Browser connects to mc.yandex.ru before loading any website

Support
1

I recently noticed through Wireshark that every time I open my Firefox browser and visit let’s say google.com or whatever site, my system connects to mc.yandex.ru in the background. I found that very suspicious as it turned out that my system connects nearly by every new website visit to mc.yandex.ru, mail.yandex.ru or cdn.yandex.net.

I tried to use Chromium but the same happened here when I visit any website. The only way this is not happening is when I send HTTP-Traffic through curl.

Now I’m curious about why this is happening and suspect a malware/adware or something like that. I installed all software by pacman or pamac (for AUR-packages). At the beginning I was kinda scared by AUR but people said that it’s ultra rare that malware would be distributed by the AUR.
The only packages I installed by AUR were “ledger-live”, “tor-browser” and “openvpn-update-resolv-conf-git”.

It would calm me down if I knew that I’m the only one with extreme bad luck at some point and that this is not a “common thing” with which many people currently are dealing with without knowing it.

2

Do you have addons?

3

Try with a clean profile and no add-ons enabled.

1 Like
4

Duckduckgo has been associated with yandex. Try selecting a different default search engine, delete duckduckgo, and disable prefetching network requests (ublock origin settings is a convenient way to do it.)

5

It is well known that DuckDuckGo does not provide it’s own search engine but accumulates searches from different sources - among them google, bing, yandex et al. - so there is nothing weird about duckduckgo providing results from yandex - they most likely only uses yandex in the area where yandex results would make sense - like Russia or Asia.

Documentation please …

When you say it is both Chromium and Firefox - my guess is a package common to network connection. I would be suspicious too - so my suggestion would be to retrace your history - both your package installation history - but also your browsing history as you may have been hit by a drive-by.

Rename the folders holding your Firefox and Chromium profiles - then start fresh - check if the issue persist.

2 Likes
6

Search for Yandex.

7

Your comment is worthless.

In the context it is documentation for hidden connections to yandex - or another for that matter - not a general search everyone can do.

When I used duckduckgo - there was no hidden connections to other sites.

So just throwing in a well-known privacy search engine into an issue of suspicious connection on browser start - is a sign of ignorance.

3 Likes
8

:point_up:

Why mention DuckDuckGo when OP does not? Heck, they even mention Google instead… :person_facepalming:

2 Likes
9

My ass just fell off from laughter

Here - that is more accurate.

More probably you went somewhere where you could pick up a uninvited hitchhiker.
Check extensions, add-ons, etc.
If you have another machine at home, see if the same behavior is present there. Try from your phone.

10

First of all, I would like to thank you all and say that I am very impressed with how much effort this community is putting into my problem. I haven’t experienced anything like this in a long time.

Yes, “AdBlock Plus” and nothing else. I haven’t installed any extensions. But as this problem also occurs with Chromium I wouldn’t expect that this problem is caused by an addon. I have also tried starting Firefox in the safe-mode but nothing has changed.

I will do some research based on browsing history and package installation history and tell you all if I did find something or not.
But how could I got hitten by a drive-by? Isn’t this very rare if my Firefox browser was always updated to the latest version? My system is literally 1 or 2 weeks old. I must have been extremely unlucky for this to happen.

I couldn’t find any suspicious traffic going from my PC. How would I inspect the traffic from my phone if I understood you right? Do I have to spin up a Wifi network on my PC for my phone or are there easier methods?

I found out that my laptop is not only communicating with Yandex but also with disqus.com, dropbox.com, github.com, slack.com, 500px.com and gitbook.io. I have never visited these sites in this session, nor do I know of any installed packages which communicate with these servers.

It’s also communicating to a very suspicious server (185.167.97.191) via SSH on port 22 without actively browsing. I really want to know what the hell my laptop is transmitting but there is no chance since it’s obviously encrypted… I suspect that my laptop is uploading my user files, as I can’t think of any other scenario for which SSH on port 22 could be used for. I’m very sure that my laptop is not just listing directories on the SSH server : ))

1 Like
11

Both Firefox and Chromium has support for what is sometimes called webworkers.

These workers uses websocket and runs in the background unless you deliberately disable the functionality.

These are usually legit - that is if one doesn’t exhibit extremely lazy or outright dangerous browsing habits. Not so long ago I only had a shrug for those saying javascript whas dangerous - I was ignorant - javascript can be used to start websockets and thus scan your system for vulnerabililties and try to exploit them.

I am by no means saying this is the case - just venting the possibility.

With your last edit - while something could appear legit - others raise eyebrows - such as censys.io - note - I am not saying there isn’t a legit reason for hiding - it could be they don’t want to expose the employee which registered the domain on behalf of the company - nonetheless - initially it raises my eyebrows

$ whois censys.io
Domain Name: censys.io
Registry Domain ID: 66224c6b278243f1ab3261f34df5c7c4-DONUTS
Registrar WHOIS Server: key-systems.net
Registrar URL: http://key-systems.net
Updated Date: 2021-06-21T15:33:21Z
Creation Date: 2015-08-13T19:50:44Z
Registry Expiry Date: 2026-08-13T19:50:44Z
Registrar: Key-Systems GmbH
Registrar IANA ID: 269
Registrar Abuse Contact Email: abuse@key-systems.net
Registrar Abuse Contact Phone: +49 6894 9396 850
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: c/o whoisproxy.com
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: VA
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: arturo.ns.cloudflare.com
Name Server: anastasia.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2022-04-29T13:12:20Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

Terms of Use: Donuts Inc. provides this Whois service for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Donuts does not guarantee its accuracy. Users accessing the Donuts Whois service agree to use the data only for lawful purposes, and under no circumstances may this data be used to: a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the registrar's own existing customers and b) enable high volume, automated, electronic processes that send queries or data to the systems of Donuts or any ICANN-accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. When using the Donuts Whois service, please consider the following: The Whois service is not a replacement for standard EPP commands to the SRS service. Whois is not considered authoritative for registered domain objects. The Whois service may be scheduled for downtime during production or OT&E maintenance periods. Queries to the Whois services are throttled. If too many queries are received from a single IP address within a specified time, the service will begin to reject further queries for a period of time to prevent disruption of Whois service access. Abuse of the Whois system through data mining is mitigated by detecting and limiting bulk query access from single sources. Where applicable, the presence of a [Non-Public Data] tag indicates that such data is not made publicly available due to applicable data privacy laws or requirements. Should you wish to contact the registrant, please refer to the Whois records available through the registrar URL listed above. Access to non-public data may be provided, upon request, where it can be reasonably confirmed that the requester holds a specific legitimate interest and a proper legal basis for accessing the withheld data
. Access to this data can be requested by submitting a request via the form found at https://donuts.domains/about/policies/whois-layered-access/ Donuts Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

It could be as simple as a service used by an adblocker or a malware scanner.

Remember that both Firefox and Chromium has settings which enables lookups in databases for malware domains - to prevent the casual user from accidently browse such bad places.

censys.io is registered in 2015 - malware domains or domains connected to shady activity usually don’t last that long

A lot of possibilities exist to explain the traffic.

Without knowing anything - the members of this forum litereally doesn’t know anything - of what is going on your system.

It depend on the services you use - the applications you have installed - e.g. snap, flatpak, appimage - custom PKGBUILD from AUR - Electron based applications (yes they are webbrowser subsets) usually based on Chromium.

The list of recently visited websites - the dashboard of a browser - they all initiale a request when you open the browser.

Firefox defaults to send telemetry unless you actively disable it - try browsing this in firefox about:preferences#privacy

3 Likes
12

Depending on the websites you browse, there can very well be connections to third parties in order to retrieve some features. For instance:

  • disqus.com allows to post comments
  • 500px.com is an image hosting service

You could give uMatrix a try to check what connections you (try to) make while browsing.

13

If you are using wireshark, and your devices are in the same network… This can eliminate machines which do not act as you’ve mentioned and give you extra info on what is the unit calling yandex, dropbox, etc.
Or - if more are acting like this - you know it is a bigger case :slight_smile:

Otherwise - linux-aarhus is as far I know, giving good explanations/ advises :slight_smile:

14

An ssh connection that you know nothing about should be viewed critically.
It is easy to enable a reverse shell with ssh. If I have ssh running, I know that. If ssh is running without me knowing, I would only touch my computer with disposable gloves and pliers.

It should be possible to find out what privileges ssh is running with, how it was started, and whether or not it allows a reverse shell. On my computer I would stop that as soon as possible!

If you have caught a trojan, ssh may not be the only access! Usually 2 or more paths are laid. So that if one is discovered, access is not lost.

So if you come to the conclusion that a trojan or something else is active, the first course of action is to unplug the network cable, shut down the computer, and run all scans from a clean LIVE ISO. (Unless you want to watch live, how someone encrypts your hard drive after stealing all your data).

P.S.
In some cases it is legitimate that ssh is used. The company I work for, distributes their updates via ssh. BUT the ssh process is only started when the user becomes active and requests an update!

2 Likes
15

I think I resolved the problem with yandex, dropbox, github, etc. After visiting an IP checker site my browser also connects to yandex etc as it’s coded into the HTML source code of my visited site. I assume that these connections were kept alive due to the corresponding HTTP header.

I haven’t found anything useful for the SSH problem and I urgently needed my laptop back so I did a reset after monitoring the network traffic from my laptop a couple of hours and not finding anything useful.
I have also checked the pacman logs, but there was also nothing malicious to see. I also didn’t find anything malicious with “ps aux”.

This totally screw me up as on this laptop were very sensitive data…