Stop FF calls out to IP address 126.96.36.199 every 15 minutes
Why does FF call out to the IP address 188.8.131.52? I found that the IP is part of Edgecast and seemed to be possibly related to FF live bookmarks and/or the latest headline live book mark.
But FF is still trying to go to that IP even after the live bookmark was removed. It tries to do this every 15 minutes and sometimes more often.
Currently I am blocking that IP with my firewall. This seems to be a privacy & security problem. But I have not found a way to completely block live bookmarks. This ONLY happens if FF is open and happens regardless of what site the browser is or has been visiting.
This is an older system and FF ver 3.6.28 ( it's a good old stable W2k OS system). FF is using NoScript, Ghostery, & ADP. The system passes all virus checks, including Malware Bytes and Super AntiSpyware.
tia for help with this Sam177
Progress !!! Have determined that FF was calling out to a news feed which was going the the IP 184.108.40.206. Still not sure why it was going there, though.
I installed "Fiddler" and it showed me the url that was involved. http://fxfeeds.mozilla.com/en-US/firefox/headlines.xml
Eventually I found that my booksmaks contained an second "liveFeed" for "headline news" in a duplicate of the Bookmarks Toolbar folder. It was located way in the middle of the actual bookmakrs file. Btw searching FF bookmarks can be a real pain. I had to export the bookmarks as an html file and use a text editor to do the searching thru it.
I have now removed that folder. And so far the calls out to IP 220.127.116.11 have not reappeared at all.
Also curiously the repeated calls out stopped happening regularly every 15 minutes after I had installed Fiddler. On installation, Fiddler did install an addon into FF. Niot sure if thsi had any effect. But apparently starting the Fiddler program disables the Fiddler addon. Noit sure I want the fiddler addon in FF, though.
So for now this seems to have been caused by FF's live feed and that feed going thru Edgecast. Mozilla should change this.
thanks for the help with this. Wish there were a more effective way to search bookmarks for say ALL "livefeed" bookmarks.
Sam177Read this answer in context 0
Additional System Details
- Foxit Reader Plug-In For Firefox and Netscape
- Office Plugin for Netscape Navigator
- Default Plug-in
- CANON iMAGE GATEWAY Mycamera Plugin
- Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
- VLC media player Web Plugin 2.1.0
- User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20120306 Firefox/3.6.28
In Firefox 3.6.x the Live (RSS) feeds are still reloaded once an hour by default (in current releases you will have to do this manually), so if it happens every 16 minutes then it sounds that it is something different.
Start Firefox in Safe Mode to check if one of the extensions (Firefox/Tools > Add-ons > Extensions) or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance).
- Do NOT click the Reset button on the Safe Mode start window.
22.214.171.124 = 404 - Not Found
Thanks for these replies. I am a bit late replying, we were outside yesterday still digging out of the snow here.
Interesting links. I will go thru the config and turn off all the mentioned items to see if that makes any difference. And report back the results. Curious that this box calls out regularly every 15 minutes vs the 1 hour you mention. See item 2 below.
Yes. I had already done the domain search. Though this IP belonging to Edgecast being a content provider does not relieve my concern. After I found that I had expected that deleting the live bookmark for the latest headlines would have stopped the un-authorized calling out. But it has not.
1) I mistakenly ID'd the system as W2k but this machine is actually an XP machine & not one of my old W2k boxes. I have stayed with FF 3.6.x due to the simpler ways to control what it does like being able to block auto-updates, etc.
2) I have now found an even more disconcerting aspect of this calling out to 126.96.36.199. When I am not at this computer, ie when it is just sitting with emails only running (Eudora on SSL), the calling out stops. ??? But when I come back to the computer and do anything, the calling home starts back up. ??? ??? And my FF goes right back to calling out to that same IP. That happens without even opening FF's window or doing anything with FF. And happens even when FF is only looking at my home start page which is a local html page on this machine.
3) Note that only seems to be FF doing anomalous things. If FF is not started, there are no unexpected calls out. But it happens every time as soon as I start FF.
more machine details: FW = OutPost; AV = Nod32; an old Dell Box running Dell XP home. It's fairly well updated (still need to get the Feb updates) & yes it is not set to do auto updates. It runs on a local lan with an good old Linksys BEF Sx41 NAT router. Wall Watcher tracks the router activity.
4) I could use a decent packet sniffer. So if anyone has suggestions for one, please let me know. It might be interesting to grab these outgoing packets.
thanks for the help. Any more ideas & suggestions?
Also, I did try running in FF safe mode and there was no difference. FF still called home. And I had previously tired disabling my add-ons before posting this question
Thus we can eliminate my add-ons as causing this, right?
Modified by Sam177
I don' want to alarm you because I don't know, but that sounds like how a key logger or spyware would work. Here is a thought. Run Firefox, but close the firewall. That is tell the firewall to BLOCK ALL TRAFFIC. Then see what happens.
Did you try a new profile?
Create a new profile as a test to check if your current profile is causing the problems.
See "Creating a profile":
If the new profile works then you can transfer some files from an existing profile to the new profile, but be cautious not to copy corrupted files to avoid carrying over the problem
Do a clean reinstall and delete the Firefox program folder before (re)installing a fresh copy of the current Firefox release.
Download a fresh Firefox copy and save the file to the desktop.
- Firefox 27: http://www.mozilla.org/en-US/firefox/all.html
If possible uninstall your current Firefox version to cleanup the Windows registry and settings in security software.
- Do NOT remove personal data when you uninstall your current Firefox version, because all profile folders will be removed and you lose personal data like bookmarks and passwords from profiles of other Firefox versions.
Remove the Firefox program folder before installing that newly downloaded copy of the Firefox installer.
- (32 bit Windows) "C:\Program Files\Mozilla Firefox\"
- (64 bit Windows) "C:\Program Files (x86)\Mozilla Firefox\"
- It is important to delete the Firefox program folder to remove all the files and make sure that there are no problems with files that were leftover after uninstalling.
Your bookmarks and other personal data are stored in the Firefox profile folder and won't be affected by an uninstall and (re)install, but make sure that "remove personal data" is NOT selected when you uninstall Firefox.
Good suggestions. I will work on them probably tomorrow and report back.
Yes the timing of this repeating itself does make it look suspicious, doesn't it? So this evening I followed your suggestion and completely closed the firewall for a while with FF running. Then checked the FW logs to see what showed up. Then reset the FW to its normal operation and watched its logs some more.
1) With the FW (OutPost FW) closed, the FF outgoing calls to the IP 188.8.131.52 completely stopped. No call out attempts from FF occurred.
2) No other items tried to get out than what would be expected. Except for SVCHOST.exe & System which did try to do 4 types of UDP connections.
a) 2/23/2014 11:57:43 PM SYSTEM OUT UDP 192.168.1.255 138 Block All Activity 0 0
b) 2/23/2014 11:47:16 PM SYSTEM IN UDP 192.168.1.11 138 Block All Activity 0 229
c) 2/23/2014 11:45:27 PM SVCHOST.EXE OUT UDP 192.168.1.1 53 Block All Activity 0 0
d) 2/23/2014 11:33:42 PM SYSTEM IN UDP 192.168.1.11 137 Block All Activity 0 234
3) The other programs that were running with LAN or net expected connections were email (Eudora 5 instances), Wall Watcher. They were blocked as expected.
4) During the time the FW was closed, I periodically left the macine alone at times and then did various things like typing text files & saving them, checking different directories, reading and paging thru already open site pages with FF, opening & closing Word Docs. NO FF call outs were attempted. And no call outs except those listed above System & SVCHOST were attempted /blocked.
5) But when I opened the FW to allow internet connections, in less than a minute, the FF call out to 184.108.40.206 started up again.
Btw the FW log sequence below shows the FW log details for these questionable FF call outs. The sequence of the 4 steps happens at the same recorded time. IE they happen one after the other quickly. And the sequence is commensurate with the way I understand Eset Nod32 Anti-Virus handle the firefox browser by inserting itself between the browser & the internet.
From the FW logs
A) 2/23/2014 9:45:25 PM SVCHOST.EXE IN UDP 192.168.1.1 53 Generic Host Process DNS UDP connection 0 147
B) 2/23/2014 9:45:25 PM FIREFOX.EXE OUT TCP localhost 30606 Allow local TCP activity 0 0
C) 2/23/2014 9:45:25 PM EKRN.EXE IN TCP localhost 4735 Eset NOD32 Service connection 0 0
D) 2/23/2014 9:45:25 PM EKRN.EXE OUT TCP 220.127.116.11 80 Blocked by IP Blocklist 0 0
Now to add to the discovery, I just added the IP address to the block list for one of my W2k machines. AND on that machine also FF tries to call to that IP address immediately on start up. So this happens with 2 installations of this FF version.
Thanks for this help.
Any specifics on the request being sent to the server? Perhaps you can use Fiddler or another proxy to capture the details.
This is a thought. An outside something sends a ping or something to your system. The system sends a ping or something back.
Update: Have just completed thorough scans of this machine once again. And found nothing that would contribute to this problem. Malware Bytes, SuperAntiSpyware, Nod32.
Am thinking the next thing is to do things to FF like cor-el has suggested. Turn off every blasted thing that might involve some automation to call out to anything.
re Pings: FW handles ICMP pings incoming requests blocked; outgoing requests allowed; incoming replies allowed thru; outgoing replies blocked.
To capture packets from this may be a good idea. I'll look up Fiddler. But I would have thought a packet sniffer would have been the way to do that?
On upgrading to a newer FF version: I've stayed with the 3.6.28 series for a number of reasons: it is the last version that runs on my W2k machines which means I can have FF be the same on all the machines in this group; I can not abide the FF forced updates, I don't trust them enough for that; and with the newer versions there have been more and more things that affect user control; As an "old timer" I am not impressed with many of the "new browser features that always seem to get added.
thanks for the help. I will report back as I try different things that have been suggested. More ideas are always appreciated. Well positive ones any way. :-)
This MozillaZine support thread deals with an unofficial SP5 for W2K, to allow W2K to run newer versions (13+) of Firefox.
Fiddler only intercepts HTTP requests, and has easy viewing for headers and body content, so it generally is easiest to use when it works. If you already are familiar with WireShark/winpcap, you could use those.
Update: 4pm 02-25
Just went thru the settings to block "FF from automatically making connections with out my permission". Made changes as suggested. but most things were already set as suggested. Exceptions were:
1) Add-on blocklist updating =NOW set to false
2) Link Prefetching =NOW set to false
3) Network.prefetch-next =NOW set to false
4) But did not find any entry for "extensions.GetAddons.cache.enabled"
5) found items for extensions.AdblockPlus.subscriptions_autoupdate; & extensions.AdblockPlus.subscriptions_exceptions checkbox that were set for true; Now they are set to false
6) found lines for Grease Monkey that looked like possible call outs; Greasemonkey.autoinstallUpdates; GreaseMonkey.enableScriptRefreshing; GreaseMonkey.enableUpdateChecking; set all these to false
Then closed the about:config & restarted FF. It STILL calls out to the same IP
Can anyone tell me where do I look to find the config file so I can grab & save a copy of it?
Most of the preferences you see in about:config are in prefs.js. You can copy it from your currently active settings folder (active Firefox profile folder). Since it's hidden, the easiest way to get to it is:
Help > Troubleshooting Information > "Show Folder" button
If you find a file named prefs but not prefs.js, Windows may be hiding file extensions from you. To work with files as accurately as possible, I suggest unhiding them. This Microsoft support article has the steps: http://support.microsoft.com/kb/865219.
Thanks for that info. However I am not sure I get the same list that one sees by using FF to "about:config". I am looking into that file you suggested after copying it over to another location & renaming the file. Then accessing it with a file view using Total Commander.
It would be handy to be able to more easily search thru the list if I could look thru it as a word doc, text file or even an html page with Dreamweaver.
Are the rest of the items that show when FF accesses "about:config" in that directory but in other files?
The format of prefs.js is different than about:config.
I misspoke about what was in prefs.js: the file only stores customized preferences (ones marked as "user set" in about:config).
I don't know whether there is any master list of all preferences. This file from the Firefox source code lists many (not in alpha order) along with some explanatory information. So possibly useful as a partial reference.
Note: That file might be for Firefox 30 instead of Firefox 27.
You can open the built-in files in Firefox via the resource protocol:
Not sure how the "resource" protocol works. If I enter the lines you posted, I get the "Try Again" pop-up. Does it exist for this version of FF?
That is quite a list. 1400+ lines. Thanks. I've dropped it into Notepad+++ in order to look thru it.
So far nothing has made any difference. So tomorrow I will look at more of the suggestions for changing profiles & maybe doing the un-install & reinstall.
Sorry, I forgot to read back and check your details, so I missed that you use Firefox 3.6.x
You can use these instead for Firefox 3.6.x: