Random IP connecting to "wallet"

After updating to 1.2.9 latest version, there are random IPs connecting to the “wallet” using
chia show -c
Not sure what’s going on.

Before this, only localhost (127.0.0.1) connected to the wallet, plus several full node peers.
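The check described in the opening post, as an added example that is not part of the original thread or of Chia's own code: it parses `chia show -c` output and groups WALLET connections by where the peer address sits (loopback, LAN, or external). The column layout is assumed from the CLI's usual output, the sample rows are constructed with documentation-range addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the column layout `chia show -c` is assumed to print.
# Addresses are documentation/private ranges; node IDs are made up.
SAMPLE = """\
Connections:
Type      IP                                     Ports       NodeID      Last Connect      MiB Up|Dwn
FULL_NODE 127.0.0.1                              8444/8444   0a1b2c3d... Aug 20 10:01:12      0.1|0.3
                                                 -SB Height:   762000    -Hash: 1f2e3d4c...
FARMER    127.0.0.1                              53311/8447  4d5e6f70... Aug 20 10:01:10      0.0|0.0
WALLET    127.0.0.1                              53320/8449  8899aabb... Aug 20 10:01:11      0.2|0.1
WALLET    203.0.113.57                           51234/8449  ccddeeff... Aug 20 10:14:45      1.9|0.0
FULL_NODE 198.51.100.23                          8444/8444   11223344... Aug 20 10:02:30      5.0|7.2
WALLET    192.168.1.40                           49822/8449  55667788... Aug 20 10:20:02      0.4|0.0
"""

# Explicit LAN ranges: ipaddress.is_private would also match documentation ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

def scope(ip):
    """Classify an address as 'loopback', 'lan' or 'external'."""
    if ip.is_loopback:
        return "loopback"
    if any(ip.version == net.version and ip in net for net in LAN_NETS):
        return "lan"
    return "external"

def parse_connections(text):
    """Yield (node_type, ip) per peer row; headers and '-SB Height' rows are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isupper():
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # second field is not an IP, so this is not a peer row
        yield parts[0], ip

def wallet_peers_by_scope(text):
    """Group the addresses of WALLET connections by scope."""
    result = {"loopback": [], "lan": [], "external": []}
    for node_type, ip in parse_connections(text):
        if node_type == "WALLET":
            result[scope(ip)].append(str(ip))
    return result

if __name__ == "__main__":
    print(wallet_peers_by_scope(SAMPLE))
```

To run it against a live node, pass the captured text of `chia show -c` to `wallet_peers_by_scope` in place of `SAMPLE`.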

Are you farming any forks and if so, which ones?

No fork. Only the original Chia. Win 10.

Probably just to do with newly added code; they’re only wallets connecting, it seems.

I have only ever had the one wallet connection and as far as I know there should be only one.

I would be seriously concerned.

I would suggest ruling out the scariest option first. Check for malware. I would suggest running a Malwarebytes scan in safe mode with networking. The free download is more than capable.

I have seen this many times, one or two wallet connections in my peers list. I have UPnP disabled and port 8444 forwarded on my router.

I scratched my head first time I saw it too, and was concerned. But eventually I just assumed it’s what happens when a peer syncs their wallet. Say if they’ve run farmer-no-wallet and are now syncing the wallet. How would the client software understand wallet connections unless they’re an official thing?

But I don’t know this for sure. And I do wonder how the connection is established when the wallet port (I forget which) isn’t forwarded on my router. Each transfer must be initiated by my client.

I run Malwarebytes regularly and never had a hit. I do run Flax on the side, but these wallet connections were there before.

I would love an official response from Chia or an involved dev. This question comes up regularly, but I’ve never seen any definitive responses.

Just saw a similar discussion on Reddit (looks to be the same OP) including one reply saying it’s totally normal when the local wallet connects to a full node.

Would still love confirmation from a Chia official, but that answer does make sense :slightly_smiling_face:

The thread you linked was started only 11 hours ago and there is only one comment saying it is not a problem from a peep who is probably incorrect.

I found a thread in the ChiaForum from May with a link to a more thorough but as yet unresolved conversation going on at Chia GitHub

which ends with, "

lvpcguru on May 24

So I have been doing some research on this. The only port inbound from the internet that you should allow is 8444; the others, like 8449 and 8447, can be opened to your remote harvester or GUI machines per the guides but never to the internet. There are a number of API ports that might inadvertently be exposed if you just blanket NAT your router to the full_node instead of just that one port.

I have taken to setting up the firewall to block all but the 8444 port inbound with holes poked for my local harvesters and management."


IMOP having random IPs connecting to your wallet is NOT normal.

I’m glad you pioneers download the newest releases and face these issues head on for us, I just wait :wink:

This issue is not version related. I find first mention of it in May.

I have never seen more than one wallet connection in my GUI and it is always connected locally to 127.0.0.1. My understanding and research indicate that having external IP wallet connections is wrong and scary.

I’d nvr paid attention, so I checked mine, 1 wallet, 1 harvester, lots of full nodes.

As @Aspy68 said, it is not version related. I’ve seen it from time to time going back months. Mostly just full nodes in the peer list (plus the local connections) then sometimes one or two wallet connections.

I am still not seeing anything official in any of the linked discussions, just speculation. But each with some logic. Like we do here.

Edit: Just to be more clear:

My router runs DD-WRT and is kept updated every few weeks, which I consider pretty safe. UPnP is disabled on the router, and only port 8444 (and 6888 for Flax) are forwarded.

That means the Wallet connection must be initiated from my client, not from the internet. I don’t know what makes my client initiate that connection, but I only see two ways: (1) My Chia client is infected with malware, or (2) the connection is by design on Chia’s part.

Since I download the Chia client from chia.net and verify its SHA256 I have some confidence it is not infected (though certainly that’s no guarantee). And I’ve always kept my PC pretty clean, as I use it for other critical work. Again, Malwarebytes does not detect anything. Chia runs in a separate user with no access outside its own user folder and the plot drives. (Yes, a VM would be even better.)

So unless I see something either official or very well founded, I am inclined to believe that Chia was designed this way.

Of course there is nothing in my hot wallet anyway, and no rewards will ever go there. I would probably be less sanguine if I had hundreds of XCH in there.

But I am NOT arguing strongly one way or the other. I would still love to see some official Chia comments on this.

I am concerned that this may be a serious issue, and the facts that you have a clean installation and have not farmed forks give a bit more indication that this may be a bug or even an exploit.

I would take your problem to the Chia Team support category at Keybase.

I always download the install file from GitHub itself: GitHub - Chia-Network/chia-blockchain: Chia blockchain python implementation (full node, farmer, harvester, timelord, and wallet)
Never ever download from other sources. My setup is also relatively safe, without much software.

One follow up - I’ve closed down the 8444 port forward rule in my router and this problem is gone.

@Aspy68 Do you mind sharing the follow-up, if there is any?

You will need to look to AnyFarmer for followup. I cannot take his problem to Keybase.

I don’t have a Keybase account and no plans to create one atm. I am not the OP.

For now I am inclined to believe the two posters on Reddit who provided benign explanations, saying essentially that these connections occur when wallets without up-to-date local full nodes (or without full nodes at all) connect to full nodes on the internet for syncing.

But once again, I am not arguing very strongly, as I don’t have the facts to do so.

And I would be very interested in any chia responses, either here or on Reddit. Or pointers to research based on input from chia devs or other authoritative sources. We can all speculate, but that’s all it is for now. IMHO.

Edit: Geez, I am like Columbo, always forgetting something: For my part, I use “chia start farmer-no-wallet” most of the time, and I don’t think these connections can happen without the wallet daemon. That’s another reason I am not freaking out over this. But I WILL if I see solid evidence that I should.

Getting on Keybase is easy. You just have to install Keybase and join the Chia team.

Only the peep with the problem should post in support. The team will have questions that only you can answer.

You would probably have an answer in minutes and this would be of great service to the ChiaForum community! :sunglasses:

:back: :on: :top: :soon:

That’s the thing, I don’t want to install more software on my PC than I have to. It is primarily used for futures market trading and analysis.

My chia farm is merely two 6TB disks I managed to get from Walmart for $30 each, since the PC is already running 24/7. So I’ll let others who are more heavily invested take the lead. I just wanted to share my experience in this thread, that’s all.
