🚦 Malwarebytes warning

Why does it happen, and also is it safe to exclude it in MB?

My Portuguese skills are limited to the core that French and Portuguese share; if you could copy-paste the text instead of sending screenshots it would help a lot.

As far as I can tell Malwarebytes flagged the connection, not the binary. Kubo runs a P2P daemon; you connect to a whole lot of machines while doing this. These are public P2P connections and should not have any impact.
If I ID the remote node it looks like a normal Kubo node:

$ ipfs id 12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575 | jq
{
  "ID": "12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
  "PublicKey": "CAESIPhWauOHf828a0R7hQbtI9SZgG2WunenwJ1KAgshKsbo",
  "Addresses": [
    "/ip4/127.0.0.1/tcp/4001/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
    "/ip4/127.0.0.1/udp/4001/quic-v1/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
    "/ip4/127.0.0.1/udp/4001/quic-v1/webtransport/certhash/uEiCY3au5_nhZJSyVBwj68_KHIYUDNcpxTVz2CDcJQeJmwQ/certhash/uEiDXMq2iq27Vmsynu5MfyzHudVPMzaFQrgkSEGrPqyzaWA/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
    "/ip4/127.0.0.1/udp/4001/quic/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
    "/ip4/45.63.61.189/tcp/4001/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
    "/ip4/45.63.61.189/udp/4001/quic-v1/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
    "/ip4/45.63.61.189/udp/4001/quic/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
    "/ip6/::1/tcp/4001/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
    "/ip6/::1/udp/4001/quic-v1/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
    "/ip6/::1/udp/4001/quic-v1/webtransport/certhash/uEiCY3au5_nhZJSyVBwj68_KHIYUDNcpxTVz2CDcJQeJmwQ/certhash/uEiDXMq2iq27Vmsynu5MfyzHudVPMzaFQrgkSEGrPqyzaWA/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575",
    "/ip6/::1/udp/4001/quic/p2p/12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575"
  ],
  "AgentVersion": "kubo/0.18.1/675f8bd/docker",
  "ProtocolVersion": "ipfs/0.1.0",
  "Protocols": [
    "/ipfs/bitswap",
    "/ipfs/bitswap/1.0.0",
    "/ipfs/bitswap/1.1.0",
    "/ipfs/bitswap/1.2.0",
    "/ipfs/id/1.0.0",
    "/ipfs/id/push/1.0.0",
    "/ipfs/kad/1.0.0",
    "/ipfs/lan/kad/1.0.0",
    "/ipfs/ping/1.0.0",
    "/libp2p/autonat/1.0.0",
    "/libp2p/circuit/relay/0.1.0",
    "/libp2p/circuit/relay/0.2.0/hop",
    "/libp2p/circuit/relay/0.2.0/stop",
    "/libp2p/dcutr",
    "/p2p/id/delta/1.0.0",
    "/x/"
  ]
}

Googling the IP, it shows up here: blocklist-ipsets/cruzit_web_attacks.ipset at master · firehol/blocklist-ipsets · GitHub, and here: Akamai Guardicore Segmentation CTI.
Checking 45.63.61.189 IP Address Details - IPinfo.io, it’s a vultr.com machine (VPS provider), so it could be that the IP was used to do illegal stuff before but has since been moved to a new account, idk.
My best educated guess with the information above is that in 2020-05 someone rented or infected a virtual machine hosted by vultr.com which then joined an SSH botnet; this IP was then caught by various honeypots (like Akamai’s). At some point vultr took the account down and put the IP back into their virtual machine rotation (a single public IPv4 costs ~$50; you can’t afford to discard IPs that have been used to do bad stuff).

Contacting machines that have been spotted doing scanning before is not bad in itself; the swarm connections made by Kubo are untrusted, and unless there is some unfixed vulnerability in Kubo this can’t be used to do lots of bad things to your machine. (Note: Kubo is written in Go, which is a memory-safe language, so the usual Remote Code Execution bugs that C and C++ often see are not seen here.)

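A small triage script for the checks done in the reply above (an added example, not code from the thread or from Kubo): it parses `ipfs id` JSON, keeps only the globally routable addresses found in the multiaddrs, checks whether the peer advertises itself as Kubo and speaks the Kademlia DHT, and matches the public IPs against a blocklist in firehol ipset format. Both the trimmed `ipfs id` sample and the blocklist are constructed here; the blocklist is not the real cruzit list.

```python
import ipaddress
import json

# Constructed sample, trimmed from the `ipfs id` output quoted in the thread.
PEER_ID = "12D3KooWSXmhu736z9Py6ttjj5aauqxeVUS3otBtyzprK1h7Q575"
IPFS_ID_OUTPUT = json.dumps({
    "ID": PEER_ID,
    "Addresses": [
        f"/ip4/127.0.0.1/tcp/4001/p2p/{PEER_ID}",
        f"/ip4/45.63.61.189/tcp/4001/p2p/{PEER_ID}",
        f"/ip6/::1/udp/4001/quic-v1/p2p/{PEER_ID}",
    ],
    "AgentVersion": "kubo/0.18.1/675f8bd/docker",
    "Protocols": ["/ipfs/bitswap/1.2.0", "/ipfs/id/1.0.0", "/ipfs/kad/1.0.0"],
})

# Constructed blocklist in firehol .ipset style (comments, IPs, CIDRs); NOT the real cruzit list.
BLOCKLIST = """# constructed example
45.63.61.189
203.0.113.0/24
"""

def public_ips(id_json):
    """Globally routable IPs in a peer's multiaddrs (loopback/private dropped)."""
    ips = set()
    for maddr in json.loads(id_json)["Addresses"]:
        # "/ip4/A/tcp/4001/p2p/ID" splits to ["", "ip4", "A", "tcp", ...]
        parts = maddr.split("/")
        if len(parts) > 2 and parts[1] in ("ip4", "ip6"):
            addr = ipaddress.ip_address(parts[2])
            if addr.is_global:
                ips.add(addr)
    return ips

def load_ipset(text):
    """Parse ipset lines into networks; a bare IP becomes a /32 or /128."""
    return [ipaddress.ip_network(s, strict=False)
            for s in map(str.strip, text.splitlines()) if s and not s.startswith("#")]

def triage(id_json, ipset_text):
    """What a defender wants to know: is it a Kubo peer, and is its IP listed?"""
    info = json.loads(id_json)
    nets = load_ipset(ipset_text)
    ips = public_ips(id_json)
    return {
        "looks_like_kubo": info.get("AgentVersion", "").startswith("kubo/"),
        "speaks_kad": any(p.startswith("/ipfs/kad/") for p in info.get("Protocols", [])),
        "public_ips": sorted(map(str, ips)),
        "listed_ips": sorted(str(ip) for ip in ips if any(ip in n for n in nets)),
    }
```

Run it against the JSON you get from `ipfs id <peer>` and a downloaded ipset file; a listed IP on an otherwise normal Kubo peer is a reason to keep watching, not proof the peer is hostile.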

Thx, I just added this to exclusions; seeing that alert every second is really annoying.