Topic: How to prove which Firefox add-on is trying to access 128.127.110.10?
IainB
« on: July 06, 2012, 05:19:30 AM »

For some time now, my Malwarebytes has kept announcing that it has blocked an attempt to access 128.127.110.10 - which is in MWB's blacklist. I checked, and it seems to be an IP address in Denmark. The certainty of this location may be in some doubt, as, when I googled it, various diverse and misleading results popped up in the search.

The MWB announcement occurred every time I started up Firefox. I therefore concluded that a FF Add-on was probably making the outgoing call - i.e., rather than FF itself.
I was going to post a query in DCF today to ask for help but have luckily discovered, by a process of elimination, that it is the FF add-on Google Reverse Image Search that is apparently making the calls.

The call to that IP address occurs every time FF is started up, without fail.
Disabling/removing the add-on causes the calls to not occur when FF is started up (all other features of FF remaining the same).

I had previously searched for that IP address string inside the files in the directory for FF and for its add-ons, but did not come up with any hits.

I would be interested if anyone has any ideas as to how you could identify/prove the source of such an outgoing call from an add-on, other than the hit-or-miss process of elimination that I employed.
Curt
« Reply #1 on: July 06, 2012, 07:34:41 AM »

The various security-related programs that I have can merely tell me that it came from Firefox, not which add-on.
Carol Haynes
« Reply #2 on: July 06, 2012, 07:48:39 AM »

Simple - disable 50% of your addons and see if it goes away - and continue by salami tactics until you find the offending addon!

Should be able to get it in a few tries.

Don't know any other way to do it.

4wd
« Reply #3 on: July 06, 2012, 07:49:22 AM »

Probably the most efficient way to narrow it down is just using a good old-fashioned binary chop search on your add-ons. e.g. For my 25 add-ons it would have taken a maximum of 5 Firefox restarts to find the offending add-on.

Worst cases:
Disable 13
Disable 6
Disable 3
Disable 1 - at this point you've found it, or
Disable 1 - it's this one or the one still enabled.

Disable 13
Enable 7 + Disable other 12
Disable 3
Disable 2
Disable 1 - this one or the one still enabled.

EDIT: Carol beat me :)
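The "salami" / binary chop that Carol and 4wd describe, written out as a small Python routine. This is an added example, not code from the thread; the `symptom_with` callback stands in for "restart Firefox with exactly this set of add-ons enabled and see whether the Malwarebytes alert fires", and the add-on names in the demo are made up. It adds two restarts the posts only imply: a control run with every add-on disabled first (if the alert still fires, no add-on is responsible and bisecting is pointless, which is the case a later reply in the thread warns about), and a final run with the suspect alone, which catches the case where the call only happens with a combination of add-ons. `worst_case_restarts` gives the resulting bound: for 25 add-ons, 5 chop restarts plus the two checks.

```python
"""Binary chop over a set of browser add-ons to find which one causes a
symptom (here: an outgoing connection that the anti-malware tool blocks
every time Firefox starts).

Added example; not code from the thread. `symptom_with` stands in for
"restart Firefox with exactly this set of add-ons enabled and check
whether the alert fires". The add-on names in the demo are made up.
"""
from math import ceil, log2


def find_culprit(addons, symptom_with):
    """Return (verdict, restarts).

    verdict is the single add-on whose presence alone reproduces the
    symptom, or None when either (1) the symptom appears with every
    add-on disabled, so it is not an add-on at all, or (2) the chop
    narrows to one add-on but that add-on alone does not reproduce it,
    i.e. the symptom needs a combination of add-ons (or something else
    that happened to be present at the time).
    """
    restarts = 0

    def restart(enabled):
        nonlocal restarts
        restarts += 1
        return bool(symptom_with(frozenset(enabled)))

    # 1. Control run: everything disabled. If the alert still fires,
    #    bisecting the add-ons cannot tell you anything.
    if restart(()):
        return None, restarts

    # 2. Chop: keep only the half that still shows the symptom. Each
    #    restart halves the candidate set, so at most ceil(log2(N)) runs.
    candidates = list(addons)
    while len(candidates) > 1:
        first_half = candidates[: len(candidates) // 2]
        if restart(first_half):
            candidates = first_half
        else:
            # Symptom absent with only first_half enabled, so it lives in
            # the other half. Valid only if a single add-on is the cause,
            # which step 3 checks.
            candidates = candidates[len(first_half):]

    if not candidates:
        return None, restarts

    # 3. Confirmation run: the suspect alone, nothing else enabled.
    suspect = candidates[0]
    if restart([suspect]):
        return suspect, restarts
    return None, restarts


def worst_case_restarts(n_addons):
    """Upper bound on restarts for n add-ons: control + chop + confirm."""
    return 2 + (ceil(log2(n_addons)) if n_addons > 1 else 0)


if __name__ == "__main__":
    # Constructed demo: 25 add-ons, the 20th one is the (pretend) culprit.
    demo_addons = [f"addon-{i:02d}" for i in range(1, 26)]
    culprit = "addon-20"
    verdict, n = find_culprit(demo_addons, lambda enabled: culprit in enabled)
    print(f"suspect: {verdict} after {n} restarts "
          f"(bound {worst_case_restarts(len(demo_addons))})")
```

In practice the callback is you restarting Firefox with the add-ons toggled in the Add-ons Manager and reading the Malwarebytes log; the routine just tells you which subset to enable next and keeps the count honest.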
IainB
« Reply #4 on: July 06, 2012, 08:13:01 AM »

Simple - disable 50% of your addons and see if it goes away
Yes, that's exactly what I did - that's what I mean by "a process of elimination".
I felt sure there could be a more techie approach though!
IainB
« Reply #5 on: July 06, 2012, 08:18:59 AM »

Presumably the outgoing call was up to no good - 128.127.110.10 is on the MWB blacklist, for example, and when you google it, it is not a good look.
If that is true, then it raises concerns about what sort of trojans etc. developers might be building into their add-ons.
Made me even more cautious anyway.
IainB
« Reply #6 on: July 06, 2012, 08:23:20 AM »

Maybe what we need is a security auditing add-on to audit the installed add-ons...
40hz
« Reply #7 on: July 06, 2012, 08:43:07 AM »

Maybe what we need is a security auditing add-on to audit the installed add-ons...

It would be too easy to get around. As it stands, the binary "salami chop" (love that!) method suggested by Carol and 4wd is still your best bet. Don't be surprised if it turns out not to be caused by an add-on however. I've seen some incredibly subtle and clever bugs that install in drive-by fashion if you so much as land on the wrong website. A few of them even got by fully updated antimalware products and weren't caught by them until much later. It's a jungle out there.

FWIW there used to be an old MacOS (not OSX) app called Conflict Catcher that diagnosed startup extension problems by doing the exact same thing Carol suggested, albeit in a semi-automated fashion. It would disable half your extensions and then reboot and ask if everything looked ok. It would then repeat the process in binary tree fashion until it found the culprit. It was an extremely useful and popular (i.e. widely bootlegged) app. Almost every Mac I ever saw had a copy installed.

Carol Haynes
« Reply #8 on: July 06, 2012, 08:46:20 AM »

Not sure about MWB web blocking - I get constant pops whenever I use a torrent client and have to disable the scanner. Seems more a nuisance than a help - just ramps up the paranoia!
Curt
« Reply #9 on: July 06, 2012, 09:52:41 AM »

128.127.110.10 seems to be an IP address in Denmark.

Servers in Netherlands and United Kingdom (Isle Of Man), office in Sweden
- but not Denmark.

Quote
inetnum:         128.127.110.0 - 128.127.111.255
netname:         AS51430-NL
descr:           AltusHost Inc.
remarks:         AW-INFRA
country:         NL
admin-c:         AHN-RIPE
tech-c:          AHN-RIPE
status:          ASSIGNED PA
mnt-by:          ALTUSHOST-MNT
mnt-by:          ALTUSHOST-MNT
mnt-lower:       ALTUSHOST-MNT
mnt-routes:      ALTUSHOST-MNT
source:          RIPE # Filtered

role:            AltusHost - Contact Role
address:         ALTUSHOST INC.
address:         Artillerigatan 6
address:         SE-114 51 Stockholm
address:         Sweden
phone:           +46.852506060
fax-no:          +46.844680015
abuse-mailbox:   Search for this email address
Curt
« Reply #10 on: July 07, 2012, 07:57:03 AM »

@IainB - I don't know why your version didn't work properly, but GRIS was updated the day before yesterday and works perfectly. And it doesn't do anything out of order.

https://addons.mozilla.or...gle-reverse-image-search/


Notice who the author is: Baris Derin (Readability, etcetera) http://barisderin.com
J-Mac
« Reply #11 on: July 07, 2012, 08:39:36 AM »

I'd say that you are infected. Take a look at  http://www.scumware.org/report/128.127.110.10

Might want to run a few online scans, like Eset's and Kaspersky's. It appears that a lot of malware sites are based at that same server/host.

Jim
PhilB66
« Reply #12 on: July 07, 2012, 09:16:04 AM »

Quote
1tvlive.in Server Details
 
IP address: 128.127.110.10
 
Server Location: Netherlands
 
ISP: Altushost

1tvlive.in  Whois

Registrar: Net4India (R7-AFIN)
 
Registrant: 
NET4INDIA NET4INDIA
D-25,Sec-3
Noida, Ut 201301
IN
Telephone: +91.1204323500
Fax: +91.120432350
Email: email@net4.in

Administrative Contact:
NET4INDIA NET4INDIA
D-25,Sec-3
Noida, Ut 201301
IN
Telephone: +91.1204323500
Fax: +91.120432350
Email: email@net4.in

Technical Contact:
NET4INDIA NET4INDIA
D-25,Sec-3
Noida, Ut 201301
IN
Telephone: +91.1204323500
Fax: +91.120432350
Email: email@net4.in

Nameservers:
NS21.ALTUSHOST.COM
NS22.ALTUSHOST.COM

Scan result: clean
http://www.urlvoid.com/scan/1tvlive.in/
PhilB66
« Reply #13 on: July 07, 2012, 09:18:51 AM »

The site had issues before but seems clean now:

http://support.clean-mx.d...in&sort=netname%20ASC
tslim
« Reply #14 on: July 07, 2012, 11:04:03 AM »

I would be interested if anyone has any ideas as to how you could identify/prove the source of such an outgoing call from an add-on, other than the hit-or-miss process of elimination that I employed.

Knowing exactly who the sender is, and thus being able to block outgoing traffic, is supposed to be the job of a firewall -- a software firewall like Outpost Pro. This is the major reason I do not use a hardware firewall (generally speaking, one that is built into a modem or network switch), which is hopeless at filtering outgoing traffic.

If you use Outpost, just disable the Windows DNS Client service and that will force all outgoing traffic to use Outpost's service for DNS requests. You can then tell exactly "what program" is trying to call home... It is the "Should I allow?" or "Should I block?" game that I often play with the Outpost firewall.

Try it and you will like it.
IainB
« Reply #15 on: July 07, 2012, 07:01:36 PM »

Many thanks to you for all the helpful suggestions above. What a "Brains trust"!
Situation so far:
  • My Malwarebytes repeatedly announced, every time FF started up, that it had blocked an attempt by FF (the Firefox process) to access 128.127.110.10 - which is in MWB's blacklist. This alert/block was logged by MWB.
  • On googling, that IP address seems to come up with various mentions as an undesirable source of malware.
  • That IP address is apparently located (per whois, etc.) on a server in the Netherlands, and is registered to an India-based agent.
  • Removing the FF Add-on GRIS (Google Reverse Image Search) caused the MWB alert to not repeat. (No other changes were made.)

Conclusions and implications at this stage:
  • Therefore, by deduction, the GRIS (Google Reverse Image Search) add-on to Firefox was somehow making/enabling the call to access 128.127.110.10
  • We have not identified a forensic IT method of otherwise proving whether this add-on was making the call, nor (by extension) how it might be doing so.
  • The GRIS add-on either contained or enabled malware functionality.
  • Firefox add-ons as a whole cannot be trusted/guaranteed to not contain either malware or malware-enabling functionality.
  • MWB is successful at blocking running processes from accessing IP addresses in its blocklist database.
  • MWB or similar provide a useful/necessary additional layer of security if the user wishes to overcome some of the potential lack of trust/insecurity of a FF process with malware or malware-enabling add-ons.
  • Since the usefulness of FF is for many users dependent on its large library of add-ons, it is safest to suppose that FF is always likely to be a potential security risk.

I find this quite surprising, really. Have I made a mistake somewhere?
« Last Edit: July 07, 2012, 07:09:08 PM by IainB »
4wd
« Reply #16 on: July 07, 2012, 10:36:16 PM »

I find this quite surprising, really. Have I made a mistake somewhere?

  • You have failed to prove whether it is repeatable (i.e. you didn't re-install the add-on to verify, or you haven't said), and;
  • You haven't installed the add-on into a new installation of Firefox (preferably on a base Windows install) to prove whether it happens in conjunction with something else or not.

Reason for the last point: the conditions that are present for the phenomenon to occur could still be present, awaiting a specific confluence of events that will make it manifest itself again (i.e. maybe the addition of another add-on, another process running, etc).

That's just the technician in me coming out, the need to definitely pin it down.

BTW, I looked through the GRIS javascript, (and the other files), and couldn't see anything other than barisderin.com, (and Google naturally), as a destination point.
Are you running any other add-ons that might perform an IP redirection, (like the MAFIAAFire add-on does) ?
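One thing the thread leaves unexplained is why the first post's search of the add-on files for the IP string came up empty while 4wd still found barisderin.com in the GRIS JavaScript: an add-on normally embeds a hostname, not an IP, and DNS (or a redirect) turns that hostname into whatever address the anti-malware tool then blocks, so grepping for the IP literal proves nothing either way. The scanner below is an added example, not code from the thread and not the GRIS add-on. It reads an XPI (which is just a zip) without installing it and lists the URL, hostname and IPv4 literals found in its text members, then collapses them to the set of destinations the add-on could contact. The XPI it builds is a constructed dummy whose host, `updates.example.net`, is made up; the `xmlns` URLs from `install.rdf` show up as expected noise. The limit is also visible in the code: URLs assembled at runtime or fetched from a remote config never appear in a static scan, which is why the bisection and per-process firewall approaches above remain the way to confirm.

```python
"""Static scan of a Firefox XPI for network destinations.

Added example; not code from the thread and not the GRIS add-on. An XPI
is a zip, so the scripts inside can be read without installing it. The
XPI built by build_sample_xpi() is a constructed dummy and
'updates.example.net' is a made-up host. The point it demonstrates: an
add-on usually carries a hostname, not an IP, so searching its files for
the blocked IP literal finds nothing even when the add-on is the caller.
"""
import io
import re
import zipfile
from urllib.parse import urlsplit

# Members worth reading as text; binaries and images are skipped.
TEXT_EXTS = (".js", ".jsm", ".json", ".xul", ".rdf", ".xml", ".html", ".manifest")
# Bare quoted strings that look like hostnames also match file names such
# as "overlay.js"; drop those whose last label is a file extension.
FILE_EXTS = {"js", "jsm", "json", "xul", "rdf", "xml", "html", "css", "png",
             "dtd", "properties", "manifest"}

URL_RE = re.compile(r"""(?:https?|wss?|ftp)://[^\s"'<>)]+""")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
HOST_RE = re.compile(r"""["']((?:[a-z0-9-]+\.)+[a-z]{2,})["']""", re.I)

SAMPLE_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>dummy-addon@example.net</em:id>
    <em:version>0.1</em:version>
  </Description>
</RDF>
"""

SAMPLE_JS = """// constructed dummy overlay script (not a real add-on)
var CHECK_URL = "https://updates.example.net/check?v=0.1";
var req = new XMLHttpRequest();
req.open("GET", CHECK_URL, true);   // runs when the overlay loads, i.e. at browser start
req.send(null);
"""


def build_sample_xpi():
    """Build a two-member XPI in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", SAMPLE_RDF)
        z.writestr("chrome/content/overlay.js", SAMPLE_JS)
    return buf.getvalue()


def grep_literal(xpi_bytes, needle):
    """Members whose raw bytes contain `needle` (what a plain file search does)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return [i.filename for i in z.infolist()
                if not i.is_dir() and needle.encode() in z.read(i)]


def scan_xpi(xpi_bytes):
    """Return {"url"|"ipv4"|"host": {literal: [member, ...]}}."""
    found = {"url": {}, "ipv4": {}, "host": {}}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_EXTS):
                continue
            text = z.read(info).decode("utf-8", errors="replace")
            for kind, rx in (("url", URL_RE), ("ipv4", IPV4_RE), ("host", HOST_RE)):
                for m in rx.finditer(text):
                    literal = m.group(1) if rx.groups else m.group(0)
                    found[kind].setdefault(literal, []).append(info.filename)
    return found


def destinations(found):
    """Collapse a scan to the sorted set of hosts/IPs the add-on may contact."""
    dests = set()
    for url in found["url"]:
        host = urlsplit(url).hostname
        if host:
            dests.add(host)
    dests.update(found["ipv4"])
    dests.update(h.lower() for h in found["host"]
                 if h.rsplit(".", 1)[-1].lower() not in FILE_EXTS)
    return sorted(dests)


if __name__ == "__main__":
    xpi = build_sample_xpi()
    print("members containing the IP literal:", grep_literal(xpi, "128.127.110.10"))
    print("destinations from text members:", destinations(scan_xpi(xpi)))
```

Against a real XPI, read it from disk with `open(path, "rb").read()` and resolve each reported hostname separately (on a machine you do not mind exposing) to see whether any of them maps to the blocked address; an empty `grep_literal` result for the IP, as in the first post, is consistent with the add-on being the caller.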
IainB
« Reply #17 on: July 07, 2012, 11:21:01 PM »

...
  • You have failed to prove whether it is repeatable (i.e. you didn't re-install the add-on to verify, or you haven't said), and;
  • You haven't installed the add-on into a new installation of Firefox (preferably on a base Windows install) to prove whether it happens in conjunction with something else or not.
...
BTW, I looked through the GRIS javascript, (and the other files), and couldn't see anything other than barisderin.com, (and Google naturally), as a destination point.
Are you running any other add-ons that might perform an IP redirection, (like the MAFIAAFire add-on does) ?
Yes, you are quite right, of course.
I did consider pinning it down as you say, but decided against it - as I didn't really want to invest any more of my cognitive surplus in the thing by proving repeatability on the current or a new platform. I had spent enough time fiddling about over it already. I was just glad to be shot of it actually. I'm not intending to be a β-tester or virus-hunter on this.
I too looked through the javascript and the other files, and could not identify anything amiss (could have missed something though).

The thing that surprised me was the conclusion that FF could actually be a big risk - in a corporate environment, never mind as a personal browser.
I had a degree of trust in FF and that trust was rather shattered.

I am using MAFIAAFire redirection, yes, but there's no more calls happening to IP 128...
4wd
« Reply #18 on: July 08, 2012, 12:01:55 AM »

The thing that surprised me was the conclusion that FF could actually be a big risk - in a corporate environment, never mind as a personal browser.

It's always been the case - unless every add-on for a browser, (any browser), is subject to analysis before release then I guess it's going to be always that way.

And that's why we have so many anti-virus, anti-malware, anti-everything software :)