Outbounds to Google ? WTF !

Just been checking my outbound connections with CurrPorts and found some Very disturbing ones

74.125.77.121 = Google Inc - Port 80 http

173.194.37.190 = Google Inc - Port 443 https

So i closed FF cleaned out my cache and reloaded FF, and came here. Straightaway i got a 74.125.77.121 = Google Inc - Port 80 http connection, as well as the Wilders ones of course. I'm NOT saying it's Anything to do with Wilders.

I recently updated FF to v3.6.11 and also updated 2 Add Ons yesterday, which were NoScript to v2.0.4 and Ghostery to v2.4.1 Plus i added another new one, which i disabled to eliminate that possibility.

I'm going to disable ALL my Add Ons and see what happens without them, and then one by one enable them all to find the culprit/s.

In the meantime i've posted this as a heads up so you can check and see if it's happening to you.

I searched for Google with about:config and saw these entries.



I'm guessing that the Strings are not in themselves responsible ? and the ones i've set to True are OK. The Integer entry is ASFAIK "supposed" to be long enough not to make contact ? So if ALL those entries are OK, then it's none of those causing the connections. If anyone sees a problem with ANY of them, please advise

Once i've established what the issue/s is/are i'll let you know.

 

I've seen this behavior with Chromium, but only for https connections. It happens when I open it. I always thought that this https connection was related to safebrowsing database (it downloads it). But, looking at your image, I see that it is http traffic, or doesn't Firefox download it? Will it just check against the online safebrowsing database?

-Edit-

The picture shows https connections as well for safebrowsing.

Anyways, this is the IP I see here 173.194.36.104. The range is 173.194.0.0 - 173.194.255.255.

I don't know if blocking this entire IP range would cripple other services, like gmail. Never actually tried it.

-edit-

mail.google.com translates to 209.85.229.18. IP range is 209.85.128.0 - 209.85.255.255.

No harm blocking the other IP range.

This ones are also for gmail 216.239.32.0/19; 64.233.160.0/19; 66.249.80.0/20; 72.14.192.0/18; 209.85.128.0/17; 66.102.0.0/20; 74.125.0.0/16; 64.18.0.0/20; 207.126.144.0/20

 

If you update again it will update to 3.6.12. This fixes the latest flaw

 

@ m00nbl00d

Yes i wondered if it might be related in some way/s to safebrowsing, but as i've disabled both options how can this be ?

I went ahead and put these into my HOSTS file.

74.125.77.121 = Google Inc

173.194.37.190 = Google Inc

But still get the 74.125.77.121 connection ?

I checked to see if i could still surf to Google, and i can. I expect it's a different IP.

OK, just have

I looked at the release notes, but didn't understand how it relates to my issues. Could you please explain

TIA

 

It helps with this latest flaw
http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/

 

That makes sense. A HOSTS file doesn't block IPs. It blocks domains. You can't place 127.0.0.1 (or 0.0.0.0) xxx.xxx.xxx.xxx (the IP).

 

From your link

That's good of course, but as i have SafeBrowsing disabled i don't see the relation to my outbounds to Google ?

So i'm still puzzled

If you could say exactly how this update affects my situation, i would be grateful

 

Maybe the safebrowsing database still gets downloaded anyway

 

Exactly it has nothing to do with your present issue. It is a wider security fix for Firefox. The update was only mentioned because you were on a lower version and not as a solution to this issue.

 

Duh

So what's the best way to configure these in my HOSTS ?

127.0.0.0 ?

Obviously i don't want to block ALL of google, just the ones that relate to the outbounds

TIA

 

I would hope not That would be very bad practice, surreptitious DL's are not what we expect Who knows though, right now i don't, but want to

That's what i thought. So you were just giving me an update heads up. OK well thanks for that

 

The thing is, you can't block IPs with the HOSTS file, only domains. You can use the portable version of PeerBlock and add those entries to be blocked. Or, perhaps to your firewall, if it allows to add IPs (IP ranges) to be blocked.

 

Yeah bummer, how naff is that

The funny thing is, i'm sure in the past when i used to install various HOSTS files, they had IP's in there ?

OK thanks i'll try it

Just looked/tried to see if i could. But ZA free v5.5.062.000 doesn't "appear" to be able to do that

 

Load up wireshark and see what exactly is being sent to that IP.

Try creating a new firefox profile, disable all safebrowsing features and check again. You can do so by typing "firefox -P" into the run dialog and following along the GUI options.

 

Just out of curiosity, I checked CurrPorts and also saw 173.194.36.104 amongst several other "unusual" connections that I couldn`t initially account for straight away.....one was to MS that I recall.

CurrPorts did NOT specify that it was Firefox making the outbound connection from what I could see, but rather an Unknown process.

Haven`t had chance to try to check what`s going on yet, but will be following this thread in case any more info appears in the meantime.

 

I DL'd it and tried, but couldn't get it run ?

Thanks i'll try that with SD enabled so i can go straight back.

@ Fad

Yeah 173.194.36.104 = Google too

Do you have MS updates on auto ? If not Be interesting to find out what those others are as well

Yes i also see Unknowns off and on too ?

 

To my (limited) knowledge, I have everything that may connect to MS turned off.
The only thing that is allowed to autoupdate is Prevx, so that particular one did make me wonder.

As I said, I haven`t really done much detective work yet and can`t say what`s happening routinely, but some of them do seem sporadic - and appear then disappear randomly, or rather - not when Firefox loads up initially for example.

It would be interesting to find out what these things could be just out of curiosity.

 

Hope it's not Prevx Can't see why it would, but ?

I know what you're saying !

Absolutely

 

@ katio

Tried your "firefox -P" trick, Thanks

Out of interest, if i did that without using ShadowDefender to revert to afterwards, would i lose ALL my about:config settings etc ?

Disabled ALL my Add Ons & one by one enabled them, each time re-launching FF until i discovered the culprit.

This is what causes the Google connections This little bugger



Who would have thought it ?

https://addons.mozilla.org/en-US/firefox/addon/9549

http://www.longurlplease.com

Don't know if it's related to this, or not ?

He has a new version now

So i thought i'd see what that does ! Sure enough i get an outbound but this time to - 83.169.39.221 = indisposable.de Whatever/whoever that is, or what it's supposed to do ?

Closed & relaunched FF numerous times to test, and off & on these IP's also appeared

173.194.36.104 = Google Inc.

209.85.229.102 = Google Inc.

Very bad practice indeed So i won't be using those Long URL Add Ons ANY more

I'll be keeping my eyes on CurrPorts to make sure nothing else is outbounding, without my permission.

 

No.
To be on the safe side you can backup the folder %APPDATA%\Roaming\Mozilla\Firefox\Profiles
But as long as you don't delete any profile you won't lose your settings.
More info...

 

To be sure FF doesn't download the safebrowsing database, change all the safebrowsing URL's to "none" or something invalid in about:config in your screenshot. Also keyword.URL is for when you don't type the complete website or forgetting .com and things like that. For example if you type wilderssecurity.com the browser itself can change it to https://www.wilderssecurity.com but if it can't discern what the user wanted then it will do a search query and asks the searchprovider specified by the URL for keyword.URL for the first hit and goes there instead of giving an error. You can turn that off(set keyword.enabled to false) or change it to Scroogle(http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=) for example to make sure Google isn't contacted by that feature.

EDIT: I just read you already found the culprit, anyway the keyword.URL is still nice to change or disable if you don't like Google.

 

'IP : 83.169.39.221:27015 ; [ISE69] Counter-Strike: Source -- Bot Server' (link)

'83.169.39.221:27015 [Launch] de_cbble' (link) ;related to the 'indisposable.de' perhaps?

 

@ BoerenkoolMetWorst

Thank you Sir I was hoping someone would respond to those entries i mentioned about safebrowsing in my screenie in Post # 1

I've now changed ALL google entries to something benign

@ Baserk

Thanks Yes that's a bit disconcerting I'll keep my eyes on things, even though i've disabled Long URL.

 

If I remember correctly you are still using Win XP download Port Explorer and you can see more info as to what is contacting Google! It good for 30 days or 50 uses as you can't buy it no more! http://download.cnet.com/DiamondCS-Port-Explorer/3000-2085_4-10191769.html

HTH,

TH

 

@ Triple Helix

Yes you remembered correctly i'm still using Win XP/SP2

Thanks for the Port Explorer link It does indeed supply a lot more info etc. So far so good, as google connections go anyway