Outbounds to Google ? WTF !

Discussion in 'privacy problems' started by CloneRanger, Oct 30, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Just been checking my outbound connections with CurrPorts and found some Very disturbing ones :eek:

    74.125.77.121 = Google Inc - Port 80 http

    173.194.37.190 = Google Inc - Port 443 https

    So i closed FF cleaned out my cache and reloaded FF, and came here. Straightaway i got a 74.125.77.121 = Google Inc - Port 80 http connection, as well as the Wilders ones of course. I'm NOT saying it's Anything to do with Wilders.

    I recently updated FF to v3.6.11 and also updated 2 Add Ons yesterday, which were NoScript to v2.0.4 and Ghostery to v2.4.1 Plus i added another new one, which i disabled to eliminate that possibility.

    I'm going to disable ALL my Add Ons and see what happens without them, and then one by one enable them all to find the culprit/s.

    In the meantime i've posted this as a heads up so you can check and see if it's happening to you.

    I searched for Google with about:config and saw these entries.

    google.gif

    I'm guessing that the Strings are not in themselves responsible ? and the ones i've set to True are OK. The Integer entry is AFAIK "supposed" to be long enough not to make contact ? So if ALL those entries are OK, then it's none of those causing the connections. If anyone sees a problem with ANY of them, please advise :thumb:

    Once i've established what the issue/s is/are i'll let you know.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I've seen this behavior with Chromium, but only for https connections. It happens when I open it. I always thought that this https connection was related to safebrowsing database (it downloads it). But, looking at your image, I see that it is http traffic, or doesn't Firefox download it? Will it just check against the online safebrowsing database?

    -Edit-

    The picture shows https connections as well for safebrowsing. :)

    Anyways, this is the IP I see here 173.194.36.104. The range is 173.194.0.0 - 173.194.255.255.

    I don't know if blocking this entire IP range would cripple other services, like gmail. Never actually tried it.

    -edit-

    mail.google.com translates to 209.85.229.18. IP range is 209.85.128.0 - 209.85.255.255.

    No harm blocking the other IP range.

    These ones are also for gmail 216.239.32.0/19; 64.233.160.0/19; 66.249.80.0/20; 72.14.192.0/18; 209.85.128.0/17; 66.102.0.0/20; 74.125.0.0/16; 64.18.0.0/20; 207.126.144.0/20
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    If you update again it will update to 3.6.12. This fixes the latest flaw
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ m00nbl00d

    Yes i wondered if it might be related in some way/s to safebrowsing, but as i've disabled both options how can this be ?

    I went ahead and put these into my HOSTS file.

    74.125.77.121 = Google Inc

    173.194.37.190 = Google Inc

    But still get the 74.125.77.121 connection ? :(

    I checked to see if i could still surf to Google, and i can. I expect it's a different IP.

    OK, just have :thumb:

    I looked at the release notes, but didn't understand how it relates to my issues. Could you please explain :)

    TIA
     
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That makes sense. A HOSTS file doesn't block IPs. It blocks domains. You can't place 127.0.0.1 (or 0.0.0.0) xxx.xxx.xxx.xxx (the IP).
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    From your link

    That's good of course, but as i have SafeBrowsing disabled i don't see the relation to my outbounds to Google ?

    So i'm still puzzled :(

    If you could say exactly how this update affects my situation, i would be grateful :)
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Maybe the safebrowsing database still gets downloaded anyway o_O
     
  9. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Exactly, it has nothing to do with your present issue. It is a wider security fix for Firefox. The update was only mentioned because you were on a lower version and not as a solution to this issue.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Duh :oops:

    So what's the best way to configure these in my HOSTS ?

    127.0.0.0 ?

    Obviously i don't want to block ALL of google, just the ones that relate to the outbounds

    TIA
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I would hope not :eek: That would be very bad practice, surreptitious DL's are not what we expect :( Who knows though, right now i don't, but want to :thumb:

    That's what i thought. So you were just giving me an update heads up. OK well thanks for that :thumb:
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The thing is, you can't block IPs with the HOSTS file, only domains. You can use the portable version of PeerBlock and add those entries to be blocked. Or, perhaps, add them to your firewall, if it allows adding IPs (IP ranges) to be blocked.
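
Added example, not part of the thread and not any poster's code: a small Python check of the point made in posts 6 and 12, showing what the HOSTS entries tried earlier actually do and which observed remote IPs fall inside the ranges quoted in post 2. The names `lint_hosts`, `matching_range` and `SAMPLE_HOSTS` and the host `tracker.example.test` are assumptions made for illustration; the 173.194.x.x range from post 2 is written here as a /16.

```python
import ipaddress

# Ranges quoted in post 2 of the thread (173.194.0.0 - 173.194.255.255 as a /16).
THREAD_RANGES = [ipaddress.ip_network(n) for n in (
    "173.194.0.0/16", "216.239.32.0/19", "64.233.160.0/19", "66.249.80.0/20",
    "72.14.192.0/18", "209.85.128.0/17", "66.102.0.0/20", "74.125.0.0/16",
    "64.18.0.0/20", "207.126.144.0/20")]

# Constructed sample: the two entry styles from the thread plus one name-based entry.
SAMPLE_HOSTS = """\
74.125.77.121 = Google Inc
127.0.0.1 173.194.37.190
127.0.0.1 tracker.example.test
"""

def parse_ip(token):
    """Return an address object, or None if token is not an IP literal."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def lint_hosts(text):
    """Return (line_no, problem) for HOSTS lines that cannot block anything."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        addr, names = parse_ip(fields[0]), fields[1:]   # format: address name [name...]
        if addr is None:
            findings.append((no, "first field is not an address"))
        elif not names:
            findings.append((no, "address with no hostname: maps nothing"))
        elif any(parse_ip(n) is not None for n in names):
            findings.append((no, "hostname field is an IP: never looked up by name"))
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append((no, f"maps {names} to {addr}, does not block it"))
    return findings

def matching_range(remote_ip):
    """Return the thread range containing remote_ip, or None."""
    ip = ipaddress.ip_address(remote_ip)
    return next((net for net in THREAD_RANGES if ip in net), None)

if __name__ == "__main__":
    print(lint_hosts(SAMPLE_HOSTS))
    for ip in ("74.125.77.121", "173.194.36.104", "209.85.229.102", "83.169.39.221"):
        print(ip, "->", matching_range(ip))
```

Only the third sample line is a usable HOSTS entry; addresses that match a range have to be handled by an IP-level rule in a firewall or a tool such as PeerBlock, as post 12 says.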
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yeah bummer, how naff is that :(

    The funny thing is, i'm sure in the past when i used to install various HOSTS files, they had IP's in there ?

    OK thanks i'll try it :thumb:

    Just looked/tried to see if i could. But ZA free v5.5.062.000 doesn't "appear" to be able to do that :(
     
  14. katio

    katio Guest

    Load up wireshark and see what exactly is being sent to that IP.

    Try creating a new firefox profile, disable all safebrowsing features and check again. You can do so by typing "firefox -P" into the run dialog and following along the GUI options.
     
  15. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    378
    Location:
    England
    Just out of curiosity, I checked CurrPorts and also saw 173.194.36.104 amongst several other "unusual" connections that I couldn't initially account for straight away.....one was to MS that I recall.

    CurrPorts did NOT specify that it was Firefox making the outbound connection from what I could see, but rather an Unknown process.

    Haven't had chance to try to check what's going on yet, but will be following this thread in case any more info appears in the meantime.
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I DL'd it and tried, but couldn't get it to run ? :(

    Thanks :thumb: i'll try that with SD enabled so i can go straight back.

    @ Fad

    Yeah 173.194.36.104 = Google too :thumbd:

    Do you have MS updates on auto ? If not :eek: Be interesting to find out what those others are as well :thumb:

    Yes i also see Unknowns off and on too ?
     
  17. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    378
    Location:
    England
    To my (limited) knowledge, I have everything that may connect to MS turned off.
    The only thing that is allowed to autoupdate is Prevx, so that particular one did make me wonder.

    As I said, I haven't really done much detective work yet and can't say what's happening routinely, but some of them do seem sporadic - and appear then disappear randomly, or rather - not when Firefox loads up initially for example.

    It would be interesting to find out what these things could be just out of curiosity.
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    :thumb:

    Hope it's not Prevx :eek: Can't see why it would, but ?

    I know what you're saying !

    Absolutely :thumb:
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ katio

    Tried your "firefox -P" trick, Thanks :thumb:

    Out of interest, if i did that without using ShadowDefender to revert to afterwards, would i lose ALL my about:config settings etc ?

    Disabled ALL my Add Ons & one by one enabled them, each time re-launching FF until i discovered the culprit.

    This is what causes the Google connections :mad: This little bugger

    long.gif

    Who would have thought it ?

    https://addons.mozilla.org/en-US/firefox/addon/9549

    http://www.longurlplease.com

    Don't know if it's related to this, or not ?

    He has a new version now

    So i thought i'd see what that does ! Sure enough i get an outbound :( but this time to - 83.169.39.221 = indisposable.de Whatever/whoever that is, or what it's supposed to do ?

    Closed & relaunched FF numerous times to test, and off & on these IP's also appeared :eek:

    173.194.36.104 = Google Inc.

    209.85.229.102 = Google Inc.

    Very bad practice indeed. So i won't be using those Long URL Add Ons ANY more :thumbd:

    I'll be keeping my eyes on CurrPorts to make sure nothing else is outbounding, without my permission.
     
    Last edited: Oct 31, 2010
  20. katio

    katio Guest

    No.
    To be on the safe side you can backup the folder %APPDATA%\Roaming\Mozilla\Firefox\Profiles
    But as long as you don't delete any profile you won't lose your settings.
    More info...
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    To be sure FF doesn't download the safebrowsing database, change all the safebrowsing URLs to "none" or something invalid in about:config in your screenshot. Also, keyword.URL is for when you don't type the complete website or forget .com and things like that. For example, if you type wilderssecurity.com the browser itself can change it to https://www.wilderssecurity.com, but if it can't discern what the user wanted then it will do a search query, ask the search provider specified by keyword.URL for the first hit and go there instead of giving an error. You can turn that off (set keyword.enabled to false) or change it to Scroogle (http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=) for example to make sure Google isn't contacted by that feature.

    EDIT: I just read you already found the culprit, anyway the keyword.URL is still nice to change or disable if you don't like Google.
     
    Last edited: Oct 31, 2010
  22. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    'IP : 83.169.39.221:27015 ; [ISE69] Counter-Strike: Source -- Bot Server' (link)

    '83.169.39.221:27015 [Launch] de_cbble' (link) ;related to the 'indisposable.de' perhaps?
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ BoerenkoolMetWorst

    Thank you Sir :thumb: I was hoping someone would respond to those entries i mentioned about safebrowsing in my screenie in Post # 1 :)

    I've now changed ALL google entries to something benign ;)

    @ Baserk

    Thanks :thumb: Yes that's a bit disconcerting :( I'll keep my eyes on things, even though i've disabled Long URL.
     
  24. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Triple Helix

    Yes you remembered correctly i'm still using Win XP/SP2 :)

    Thanks for the Port Explorer link :thumb: It does indeed supply a lot more info etc. So far so good, as google connections go anyway ;)
     