How to identify a virus or process

Tags: process, macos-catalina, virus

I noticed unauthorized access from my computer (a Catalina iMac) to my router (the default gateway).
I am investigating this because several of our Macs show the same behavior.
I want to identify the virus or process causing this unauthorized access and remove it.

We scanned our computers with antivirus software and Avast Antivirus, but it did not detect any viruses.

To investigate, I captured a tcpdump log on my computer.
I confirmed that packets are going to the router.
A few minutes after booting the computer, the following suspicious behavior was observed:

  • Many DNS queries I do not recognize. I do not remember visiting them.
  • Access to various ports
  • A lot of HTTP and HTTPS access

If you have any information about a virus or similar that shows this behavior, it would be very helpful.

Also, please let me know if you need any other information to identify it.

After a lot of research, I found that this is caused by the Wi-Fi Inspector feature of Avast Antivirus.
The tcpdump log pattern when clicking the Wi-Fi Inspector button is almost identical.

    myspace.com, qq.com, baidu.com, weebly.com, mail.ru, odnoklassniki.ru, aol.com, ebay.com, alibaba.com etc.
    
    21, 22, 23, 53, 81, 111, 135, 139, 192, 427, 443, 445, 515, 548, 554, 631, 873, 1433, 1688, 1801, 1900, 1980, 1990, 2105, 2323, 2869, 3000, 3283, 3306, 3389, 3910, 4070, 4071, 5000, 5001, 5040, 5060, 5094, 5357, 5431, 5555, 5800, 5900, 5916, 5985, 6668, 7547, 7676, 7680, 7777, 8000, 8001, 8002, 8008, 8009, 8080, 8081, 8082, 8089, 8090, 8099, 8181, 8182, 8291, 8443, 8728, 8888, 9080, 9100, 9101, 9112, 9220, 9295, 9999, 10001, 10243, 12323, 15500, 16992, 16993, 17500, 18181, 20005, 30005, 30102, 37215, 37777, 41800, 41941, 44401, 47001, 47546, 49000, 49152, 49153, 49200, 49443, 49667, 52869, 52881, 53048, 55442, 55443, 57621, 59777, 60000, 62078
    
    GET / HTTP/1.1
    GET /admin HTTP/1.1
    GET /AvastUniqueURL HTTP/1.1
    GET /cgi-bin/a2/out.cgi HTTP/1.1
    GET /cgi-bin/ajaxmail HTTP/1.1
    GET /cgi-bin/arr/index.shtml HTTP/1.1
    GET /cgi-bin/at3/out.cgi HTTP/1.1
    GET /cgi-bin/atc/out.cgi HTTP/1.1
    GET /cgi-bin/atx/out.cgi HTTP/1.1
    GET /cgi-bin/auth HTTP/1.1
    GET /cgi-bin/bbs/postlist.pl HTTP/1.1
    GET /cgi-bin/bbs/postshow.pl HTTP/1.1
    GET /cgi-bin/bp_revision.cgi HTTP/1.1
    GET /cgi-bin/br5.cgi HTTP/1.1
    GET /cgi-bin/click.cgi HTTP/1.1
    GET /cgi-bin/clicks.cgi HTTP/1.1
    GET /cgi-bin/crtr/out.cgi HTTP/1.1
    GET /cgi-bin/fg.cgi HTTP/1.1
    GET /cgi-bin/findweather/getForecast HTTP/1.1
    GET /cgi-bin/findweather/hdfForecast HTTP/1.1
    GET /cgi-bin/frame_html HTTP/1.1
    GET /cgi-bin/getattach HTTP/1.1
    GET /cgi-bin/hotspotlogin.cgi HTTP/1.1
    GET /cgi-bin/hslogin.cgi HTTP/1.1
    GET /cgi-bin/ib/301_start.pl HTTP/1.1
    GET /cgi-bin/index HTTP/1.1
    GET /cgi-bin/index.cgi HTTP/1.1
    GET /cgi-bin/krcgi HTTP/1.1
    GET /cgi-bin/krcgistart HTTP/1.1
    GET /cgi-bin/link HTTP/1.1
    GET /cgi-bin/login HTTP/1.1
    GET /cgi-bin/login.cgi HTTP/1.1
    GET /cgi-bin/logout HTTP/1.1
    GET /cgi-bin/mainmenu.cgi HTTP/1.1
    GET /cgi-bin/mainsrch HTTP/1.1
    GET /cgi-bin/msglist HTTP/1.1
    GET /cgi-bin/navega HTTP/1.1
    GET /cgi-bin/openwebmail/openwebmail-main.pl HTTP/1.1
    GET /cgi-bin/out.cgi HTTP/1.1
    GET /cgi-bin/passremind HTTP/1.1
    GET /cgi-bin/rbaccess/rbcgi3m01 HTTP/1.1
    GET /cgi-bin/rbaccess/rbunxcgi HTTP/1.1
    GET /cgi-bin/readmsg HTTP/1.1
    GET /cgi-bin/rshop.pl HTTP/1.1
    GET /cgi-bin/search.cgi HTTP/1.1
    GET /cgi-bin/spcnweb HTTP/1.1
    GET /cgi-bin/sse.dll HTTP/1.1
    GET /cgi-bin/start HTTP/1.1
    GET /cgi-bin/te/o.cgi HTTP/1.1
    GET /cgi-bin/tjcgi1 HTTP/1.1
    GET /cgi-bin/top/out HTTP/1.1
    GET /cgi-bin/traffic/process.fcgi HTTP/1.1
    GET /cgi-bin/verify.cgi HTTP/1.1
    GET /cgi-bin/webproc HTTP/1.1
    GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page=* HTTP/1.1
    GET /cgi-bin/webproc?getpage=/etc/shadow HTTP/1.1
    GET /cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard HTTP/1.1
    GET /cgi-bin/webscr HTTP/1.1
    GET /cgi-bin/wingame.pl HTTP/1.1
    GET /das/cgi-bin/session.cgi HTTP/1.1
    GET /dd.xml HTTP/1.1
    GET /fcgi-bin/dispatch.fcgi HTTP/1.1
    GET /fcgi-bin/performance.fcgi HTTP/1.1
    GET /Frontend HTTP/1.1
    GET /HNAP1/ HTTP/1.1
    GET /L3F.xml HTTP/1.1
    GET /login.html HTTP/1.1
    GET /menu.html?images/ HTTP/1.1
    GET /picsdesc.xml HTTP/1.1
    GET /redir/cgi-bin/ajaxmail HTTP/1.1
    GET /rom-0 HTTP/1.1
    GET /rootDesc.xml HTTP/1.1
    GET /ssdp/device-desc.xml HTTP/1.1
    GET /upnp/dev/a266dba0-8baa-3406-a010-2db481ceabf3/desc HTTP/1.1
    GET /WANCfg.xml HTTP/1.1
    GET /WANIPCn.xml HTTP/1.1
    POST /ctl/CmnIfCfg HTTP/1.1
    POST /ctl/IPConn HTTP/1.1
    POST /uuid:0cd2a2e0-68c2-a366-b2f1-8d93ddce634b/WANIPConnection:1 HTTP/1.1
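Added example, not part of the original question or of any Avast tool: a small Python script that does mechanically what the question's author did by eye on the tcpdump capture. It parses `tcpdump -n -v` style text, separates DNS queries and HTTP request lines from plain connection attempts, counts distinct destination ports per host, and flags any host that receives connection attempts on many ports in the capture, which is the signature of a local network scanner such as the Wi-Fi Inspector described above. The tcpdump lines are constructed sample data; 192.168.1.10 is assumed to be the iMac, 192.168.1.1 the gateway, and 203.0.113.5 an ordinary Internet destination.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n -v style sample (not the capture from the question).
# 192.168.1.10 = the iMac (assumed), 192.168.1.1 = the gateway (assumed).
SAMPLE_TCPDUMP = """\
12:00:01.000100 IP 192.168.1.10.52000 > 192.168.1.1.53: 4001+ A? myspace.com. (29)
12:00:01.000200 IP 192.168.1.10.52000 > 192.168.1.1.53: 4002+ A? baidu.com. (27)
12:00:01.000300 IP 192.168.1.10.52000 > 192.168.1.1.53: 4003+ A? mail.ru. (25)
12:00:01.100000 IP 192.168.1.10.52001 > 192.168.1.1.21: Flags [S], seq 1, win 65535, length 0
12:00:01.100100 IP 192.168.1.10.52002 > 192.168.1.1.22: Flags [S], seq 1, win 65535, length 0
12:00:01.100200 IP 192.168.1.10.52003 > 192.168.1.1.23: Flags [S], seq 1, win 65535, length 0
12:00:01.100300 IP 192.168.1.10.52004 > 192.168.1.1.80: Flags [S], seq 1, win 65535, length 0
12:00:01.100400 IP 192.168.1.10.52005 > 192.168.1.1.443: Flags [S], seq 1, win 65535, length 0
12:00:01.100500 IP 192.168.1.10.52006 > 192.168.1.1.445: Flags [S], seq 1, win 65535, length 0
12:00:01.100600 IP 192.168.1.10.52007 > 192.168.1.1.1900: Flags [S], seq 1, win 65535, length 0
12:00:01.100700 IP 192.168.1.10.52008 > 192.168.1.1.8080: Flags [S], seq 1, win 65535, length 0
12:00:01.200000 IP 192.168.1.10.52004 > 192.168.1.1.80: Flags [P.], seq 1:60, ack 1, win 2048, length 59: HTTP: GET /admin HTTP/1.1
12:00:01.200100 IP 192.168.1.10.52004 > 192.168.1.1.80: Flags [P.], seq 60:130, ack 1, win 2048, length 70: HTTP: GET /rootDesc.xml HTTP/1.1
12:00:02.000000 IP 192.168.1.10.52009 > 203.0.113.5.443: Flags [S], seq 1, win 65535, length 0
"""

# One IPv4 packet line: timestamp, "IP", src.sport > dst.dport: rest
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# tcpdump prints a DNS A query as "<id>+ A? name. (len)"
DNS_RE = re.compile(r"\bA\? (?P<name>\S+)\.")
# With -v, tcpdump decodes the HTTP request line after "HTTP: "
HTTP_RE = re.compile(r"HTTP: (?P<method>GET|POST|HEAD|PUT) (?P<path>\S+)")


def parse_tcpdump(text):
    """Return a list of dicts, one per IPv4 packet line; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # ARP, IPv6, continuation lines of -A output, etc.
        pkt = m.groupdict()
        pkt["dport"] = int(pkt["dport"])
        packets.append(pkt)
    return packets


def summarize(packets, scan_threshold=8):
    """Group the capture the way the question does: DNS names, HTTP requests,
    distinct destination ports per host, and hosts that look port-scanned."""
    ports_by_dst = defaultdict(set)
    dns_names = []
    http_requests = []
    for pkt in packets:
        rest = pkt["rest"]
        if pkt["dport"] == 53:
            dns = DNS_RE.search(rest)
            if dns:
                dns_names.append(dns.group("name"))
            continue  # DNS lookups are not connection attempts to the resolver
        http = HTTP_RE.search(rest)
        if http:
            http_requests.append((pkt["dst"], http.group("method"), http.group("path")))
        ports_by_dst[pkt["dst"]].add(pkt["dport"])
    scanned_hosts = sorted(
        host for host, ports in ports_by_dst.items() if len(ports) >= scan_threshold
    )
    return {
        "dns_names": dns_names,
        "http_requests": http_requests,
        "ports_by_dst": {host: sorted(ports) for host, ports in ports_by_dst.items()},
        "scanned_hosts": scanned_hosts,
    }


if __name__ == "__main__":
    report = summarize(parse_tcpdump(SAMPLE_TCPDUMP))
    print("DNS queries:", ", ".join(report["dns_names"]))
    for host, ports in report["ports_by_dst"].items():
        print(f"{host}: {len(ports)} distinct ports {ports}")
    for dst, method, path in report["http_requests"]:
        print(f"HTTP to {dst}: {method} {path}")
    print("hosts that look port-scanned:", report["scanned_hosts"])
```

On the sample, only the gateway crosses the threshold, which matches the pattern in the question: one local source sweeping many ports on the default gateway and fetching router-style paths such as `/admin` and `/rootDesc.xml`. The script only tells you which host is being swept; to name the process on the Mac itself, map the local source ports it reports to their owning process with `sudo lsof -i -n -P` (or `nettop`), which is how a scan from a security product like Wi-Fi Inspector is distinguished from an unknown binary doing the same thing.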