G_girl

www.iranian.ws attaching to local host permission box again

I'm still confused as to why a site I never went to (www.iranian.ws, which is in Samoa) keeps showing up when I start Firefox, asking permission for Firefox to use local host 127.0.0.1 (www.iranian.ws).

Why is my 127.0.0.1 resolving to this website?

Please run OTL by following the instructions below:

  1. Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
  2. Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed, and let it run uninterrupted.
  3. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
  4. When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
  5. Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.

I don't see anything in the log that explains it. HOSTS file looks pretty much empty, and there's no proxy set up in your Firefox. This is probably being caused by some of your security software. It is not uncommon for security software to redirect malicious domains to the IP address 127.0.0.1 in order to block them.

I'm only running your products right now that I'm aware of for "security" other than browser plugins for privacy, but thanks for the explanation. I didn't know sending it to that address would render it harmless.

> I'm only running your products right now that I'm aware of for "security" other than browser plugins for privacy, but thanks for the explanation. I didn't know sending it to that address would render it harmless.

You're quite welcome. ;)

The iranian.ws thing is still "stuck" in the window that asks permission for 127.0.0.1 local host. It's starting to creep me out seeing it all the time; isn't there some way I can remove it? I hate to be a squeaky wheel, but googling got me nowhere.

Do you know why your computer keeps trying to connect to this iranian.ws domain? Does it only happen when you use Internet Explorer, Firefox, Chrome, or does it happen when you use all three? Does it happen even when you do not have an Internet browser open?

I think I've only seen it when I'm opening up Firefox (I don't use IE or Chrome). Attaching a pic of it (I only saw the starteam once, but the iranian.ws is persistently on it).

I looked up starteam (Port 49201) and apparently it's some sort of team software development thing. I don't develop software on a team. I've blocked that port for now for all programs, but I don't know if that's going to cause me problems? I hope something isn't using it to "develop" something on my system.

UPDATE: Since blocking port 49201 in OA, iranian.ws is no longer showing up when Firefox asks for local host permissions. Now I hope I can find what's doing it so it doesn't happen without OA protecting me. Trying to stay safe on the internet is like a full time job, it's so annoying.

Does it only happen when you are on a specific website, or does it happen regardless of what website you are browsing in Firefox?

The permission box happens whenever I open Firefox (prior to the Firefox window appearing), which was configured to open to about:blank as my homepage (though some plugins still try to call home).

That particular iranian.ws I'm not seeing anymore since I blocked TeamStar port (tcp 49201) in OA's firewall port rules.

I noticed today when running GRC's DNS Benchmark test, something showed up on that same local host window again, but I think it may be one of the servers Steve Gibson uses to do the benchmarks, so it's not such a mystery.

I've been talking to our developers, and they've let me know that Online Armor doesn't have the information to determine what domain your browser is trying to access at the time it blocks the connection (TCP/IP communication does not include domain names). Online Armor will attempt to guess a domain name by checking DNS to see what domain names resolve to that IP address, so please note that the domain name listed in the notification may not be accurate.

I suggest that you try disabling your Firefox extensions one at a time and test to see if one of them is the cause of the notifications.

The way that I see what tries to connect when I open Firefox is in the firewall status window while the browser opens. Sometimes the things that call home do it extremely fast and you could miss them. If the resolve addresses box is checked you can see the domain.

It's not easy narrowing down which plugins/extensions are calling home since the domain names are understandably not something you would associate with the individual plugin names.

I disable realtime lookups and automatic updates, so they really shouldn't be connecting without asking.

> The way that I see what tries to connect when I open Firefox is in the firewall status window while the browser opens. Sometimes the things that call home do it extremely fast and you could miss them. If the resolve addresses box is checked you can see the domain.

Please note that, with the option to resolve addresses enabled, Online Armor is merely trying to guess what address should be displayed on the notification by checking DNS to see what domain names resolve to that IP address. In the case of 127.0.0.1 you can have countless domain names resolving to that address (hundreds, thousands, etc).

> It's not easy narrowing down which plugins/extensions are calling home since the domain names are understandably not something you would associate with the individual plugin names.

Since the domain name displayed in the Online Armor notification is a guess, please note that you cannot attempt to find out what extension is the cause simply from the domain name. You will need to disable each extension one at a time to test and see if the notifications stop. That would involve a process such as this:

  1. Disable an extension.
  2. Close Firefox.
  3. Reopen Firefox, and wait for the notification to pop up.
  4. If there's no notification from Online Armor, then you found the extension that was causing it. If the notification appears again, then go back to step 1 and continue to repeat these 4 steps until you find out which extension is causing the notification.

Please note that this is the only way, short of marking Firefox as 'Trusted' in Online Armor, of preventing these notifications.

> I disable realtime lookups and automatic updates, so they really shouldn't be connecting without asking.

Extensions should be able to access information over the Internet through Firefox's APIs even with those settings disabled. That's why it is important to ensure that extensions are safe, as they can be an exploit vector.
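
An added illustration, not part of the thread and not Online Armor's code: it parses hosts-format blocklist text and shows why an IP-to-name guess for 127.0.0.1 cannot identify which domain a program actually asked for. The sample entries, the `.example` names and the function names are constructed for this sketch.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in hosts-file format (not taken from the thread's logs).
SAMPLE_HOSTS = """\
# entries a hypothetical security tool might add to block domains
127.0.0.1   localhost
127.0.0.1   ads.tracker.example  www.ads.tracker.example   # two names, one line
127.0.0.1   malware-host.example
0.0.0.0     telemetry.example
::1         localhost
192.0.2.10  intranet.example
"""

def parse_hosts(text):
    """Return {ip_string: [names]} from hosts-format text, skipping comments."""
    table = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: ignore the line
        for name in (f.lower() for f in fields[1:]):
            if name not in table[ip]:
                table[ip].append(name)
    return dict(table)

def reverse_guess(table, ip):
    """Guess a name for an IP: returns (first_candidate_or_None, candidate_count)."""
    names = table.get(str(ipaddress.ip_address(ip)), [])
    return (names[0] if names else None, len(names))

def sinkholed_names(table):
    """Names pointed at loopback or the unspecified address, i.e. blocked locally."""
    out = set()
    for ip, names in table.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            out.update(n for n in names if n != "localhost")
    return sorted(out)

if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print(reverse_guess(table, "127.0.0.1"))  # one label, several candidates
    print(sinkholed_names(table))
```

A candidate count above one means the name shown next to 127.0.0.1 is only one of several possibilities, which is why the extension-by-extension test above is needed rather than reading the label.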
