Has the network been compromised

Hi,

Just got the following from my firewall.

Only got port 8444 open.


There was an incident where they snuck malware links into the wiki. Is it possible you installed that version? It was about 2 weeks ago I think.

I downloaded it from Releases · Chia-Network/chia-blockchain · GitHub

When you downloaded it, did it download as a .exe file or a .rar file? Should be easy to check, look in your downloads. If it was a .rar, you got the malicious download. Uninstall it and do it again. If .exe, you are good.

Seeing issues like this incoming would be no big deal. UPnP is not a dedicated port for just Chia. It is a standard port. But that appears to be coming from you. Outbound. If that is the case:

  1. You have the bad software and it is doing bad things (but if this was the case, it would have been reporting these events from day one of the install).

  2. Your firewall is just creating a false positive.

  3. You have a trojan on your system that has nothing to do with Chia and is also using the UPnP port.

My bet is #3.

The download file is a .exe

I have Kaspersky (I am aware that this doesn’t necessarily mean the machine is protected) installed on the machine, so I assume if it was a trojan, Kaspersky maybe should have picked it up already, knowing how quickly they update their DB. Also UPnP is disabled on the router.

I have been monitoring the network and have not seen it happen again. So not sure if it’s a false positive.

Everyone has their antivirus preference so I won’t get into that.

Here is information on that threat so if you want to look around in your folders to see if you have it, you can.

https://www.virusradar.com/en/Win32_TrickBot.V/description

Also, you may want to run a full scan of your system. If it was me, I would also throw another product at it just to make sure. Because antivirus products are not 100% effective. Download the free version of Malwarebytes (make sure you don’t agree to some free trial of their main product). Scan it and see if it finds anything.

If it were me, I would do all of the above. If it all came up clean, then I would feel alright.

Another simple thing to do would be to check your peer connections in your GUI and see if that IP and port are present.

It could be as simple as whoever now has that IP is running Chia with UPnP without 8444 port forwarding and they’re on your peer connections list.

Don’t take this as advice to not do a full system scan though.

I just did a full scan and found no viruses/trojans. Also I don’t see that connection in the GUI.

Did you look in the folders the article mentions? Anything there?

And when suspicious of something like this, don’t trust the antivirus that may have let it through. Always run another (it’s free, so why not).

But that is just my two cents. That is how far I go when I have a gut feeling something is up. This is from 11 years of owning/running an IT support company. So take it for what you think it’s worth.

I bet it is nothing, but you should always confirm.

I don’t have any folder or file within %appdata% called winapp. I agree with you. I am going to try digging a bit deeper and see what else I can find.


Your PC tried to connect to an IP known to have been used to run a botnet, which doesn’t necessarily mean your PC is compromised. Maybe some scammers are farming Chia… But to be safe, block the IP and run a scan.