Why does PIA_NW.exe have network activity even though I am disconnected?

PIA_NW.exe typically always comes second or third on my Resource Monitor's list of active processes, even when I am disconnected. Why is this happening? Sometimes I am forced to end the process in order to maintain high Ping levels when gaming. Why so much traffic?

Comments

  • Posts: 112
    Amephest said:
    PIA_NW.exe typically always comes second or third on my Resource Monitor's list of active processes, even when I am disconnected. Why is this happening? Sometimes I am forced to end the process in order to maintain high Ping levels when gaming. Why so much traffic?
    You scanned for virus/malware?
  • Posts: 575
    Likely it is the service checking the PIA servers for the best ping.
  • You are dealing with a Zeus virus scam only if you have been interrupted by aggressive warning messages claiming that Windows Defender or a similar program detected this virus on your computer. Typically, they show up while you are browsing the Internet, which is total nonsense because security programs warn users about detected malware right after they turn on their computer. If you haven't seen alerts looking like that, it is just the main PIA service.
  • Posts: 389
    I can confirm pia_nw's traffic is normal. The PIA application is split into two separate components internally: the VPN management daemon (pia_manager), and the GUI which is handled by pia_nw. They talk to each other locally over the network. This is why you see traffic from pia_nw.

    Additionally, pia_manager also does ping tests to the servers to find out which is the closest region, so that's to be kept in mind as well.
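
One way to check the explanation in the reply above, that the GUI's traffic is local traffic between the two components: count each process's established TCP connections by whether the peer is a loopback address. This is an added example, not part of the original thread and not PIA's code; the `netstat -ano` sample, its PIDs and its addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output. PIDs and addresses are
# made up: assume 4312 is the GUI process and 5120 the management daemon.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49701        127.0.0.1:49702        ESTABLISHED     4312
  TCP    127.0.0.1:49702        127.0.0.1:49701        ESTABLISHED     5120
  TCP    [::1]:49800            [::1]:49801            ESTABLISHED     4312
  TCP    192.168.1.20:50112     203.0.113.10:443       ESTABLISHED     5120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  UDP    192.168.1.20:50999     *:*                                    5120
"""

def host_of(endpoint):
    """Return the address in 'addr:port' or '[v6addr]:port', or None for '*:*'."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    host = host.split("%", 1)[0]  # drop an IPv6 zone id such as %12
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def classify(netstat_text):
    """Count established TCP connections per PID as loopback vs. remote."""
    counts = defaultdict(lambda: {"loopback": 0, "remote": 0})
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have five columns; UDP rows have no State column and are skipped.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        peer = host_of(parts[2])
        if peer is None:
            continue
        kind = "loopback" if peer.is_loopback else "remote"
        counts[int(parts[4])][kind] += 1
    return dict(counts)

if __name__ == "__main__":
    for pid, c in sorted(classify(SAMPLE).items()):
        print(pid, c)
```

A process whose connections are all in the loopback column is only talking to another process on the same machine; anything in the remote column is the traffic worth looking at more closely.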
  • Posts: 9
    [Before Installation]
    Searching for Linux.Xor.DDoS ... nothing found
    Searching for Linux.Proxy.1.0 ... nothing found
    Searching for suspect PHP files... nothing found


    [After Installation]
    Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
    /tmp/pia_upscript.sh
    /tmp/pia_openvpn_client
    /tmp/pia_route


    You guys really need to fix that. When I was using the SOCKS5 proxy it saved a malicious file in my ~/.cache/mozilla/firefox/6ble7ds3.default/cache2/entries/ directory with the file name 099C83595A0E73187C5052B1DC5BED19CEB4A0E9. You can quickly Google search that file name and see what it comes up as. Your SOCKS5 proxy or proxies may have been compromised.


    PS: "OHH WE DON'T KEEP LOGS" Half your server IPs have port 22 open.
    The feds probably keep your logs for you at this point.
  • Posts: 9
    2 separate connections is 100% correct
    Max-P said:
    I can confirm pia_nw's traffic is normal. The PIA application is split into two separate components internally: the VPN management daemon (pia_manager), and the GUI which is handled by pia_nw. They talk to each other locally over the network. This is why you see traffic from pia_nw.

    Additionally, pia_manager also does ping tests to the servers to find out which is the closest region, so that's to be kept in mind as well.

  • edited December 7 Posts: 389
    Grim said:
    [After Installation]
    Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
    /tmp/pia_upscript.sh
    You do realize that you can literally just open the shell script with any text editor and see exactly what it does, right?



    Also

    PS: "OHH WE DON'T KEEP LOGS" Half your server IPs have port 22 open.
    The feds probably keep your logs for you at this point.


    That's the SSH port. It's very common for a very large majority of Linux servers to have it open. It is not a security vulnerability.
  • Posts: 9
    You know how easy it is to brute-force any Linux server that has the SSH port open, right? It's a security risk they have it open.
  • edited December 7 Posts: 9
    You do realize it's not hard to bind 2 files together and have one run silently. The fact they have their SSH ports open on a VPN connection really baffles me; it's not hard to pop a box. It is a security risk not only for PIA but for all the customers that use the service. Run chkrootkit on your system, I bet you $100 it pops up as xor.DDoS. While this may be a false positive, it makes you wonder, because TCP SSH on port 22 is open on all their servers and xor.DDoS is known to spread across networks.
  • Posts: 9
    It's not just a false positive either: clamav, sophos, comodo, chkrootkit, everything I have scanned my system with has come up with xor.DDoS from those files. I uninstall it and re-run the scans and it's not infected lol. It only shows up after installing PIA.
  • Posts: 9
    I even recreated the file, same code in the file, same .sh extension, and even the file sizes don't match LOL. Come on man, if you are gonna troll someone don't try and troll me. https://gyazo.com/bf58faf9d4cef6a916a9f28f7d2f1b31
  • edited December 8 Posts: 112
    @Grim Your claims are wild and unsubstantiated. If you have an actual issue please issue a support ticket so we can get to the bottom of it. Any future off-topic comments will be removed from this thread.