Lately I have been seeing the einstein@home binary trying to talk out over port 41. This is not BOINC, but the program binary running. I am wondering why does it need to do this while it is running?
Just want to make sure this is normal operation and not something injected into the binary without anyone knowing.
edit to fix spelling
Quick question. Binary is trying to connect out on port 41
Sounds odd - what makes you think it's the e@h binary, and where is it trying to connect to?
On most OS's you need admin privileges to use ports below 1024 (no idea about Windows though).
Also highly unlikely to be something nasty injected into the binary, since I understand they are generally signed by a private key on a non-connected host (and I'd be confident that E@H are doing this properly).
The limit is, non-root can't
The limit is, non-root can't open a port below 1024 for listening, but it can connect to one.
Are you sure you're not using some proxy that happens to be on port 41? Check Options... in your BOINC manager.
tcp 1 0 192.168.99.7:50709 192.168.99.1:3128 CLOSE_WAIT 6895/einstein_S6LV1
netstat -nap shows me that einstein subprocesses do indeed make HTTP connections to project servers (according to the proxy's logs). (In my case, 192.168.99.1:3128 is an HTTP proxy I'm using.)
educated guess
michael@kyle:~> cat /etc/services | grep " 41/"
graphics 41/tcp # Graphics
graphics 41/udp # Graphics
screensaver?
Team Linux Users Everywhere
I'm on a windows machine.
I'm on a windows machine.
This is a single log from the firewall
C:\ProgramData\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_BRP4_1.22_windows_intelx86__BRP4SSE.exe Asked Out IPV6 192.168.1.121 66.152.109.104
When the firewall pops up it says that binary is trying to connect out on port 41.
It just seems odd; that is why I am asking here. I block it and everything still seems to work.
My lookup on port 41 uses is
My lookup on port 41 uses is 'graphics services' and 'data exchange', but also 'denial of service attacks' alas ....
Cheers, Mike.
I have made this letter longer than usual because I lack the time to make it shorter ...
... and my other CPU is a Ryzen 5950X :-) Blaise Pascal
RE: The limit is, non-root
Indeed; but "over port 41" doesn't make it clear which end.
I tried a telnet to the IP address on port 41, but no connection. It is however running nginx on port 80, redirecting users to suddenlink.net (some sort of broken link catcher). The IP address resolves back to tvc-ip.com, which seems to belong to tvconline.net (quite possibly a customer of theirs).
Could the warning have said protocol 41 rather than port 41? Because that's IPv6 encapsulation (hence 'IPV6' in the log message).
If it was port 41, the bad news is there is a Trojan known as "win32.deepthroat" or "Foreplay" that uses port 41. If so, it's unlikely it arrived in the BRP4 exe - could be a cross-infection?
I checked back though all of
I checked back through all of my firewall logs and it seems it happened on the milkyway@home binary too.
May be signs there is something bad on this desktop.
It seems both e@home and milky@home try to connect to two IP addresses.
66.152.109.104
and
198.105.251.17
It is random which IP it tries to connect to.
I apologize as I am realizing this is not just a e@home problem.
I will pay attention to see if it is saying "protocol 41" or port.
Thank you for your help.
I know this is e@home, but
I know this is e@home, but this time the firewall came up with the milkyway@home binary trying to connect. (I first noticed it with e@home, so that is why I thought it was it.)
I hate windows.....I have a feeling my machine is infected, but virus scan shows nothing.
Ok, one more post for right now.
Here is the hit from e@home
I did nmap on the two IP addresses.
Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-17 17:47 CST
Nmap scan report for 66-152-109-104.tvc-ip.com (66.152.109.104)
Host is up (0.066s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32
Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-17 17:50 CST
Nmap scan report for 198.105.251.17
Host is up (0.070s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
Device type: general purpose|WAP|storage-misc
Running (JUST GUESSING): Linux 3.X|2.6.X|2.4.X (95%), Linksys Linux 2.4.X (90%), HP embedded (90%), Encore embedded (88%), EnGenius embedded (88%), Netgear embedded (87%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linksys:linux:2.4 cpe:/o:linux:linux_kernel:2.4 cpe:/h:hp:p2000_g3 cpe:/h:engenius:esr-9752 cpe:/h:netgear:dg834g
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), Encore 3G or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%)
No exact OS matches for host (test conditions non-ideal).
I'm thinking of letting it connect and grabbing the TCP frames it sends out and dissecting them
More info for those willing
More info for those willing to help me.
It is a 6to4 conversion. I have not worked with ipv6 yet so I did not understand it.
If anyone wants, I captured the communications with Wireshark.
I had to turn on filtering of IPv6 for Comodo. Now it says the address it is trying to connect to is fe80::f0ce:11b4:66c1:7c10
It uses PNRP and then switches to TCP packets.
If anyone would like I could post the pcap file.
I found plain text in a couple of the packets....
America Online Inc.1604..U...-America Online Root Certification Authority 1..0}1.0...U....IL1.0...U....StartCom Ltd.1+0)..U..."Secure Digital Certificate Signing1)0'..U... StartCom Certification Authority.Ã0.Ê1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U.....U...7www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%
Don't know what it all means, but I am trying.
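The thread turns on the difference between IP protocol 41 (IPv6 encapsulated in IPv4, which is what Windows 6to4 and ISATAP tunnelling emits and what a firewall log showing "IPV6" with no port refers to) and TCP/UDP port 41. The following is an added example, written for this page and not code from the forum posters, Einstein@Home, BOINC or Comodo. It assumes a constructed log layout of the form "<exe> Asked <In|Out> <PROTO> <src> <dst> [<dport>]", modelled on the single line quoted above (the port field is an assumption; the real Comodo format was not shown), and uses Python's standard ipaddress module to decode 6to4, Teredo and link-local addresses so you can tell which end of a tunnel an address belongs to.

```python
"""Tell IP protocol 41 (IPv6-in-IPv4) apart from TCP port 41, and decode tunnel addresses.

Added example for this thread; not the project's or the firewall vendor's code.
"""
import ipaddress
import re

IPPROTO_IPV6 = 41  # IANA protocol number for IPv6 carried inside IPv4 (6to4, ISATAP)
SIXTOFOUR_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068 6to4 relay anycast

# Assumed record layout, modelled on the one line quoted in the thread; the trailing
# destination-port field is a constructed assumption for TCP/UDP records.
LOG_RE = re.compile(
    r"^(?P<exe>\S+) Asked (?P<direction>In|Out) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+)(?: (?P<dport>\d+))?$"
)


def classify_firewall_line(line):
    """Return a dict saying whether a log record is about IP protocol 41 or a transport port."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("record does not match the assumed layout: %r" % line)
    proto = m["proto"].upper()
    record = {"exe": m["exe"], "direction": m["direction"], "src": m["src"], "dst": m["dst"]}
    if proto == "IPV6":
        # No transport header at all: this is an encapsulated IPv6 packet, so the
        # "41" a popup shows is the IP protocol number, not a TCP/UDP port.
        record.update(kind="ip-protocol", number=IPPROTO_IPV6,
                      note="IPv6-in-IPv4 tunnel traffic (6to4/ISATAP), not a port")
        return record
    dport = int(m["dport"]) if m["dport"] else None
    record.update(kind="transport", proto=proto, dport=dport,
                  note="real connection to port 41" if dport == 41 else "ordinary connection")
    return record


def describe_ipv6(addr):
    """Classify an IPv6 address and, for tunnel addresses, return the embedded IPv4."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        # fe80::/10 never leaves the local link; the tunnel interface's own address,
        # which is what the thread's fe80:: destination looks like.
        return ("link-local", None)
    if a.sixtofour is not None:
        # 2002:WWXX:YYZZ::/48 embeds the public IPv4 of the 6to4 host.
        return ("6to4", a.sixtofour)
    if a.teredo is not None:
        server, client = a.teredo
        return ("teredo", client)
    return ("global" if a.is_global else "other", None)


def sixtofour_prefix(v4):
    """The 6to4 /48 that a host with public IPv4 address v4 would announce."""
    b = ipaddress.IPv4Address(v4).packed
    return ipaddress.IPv6Network("2002:%02x%02x:%02x%02x::/48" % tuple(b))


if __name__ == "__main__":
    # Constructed sample: the thread's line, plus a hypothetical TCP record with a port.
    sample = [
        r"C:\ProgramData\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_BRP4_1.22_windows_intelx86__BRP4SSE.exe Asked Out IPV6 192.168.1.121 66.152.109.104",
        r"C:\example\hypothetical.exe Asked Out TCP 192.168.1.121 198.51.100.7 41",
    ]
    for line in sample:
        rec = classify_firewall_line(line)
        print(rec["kind"], rec.get("number", rec.get("dport")), rec["note"])
    for addr in ("fe80::f0ce:11b4:66c1:7c10", "2002:c058:6301::", "2001:0:4136:e378:8000:63bf:3fff:fdd2"):
        print(addr, describe_ipv6(addr))
    print(sixtofour_prefix(SIXTOFOUR_RELAY_ANYCAST))
```

If the popup's "41" came from an "IPV6" record with no port, the sensible check is whether the machine has a 6to4, ISATAP or Teredo adapter enabled and whether the destination is a relay rather than something listening on TCP 41; an nmap of TCP ports, as done above, cannot see protocol 41 traffic at all.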