2

On my mac when I run Google Chrome, it wants connect at unknown domain on port 80, at example some domain name are: cccpveut, fuflavlorxna, crqzzif, ecc. They appear all domain name of first level.....it seems very strange.... All domains pointing at same ip: 54.72.52.58 (querying the dns it has a ptr record with value amazonws).

I detect this connection with Little Snitch firewall, I tried to disable all extension installed (adblock, ecc), create a new profile, but every time that I run GoogleChrome, it wants connect at this ip.

Safari doesn't connect at this IP....

I run a scan on virustotal on this IP and it is not a malicious ip...

But, why Google Chrome wants connect it? I don't think that it is a legitimate connection.

Further details:

I intercepted the request with proxy, and it sends a request HTTP with HEAD method. Probably is the check of Google for DNS Hijacking. This is the request:

HEAD / HTTP/1.1
Host: tqkoifdrughs
User-Agent: Mozilla/5.0 ....
Connection: close
Stackuser
  • 21
  • 2
  • This IP does indeed belong to AWS, my first thought would be plug-ins but you say those are all disabled. I would install Telerik Fiddler and look at the actual content of these requests, that might give you a better idea of what's going on. – iainpb Jan 17 '17 at 16:18
  • 1
    @Steffen Ullrich: I would largely agree, but a couple of questions. 1) Chrome sends 10-character random addresses. Over here, they seem to be random in length. 2) The Chrome feature seems to resolve to DNS lookup failures, while that doesn't seem to be the case here (resolves to AWS domain) – katrix Jan 17 '17 at 16:33
  • @katrix: regarding 2) if these resolve to IP addresses in your infrastructure then this is a problem of the infrastructure and not of Chrome. Chrome is using a DNS server to resolve names to IP and the DNS server in your infrastructure is obviously lying. This resolving of non-existing domains to IP addresses is exactly what Chrome tries to detect. – Steffen Ullrich Jan 17 '17 at 16:42
  • @Steffen Ullrich: Would that mean this IS indeed an exception? Either the DNS somewhere up the chain is resolving this to a valid AWS domain or the DNS could be poisoned, pointing to a malicious resource hosted by an attacker on AWS. – katrix Jan 17 '17 at 16:48
  • 1
    @katrix: the site in question is a squid proxy which extracts the original target hostname and then answers the request. I cannot see in my tests that it injects any malicious stuff but this might well be the case for specific browsers or sites. – Steffen Ullrich Jan 17 '17 at 16:49
  • There is one thing that I don't understand, how google chrome (or little snitch, or system) resolve these domains (fuflavlorxna, etc) in IP (54.72.52.58)? How to get this IP if these domains are unresolvable..... I added further details to post in top – Stackuser Jan 17 '17 at 19:58

0 Answers0