With the WorldIP Flag addon for Firefox, the https://addons.mozilla.org site is shown as originating from a server in Beijing owned by Beijing Blue I. T Technologies (AS number: 37958; AS name: CNNIC-CHINACACHE-AP). Is this OK? Previously the addons.mozilla.org site was shown as located in the US. Can you please also post the answer on the support forums? Thanks.
This could be due to your IP address, and because this is a question about an add-on, we have trouble with these questions. Your best bet would be to contact the developer of the add-on.
From California, I see 188.8.131.52 but you might be seeing a mirror. Can you open a command window or console and use nslookup or dig to check what you get from your network stack?
Thanks for the replies. Here's the dig output:
```text
; <<>> DiG 9.9.1-P2 <<>> addons.mozilla.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46186
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;addons.mozilla.org.		IN	A

;; ANSWER SECTION:

;; Query time: 31 msec
;; SERVER: 184.108.40.206#53(220.127.116.11)
;; WHEN: Thu Feb 28 14:07:47 2013
;; MSG SIZE  rcvd: 102
```
Could this be related to:
Thanks in advance.
Also, excerpt of rkhunter.log (first run, only warnings/info/summary included):
```text
[18:57:15] Running Rootkit Hunter version 1.4.0 on art-eight
[18:57:15]
[18:57:15] Info: Start date is Thu Feb 28 18:57:15 PHT 2013
[18:57:15]
[18:57:15] Checking configuration file and command-line options...
[18:57:15] Info: Detected operating system is 'Linux'
[18:57:15] Info: Uname output is 'Linux art-eight.site 3.4.6-2.10-desktop #1 SMP PREEMPT Thu Jul 26 09:36:26 UTC 2012 (641c197) i686 i686 i386
[18:57:15] Info: Command line is /usr/bin/rkhunter --checkall
[18:57:15] Info: Environment shell is /bin/bash; rkhunter is using bash
[18:57:15] Info: Using configuration file '/etc/rkhunter.conf'
[18:57:15] Info: Installation directory is '/usr'
[18:57:15] Info: Using language 'en'
[18:57:15] Info: Using '/var/lib/rkhunter/db' as the database directory
[18:57:15] Info: Using '/usr/lib/rkhunter/scripts' as the support script directory
[18:57:15] Info: Using '/home/opensuse-12/bin /usr/local/bin /usr/bin /sbin /usr/sbin /bin /usr/bin/X11 /usr/X11R6/bin /usr/games /usr/local/sbin' as the command directories
[18:57:15] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[18:57:15] Info: No mail-on-warning address configured
[18:57:15] Info: X will be automatically detected
[18:57:15] Info: Using second color set
[18:57:15] Info: Found the 'basename' command: /usr/bin/basename
[18:57:15] Info: Found the 'diff' command: /usr/bin/diff
[18:57:16] Info: Found the 'dirname' command: /usr/bin/dirname
[18:57:16] Info: Found the 'file' command: /usr/bin/file
[18:57:16] Info: Found the 'find' command: /usr/bin/find
[18:57:16] Info: Found the 'ifconfig' command: /sbin/ifconfig
[18:57:16] Info: Found the 'ip' command: /sbin/ip
[18:57:16] Info: Found the 'ldd' command: /usr/bin/ldd
[18:57:16] Info: Found the 'lsattr' command: /usr/bin/lsattr
[18:57:16] Info: Found the 'lsmod' command: /sbin/lsmod
[18:57:16] Info: Found the 'lsof' command: /usr/bin/lsof
[18:57:16] Info: Found the 'mktemp' command: /usr/bin/mktemp
[18:57:16] Info: Found the 'netstat' command: /bin/netstat
[18:57:16] Info: Found the 'perl' command: /usr/bin/perl
[18:57:16] Info: Found the 'pgrep' command: /usr/bin/pgrep
[18:57:16] Info: Found the 'ps' command: /usr/bin/ps
[18:57:16] Info: Found the 'pwd' command: /usr/bin/pwd
[18:57:16] Info: Found the 'readlink' command: /usr/bin/readlink
[18:57:16] Info: Found the 'stat' command: /usr/bin/stat
[18:57:16] Info: Found the 'strings' command: /usr/bin/strings
[18:57:16] Info: System is not using prelinking
[18:57:17] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[18:57:17] Info: The hash function field index is set to 1
[18:57:17] Info: Using package manager 'RPM' for file property checks
[18:57:17] Info: Found the 'rpm' command: /bin/rpm
[18:57:17] Info: Previous file attributes were stored
[18:57:17] Info: Enabled tests are: all
[18:57:17] Info: Disabled tests are: suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
[18:57:17] Info: Including user files for file properties check:
[18:57:17] /etc/rkhunter.conf
[18:57:17] Info: Found ksym file '/proc/kallsyms'
[18:57:17] Info: Using 'date' to process epoch second times.
[18:57:17] Info: Locking is not being used
[18:57:17]
[18:57:17] Starting system checks...
[18:57:17]
[18:57:17] Info: Starting test name 'system_commands'
[18:57:17] Checking system commands...
[18:57:17]
[18:57:17] Info: Starting test name 'strings'
[18:57:31] Info: Starting test name 'properties'
[18:57:31] Performing file properties checks
[18:57:31] Warning: Checking for prerequisites [ Warning ]
[18:57:31] The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
[18:57:31] Info: The file properties check will still run as there are checks that can be performed without the rkhunter.dat file.
[18:57:31]
[18:57:31] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
           is used, all the files on their system are known to be genuine, and installed from a reliable source. The rkhunter '--check' option will compare the current file properties against previously stored values, and report if any values differ. However, rkhunter cannot determine what has caused the change, that is for the user to do.
[18:57:38] /usr/bin/ldd [ Warning ]
[18:57:38] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[18:57:49] /sbin/chkconfig [ Warning ]
[18:57:49] Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: Perl script, ASCII text executable
[18:57:50] /sbin/ifup [ Warning ]
[18:57:50] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII text executable
[18:58:05]
[18:58:05] Info: Starting test name 'rootkits'
[18:58:05] Checking for rootkits...
[18:58:05]
[18:58:05] Info: Starting test name 'known_rkts'
[18:58:05] Performing check of known rootkit files and directories
[19:00:41] Info: Starting test name 'malware'
[19:00:41] Performing malware checks
[19:00:41]
[19:00:41] Info: Test 'deleted_files' disabled at users request.
[19:00:41]
[19:00:41] Info: Starting test name 'running_procs'
[19:00:46] Checking running processes for suspicious files [ Warning ]
[19:00:46] Warning: The following processes are using suspicious files:
[19:00:46] Command: cron
[19:00:47] UID: 0 PID: 626
[19:00:47] Pathname: /etc/crontab
[19:00:47] Possible Rootkit: Unknown rootkit
[19:00:47]
[19:00:47] Info: Test 'hidden_procs' disabled at users request.
[19:00:47]
[19:00:47] Info: Test 'suspscan' disabled at users request.
[19:01:13] Info: Starting test name 'passwd_changes'
[19:01:13] Checking for passwd file changes [ Warning ]
[19:01:13] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[19:01:13]
[19:01:13] Info: Starting test name 'group_changes'
[19:01:13] Checking for group file changes [ Warning ]
[19:01:13] Warning: Unable to check for group file differences: no copy of the group file exists.
[19:01:14] Checking for SSH configuration file [ Found ]
[19:01:14] Info: Found SSH configuration file: /etc/ssh/sshd_config
[19:01:14] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'yes'.
[19:01:14] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[19:01:14] Checking if SSH root access is allowed [ Warning ]
[19:01:14] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
           The default value may be 'yes', to allow root access.
[19:01:14] Checking if SSH protocol v1 is allowed [ Warning ]
[19:01:14] Warning: The SSH configuration option 'Protocol' has not been set.
           The default value may be '2,1', to allow the use of protocol version 1.
[19:01:14] Checking for running syslog daemon [ Found ]
[19:01:14] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[19:01:14] Checking for syslog configuration file [ Found ]
[19:01:15] Checking if syslog remote logging is allowed [ Not allowed ]
[19:01:15] Performing filesystem checks
[19:01:15] Info: SCAN_MODE_DEV set to 'THOROUGH'
[19:01:15] Info: Found file '/dev/shm/pulse-shm-3079114224': it is whitelisted.
[19:01:15] Info: Found file '/dev/shm/pulse-shm-3474843283': it is whitelisted.
[19:01:15] Info: Found file '/dev/shm/pulse-shm-2716027020': it is whitelisted.
[19:01:15] Info: Found file '/dev/shm/pulse-shm-1642625505': it is whitelisted.
[19:01:15] Checking /dev for suspicious file types [ Warning ]
[19:01:15] Warning: Suspicious file types found in /dev:
[19:01:16] /dev/.sysconfig/network/new-stamp-2: ASCII text
[19:01:16] Checking for hidden files and directories [ Warning ]
[19:01:16] Warning: Hidden directory found: '/dev/.sysconfig'
[19:01:20] System checks summary
[19:01:20] =====================
[19:01:20]
[19:01:20] File properties checks...
[19:01:20] Required commands check failed
[19:01:20] Files checked: 178
[19:01:20] Suspect files: 3
[19:01:20]
[19:01:20] Rootkit checks...
[19:01:20] Rootkits checked : 307
[19:01:20] Possible rootkits: 1
[19:01:20] Rootkit names : Unknown rootkit
[19:01:21]
[19:01:21] Applications checks...
[19:01:21] Applications checked: 4
[19:01:21] Suspect applications: 0
[19:01:21]
[19:01:21] The system checks took: 4 minutes and 3 seconds
[19:01:21]
[19:01:21] Info: End date is Thu Feb 28 19:01:21 PHT 2013
```
I'm a noob on opensuse.
-Thanks in advance
The line breaks disappear after I post. Can't fix. :-(
I turned off ssh root login just now. Any other recommended settings?
```text
#	$OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

#LoginGraceTime 2m
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server

# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
```
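The rkhunter warnings above say that PermitRootLogin and Protocol are not set, so the compiled-in defaults apply, and the poster asks for other recommended settings. As an added example (not from the thread and not OpenSSH's own code), here is a small Python audit that reads an sshd_config the way sshd does and reports options that are unset or set to a weak value; the sample config and the HARDENED option list are my own constructed choices.

```python
import re
# Constructed sample in the style of the default sshd_config posted above (not the
# poster's file). Commented lines only document defaults and set nothing.
SAMPLE_SSHD_CONFIG = """\
#Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
X11Forwarding no
Subsystem sftp /usr/lib/ssh/sftp-server
Match User anoncvs
    X11Forwarding no
"""

# option (lower-cased) -> acceptable values; an absent option is reported too,
# since the compiled-in default may be the permissive one (rkhunter's point).
HARDENED = {
    "protocol": {"2"},
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}

def parse_sshd_config(text):
    """Active global directives as sshd reads them: '#' lines are ignored, the
    FIRST occurrence of an option wins, and nothing after a Match line is global."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        active.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return active

def audit_sshd_config(text):
    """Return (option, problem) pairs, problem being 'unset' or 'weak: <value>'."""
    active = parse_sshd_config(text)
    findings = []
    for option, ok_values in HARDENED.items():
        if option not in active:
            findings.append((option, "unset"))
        elif active[option].lower() not in ok_values:
            findings.append((option, "weak: " + active[option]))
    return findings
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a real host to get the list; an empty list means every option in HARDENED is explicitly set to an accepted value.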
Hi Art8, you can add a space at the beginning of each line of a post to preserve line breaks.
This is not the best site for resolving malware issues, but some volunteers familiar with Linux might be able to recommend next steps for you.
You get this IP (18.104.22.168) because DNS servers in China return it to users from China. To check it, run this in the command line:
host addons.mozilla.org 22.214.171.124
"126.96.36.199" is one free DNS server from China.
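One way to check the kind of resolver disagreement Alrond describes is to run the same query against several resolvers and compare the answers. The following is an added Python example, not from the thread, that parses dig output like the paste above and flags divergence between resolvers; the two dig outputs and their 192.0.2.x / 198.51.100.x addresses are constructed documentation values.

```python
import re

# Constructed sample dig outputs (not from the thread); 192.0.2.x and
# 198.51.100.x are documentation addresses standing in for real answers.
DIG_RESOLVER_A = """\
; <<>> DiG 9.9.1-P2 <<>> addons.mozilla.org
;; ANSWER SECTION:
addons.mozilla.org.  60  IN  A  192.0.2.10
addons.mozilla.org.  60  IN  A  192.0.2.11

;; SERVER: 192.0.2.53#53(192.0.2.53)
"""
DIG_RESOLVER_B = """\
;; ANSWER SECTION:
addons.mozilla.org.  60  IN  A  198.51.100.7

;; SERVER: 198.51.100.53#53(198.51.100.53)
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
SERVER_RE = re.compile(r"^;; SERVER: ([^#\s]+)#")

def parse_dig(text):
    """Return the answering server and the ANSWER SECTION records of one dig run.
    Lines starting with ';' are dig's own commentary, never resource records."""
    server, answers, in_answer = None, [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif not line.strip() or line.startswith(";"):
            in_answer = False          # a blank line or the next header ends the section
            m = SERVER_RE.match(line)
            if m:
                server = m.group(1)
        elif in_answer:
            m = RR_RE.match(line.strip())
            if m:
                name, ttl, rtype, rdata = m.groups()
                answers.append((name, int(ttl), rtype, rdata))
    return {"server": server, "answers": answers}

def a_records(text):
    return {rdata for _, _, rtype, rdata in parse_dig(text)["answers"] if rtype == "A"}

def resolvers_diverge(outputs):
    """outputs: {label: dig text}. Returns (True if the resolvers disagree on the A
    records, {label: A records}); an empty set means the resolver gave no A answer."""
    per_resolver = {label: a_records(text) for label, text in outputs.items()}
    return len({frozenset(s) for s in per_resolver.values()}) > 1, per_resolver
```

Feed it the text of `dig @<resolver> addons.mozilla.org` captured from each resolver you want to compare; a CDN can legitimately return different addresses per region, so a divergence is a prompt to look at which resolver answered, not proof of tampering.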
Thanks Alrond, jscher.
But, I'm not in China, and I don't use DNS servers in China.
Hi Art8, it appears your dig ran against Google's DNS servers (188.8.131.52). If Firefox is not using your system's DNS settings, you might have a proxy set. Could you check here:
Edit > Preferences > Advanced > Network > "Settings" button
Either "No Proxy" or "Use system proxy settings" is more reliable than "Auto-detect".
Note that DNS lookups also may be cached, so after making changes try Ctrl+Shift+r to reload bypassing the cache.
Yes, I had set the DNS sites on the modem. Strange because I've never had this problem before. The WorldIP addon consistently reported the server in the US. Also, I've always used the "No Proxy" setting.
It's ok. I'd just re-installed the OS and added the Perspectives addon in addition to Certificate Patrol. Hope that helps. I wish all websites would start using DNSSEC, though.
Thanks again jscher.