
Google Chrome requesting inbound UDP connections


11 replies to this topic

#1 Maike13


Posted 23 May 2017 - 01:49 PM

Hope this is the right forum for this question.  I just changed internet provider and now I am getting this weird event.  When using Google Chrome, every 30 seconds or so my Firewall pops up a warning that Google Chrome is requesting an inbound connection from remote address 192.168.77.1 UDP:62698 (for example).  It doesn't matter whether I click Block or Allow, about 30 seconds later the message pops up again, same IP address but different UDP address.  I don't have any equipment at 192.168.77.1.  If I ping -a that IP address it says it belongs to 173.219.227.47.suddenlink.net (Suddenlink is my new ISP).  If I turn my new router off, and turn on and connect to router from my old ISP (we still have service until the end of the month), I no longer get the warnings when using Chrome.  I created a new firewall rule for chrome blocking all UDP inbound access.  This stops the warnings popping up and chrome still seems to work fine, but I'm curious as to what's going on here.

 

Anyone have any ideas?

Thanks





#2 unopie


Posted 23 May 2017 - 02:08 PM

With it coming from your ISP, I hardly think that it would be malicious, however many ISPs do this in order to provide targeted advertisements.

I'd say it's 100% some type of surveying from your new ISP.



#3 Maike13


Posted 23 May 2017 - 02:18 PM

> With it coming from your ISP, I hardly think that it would be malicious, however many ISPs do this in order to provide targeted advertisements.
>
> I'd say it's 100% some type of surveying from your new ISP.

Thanks for the reply.  That sounds like a likely explanation.  In that case, I think I'll just leave chrome's inbound UDP access blocked.  Don't need any more ads :-)



#4 JohnnyJammer


Posted 23 May 2017 - 11:21 PM

Just remember that ISPs have been caught injecting JavaScript in web traffic!



#5 Didier Stevens


Posted 25 May 2017 - 03:34 AM

FYI: you probably shared your public IP address in your first post. There are people who prefer to keep this information private (of course I don't know if you are in that case, just pointing this out in case you would not be aware).

 

192.168.77.1 could be your new ISP's modem itself. Check if it matches your gateway address.

 

If you want to know what is happening, we can try to inspect the traffic.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 Maike13


Posted 25 May 2017 - 12:54 PM

> Just remember that ISPs have been caught injecting JavaScript in web traffic!

Thanks.  good to know.



#7 Maike13


Posted 25 May 2017 - 12:57 PM

> FYI: you probably shared your public IP address in your first post. There are people who prefer to keep this information private (of course I don't know if you are in that case, just pointing this out in case you would not be aware).
>
> 192.168.77.1 could be your new ISP's modem itself. Check if it matches your gateway address.
>
> If you want to know what is happening, we can try to inspect the traffic.

Thanks.  Yes, that probably wasn't too smart.  I'd be interested to know how to inspect the traffic and interpret what it means.



#8 Didier Stevens


Posted 25 May 2017 - 05:16 PM

What OS & version are you using?




#9 Maike13


Posted 25 May 2017 - 05:30 PM

> What OS & version are you using?

Windows 7 Pro



#10 Didier Stevens


Posted 27 May 2017 - 05:14 AM

Are you comfortable installing Wireshark on your machine to do the capture and analysis? Or would you rather not install anything on that machine (since it's pro, it could be a business machine)?




#11 Maike13


Posted 27 May 2017 - 10:16 AM

> Are you comfortable installing Wireshark on your machine to do the capture and analysis? Or would you rather not install anything on that machine (since it's pro, it could be a business machine)?

It is a business machine, but they have some sort of protection program on it where anything I install is completely removed when the PC is rebooted.  So I can install anything I like (temporarily), as long as it doesn't require a reboot to work.



#12 Didier Stevens


Posted 30 May 2017 - 01:38 PM

OK, then you can install Wireshark, capture traffic until you get the alert, stop the capture and save the capture file.

 

If you need more help on how to do that, let me know.

 

Then report back here with the alert (IP addresses and ports), and I will give you a display filter to search your traffic.




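The capture step described in post #12, worked through as an added example (not part of the thread and not code from any of its posters): it reads a saved capture and lists the UDP datagrams sent by 192.168.77.1, with their ports and spacing, so they can be lined up against the firewall pop-ups. It assumes the capture was saved in classic pcap format with an Ethernet link type; the function names, the host address 192.168.77.20, the timestamps and every port except 62698 are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

GATEWAY = "192.168.77.1"  # remote address named in the firewall alert (post #1)

def udp_from(pcap, src_ip):
    """Yield (time, src_port, dst_ip, dst_port) for each IPv4/UDP datagram sent by src_ip."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None or struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("need a classic pcap file with Ethernet link type")
    want, off = ipaddress.IPv4Address(src_ip).packed, 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN-tagged frames are not handled)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17 or ip[12:16] != want or len(ip) < ihl + 8:
            continue  # not UDP, not from src_ip, or truncated
        if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
            continue  # later fragment: carries no UDP header
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield sec + usec / 1e6, sport, str(ipaddress.IPv4Address(ip[16:20])), dport

def summarize(pcap, src_ip=GATEWAY):
    """Ports and spacing of those datagrams, for matching against the firewall pop-ups."""
    rows = list(udp_from(pcap, src_ip))
    return {"datagrams": len(rows),
            "remote_ports": sorted({r[1] for r in rows}),
            "local_endpoints": Counter((r[2], r[3]) for r in rows),
            "gaps_s": [round(b[0] - a[0], 1) for a, b in zip(rows, rows[1:])]}

def _frame(src, dst, sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def sample_pcap(host="192.168.77.20"):
    """Constructed capture; only 192.168.77.1 and port 62698 come from the thread."""
    pkts = [(1000, _frame(GATEWAY, host, 62698, 50000)),
            (1010, _frame(host, "192.0.2.53", 50001, 53)),   # host's own traffic
            (1030, _frame(GATEWAY, host, 62711, 50000)),
            (1060, _frame(GATEWAY, host, 62725, 50000))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", t, 0, len(f), len(f)) + f for t, f in pkts)

if __name__ == "__main__":
    print(summarize(sample_pcap()))
```

Inside Wireshark itself, the display filter `ip.src == 192.168.77.1 && udp` selects the same packets. The local port in the result can then be compared with the ports Chrome has open at the time of the alert.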


