Why does my computer create web connections to addresses in the Amazon, Google and Youtube range when I start Firefox?
I think I already disabled all the updating functions, yet, SOMETIMES when I start Firefox, (with about:blank), my network monitor shows one to five connections to IP addresses mostly in the 74.125.225.x, 74.125.227.x, 74.125.228.x, and 72.21.x.x ranges. Those ranges include Google, Amazon, and Youtube. I use Kaspersky, and have scanned multiple times for malware, and even had their technical support look into my computer. They see no malware. It is the Kaspersky Network Monitor that revealed the problem. As I find them happening, I try to jot down the addresses, (quickly, because some of these connections only last a second or two), then add those to a firewall rule I created to try to combat the problem. Yet, next time I start, new addresses are "attacking". Of course, some get away, because I don't get the address jotted down before it goes away. At one point I used masking that ended up keeping me from Google and Youtube, so I have to add the addresses individually, and my block list in that one rule is 13 items long now. The only IPs not in those ranges are 220.127.116.11, and 18.104.22.168. Not sure where those go. I used to get attacked by addresses in the range that includes Amazon ... 72.21.x.x. I have a separate firewall rule for them that has 33 addresses being blocked. I should not have to do all that. Firefox should start and just sit there quietly until I start clicking or typing in it. This has been happening in Firefox versions going back to 11. May have gone on before that, but I wasn't tracking it then. Also, it doesn't always happen, or, more precisely, with addresses I have not already blocked, (because my only way to know it's happening is when the connections are allowed to be made). It does not always happen right after Firefox is up, but sometimes several minutes later. I have started Firefox and just sat and watched the network monitor without doing anything in Firefox, and have seen this happen up to 15 minutes after I start Firefox ... mostly just two or three minutes when there's a delay at all.
I am not familiar with specific address ranges. Does Kaspersky monitor the requests sent to those addresses, so that you might be able to associate the connections with more detailed URLs?
In case you didn't see it during the question submission process, I suggest checking your list against this article: How to stop Firefox from making automatic connections.
Thanks, but nothing seems to help. Some of the addresses that come up while just sitting on About:blank after starting Firefox, that I have blocked, are now keeping me out of Youtube, and causing problems with Gmail. In the past, I had to use x.x.x.0/24 subnet blocks to keep that from happening, because the addresses "attacking", (which is the best word to describe it), though in the same subnet as Google, Youtube, Amazon, etc., did not hinder my use of those sites. Now the attacks are coming from addresses in those subnets that are effecting the use of those sites.
No one seems to have an answer for this. I've seen other reports of other users having similar issues ... particularly with the Amazon range.
I have sent my configuration report to this site, and no one found anything in it that I have overlooked. I have taken care of everything suggested to stop unsolicited connections.
A bigger question is; we know the address ranges, we know who the address range owners are, we know it doesn't come from random places or anything near hacker sites, so, why aren't these companies being investigated for the cause? Every time I call them, I get put on hold by the first person who finally answers the phone that I describe the problem to, then, after a few minutes, am simply hung up on. You try.
Is this part of some sort of strategy of our new draconian government, to "protect" its citizens by snooping into their very homes through their computers ... at the very least to monitor web activity? I don't understand how this problem can be existing for so long through so many version of Firefox, with no answers as to why, or suggestions to fix it that work, (other than blocking them while we still can), without it being some sort of, perhaps forced coercion with an entity such as a secret mongering government.
Further, if this is not being initiated by persons or entities at computers that have these addresses, and that it is strictly something coming at them from computer users such as myself, why haven't these companies themselves investigated why my computer is making unsolicited connections to them? Shouldn't they be concerned about some sort of cyber attack? Unless, of course, they already know it's not us citizens attacking them, but the other way around.
Call it a "conspiracy theory", but I'm open to any other answers that could explain this unabated behavior and prove me wrong. I am sincerely hoping there is one. This is not something I'm imagining happening. It really is happening. I'm just at a loss as to, as I said, how it can go on so long unabated, unaddressed, and the only answers involve changing something on the users computer, and do not solve the problem. I'm just SO reminded of 1984 by George Orwell.
If it is true, of course anyone involved or even entering into such through coercion could not possibly be patriotic, and I would define them as absolutely un-American. If anyone reading this recognizes that description as them, and are under some sort of threat, or perhaps realize they are working against citizens of their own country, and do not want that evil position on their conscience any more, PLEASE GO PUBLIC IN EVERY WAY YOU CAN.
Willing to bet this post gets deleted.
One of the complexities of the web these days is that content is distributed across so many different servers and networks. As a result, it can be difficult to track the addresses back to the URLs being requested. Perhaps you can find something to add to your toolkit that will log those URLs so you can fit together all the pieces of the puzzle.
I wonder whether the requests would show up in the optional HTTP log? This article describes how to set it up: https://developer.mozilla.org/docs/Mozilla/Debugging/HTTP_logging#Logging_HTTP_activity
Firefox does not do anything but sit on about:blank after I start it as long as I have a firewall rule enabled that completely blocks these subnets: 22.214.171.124/24 126.96.36.199/24 188.8.131.52/24 184.108.40.206/24 220.127.116.11/24 18.104.22.168/24 22.214.171.124/24 126.96.36.199/24 188.8.131.52/24 184.108.40.206/24 220.127.116.11/24 18.104.22.168/24 22.214.171.124/24
Otherwise, Fire fox creates connections to one to five addresses in those ranges. Note that there are more than 5 subnets above, but usually three connections satisfies whatever purpose these connections are being made for. If I had some links or whatever that is causing these connections, I would expect all of them would come up every time.
Also, these connections do not start immediately upon starting Firefox, they wait up to 15 minutes to start ... fifteen minutes of just sitting idle ... no actions on my part that could possibly initiate them. Usually these start within three minutes. A typical ploy of malware is to wait until no one is looking, or the until there's a forest to put their tree in so it won't be noticed.
While the above rules are in place, I do not have access to Amazon, Youtube, or Google, (or any of the various blog sites and services sponsored by Google, including Google Maps and Gmail). That list may not be complete, as I have other firewall rules in place that mainly block individual addresses.
It seems to me as simple as; figure out who owns those subnets, and you have your bad guys. Then go after them.
It's true that I have a bookmarks to Google, Gmail, and Youtube, but these are not "active" bookmarks nor RSS feeds. I have not voluntarily gone to Amazon on this computer.
The traffic being transmitted is unknown. It is usually not extremely large amounts of data ... less than a meg, but I have seen close to a Gig transmitted out of my computer, and over 400 meg transmitted to my computer, when I was not paying attention to block the offender. Even if it's small amounts, things like cookies, path structures, configuration settings, histories, etc. do not involve a lot of data, but, to me, represent a security breach, if someone decides to look at them unsolicited by me, not unlike your landlord, mortgage holder, or neighborhood police officer walking into your home while you're not there, and taking pictures of, or simply inventorying your belongings.
It is VERY much like some sort of backdoor malware. No malware is detected on my computer.
I looked at the suggestion above for OS changes for logging HTTP activity, but the author neglected to include instructions for backing out these changes after using them. If this were to create more jewels in a drawer the thief has access to, reformatting and restoring my drive is not the kind of back out process I enjoy. Therefore it would be foolish to apply them. To me it would be like bungee diving with no bungee. Fun until you hit the bottom. Give me the bungee, let me make sure it's short enough, then I'll dive.
Good topic, this has come up many times and nobody can answer it.
Being an IT grad, I also noticed Google secretly chiming in on TCPView every time I opened my 100% non-updating Firefox browser (been using firefox since version 3, long time educated web user, believe me)
I don't care what anyone says, it's 100% fishy.
-We have nothing turned on to update from Google -All security is locked down tight, again, you can recheck the settings on this browser and NOTHING is set to update. -This thread explains it exactly from another user 3 years ago -Google is fishy because they have their servers spied on, any IT expert knows this, not conspiracy, we are talking actual facts here.
Here is the old thread about this also, even after "turning off" the updaters, it calls to Google SECRETLY BEHIND EVERYONES BACK. This is fishy, why is there no setting or legit dev talking about this?
Again, no answer except from snarky people calling others paranoid when their browser SECRETLY calls back to Google servers for no legit reason apparently. Needs explaining........big time, or I share this topic to major IT groups and get the word out on this unusual callback to Google......
Hi googlecallback, I think this thread contains the basic suggestions for researching this, and I don't have any new ideas at this point. If there are other forums or mailing lists you want to post this question to, that probably would help you get a more thorough answer. Please post back with what you learn.
Also, if you are using a North American version of Firefox 34, it would be interesting to see whether changing the default search provider from Google to Yahoo has had any effect on the mystery connections.
googlecallback said: Good topic, this has come up many times and nobody can answer it.
Answers were provided in that old thread, but the "Owner" of that thread came up with an insulting analogy to try to make his point; from there that thread degenerated. IOW, he started the "snarky" talk in that thread And now you sound like you are resorting to "threats" to make yourself heard. "Needs explaining........big time, or I share this topic to major IT groups and get the word out on this unusual callback to Google......" Please moderate your tone of conversation or this thread will be closed.
Firefox is open source, the code is available to everyone - there are no secrets with Mozilla, [other than reported but unresolved security Bugs]. Being an IT grad why don't you view the source code yourself to satisfy your quest for answers. Or, if you choose to, share this topic with anyone you care to - Mozilla has no secrets, those "callbacks to Google" are well documented in the Mozilla Developers Network documentation and aren't "hidden" - anyone can view the source code.