I am concerned that something is wrong with my pNode unit. Could it be infected, or is it supposed to be doing this? Here are four highlights from the things I noticed.
- Trend Micro AiProtection Infected Device Prevention and Blocking has flagged the device 51 times and blocked the communication to a hostname. Its report states botnet C&C Server with a destination of aa.hostasa.org.
- Network stability. My home network stability is reduced with the node plugged in. It has periodic dropouts where it loses internet connection. For example, I can leave a streaming service running; while it's constantly buffering, if I unplug the node unit, the buffering immediately disappears, streaming resumes and the network issues disappear. I'm wondering if it has anything to do with point 4 below.
- The traffic analyzer of the router has found these comms from the device. Some of these seem curious to me: BackOrifice, 56.com, QQ? (This is a copy and paste, sorry it's hard to read.)
Client Name: theminer

App Name | Upload | Download | Total
---|---|---|---
General | 259.93 MB | 2.45 GB | 2.70 GB
DNS | 1.94 MB | 2.40 MB | 4.34 MB
HTTP Protocol over TLS SSL | 1.38 MB | 1.94 MB | 3.32 MB
KNOwShowGo P2P | 208.53 KB | 163.36 KB | 371.89 KB
World Wide Web HTTP | 101.08 KB | 56.04 KB | 157.12 KB
L2TP | 3.51 KB | 14.52 KB | 18.03 KB
blackjack | 11.10 KB | 3.27 KB | 14.36 KB
PowerFolder | 6.07 KB | 5.09 KB | 11.16 KB
PPTV (PPLive) | 5.75 KB | 4.83 KB | 10.58 KB
Google APIs(SSL) | 1.50 KB | 8.79 KB | 10.29 KB
Windows RPC | 7.97 KB | 738.00 Bytes | 8.69 KB
HTTP | 4.17 KB | 302.00 Bytes | 4.47 KB
QQ/TM | 2.67 KB | 1.22 KB | 3.89 KB
NFS | 1.44 KB | 1.83 KB | 3.26 KB
Network Time Protocol | 1.26 KB | 1.26 KB | 2.52 KB
Vagaa | 175.00 Bytes | 2.00 KB | 2.17 KB
WCCP | 1.84 KB | 177.00 Bytes | 2.01 KB
Sina Video | 177.00 Bytes | 1.65 KB | 1.83 KB
BackOrifice | 471.00 Bytes | 555.00 Bytes | 1.00 KB
NetPanzer | 942.00 Bytes | 0.00 Bytes | 942.00 Bytes
QQ Private Protocol | 328.00 Bytes | 380.00 Bytes | 708.00 Bytes
56.com | 129.00 Bytes | 273.00 Bytes | 402.00 Bytes
OpenVPN | 157.00 Bytes | 185.00 Bytes | 342.00 Bytes
Microsoft WINS | 155.00 Bytes | 183.00 Bytes | 338.00 Bytes
OpenTTD | 157.00 Bytes | 0.00 Bytes | 157.00 Bytes
msantipiracy | | |
- Active connections log is FILLED UP with between 3,000 and 4,000 SYN_SENT connections from the MAC/IP associated with the node. I think it's maxing out my router, which has plenty of RAM. The SYN_SENT entries run to pages and pages in my active connection log, but they look like this: all connections being left open to just two or three IPs at port 80, over 3,000 connections at one time from the pNode. This is just a partial list, cut and paste.
Proto | Local IP | Local Port | Remote IP | Remote Port | State |
---|---|---|---|---|---|
tcp | 192.168.XX.XXX | 33016 | 51.68.183.108 | 1430 | ESTABLISHED |
tcp | 192.168.XX.XXX | 59585 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 390 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 9534 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 5096 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 28507 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 22596 | 42.194.243.183 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 54843 | 42.194.243.183 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 37909 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 21144 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 600 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 58139 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 38745 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 9811 | 42.194.243.183 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 49832 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 28288 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 32766 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 26593 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 698 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 49215 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 10354 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 3116 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 48491 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 25212 | 42.194.243.183 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 8070 | 42.194.243.183 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 30982 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 8182 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 12086 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 63888 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 48840 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 22871 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 35011 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 54136 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 55668 | 42.194.243.183 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 64246 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 41453 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 63169 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 19469 | 42.194.243.183 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 32799 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 6940 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 10593 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 46321 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 9837 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 1008 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 52533 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 58226 | 42.194.243.183 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 38601 | 110.42.6.27 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 27700 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 3076 | 47.242.107.63 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 19156 | 42.194.243.183 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 60701 | 8.210.72.91 | 80 | SYN_SENT |
tcp | 192.168.XX.XXX | 60806 | 47.242.107.63 | 80 | SYN_SENT |
Summary: I monitored this over a period of time, on multiple days and with time in between, to make sure it wasn't an anomaly. Every time I check the active connections, the table looks like what I have shown above. I have screenshots of all of these items. I'm very concerned about what my pNode is doing, so much so that I cannot in good conscience leave this on my network.
Can someone help me understand whether this is all normal communication, or am I worried for nothing?
Thank you.
EDIT: replaced local IP with XX.XXX in the table for privacy.
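An added example, not part of the original post and not code from the router vendor or the node project: a small Python parser for the kind of active-connections table pasted above. It assumes the column order shown in the post (protocol | local IP | local port | remote IP | remote port | state) and uses constructed sample rows with TEST-NET addresses rather than the post's own. It separates the two shapes that matter when reading such a table: many half-open (SYN_SENT) connections to a handful of endpoints, which is what the post shows, versus many half-open connections spread over many endpoints, which is the scanning shape.

```python
"""Summarise half-open (SYN_SENT) entries from a router active-connections table.

Added example; the row layout mirrors the post's table, but the rows below are
constructed with TEST-NET addresses and are not copied from the post.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one established flow, a burst of SYN_SENT from one LAN host to
# three remote IPs on port 80, and a lone SYN_SENT from a second host for contrast.
SAMPLE_TABLE = """\
tcp | 192.168.1.50 | 33016 | 203.0.113.10 | 1430 | ESTABLISHED |
---|---|---|---|---|---|
tcp | 192.168.1.50 | 59585 | 198.51.100.7 | 80 | SYN_SENT |
tcp | 192.168.1.50 | 390 | 198.51.100.8 | 80 | SYN_SENT |
tcp | 192.168.1.50 | 9534 | 198.51.100.9 | 80 | SYN_SENT |
tcp | 192.168.1.50 | 5096 | 198.51.100.9 | 80 | SYN_SENT |
tcp | 192.168.1.50 | 28507 | 198.51.100.8 | 80 | SYN_SENT |
tcp | 192.168.1.50 | 22596 | 198.51.100.7 | 80 | SYN_SENT |
tcp | 192.168.1.50 | 54843 | 198.51.100.9 | 80 | SYN_SENT |
tcp | 192.168.1.50 | 37909 | 198.51.100.9 | 80 | SYN_SENT |
tcp | 192.168.1.20 | 44100 | 203.0.113.25 | 80 | SYN_SENT |
tcp | 192.168.1.20 | 44101 | 203.0.113.25 | 443 | ESTABLISHED |
"""

# Assumed column order: proto | src | sport | dst | dport | state (trailing pipe optional).
ROW_RE = re.compile(
    r"^\s*(?P<proto>tcp|udp)\s*\|\s*(?P<src>[\d.]+)\s*\|\s*(?P<sport>\d+)\s*\|"
    r"\s*(?P<dst>[\d.]+)\s*\|\s*(?P<dport>\d+)\s*\|\s*(?P<state>[A-Z_]+)\s*\|?\s*$"
)


def parse_rows(text):
    """Return one dict per parsable row; separator lines and junk are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        rows.append(d)
    return rows


def syn_sent_profile(rows):
    """Per LAN source: SYN_SENT count, number of distinct remote endpoints hit, and
    the three most-hit endpoints. Many SYN_SENT to few endpoints means the host keeps
    retrying a server that is not answering; many SYN_SENT to many endpoints looks
    like a scan."""
    per_src = defaultdict(Counter)
    for r in rows:
        if r["state"] == "SYN_SENT":
            per_src[r["src"]][(r["dst"], r["dport"])] += 1
    profile = {}
    for src, endpoints in per_src.items():
        profile[src] = {
            "syn_sent": sum(endpoints.values()),
            "distinct_endpoints": len(endpoints),
            "top": endpoints.most_common(3),
        }
    return profile


def flag_half_open(rows, threshold=3):
    """Return (src, dst, dport, count) for every src->endpoint pair with at least
    `threshold` simultaneous SYN_SENT entries, highest count first."""
    counts = Counter(
        (r["src"], r["dst"], r["dport"]) for r in rows if r["state"] == "SYN_SENT"
    )
    hits = [(s, d, p, n) for (s, d, p), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[3], h[0], h[1], h[2]))


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    for src, p in syn_sent_profile(rows).items():
        print(f"{src}: {p['syn_sent']} SYN_SENT to {p['distinct_endpoints']} endpoint(s), top {p['top']}")
    for src, dst, dport, n in flag_half_open(rows):
        print(f"FLAG {src} -> {dst}:{dport} has {n} half-open connections")
```

On a real export, paste the router's table into `SAMPLE_TABLE` (or read it from a file) and raise `threshold` to something like 50; the post's figures (thousands of SYN_SENT from one host to two or three IPs on port 80) would show up as a single source with a very high `syn_sent` count but a `distinct_endpoints` value of 2 or 3, which is the retry pattern rather than the scan pattern.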