Ubuntu – Suspicious connections coming from Firefox (possible malware)

firefoxmalwareSecurity

I was playing around with Wireshark when I noticed something very suspicious: every time I open Firefox (official build from Ubuntu repos), it immediately connects to a server with an apparently random name like d2ddoduugvun08.cloudfront.net and sends some encrypted data.

I couldn't find anything specific on this domain, but it pops up on some malware sites.

At first I thought it was some Firefox telemetry server but it is disabled and the server is not a Mozilla server.

I deleted my ~/.mozilla folder, in case my profile was the problem, but the connection was still there every time.

At this point I thought my installation of Firefox was compromised, so I purged it and redownloaded it from the repos. The connection was still there.

I moved to another machine with Windows, and it doesn't make this connection; when I booted into an Ubuntu live USB, it does.

I decided to build Firefox from source and it does not make this connection.

I tried to use mitmproxy to intercept it but it ignores my system proxy settings.

So my question is: is this a legit thing added by Canonical? Is the Firefox package on Ubuntu compromised by some malware?

Thanks

Best Answer

It appears to be firefox heartbeat telemetry. It could be disabled in about:config settings (that particular one can probably be disabled with app.normandy.enabled=false in about:config)

If you do not like firefox phoning home (and elsewhere), there are also a few other settings you may want to change

Nuke the old profile.

Here's a little script that moves the old profile to another location. I'm making this up as I go, so there might be a bug or two in it. You should be able to copy and paste this into a terminal.

cd ~/.mozilla/firefox/
export FFPROFILE=`cat profiles.ini | grep "Path=" | sed 's/^Path=//'`
mv $FFPROFILE $FFPROFILE.BAK
rm profiles.ini

When Firefox next launches, it will create a new profile.

Save bookmarks, saved passwords, etc

After firefox has created the new profile, you can go to ~/.mozilla/firefox/ in nautilus and copy back some of the files into the new profile and then deletes the profile configuration file so that Firefox has to create a new profile. Start by closing Firefox and then punch these lines into a terminal:

cd ~/.mozilla/firefox/
export FFPROFILE=`cat profiles.ini | grep "Path=" | sed 's/^Path=//'`
export OLDFFPROFILE=`ls -1 | grep .BAK`
cp $OLDFFPROFILE/*.sqlite $FFPROFILE/

You can of course do both these parts manually. It's actually easier to do it manually, you just need to know your way around the filesystem a little better. I was just thinking of you needing to do push this off to somebody else... it might just be easier if they copy and paste it into a terminal... Or you do it via SSH.

Ubuntu – Firefox is slow

What is slow? Switching between tabs, opening a site, scrolling the window...? It might be your graphic drivers. If you have an nVidia card try installing the non-free nVidia drivers rather than the stock ones that come with Ubuntu.

UPDATE:
Okay, if it's the network access that is slow my guess would be that you have IPv6 enabled. Try running sudo apt-get update from a terminal window, and if you get the same 5-10 second pause then try disabling IPv6. The "quick" way to do that (just for testing) would be to edit /etc/gai.conf and add the following line to it:

precedence ::ffff:0:0/96  100

Restart firefox and see if that speeds things up. If it does, a better way to disable IPv6 is described in this answer to the question How to disable IPv6 in Ubuntu 14.04?

Best Answer

Related Solutions

Firefox Malware – How to Track Down Firefox Malware on Ubuntu 10.04

Nuke the old profile.

Save bookmarks, saved passwords, etc

Ubuntu – Firefox is slow

Related Question