
Data theft by Amazon Server (Amazonaws)


21 replies to this topic

#1 Aperio


Posted 27 February 2016 - 04:48 PM

Quite by accident when I was investigating a slow internet connection using ThinkBroadband's tbbMeter, I discovered that data was being uploaded by a server owned by Amazon. I never use Amazon.

 

Just bringing up my browser (Firefox) caused Amazonaws and other websites to begin uploading data.

 

Surely this should be publicised as no one wants the data from their home computers in the hands of unknown people/organisations.

 

***********************************************************************************************************************************

 

I tried blocking Amazonaws via my router (bthomehub) and also by installing Acrylic which is a proxy DNS and specifying wild cards in the hosts file. Nothing seems to work!

 

If anyone can come up with a way of blocking Amazonaws I would be very grateful.

 

A summary of what I've done so far follows:

 

**************************************************************************************************************************************

 

I found this out by googling:

 

QUOTE:

Amazonaws = Amazon web services

This is a new service by Amazon (trying to do a bit of a Google).

They are renting out space and bandwidth on their servers to developers. Those developers then use the services supplied by Amazon to scan other people's websites - it's not Amazon themselves who are doing it. If your websites' bandwidth is being racked up by amazonaws then you can complain to amazonaws with details of when and what happened and they'll "warn" the person doing it, and then cut them off if they keep doing it (or so they imply).

The only good point about this is that the person using their service has to pay them by the hour and by the Gigabyte, so if they rack up your bandwidth they rack up their own bill. The bad point is that they don't charge a lot for this service.

There is no valid reason that I can see why amazonaws.com should be on people's websites at all - so ban away!

 

END QUOTE

 

*******************************************************************************************************************************

I tried blocking the site via the router. This failed.

 

The Windows host file does not accept wild cards, so I installed Acrylic which is a proxy DNS server.

 

However, it did not block the unwanted web sites - see log. There are no Bs!

 

You will also note there are other websites, Akamaitechnologies and Facebook, which are uploading data.

 

I am not a member of Facebook.

 
**********************************************************************************************************************************

Here is some information on what I've done....

Acrylic Hosts file
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain

# Block Amazonaws IPv4
127.0.0.1 *.*.compute.amazonaws.com
127.0.0.1 *.amazonaws.com

# Block Akamaitechnologies
127.0.0.1 *.deploy.static.akamaitechnologies.com

# Must add to end
127.0.0.1 *.localhost
127.0.0.1 *.local
127.0.0.1 *.lc

Sample of the log:
; In the hit log, along with the packet timestamp, client address and request
; description there's a treatment field code (how Acrylic treated it):
;
; B -> Explicitly blocked
; H -> Resolved from the hosts cache
; C -> Resolved from the address cache
; F -> Forwarded to the configured DNS servers
; R -> Received from one of the configured DNS servers
; U -> Silent update from one of the configured DNS servers

2016-02-26 07:34:48.450 127.0.0.1 H Q[1]=frontend-Diagnost-1SCNCG3BR1RFE-634346662.eu-west-1.elb.amazonaws.com;T[1]=A
2016-02-26 07:34:48.450 127.0.0.1 C Q[1]=frontend-Diagnost-1SCNCG3BR1RFE-634346662.eu-west-1.elb.amazonaws.com;T[1]=AAAA

2016-02-26 07:37:17.042 127.0.0.1 C Q[1]=246.96.198.23.in-addr.arpa;T[1]=PTR
2016-02-26 07:37:17.044 127.0.0.1 H Q[1]=a23-198-96-246.deploy.static.akamaitechnologies.com;T[1]=A
2016-02-26 07:37:17.946 127.0.0.1 C Q[1]=38.56.30.52.in-addr.arpa;T[1]=PTR
2016-02-26 07:37:17.948 127.0.0.1 H Q[1]=ec2-52-30-56-38.eu-west-1.compute.amazonaws.com;T[1]=A
2016-02-26 07:37:21.052 127.0.0.1 F Q[1]=67.18.31.185.in-addr.arpa;T[1]=PTR
2016-02-26 07:37:21.072 8.8.4.4 R RC=3;QDC=1;ANC=0;Z=0000818300010000000100000236370231380233310331383507696E2D61646472046172706100000C0001C01500060001000007000030037072690761757468646E730472697065036E65740003646E73C04356CF907300000E1000000258000D2F0000000E10
2016-02-26 07:37:25.132 127.0.0.1 F Q[1]=207.19.31.185.in-addr.arpa;T[1]=PTR
2016-02-26 07:37:25.143 8.8.4.4 R RC=3;QDC=1;ANC=0;Z=000081830001000000010000033230370231390233310331383507696E2D61646472046172706100000C0001C016000600010000052D0030037072690761757468646E730472697065036E65740003646E73C04456CF907300000E1000000258000D2F0000000E10
2016-02-26 07:37:26.146 127.0.0.1 C Q[1]=226.198.58.216.in-addr.arpa;T[1]=PTR
2016-02-26 07:37:26.147 127.0.0.1 C Q[1]=lhr26s04-in-f2.1e100.net;T[1]=A
2016-02-26 07:37:26.884 127.0.0.1 F Q[1]=207.43.235.23.in-addr.arpa;T[1]=PTR

 

**************************************************************************************************************************************

 

These are the details reported by tbbMeter (in excel xls format) copied and pasted:


IP Address Host Name Ports First Seen Last Seen Down(KB) Up (KB)
54.173.221.102 ec2-54-173-221-102.compute-1.amazonaws.com 443 23/02/2016 08:24 23/02/2016 15:14 1 2
52.73.236.192 ec2-52-73-236-192.compute-1.amazonaws.com 443 23/02/2016 14:44 23/02/2016 14:44 0 1
52.72.183.180 ec2-52-72-183-180.compute-1.amazonaws.com 443 23/02/2016 07:59 23/02/2016 13:44 1 2
52.71.121.157 ec2-52-71-121-157.compute-1.amazonaws.com 443 23/02/2016 12:24 23/02/2016 13:19 1 2
52.20.245.150 ec2-52-20-245-150.compute-1.amazonaws.com 443 23/02/2016 05:04 23/02/2016 12:59 1 2
54.152.225.202 ec2-54-152-225-202.compute-1.amazonaws.com 443 23/02/2016 08:59 23/02/2016 11:24 1 2
184.72.240.238 ec2-184-72-240-238.compute-1.amazonaws.com 80 23/02/2016 07:14 23/02/2016 11:14 6 6
52.32.59.229 ec2-52-32-59-229.us-west-2.compute.amazonaws.com 443 23/02/2016 05:14 23/02/2016 10:29 1 0
52.5.232.33 ec2-52-5-232-33.compute-1.amazonaws.com 443 23/02/2016 10:24 23/02/2016 10:24 0 0
54.174.179.70 ec2-54-174-179-70.compute-1.amazonaws.com 443 23/02/2016 10:04 23/02/2016 10:04 0 1
54.165.14.197 ec2-54-165-14-197.compute-1.amazonaws.com 443 23/02/2016 09:24 23/02/2016 09:25 0 1
52.34.69.143 ec2-52-34-69-143.us-west-2.compute.amazonaws.com 443 23/02/2016 08:31 23/02/2016 08:32 1 0
52.88.112.239 ec2-52-88-112-239.us-west-2.compute.amazonaws.com 443 23/02/2016 08:31 23/02/2016 08:32 1 1
54.194.162.177 ec2-54-194-162-177.eu-west-1.compute.amazonaws.com 80 23/02/2016 08:31 23/02/2016 08:31 43 1
52.27.10.252 ec2-52-27-10-252.us-west-2.compute.amazonaws.com 443 23/02/2016 08:27 23/02/2016 08:28 0 0
176.34.122.196 ec2-176-34-122-196.eu-west-1.compute.amazonaws.com 443 23/02/2016 05:15 23/02/2016 07:30 396 50
52.72.232.16 ec2-52-72-232-16.compute-1.amazonaws.com 443 23/02/2016 07:24 23/02/2016 07:24 0 1
52.88.155.162 ec2-52-88-155-162.us-west-2.compute.amazonaws.com 443 23/02/2016 07:11 23/02/2016 07:12 0 0
52.71.137.67 ec2-52-71-137-67.compute-1.amazonaws.com 443 23/02/2016 06:54 23/02/2016 06:54 0 1
52.0.46.15 ec2-52-0-46-15.compute-1.amazonaws.com 443 23/02/2016 06:24 23/02/2016 06:24 0 1
52.21.197.186 ec2-52-21-197-186.compute-1.amazonaws.com 443 23/02/2016 05:54 23/02/2016 05:54 0 1
52.70.20.16 ec2-52-70-20-16.compute-1.amazonaws.com 443 23/02/2016 05:24 23/02/2016 05:24 0 0
52.30.56.38 ec2-52-30-56-38.eu-west-1.compute.amazonaws.com 443 23/02/2016 05:15 23/02/2016 05:17 2 5
52.30.193.137 ec2-52-30-193-137.eu-west-1.compute.amazonaws.com 443 23/02/2016 05:17 23/02/2016 05:17 1 0
52.88.174.121 ec2-52-88-174-121.us-west-2.compute.amazonaws.com 443 23/02/2016 05:16 23/02/2016 05:17 5 0
176.34.103.181 ec2-176-34-103-181.eu-west-1.compute.amazonaws.com 443 23/02/2016 05:15 23/02/2016 05:16 2 1
176.34.107.218 ec2-176-34-107-218.eu-west-1.compute.amazonaws.com 443 23/02/2016 05:15 23/02/2016 05:15 2 1
54.204.12.158 ec2-54-204-12-158.compute-1.amazonaws.com 443 23/02/2016 05:15 23/02/2016 05:15 1 0
52.22.204.30 ec2-52-22-204-30.compute-1.amazonaws.com 443 23/02/2016 04:24 23/02/2016 04:24 0 4


Edited by Aperio, 27 February 2016 - 05:48 PM.
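
An added example, not part of the original post: a short Python script that reads the query lines of the hit-log excerpt above using the legend the log itself gives, tallies how lookups under a domain suffix were treated, and picks out names that were queried immediately after a PTR lookup of the matching IP address. The function names are made up for this example, and the two "R" response lines are left out of the sample.

```python
import re
from collections import Counter

# Query lines from the Acrylic hit log quoted in the post; the two "R"
# response lines (raw packet hex) and the stray fragment are left out.
LOG = """\
2016-02-26 07:34:48.450 127.0.0.1 H Q[1]=frontend-Diagnost-1SCNCG3BR1RFE-634346662.eu-west-1.elb.amazonaws.com;T[1]=A
2016-02-26 07:34:48.450 127.0.0.1 C Q[1]=frontend-Diagnost-1SCNCG3BR1RFE-634346662.eu-west-1.elb.amazonaws.com;T[1]=AAAA
2016-02-26 07:37:17.042 127.0.0.1 C Q[1]=246.96.198.23.in-addr.arpa;T[1]=PTR
2016-02-26 07:37:17.044 127.0.0.1 H Q[1]=a23-198-96-246.deploy.static.akamaitechnologies.com;T[1]=A
2016-02-26 07:37:17.946 127.0.0.1 C Q[1]=38.56.30.52.in-addr.arpa;T[1]=PTR
2016-02-26 07:37:17.948 127.0.0.1 H Q[1]=ec2-52-30-56-38.eu-west-1.compute.amazonaws.com;T[1]=A
2016-02-26 07:37:21.052 127.0.0.1 F Q[1]=67.18.31.185.in-addr.arpa;T[1]=PTR
2016-02-26 07:37:25.132 127.0.0.1 F Q[1]=207.19.31.185.in-addr.arpa;T[1]=PTR
2016-02-26 07:37:26.146 127.0.0.1 C Q[1]=226.198.58.216.in-addr.arpa;T[1]=PTR
2016-02-26 07:37:26.147 127.0.0.1 C Q[1]=lhr26s04-in-f2.1e100.net;T[1]=A
2016-02-26 07:37:26.884 127.0.0.1 F Q[1]=207.43.235.23.in-addr.arpa;T[1]=PTR
"""

# Fields: timestamp, client address, treatment code, queried name, record type
LINE = re.compile(r"^\S+ \S+ \S+ ([BHCFRU]) Q\[1\]=([^;]+);T\[1\]=(\w+)$")
ARPA = ".in-addr.arpa"

def parse(log):
    """Return a list of (treatment, qname, qtype) for every query line."""
    entries = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3)))
    return entries

def ptr_to_ip(qname):
    """'38.56.30.52.in-addr.arpa' -> '52.30.56.38'; None for other names."""
    if not qname.endswith(ARPA):
        return None
    octets = qname[:-len(ARPA)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None

def treatments_for(entries, suffix):
    """Count treatment codes of forward (A/AAAA) queries under a suffix."""
    return Counter(t for t, q, ty in entries
                   if ty in ("A", "AAAA") and q.endswith(suffix))

def reverse_then_forward(entries):
    """A queries that directly follow a PTR query for the IP embedded in
    the queried name, i.e. the name was derived from the address."""
    hits = []
    for (_, q1, ty1), (t2, q2, ty2) in zip(entries, entries[1:]):
        ip = ptr_to_ip(q1) if ty1 == "PTR" else None
        if ip and ty2 == "A" and ip.replace(".", "-") in q2:
            hits.append((ip, q2, t2))
    return hits

if __name__ == "__main__":
    entries = parse(LOG)
    print("amazonaws.com treatments:", dict(treatments_for(entries, ".amazonaws.com")))
    for ip, name, code in reverse_then_forward(entries):
        print(f"{ip} -> {name} (treatment {code})")
```

A name that is only queried after a PTR lookup was derived from an address some program already held, so changing how that name resolves does not stop traffic to the address itself.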



 


#2 iangcarroll


Posted 27 February 2016 - 05:35 PM

As you mentioned, Amazon AWS runs servers for other companies. They do not only run 'web crawling' services; you can essentially run any type of application on their servers (like all public clouds) if you pay for your resource usage. Dropbox uses AWS to store your files/run itself, and that is what those connections are to. I would advise uninstalling Dropbox if you do not want any connections to be made to AWS; do note that if you completely block AWS, you will prevent access to a very large portion of the internet, including Netflix and other major sites.

Edited by iangcarroll, 27 February 2016 - 05:39 PM.

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#3 Aperio


Posted 28 February 2016 - 02:51 AM

Thank you for replying.

Uninstalling Dropbox is good advice. I only use Dropbox as one of a number of backup mechanisms so there will be no loss in functionality.

I would like to be able to block the websites listed on a PC-by-PC basis and your reply does not tell me how to do that.

The Internet must change so that it is more regulated.

For example, it should be a rule that ALL websites uploading computer data should make the user aware that this is happening and tell them what data is being uploaded and what it is going to be used for.

Furthermore, inexperienced users should be able to block any site they want easily.

Paul
 


Edited by Aperio, 28 February 2016 - 03:17 AM.


#4 Aura


Posted 28 February 2016 - 02:57 AM

> For example, it should be a rule that ALL websites uploading computer data should make the user aware that this is happening and tell them what data is being uploaded and what it is going to be used for.

Not going to happen anytime soon, I can tell you that. Also, the issue here isn't "websites", but programs. Programs, services, etc. that connect to servers hosted on AWS (and not websites) in order to either upload and/or download data. In that case, you should be able to find on that program's website, and/or EULA what kind of data is being uploaded, and obviously what kind of data is being downloaded. It'll often be listed under the Privacy section of a website.

Pretty much every program is connecting to AWS-based servers, because Amazon IS the biggest player when it comes to Cloud computing and renting servers, storage space, etc. so this isn't going to change anytime soon.

Also, I agree that a user should be able to block any website they want, but then, you cannot really complain after if X or Y program isn't working. As soon as you're connected to the Internet, you'll be uploading/downloading data. It cannot be avoided, it's simply how it is. If you don't like it, then don't use, nor connect to the Internet.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 iangcarroll


Posted 28 February 2016 - 03:05 AM

> Uninstalling Dropbox is good advice. I only use Dropbox as one of a number of backup mechanisms so there will be no loss in functionality.


To be clear, I do not advise uninstalling Dropbox in general. It will stop it from connecting to AWS, but there really isn't anything to be concerned about there.
 

> I would like to be able to block the websites listed on a PC-by-PC basis and your reply does not tell me how to do that.


I will defer to someone else who knows more about options on Windows for this.
 

> For example, it should be a rule that ALL websites uploading computer data should make the user aware that this is happening and tell them what data is being uploaded and what it is going to be used for.


As Aura has said, the only way this happens, ignoring malware, is if you install a program and accept its EULA, which documents this, or provide a website information/files, which has a privacy policy.
 

> Furthermore, inexperienced users should be able to block any site they want.


Well, to be honest, we'd probably have you and others blocking AWS and wondering why 1/5 of the internet no longer functions. It doesn't make much sense for the process to be as simple as you'd like because people are careless.

Edited by iangcarroll, 28 February 2016 - 03:11 AM.



#6 Aura


Posted 28 February 2016 - 03:11 AM

> I would like to be able to block the websites listed on a PC-by-PC basis and your reply does not tell me how to do that.


Forgot to address that one. I guess a program like PeerBlock will please you.

http://www.peerblock.com/

A bit outdated, but still really popular.



#7 Wandleb


Posted 29 February 2016 - 01:52 PM

I agree with Aperio. This problem must be sorted out. It's all very well saying if you don't like it, don't connect to the Internet, but everything nowadays is geared up to the internet.



#8 Aura


Posted 29 February 2016 - 02:04 PM

Then what do you suggest? You want to force companies not to use AWS? Good luck with that.




#9 iangcarroll


Posted 29 February 2016 - 02:33 PM

I'm not sure what you want to happen, exactly. Every program you install does a fairly good job at explaining how it handles your data in its EULA or privacy policy. 

 

Do you not like AWS or what?




#10 Wandleb


Posted 29 February 2016 - 05:55 PM

Good heavens, I don't want to "force" companies not to use AWS! It's not a question of whether I like or dislike AWS either. There just needs to be a way to stop things being uploaded if you don't want that to happen.



#11 Aura


Posted 29 February 2016 - 05:58 PM

In that case, simply disable background services, programs, etc. Also, you know that data upload is a necessity, right? Let's say that you install a program and it needs to know what kind of settings to apply for your system, the program needs to upload your system's basic information so the program knows what settings to apply, as they might be different depending on the version of Windows you are using.



#12 Wandleb


Posted 01 March 2016 - 04:50 AM

I'm not a technical person, just a concerned one.  I can't see why it isn't possible to organise a system so that certain things are off limits while others are accessible.

 

For instance, I understand that a bank would want to take data and that is fine if you are using its services.  But why should Facebook or Twitter do the same if you are not even a member of those sites?



#13 Aura


Posted 01 March 2016 - 06:20 AM

Where do you see that Twitter and Facebook are taking your data? And the reason why a connection is made to these on most websites is because they use social media button integrations. This can be stopped by using privacy-based extensions like Ghostery.



#14 Aperio


Posted 01 March 2016 - 10:15 AM

Hello

 

I have uninstalled Dropbox from all our computers and this has reduced the uploads to Amazonaws.

 

There was an unexpected benefit.

 

The message "Critical Error – Start menu is not working. We'll try to fix it the next time you sign in" appeared on a computer with Windows 10.

 

Uninstalling Dropbox got rid of the problem.

 

It is too soon to say if this is going to be a permanent solution.

 

Aperio



#15 GataPandu


Posted 01 March 2016 - 05:33 PM

This looks like an actual case in point for the suggested professional email list on 'safe computing for the rest of us' that alerts subscribers on daily threats http://www.bleepingcomputer.com/forums/t/606500/how-do-you-keep-up-with-security-issues-of-the-day/?p=3946344





