
Outgoing requests on live PureOS ISO boot?
Open, Needs Triage, Public

Description

From a user:

Hi Mladen,
I have a diskless PC with no hard drive. I run PureOS from CD. That PC is connected to a 4G router and is behind a RATtrap firewall. During booting of all three devices the RATtrap firewall blocks an outgoing attempt on port 80 to an IP address in Serbia (Belgrade). The IP is 5.22.191.144. I am not so sure that there is no virus or hacking attempt against PureOS. What would be your opinion about this?

Mladen:

I need more info, what 3 devices? Did you connect more than one device to the same network?

User:

There is only one PC on the network. Let me explain. The PC is connected with an ethernet cable to the RATtrap firewall, which is then connected to the ethernet port on the 4G router with a 4G USB modem.
During booting I meant this: I switched on the 4G router, the RATtrap firewall starts to inspect what traffic goes through it (green and blue lights start to flash) and while something is blocked the red light starts to flash. The RATtrap firewall is in high protection mode.

Mladen:

So it catches that IP only when you start your computer with PureOS? Can you try with a different live GNU/Linux please (like Linux Mint)?

User:

I tried several live Linux distributions but not Linux Mint. I even tried the TENS military public live ISO but I did not encounter that IP address from that country. Yes, that IP was caught during booting of PureOS. I always check the attacker IP address on an IP address lookup website to get more info. That is all I can say.


Worth investigating.

Event Timeline

mladen created this task.Feb 24 2019, 12:08
mladen created this object with visibility "Restricted Project (Project)".
mladen created this object with edit policy "Restricted Project (Project)".

Yes, PureOS is a general purpose operating system; it is possible to install things on it that attempt to contact a certain IP number every time it boots.

Not sure what the user expects us to do here.

If it is a _pristine_ live install image, then it is a very different matter.

mladen added a comment.Feb 24 2019, 12:45

@jonas.smedegaard Yes, user starts PureOS live from a CD (they do not have disks in their computer), and this happens during bootup, before they even start desktop. (IIUC)

chris.lamb renamed this task from Outgoing hacker attempt from live PureOS ISO to Outgoing requests on live PureOS ISO boot?.Feb 24 2019, 12:50

You were told that this is a pristine live image, or you are guessing?

I don't see in what you presented if it is a *pristine* *install* system or e.g. an installed system made into a CD install using some Ubuntu helper tool.

Assuming this _is_ a pristine image, then as I read it, the question boils down to "is it suspicious that your live installer makes web queries to (in my case) somewhere in Serbia as part of its routines?"

My answer to that question would be "no that does not seem alarming in itself - but would be interesting to know what that traffic contains, perhaps you discovered something there either in our system or in your use of it..."

no that does not seem alarming in itself

Whilst I might not use the term "alarming", I would be beyond interest in learning what it is doing talking to Serbia...

well, in my splitting-hairs mode it is factually alarming: it set off an alarm, of the conventional blinkenlight type.

One wild guess at an explanation is that the user lives in or near Serbia too, and some systemd or network-manager am-I-truly-online probe making an HTTP lookup to Google gets resolved to a nearby proxy host.

mladen added a comment.EditedFeb 25 2019, 11:51
  • downloaded from pureos.net/download
  • sha sum matched
  • burned from win 7 operating system burning tool
  • user is from Slovenia
  • no VPN is used
  • dns is encrypted by RATtrap firewall

here is another set of outgoing attempts:

5.22.191.144, port 80, Belgrade, Serbia
5.22.191.138, port 80, Belgrade, Serbia
52.32.77.100, port 443, Portland, United States
46.51.179.90, port 443, Dublin, Ireland
52.39.131.77, port 443, Portland, United States

Maybe they could run opensnitch to see if we can get more detail about the processes opening the ports? It looks like the web browser is doing this since they're 443 or port 80

https://www.opensnitch.io/

Thanks for those new details.

Let's assume that "win 7 operating system burning tool" does only the equivalent of "cp $foo /dev/$bar" (or for those devoted to that, the equivalent of "dd if=$foo of=$bar").

So the issue here is that a pristine PureOS installer live-system connects via http or https to unidentified hosts.

Again, I understand how a strongly sensitive measurement system may trigger alarms by that behavior, and can imagine that if such alarms use a red blinking indicator that can cause concern.
I have difficulty, however, seeing how it is a security concern, or more specifically how to conclude that it is an act of a virus or a hacking attempt.

I cannot rule out that it is a virus or a hacking attempt. But then again, I cannot rule out either that I am right now part of a secret government LSD experiment and hallucinating my computer screen - I just cannot make much use of such speculation.

Sorry, I don't know how to proceed any further here.

Perhaps ask the user to capture and examine the _contents_ of (the unencrypted parts of) that observed web traffic.

I cannot rule out that it is a virus or a hacking attempt. But then again, I cannot rule out either that I am right now part of a secret government LSD experiment and hallucinating my computer screen - I just cannot make much use of such speculation.

Hang on... what? :p

@mladen Indeed, please ask the user to try and see what (at least) the port 80 requests actually contain? Thanks.

One difference between us and Debian is that we modify Firefox with various privacy tools and add-ons. @jonas.smedegaard would you be able to determine if the patches we add might be the source of the web calls out? Perhaps there is a black list being downloaded at first run or similar.

And I hope you're feeling better Jonas.

What we do differently with Firefox is _remove_ some functionality that Mozilla ships by default and then also force-include some WebExtensions which Debian ships as well but leaves for their users to freely decide whether they want as part of their Firefox experience.

No, I have no expertise if those WebExtensions might be the cause of these callouts. I just glued them on (technically: added a dependency).

Why do we expand these wild speculations to include how we ship a customized Firefox? If the scenario we are investigating here is *not* a system bootup, but instead a system where Firefox gets started then most certainly there will be *lots* of callouts left and right - Firefox is certainly not starting up without making network connections.

I am totally lost at what we are investigating here, and why we are investigating it.
Can someone please clue me in?

Indeed, this appears to have nothing to do with Firefox (?).

mladen added a comment.Mar 1 2019, 14:18

More info:

This is the IP from an outgoing attack from Google on port 443. It was destined to Hamburg, Germany. Here is the IP: 172.217.20.10. Also Amazon is taking part in this. Here is its IP address on the same port: 79.125.105.113, destined to Dublin, Ireland.

  • 79.125.105.113 is duckduckgo. I am not sure why this would load on /boot/
  • Please re-ask the user to get the contents of these requests (i.e. the port 80 ones, as they won't be encrypted).

Also, could they provide more information, like actual log files or similar? Currently it is just port numbers and IP addresses which are no evidence of anything.

mladen added a comment.Mar 6 2019, 12:46

I asked, user said he is not able to install OpenSnitch manually (by compiling from source).

Also, could they provide more information, like actual log files or similar? Currently it is just port numbers and IP addresses which are no evidence of anything.

Could you clarify the difference between log files and the contents of the requests as requested at https://tracker.pureos.net/T712#13385?

I asked, user said he is not able to install OpenSnitch manually (by compiling from source).

Don't see why opensnitch is required here. You could just use tcpdump or whatever; opensnitch is "just" a fancy UI of sorts if the user's goal is to log/find all outgoing connections.
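The practical ask in this thread is to look at what the unencrypted port-80 requests actually contain (Host, path, User-Agent) instead of only at destination IPs. As an added example, not code from this tracker or the PureOS project, the script below pulls HTTP/1.x request lines and headers out of a raw client-to-server TCP stream, such as one reassembled from a tcpdump capture; the sample capture, the network-test.debian.org host name and the user-agent strings are constructed for illustration.

```python
"""Added example: identify what plaintext HTTP requests in a capture are for.

Non-HTTP bytes (for example TLS records from port-443 connections) are skipped,
so the whole outbound stream can be fed in without filtering first."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One HTTP/1.x request head: request line, zero or more header lines, blank line.
HTTP_REQUEST = re.compile(
    rb"(GET|HEAD|POST|PUT|OPTIONS) (\S+) HTTP/1\.[01]\r\n"  # request line
    rb"((?:[^\r\n]+\r\n)*)\r\n"                            # headers + blank line
)


@dataclass
class HttpRequest:
    method: str
    target: str
    host: str
    user_agent: str


def parse_http_requests(stream: bytes) -> list[HttpRequest]:
    """Return every HTTP/1.x request head found in a reassembled TCP stream."""
    found = []
    for m in HTTP_REQUEST.finditer(stream):
        headers = {}
        for line in m.group(3).split(b"\r\n"):
            name, _, value = line.partition(b":")
            if value:
                headers[name.strip().lower()] = value.strip()
        found.append(HttpRequest(
            method=m.group(1).decode(),
            target=m.group(2).decode(errors="replace"),
            host=headers.get(b"host", b"").decode(errors="replace"),
            user_agent=headers.get(b"user-agent", b"").decode(errors="replace"),
        ))
    return found


def summarise(stream: bytes) -> list[str]:
    """One line per request: method, host + path, and the client that sent it."""
    return [f"{r.method} {r.host}{r.target} [{r.user_agent or '-'}]"
            for r in parse_http_requests(stream)]


# Constructed sample stream (not a real capture from the reporter): a request that
# looks like a NetworkManager connectivity probe, then a TLS record, then a plain GET.
CAPTURE = (
    b"GET /nm HTTP/1.1\r\nHost: network-test.debian.org\r\n"
    b"User-Agent: NetworkManager/1.14\r\nAccept: */*\r\n\r\n"
    b"\x16\x03\x01\x00\x05hello"
    b"GET / HTTP/1.0\r\nHost: 5.22.191.144\r\nUser-Agent: Wget/1.20.1\r\n\r\n"
)

if __name__ == "__main__":
    for line in summarise(CAPTURE):
        print(line)
```

Feed it the client-to-server side of a capture (for example the payload saved from tcpdump) and the User-Agent usually names the process behind the connection, which is the detail the IP list alone cannot give.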

mladen changed the visibility from "Restricted Project (Project)" to "All Users".Aug 4 2019, 01:47
mladen changed the visibility from "All Users" to "Public (No Login Required)".