Mudflow.exe is reported as a Trojan

Hello,

I have a report from Malwarebytes Premium that mudflow.exe was a Trojan using port 10007 to connect to the IP 125.212.218.98. When I searched for this IP, it’s actually one of our ISPs in Vietnam, named Viettel.

The thing is, my connection was established to Google in Sydney for World of Warcraft (Oceanic). Why did mudflow.exe try to reach that specific IP domestically?





Thank you for your support!
Corgei

:frowning: Sorry for this inconvenience. The IP 125.212.218.98 is a public IP of the mudfish node “VN Asia (Vietnam - Viettel 2)”, and TCP port 10007 is an echo daemon which is used to measure RTT between your desktop and mudfish nodes.

I think testing to 125.212.218.98:10007 is expected. And I guess that it’s a false positive from Malwarebytes.

However, if you think something is wrong with mudflow.exe, please visit the ‘Setup -> Nodes’ menu and set “VN Asia (Vietnam - Viettel 2)” as a blacklist.

I was expecting it was some kind of measurement from my client to Mudfish nodes, since it kept connecting to that IP address.

However, since the behaviors were detected as “Potential threats”, I have already added it to the exclusions.

For the Google nodes in Sydney, is there any measurement of when they will be at peak hours, or anything to prevent users from connecting when the nodes are fully occupied? Hopefully you guys are using Google Cloud Platform (GCP) and can make it scalable when the nodes need more resources.

Yep… :frowning: If the AV program thinks of mudfish as “Potential threats”, you need to exclude mudflow.exe.

Yes, mudfish nodes are on GCP but without scaling. :slight_smile: So at this moment there is no policy to detect whether a mudfish node is fully occupied or under heavy load. Only MRTG graphs are available in the UI.
