The references on that page are explaining that Solo is known to use TCP port 5010, which is officially reserved for the TelepathStart protocol, and ditto for TCP 5011. If you look through that list you'll see that lots of malware uses ports that are reserved for other services.
TelepathStart and TelepathAttack are properly listed with IANA as using those ports, so I would expect them to be benign, although I've drawn a bit of a blank as to what those protocols actually are.
Let's look at port 5011. IANA writes:
- Service name: telelpathattack
- Description: TelepathAttack
- Assignee: Helmuth Breitenfellner
I suppose the contact's email address was hbreitenf@vnet.ibm.com at the time.
A Google search for [ helmuth breitenfellner telepath ] leads us to discover that Helmuth Breitenfellner "ported networking code (TelePath) for IBM FlowMark" (a workflow-management system) "to AIX RS6000".
Sandy Kemsley writes that FlowMark was later rebranded as MQSeries Workflow, and is now WebSphere MQ Workflow.
How come your box is running this protocol?
Three thoughts:
- Today is a good day to run some malware scans.
- You might want to poke at nmap's options a little, and see how much confidence its service detection has about what's listening on those ports. Maybe use `--version-intensity 9`, for example.
- You could also try the old sysadmin trick of blocking it, and seeing what breaks.
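
Nmap's XML output (`-oX`) records how each service name was derived, which is one way to read the confidence mentioned above: `method="table"` means the name was only looked up by port number, while `method="probed"` means a version probe matched a fingerprint. The script below is an added example, not part of the original answer; the sample XML, the address and the function name `classify_services` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV --version-intensity 9 -oX -` output.
# The address and service values are made up for illustration.
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="5010"><state state="open"/>
    <service name="telelpathstart" method="table" conf="3"/></port>
   <port protocol="tcp" portid="5011"><state state="open"/>
    <service name="telelpathattack" method="table" conf="3"/></port>
   <port protocol="tcp" portid="5012"><state state="closed"/></port>
  </ports>
 </host>
</nmaprun>"""


def classify_services(xml_text):
    """Return (addr, port, name, method, conf, verdict) for every open port.

    method="probed" means a version probe matched a fingerprint;
    method="table" means the name was only looked up by port number.
    """
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            # An open port with no <service> element has no identification at all.
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            method = svc.get("method", "none") if svc is not None else "none"
            conf = int(svc.get("conf", "0")) if svc is not None else 0
            verdict = "fingerprinted" if method == "probed" else "port-number guess"
            rows.append((addr, int(port.get("portid")), name, method, conf, verdict))
    return rows


if __name__ == "__main__":
    for row in classify_services(SAMPLE_XML):
        print("{}:{} {} method={} conf={} -> {}".format(*row))
```

A port that still comes back as a port-number guess after a high-intensity version scan has not been identified by nmap, so the process that owns the listening socket has to be checked on the host itself.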