puppy 501 hooking up

800
Posts: 17
Joined: Tue 31 Aug 2010, 17:28

puppy 501 hooking up

#1 Post by 800 »

Hi All

When pup 500 and 501 boot they make connections to 74.125.53.106 and to 174.143.209.250. The first connection disappears pretty quickly, but the second one hangs up and remains connected, even though LAST_ACK is sent.

This looks very suspicious to me, especially since my Cisco firewall will not allow that second IP to be entered into the block IP window; it returns an error code.

This happens both with my SSD install and with the boot CD.

Why is the puppy connecting to this outside URL? How can I prevent this behavior? What script is making this connection?

I have tried putting the url in the host.deny file but it doesn't deny it.

It's very strange behavior and not something that is security friendly. For example Knoppix live CD does not make any connections when it boots up, and it also establishes the internet connection automatically.

Does anyone have any insight or info about this? You can see it by opening ipinfo and looking at the last tab.

thanks in advance

800
Attachment: pup501ipinfo.png

upnorth
Posts: 287
Joined: Mon 11 Jan 2010, 19:32
Location: Wisconsin UTC-6 (-5 DST)

re: 174.143.209.250

#2 Post by upnorth »

The first one:
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
OriginAS:
NetName: GOOGLE
----------------------
The second one is harmless and a part of the network utility ipinfo, it is to show you your externally visible ipaddress, which is usually the ip address of your cablebox or dsl modem if you have a router in between your box and the service provider's device.

So every time you open ipinfo, the brief connection is made. I did block it once for a test, using the rc.firewall file; I don't know why your firewall won't accept it.

line 21 of ipinfo:
var0="`wget -O - -q icanhazip.com`"

Icanhazip.com
icanhazip.com IP:
174.143.209.250
icanhazip.com server location:
San Antonio in United States
icanhazip.com ISP:
Rackspace Hosting

In terminal, you can instead use: netstat -tu or netstat -tn to see ip connections. In that case, you shouldn't see the 174.143.209.250 address.

If no internet apps are open when you do this, you shouldn't see anything.
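To trace an unexplained connection back to the script that makes it, the same way the wget line in ipinfo was found above, here is an added example (not from this thread and not part of Puppy) that searches the directories you name for shell scripts calling wget, curl, nc or ping and prints the host each call contacts. The tool names, the directory choice and the fake ipinfo written by demo are all assumptions or constructed for the demonstration.

```shell
#!/bin/sh
# find_phone_home.sh - added example, not from the Puppy forum thread or the
# Puppy project. Lists script lines that run a network-fetching tool and the
# host each one contacts, so an unexplained connection can be matched to the
# script that makes it. The tools searched for and the directories are
# assumptions; adjust both to the system being audited.

# find_phone_home DIR... : print "file:line:host" for every line under the
# given directories that invokes wget, curl, nc or ping. grep -I skips
# binaries; awk then takes the first IPv4 address, or failing that the first
# dotted name with an alphabetic last label, as the host (a heuristic: a
# filename or version number earlier on the line would win instead).
find_phone_home() {
    grep -rnIE '(^|[^A-Za-z0-9_/])(wget|curl|nc|ping)[[:space:]]' "$@" 2>/dev/null |
    awk '{
        # grep prints file:line:text; peel off the first two fields by hand
        i = index($0, ":"); file = substr($0, 1, i - 1); rest = substr($0, i + 1)
        j = index(rest, ":"); line = substr(rest, 1, j - 1); text = substr(rest, j + 1)
        host = "?"
        if (match(text, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) ||
            match(text, /[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z][A-Za-z]+/))
            host = substr(text, RSTART, RLENGTH)
        print file ":" line ":" host
    }'
}

# Constructed demonstration (no real system files are read): a throw-away
# directory holding a fake "ipinfo" containing the line quoted in the thread,
# a fake connectivity test, and a script that makes no network call at all.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\n# show external address\nvar0="`wget -O - -q icanhazip.com`"\n' > "$dir/ipinfo"
    printf '#!/bin/sh\nping -c 1 203.0.113.9 >/dev/null\n' > "$dir/nettest"
    printf '#!/bin/sh\necho hello\n' > "$dir/quiet"
    find_phone_home "$dir" | sed "s|^$dir/||" | sort
    rm -rf "$dir"
}

# Run as a script: scan the directories given on the command line, or show
# the constructed demonstration when none are given.
if [ $# -gt 0 ]; then
    find_phone_home "$@"
else
    demo   # prints: ipinfo:3:icanhazip.com and nettest:2:203.0.113.9
fi
```

On a live system you would point it at the places startup scripts live (the thread mentions /root/Startup and the rc.* files) and compare the hosts it lists against the addresses seen in ipinfo or netstat.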

Karl Godt
Posts: 4199
Joined: Sun 20 Jun 2010, 13:52
Location: Kiel,Germany

#3 Post by Karl Godt »

http://www.domaincrawler.com/ip/view/ns1.rkrhkr.com

took me to a manuela page

time to get my SecretServiceIntelligenceHat on :D

800
Posts: 17
Joined: Tue 31 Aug 2010, 17:28

#4 Post by 800 »

upnorth,

Thanks for the description. Now I wonder why pup wants to talk to Google. Is there a script that I can reconfigure to stop that behavior?

I just prefer the PARANOID setups. So if there is a way I can retrain him, I'd sure like to know what it is.

For that matter I'd like to give him better manners so he doesn't connect at boot time. Where is that option found?

Thanks again

800

upnorth
Posts: 287
Joined: Mon 11 Jan 2010, 19:32
Location: Wisconsin UTC-6 (-5 DST)

#5 Post by upnorth »

Thanks Karl! for manuela page - should be included in Puppy Documentation :lol:

@800

That Google one is a mystery, unless Firefox, Chrome, Chromium, or some other internet app is open, like an RSS feed or mail app. Firefox and Chrome/Chromium will periodically connect with Google for the "block reported attack sites" and "block reported web forgeries" features, or "fraud protection" as it's called. Also the RSS feeds will automatically connect periodically. Is there any app that starts automatically at system startup? You can look in the folder /root/Startup; those files are all readable in Geany with a right click.

It's possible too with some desktop eyecandy apps like conky and similar widgets.

I can't think of anything at the system level that would make connections automatically.

800
Posts: 17
Joined: Tue 31 Aug 2010, 17:28

#6 Post by 800 »

upnorth

I did some more checking. My current pup, 431, doesn't check any sites that I can detect. Firefox 2.0.0.7 doesn't call out when it opens up.

But the current 51 with the current firefox does call out. I have it connecting to a different site from the ones above, on port 443, the https socket. I'll add the picture when I get that box rebooted.

So it's the new version of the browser plus the new autoconnecting puppy.

I'll 'browse' around about:config to see if there's something going on. I have adblock and noscript add-ons in both versions. They are both configured the same. I will disable them next go-around and see if that alters the behavior.

Is there a script or tail command that would keep netstat -t up and running? It would be great if there was a way to get the monitoring running before the ethernet connection happens. Is there a way to do that?

Anyway, it makes me extremely uncomfortable to have something on my box connecting somewhere without my prior knowledge and consent. I hope I can track it down.

Maybe some more PARANOIDS can check it out too and explain what is happening.

Regards All

800
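One way to answer the question above about keeping netstat running from before the interface comes up, added here as an example and not taken from the thread or from the Puppy project: a POSIX sh script that polls ss or netstat every second and logs each non-LAN peer the first time it appears, with a timestamp. Only the tools it calls (ss, netstat, awk, date) are real; the function names, the default log path and the sample netstat output embedded in it are assumptions or constructed for the demonstration.

```shell
#!/bin/sh
# conn_watch.sh - added example, not from the Puppy forum thread or the Puppy
# project. Logs every new outbound TCP connection as it appears, so a
# connection made during boot can be timestamped and matched to the moment
# the adapter is configured. Needs only POSIX sh, awk and either ss or
# netstat; all function names and paths here are assumptions.

# remote_endpoints: read `netstat -tn` or `ss -tn` lines on stdin and print
# one "ip:port" per remote peer. Both tools put the peer in column 5; header
# lines are skipped because column 5 is not ip:port there. Loopback, 0.0.0.0,
# the RFC 1918 ranges and link-local are dropped so only peers outside the
# LAN are reported (the addresses the thread is worried about).
remote_endpoints() {
    awk '
        $5 ~ /^[0-9.]+:[0-9]+$/ {
            split($5, hp, ":"); split(hp[1], o, ".")
            if (o[1] == 127 || o[1] == 10 || o[1] == 0) next
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) next
            if (o[1] == 192 && o[2] == 168) next
            if (o[1] == 169 && o[2] == 254) next
            print $5
        }'
}

# snapshot: dump the current TCP table with whichever tool is installed.
snapshot() {
    if command -v ss >/dev/null 2>&1; then ss -tn; else netstat -tn; fi
}

# watch_connections [INTERVAL] [LOGFILE]: poll every INTERVAL seconds
# (default 1) and append each peer, the first time it is seen, with a
# timestamp to LOGFILE (default ./conn.log) while also printing it.
watch_connections() {
    interval=${1:-1}; log=${2:-./conn.log}; seen=
    while :; do
        for peer in $(snapshot | remote_endpoints | sort -u); do
            case " $seen " in
                *" $peer "*) ;;   # already logged
                *) seen="$seen $peer"
                   printf '%s new outbound connection to %s\n' \
                       "$(date '+%F %T')" "$peer" | tee -a "$log" ;;
            esac
        done
        sleep "$interval"
    done
}

# Constructed sample of `netstat -tn` output (not a real capture) so the
# parser can be exercised offline; the two public addresses are the ones
# discussed in the thread, the rest is LAN and loopback noise to be ignored.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.5:43210       74.125.53.106:80        TIME_WAIT
tcp        0      0 192.168.1.5:43211       174.143.209.250:80      LAST_ACK
tcp        0      0 192.168.1.5:22          192.168.1.10:51000      ESTABLISHED
tcp        0      0 127.0.0.1:6000          127.0.0.1:40000         ESTABLISHED'

# demo: run the parser over the constructed sample.
demo() { printf '%s\n' "$SAMPLE_NETSTAT" | remote_endpoints | sort -u; }

# `sh conn_watch.sh watch [INTERVAL] [LOGFILE]` starts the monitor; with no
# arguments the script only shows the parser on the sample.
if [ "${1:-}" = "watch" ]; then
    watch_connections "${2:-1}" "${3:-./conn.log}"
else
    demo   # prints 174.143.209.250:80 and 74.125.53.106:80
fi
```

Start it from a terminal before bringing the interface up, or from whatever early boot script the distribution runs before networking, and read the timestamps in the log against the moment the adapter gets its address; a peer that appears at that instant belongs to the network setup, one that appears later belongs to whatever was started in between.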

800
Posts: 17
Joined: Tue 31 Aug 2010, 17:28

#7 Post by 800 »

here's a look at firefox 3.6.8 connecting itself to an outside server.

thoughts?

thanks!
Attachment: firefox_connects_itself.png

Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#8 Post by Makoto »

Firefox 3 has additional features to check for phishing and 'unwanted' sites, so I believe it does request the info from some outside sources (which probably do include Google).

If you want, you can turn this behavior off in Preferences. (I don't remember the exact settings and tabs, as I've uninstalled FF3.6.8 from my Puppy setup, for the moment, and I'm not sitting at any of my other systems with FF3.6.8 installed. :oops: )
[ Puppy 4.3.1 JP, Frugal install ] * [ XenialPup 7.5, Frugal install ] * [XenialPup 64 7.5, Frugal install] * [ 4GB RAM | 512MB swap ]
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#9 Post by rcrsn51 »

Makoto wrote:If you want, you can turn this behavior off in Preferences.
Edit > Preferences > Security > Block reported attack sites and Block reported web forgeries.

Also, Edit > Preferences > Advanced > Automatically check for updates.

800
Posts: 17
Joined: Tue 31 Aug 2010, 17:28

#10 Post by 800 »

thanks guys. I altered all of those preferences and it still hooks up to the 443 socket..... and the Pup makes his connection besides.....

I can't use this version, my favorite, until I get this sorted. thanks for the help.

regards

Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#11 Post by Makoto »

Oh, right, I forgot (but remembered on seeing the URL in your picture above). The NoScript extension just added a feature where it makes a call to the dev's servers about every fifteen minutes or so... (though one of the earliest versions to implement it made the call more often than that.) I forgot the reason why, but I believe the feature's called 'ABE' and is another anti-spoofing measure.

Try disabling NoScript (disabling the extension itself from the Add-Ons window), or the ABE settings in NoScript (NoScript > Options > Advanced tab > ABE tab), then restart Firefox and see if the problem persists.

Edit: Here's what NoScript's dev has to say about ABE: http://hackademix.net/2010/07/28/abe-pa ... r-routers/
The new feature was added in NoScript 2.0, I believe.

800
Posts: 17
Joined: Tue 31 Aug 2010, 17:28

#12 Post by 800 »

Makoto

Thanks so much! That link solves it as far as firefox goes. I am still perplexed about Pup hooking up to google....

Google ?

What was he thinking? Still looking for that one. SOMETHING is making the connection.

thanks and regards,

800

upnorth
Posts: 287
Joined: Mon 11 Jan 2010, 19:32
Location: Wisconsin UTC-6 (-5 DST)

#13 Post by upnorth »

Thought of another thing:

Edit>preferences>general>startup>
select "show a blank page"
and clear out the homepage field

and delete the rss feed to world news that exists on bookmarks bar. after that you can go to http://www.bbc.co.uk/news/ instead and resubscribe there.

800
Posts: 17
Joined: Tue 31 Aug 2010, 17:28

#14 Post by 800 »

Thanks upnorth

those are my default settings. no feeds, blank home page...

I have the firefox issues sorted, but still not getting the Pup Guy's predilection for hooking up, apparently during boot when the adapter is addressed...

thanks all for comments and suggestions

800

Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#15 Post by Makoto »

Could it be a simple connection test? (I'm still on a custom version of Puppy 4.3.1, so I don't know what 5.0.1 does :oops: )

Some years ago, I learned from posts (somewhere... I don't remember where or what forum) that a quick and simple way to test the connection is to ping Google or Microsoft's sites (those, among a few others, simply because they're most likely to be up, running and present).

800
Posts: 17
Joined: Tue 31 Aug 2010, 17:28

#16 Post by 800 »

Makoto

That's a good question. Sorry about the version error, I'm goofy with numbers, the correct version is 5.1.

I wonder why the test isn't satisfied by the lease obtained from the DNS server?

It's somewhere in the code that executes during boot when it gets to the "let's address the adapter and call out now" portion.

Hopefully whoever WROTE THAT PART will fess up and perhaps even teach us how to stop it from happening.

It does not happen in any of the prior versions that I've tried, it perplexes me why it should happen in this guy.

Personally I prefer to have a copy of Pup that doesn't autoconnect for my trouble-shooting-repair CD for fixing the other OS. Heh.

Thanks for the comeback

800

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#17 Post by Aitch »

800

unlike upnorth, I tracked 174.143.209.250 to this

http://urldogg.com/174.143.209.250

http://www.robtex.com/dns/*.evanhayden.net.html

Evan Hayden aka Rackerhacker/pleskhacker.com and mysqltuner.pl. Dedicated server with one IP, located in San Antonio, TX, United States, zip code 78225, area code 210.

http://rackerhacker.com/

I also found a URL which after translation shows 74.125.53.106, which upnorth had as google.com, in a HijackThis listing....many times

http://putera.forumotion.com/utiliti-da ... -t6862.htm

I suspect you may have a rootkit virus or something equally nasty

Clean your PC before using puppy - use an updated AV program

If you have a windows partition check for [and delete] RtkBtMnt.exe if present

I would also reset your router if I were you, as something seems compromised, and I doubt it's Puppy, unless you have a save file it's picking up

Try booting puppy=pfix ram

HTH

Aitch :)

upnorth
Posts: 287
Joined: Mon 11 Jan 2010, 19:32
Location: Wisconsin UTC-6 (-5 DST)

http://www.robtex.com/ip/174.143.209.250.html

#18 Post by upnorth »

I love that robtex site 8)

http://www.robtex.com/ip/174.143.209.250.html

I just installed the ShowIP extension a few days ago and it has robtex on the right-click popup menu; pretty handy.

Btw, if I type just 174.143.209.250 into the URL box on the browser, I get Major Hayden's manual page, which is majorhayden.com.

Here is original link to icanhazip.com with explanation:
http://rackerhacker.com/2009/07/31/get- ... hazip-com/

If I type 74.125.53.106 into the URL box on the browser, the Mountain View chocolate factory comes up :wink: .
Same for this one:
pw-in-f106.1e100.net

Here is another pretty good dns info site:
https://dns.l4x.org/74.125.53.106

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#19 Post by Aitch »

upnorth

/aside

ShowIP extension? The Firefox one? Jan Dittmer again, clever so-and-so...also does a Chrome extension

http://code.google.com/p/firefox-showip ... eExtension

his name crops up all over the place - does kernel cross compiles....

Wonder if he could do puppy/arm kernel??

Jan, if this shows up anywhere....we're in need of assistance! :wink: :lol:

http://l4x.org/

Aitch :)

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#20 Post by nooby »

Wow Aitch you scare the shit out of me. Rootkit?

How does one know? What do you base that fearful conclusion on?
I use Google Search on Puppy Forum
not an ideal solution though
