Waterfox keeps sending packets to a weird IP

Any chance you could capture the packet and see what data it contains?

On Sat, 30 Dec 2017 at 13:30, memorable111 notifications@github.com wrote:

https://i.imgur.com/0vStPeK.png
I was using version 55 and waterfox kept sending packets to this IP (in
blue, look at the image) Exactly every 25 minutes

this exclusively happens to me, and i know for sure that this ip
(41.xx.xx.xx) is totally unrelated to waterfox

so as soon as i purged my waterfox data and updated to current version 56,
it actually started pinging that IP every 2 minutes
i tested with other browsers (firefox, palemoon) and only waterfox does
this.

I'm currently blocking it with peerblock, but just what the hell causes
this?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/MrAlex94/Waterfox/issues/341, or mute the thread
https://github.com/notifications/unsubscribe-auth/AEgoWLzxo1Q8-pWFcECp-3bNrH6qhmSMks5tFjr7gaJpZM4RPmW7
.

Alright, hold on

https://www.sendspace.com/file/ncy9r7
here's the capture
@MrAlex94

Cheers! Will have a look.

Any add-ons you use that might be connecting to the addresses?

On Sat, 30 Dec 2017 at 13:56, memorable111 notifications@github.com wrote:

https://www.sendspace.com/file/ncy9r7
here's the capture

—
You are receiving this because you commented.

Reply to this email directly, view it on GitHub
https://github.com/MrAlex94/Waterfox/issues/341#issuecomment-354547510,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AEgoWGuWlsJRdIQEnnOLwv_hGie1KMG-ks5tFkEcgaJpZM4RPmW7
.

@MrAlex94
None, like i said earlier, even a clean version of 56 (no addons, no changed config) still connects.

thanks for the help

The IP address's point to Tunisie Telecom in Africa, if this is not your location then your system could potentially infected with something, did Waterfox import any profile data from Firefox ?

… (41.xx.xx.xx) is totally unrelated to waterfox …

From the .cap file:

$  tshark -r Waterfox\ capture.cap | grep -C 2 41.2
    1 0.000000000  192.168.1.5 → 192.168.1.1  DNS 84 Standard query 0x7a6c A detectportal.firefox.com
    2 0.035557700  192.168.1.1 → 192.168.1.5  DNS 197 Standard query response 0x7a6c A detectportal.firefox.com CNAME detectportal.firefox.com.edgesuite.net CNAME a1089.d.akamai.net A 41.231.245.131 A 41.231.245.130
    3 0.108990500  192.168.1.5 → 41.231.245.131 TCP 66 50491 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
    4 0.139156500 41.231.245.131 → 192.168.1.5  TCP 66 80 → 50491 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1400 SACK_PERM=1 WS=32
    5 0.139231300  192.168.1.5 → 41.231.245.131 TCP 54 50491 → 80 [ACK] Seq=1 Ack=1 Win=65800 Len=0
    6 0.139368300  192.168.1.5 → 41.231.245.131 HTTP 369 GET /success.txt HTTP/1.1 
    7 0.139844000  192.168.1.5 → 192.168.1.1  DNS 78 Standard query 0x62df A a1089.d.akamai.net
    8 0.144486900  192.168.1.1 → 192.168.1.5  DNS 110 Standard query response 0x62df A a1089.d.akamai.net A 41.231.245.130 A 41.231.245.131
    9 0.172381100 41.231.245.131 → 192.168.1.5  TCP 60 80 → 50491 [ACK] Seq=1 Ack=316 Win=30272 Len=0
   10 0.174107300 41.231.245.131 → 192.168.1.5  HTTP 438 HTTP/1.1 200 OK  (text/plain)
   11 0.426397500 41.231.245.131 → 192.168.1.5  TCP 438 [TCP Retransmission] 80 → 50491 [PSH, ACK] Seq=1 Ack=316 Win=30272 Len=384
   12 0.426433700  192.168.1.5 → 41.231.245.131 TCP 66 50491 → 80 [ACK] Seq=316 Ack=385 Win=65416 Len=0 SLE=1 SRE=385
   13 5.032404600 Sagemcom_33:91:12 → Dell_e9:42:1d ARP 60 Who has 192.168.1.5? Tell 192.168.1.1
   14 5.032429900 Dell_e9:42:1d → Sagemcom_33:91:12 ARP 42 192.168.1.5 is at 14:fe:b5:e9:42:1d
   15 10.184277300  192.168.1.5 → 41.231.245.131 TCP 55 [TCP Keep-Alive] 50491 → 80 [ACK] Seq=315 Ack=385 Win=65416 Len=1
   16 10.212330200 41.231.245.131 → 192.168.1.5  TCP 66 [TCP Keep-Alive ACK] 80 → 50491 [ACK] Seq=385 Ack=316 Win=30272 Len=0 SLE=315 SRE=316
   17 20.215135300  192.168.1.5 → 41.231.245.131 TCP 55 [TCP Keep-Alive] 50491 → 80 [ACK] Seq=315 Ack=385 Win=65416 Len=1
   18 20.243504800 41.231.245.131 → 192.168.1.5  TCP 66 [TCP Keep-Alive ACK] 80 → 50491 [ACK] Seq=385 Ack=316 Win=30272 Len=0 SLE=315 SRE=316
   19 30.245947500  192.168.1.5 → 41.231.245.131 TCP 55 [TCP Keep-Alive] 50491 → 80 [ACK] Seq=315 Ack=385 Win=65416 Len=1
   20 30.274865600 41.231.245.131 → 192.168.1.5  TCP 66 [TCP Keep-Alive ACK] 80 → 50491 [ACK] Seq=385 Ack=316 Win=30272 Len=0 SLE=315 SRE=316
   21 34.879074600 Dell_e9:42:1d → Sagemcom_33:91:12 ARP 42 Who has 192.168.1.1? Tell 192.168.1.5
   22 34.879435500 Sagemcom_33:91:12 → Dell_e9:42:1d ARP 60 192.168.1.1 is at e8:be:81:33:91:12
--
   24 37.207111700 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   25 38.207105300 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   26 40.292376900  192.168.1.5 → 41.231.245.131 TCP 55 [TCP Keep-Alive] 50491 → 80 [ACK] Seq=315 Ack=385 Win=65416 Len=1
   27 40.321915700 41.231.245.131 → 192.168.1.5  TCP 66 [TCP Keep-Alive ACK] 80 → 50491 [ACK] Seq=385 Ack=316 Win=30272 Len=0 SLE=315 SRE=316
   28 41.635507400 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   29 42.632063600 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
--
   34 48.052156600 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   35 49.052160700 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   36 50.323196500  192.168.1.5 → 41.231.245.131 TCP 55 [TCP Keep-Alive] 50491 → 80 [ACK] Seq=315 Ack=385 Win=65416 Len=1
   37 50.352964700 41.231.245.131 → 192.168.1.5  TCP 66 [TCP Keep-Alive ACK] 80 → 50491 [ACK] Seq=385 Ack=316 Win=30272 Len=0 SLE=315 SRE=316
   38 51.575498500 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   39 52.572101900 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
--
   45 58.687202800 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   46 59.687268900 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   47 59.925146500  192.168.1.5 → 41.231.245.131 HTTP 369 GET /success.txt HTTP/1.1 
   48 59.956851100 41.231.245.131 → 192.168.1.5  TCP 60 80 → 50491 [ACK] Seq=385 Ack=631 Win=31360 Len=0
   49 59.958839400 41.231.245.131 → 192.168.1.5  HTTP 438 HTTP/1.1 200 OK  (text/plain)
   50 60.166804800  192.168.1.5 → 41.231.245.131 TCP 54 50491 → 80 [ACK] Seq=631 Ack=769 Win=65032 Len=0
   51 60.796515700 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   52 61.792160900 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
--
   59 68.902376300 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   60 69.961718100 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   61 69.963658600  192.168.1.5 → 41.231.245.131 TCP 55 [TCP Keep-Alive] 50491 → 80 [ACK] Seq=630 Ack=769 Win=65032 Len=1
   62 69.992383900 41.231.245.131 → 192.168.1.5  TCP 66 [TCP Keep-Alive ACK] 80 → 50491 [ACK] Seq=769 Ack=631 Win=31360 Len=0 SLE=630 SRE=631
   63 70.957220500 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   64 71.957225000 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
--
   77 79.131112900 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
   78 79.308085600  192.168.1.5 → 192.168.1.255 NBNS 92 Name query NB COMPOOTER<1c>
   79 79.994426900  192.168.1.5 → 41.231.245.131 TCP 55 [TCP Keep-Alive] 50491 → 80 [ACK] Seq=630 Ack=769 Win=65032 Len=1
   80 80.023504400 41.231.245.131 → 192.168.1.5  TCP 66 [TCP Keep-Alive ACK] 80 → 50491 [ACK] Seq=769 Ack=631 Win=31360 Len=0 SLE=630 SRE=631
   81 80.072465400  192.168.1.5 → 192.168.1.255 NBNS 92 Name query NB COMPOOTER<1c>
   82 80.127201800 Sagemcom_33:91:12 → Broadcast    ARP 60 Who has 192.168.1.4? Tell 192.168.1.1
$ 

Attention to the first two lines …

detectportal.firefox.com

From Firefox — Notes (52.0) — Mozilla:

Added automatic captive portal detection, for easier access to Wi-Fi hotspots. When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab.

From https://webmasters.stackexchange.com/q/104628/18125:

… XHR requests to http://detectportal.firefox.com/success.txt which is a text/plain resource whose body contains the text success. …

… used by Firefox when detecting whether it is using a captive portal. …

Related

Privacy Settings

Add option for captive portal detection · Issue #81 · schomery/privacy-settings

@grahamperrin Thank you, so helpful!

For future search purposes, from https://redd.it/dmu2mv:

104.123.50.88

Google finds an association with detectportal.firefox.com at three pages, each of which I captured in the Wayback Machine:

1. Detectportal.firefox.com Safe? Check it Now | URLVoid (captured) – 36 records, no blacklisting
2. https://any.run/report/5f8b03b0322a014ceed47118372db82630aa954381a06717423d11d899bf5d41/0d244b5c-bb6c-44c7-94b4-262961dde9a4 (captured) – whitelisted
3. https://any.run/report/3d361a2a75b6463788c9929fc210bcf532a5c1adac4ece497e0466d742157c0c/773a83c0-2bdc-4fc2-a36f-20e481228a6f (captured) – whitelisted

Linked from the first:

• Find Websites Hosted in 104.123.50.88 | URLVoid (captured)

According to that page, around four sites, none of which is blacklisted:

• detectportal.firefox.com
• img.phone.baidu.com
• cdn-localization.covethome.com
• a1293.dspd.akamai.net