privoxy is connecting to PublIC.poPCORN-TRAckEr.org on TCP6 port 9050

[GreenLunar]

Hello

I want to trace down the executable which attempts to connect to PublIC.poPCORN-TRAckEr.org

I suspect it's an old Reverse Shell attempt using a tracker which originally intended for BitTorrent file sharing.

In contract to #612, this is of PROXY ENVIRONMENT issue which applies to all software respecting rnvironment variables.

For this attempt to trace down spy attempts of software, I'll disable the following rules:

Name: deny-always-simple-tracker-ds-is
Host: TRacker.dS.IS

Name: deny-always-simple-popcorn-tracker-org
Host: ^(|.*\.)popcorn-tracker\.org

Saying out laud SystemD or Systemd or sYStEmD MAKES IT SO EASY TO ATTACKERS TO INFILTRATE INTO LINUX BECAUSE SYSTEMD CONNECTS FOR SOFTWARE, MEANING THAT WHEN BITTORRENT CLIENT (CONNECTS TO MILLIONS OF ADDRESSES) WEB BROWSER (THAUSANDS) AND EMAIL CLIENT (A FEW) WOULD ASK SYSTEMD TO CONNECT FOR THEM AND USER WILL SEE ONLY SYSTEMD AND NOT KNOWING FROM WHERE THE CONNECTIONS COMES FROM

SO ON SYSTEMD SYSTEMS, IT'S SIMPLE TO MAKE YOUR EMAIL CLIENT TO TRACK YOU USING A BITTORRENT TRACKER. uSER MIGHT THINK THAT IT'S A CONNECTION FROM A BITTORRENT SOFTWARE, BUT IT IS NOT.

If I wouldn't have removed Systemd from my system and migrated to Artix Linux, I would not have realized this issue in question.

GET RID OF SYSTEMD FFF

[gustavo-iniguez-goya]

hey @GreenLunar ,

If I understand you correctly, an application is establishing a new outbound connection through Privoxy, and OpenSnitch detects Privoxy trying to establish a connection with PublIC.poPCORN-TRAckEr.org instead of the original application.

I haven't tested this scenario. Could you mark [x] Debug invalid connections under Preferences -> Nodes and see if it prompts to allow/deny something?

[gustavo-iniguez-goya]

Regarding this rule: ✔ /usr/bin/python3.10 -> ip174217646.ahcdn.com:443 (allow-1h-simple-usr-bin-python3-10)

I'd suggest to filter connections by Command line, instead of Executable. By allowing python3.10 you're allowing any python script, and maybe that's not what you wanted to do.

[gustavo-iniguez-goya]

@GreenLunar please, update your opensnitch installation and verify that this problem is solved.

[GreenLunar]

I've the most recent installation opensnitch 1.5.0-3 from AUR.
Do you want me to update to git?

[GreenLunar]

It seems that PUbLiC.pOPcoRn-TRACKER.Org points to localhost. We exclude domains that point to 127.0.0.1 but no ::1 , so when privoxy tries to connect to localhost ipv6, we get the domain's IP, save it and display "PUbLiC.pOPcoRn-TRACKER.Org" to the user.

What about TraCkER.dS.IS?

[gustavo-iniguez-goya]

It also resolves to 127.0.0.1/::1, so it should be fixed. If you haven't restarted the daemon, do it now: $ sudo systemctl restart opensnitch

Then you can reproduce it as follow:

$ ping TraCkER.dS.IS
(allow or deny the connection, Duration Once, 30s, etc)
$ telnet 127.0.0.1 25

It should display a pop-up showing that telnet is trying to connect to 127.0.0.1 instead of TraCkER.dS.IS

[gustavo-iniguez-goya]

Could you post what OpenSnitch version are you using and the output of # cat /sys/kernel/debug/tracing/kprobe_events ?

Also please, post how your system is configured to use privoxy: global envirionment variable like http_proxy? other method?

[GreenLunar]

opensnitch 1.5.0 installed from https://aur.archlinux.org/packages/opensnitch

# cat /sys/kernel/debug/tracing/kprobe_events
p:kprobes/ptcp_v4_connect tcp_v4_connect
r32:kprobes/rtcp_v4_connect tcp_v4_connect
p:kprobes/ptcp_v6_connect tcp_v6_connect
r32:kprobes/rtcp_v6_connect tcp_v6_connect
p:kprobes/pudp_sendmsg udp_sendmsg
p:kprobes/pudpv6_sendmsg udpv6_sendmsg
p:kprobes/piptunnel_xmit iptunnel_xmit

From .bashrc:

#proxy
export http_proxy=http://127.0.0.1:8118/
export https_proxy=$http_proxy
export ftp_proxy=$http_proxy
export rsync_proxy=$http_proxy

Operating System: Archlinux (with f***** systemd installed)