’t always guarantee that we will be able to open a port on the loopback (and we’d like to avoid the added security concerns that PKCE addresses). We would like to tweak the flow for our use case but want to make sure we aren’t leaving the door open for security issues. Here is the flow we’d like to use:

  1. Command line tool initiates intent to perform OAuth flow to Application Server.
  2. Application Server generates a random in-progress session token and a separate random OAuth flow state value.
  3. Application Server stores both values in the database together.
  4. Application Server returns both values to the Command line tool.
  5. Command line tool launches the external user-agent (e.g., browser) and starts the authentication process against the Authorization Server using the OAuth state value provided by the Application Server.
  6. User authenticates.
  7. Authorization Server redirects to the Application Server along with the state value.
  8. Application Server retrieves the authorization code and stores it in the database along with the in-progress session token and OAuth state value.
  9. Command line tool submits the in-progress session token to the Application Server.
  10. Application Server retrieves the authorization code from the database and treats it as if the command line tool had provided it.

Outside of the potential for DoS abuse on submitting lots of OAuth initiations and the potential for the command line tool to initiate step 9 before the application server has completed step 8, are there other security issues to be concerned with?
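An added illustration of the Application Server side of the ten-step flow above, written for this page and not the asker's code or any real project's API; the class, method and field names and the in-memory store standing in for the database are assumptions. It shows the properties a reviewer would want to see in steps 2, 3, 8 and 10: the state value and the in-progress session token are generated independently and bound to one record, the state is accepted exactly once by the redirect endpoint, the session token delivers the code exactly once, both expire after a short TTL, and a poll that arrives before the redirect (the step-9-before-step-8 race the question mentions) reports "pending" instead of failing or leaking anything.

```python
import secrets
import time

# How long an initiated-but-unfinished flow stays valid (assumed value).
SESSION_TTL_SECONDS = 300


class AppServer:
    """Constructed stand-in for the Application Server in the question's flow."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._by_session = {}      # session_token -> record (the "database" row)
        self._by_state = {}        # state -> session_token (lookup used at step 8)

    def initiate(self):
        """Steps 2-4: mint an in-progress session token and a separate OAuth
        state, store them together, return both to the command line tool."""
        session_token = secrets.token_urlsafe(32)
        state = secrets.token_urlsafe(32)
        record = {"state": state, "code": None, "created": self._now()}
        self._by_session[session_token] = record
        self._by_state[state] = session_token
        return session_token, state

    def authorization_callback(self, state, code):
        """Steps 7-8: the Authorization Server redirects here with state and
        code. The state must map to exactly one live session and is consumed
        on first use, so a replayed or guessed state cannot attach a code."""
        session_token = self._by_state.pop(state, None)
        if session_token is None:
            return "unknown_state"
        record = self._by_session[session_token]
        if self._expired(record):
            del self._by_session[session_token]
            return "expired"
        if record["code"] is not None:
            return "already_delivered"
        record["code"] = code
        return "stored"

    def poll(self, session_token):
        """Steps 9-10: the command line tool presents its session token.
        Returns ("pending", None) while step 8 has not happened yet, and hands
        the code out exactly once; the record is dropped afterwards."""
        record = self._by_session.get(session_token)
        if record is None:
            return "unknown_session", None
        if self._expired(record):
            del self._by_session[session_token]
            self._by_state.pop(record["state"], None)
            return "expired", None
        if record["code"] is None:
            return "pending", None
        del self._by_session[session_token]   # single-use delivery
        return "ok", record["code"]

    def _expired(self, record):
        return self._now() - record["created"] > SESSION_TTL_SECONDS
```

The session token is the only secret the command line tool ever holds and it never travels through the browser; the state value travels through the browser but is useless on its own because it is consumed once and only ever attaches a code to the session it was minted with. Whatever real database is used, the two lookups and the single-use deletions should be done atomically so two concurrent polls cannot both receive the code.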

How to migrate production WordPress to Localhost

I am trying to migrate a production WordPress site to a localhost install on macOS using MAMP Pro. What steps do I need to perform to enable this?

I have the data base configured and connecting.

I am able to hit localhost:8888/readme.html and get served the WordPress readme from Apache.

Unfortunately, if I hit http://localhost:8888 or http://localhost:8888/index.php I get a 301 redirect to http://localhost. The port is dropped and nothing gets served.

I am unsure where this 301 is coming from and am currently blocked on this.

How to get a new mail alert notification popup for Postfix localhost mail in Ubuntu MATE 19.04

I have configured Postfix along with Mailutils to send and receive mails from localhost in Ubuntu MATE 19.04. I can read mails through terminal just fine.

Now how do I get new mail alert notification popups in system tray for incoming mails? Like upon a system boot and whenever new mail arrives afterwards. I’d like the notifications to stay there until dismissed. Many thanks.

Note: Just to be extra clear this setup is for “local only” mails.

Postfix version: 3.3.2-4
Mailutils version: 1:3.5-2build1