NoScript connects to unknown IP 77.222.148.121. Why?
Posted: Tue Apr 12, 2016 3:48 pm
D7001 wrote:
When I run my browser, NoScript makes a short connection (2-3 sec) to w3.hackademix.net and a long connection (3-5 min) to 77.222.148.121. Why?
https://forums.informaction.com/
D7001 wrote:
Update: also 77.222.148.105

barbaz wrote:
Yeah, same-looking reverse DNS lookup...
Code:
$ dig -x 77.222.148.121
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -x 77.222.148.121
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16421
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;121.148.222.77.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
148.222.77.in-addr.arpa. 1799 IN SOA datagroup.com.ua. hostmaster.newline.net.ua. 2015120500 28800 7200 2419200 86400
;; Query time: 178 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: xxxxxxxxxxxxxxxxxxx
;; MSG SIZE rcvd: 131
barbaz wrote:
Please install HTTPFox and set it to monitor requests on browser startup, and post here any traffic not related to whatever pages you set to open on browser startup. (It will be easier if you temporarily set the browser to start up with only something local, such as about:mozilla; then you can just post the whole HTTPFox log.)
D7001 wrote:
Code:
00:00:01.463 2.622 123 182 GET 200 text/plain https://secure.informaction.com/ipecho/
00:00:03.463 0.433 448 743 POST 200 application/ocsp-response http://ocsp.int-x3.letsencrypt.org/
00:00:03.493 0.466 448 743 POST 200 application/ocsp-response http://ocsp.int-x3.letsencrypt.org/
00:00:04.086 94.704 100 0 GET (Error) NS_ERROR_ABORT http://91.***.***.***/
00:01:38.791 * 422/422 * GET * * https://forums.informaction.com/viewtopic.php?f=7&t=21819
barbaz wrote:
Code:
$ dig secure.informaction.com
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> secure.informaction.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28972
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;secure.informaction.com. IN A
;; ANSWER SECTION:
secure.informaction.com. 74736 IN A 69.195.158.197
secure.informaction.com. 74736 IN A 69.195.158.194
secure.informaction.com. 74736 IN A 69.195.158.198
secure.informaction.com. 74736 IN A 69.195.158.196
secure.informaction.com. 74736 IN A 69.195.158.195
;; Query time: 6 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: xxxxxxxxxxxxxxx
;; MSG SIZE rcvd: 121
Code:
$ dig ocsp.int-x3.letsencrypt.org
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61253
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org. IN A
;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 564 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 13409 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 5 IN A 23.217.138.120
a771.dscq.akamai.net. 5 IN A 23.217.138.72
;; Query time: 35 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: xxxxxxxxxxxxxxx
;; MSG SIZE rcvd: 174
What does your DNS lookup of those domains show? (Command Prompt, use nslookup as in this example:)
Code:
nslookup secure.informaction.com

D7001 wrote (replying to barbaz, "Yeah, same-looking reverse DNS lookup..."):
What does this mean?
D7001 wrote:
Code:
nslookup secure.informaction.com
Server: 127.0.1.1
Address: 127.0.1.1#53
Non-authoritative answer:
Name: secure.informaction.com
Address: 69.195.158.197
Name: secure.informaction.com
Address: 69.195.158.196
Name: secure.informaction.com
Address: 69.195.158.198
Name: secure.informaction.com
Address: 69.195.158.195
Name: secure.informaction.com
Address: 69.195.158.194

barbaz wrote (replying to D7001, "What does this mean?"):
It means basically that both those IPs likely belong to the same entity.
(What I don't understand is what NXDOMAIN status means in that context, when it's returning a domain...)

D7001 wrote:
Unknown entity. I cannot understand why NoScript makes connections with these IPs. I like NoScript, but it looks like spyware. What should I do?
barbaz wrote:
Great, your DNS lookup of secure.informaction.com is correct; now can you please repeat that for ocsp.int-x3.letsencrypt.org?
(And what are your actual DNS server(s)? You seem to be running some sort of DNS proxy...)
D7001 wrote:
Code:
nslookup ocsp.int-x3.letsencrypt.org
Server: 127.0.1.1
Address: 127.0.1.1#53
Non-authoritative answer:
ocsp.int-x3.letsencrypt.org canonical name = ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net canonical name = a771.dscq.akamai.net.
Name: a771.dscq.akamai.net
Address: 77.222.148.105
Name: a771.dscq.akamai.net
Address: 77.222.148.121
barbaz wrote:
So that answers the question "why does NoScript cause connections to those IPs": the OCSP server for secure.informaction.com / Let's Encrypt is hosted by Akamai, and that's what the DNS lookup of that Akamai domain is returning.
If there is anything malicious here, it's not on NoScript's side or even your browser's.
D7001 wrote:
I changed my DNS to Google DNS 8.8.8.8 and NoScript connects with IP 87.245.222.216.
Code:
00:00:01.500 2.596 123 182 GET 200 text/plain https://secure.informaction.com/ipecho/
00:00:03.658 0.380 448 743 POST 200 application/ocsp-response http://ocsp.int-x3.letsencrypt.org/
00:00:04.097 * 100/100 * GET * * http://91.*.*.*/
00:01:00.677 * 422/422 * GET * * https://forums.informaction.com/viewtopic.php?f=7&t=21819
00:01:00.984 0.721 446 7987 GET 200 text/html https://forums.informaction.com/viewtopic.php?f=7&t=21819
00:01:01.122 0.056 448 743 POST 200 application/ocsp-response http://ocsp.int-x3.letsencrypt.org/

D7001 wrote:
Update: I deleted NoScript but still have connections with 87.245.222.216 and 87.245.222.206 when I come to this forum.
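Added example (not from the thread, NoScript or HTTPFox): a small Python script that does what barbaz did by hand, correlating the hostnames in the request log with their CNAME chains and final addresses so an unfamiliar IP can be attributed to a logged request, or flagged as unexplained. The sample log lines and nslookup answers are constructed from the ones posted above; `log_hosts`, `parse_nslookup`, `cname_chain` and `explain_ip` are names chosen here.

```python
import re
# Constructed samples taken from the thread: HTTPFox-style request lines (time, duration,
# bytes sent, bytes received, method, status, content type, URL) and nslookup answers.
HTTPFOX_LOG = """\
00:00:01.500 2.596 123 182 GET 200 text/plain https://secure.informaction.com/ipecho/
00:00:03.658 0.380 448 743 POST 200 application/ocsp-response http://ocsp.int-x3.letsencrypt.org/
00:01:00.984 0.721 446 7987 GET 200 text/html https://forums.informaction.com/viewtopic.php?f=7&t=21819"""
NSLOOKUP_OUT = """\
ocsp.int-x3.letsencrypt.org canonical name = ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net canonical name = a771.dscq.akamai.net.
Name: a771.dscq.akamai.net
Address: 77.222.148.105
Name: a771.dscq.akamai.net
Address: 77.222.148.121
Name: secure.informaction.com
Address: 69.195.158.197"""
URL_HOST = re.compile(r"https?://([^/:\s]+)")
CNAME = re.compile(r"^(\S+?)\.?\s+canonical name = (\S+?)\.?$")
NAME = re.compile(r"^Name:\s+(\S+?)\.?$")
ADDR = re.compile(r"^Address:\s+(\S+)$")

def log_hosts(log):
    """Hostnames the browser contacted, deduplicated, in order of first appearance."""
    return list(dict.fromkeys(m.group(1) for m in map(URL_HOST.search, log.splitlines()) if m))

def parse_nslookup(text):
    """Return (cnames, addrs): alias -> target, and final name -> set of IPs."""
    cnames, addrs, current = {}, {}, None
    for line in text.splitlines():
        if m := CNAME.match(line):
            cnames[m.group(1)] = m.group(2)
        elif m := NAME.match(line):
            current = m.group(1)
        elif (m := ADDR.match(line)) and current:  # ignores the "Address: 127.0.1.1#53" server line
            addrs.setdefault(current, set()).add(m.group(1))
    return cnames, addrs

def cname_chain(host, cnames):
    """Follow CNAMEs from host to the final name; bounded so a CNAME loop cannot hang us."""
    chain = [host]
    while chain[-1] in cnames and len(chain) < 16:
        chain.append(cnames[chain[-1]])
    return chain

def explain_ip(ip, log=HTTPFOX_LOG, lookups=NSLOOKUP_OUT):
    """Logged hostnames whose CNAME chain ends at a name that resolved to ip.
    Empty means no logged request explains the address (different CDN edge, or not in the log)."""
    cnames, addrs = parse_nslookup(lookups)
    return [" -> ".join(c) for c in (cname_chain(h, cnames) for h in log_hosts(log))
            if ip in addrs.get(c[-1], set())]
```

An empty result for an address, like the 87.245.222.x edges seen after switching to 8.8.8.8, means either the lookup was run against a different resolver than the browser used (CDNs such as Akamai answer per resolver) or the request is not in the log; repeat the lookup with the browser's own resolver before drawing conclusions.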