Java making outbound network requests on Mac client after launching Ignition client

I have a laptop running Mac OS 10.12.3 (Sierra) and noticed the laptop trying to make outbound connections to unknown private IP addresses. Using a combination of netstat, lsof, and Little Snitch I found the outgoing network SYN requests were coming from a process called java.org.tanukisoftware.wrapper.WrapperSimpleApp and destined for the following addresses:

10.20.4.50 TCP port 44818 (rockwell-encap)
10.20.4.55 TCP port 44818 (rockwell-encap)
10.20.8.100 TCP port 1234 (Infoseek Search Agent but also tied to known malicious backdoors)
www.inductiveautomation.com TCP port 80 (http)

This process is running as root and tied to the system process id for java. I saw the name come up under another thread related to running a gateway on Mac OS X, but I have never installed gateway software on this mac. I’ve only executed the client or designer via the .jnlp files.

Any insight into where this may be coming from or how to stop it, especially since it occurs when Ignition isn’t even running, would be much appreciated.

This sure sounds like a leftover Ignition gateway install with a couple Logix devices under the OPC server. The open files of that process should point you to the install folder.

1 Like

Phil is probably right.

You’ve definitely got a gateway running if you see java.org.tanukisoftware.wrapper.WrapperSimpleApp
as the source.

44818 is the EtherNet/IP port and used by the AB drivers.

The addresses, 10.20.4.50 and 10.20.4.55, are curious… did you at some point restore a backup from someone here at IA? or maybe a demo backup or university backup?

1 Like

Those IP addresses match device connections that are pre-configured in the Inductive University Challenge File. Check the devices page on the Gateway’s configure section. Specifically, the devices titled “CLX”, “MLX”, and “Scale”.

You can delete or disable them. That should stop the outbound requests.

1 Like

Thanks for all of the replies. I need to take another look at the machine, but there doesn’t appear to be any indication that the Ignition Gateway is still installed. It makes me feel a lot more comfortable that those IPs were known to be pre-configured in the University Challenge File, as I had run through that previously.

Thanks again!

Addresses in the 10.x.x.x range are private and non-routable so will never go outside your LAN anyway.

If the connections are still being created, the service is still installed. Consider looking through the filesystem in detail to locate it. { I don’t use Macs, so I can’t be more help. }

Still looking through the file system, but I haven’t found any files yet. It’s probably something hidden deep within the Mac System or Library files. I’m going to check with IA to see if they have a document where those applications may drop files.

Yes, those are private addresses, but if you’re concerned about security it is always disconcerting to see your machine reach out to private addresses which are unknown and not in use on the network, especially with process control protocols. I would never connect this computer to an ICS network, but it’s still good practice to understand all of your networks and investigate unusual activity (public or private).

Ignition runs as a java process, so it might be worth it to do a reboot and then run ‘jps’ in the terminal and see if any java processes are running. If so, compare the pids to Activity Monitor, htop or whatever, and see if you can track it down that way. Another route might be to run a find in the terminal for gateway.xml, config.idb or ignition.conf (files that would almost certainly exist if Ignition were running somewhere on your system). They might help you find where an installation might have ended up.

I tried running jps but only saw one newly created process id. It didn’t have any files associated with it. I’m still seeing active outgoing TCP SYN packets destined to the 4 private IPs, but haven’t found any relevant files. I found 3 jnlp files for 2 previously run Ignition projects and the Designer, but removing those didn’t stop the connections.

Try running sudo jps. If ignition is running as a service that was installed through the installer, it’s probably running as a system process, not user.
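The triage steps suggested in the thread (list java processes as root, match the Tanuki wrapper class, check for outbound SYNs to the EtherNet/IP port 44818, and search the filesystem for gateway.xml / config.idb / ignition.conf) can be scripted. The script below is an added example written for this thread, not code from the forum or from Inductive Automation. It runs against constructed sample `ps` and `netstat` output so it works offline; in real use you would feed it `sudo ps -axo pid,user,command` and `netstat -an` (the gateway runs as root, so listing it and its open files needs sudo, as the last reply notes). The main class name `com.example.GatewayMain` in the sample is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Mac for a leftover Ignition
# gateway running under the Tanuki service wrapper.
#  1. find_wrapper_pids        - java processes whose command line carries the
#                                wrapper class seen in the thread
#  2. list_suspect_connections - outbound sockets to EtherNet/IP (44818) and
#                                the other port from the thread (1234)
#  3. find_config_files        - locate the gateway config files named above
# Sample inputs below are constructed to resemble the thread's observations.

WRAPPER_CLASS='org.tanukisoftware.wrapper.WrapperSimpleApp'
SUSPECT_PORTS='44818 1234'

# Reads `ps -axo pid,user,command` output on stdin; prints "pid user" for
# every process whose command line contains the wrapper class.
find_wrapper_pids() {
    awk -v cls="$WRAPPER_CLASS" '$0 ~ cls { print $1, $2 }'
}

# Reads `netstat -an` output on stdin; prints "remote_ip remote_port state"
# for TCP sockets whose foreign port is in SUSPECT_PORTS. macOS netstat
# writes addresses as ip.port (e.g. 10.20.4.50.44818), so split on the last dot.
list_suspect_connections() {
    awk -v ports="$SUSPECT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ {
            rem = $5
            k = match(rem, /\.[0-9]+$/)
            if (k == 0) next
            ip = substr(rem, 1, k - 1)
            port = substr(rem, k + 1)
            if (port in want) print ip, port, $6
        }'
}

# Searches a directory tree for the config files an Ignition install would
# carry; run it against / (with sudo) on a real machine.
find_config_files() {
    root="$1"
    find "$root" \( -name gateway.xml -o -name config.idb -o -name ignition.conf \) 2>/dev/null
}

# --- constructed samples standing in for real `ps` and `netstat` output ---
SAMPLE_PS='  PID USER  COMMAND
  312 root  /usr/bin/java -Dwrapper.pidfile=/tmp/wrapper.pid org.tanukisoftware.wrapper.WrapperSimpleApp com.example.GatewayMain
 4120 alice /usr/bin/java -jar /Users/alice/Designer.jar'

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.23.52210     10.20.4.50.44818       SYN_SENT
tcp4       0      0  192.168.1.23.52211     10.20.4.55.44818       SYN_SENT
tcp4       0      0  192.168.1.23.52212     10.20.8.100.1234       SYN_SENT
tcp4       0      0  192.168.1.23.52213     17.253.144.10.443      ESTABLISHED'

echo "== java processes running the Tanuki wrapper (pid user) =="
printf '%s\n' "$SAMPLE_PS" | find_wrapper_pids
echo "== outbound TCP sockets to ICS/suspect ports (ip port state) =="
printf '%s\n' "$SAMPLE_NETSTAT" | list_suspect_connections

# Demonstrate the file search on a throwaway tree containing one config file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/Ignition/data"
: > "$demo_root/Ignition/data/ignition.conf"
echo "== Ignition config files under $demo_root =="
find_config_files "$demo_root"
rm -rf "$demo_root"
```

Once `find_wrapper_pids` gives you a pid, `sudo lsof -p <pid>` shows the open files (including the install directory and the wrapper log), which is the quickest way to reach the install folder the first reply mentions.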