No Script connect unknown IP 77.222.148.121 Why?
-
D7001
No Script connect unknown IP 77.222.148.121 Why?
When I run my browser, NoScript makes a short connection (2-3 sec) to w3.hackademix.net and a long connection (3-5 min) to 77.222.148.121. Why?
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
-
D7001
Re: Update
Update: also 77.222.148.105 
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Re: No Script connect unknown IP 77.222.148.121 Why?
NoScript does make connections on startup, but that IP doesn't look right...
Please install HTTPFox and set it to monitor requests on browser startup, and post here any traffic not related to whatever pages you set to open on browser startup. (Will be easier if you temporarily set browser to start up to only something local, such as about:mozilla; then you can just post the whole HTTPFox log.)
Code:
$ dig -x 77.222.148.121
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -x 77.222.148.121
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16421
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;121.148.222.77.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
148.222.77.in-addr.arpa. 1799 IN SOA datagroup.com.ua. hostmaster.newline.net.ua. 2015120500 28800 7200 2419200 86400
;; Query time: 178 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: xxxxxxxxxxxxxxxxxxx
;; MSG SIZE rcvd: 131
*Always* check the changelogs BEFORE updating that important software!
-
Re: No Script connect unknown IP 77.222.148.121 Why?
D7001 wrote:Update: also 77.222.148.105
Yeah, same-looking reverse DNS lookup...
*Always* check the changelogs BEFORE updating that important software!
-
-
D7001
Re: No Script connect unknown IP 77.222.148.121 Why?
barbaz wrote:Please install HTTPFox and set it to monitor requests on browser startup, and post here any traffic not related to whatever pages you set to open on browser startup. (Will be easier if you temporarily set browser to start up to only something local, such as about:mozilla; then you can just post the whole HTTPFox log.)
Code:
00:00:01.463 2.622 123 182 GET 200 text/plain https://secure.informaction.com/ipecho/
00:00:03.463 0.433 448 743 POST 200 application/ocsp-response http://ocsp.int-x3.letsencrypt.org/
00:00:03.493 0.466 448 743 POST 200 application/ocsp-response http://ocsp.int-x3.letsencrypt.org/
00:00:04.086 94.704 100 0 GET (Error) NS_ERROR_ABORT http://91.***.***.***/
00:01:38.791 * 422/422 * GET * * https://forums.informaction.com/viewtopic.php?f=7&t=21819
Last edited by barbaz on Tue Apr 12, 2016 5:27 pm, edited 1 time in total.
Reason: partially obscure user's WAN IP
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
-
D7001
Re: No Script connect unknown IP 77.222.148.121 Why?
If NoScript is disabled, there are no connections to 77.222.148.***
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Re: No Script connect unknown IP 77.222.148.121 Why?
That's odd. Those are just the expected connections made by NoScript, but none of those domains should look up to an IP in that range:
What does your DNS lookup of those domains show? (Command Prompt, use nslookup as in this example: )
Code:
$ dig secure.informaction.com
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> secure.informaction.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28972
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;secure.informaction.com. IN A
;; ANSWER SECTION:
secure.informaction.com. 74736 IN A 69.195.158.197
secure.informaction.com. 74736 IN A 69.195.158.194
secure.informaction.com. 74736 IN A 69.195.158.198
secure.informaction.com. 74736 IN A 69.195.158.196
secure.informaction.com. 74736 IN A 69.195.158.195
;; Query time: 6 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: xxxxxxxxxxxxxxx
;; MSG SIZE rcvd: 121
Code:
$ dig ocsp.int-x3.letsencrypt.org
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61253
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org. IN A
;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 564 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 13409 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 5 IN A 23.217.138.120
a771.dscq.akamai.net. 5 IN A 23.217.138.72
;; Query time: 35 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: xxxxxxxxxxxxxxx
;; MSG SIZE rcvd: 174
Code:
nslookup secure.informaction.com
*Always* check the changelogs BEFORE updating that important software!
-
-
D7001
Re: No Script connect unknown IP 77.222.148.121 Why?
D7001 wrote:Update: also 77.222.148.105
barbaz wrote:Yeah, same-looking reverse DNS lookup...
What does this mean?
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
-
D7001
Re: No Script connect unknown IP 77.222.148.121 Why?
barbaz wrote:What does your DNS lookup of those domains show? (Command Prompt, use nslookup as in this example: )
Code:
nslookup secure.informaction.com
Code:
nslookup secure.informaction.com
Server: 127.0.1.1
Address: 127.0.1.1#53
Non-authoritative answer:
Name: secure.informaction.com
Address: 69.195.158.197
Name: secure.informaction.com
Address: 69.195.158.196
Name: secure.informaction.com
Address: 69.195.158.198
Name: secure.informaction.com
Address: 69.195.158.195
Name: secure.informaction.com
Address: 69.195.158.194
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Re: No Script connect unknown IP 77.222.148.121 Why?
Great, your DNS lookup of secure.informaction.com is correct, now can you please repeat that for ocsp.int-x3.letsencrypt.org ?
(And what are your actual DNS server(s)? You seem to be running some sort of DNS proxy...)
D7001 wrote:Update: also 77.222.148.105
barbaz wrote:Yeah, same-looking reverse DNS lookup...
D7001 wrote:What does this mean?
It means basically that both those IPs likely belong to the same entity.
(What I don't understand is what NXDOMAIN status means in that context, when it's returning a domain...)
*Always* check the changelogs BEFORE updating that important software!
-
-
D7001
Re: No Script connect unknown IP 77.222.148.121 Why?
barbaz wrote:It means basically that both those IPs likely belong to the same entity.
(What I don't understand is what NXDOMAIN status means in that context, when it's returning a domain...)
Unknown entity. I cannot understand why NoScript makes connections to these IPs. I like NoScript but it looks like spyware. What should I do?
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
-
D7001
Re: No Script connect unknown IP 77.222.148.121 Why?
barbaz wrote:Great, your DNS lookup of secure.informaction.com is correct, now can you please repeat that for ocsp.int-x3.letsencrypt.org ?
(And what are your actual DNS server(s)? You seem to be running some sort of DNS proxy...)
Code:
nslookup ocsp.int-x3.letsencrypt.org
Server: 127.0.1.1
Address: 127.0.1.1#53
Non-authoritative answer:
ocsp.int-x3.letsencrypt.org canonical name = ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net canonical name = a771.dscq.akamai.net.
Name: a771.dscq.akamai.net
Address: 77.222.148.105
Name: a771.dscq.akamai.net
Address: 77.222.148.121
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Re: No Script connect unknown IP 77.222.148.121 Why?
So that answers the question "why NoScript cause connections to those IPs" - the OCSP server for secure.informaction.com / LetsEncrypt is hosted by akamai and that's what DNS lookup of that akamai domain is returning.
If there is anything malicious here it's not on NoScript's side or even your browser.
*Always* check the changelogs BEFORE updating that important software!
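Added example (not part of the thread and not any poster's code): the attribution done by hand above, mapping an unexpected destination IP back to the hostname the browser actually requested by following CNAME chains in a resolver's answers. The records are constructed from the dig and nslookup answers quoted in this thread, re-expressed in dig record format; the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample input: answer records taken from the dig/nslookup output
# quoted in this thread (barbaz's resolver view and D7001's resolver view).
RESOLVER_A = """\
secure.informaction.com. 74736 IN A 69.195.158.197
ocsp.int-x3.letsencrypt.org. 564 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 13409 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 5 IN A 23.217.138.120
a771.dscq.akamai.net. 5 IN A 23.217.138.72
"""
RESOLVER_B = """\
ocsp.int-x3.letsencrypt.org. 564 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 13409 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 5 IN A 77.222.148.105
a771.dscq.akamai.net. 5 IN A 77.222.148.121
"""
REQUESTED = ["secure.informaction.com", "ocsp.int-x3.letsencrypt.org"]  # from the HTTPFox log
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")

def parse_answers(text):
    """Return (cnames, addrs): alias -> target name, and name -> set of IPs."""
    cnames, addrs = {}, {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip dig comment lines (";...") and blanks
        name, rtype, value = m[1].rstrip(".").lower(), m[2], m[3].rstrip(".").lower()
        if rtype == "CNAME":
            cnames[name] = value
        else:
            addrs.setdefault(name, set()).add(ipaddress.ip_address(value))
    return cnames, addrs

def attribute_ip(ip, requested_hosts, answers_text):
    """Map an observed IP to each requested host that resolves to it, with its CNAME chain."""
    cnames, addrs = parse_answers(answers_text)
    target = ipaddress.ip_address(ip)
    hits = {}
    for host in requested_hosts:
        chain = [host.lower()]
        while chain[-1] in cnames and cnames[chain[-1]] not in chain:  # stop on CNAME loops
            chain.append(cnames[chain[-1]])
        if target in addrs.get(chain[-1], ()):
            hits[host] = chain
    return hits

if __name__ == "__main__":
    print(attribute_ip("77.222.148.121", REQUESTED, RESOLVER_B))
```

An empty result for an observed IP means none of the logged hostnames resolves to it under that resolver's answers, so the connection has to be explained some other way.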
-
-
D7001
Re: No Script connect unknown IP 77.222.148.121 Why?
barbaz wrote:So that answers the question "why NoScript cause connections to those IPs" - the OCSP server for secure.informaction.com / LetsEncrypt is hosted by akamai and that's what DNS lookup of that akamai domain is returning.
If there is anything malicious here it's not on NoScript's side or even your browser.
I changed my DNS to Google DNS 8.8.8.8 and NoScript connects to IP 87.245.222.216.
HttpFox:
Code:
00:00:01.500 2.596 123 182 GET 200 text/plain https://secure.informaction.com/ipecho/
00:00:03.658 0.380 448 743 POST 200 application/ocsp-response http://ocsp.int-x3.letsencrypt.org/
00:00:04.097 * 100/100 * GET * * http://91.*.*.*/
00:01:00.677 * 422/422 * GET * * https://forums.informaction.com/viewtopic.php?f=7&t=21819
00:01:00.984 0.721 446 7987 GET 200 text/html https://forums.informaction.com/viewtopic.php?f=7&t=21819
00:01:01.122 0.056 448 743 POST 200 application/ocsp-response http://ocsp.int-x3.letsencrypt.org/
I want to understand why this is happening. Who are letsencrypt.org?
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
-
D7001
Re: No Script connect unknown IP 77.222.148.121 Why?
D7001 wrote:I changed my DNS to Google DNS 8.8.8.8 and NoScript connects to IP 87.245.222.216.
Update: I deleted NoScript but have connections to 87.245.222.216 and 87.245.222.206 when I come to this forum.
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0