Firefox sends "nice ports,/Trinity.txt.bak"
Today I found that Firefox 88.0.1 (64-bit) sends "/nice%20ports%2C/Tri%6Eity.txt%2ebak" to a website. What is this? Am I infected? The Apache log at the HTTP server is as follows:
snip --------------------
192.168.1.188 - - [10/May/2021:07:42:41 +0900] "GET / HTTP/1.1" 200 665 "-" "Mozilla/5.0" xps8940
192.168.1.188 - - [10/May/2021:07:42:42 +0900] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 403 - "-" "-" 192.168.1.188
192.168.1.188 - - [10/May/2021:07:42:42 +0900] "GET / HTTP/1.0" 403 - "-" "-" 192.168.1.188
192.168.1.188 - - [10/May/2021:07:43:58 +0900] "GET /Picture/MicroS5S.gif HTTP/1.1" 200 3042 "http://wista.jp/Index.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0" xps8940
snip --------------------
The server is located within my home LAN. 192.168.1.188 and xps8940 are the captioned machine that sends this unknown protocol. Tested with Chrome and found no such protocol sent. Could any guru enlighten me? Tak
All Replies (4)
Hmm, I assumed that was a random phrase, but actually Google has some matching results:
Seems to be something you could find in your logs if the Nmap utility ran on your network. I don't think that would come from within Firefox.
When I look at the log more closely, if the last parameter is the host sending the request, the second and third seem to be from the server itself or the return IP address is spoofed:
Server | ? | ? | Date-Time | Request | Status | bytes | referrer | user-agent | remote host |
192.168.1.188 | - | - | [10/May/2021:07:42:41 +0900] | "GET / HTTP/1.1" | 200 | 665 | "-" | "Mozilla/5.0" | xps8940 |
192.168.1.188 | - | - | [10/May/2021:07:42:42 +0900] | "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" | 403 | - | "-" | "-" | 192.168.1.188 |
192.168.1.188 | - | - | [10/May/2021:07:42:42 +0900] | "GET / HTTP/1.0" | 403 | - | "-" | "-" | 192.168.1.188 |
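An added example (not part of the original thread): a Python check that percent-decodes request paths in an Apache access log and flags the path from the question, together with other header-less HTTP/1.0 requests from the same client in the same second. The log format (combined plus a trailing remote-host field) is inferred from the lines posted above, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample: the first three log lines from the question above.
SAMPLE_LOG = '''\
192.168.1.188 - - [10/May/2021:07:42:41 +0900] "GET / HTTP/1.1" 200 665 "-" "Mozilla/5.0" xps8940
192.168.1.188 - - [10/May/2021:07:42:42 +0900] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 403 - "-" "-" 192.168.1.188
192.168.1.188 - - [10/May/2021:07:42:42 +0900] "GET / HTTP/1.0" 403 - "-" "-" 192.168.1.188
'''

# Assumed layout: client, %l, %u, [time], "request", status, bytes, "referer", "agent".
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
PROBE_PATH = "/nice ports,/Trinity.txt.bak"  # decoded form of the logged path

def classify(line):
    """Parse one log line; return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = unquote(m["path"])  # compare after decoding, the raw log is percent-encoded
    if path == PROBE_PATH:
        label = "probe-path"
    elif m["proto"] == "HTTP/1.0" and m["agent"] in ("", "-"):
        label = "bare-http10"  # no User-Agent, old protocol version
    else:
        label = "normal"
    return {"client": m["client"], "ts": m["ts"], "path": path, "label": label}

def scanner_bursts(log_text):
    """Map (client, second) -> count of probe-like requests, for seconds
    in which that client requested the probe path."""
    rows = [r for r in map(classify, log_text.splitlines()) if r]
    bursts = {(r["client"], r["ts"]): 0 for r in rows if r["label"] == "probe-path"}
    for r in rows:
        key = (r["client"], r["ts"])
        if key in bursts and r["label"] != "normal":
            bursts[key] += 1
    return bursts

if __name__ == "__main__":
    for (client, ts), n in scanner_bursts(SAMPLE_LOG).items():
        print(f"{client} at {ts}: {n} probe-like request(s), including the probe path")
```

Requests that carry a full browser User-Agent, like the later Firefox/88.0 line in the log, are labelled `normal` and never counted.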
Thanks for the response, but IP 192.168.1.188 is not for the server but client, as well as xps8940. This log is taken from the server, so there is no need to record the server's IP. Response code 403 is sent out because my httpd.conf setting is to reject the request if no user-agent is specified. So, the server side is safe even if the client is infected.
Have read some pages you suggested beforehand, that is why I suspected any malware penetration into FF. BTW, two ?-marks you indicated are for %l and %u in Apache log format, they are remote-logname and remote-user respectively. You can just ignore them. Tak
Chosen Solution
What is the connection with Firefox? Does this happen a certain time after Firefox startup, or when making certain requests?
You could delete the Firefox program folder and reinstall. The program folder usually is
C:\Program Files\Mozilla Firefox
You can download the installer from
https://www.mozilla.org/firefox/all/#product-desktop-release
Connection is normal http protocol, via LAN cable. It seems to happen first thing in the morning after launching FF. Strange is the "GET /", which I never requested. Although (not requested) the response code is 200, and this page did not appear.
I deleted the folder, as you suggested, and re-installed. Rebooted, launched FF, browsed the site, and looked into the log. Alas, the strange access does not exist. Although I could not grab the culprit, I consider the problem resolved. Thanks for your help anyway. Tak