puppy 501 hooking up
Hi All
When pup 500 and 501 boot they make connections to 74.125.53.106 and to 174.143.209.250. The first connection disappears pretty quickly, but the second one hangs up and remains connected, even though LAST_ACK is sent.
This looks very suspicious to me, especially since my cisco firewall will not allow that second IP to be entered into the block IP window, it returns an error code.
This happens both with my SSD install and with the boot CD.
Why is the puppy connecting to this outside URL? How can I prevent this behavior? What script is making this connection?
I have tried putting the url in the host.deny file but it doesn't deny it.
It's very strange behavior and not something that is security friendly. For example Knoppix live CD does not make any connections when it boots up, and it also establishes the internet connection automatically.
Does anyone have any insight or info about this? You can see it by opening ipinfo and looking at the last tab.
thanks in advance
800
Attachment: pup501ipinfo.png
re: 174.143.209.250
The first one:
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
OriginAS:
NetName: GOOGLE
----------------------
The second one is harmless and a part of the network utility ipinfo, it is to show you your externally visible ipaddress, which is usually the ip address of your cablebox or dsl modem if you have a router in between your box and the service provider's device.
So every time you open ipinfo, the brief connection is made. I did block it once for a test, using the rc.firewall file; I don't know why your firewall won't accept it.
line 21 of ipinfo:
var0="`wget -O - -q icanhazip.com`"
Icanhazip.com
icanhazip.com IP:
174.143.209.250
icanhazip.com server location:
San Antonio in United States
icanhazip.com ISP:
Rackspace Hosting
In terminal, you can instead use: netstat -tu or netstat -tn to see ip connections. In that case, you shouldn't see the 174.143.209.250 address.
If no internet apps are open when you do this, you shouldn't see anything.
http://www.domaincrawler.com/ip/view/ns1.rkrhkr.com
took me to a manuela page
time to get my SecretServiceIntelligenceHat on
upnorth,
thanks for the description. now I wonder why pup wants to talk to google. is there a script that I can reconfigure to stop that behavior?
I just prefer the PARANOID setups. So if there is a way I can retrain him, I'd sure like to know what it is.
For that matter I'd like to give him better manners so he doesn't connect at boot time. Where is that option found?
Thanks again
800
Thanks Karl! for manuela page - should be included in Puppy Documentation
@800
That google one is a mystery, unless firefox, chrome, chromium, or some other internet app is open - like an rss feed or mail app. Firefox and chrome/chromium will periodically connect with google for the "block reported attack sites" and "block reported web forgeries" features or "fraud protection" as its called. Also the rss feeds will automatically connect periodically. Is there any app that starts automatically at system startup? You can look in the folder /root/Startup - those files are all readable in geany with a right click.
It's possible too with some desktop eyecandy apps like conky and similar widgets.
I can't think of anything at the system level that would make connections automatically.
upnorth
I did some more checking. My current pup, 431, doesn't check any sites that I can detect. Firefox 2.0.0.7 doesn't call out when it opens up.
But the current 51 with the current firefox does call out. I have it connecting to a different site from the ones above, on port 443, the https socket. I'll add the picture when I get that box rebooted.
So it's the new version of the browser plus the new autoconnecting puppy.
I'll 'browse' around about:config to see if there's something going on. I have adblock and noscript add-ons in both versions. They are both configured the same. I will disable them next go-around and see if that alters the behavior.
Is there a script or tail command that would keep netstat -t up and running? It would be great if there was a way to get the monitoring running before the ethernet connection happens. Is there a way to do that?
Anyway, it makes me extremely uncomfortable to have something on my box connecting somewhere without my prior knowledge and consent. I hope I can track it down.
Maybe some more PARANOIDS can check it out too and explain what is happening.
Regards All
800
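For the question above about keeping netstat running from before the interface comes up: here is an added example of the kind of watcher script that does it, written for this thread rather than taken from Puppy. It polls netstat and appends only connections it has not seen before to a log, so you can start it from an early boot hook (which hook depends on your Puppy version, so that part is left to you) and read the log after the adapter has been brought up. It assumes the net-tools/busybox column layout of "netstat -tun"; the log path and poll interval are made-up defaults.

```shell
#!/bin/sh
# conn-watch.sh: keep a running log of every new outbound connection.
# Added example for this thread, not a Puppy script. It assumes a netstat
# whose "-tun" listing has the net-tools/busybox column layout:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State
# The log path and poll interval below are made-up defaults.

# Normalise one netstat listing (stdin) into sorted "proto local remote state"
# lines. Header lines, listening sockets and loopback peers are dropped.
normalize_conns() {
    awk '
        $1 ~ /^(tcp|udp)/ && $4 ~ /:/ && $5 ~ /:/ {
            if ($5 ~ /^(127\.|0\.0\.0\.0|\*|::1:)/) next
            state = ($6 == "") ? "-" : $6
            print $1, $4, $5, state
        }' | LC_ALL=C sort -u
}

# Print the lines present in the new snapshot ($2) but not in the old one ($1).
# Both files must already be sorted, which normalize_conns guarantees.
new_conns() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Poll every $1 seconds (default 1) and append each never-before-seen
# connection, timestamped, to the log file $2 (default /tmp/conn-watch.log).
watch_conns() {
    interval=${1:-1}
    log=${2:-/tmp/conn-watch.log}
    old=$(mktemp) || return 1
    new=$(mktemp) || return 1
    : > "$old"
    while :; do
        netstat -tun 2>/dev/null | normalize_conns > "$new"
        new_conns "$old" "$new" | while IFS= read -r line; do
            printf '%s %s\n' "$(date '+%F %T')" "$line" >> "$log"
        done
        cp "$new" "$old"
        sleep "$interval"
    done
}

# Only start polling when explicitly asked, so the functions above can be
# sourced or tested without looping forever:
#   sh conn-watch.sh start [interval] [logfile]
case "${1:-}" in
    start) watch_conns "${2:-1}" "${3:-/tmp/conn-watch.log}" ;;
esac
```

Run it as "sh conn-watch.sh start 1 /tmp/conn-watch.log &" before the network script, then "cat /tmp/conn-watch.log" once the desktop is up; each line gives the time, protocol, local socket, remote socket and state, so a connection that only lives for a fraction of a second still leaves a record. A one-second poll can still miss a very short-lived connection, so treat an empty log as "nothing seen", not as proof that nothing happened.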
here's a look at firefox 3.6.8 connecting itself to an outside server.
thoughts?
thanks!
Attachment: firefox_connects_itself.png
Firefox 3 has additional features to check for phishing and 'unwanted' sites, so I believe it does request the info from some outside sources (which probably do include Google).
If you want, you can turn this behavior off in Preferences. (I don't remember the exact settings and tabs, as I've uninstalled FF3.6.8 from my Puppy setup, for the moment, and I'm not sitting at any of my other systems with FF3.6.8 installed. )
[ Puppy 4.3.1 JP, Frugal install ] * [ XenialPup 7.5, Frugal install ] * [XenialPup 64 7.5, Frugal install] * [ 4GB RAM | 512MB swap ]
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).
Oh, right, I forgot (but remembered on seeing the URL in your picture above). The NoScript extension just added a feature where it makes a call to the dev's servers about every fifteen minutes or so... (though one of the earliest versions to implement it made the call more often than that.) I forgot the reason why, but I believe the feature's called 'ABE' and is another anti-spoofing measure.
Try disabling NoScript (disabling the extension itself from the Add-Ons window), or the ABE settings in NoScript (NoScript > Options > Advanced tab > ABE tab), then restart Firefox and see if the problem persists.
Edit: Here's what NoScript's dev has to say about ABE: http://hackademix.net/2010/07/28/abe-pa ... r-routers/
The new feature was added in NoScript 2.0, I believe.
Thought of another thing:
Edit>preferences>general>startup>
select "show a blank page"
and clear out the homepage field
and delete the rss feed to world news that exists on bookmarks bar. after that you can go to http://www.bbc.co.uk/news/ instead and resubscribe there.
Could it be a simple connection test? (I'm still on a custom version of Puppy 4.3.1, so I don't know what 5.0.1 does )
Some years ago, I learned from posts (somewhere... I don't remember where or what forum) that a quick and simple way to test the connection is to ping Google or Microsoft's sites (those, among a few others, simply because they're most likely to be up, running and present).
Makoto
That's a good question. Sorry about the version error, I'm goofy with numbers, the correct version is 5.1.
I wonder why the test isn't satisfied by the lease obtained from the DNS server?
It's somewhere in the code that executes during boot when it gets to the "let's address the adapter and call out now" portion.
Hopefully whoever WROTE THAT PART will fess up and perhaps even teach us how to stop it from happening.
It does not happen in any of the prior versions that I've tried, it perplexes me why it should happen in this guy.
Personally I prefer to have a copy of Pup that doesn't autoconnect for my trouble-shooting-repair CD for fixing the other OS. Heh.
Thanks for the comeback
800
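On the question of why a connection test should need Google when the DHCP lease already tells the box its gateway and DNS server: here is an added example of a test that uses only what the lease provides. It is written for this thread and is not what Puppy's boot scripts actually do. It reads the default gateway out of "route -n" (net-tools or busybox layout) and pings that address only, so nothing leaves the local network; the resolv.conf parser shows the nameserver from the lease the same way. The interface name and addresses in the comments are made up.

```shell
#!/bin/sh
# link-check.sh: decide whether the network is up without contacting Google
# or any other outside host. Added example for this thread; it is not what
# Puppy's own boot scripts do. Assumes `route -n` with the net-tools/busybox
# layout (Destination Gateway Genmask Flags ... Iface) and a ping that
# accepts -c and -W. Interface and addresses in comments are made up.

# Read `route -n` output on stdin and print the gateway of the default route
# (destination 0.0.0.0). Prints nothing if there is no default route yet,
# e.g. before DHCP has handed out a lease.
default_gateway() {
    awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print $2; exit }'
}

# Read /etc/resolv.conf-style text on stdin and print the first nameserver,
# which under DHCP is the one the lease supplied.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Return 0 when a default gateway exists and answers one ICMP echo within
# 2 seconds, 1 otherwise. The only packet sent goes to the local gateway
# (e.g. 192.168.1.1 on eth0), never to an outside host.
link_up() {
    gw=$(route -n 2>/dev/null | default_gateway)
    [ -n "$gw" ] || return 1
    ping -c 1 -W 2 "$gw" >/dev/null 2>&1
}

# Only act when explicitly asked, so the functions can be sourced or tested:
#   sh link-check.sh check
case "${1:-}" in
    check)
        if link_up; then
            echo "link up: gateway $(route -n | default_gateway)," \
                 "nameserver $(first_nameserver < /etc/resolv.conf)"
        else
            echo "no link" >&2
            exit 1
        fi ;;
esac
```

"sh link-check.sh check" exits 0 only when a default route exists and the gateway answers, which is the same information the Google ping gives you about the local side of the connection. The one caveat is that some home routers drop ICMP echo; if yours does, the test reports "no link" even with a good lease, and you would have to replace the ping with a TCP probe of a service you run yourself.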
unlike upnorth, I tracked 174.143.209.250 to this
http://urldogg.com/174.143.209.250
http://www.robtex.com/dns/*.evanhayden.net.html
Evan Hayden aka Rackerhacker/pleskhacker.com and mysqltuner.pl. dedicated server with one IP, located in San Antonio, TX, United States zip code 78225, and the area code 210.
http://rackerhacker.com/
I also found a url which after translation shows 74.125.53.106 which upnorth had as google.com, in a hijackthis listing....many times
http://putera.forumotion.com/utiliti-da ... -t6862.htm
I suspect you may have a rootkit virus or something equally nasty
Clean your PC before using puppy - use an updated AV program
If you have a windows partition check for [and delete] RtkBtMnt.exe if present
I would also reset your router if I were you, as something seems compromised, and I doubt it's Puppy, unless you have a save file it's picking up
Try booting puppy=pfix ram
HTH
Aitch
http://www.robtex.com/ip/174.143.209.250.html
I love that robtex site
http://www.robtex.com/ip/174.143.209.250.html
I just installed the showip extension a few days ago and it has robtex on the right click popup menu - pretty handy.
Btw, if I type just 174.143.209.250 into the URL box on the browser, I get Major Hayden's manual page, which is majorhayden.com.
Here is original link to icanhazip.com with explanation:
http://rackerhacker.com/2009/07/31/get- ... hazip-com/
If I type 74.125.53.106 into the URL box on the browser, the Mountain View chocolate factory comes up.
same for this one:
Pw-in-f106.1e100.net
Here is another pretty good dns info site:
https://dns.l4x.org/74.125.53.106
upnorth
/aside
showip extension? the firefox one? Jan Dittmer again - clever so and so...also does Chrome extension
http://code.google.com/p/firefox-showip ... eExtension
his name crops up all over the place - does kernel cross compiles....
Wonder if he could do puppy/arm kernel??
Jan, if this shows up anywhere....we're in need of assistance!
http://l4x.org/
Aitch