Puppy Linux Discussion Forum

fucimin · Joined: 18 Apr 2011 Posts: 4

Hope this is the right place.
Hi all, I'm a new happy puppy linux user.
Do you know why puppy always connects to 50.56.84.181? All browsers are closed and this happens when puppy finds out the internet link.
I'm using 5.2.5 puppy version.

Thanks in advance!
Carlo

Flash · Posted: Mon 18 Apr 2011, 08:54 Post subject:

That translates to http://majorhayden.com/. What gives?

fucimin · Joined: 18 Apr 2011 Posts: 4

Bernie_by_the_Sea · Joined: 09 Feb 2011 Posts: 329

Curious.

Major Hayden is an expert on Linux and by that I mean he gets paid for advising on Linux and for teaching Linux by such proprietary Linux developers as Red Hat.

This isn't malware or harmful by how in the world did it get in a new install of Puppy? Is someone counting how many people install Puppy?

rcrsn51 · Posted: Mon 18 Apr 2011, 11:39 Post subject:

Some Puppy versions ping a known Internet site to confirm that a live network has been established. That seems like an odd choice.

James C · Joined: 26 Mar 2009 Posts: 4741 Location: Kentucky

There was a similar thread to this here
http://www.murga-linux.com/puppy/viewtopic.php?p=446990&search_id=543813567#446990

nooby · Joined: 29 Jun 2008 Posts: 9385 Location: SwedenEurope

No demands at all but is there not even more such threads. Some time ago fail to remember when I did a search and this is a repeating pattern.

Me, Myself and I also felt alarmed by this behavior. Okay not all Newbies react like me but enough many write to the forum. Think of all the people that never writes to forums.

so my kind and humble advice would be to place an explanation that every user see on the welcome screen when they boot up the first time.

Is that unrealistic to wish Smile

Flash · Posted: Mon 18 Apr 2011, 15:36 Post subject:

Could it be a way for him to get a lot of hits to his website and therefore rank it higher in a Google search? In any case it begs the question: how did this get in Puppy? Is is an example of a rootkit in action?

nooby · Joined: 29 Jun 2008 Posts: 9385 Location: SwedenEurope

As you know I have a bad memory but AFAIK the programmers need a reliable server that they know have 100% uptime and then they use that one and ping it to get if the LAN or WAN are working.

Some of the devs used Google server but that got much criticism too so maybe they switch to him as a Linux guy?

Part vague memory and part wild guess.

The purpose is to fast find out if it works.

scsijon · Posted: Tue 19 Apr 2011, 02:03 Post subject:

it's a google session start address,

but i've been unable to track within puppy from where it is being started, could those with a bit more networking knowledge please help.

and I have only the network up, no browsers or other external use packages, nothing shows in logs either!

Alternately sugest where / how to deny it!

thanks
scsijon

01micko · Joined: 11 Oct 2008 Posts: 7018 Location: qld

see /usr/sbin/ipinfo

This has been discussed many times. If you don't like it remove it.

scsijon · Posted: Sat 23 Apr 2011, 19:24 Post subject:

mick,

all I wanted to do is be able to find where the link was coming from and if needed set it for somewhere else, ie control the call, especially with google being somewhat on the 'nose'.

thanks for the reply, I wondered why a find didn't find it.

scsijon

fucimin · Joined: 18 Apr 2011 Posts: 4

Hi all, to drop that connection to the link 50.56.84.181, I run the command:
iptables -A OUTPUT -d 50.56.84.181 -j DROP

If I check with iptables -L, then I find the destination argon.mhtx.net blocked:

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID
DROP all -- anywhere argon.mhtx.net

Unfortunately command iptables-save seems not to save the rule, and when I restart puppy I have to enter the first command again Sad

When that connection drops, I noticed that if do the ipinfo, then in Interfaces tab there is External IP number no more but internet still runs.

I hope this could help some more skilled than me.
Regards
Carlo

2byte · Joined: 09 Oct 2006 Posts: 356

The fix for this was reported here last October. http://murga-linux.com/puppy/viewtopic.php?p=455824#455824

A simple fix, never implemented in Puppy.

CLAM01 · Joined: 22 May 2010 Posts: 68

To answer the question asked in this thread, "Who is Major Hayden? ", here is a recent quote by now General Hayden:

[““As an intelligence professional, I stand back in absolute awe and wonderment at the Chinese espionage effort against the United States of America,” Gen. Michael Hayden, the former CIA director, said at cyber security conference last year. “It is magnificent in its breath, its depth and its efficiency.””]

This indicates the address queried about in this thread, 50.56.84.181, probably a CIA net-connection monitoring site. Connection monitors record times and addresses and MAC IDs. Theoretically if anything should ever flag as a threat in connection to the MAC the monitor system record can be combed to obtain a general previous connection pattern for the MAC, if it was disconnected and reconnected. Used to be the CIA recorded outside the USA, the FBI in, though both fudged, with other agencies, private and of other nations doing the same. Usually no one shared, since sharing would reveal doing or extent of doing.

Today at least four of these auto-triggered "connection-test" sites are ubiquitous, becoming built-in for being included in programs connection program builders use. Some are added after. Not all are public agency maintained. They are potential-spyware, since the data recorded is for use only if a reason to wonder should ever arise...

Today, of course, mobile-phones record more, more gratuitously and more geographically accurately, with your phone conversations also being recorded. Recorded by Big-Brother Government in places like China, and by obedient private enterprises, "As Required By Law", in places like the USA, where the "Democratic Government" façade is maintained.