Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Categories

Dark Dreams of Furiae - a new module for NWN:EE! Buy now
Attention, new and old users! Please read the new rules of conduct for the forums, and we hope you enjoy your stay!

Mirai Worm & Beamdog?!

kinda sounds like something a pill is need for ;)
[just mix it the food] :p

I am finding that Beamdog Client.exe is complaining about communicating on the Internet, digging into the process' TCP/IP usage, I find that it seems to want to communicate to "epicrustserver.cf "
Can someone explain WHY?
Especially considering that the #Mirai worm uses the domain epicrustserver[.]cf at port 23823
for its Command & Control communications.
Have any steps been taken to ensure the Player Base's security & welfare online regarding Beamdog Client?

Comments

  • JuliusBorisovJuliusBorisov Member, Administrator, Moderator, Developer Posts: 21,442
    Can you please post a screenshot or two?

  • CeyarrecksCeyarrecks Member Posts: 44
    as indicated by Process Explorer:

    3e9nlbnr35gu.jpg


    reference from bleepingcomputer.com...(very long url) https://tinyurl.com/y442lk9c

    8a4rtr2qp2f3.jpg

    HOSTS file FTW and all,.... :)

  • nivniv Member, Moderator, Developer Posts: 400
    Do you have epicrustserver.cf in your hosts file mapped to 127.0.0.1? That would explain why your DNS resolver shows these addresses in the Local column.

  • CeyarrecksCeyarrecks Member Posts: 44
    yes. of course I use a security-specific HOSTS file, et al.

    I believe the point is missed,...
    the use of epicrustserver OPENS a dire security problem for. the. PLAYER. BASE.
    Hence this post to make more aware.

    So, at least, I await the out-sourced Support ticket, and maybe Atlassian can speak on Beamdog policies,..

  • nivniv Member, Moderator, Developer Posts: 400
    Well, the point I tried to make was:

    * Beamdog Client opens some listening sockets bound to the local interface (127.0.0.1) or to all interfaces (0.0.0.0), for the torrent system that delivers the game data to your system. This is completely benign and expected.
    * You add a host file override that reads (0.0.0.0 epicrustserver.cf) or (127.0.0.1 ...) as part of your blacklisting effort.
    * Then the Windows DNS resolver will use the first entry that matches your hosts file to render the alias, since you checked the checkbox in the screenshot you gave ("Resolve addresses").

    This would make this a presentation issue on your end, and not an actual communication with the displayed host in question.

    To verify, please uncheck said checkbox and let it show what actual IP is displayed.

    Hope that's a bit clearer!

    JuliusBorisovSymphony
Sign In or Register to comment.