
The references on that page are explaining that Solo is known to use TCP port 5010, which is officially reserved for the TelepathStart protocol, and ditto for TCP 5011. If you look thru that list you'll see that lots of malware uses ports that are reserved for other services.

TelepathStart and TelepathAttack are properly listed with IANA as using those ports, so I would expect them to be benign, although I've drawn a bit of a blank as to what those protocols actually are.

Let's investigate what runs on those ports. IANA writes:

  • Ports: 5010 / 5011
  • Service names: telelpathstart / telelpathattack
  • Descriptions: TelepathStart / TelepathAttack
  • Assignee: Helmuth Breitenfellner

I suppose the contact's email address was hbreitenf@vnet.ibm.com at the time.

A Google search for [ helmuth breitenfellner telepath ] leads us to discover that Helmuth Breitenfellner ported the code of the messaging platform (TelePath) of IBM FlowMark (a workflow-management system) to AIX RS6000.

Sandy Kemsley writes that FlowMark was later rebranded as MQSeries Workflow, and is now WebSphere MQ Workflow.

Is your box running WebSphere MQ Workflow?

If not, then here are three thoughts:

  • Today is a good day to run some malware scans.
  • You might want to poke at nmap's options a little, and see how much confidence its service detection has about what's listening on those ports. Maybe use --version-intensity 9, for example.
  • You could also try the old sysadmin trick of blocking it, and seeing what breaks.

The references on that page are explaining that Solo is known to use TCP port 5010, which is officially reserved for the TelepathStart protocol, and ditto for TCP 5011. If you look thru that list you'll see that lots of malware uses ports that are reserved for other services.

TelepathStart and TelepathAttack are properly listed with IANA as using those ports, so I would expect them to be benign, although I've drawn a bit of a blank as to what those protocols actually are.

  Let's look at port 5011. IANA writes:

  • Service name: telelpathattack
  • Description: TelepathAttack
  • Assignee: Helmuth Breitenfellner

I suppose the contact's email address was hbreitenf@vnet.ibm.com at the time.

A Google search for [ helmuth breitenfellner telepath ] leads us to discover that Helmuth Breitenfellner "ported networking code (TelePath) for IBM FlowMark" (a workflow-management system) "to AIX RS6000".

Sandy Kemsley writes that FlowMark was later rebranded as MQSeries Workflow, and is now WebSphere MQ Workflow.

How come your box is running this protocol?

Three thoughts:

  • Today is a good day to run some malware scans.
  • You might want to poke at nmap's options a little, and see how much confidence its service detection has about what's listening on those ports. Maybe use --version-intensity 9, for example.
  • You could also try the old sysadmin trick of blocking it, and seeing what breaks.

The references on that page are explaining that Solo is known to use TCP port 5010, which is officially reserved for the TelepathStart protocol, and ditto for TCP 5011. If you look thru that list you'll see that lots of malware uses ports that are reserved for other services.

TelepathStart and TelepathAttack are properly listed with IANA as using those ports, so I would expect them to be benign. Let's investigate what runs on those ports. IANA writes:

  • Ports: 5010 / 5011
  • Service names: telelpathstart / telelpathattack
  • Descriptions: TelepathStart / TelepathAttack
  • Assignee: Helmuth Breitenfellner

I suppose the contact's email address was hbreitenf@vnet.ibm.com at the time.

A Google search for [ helmuth breitenfellner telepath ] leads us to discover that Helmuth Breitenfellner ported the code of the messaging platform (TelePath) of IBM FlowMark (a workflow-management system) to AIX RS6000.

Sandy Kemsley writes that FlowMark was later rebranded as MQSeries Workflow, and is now WebSphere MQ Workflow.

Is your box running WebSphere MQ Workflow?

If not, then here are three thoughts:

  • Today is a good day to run some malware scans.
  • You might want to poke at nmap's options a little, and see how much confidence its service detection has about what's listening on those ports. Maybe use --version-intensity 9, for example.
  • You could also try the old sysadmin trick of blocking it, and seeing what breaks.

The references on that page are explaining that Solo is known to use TCP port 5010, which is officially reserved for the TelepathStart protocol, and ditto for TCP 5011. If you look thru that list you'll see that lots of malware uses ports that are reserved for other services.

TelepathStart and TelepathAttack are properly listed with IANA as using those ports, so I would expect them to be benign, although I've drawn a bit of a blank as to what those protocols actually are - IANA have a contact name on the registration that Google doesn't find.

Let's look at port 5011. IANA writes:

  • Service name: telelpathattack
  • Description: TelepathAttack
  • Assignee: Helmuth Breitenfellner

I suppose the contact's email address was hbreitenf@vnet.ibm.com at the time.

A Google search for [ helmuth breitenfellner telepath ] leads us to discover that Helmuth Breitenfellner "ported networking code (TelePath) for IBM FlowMark" (a workflow-management system) "to AIX RS6000".

Sandy Kemsley writes that FlowMark was later rebranded as MQSeries Workflow, and is now WebSphere MQ Workflow.

How come your box is running this protocol?

Three thoughts:

  • Today is a good day to run some malware scans.
  • You might want to poke at nmap's options a little, and see how much confidence its service detection has about what's listening on those ports. Maybe use --version-intensity 9, for example.
  • You could also try the old sysadmin trick of blocking it, and seeing what breaks.

The references on that page are explaining that Solo is known to use TCP port 5010, which is officially reserved for the TelepathStart protocol, and ditto for TCP 5011. If you look thru that list you'll see that lots of malware uses ports that are reserved for other services.

TelepathStart and TelepathAttack are properly listed with IANA as using those ports, so I would expect them to be benign, although I've drawn a bit of a blank as to what those protocols actually are - IANA have a contact name on the registration that Google doesn't find. I thought maybe the Telepathy framework that Linux IM apps use, but I don't think that requires any ports...

This is a little worrying, because while it's perfectly possible that these are old protocols that no-one uses any more, which is why Google doesn't have much on them, that then raises the question of how come your box is running them?

Three thoughts:

  • Today is a good day to run some malware scans.
  • You might want to poke at nmap's options a little, and see how much confidence its service detection has about what's listening on those ports. Maybe use --version-intensity 9, for example.
  • You could also try the old sysadmin trick of blocking it, and seeing what breaks.

Graham Hill
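
One way to act on the answer's question of why the box is listening on 5010/5011, as an added example that is not part of the original answer: map each listener on those ports to its owning process before (or alongside) the nmap version scan. It assumes Linux `ss -Htlnp` output with the local address in the fourth column; the sample lines and the process name `updsvc` are constructed.

```shell
#!/bin/sh
# Added example: triage listeners on the ports discussed above (5010/5011).
# Assumes the column layout of `ss -Htlnp` (iproute2, TCP only, no header).

# Constructed sample of `ss -Htlnp` output (not taken from a real host).
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:5010 0.0.0.0:* users:(("updsvc",pid=4411,fd=7))
LISTEN 0 5 [::]:5011 [::]:* users:(("updsvc",pid=4411,fd=8))
LISTEN 0 50 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
EOF
}

# listeners_on PORTS: read ss output on stdin and print "port process pid scope"
# for every listening socket whose local port is in the comma-separated list.
listeners_on() {
    awk -v ports="$1" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        laddr = $4
        port = laddr; sub(/.*:/, "", port)        # text after the last colon
        if (!(port in want)) next
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        scope = (addr == "127.0.0.1" || addr == "[::1]") ? "loopback" : "network"
        proc = "unknown"; pid = "-"               # users:() is absent without root
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        if (match($0, /pid=[0-9]+/))  pid  = substr($0, RSTART + 4, RLENGTH - 4)
        print port, proc, pid, scope
    }'
}

# Demo on the constructed sample.
sample_ss_output | listeners_on 5010,5011

# On a live host (run as root so the process column is filled in):
#   ss -Htlnp | listeners_on 5010,5011
#   nmap -sV --version-intensity 9 -p 5010,5011 127.0.0.1
```

A process name that is not the expected workflow product, or a binary under a temp or user-writable path (check `/proc/<pid>/exe`), is the cue to move on to the malware scan.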