First thing is to determine if it's port 41 or protocol 41. My suspicion that it's the latter is much stronger now, because looking at the images on this page you can see "TCP" where the "41" appears on our screenshot. That implies strongly that it's IPv6 encapsulation (and that Comodo doesn't recognise it).
All that aside, there's clearly something wrong; e@h binaries surely wouldn't be trying to connect to IP addresses like those, especially if you don't recognise them as related to your ISP.
Hate to say it, but the strong suspicion is it's a virus. Spending lots of time analysing it really isn't worth it (unless you're interested from a learning point of view).
On a linux box I'd find the executable, run md5sum on it and compare that to a known good copy from someone else (and ditto any libraries it uses). Presumably it's possible to do the same on a Windows box - though as a starting point you can post the file size and date for someone else to compare against.
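To make the port-41 versus protocol-41 question concrete, here is an added example (not code from this thread, from BOINC or from Einstein@Home) that decodes a raw IPv4 packet the way you would from a Wireshark or tcpdump capture and reports whether the "41" is the IP protocol number (IPv6 encapsulated in IPv4, as 6to4/6in4 tunnels use) or a TCP port. The sample packets are constructed here from documentation address ranges (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32) plus the well-known 6to4 relay anycast address 192.88.99.1; they are not the packets the poster captured, and the IPs discussed in the thread are not used.

```python
# Added example, not code from the thread or from BOINC/Einstein@Home:
# decode a raw IPv4 packet and say whether "41" is the IP protocol number
# (IPv6-in-IPv4 encapsulation, used by 6to4/6in4 tunnels) or a TCP port.
# Sample packets below are constructed from documentation address ranges.
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41                                       # IPv6-in-IPv4 (RFC 4213)
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")   # 6to4 addresses (RFC 3056)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the outer IPv4 header plus the start of its payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    payload = pkt[ihl:total_len]
    info = {"proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}
    if proto == IPPROTO_IPV6:
        # The payload is a complete IPv6 header: next header at byte 6,
        # source address at bytes 8..24, destination at bytes 24..40.
        if len(payload) < 40 or payload[0] >> 4 != 6:
            raise ValueError("protocol 41 without a valid inner IPv6 header")
        inner_src = ipaddress.IPv6Address(payload[8:24])
        inner_dst = ipaddress.IPv6Address(payload[24:40])
        info.update(kind="ipv6-in-ipv4",
                    inner_next_header=payload[6],
                    inner_src=str(inner_src), inner_dst=str(inner_dst),
                    # a 6to4 address embeds the host's public IPv4 address
                    is_6to4=inner_src in SIXTOFOUR_PREFIX)
    elif proto == IPPROTO_TCP:
        if len(payload) < 4:
            raise ValueError("truncated TCP header")
        sport, dport = struct.unpack("!HH", payload[:4])
        info.update(kind="tcp", sport=sport, dport=dport,
                    uses_port_41=41 in (sport, dport))
    else:
        info["kind"] = "other"
    return info


# --- helpers that build the constructed sample packets ------------------

def ipv4_packet(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload          # checksum left as 0; parsing does not need it


def ipv6_header(next_header: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def tcp_header(sport: int, dport: int) -> bytes:
    # 20-byte TCP header: seq/ack 0, data offset 5, SYN flag, window 65535
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


# Constructed samples: 203.0.113.7 is TEST-NET-3; 192.88.99.1 is the 6to4
# relay anycast address; 2002:cb00:7107::1 is the 6to4 address derived from
# 203.0.113.7 (cb00:7107 == 203.0.113.7); 2001:db8::/32 is documentation.
SAMPLE_6TO4 = ipv4_packet(IPPROTO_IPV6, "203.0.113.7", "192.88.99.1",
                          ipv6_header(IPPROTO_TCP, "2002:cb00:7107::1",
                                      "2001:db8::1", tcp_header(49152, 80)))
SAMPLE_TCP_PORT_41 = ipv4_packet(IPPROTO_TCP, "203.0.113.7", "198.51.100.9",
                                 tcp_header(49153, 41))
SAMPLE_UDP = ipv4_packet(IPPROTO_UDP, "203.0.113.7", "198.51.100.9",
                         struct.pack("!HHHH", 49154, 53, 8, 0))


def describe(pkt: bytes) -> str:
    """One-line summary in the spirit of a firewall log entry, but unambiguous."""
    p = parse_ipv4(pkt)
    if p["kind"] == "ipv6-in-ipv4":
        tag = "6to4" if p["is_6to4"] else "6in4"
        return (f"proto 41 ({tag}) {p['src']} -> {p['dst']} carrying IPv6 "
                f"{p['inner_src']} -> {p['inner_dst']} next header {p['inner_next_header']}")
    if p["kind"] == "tcp":
        return f"proto 6 (TCP) {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
    return f"proto {p['proto']} {p['src']} -> {p['dst']}"


if __name__ == "__main__":
    for sample in (SAMPLE_6TO4, SAMPLE_TCP_PORT_41, SAMPLE_UDP):
        print(describe(sample))
```

A firewall that lists only a transport name and a number can confuse the two; the byte at offset 9 of the IPv4 header settles it. If it is 41 there is no port at all, the inner IPv6 source tells you which host is tunnelling, and a 2002::/16 inner address with a 192.88.99.1 outer destination is the normal 6to4 pattern rather than an application choosing an exotic endpoint.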
Thanks for the input, Neil. I am trying to turn it into a learning experience. I am very knowledgeable when it comes to Linux and computers. I do my best to make sure my Windows machines don't get infected (incoming and outgoing firewall, virus scanner, and I don't install anything I would consider dangerous).
I wonder, if it is a virus, why is it picking on BOINC binaries?
Should I stop all BOINC work on my computer till I get it under control?
Really can't answer about Windows (I gave up using that after getting yet another virus) but do you run other applications that use network comms? If not, maybe it's just that your firewall software is reporting apps (like BOINC binaries) that it doesn't know about, when they try to use the Internet.
Your BOINC work appears to be validating ok so it seems the problem - whatever it is - isn't affecting that.
Any Windows people here who can help?
Thanks for checking my work units. I will just keep the network on lockdown until I wipe and re-install Windows (it gives me a reason to finally move it to an SSD).
I will keep investigating it just for fun, and as something new to play with.
There's another thread about Problems with comodo firewall, which is about signature verification. That might be related.
BM
I did read about that, but I have Comodo stripped down to just the firewall. No Defense+ (<--- super annoying).
Whatever the program is, it did talk to the internet over IPv6 (I captured the communications).
So it is not just Comodo Firewall. It really does talk with the internet (or something is masquerading as the work unit binary).
I've had a quick look at the BRP4 source code and can't see any code to make the kind of connection you're seeing. From my limited knowledge, I'd only expect it to communicate with the BOINC application itself, and for that to then communicate with the project servers (i.e. no direct network communication from the e@h binary itself) - someone correct me if I'm wrong.
Did you check the date and size of the .exe? You could take a copy of it, then re-install BOINC/e@h and compare the new binary with the old one.
Also have you tried looking at the packet in, say, Wireshark? It may give a breakdown that helps to explain its content.
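Both suggestions in this thread, comparing an md5sum against a known good copy from someone else and keeping a copy of the .exe to compare with a fresh re-install, come down to building a hash manifest of the application directory and diffing it. The following is an added example (not code from the thread, from BOINC or from Einstein@Home) that does that in Python. The directory contents are constructed inside demo(), and the file names app.exe, helper.dll and extra.dll are placeholders, not real BOINC files; the scenario is chosen to show why hashes are needed: a binary patched in place keeps its size and can keep its timestamp.

```python
# Added example, not code from the thread or from BOINC/Einstein@Home:
# record a SHA-256 manifest of an application directory and diff a later
# (or freshly re-installed) copy against it.  The directory contents are
# constructed inside demo(); app.exe/helper.dll/extra.dll are placeholders.
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Stream the file through the hash so large binaries need not fit in RAM."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> {sha256, size, mtime} for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return manifest


def diff_manifests(known_good: dict, observed: dict) -> dict:
    """Compare by hash only: size and mtime survive an in-place patch
    unchanged and prove nothing on their own."""
    result = {"modified": [], "missing": [], "unexpected": []}
    for rel, meta in known_good.items():
        if rel not in observed:
            result["missing"].append(rel)
        elif observed[rel]["sha256"] != meta["sha256"]:
            result["modified"].append(rel)
    result["unexpected"] = sorted(set(observed) - set(known_good))
    return result


def demo() -> dict:
    """Constructed scenario: 'fresh' is the reference install, 'live' the copy
    under suspicion.  In 'live', app.exe has one byte patched but the same
    size and timestamp, helper.dll is gone, and extra.dll has appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, live = Path(tmp, "fresh"), Path(tmp, "live")
        fresh.mkdir()
        live.mkdir()
        (fresh / "app.exe").write_bytes(b"MZ" + b"\x90" * 100)
        (live / "app.exe").write_bytes(b"MZ" + b"\x90" * 99 + b"\xcc")   # one byte patched
        (fresh / "helper.dll").write_bytes(b"MZ" + b"\x00" * 16)
        (live / "extra.dll").write_bytes(b"MZ" + b"\xff" * 16)
        stamp = 1_300_000_000                       # identical mtime on both app.exe
        for f in (fresh / "app.exe", live / "app.exe"):
            os.utime(f, (stamp, stamp))
        known_good = build_manifest(fresh)
        observed = build_manifest(live)
        return {
            "diff": diff_manifests(known_good, observed),
            "app_size_matches": known_good["app.exe"]["size"] == observed["app.exe"]["size"],
            "app_mtime_matches": known_good["app.exe"]["mtime"] == observed["app.exe"]["mtime"],
        }


if __name__ == "__main__":
    print(demo())
```

The reference manifest has to come from somewhere you trust (a fresh download, or the copy another user hashes for you), not from the suspect machine's own files. To produce a single digest on Windows for posting in a thread like this one, `certutil -hashfile <file> SHA256` or PowerShell's `Get-FileHash <file>` gives the same value this script computes.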
OK, now a new side to the problem. Got some new computer gear to upgrade my desktop. Complete fresh install, and moved to an SSD.
http://dl.dropbox.com/u/11454916/log.htm
Started the install with firewall and anti-virus. Everything installed on this computer was a fresh download.
Installed BOINC yesterday, the 1st. Today I installed VirtualBox, and the firewall hits happened a bit after that. Don't know if they are related. I disabled the VirtualBox host-only virtual network adapter to see if that does anything.
Looking at the two IP addresses that are being hit, one is arin.net and the other is tvc-ip.com (as covered before). As you've done a fresh install, it seems quite possible that Comodo is misleading you and the underlying cause is that your ISP is intercepting your traffic.
This post may be useful - anything in it ring any bells?
I tried it with a Google search.
One of the results was
http://www.ipaddressden.com/ip/198.105.251.17.html
This one seems to be a location in Boulder, Colorado.
utrace gives the same result.
http://www.netinfo.org.ua/198.105.251.17.htm
gives more info.