Why does KeePass connect to various IP addresses and URLs?

0

I'm not sure whether or not it is normal for KeePass to connect to the following IP addresses and sites.

I have installed the below plugins from keepass.info:

  • KeeAgent.plgx
  • KeeAnywhere-1.5.1.plgx
  • KeeOtp.plgx
  • KeePassQRCodeView.plgx
  • KPEnhancedListview.plgx
  • KPEntryTemplates.plgx
  • PasswordChangeAssistant.plgx
  • prox.fluky.org
  • QrCodeGenerator.plgx

Below is an output from PStool (Process Monitor):

10:06:46.9738011 PM KeePass.exe 16192   TCP Connect Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262800, rcvwinscale: 8, sndwinscale: 9, seqnum: 0, connid: 0
10:06:46.9747633 PM KeePass.exe 16192   TCP Connect Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https    SUCCESS Length: 0, mss: 1436, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262788, rcvwinscale: 8, sndwinscale: 10, seqnum: 0, connid: 0
10:06:46.9839967 PM KeePass.exe 16192   TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https    SUCCESS Length: 2770, seqnum: 0, connid: 0
10:06:47.3202964 PM KeePass.exe 16192   TCP Send    Jacobs:58642 -> prox.fluky.org:http SUCCESS Length: 153, startime: 8363532, endtime: 8363532, seqnum: 0, connid: 0
10:06:47.5841685 PM KeePass.exe 16192   TCP Connect Jacobs:58644 -> bh-50.webhostbox.net:http   SUCCESS Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262800, rcvwinscale: 8, sndwinscale: 4, seqnum: 0, connid: 0
10:06:47.8812923 PM KeePass.exe 16192   TCP Receive Jacobs:58643 -> vern.gendns.com:http    SUCCESS Length: 272, seqnum: 0, connid: 0
10:06:47.9470829 PM KeePass.exe 16192   TCP Send    Jacobs:58641 -> 134.119.143.231:https   SUCCESS Length: 177, startime: 8363561, endtime: 8363595, seqnum: 0, connid: 0

I have disabled the plugins, but I'm curious to know why KeePass is connecting to the above sites and whether those plugins are safe to use.

Jacobs

Posted 2019-08-27T02:26:27.477

Reputation: 11

Search Google for "prox.fluky.org" with quotes around it and "vern.gendns.com" for a starting point and see what you can come up with. Google search the other URLs you see like that as well and see if you come up with anything common those are used for. It's likely KeePass using these technologies, etc. You can always run a network trace and look it over with Wireshark to see what it is really doing though. – Pimp Juice IT – 2019-08-27T02:37:49.007

Can you confirm that you are seeing this output once the plugins are disabled or is this what you see only when those are enabled? – Pimp Juice IT – 2019-08-27T02:38:36.523

I just want to check if someone has the same experience as I do before I turn off the firewall for KeePass. – Jacobs – 2019-08-27T12:57:27.520

I've also posted this issue in the KeePass forum, but a few days later it is still flagged as in moderation. I've also posted the same question on Reddit r/KeePass, but I guess no response there either. – Jacobs – 2019-08-27T13:03:14.217

With KeePass up and running without any plugins, I do not see anything from my machine. I think this means it's one of the plugins or their correlated functionality doing this which is what I assume you already know. You'd have to dig into each plugin to see which is doing which connection, and then ask the developers of those plugins to see what those are doing. Maybe this is why you are not getting any responses from the KeePass forum because it's plugin specific. I'm not familiar enough with the working of KP to know what their forum support can answer, etc. – Pimp Juice IT – 2019-08-27T14:09:16.397

It may be easier to have only one plugin that you use enabled at a time, sniff the traffic, and then look it over with Wireshark. If I was that worried about it, that's how I would handle it. – Pimp Juice IT – 2019-08-27T14:10:07.097

I will, Thanks for the advice. – Jacobs – 2019-08-27T14:40:34.027

No answers
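
The one-plugin-at-a-time comparison suggested in the comments can be scripted over saved Process Monitor text. The following is an added example, not part of the original thread: it parses lines in the layout shown in the question, groups them by remote endpoint, and lists endpoints that are absent from a no-plugin baseline. The function names are assumptions, and the sample lines are shortened from the question's output.

```python
import re
from collections import defaultdict

# Lines shortened from the Process Monitor output in the question.
SAMPLE = """\
10:06:46.9738011 PM KeePass.exe 16192   TCP Connect Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 0, mss: 1460
10:06:47.3202964 PM KeePass.exe 16192   TCP Send    Jacobs:58642 -> prox.fluky.org:http SUCCESS Length: 153, startime: 8363532
10:06:47.8812923 PM KeePass.exe 16192   TCP Receive Jacobs:58643 -> vern.gendns.com:http    SUCCESS Length: 272, seqnum: 0
10:06:47.9470829 PM KeePass.exe 16192   TCP Send    Jacobs:58641 -> 134.119.143.231:https   SUCCESS Length: 177, startime: 8363561
"""

# Fields: time, process, PID, "TCP <op>", local -> remote:port, result, Length
LINE_RE = re.compile(
    r"^\S+ [AP]M\s+(?P<proc>\S+)\s+(?P<pid>\d+)\s+TCP (?P<op>\w+)\s+"
    r"\S+ -> (?P<host>\S+):(?P<port>[\w-]+)\s+(?P<result>\S+)\s+Length: (?P<length>\d+)"
)

def summarize(log_text, process="KeePass.exe"):
    """Group one process's TCP events by remote (host, port)."""
    endpoints = defaultdict(lambda: {"ops": set(), "sent": 0, "received": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proc"].lower() != process.lower():
            continue  # skip stray lines and other processes
        entry = endpoints[(m["host"], m["port"])]
        entry["ops"].add(m["op"])
        if m["op"] == "Send":
            entry["sent"] += int(m["length"])
        elif m["op"] == "Receive":
            entry["received"] += int(m["length"])
    return dict(endpoints)

def new_endpoints(baseline, candidate):
    """Endpoints seen in the candidate capture but not in the baseline."""
    return sorted(set(candidate) - set(baseline))

def plaintext_endpoints(summary):
    """Endpoints reached over unencrypted HTTP (Procmon shows port 80 as 'http')."""
    return sorted(ep for ep in summary if ep[1] in ("http", "80"))

if __name__ == "__main__":
    with_plugin = summarize(SAMPLE)
    baseline = summarize("")  # no-plugin capture; empty here, as one commenter reported
    for host, port in new_endpoints(baseline, with_plugin):
        stats = with_plugin[(host, port)]
        print(f"{host}:{port} ops={sorted(stats['ops'])} sent={stats['sent']} recv={stats['received']}")
    print("plaintext HTTP:", plaintext_endpoints(with_plugin))
```

Running it once per enabled plugin against the same baseline shows which plugin introduces which endpoint.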