sharing a user experience #21

Closed
gustavo-iniguez-goya opened this issue May 22, 2020 · 4 comments

Comments

@gustavo-iniguez-goya
Owner

Some weeks ago, while hanging around on the internet, a new opensnitch dialog popped up. I don't have a set of permanent rules, most of them are temporary, so it looked normal to see yet another connection dialog, but something caught my attention. The port was 89, and I was testing a regex for destination ports like "(53|80|443)", so some web was connecting to the port 89? At least it seemed strange to me.

I ignored it for some days, until I got bored of it and decided to investigate what was creating it, because it was starting to be very annoying and repetitive. As it was being created from chromium, and after discarding all the possible pages/tabs, I grepped the extensions for the URLs (ext.*.extenbalanc.org) and I realized that the extension Video Downloader Plus was the culprit.

The extension sends a lot of data to remote servers, not only every page you visit along with your IP, country, user-agent, etc, as you can see in the video (note: null fields in the video are because the dns server points to a pi-hole docker, otherwise it would reveal the real data).

This is not new news, others analyzed this and other extensions and concluded that they were ad/spyware at best: https://adguard.com/en/blog/unimania-spyware-campaign.html

In summary, glad that opensnitch caught it, I thought I had to share it :)
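
The grep step described in this post, as an added example that is not part of the original post or of the OpenSnitch project: a Python script that searches unpacked Chromium extensions for a hostname pattern and reports the extension ID and display name, resolving localized `__MSG_…__` names. The `<id>/<version>/manifest.json` layout, the sample tree and the `ext.sample` host label are constructed assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

def load_json(path):
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}

def display_name(version_dir, manifest):
    """Resolve a localized "__MSG_key__" name through _locales/<default_locale>."""
    name = manifest.get("name", "?")
    m = re.fullmatch(r"__MSG_(.+)__", name)
    if not m:
        return name
    locale_dir = version_dir / "_locales" / manifest.get("default_locale", "en")
    for key, entry in load_json(locale_dir / "messages.json").items():  # keys are case-insensitive
        if key.lower() == m.group(1).lower():
            return entry.get("message", name)
    return name

def find_extensions(ext_root, host_regex):
    """Map extension ID -> (display name, files whose bytes match host_regex)."""
    pattern = re.compile(host_regex.encode())
    hits = {}
    for manifest_path in sorted(ext_root.glob("*/*/manifest.json")):
        vdir = manifest_path.parent
        files = sorted(f.relative_to(vdir).as_posix() for f in vdir.rglob("*")
                       if f.is_file() and pattern.search(f.read_bytes()))
        if files:
            hits[vdir.parent.name] = (display_name(vdir, load_json(manifest_path)), files)
    return hits

def build_sample(root):
    """Constructed sample tree: one clean extension, one that embeds the host."""
    for ext_id, name, js in [("a" * 32, "Clean Notes", "console.log('hi');"),
                             ("b" * 32, "__MSG_appName__", "fetch('https://ext.sample.extenbalanc.org:89/r');")]:
        d = root / ext_id / "1.0_0"
        (d / "_locales" / "en").mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "default_locale": "en"}))
        (d / "_locales" / "en" / "messages.json").write_text('{"appname": {"message": "Sample Downloader"}}')
        (d / "background.js").write_text(js)
    return root

if __name__ == "__main__":
    # Assumed real location on Linux: ~/.config/chromium/Default/Extensions
    with tempfile.TemporaryDirectory() as tmp:
        print(find_extensions(build_sample(Path(tmp)), r"ext\.[\w-]+\.extenbalanc\.org"))
```
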

@Ph0rk0z

Ph0rk0z commented May 22, 2020

This is why I've been searching for a real firewall on linux since forever. Eset does the same thing for me on windows. It is surprising what connects.

@gustavo-iniguez-goya
Owner Author

I've read a post about websockets that is worth mentioning here:
https://nullsweep.com/why-is-this-website-port-scanning-me/

When I added support for intercepting connections to localhost I didn't think of that scenario, but the truth is that some pages are abusing websockets.

@Pain-Patate

> This is why I've been searching for a real firewall on linux since forever. Eset does the same thing for me on windows. It is surprising what connects.

I agree with you.

> Some weeks ago
> ,...
> In summary, glad that opensnitch caught it, I thought I had to share it :)

Great of you to share. I'm a fucking noob in ports, firewall, but I hope to help you, on OpenSnitch

@gustavo-iniguez-goya
Owner Author

Created a new wiki page where I'll add other examples like this one. You're welcome to share other experiences if you find something suspicious, curious or interesting.
