Created attachment 213850 [details]
Wireshark network monitoring log file
Firefox & Chromium appear to have been compromised with what looks like a "backdoor".
I recently upgraded all my FreeBSD boxes to 12.1-p3 and ALL packages including the latest Firefox i.e. 75.0.2_1
One of my FreeBSD 12.1 boxes uses WIFI (wpa) and after opening the Firefox browser the WIFI network became extremely slow. So I installed Wireshark (GUI) from packages to see what was happening.
With just Firefox running and Google's home page loaded, I saw WireShark displaying dozens of WAN IP addresses connecting to my FreeBSD box. Network traffic suddenly went very high, and it seems all of the connections were using TCP ports r80 (HTTP) and 443 (HTTPS) through my machine.
With Firefox closed the WAN connections disappeared. Just to be clear, Firefox was open but there was no web activity initiated by me.
To be absolutely sure, I systematically made sure that EVERY wired and wireless device (that could possibly browse the internet) was switched off, changed the WIFI ssid and password, and I ran the above tests again, I got the same result.
Would someone else run the same tests and confirm please?
- Install the latest Firefox & Wireshark from packages.
- Start Wireshark first (internet->wireshark), select your network adapter and monitor the network - traffic to and from your machine.
- Start Firefox (or Chromium) only
- Now look at the network traffic to and from your IP address
I have attached a log, my IP address is 192.168.1.14 in the log, this file should be opened in Wireshark only.
@Greg Could you please provide:
- pkg version -v output (as an attachment)
- package repository configuration (as an attachment)
Note: It is expected behaviour that browsers produce network traffic (in either, and both directions), particularly with regard to bootstrapping, on initial loads, and in particular (for example) downloading/updating internal databases such as safebrowsing data, among other things.
Can you provide any additional information/evidence which indicates that the network traffic in question is specifically unexpected or malicious in nature?
I undertsand what is normal, I been using FreeBSD since version 1.0 around Jan 1994. :)
If you look at the log I have provided, which was less than two minutes of logging, there are an abnormal number of connections to/from my Freebsd system.
The recent log is for my whole network, which includes two PCs running Windows 10 with Chrome or Firefox running. There is no such output from these machines! The Windows PC I am currently on, typing this reply, is currently running Chrome version 81.0.4044.122.
Chrome or Firefox on a Windows 10 machine do not produce anything like this. This is not normal!
Getting the files requested.
Created attachment 213852 [details]
Pkg version output
pkg version -v output
Created attachment 213853 [details]
Package conf file from /usr/local/etc/pkg.conf
I saved a logfile as txt and used awk to extract some of the IP addresses that my FreeBSD box is talking to...
using `nslookup` here is the output:
184.108.40.206.in-addr.arpa name = server-13-224-227-40.lhr61.r.cloudfront.net.
220.127.116.11.in-addr.arpa name = server-13-227-170-28.lhr52.r.cloudfront.net.
18.104.22.168.in-addr.arpa name = time.cloudflare.com.
22.214.171.124.in-addr.arpa name = time.cloudflare.com.
126.96.36.199.in-addr.arpa canonical name = 123.64-127.34.120.185.in-addr.arpa.
123.64-127.34.120.185.in-addr.arpa name = time.netweaver.uk.
188.8.131.52.in-addr.arpa name = ns0.luns.net.uk.
184.108.40.206.in-addr.arpa name = ec2-34-208-242-139.us-west-2.compute.amazonaws.com.
220.127.116.11.in-addr.arpa name = 18.104.22.168.bc.googleusercontent.com.
253.118.10.52.in-addr.arpa name = ec2-52-10-118-253.us-west-2.compute.amazonaws.com.
22.214.171.124.in-addr.arpa name = a92-122-188-20.deploy.static.akamaitechnologies.com.
126.96.36.199.in-addr.arpa name = server-99-86-255-121.lhr3.r.cloudfront.net.
188.8.131.52.in-addr.arpa name = server-99-86-255-18.lhr3.r.cloudfront.net.
Ok, I have left the Firefox browser "do its thing" for nearly an hour, the network traffic that I was seeing has settled down.
Embarrassing is this may sound, after a considerable amount of network activity Wireshark is not showing any more connections being made.
This appears to be a false positive, I just did not expected to be "hammered" when starting the browser every time!!!
Sorry .. but I think this can be closed.
(In reply to Greg Quinlan from comment #6)
It has started again... browser sitting idle (from a user's perspective) and loads of traffic to/from lots of WAN addresses appearing in Wireshark.
None of my other OSes (aka Windows 10) are doing this!
(In reply to Greg Quinlan from comment #5)
You forgot one (mozilla's "phone home"):
It's address changes. So not included.
not directly a ports-secteam problem. Back to pool
Hmm, looking at your Wireshark dump it seems like your laptop (192.168.1.14) is connecting to all those services, not the other way around. As Kubilay mentions, it all seems to do with preloading and caching stuff (including tabs that you left open from your last session?). So nothing to see here really from a FreeBSD point of view.