Posted to dev@mynewt.apache.org by "David G. Simmons" <sa...@mac.com> on 2016/10/12 13:16:00 UTC

Odd connection by newt

Good morning,

I'm a bit of a security wonk about some things, so I watch what my machine is doing -- network wise -- pretty carefully. This morning, I was doing a brand-new newt install and came across something odd. 

For some reason, newt tries to make a connection to andyshora.com <http://andyshora.com/> on port 443. 
andyshora.com -> 151.101.32.133
   Server Name: ETHEREUMCLASIC.COM
   IP Address: 151.101.32.133
   Registrar: GOOGLE INC.
   Whois Server: whois.google.com
   Referral URL: http://domains.google.com


Why on earth would Newt be attempting this connection? If I deny the connection request, newt fails. 

dg
--
David G. Simmons
(919) 534-5099
Web <https://davidgs.com/> • Blog <https://davidgs.com/davidgs_blog> • Linkedin <http://linkedin.com/in/davidgsimmons> • Twitter <http://twitter.com/TechEvangelist1> • GitHub <http://github.com/davidgs>
/** Message digitally signed for security and authenticity.  
* If you cannot read the PGP.sig attachment, please go to 
 * http://www.gnupg.com/ <http://www.gnupg.com/> Secure your email!!!
 * Public key available at keyserver.pgp.com <http://keyserver.pgp.com/>
**/
♺ This email uses 100% recycled electrons. Don't blow it by printing!

There are only 2 hard things in computer science: Cache invalidation, naming things, and off-by-one errors.



Re: Odd connection by newt

Posted by Christopher Collins <cc...@apache.org>.
On Wed, Oct 12, 2016 at 12:36:45PM -0400, David G. Simmons wrote:
> Hi Chris,
> 
> I run a program called Little Snitch on my Mac that monitors all
> incoming and outgoing network activity. I have the screws tightened
> down pretty hard on it, so it always asks before it allows an incoming
> or outgoing connection from a program to a new address. 
> 
> But in the interim, I have figured it out ... I dug a little deeper,
> and found this:
> 
> DSimmons-Pro:client dsimmons$ dig raw.githubusercontent.com
> 
> ; <<>> DiG 9.8.3-P1 <<>> raw.githubusercontent.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37344
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;raw.githubusercontent.com.	IN	A
> 
> ;; ANSWER SECTION:
> raw.githubusercontent.com. 6	IN	CNAME	github.map.fastly.net.
> github.map.fastly.net.	687	IN	CNAME	prod.github.map.fastlylb.net.
> prod.github.map.fastlylb.net. 6	IN	A	151.101.32.133
> 
> So apparently github is using a shared-hosting or load-balancer that
> resolves to the same address as a bunch of other websites. Like
> andyshora.com <http://andyshora.com/> and deladdiogames.com
> <http://deladdiogames.com/> and probably others. 
> 
> I'm guessing that TCPDump doesn't attempt to resolve the host name for
> the IP address, but LittleSnitch does, and gets a (seemingly random)
> hostname back from the shared host/load balancer and therein lies the
> issue. 

Oh wow, that is interesting.  When I tried, I must have gotten "lucky,"
because github didn't use any unusual looking addresses.

Thanks for following up.

Chris

Re: Odd connection by newt

Posted by "David G. Simmons" <sa...@mac.com>.
Hi Chris,

I run a program called Little Snitch on my Mac that monitors all incoming and outgoing network activity. I have the screws tightened down pretty hard on it, so it always asks before it allows an incoming or outgoing connection from a program to a new address. 

But in the interim, I have figured it out ... I dug a little deeper, and found this:

DSimmons-Pro:client dsimmons$ dig raw.githubusercontent.com

; <<>> DiG 9.8.3-P1 <<>> raw.githubusercontent.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37344
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;raw.githubusercontent.com.	IN	A

;; ANSWER SECTION:
raw.githubusercontent.com. 6	IN	CNAME	github.map.fastly.net.
github.map.fastly.net.	687	IN	CNAME	prod.github.map.fastlylb.net.
prod.github.map.fastlylb.net. 6	IN	A	151.101.32.133

So apparently github is using a shared-hosting or load-balancer that resolves to the same address as a bunch of other websites. Like andyshora.com <http://andyshora.com/> and deladdiogames.com <http://deladdiogames.com/> and probably others. 

I'm guessing that TCPDump doesn't attempt to resolve the host name for the IP address, but LittleSnitch does, and gets a (seemingly random) hostname back from the shared host/load balancer and therein lies the issue. 

dg

> On Oct 12, 2016, at 12:25 PM, Christopher Collins <cc...@apache.org> wrote:
> 
> On Wed, Oct 12, 2016 at 09:16:00AM -0400, David G. Simmons wrote:
>> Good morning,
>> 
>> I'm a bit of a security wonk about some things, so I watch what my machine is doing -- network wise -- pretty carefully. This morning, I was doing a brand-new newt install and came across something odd. 
>> 
>> For some reason, newt tries to make a connection to andyshora.com <http://andyshora.com/> on port 443. 
>> andyshora.com -> 151.101.32.133
>>   Server Name: ETHEREUMCLASIC.COM
>>   IP Address: 151.101.32.133
>>   Registrar: GOOGLE INC.
>>   Whois Server: whois.google.com
>>   Referral URL: http://domains.google.com
>> 
>> 
>> Why on earth would Newt be attempting this connection? If I deny the connection request, newt fails. 
> 
> I don't see that same behavior.  While running tcpdump, I executed the
> following commands (latest develop branch of newt):
> 
>    newt new myproj3
>    cd myproj3
>    newt install
> 
> The only peer I see newt connecting to is github (a variety of IP
> addresses).
> 
> Which branch of newt are you using?  Also, out of curiosity, how did you
> determine that it is newt that tries to connect to that domain?
> 
> Thanks,
> Chris

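The resolution chain David shows above, turned into an offline check (an added example, not code from this thread or from the Mynewt project): the forward records copy the dig answer, while the reverse entry and the two extra A records are constructed stand-ins. Forward-resolving the hosts a tool is expected to contact is what explains the observed IP; the reverse name a monitor displays for a shared CDN address cannot.

```python
from typing import Dict, List, Optional, Tuple

# Constructed forward records: name -> (type, target). The CNAME chain
# reproduces the dig output in the thread; the last two entries are made up.
FORWARD: Dict[str, Tuple[str, str]] = {
    "raw.githubusercontent.com.": ("CNAME", "github.map.fastly.net."),
    "github.map.fastly.net.": ("CNAME", "prod.github.map.fastlylb.net."),
    "prod.github.map.fastlylb.net.": ("A", "151.101.32.133"),
    "andyshora.com.": ("A", "151.101.32.133"),       # constructed
    "deladdiogames.com.": ("A", "151.101.32.133"),   # constructed
}

# Constructed reverse (PTR-style) answer: a shared CDN edge address maps
# back to only one of the many names hosted on it.
REVERSE: Dict[str, str] = {"151.101.32.133": "andyshora.com."}


def resolve_a(name: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs until an A record is reached; None if unresolvable."""
    name = name if name.endswith(".") else name + "."
    for _ in range(max_hops):  # bounded walk so a CNAME loop cannot hang us
        rec = FORWARD.get(name)
        if rec is None:
            return None
        rtype, target = rec
        if rtype == "A":
            return target
        name = target
    return None


def explain_connection(ip: str, expected_hosts: List[str]) -> dict:
    """Classify an observed outbound IP.

    reverse_name is what a monitor like Little Snitch would display;
    matched_expected lists the allowed hosts whose forward resolution
    actually lands on this IP, which is the check that matters.
    """
    matched = [h for h in expected_hosts if resolve_a(h) == ip]
    return {
        "ip": ip,
        "reverse_name": REVERSE.get(ip),
        "matched_expected": matched,
        "explained": bool(matched),
    }


if __name__ == "__main__":
    print(explain_connection("151.101.32.133", ["raw.githubusercontent.com"]))
```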



Re: Odd connection by newt

Posted by Christopher Collins <cc...@apache.org>.
On Wed, Oct 12, 2016 at 09:16:00AM -0400, David G. Simmons wrote:
> Good morning,
> 
> I'm a bit of a security wonk about some things, so I watch what my machine is doing -- network wise -- pretty carefully. This morning, I was doing a brand-new newt install and came across something odd. 
> 
> For some reason, newt tries to make a connection to andyshora.com <http://andyshora.com/> on port 443. 
> andyshora.com -> 151.101.32.133
>    Server Name: ETHEREUMCLASIC.COM
>    IP Address: 151.101.32.133
>    Registrar: GOOGLE INC.
>    Whois Server: whois.google.com
>    Referral URL: http://domains.google.com
> 
> 
> Why on earth would Newt be attempting this connection? If I deny the connection request, newt fails. 

I don't see that same behavior.  While running tcpdump, I executed the
following commands (latest develop branch of newt):

    newt new myproj3
    cd myproj3
    newt install

The only peer I see newt connecting to is github (a variety of IP
addresses).

Which branch of newt are you using?  Also, out of curiosity, how did you
determine that it is newt that tries to connect to that domain?

Thanks,
Chris