gnar1ta$ (OP)
Donator
Hero Member
 Offline
Activity: 798
Merit: 500
|
 |
November 04, 2011, 04:49:35 PM
Last edit: November 13, 2011, 04:40:49 PM by gnar1ta$ |
|
Got this today from my firewall when I started client 0.4.0 on OS X:
"Bitcoin wants to connect to �store.esellerate.net� on TCP port 443 (https) IP 209.87.181.216"
Is this normal? I haven't seen it before.
|
Losing hundreds of Bitcoins with the best scammers in the business - BFL, Avalon, KNC, HashFast.
|
|
|
|
|
|
|
|
Even in the event that an attacker gains more than 50% of the network's
computational power, only transactions sent by the attacker could be
reversed or double-spent. The network would not be destroyed.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
November 13, 2011, 06:04:54 PM |
|
I don't think there is any reason the Bitcoin client would attempt to make an outgoing connection on port 443 unless you are specifically telling it to do so through settings (rpcconnect, rpcssl) in your Bitcoin.conf
Are you using a stock Bitcoin.conf?
Where did you get that binary build from?
|
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
November 13, 2011, 06:38:23 PM |
|
That domain belongs to Digital River, a company who, among other things, does third party software activations. Really strange.
|
|
|
|
|
|
bulanula
|
|
November 13, 2011, 06:41:58 PM |
|
That domain belongs to Digital River, a company who, among other things, does third party software activations. Really strange.
Maybe Gavin used that to prevent piracy with the Oracle license  ? |
|
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
November 13, 2011, 06:55:09 PM |
|
That domain belongs to Digital River, a company who, among other things, does third party software activations. Really strange.
Maybe Gavin used that to prevent piracy with the Oracle license ? Well, I would freak out if my Bitcoin client was connecting to that domain, no matter the reason. The real question here is: Where da f*** did the OP got the binary from? |
|
|
|
|
gnar1ta$ (OP)
Donator
Hero Member
Offline
Activity: 798
Merit: 500
|
|
November 13, 2011, 07:05:44 PM |
|
It's the stock client from the Bitcoin.org website. Just downloaded and installed, no compiling or third party sources. If it's something malicious it may be happening to others without them noticing. It isn't detected by the system firewall. I use a network monitor/outgoing connection firewall that catches it.
|
Losing hundreds of Bitcoins with the best scammers in the business - BFL, Avalon, KNC, HashFast.
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
November 13, 2011, 07:25:11 PM |
|
Well, that makes things even more strange. That's an HTTP SSL connection, no reason whatsoever for the Bitcoin client to open it, even if that IP was a node, which would make the port and type of connection different.
|
|
|
|
|
|
bulanula
|
|
November 13, 2011, 07:27:46 PM |
|
It's the stock client from the Bitcoin.org website. Just downloaded and installed, no compiling or third party sources. If it's something malicious it may be happening to others without them noticing. It isn't detected by the system firewall. I use a network monitor/outgoing connection firewall that catches it.
We are in deep trouble then. From official website ? Maybe it has backdoor !? |
|
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
November 13, 2011, 07:34:43 PM |
|
It's the stock client from the Bitcoin.org website. Just downloaded and installed, no compiling or third party sources. If it's something malicious it may be happening to others without them noticing. It isn't detected by the system firewall. I use a network monitor/outgoing connection firewall that catches it.
We are in deep trouble then. From official website ? Maybe it has backdoor !? Too bad I don't have even a Mac VM or I would try it. Will wireshark my 0.3.24 on linux and see if it does the same. Maybe I can use wireshark to monitor the 0.4.0 that I have installed on my windows machine. |
|
|
|
|
odysseus654
Newbie
Offline
Activity: 44
Merit: 0
|
|
November 13, 2011, 11:51:57 PM |
|
If you have ProcessExplorer, maybe grab a stack trace and see where the request originated from? Run Fiddler2 in MITM-attack mode and see what it's sending?
It's possible that it's not the official client technically making this connection anyhow, perhaps there is a DLL inside the process that is initiating this action. Your anti-virus/anti-adware up to date?
|
|
|
|
|
gnar1ta$ (OP)
Donator
Hero Member
Offline
Activity: 798
Merit: 500
|
|
November 14, 2011, 12:24:44 AM |
|
If you have ProcessExplorer, maybe grab a stack trace and see where the request originated from? Run Fiddler2 in MITM-attack mode and see what it's sending?
It's possible that it's not the official client technically making this connection anyhow, perhaps there is a DLL inside the process that is initiating this action. Your anti-virus/anti-adware up to date?
It's a mac...don't have ati-virus/anti-adware. Haven't needed it before, but after this and reviewing my sshd logs (didn't have deny hosts set up properly) I think I'll install Eset. |
Losing hundreds of Bitcoins with the best scammers in the business - BFL, Avalon, KNC, HashFast.
|
|
|
paraipan
In memoriam
Legendary
Offline
Activity: 924
Merit: 1004
Firstbits: 1pirata
|
|
November 14, 2011, 12:24:54 AM |
|
could be the "dnsseed" ? stackexchange |
BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
|
|
|
|
