
On two Macbooks, my browser attempts to connect to random IP addresses



#1 Guest_oamru8_*


Posted 07 October 2015 - 02:33 AM

I recently bought a brand new Macbook last week because my old one (running Yosemite 10.10.5) was compromised. After this event, I erased the hard drive and reinstalled the OS on the old one and started using Little Snitch, a firewall application. However, while using Chrome on the old Macbook that had its hard drive erased and OS reinstalled, I got a connection alert to a random IP address while loading Gmail through Chrome and I freaked out, thinking my machine was somehow still compromised (amongst other little things). It freaked me out because even while using LS on this old Macbook with the clean reinstall, I hadn't gotten a strange connection attempt like this before.
 
So, on this brand new Macbook with only four third-party applications all downloaded directly from the providers (Chrome, LS, Flux and Spotify) while using Chrome and doing regular things like checking Facebook or opening a new tab, Little Snitch lets me know Chrome is attempting to connect to random IP addresses via port 80. I got three connection alerts recently. The 54 IP addresses are Amazonaws servers. The 4 IP address belongs to Level 3 Communications, a random American ISP. I don't know why Chrome would attempt to connect to these addresses. I've been told that the IP addresses don't resolve anywhere, so does that mean Chrome's attempting to connect to a server of some sort rather than it being a browser hijack?
 
I once again took this as a sign that my system was somehow still compromised (even if it was a brand new Macbook), so I went to my local Genius Bar to erase my hard drive and have OS El Capitan installed on the new Macbook from a bootable drive. Set up the system as new. Downloaded Chrome, Flux, Spotify and LS and podcasts via iTunes using the Apple Store wifi. OK, so far so good. One day into this new system, I get a connection alert to another amazonaws IP address when loading Gmail for the first time today. The IP address is on Spamhaus' PBL blocklist and comes up as high risk in McAfee's Threat Centre.
 
I'm pretty sure it's not any of my extensions (Ghostery, Wot, Xkit, Xmarks and previously Adblock/Plus) attempting to download updates from servers. They have hostnames rather than IP addresses, e.g. d.ghostery.com. Someone suggested to me it might've been Adblock as it's recently been sold and it's sneakily attempting to show ads but on the new Macbook with El Capitan, I still got a connection alert even without Adblock or Adblock Plus installed.
 
The only times I've gotten connection alerts to amazonaws is when I'm loading Gmail. Apart from that Level 3 IP address, I haven't gotten any non-amazonaws connection alerts.
 
Also for some reason, Chrome also attempts to connect to Apple related pages, even if I'm not using anything Apple related that would prompt an alert. I would understand if a process would attempt to connect to an Apple page, but why Chrome? For example, Chrome attempted to connect to support-sp.apple.com, which is related to when you click About this Mac. I did check my Macbook's information around this time, and the IP address is the same IP address for other hostnames for sites I use. But Chrome was specifically attempting to connect to support-sp.apple.com. Why would it need to do that?
 
-
 
I guess the common factor in all setups (on the old Macbook with the clean reinstall, on the new Macbook with the original set up and then the new setup with El Capitan) is that this has happened while I'm using the home wi-fi network (secured with WPA2 but as far as I know I can't change the router password because my ISP is like that...). I haven't used the internet on any other wifi network just due to circumstance. I can't use Open DNS on the router/modem I use, but I've got it set up on my own Macbook and I haven't noticed any other suspicious browser behaviour like ad redirects etc. I haven't downloaded anything via a P2P network/anything cracked because I'm pretty sure that's what hosed my old Macbook in the first place.
 
Because it's IP addresses instead of actual hostnames with letters and because Chrome's attempted to connect to them while I'm doing things where there really would be no reason for Chrome to connect to them (loading Gmail, opening a new tab), I'm a little suspicious. Should I be worried or am I just being overly paranoid?



#2 smax013


Posted 09 October 2015 - 01:08 AM

Does the same thing happen if you try to connect to Gmail in Safari?

 

Does the same thing happen if you use a wired connection at home instead of WiFi?

 

Also, try a different network (i.e. go to Starbucks or Wendy's or some other place with a free WiFi network).  You don't necessarily need to actually log into Gmail, just go to the page and see if the same strange IP stuff happens.

 

I don't have a concrete thought at this point, just suggesting some basic troubleshooting options to see if we can narrow down circumstances.


Edited by smax013, 09 October 2015 - 01:09 AM.


#3 Guest_oamru8_*


Posted 09 October 2015 - 02:06 AM

> Does the same thing happen if you try to connect to Gmail in Safari?
>
> Does the same thing happen if you use a wired connection at home instead of WiFi?
>
> Also, try a different network (i.e. go to Starbucks or Wendy's or some other place with a free WiFi network). You don't necessarily need to actually log into Gmail, just go to the page and see if the same strange IP stuff happens.
>
> I don't have a concrete thought at this point, just suggesting some basic troubleshooting options to see if we can narrow down circumstances.

 

Update: when I was still using Chrome, a connection alert to an IP address hosted by AmazonAWS occurred when I wasn't loading Gmail. It was when I was loading a webstore I browse...because I know what sites that store needs to connect to, I accidentally clicked accept on the IP address connection alert. Uploaded and downloaded some bytes...freaked out again, erased the hard drive and restored from a clean base backup I made at the Apple store.

 

I've been using Safari for all my browsing since then, and it hasn't happened at all while loading Gmail or any other site. However, when Safari automatically added Chrome's bookmarks to Safari, Safari attempted to connect to some of them. Out of three connection alerts, I recognised two sites as part of a site I definitely bookmarked, but then I got a connection alert to a website for checking Apple serial numbers and related specs. I don't think it's a malicious site, but I definitely do not have anything like that bookmarked.

 

So I do think it might be a Chrome-specific thing. I know Google collects information on you but presumably if it was to send information to a server it wouldn't be a random IP address and it wouldn't be an IP owned by AmazonAWS.

 

I'm going back to the Apple store, and I'll try surfing using Chrome and using the Apple store wifi.



#4 smax013


Posted 09 October 2015 - 08:59 PM

I forget...have you tried browsing in Chrome with NO extensions? If so, did you get the same results?

#5 Guest_oamru8_*


Posted 10 October 2015 - 01:08 AM

> I forget...have you tried browsing in Chrome with NO extensions? If so, did you get the same results?

 

I tried very briefly. Probably too short a session to trigger any prompt. For the next two days before I go to the Apple store I'll try using Chrome in incognito mode with no extensions enabled.

 

I would really prefer to use Chrome over Safari but I need to figure out what's causing this prompt!

 

Thanks for your suggestions.





