Nmap indicates that "telepathstart" and "telepathattack" are listening on ports 5010 and 5011 of my Linux box. What are these?

Question

I have a linux box on my network which, according to Nmap, contains two services called telepathstart and telepathattack listening on ports 5010 and 5011.

From the same box, I am receiving inbound requests to my computer on port 113, which my firewall is blocking.

This page lists both of these services listening on these ports as Solo and OOTLT, is this accurate? Should I be concerned?

The name of telepathattack is what gave me cause for concern, has anybody heard of this? What does it do?

Thanks

Answer 1

The references on that page are explaining that Solo is known to use TCP port 5010, which is officially reserved for the TelepathStart protocol, and ditto for TCP 5011. If you look thru that list you'll see that lots of malware uses ports that are reserved for other services.

TelepathStart and TelepathAttack are properly listed with IANA as using those ports, so I would expect them to be benign. Let's investigate what runs on those ports. IANA writes:

• Ports: 5010 / 5011
• Service names: telelpathstart / telelpathattack
• Descriptions: TelepathStart / TelepathAttack
• Assignee: Helmuth Breitenfellner

I suppose the contact's email address was hbreitenf@vnet.ibm.com at the time.

A Google search for [ helmuth breitenfellner telepath ] leads us to discover that Helmuth Breitenfellner ported the code of the messaging platform (TelePath) of IBM FlowMark (a workflow-management system) to AIX RS6000.

Sandy Kemsley writes that FlowMark was later rebranded as MQSeries Workflow, and is now WebSphere MQ Workflow.

Is your box running WebSphere MQ Workflow?

If not, then here are three thoughts:

• Today is a good day to run some malware scans.
• You might want to poke at nmap's options a little, and see how much confidence it's service detection has about what's listening on those ports. Maybe use --version-intensity 9, for example.
• You could also try the old sysadmin trick of blocking it, and seeing what breaks.

Answer 2

NMAP might not be correct in the guessing of what service is running. I've seen it mistaken several times.

I would check the following things:

Run the following command to check the process of the listening ports.

netstat -tulpn 

Here is an example output:

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:7337 0.0.0.0:* LISTEN 863/postgres tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1670/sshd tcp6 0 0 ::1:7337 :::* LISTEN 863/postgres tcp6 0 0 :::22 :::* LISTEN 1670/sshd udp 0 0 0.0.0.0:68 0.0.0.0:* 551/dhclient3 

Here you can see that port 863 is postgres and 1670 is sshd.

I would also run these commands just to make sure:

lsof -i #Also lists listening programs nmap -sV <host ip> #nmap version detection grep 5010 /etc/services #linux's port to service name mapping 

Here is example output when I grepped for port 22

ssh 22/tcp # SSH Remote Login Protocol ssh 22/udp imap3 220/tcp # Interactive Mail Access imap3 220/udp # Protocol v3 xmpp-client 5222/tcp jabber-client # Jabber Client Connection xmpp-client 5222/udp jabber-client bpjava-msvc 13722/tcp # BP Java MSVC Protocol bpjava-msvc 13722/udp wnn6 22273/tcp # wnn6 wnn6 22273/udp xtell 4224/tcp # xtell server 

Answer 3

It's impossible for us to tell what program it is without looking at your computer. To do this yourself, run this:

sudo netstat -ntpl | grep -e ":5010" -e ":5011" 

The program you're looking for will be listed as the far-right field in the output.

^{Security note: never just blindly type in a command you read on the Internet. As always make sure you understand it first.}