question about strange js and connections from browser

Discussion in 'other software & services' started by LMHmedchem, May 30, 2014.

Thread Status:
Not open for further replies.
  1. LMHmedchem

    LMHmedchem Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    28
    Hello,

    I'm not sure this is the right place to post, but this forum seemed to be the closest I could find to what I was looking for. I apologize in advance if this is in the wrong place.

    I use seamonkey 2.26 for a browser and I have lately noticed something strange. When I visit the website for one of my credit cards, I need to let noscript allow temporary js permissions for the domain. After I allow the temporary permissions, there are then two additional IP addresses (not domains) that are listed as wanting to run js. The odd thing is that the addresses are local host (127.0.0.1) and my own IP address from my ISP. It would appear that something at my IP address wants to run js on the webpage from my credit card and this makes no sense. I am not running any servers here.

    Even more strange, I also get a popup from my firewall (Comodo ISP) saying that seamonkey wants permission to connect to the same IP address. This is a TCP connection at a port other than 80, so it's not normal web traffic. Why would seamonkey want to connect to the computer that it's running on at some random port? What would it be connecting to? Again, I'm not running any server process that a client app would normally connect to (sshd, ftp, Apache, etc).

    A while ago I remember that when I would start seamonkey, I would get a prompt to allow a cookie to be set from my IP address. This also seemed odd. What would there be at my own IP that would be running code and try to set a cookie in my browser? That issue went away and I haven't run into it since.

    I would like to know if anyone has any idea what is going on here and can provide me with some information. If this is not the right place to post a message on this topic, I would appreciate a push in the right direction.

    LMHmedchem
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, if you give us the CC www link we can check it on our browsers.
     
  3. LMHmedchem

    LMHmedchem Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    28
    This is the site,

    https://www.capitalone.com/

    I am in a different profile at the moment, but I still get the noscript entries.

    LMHmedchem
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Can you post a screenshot of the two additional js local host (127.0.0.1) IP addresses

    I'm wondering if you have for eg, Trusteer Rapport installed ?
     
  5. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    747
    Location:
    Canada
    I use Chromium and I also see the same thing. Here are the URLs (these are XmlHttpRequests):

    https://[my ip address]/NonExistentImage16368.gif
    https://127.0.0.1/NonExistentImage15486.gif

    Looks like the site is doing some tests to see if your connection is intercepted? The expected result is failure, and I suppose that would raise a flag if the answer to the above requests wasn't a failure.
     
Loading...
Thread Status:
Not open for further replies.