Malwarebytes RTP triggered by start_full_node.exe - three websites blocked

[pmarson]

I have three hits, showing as blocked websites. 222.137.199.212, 141.98.10.149, 222.138.142.20
Addresses are in china and lithuania. I'm in New Zealand.
Could the chia network be under attack already? These hits (incoming and outgoing) were on port 8444.

System virus scans haven't revealed anything local to my machine.

Apologies for the long post - trying to include anything that could be relevant.

Malware bytes report:
-Log Details-
Protection Event Date: 5/21/21
Protection Event Time: 6:28 PM

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Users***\AppData\Local\chia-blockchain\app-1.1.5\resources\app.asar.unpacked\daemon\start_full_node.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain:
IP Address: 222.137.199.212
Port: 8444
Type: Outbound
File: C:\Users***\AppData\Local\chia-blockchain\app-1.1.5\resources\app.asar.unpacked\daemon\start_full_node.exe

-Log Details-
Protection Event Date: 5/23/21
Protection Event Time: 9:00 AM
Log File: af2a20d6-bb40-11eb-a3e6-244bfe972848.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1292
Update Package Version: 1.0.40786
License: Premium

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Users***\AppData\Local\chia-blockchain\app-1.1.5\resources\app.asar.unpacked\daemon\start_full_node.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Compromised
Domain:
IP Address: 141.98.10.149
Port: 8444
Type: Inbound
File: C:\Users***\AppData\Local\chia-blockchain\app-1.1.5\resources\app.asar.unpacked\daemon\start_full_node.exe

-Log Details-
Protection Event Date: 5/28/21
Protection Event Time: 12:02 PM
Log File: 073f527c-bf48-11eb-b7ff-244bfe972848.json

-Software Information-
Version: 4.4.0.117
Components Version: 1.0.1308
Update Package Version: 1.0.41004
License: Premium

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Users***\AppData\Local\chia-blockchain\app-1.1.5\resources\app.asar.unpacked\daemon\start_full_node.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Compromised
Domain:
IP Address: 222.138.142.20
Port: 8444
Type: Outbound
File: C:\Users***\AppData\Local\chia-blockchain\app-1.1.5\resources\app.asar.unpacked\daemon\start_full_node.exe

222.137.199.212 : whois shows
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '222.136.0.0 - 222.143.255.255'

% Abuse contact for '222.136.0.0 - 222.143.255.255' is '[email protected]'

inetnum: 222.136.0.0 - 222.143.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: WW444-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HA
mnt-routes: MAINT-CNCGROUP-RR
mnt-irt: IRT-CU-CN
status: ALLOCATED PORTABLE
last-modified: 2013-08-08T23:17:12Z
source: APNIC

irt: IRT-CU-CN
address: No.21,Financial Street
address: Beijing,100033
address: P.R.China
e-mail: [email protected]
abuse-mailbox: [email protected]
admin-c: CH1302-AP
tech-c: CH1302-AP
auth: # Filtered
mnt-by: MAINT-CNCGROUP
last-modified: 2017-10-23T05:59:13Z
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: [email protected]
address: No.21,Jin-Rong Street
address: Beijing,100033
address: P.R.China
phone: +86-10-66259764
fax-no: +86-10-66259764
country: CN
mnt-by: MAINT-CNCGROUP
last-modified: 2017-08-17T06:13:16Z
source: APNIC

person: Wei Wang
nic-hdl: WW444-AP
e-mail: [email protected]
address: #55 San Quan Road, Zhengzhou, Henan Provice
phone: +86-371-65952358
fax-no: +86-371-65968952
country: CN
mnt-by: MAINT-CNCGROUP-HA
last-modified: 2010-03-05T08:20:01Z
source: APNIC

% Information related to '222.136.0.0/13AS4837'

route: 222.136.0.0/13
descr: CNC Group CHINA169 Henan Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
last-modified: 2008-09-04T07:54:44Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US4)

---

141.98.10.149: whois shows
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '141.98.10.0 - 141.98.10.255'

% Abuse contact for '141.98.10.0 - 141.98.10.255' is '[email protected]'

inetnum: 141.98.10.0 - 141.98.10.255
netname: LT-HOSTBALTIC-10
country: LT
admin-c: PV7242-RIPE
tech-c: PV7242-RIPE
status: ASSIGNED PA
mnt-by: mnt-lt-hostbaltic-1
created: 2019-01-10T13:11:38Z
last-modified: 2019-01-10T13:11:38Z
source: RIPE

person: Paulius Vancugovas
address: Draugystes g. 19
address: 51230
address: Kaunas
address: LITHUANIA
phone: +37067358624
nic-hdl: PV7242-RIPE
mnt-by: mnt-lt-hostbaltic-1
created: 2019-01-08T13:14:38Z
last-modified: 2019-01-09T13:14:40Z
source: RIPE

% Information related to '141.98.10.0/24AS209605'

route: 141.98.10.0/24
origin: AS209605
mnt-by: mnt-lt-hostbaltic-1
created: 2019-01-23T11:43:09Z
last-modified: 2019-01-23T11:43:09Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.100 (HEREFORD)

---

222.138.142.20 whois shows

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '222.136.0.0 - 222.143.255.255'

% Abuse contact for '222.136.0.0 - 222.143.255.255' is '[email protected]'

inetnum: 222.136.0.0 - 222.143.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: WW444-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HA
mnt-routes: MAINT-CNCGROUP-RR
mnt-irt: IRT-CU-CN
status: ALLOCATED PORTABLE
last-modified: 2013-08-08T23:17:12Z
source: APNIC

irt: IRT-CU-CN
address: No.21,Financial Street
address: Beijing,100033
address: P.R.China
e-mail: [email protected]
abuse-mailbox: [email protected]
admin-c: CH1302-AP
tech-c: CH1302-AP
auth: # Filtered
mnt-by: MAINT-CNCGROUP
last-modified: 2017-10-23T05:59:13Z
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: [email protected]
address: No.21,Jin-Rong Street
address: Beijing,100033
address: P.R.China
phone: +86-10-66259764
fax-no: +86-10-66259764
country: CN
mnt-by: MAINT-CNCGROUP
last-modified: 2017-08-17T06:13:16Z
source: APNIC

person: Wei Wang
nic-hdl: WW444-AP
e-mail: [email protected]
address: #55 San Quan Road, Zhengzhou, Henan Provice
phone: +86-371-65952358
fax-no: +86-371-65968952
country: CN
mnt-by: MAINT-CNCGROUP-HA
last-modified: 2010-03-05T08:20:01Z
source: APNIC

% Information related to '222.136.0.0/13AS4837'

route: 222.136.0.0/13
descr: CNC Group CHINA169 Henan Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
last-modified: 2008-09-04T07:54:44Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US4)

[BrandtH22]

@pmarson , if you are still experiencing the issues it is recommended to upgrade to the latest version of chia. Please download it from here: https://www.chia.net/downloads/

Since this issue has been open for a number of years without additional comments, we will be closing this ticket but if we have closed this ticket in error do not hesitate to reach out to us again with any followup questions, comments, or if the issue persists after an update.

Please note that upgrading major versions of chia generally requires the config.yaml to be recreated using these steps:
1. Stop chia
2. Rename the config or move it to a different directory
3. In CLI run chia init
4. Copy any custom settings from the old config to the new (plot drive directories, pool info, trusted node info, etc) - be careful here as yaml is very picky about formatting including those leading spaces
5. Start Chia

The best place to reach our support team is on Discord (https://discord.gg/chia) or by reopening this ticket.