puppy 501 hooking up
800

Joined: 31 Aug 2010
Posts: 17

PostPosted: Tue 31 Aug 2010, 13:43    Post_subject:  puppy 501 hooking up
Sub_title: puppy makes connections to outside servers when he boots
 

Hi All

When pup 500 and 501 boot they make connections to 74.125.53.106 and to 174.143.209.250. The first connection disappears pretty quickly, but the second one hangs up and remains connected, even though LAST_ACK is sent.

This looks very suspicious to me, especially since my Cisco firewall will not allow that second IP to be entered into the block IP window; it returns an error code.

This happens both with my SSD install and with the boot CD.

Why is the puppy connecting to this outside URL? How can I prevent this behavior? What script is making this connection?

I have tried putting the url in the hosts.deny file but it doesn't deny it.

It's very strange behavior and not something that is security friendly. For example Knoppix live CD does not make any connections when it boots up, and it also establishes the internet connection automatically.

Does anyone have any insight or info about this? You can see it by opening ipinfo and looking at the last tab.

thanks in advance

800
[Attached image: pup501ipinfo.png]

upnorth


Joined: 11 Jan 2010
Posts: 262
Location: Wisconsin UTC-6 (-5 DST)

PostPosted: Tue 31 Aug 2010, 15:37    Post_subject: re: 174.143.209.250
Sub_title: 174.143.209.250
 

The first one:
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
OriginAS:
NetName: GOOGLE
----------------------
The second one is harmless and a part of the network utility ipinfo, it is to show you your externally visible ipaddress, which is usually the ip address of your cablebox or dsl modem if you have a router in between your box and the service provider's device.

So every time you open ipinfo, the brief connection is made. I did block it once for a test, using the rc.firewall file; I don't know why your firewall won't accept it.

line 21 of ipinfo:
var0="`wget -O - -q icanhazip.com`"

Icanhazip.com
icanhazip.com IP:
174.143.209.250
icanhazip.com server location:
San Antonio in United States
icanhazip.com ISP:
Rackspace Hosting

In terminal, you can instead use: netstat -tu or netstat -tn to see ip connections. In that case, you shouldn't see the 174.143.209.250 address.

If no internet apps are open when you do this, you shouldn't see anything.
Karl Godt


Joined: 20 Jun 2010
Posts: 3972
Location: Kiel,Germany

PostPosted: Tue 31 Aug 2010, 17:41    Post_subject:    

http://www.domaincrawler.com/ip/view/ns1.rkrhkr.com

took me to a manuela page

time to get my SecretServiceIntelligenceHat on :D
800

Joined: 31 Aug 2010
Posts: 17

PostPosted: Tue 31 Aug 2010, 18:59    Post_subject:  

upnorth,

thanks for the description. now I wonder why pup wants to talk to google. is there a script that I can reconfigure to stop that behavior?

I just prefer the PARANOID setups. So if there is a way I can retrain him, I'd sure like to know what it is.

For that matter I'd like to give him better manners so he doesn't connect at boot time. Where is that option found?

Thanks again

800
upnorth


Joined: 11 Jan 2010
Posts: 262
Location: Wisconsin UTC-6 (-5 DST)

PostPosted: Tue 31 Aug 2010, 22:14    Post_subject:  

Thanks Karl! for manuela page - should be included in Puppy Documentation :lol:

@800

That google one is a mystery, unless firefox, chrome, chromium, or some other internet app is open - like an rss feed or mail app. Firefox and chrome/chromium will periodically connect with google for the "block reported attack sites" and "block reported web forgeries" features or "fraud protection" as it's called. Also the rss feeds will automatically connect periodically. Is there any app that starts automatically at system startup? You can look in the folder /root/Startup - those files are all readable in geany with a right click.

It's possible too with some desktop eyecandy apps like conky and similar widgets.

I can't think of anything at the system level that would make connections automatically.
800

Joined: 31 Aug 2010
Posts: 17

PostPosted: Thu 02 Sep 2010, 20:04    Post_subject:  

upnorth

I did some more checking. My current pup, 431, doesn't check any sites that I can detect. Firefox 2.0.0.7 doesn't call out when it opens up.

But the current 51 with the current firefox does call out. I have it connecting to a different site from the ones above, on port 443, the https socket. I'll add the picture when I get that box rebooted.

So it's the new version of the browser plus the new autoconnecting puppy.

I'll 'browse' around about:config to see if there's something going on. I have adblock and noscript add-ons in both versions. They are both configured the same. I will disable them next go-around and see if that alters the behavior.

Is there a script or tail command that would keep netstat -t up and running? It would be great if there was a way to get the monitoring running before the ethernet connection happens. Is there a way to do that?



Anyway, it makes me extremely uncomfortable to have something on my box connecting somewhere without my prior knowledge and consent. I hope I can track it down.

Maybe some more PARANOIDS can check it out too and explain what is happening.

Regards All

800
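
An added example, not from any poster in this thread: one way to keep `netstat` watching for new connections and record which process owns each one, as asked in the post above. It assumes a `netstat` that supports `-p`; the sample rows, PIDs and program names are constructed, and `parse_peers`, `new_peers` and `watch_peers` are hypothetical names.

```shell
#!/bin/sh
# Added example: log every new remote TCP peer and the process that owns it.
# Assumes a netstat that supports -p (net-tools, or busybox built with it).

# Constructed sample of `netstat -tnp` output; PIDs and program names are made up.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.20:41822      74.125.53.106:80        ESTABLISHED 1432/example-app
tcp        0      1 192.168.1.20:51730      174.143.209.250:80      LAST_ACK    -
tcp        0      0 127.0.0.1:49152         127.0.0.1:631           ESTABLISHED 702/cupsd'

# Read netstat -tnp output on stdin; print "peer state owner" for each TCP
# row whose foreign address is not loopback or a listening wildcard.
parse_peers() {
    awk '$1 ~ /^tcp/ && $5 !~ /^(127\.|::1:|0\.0\.0\.0:|:::)/ {
        owner = ($7 == "") ? "-" : $7
        print $5, $6, owner
    }'
}

# Read "peer state owner" lines on stdin; print a timestamped line for each
# peer/owner pair not yet in file $1, then record it. The state is left out
# of the key so ESTABLISHED -> LAST_ACK does not log the same peer twice.
new_peers() {
    seen=$1
    touch "$seen"
    while read -r peer state owner; do
        key="$peer $owner"
        if ! grep -qxF -- "$key" "$seen"; then
            echo "$key" >> "$seen"
            echo "$(date '+%F %T') NEW $peer $state $owner"
        fi
    done
}

# Poll netstat every $1 seconds (default 1) and append new peers to log $2.
watch_peers() {
    interval=${1:-1}
    log=${2:-/tmp/peers.log}
    seen_file=$(mktemp)
    while :; do
        netstat -tnp 2>/dev/null | parse_peers | new_peers "$seen_file" >> "$log"
        sleep "$interval"
    done
}

# Run as: sh watch_peers.sh watch [interval] [logfile]
if [ "${1:-}" = "watch" ]; then
    watch_peers "${2:-1}" "${3:-/tmp/peers.log}"
fi
```

Polling misses any connection that opens and closes between two samples, and an owner of `-` means the socket no longer belongs to a running process (or netstat was not run as root).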
800

Joined: 31 Aug 2010
Posts: 17

PostPosted: Thu 02 Sep 2010, 21:08    Post_subject:  

here's a look at firefox 3.6.8 connecting itself to an outside server.

thoughts?

thanks!
[Attached image: firefox_connects_itself.png]

Makoto


Joined: 03 Sep 2009
Posts: 1797
Location: Out wandering... maybe.

PostPosted: Thu 02 Sep 2010, 21:20    Post_subject:  

Firefox 3 has additional features to check for phishing and 'unwanted' sites, so I believe it does request the info from some outside sources (which probably do include Google).

If you want, you can turn this behavior off in Preferences. (I don't remember the exact settings and tabs, as I've uninstalled FF3.6.8 from my Puppy setup, for the moment, and I'm not sitting at any of my other systems with FF3.6.8 installed. :oops: )

_________________
[ Puppy 4.3.1 JP, Frugal install | 1GB RAM | 1.3GB swap ] * My Pidgin Builds for Puppy 4.3.1+
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).
rcrsn51


Joined: 05 Sep 2006
Posts: 9200
Location: Stratford, Ontario

PostPosted: Fri 03 Sep 2010, 09:56    Post_subject:  

Makoto wrote:
If you want, you can turn this behavior off in Preferences.

Edit > Preferences > Security > Block reported attack sites and Block reported web forgeries.

Also, Edit > Preferences > Advanced > Automatically check for updates.
800

Joined: 31 Aug 2010
Posts: 17

PostPosted: Fri 03 Sep 2010, 10:23    Post_subject:  

thanks guys. I altered all of those preferences and it still hooks up to the 443 socket..... and the Pup makes his connection besides.....

I can't use this version, my favorite, until I get this sorted. thanks for the help.

regards
Makoto


Joined: 03 Sep 2009
Posts: 1797
Location: Out wandering... maybe.

PostPosted: Fri 03 Sep 2010, 12:05    Post_subject:  

Oh, right, I forgot (but remembered on seeing the URL in your picture above). The NoScript extension just added a feature where it makes a call to the dev's servers about every fifteen minutes or so... (though one of the earliest versions to implement it made the call more often than that.) I forgot the reason why, but I believe the feature's called 'ABE' and is another anti-spoofing measure.

Try disabling NoScript (disabling the extension itself from the Add-Ons window), or the ABE settings in NoScript (NoScript > Options > Advanced tab > ABE tab), then restart Firefox and see if the problem persists.

Edit: Here's what NoScript's dev has to say about ABE: http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/
The new feature was added in NoScript 2.0, I believe.

800

Joined: 31 Aug 2010
Posts: 17

PostPosted: Sat 04 Sep 2010, 23:00    Post_subject:  

Makoto

Thanks so much! That link solves it as far as firefox goes. I am still perplexed about Pup hooking up to google....

Google ?

What was he thinking? Still looking for that one. SOMETHING is making the connection.

thanks and regards,

800
upnorth


Joined: 11 Jan 2010
Posts: 262
Location: Wisconsin UTC-6 (-5 DST)

PostPosted: Mon 06 Sep 2010, 17:15    Post_subject:  

Thought of another thing:

Edit>preferences>general>startup>
select "show a blank page"
and clear out the homepage field

and delete the rss feed to world news that exists on bookmarks bar. after that you can go to http://www.bbc.co.uk/news/ instead and resubscribe there.
800

Joined: 31 Aug 2010
Posts: 17

PostPosted: Wed 08 Sep 2010, 09:55    Post_subject:  

Thanks upnorth

those are my default settings. no feeds, blank home page...

I have the firefox issues sorted, but still not getting the Pup Guy's predilection for hooking up, apparently during boot when the adapter is addressed...

thanks all for comments and suggestions

800
Makoto


Joined: 03 Sep 2009
Posts: 1797
Location: Out wandering... maybe.

PostPosted: Wed 08 Sep 2010, 21:59    Post_subject:  

Could it be a simple connection test? (I'm still on a custom version of Puppy 4.3.1, so I don't know what 5.0.1 does :oops: )

Some years ago, I learned from posts (somewhere... I don't remember where or what forum) that a quick and simple way to test the connection is to ping Google or Microsoft's sites (those, among a few others, simply because they're most likely to be up, running and present).
