Java making outbound network requests on Mac client after launching Ignition client

I have a laptop running Mac OS 10.12.3 (Sierra) and noticed the laptop trying to make outbound connections to unknown private IP addresses. Using a combination of netstat, lsof, and Little Snitch I found my the outgoing network SYN requests were coming from a process called and destined for the following addresses: TCP port 44818 (rockwell-encap) TCP port 44818 (rockwell-encap) TCP port 1234 (Infoseek Search Agent but also tied to known malicious backdoors) TCP port 80 (http)

This process is running as root and tied to the system process id for java. I saw the name come up under another thread related to running a gateway on Mac OS X, but I have never installed gateway software on this mac. I’ve only executed the client or designer via the .jnlp files.

Any insight into where this may be coming from or how to stop it, especially since it occurs when Ignition isn’t even running would be much appreciated.

This sure sounds like a leftover Ignition gateway install with a couple Logix devices under the OPC server. The open files of that process should point you to the install folder.

1 Like

Phil is probably right.

You’ve definitely got a gateway running if you see
as the source.

44818 is the EtherNet/IP port and used by the AB drivers.

The addresses, and, are curious… did you at some point restore a backup from someone here at IA? or maybe a demo backup or university backup?

1 Like

Those IP addresses match device connections that are pre-configured in the Inductive University Challenge File. Check the devices page on the Gateway’s configure section. Specifically, the devices titled “CLX”, “MLX”, and “Scale”.

You can delete or disable them. That should stop the outbound requests.

1 Like

Thanks for all of the replies, I need to take another look at the machine, but there doesn’t appear to be indication that the Ignition Gateway is still installed. It makes me feel a lot more comfortable that those IPs were known to be pre-configured in the University Challenge File as I had run through that previously.

Thanks again!

Addresses in the 10.x.x.x range are private and non-routable so will never go outside your LAN anyway.

If the connections are still being created, the service is still installed. Consider looking through the filesystem in detail to locate it. { I don’t use Macs, so I can’t be more help. }

Still looking through the file system, but I haven’t found any files yet. It’s probably something hidden deep within the Mac System or Library files. I’m going to check with IA to see if they have a document where those applications may drop files.

Yes, those are private addresses, but if you’re concerned about security it is always disconcerting to see your machine reach out to private addresses which are unknown and not in use on the network. Especially with process control protocols. I would never connect this computer to an ICS network, but it’s still good practice to understand all of your networks and investigate unusual activity (public or private.)

Ignition runs as a java process, so it might be worth it to do a reboot and then run ‘jps’ in the terminal and see if any java processes are running. If so, compare the pids to activity monitor, htop or whatever, and see if you can track it down that way. Another route might be to run a find in the terminal for gateway.xml, config.idb or ignition.conf (files that would almost certainly exist if ignition were running somewhere on your system). They might help if find where an installation might have ended up.

I tried running jps but only saw one newly created process id. It didn’t have any files associated with it. I’m still seeing active outgoing TCP SYN packets destined to the 4 private IPs, but haven’t found any relevant files. I found 3 jnlp files for 2 previously run Ignition projects and the Designer, but removing those didn’t stop the connections.

Try running sudo jps. If ignition is running as a service that was installed through the installer, it’s probably running as a system process, not user.