Quick question. Binary is trying to connect out on port 41

teslatech
Joined: 29 Jan 11
Posts: 14
Credit: 50724666
RAC: 0
Topic 196746

Lately I have been seeing the einstein@home binary trying to talk out over port 41. This is not boinc, but the program binary running. I am wondering why it needs to do this while it is running?

Just want to make sure this is normal operation and not something injected into the binary without anyone knowing.

edit to fix spelling

Neil Newell
Joined: 20 Nov 12
Posts: 176
Credit: 169699457
RAC: 0

Sounds odd - what makes you think it's the e@h binary, and where is it trying to connect to?

On most OSes you need admin privileges to use ports below 1024 (no idea about Windows though).

Also highly unlikely to be something nasty injected into the binary, since I understand they are generally signed by a private key on a non-connected host (and I'd be confident that E@H are doing this properly).

Khangollo
Joined: 17 Feb 11
Posts: 42
Credit: 928047659
RAC: 0

The limit is, non-root can't open a port below 1024 for listening, not for connecting to.

Are you sure you're not using some proxy that happens to be on port 41? Check Options... in your BOINC manager.

tcp 1 0 192.168.99.7:50709 192.168.99.1:3128 CLOSE_WAIT 6895/einstein_S6LV1

netstat -nap shows me that einstein subprocesses do indeed make http connections to project servers (according to proxy's logs). (In my case, 192.168.99.1:3128 is an HTTP proxy I'm using.)

Michael Karlinsky
Joined: 22 Jan 05
Posts: 888
Credit: 23502182
RAC: 0

educated guess

michael@kyle:~> cat /etc/services | grep " 41/"
graphics 41/tcp # Graphics
graphics 41/udp # Graphics

screensaver?

teslatech
Joined: 29 Jan 11
Posts: 14
Credit: 50724666
RAC: 0

I'm on a Windows machine.

This is a single log from the firewall

C:\ProgramData\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_BRP4_1.22_windows_intelx86__BRP4SSE.exe Asked Out IPV6 192.168.1.121 66.152.109.104

When the firewall pops up it says that binary is trying to connect out on port 41.

It just seems odd, that is why I am asking here. I block it and everything still seems to work.

Mike Hewson
Moderator
Joined: 1 Dec 05
Posts: 6534
Credit: 284727526
RAC: 105878

My lookup on port 41 uses is 'graphics services' and 'data exchange', but also 'denial of service attacks' alas ....

Cheers, Mike.

I have made this letter longer than usual because I lack the time to make it shorter ...

... and my other CPU is a Ryzen 5950X :-) Blaise Pascal

Neil Newell
Joined: 20 Nov 12
Posts: 176
Credit: 169699457
RAC: 0

Quote:
The limit is, non-root can't open port for listening below 1024, not connecting to.

Indeed; but "over port 41" doesn't make it clear which end.

Quote:
C:\ProgramData\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_BRP4_1.22_windows_intelx86__BRP4SSE.exe Asked Out IPV6 192.168.1.121 66.152.109.104

I tried a telnet to the IP address on port 41, but no connection. It is however running nginx on port 80, redirecting users to suddenlink.net (some sort of broken link catcher). The IP address resolves back to tvc-ip.com, which seems to belong to tvconline.net (quite possibly a customer of theirs).

Could the warning have said protocol 41 rather than port 41? Because that's IPv6 encapsulation (hence 'IPV6' in the log message).

If it was port 41, the bad news is there is a Trojan known as "win32.deepthroat" or "Foreplay" that uses port 41. If so, it's unlikely it arrived in the BRP4 exe - could be a cross-infection?

teslatech
Joined: 29 Jan 11
Posts: 14
Credit: 50724666
RAC: 0

I checked back through all of my firewall logs and it seems it happened on the milkyway@home binary too.

There may be signs that there is something bad on this desktop.

It seems both e@home and milky@home try to connect to two IP addresses.

66.152.109.104
and
198.105.251.17

It is random which IP it tries to connect to.

I apologize as I am realizing this is not just an e@home problem.

I will pay attention to see if it is saying "protocol 41" or port.

Thank you for your help.

teslatech
Joined: 29 Jan 11
Posts: 14
Credit: 50724666
RAC: 0

I know this is e@home, but this time the firewall came up with the milkyway@home binary trying to connect. (I first noticed it with e@home, so that is why I thought it was it.)

I hate Windows..... I have a feeling my machine is infected, but virus scan shows nothing.

teslatech
Joined: 29 Jan 11
Posts: 14
Credit: 50724666
RAC: 0

Ok, one more post for right now.
Here is the hit from e@home.

I did nmap on the two IP addresses.

Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-17 17:47 CST
Nmap scan report for 66-152-109-104.tvc-ip.com (66.152.109.104)
Host is up (0.066s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32

Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-17 17:50 CST
Nmap scan report for 198.105.251.17
Host is up (0.070s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
Device type: general purpose|WAP|storage-misc
Running (JUST GUESSING): Linux 3.X|2.6.X|2.4.X (95%), Linksys Linux 2.4.X (90%), HP embedded (90%), Encore embedded (88%), EnGenius embedded (88%), Netgear embedded (87%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linksys:linux:2.4 cpe:/o:linux:linux_kernel:2.4 cpe:/h:hp:p2000_g3 cpe:/h:engenius:esr-9752 cpe:/h:netgear:dg834g
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 (93%), Linux 2.6.38 (93%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), HP P2000 G3 NAS device (90%), Linux 2.4.18 (88%), Encore 3G or EnGenius ESR-9752 WAP (88%), Linux 2.6.19 - 2.6.32 (88%)
No exact OS matches for host (test conditions non-ideal).

I'm thinking of letting it connect and grabbing the TCP frames it sends out and dissecting them

teslatech
Joined: 29 Jan 11
Posts: 14
Credit: 50724666
RAC: 0

More info for those willing to help me.

It is a 6to4 conversion. I have not worked with IPv6 yet, so I did not understand it.

If anyone wants, I captured the communications with Wireshark.

I had to turn on filtering of IPv6 for Comodo. Now it says the address it is trying to connect to is fe80::f0ce:11b4:66c1:7c10

It uses PNRP and then switches to TCP packets.

If anyone would like I could post the pcap file.

I found plain text in a couple of the packets....

America Online Inc.1604..U...-America Online Root Certification Authority 1..0}1.0...U....IL1.0...U....StartCom Ltd.1+0)..U..."Secure Digital Certificate Signing1)0'..U... StartCom Certification Authority.Ã0.Ê1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U.....U...7www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%

Don't know what it all means, but I am trying.
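To make Neil's protocol-41-versus-port-41 point and the 6to4 finding above concrete, here is an added Python example (not from the thread, BOINC, or either project) that decodes a constructed IPv4 packet and reports whether it is IPv6 encapsulated in IPv4 (IP protocol 41, with the far end's IPv4 address embedded in a 2002::/16 6to4 destination) or an ordinary TCP/UDP connection to port 41. The packet bytes are constructed inline; the addresses simply reuse the ones quoted in the thread.

```python
import struct
import ipaddress

def ipv4_packet(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def ipv6_packet(next_hdr, src, dst, payload):
    """Minimal IPv6 header (hop limit 64) in front of payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload

def tcp_syn(sport, dport):
    """Minimal TCP SYN header: data offset 5, flags=SYN, window 8192, checksum 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def classify(pkt):
    """Tell IP protocol 41 (IPv6-in-IPv4) apart from a TCP/UDP connection to port 41."""
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = pkt[9]                             # the IPv4 'protocol' field, not a port
    info = {"outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "ip_protocol": proto}
    if proto == 41:
        inner = pkt[ihl:]                      # the encapsulated IPv6 header starts here
        inner_dst = ipaddress.IPv6Address(inner[24:40])
        info.update(kind="ipv6-in-ipv4 (protocol 41)",
                    inner_src=str(ipaddress.IPv6Address(inner[8:24])),
                    inner_dst=str(inner_dst), inner_next_header=inner[6])
        if inner_dst in ipaddress.IPv6Network("2002::/16"):
            # 6to4: bytes 2..5 of the IPv6 address carry the far end's IPv4 address
            info["6to4_embedded_ipv4"] = str(ipaddress.IPv4Address(inner[26:30]))
    elif proto in (6, 17):
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info.update(kind="tcp" if proto == 6 else "udp", dst_port=dport, port_41=(dport == 41))
    else:
        info["kind"] = "other"
    return info

# Constructed samples (not the thread's capture); addresses reuse the ones quoted in the thread.
# 1) 6to4 traffic: outer IPv4 to 66.152.109.104, inner IPv6 to 2002:4298:6d68::1 (that IPv4 in hex).
SAMPLE_6IN4 = ipv4_packet(41, "192.168.1.121", "66.152.109.104",
                          ipv6_packet(6, "2002:c0a8:179::1", "2002:4298:6d68::1", tcp_syn(50709, 80)))
# 2) A genuine connection to TCP port 41 on the same host.
SAMPLE_TCP41 = ipv4_packet(6, "192.168.1.121", "66.152.109.104", tcp_syn(50709, 41))

if __name__ == "__main__":
    for p in (SAMPLE_6IN4, SAMPLE_TCP41):
        print(classify(p))
```

A firewall that reports protocol 41 as "port 41" will produce the first kind of entry for every 6to4 packet, which is why the inner IPv6 destination, not the outer IPv4 one, is what to check.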
