Backdoor in FireFox in Kali and Parrot OSes (and others)

Fresh downloads of each. Run netstat on both and get an ‘established’ TCP connection (outside vpn) to 55.65.117.34 which a ‘whois’ search says is related to US Air Force, USAISC (United States Army Intelligence and Security Command) (and google).
See pics.
netstat_kali_unknown_connection




Checked signatures to the extent poss. Which is not much. The parrot checksums are signed but the signature file is only available from the same website as the download.

Or am I just missing something ? - I’m a user of tech not a dev.

3 Likes

Something more you could check is to find out which process on your computer is responsible for the suspicious TCP connection.

There are probably many ways to do that, here is one command I have used for it:

sudo ss -tp

The output from that ss command should include a “Process” column that tells you which process is handling that specific TCP connection.

For example. when I ran it on my computer just now, it tells me there are a few TCP connections related to firefox, two connections for thunderbird and one for ssh (because of an ongoing ssh connection that I have initiated myself). In my case I think all shown TCP connections are okay, I can understand why they are there. And if I close the corresponding programs, those TCP connections are also closed.

If you run that command (or something else that gives the same info), what process does it show for the TCP connection you are insterested in?

3 Likes

If you do the following command it will show which process has open the connection
lsof -i tcp:<port>
You need to change <port> by the number 55250 in your first screenshot

Also 55.65.117.34.bc.googleusercontent.com has the ip 34.117.65.55 , so you are not connected to 55.65.117.34, but 34.117.65.55

5 Likes

Seems like firefox-esr is connected to 55.65.117.34.bc.googleusercontent.com when you launch it
That sucks… how can I disable this in firefox ???

Edit: seems like my answer is somewhere in here

4 Likes

There is also a mozilla domain pointing to that IP address (34.117.65.55):

$ host 55.65.117.34.bc.googleusercontent.com
55.65.117.34.bc.googleusercontent.com has address 34.117.65.55
$ host push.services.mozilla.com
push.services.mozilla.com is an alias for autopush.prod.mozaws.net.
autopush.prod.mozaws.net has address 34.117.65.55

Probably by checking what push.services.mozilla.com and/or autopush.prod.mozaws.net is about, like looking for them in the Firefox source code, one could figure out which Firefox feature is accessing that.

It is possible to get the source code in this way:

apt-get source firefox-esr
3 Likes

Thanks @Skalman and @fralb5. Yes I noticed the IP came out in reverse in the whois lookups but I don’t know why.
If you use google maps and go to the physical address given is shows a Google data center.

Running:
sudo ss -tp
gives this output:

State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.98.0.2:54426 34.117.65.55:https users:((“firefox-esr”,pid=1777,fd=144))

Killing the relevant process with:

kill 1777

killed the running Firefox browser.

Starting the browser again brought the connection back which netstat says is:

55.65.117.34

and ss -tp says is:

34.117.65.55

I have no idea what’s going on re. the reverse order of the IP address but the point is you’re correct it definitely seems to be Firefox that’s bringing it up, and this is esr 115.3.1 with strict custom cookie controls in place.

So it’s about trying to get rid of that or using a different browser.

By the way, after all that I ran:

lsof -i tcp:54148 , which produced this:

└──╼ $lsof -i tcp:54148
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firefox-e 3558 user 106u IPv4 127333 0t0 TCP 10.98.0.2:54148->55.65.117.34.bc.googleusercontent.com:https (ESTABLISHED)

. . . handy command, thanks.

Thanks for the help.

1 Like

@code9n in my opinion there is no better tool than OpenSnitch to control which program is allowed to talk to which IP address.
AFAIK you should be able to install it on almost every Linux system.
I use it on all my devices to keep the programs in check, and keep certain connections i don’t want form happening.
Maybe you can also use it to keep Firefox from making that connection.

3 Likes

Thanks, @Manuel , I’ll look it up . . .

1 Like

If you happen to have the Librem 5, there is a guide by @Kyle_Rankin for how to use OpenSnitch on it.

3 Likes

That googevil connection must be related to Safe Browsing (or rather, “safe” browsing /s): Security/Safe Browsing - MozillaWiki
Do you have “Block dangerous and deceptive content” enabled in FF settings?

For shock value, go to about:config and type in “google.”

By the way, have you removed Google search engine from Settings yet?

1 Like

That “Block dangerous and deceptive content” was enabled but tuning it off doesn’t make a lot of difference.
With it off:

ss -tp shows the menacing IP address as 34.117.65.55 and netstat shows it as
65.55.117.34

How that putting the IP address in reverse order is a thing I don’t understand, not how IPv4 works that I ever heard.

The search engine is set to DuckDuckGo but Google is still in the available search engines drop down list. I’ll try to get rid of it . . .

The only thing that works is closing Firefox. I’ve put Mullvad browser on there and that has no such issues but I’m sure you’ll know it’s more limited in what it can do - like uploading pictures to this forum - not possible with standard Mullvad settings.
And of course you don’t want to change them because it’s meant to have the same fingerprint for everyone if we all leave it alone.

1 Like

Totally removed Google from the search engine settings but using FF still connects to that 55.65.117.34 (and / or it’s reverse depending on which command you use to check).

Thanks for the ideas, @amarok .

1 Like

Read up on “reverse dns” it’s a thing that’s been around a long time.

2 Likes

That’s not reverse DNS that I know of, DNS is where you have a domain name and look up the IPv4 address. Reverse DNS is where you have the IP address and want the domain name.
Isn’t it? All the docs I can find say it is . . .

1 Like

netstat by default is showing you the results of a reverse DNS lookup of the IP address rather than the actual IP address. netstat -n should show the IP address only.

The server in this case contains the reverse of it’s IPv4 address in it’s DNS name. A common trend today when coming up with unique indentifiers is to reverse the domain name, you’ll quite often see “com.apple.blah.blah…”, “com.google.blah.blah…” etc,. in file names, package names config settings etc,. What you are seeing is the reverse DNS of the IP which is a machine name that contains the IP in reverse notation, which is probably some scheme being used to make listing, sorting and identifing machines a little easier on their end.

These connections you are seeing are accessing/using Firefox services that are hosted on rented servers from google. It used to be the case that if you set the Firefox home page preference to “Blank” that was enough to stop any connections, I have no idea if that’s still the case tho.

5 Likes

Didnt I see a link here on Purism forums that pointed to an article indicating that 80-90% of all Firefox revenue comes from “a single company” in return for “setting the default search engine” which basically means Firefox is admitting to being a Google-sponsored browser?

So, I do also get the feeling that we live in a world where the controls are gradually getting tighter so that only Chromium and Firefox sucessfully function on websites people need, and both are sponsored by Google even if they sometimes claim independence.

The more you know, the more paranoid we become. It’s a problem with my Librem 5 that I haven’t quite figured out how to solve yet. Even doing host duckduckgo.com and then doing a whois on the IP address returned shows that it’s actually Microsoft. A lot of the things that we think are in opposition to the system might actually only be sponsored opposition, for all I can tell.

Edit: All this being said, I still want my Librem 5 to be my only phone as a matter of principle to believe I was trying even if I don’t succeed. The convergence and other natures of the device are more enjoyable to me than Android, even if I assume that I will never be safe from world governments because to be honest they have more money and power than I do and they always will.

3 Likes

Yes, duckduckgo is not truly independent, it just hopefully strips away personal information before passing on the search queries to Big Tech search engines.

For something more independent that actually has its own index and its own crawler and so on, have a look at Mojeek:

4 Likes

After DuckDuckGo, I used Gigablast for quite a while, but it looks like it was recently shutdown without any announcement or notice. After using several search engines, including Startpage, SearX(NG) and LibreX, I started using Mojeek for the last few months, but very recently decided to go back to Startpage for now. It is one of the few ties I have with Google, even though the relationship is indirect.

2 Likes

re. reverse DNS. Yes, @Loki and @OpojOJirYAlG , looks like the devil’s in the detail as usual, that wikipedia article I quoted goes on to say the same thing essentially.
Thanks.

1 Like

Or perhaps it’s being hosted on Azure…

1 Like