
Why does my Firefox go to this server first before going to the desired website?


gez...@gmail.com

Oct 26, 2016, 8:08:33 AM
to mozilla-sup...@lists.mozilla.org
Hi,
I'm using v46.0.1 Firefox in Windows XP sp3 and noticed a while back that every time or better said, many times I want to go to a website, Firefox wants to go to this webserver:

E.I. duPont de Nemours and Co., Inc

with any of these IP addresses:

If I block this request using PeerBlock, 9 out of 10 times Firefox just won't go to the website I wanted to.

Now, someone would suggest that one of the addons or extensions does this to me.
Wrong.

The situation is exactly the same if I launch Firefox in safe mode.

Basically it seems to me, that instead of using my default gateway for DNS lookup, Firefox wants to go to this server to either look up the IP or get permission or for who knows what reason. But it looks pretty weird and suspicious to me.

Can anyone tell me what is going on here and how I can disable this behavior and have my Firefox go to any website WITHOUT relying on this suspicious webserver?




Wolf K.

Oct 26, 2016, 9:09:54 AM
to mozilla-sup...@lists.mozilla.org
4 suggestions:

1) Go to:

Tools - Options - Advanced - Network - Connection - Settings.

The button "No Proxy" should be set. Try that.

2) Are the desired websites owned by or part of E.I. duPont de Nemours
and Co., Inc? If so, your request is being channelled through their DNS
server. Don't even try to disable it.

3) Or if not, I would suspect malware. Do a thorough scan, with at least
three different antimalware/antivirus products.

4) There could also be an issue with your Hosts file, but I can't help
with that.

HTH


--
Wolf K.
kirkwood40.blogspot.ca
It's called "opinion" because it's not knowledge.

gez...@gmail.com

Oct 26, 2016, 10:26:17 AM
to mozilla-sup...@lists.mozilla.org
Wolf, thanks for your suggestions, none of them helped though to solve my problem.

1) Proxy settings, I had it set to "as it is in system" but now I changed it to No proxy just to be safe, then I restarted FF, same problem.


> 2) Are the desired websites owned by or part of E.I. duPont de Nemours
> and Co., Inc? If so, your request is being channelled through their DNS
> server. Don't even try to disable it.

I forgot to mention in my initial post, that FF tries to connect to this DuPont server right after I start FF (my start up page is set to blank).

I cannot know whether any 3rd party website uses these DuPont servers for anything, not all of my targets trigger FF to try to connect.

I'm using PeerBlock as a soft firewall to have control over what is going in or out of my PC, I can see in its scroll window that sometimes FF gives up connecting to DuPont and finishes loading the page but sometimes FF just won't load that particular webpage until I give DuPont a temporary GO in PeerBlock.

What is really strange is that when I check for updates in FF plugins or extensions FF wants to go to one of these DuPont servers as well. Like if FF couldn't do anything without it, just like if that DuPont server was a DNS server and somehow FF has an internal policy to ignore the DNS server config of my PC.


3) I do have the paid version of Malwarebytes running on my PC, I scan the disk once a week, nothing.

4) Hosts file: I did have a long host file to prevent ads displayed in Firefox, I removed all entries except 127.0.0.1, the situation hasn't changed.

Even if I start FF in safe mode, it still tries to connect to this DuPont server. I just updated my FF to the latest version: 49.0.2, problem still exists.


Mayayana

Oct 26, 2016, 11:02:37 AM
to mozilla-sup...@lists.mozilla.org
<gez...@gmail.com> wrote:

| E.I. duPont de Nemours and Co., Inc
|
| with any of these IP addresses:
| 52.222.171.21

I don't know about duPont. The IP you give
resolves to Amazon:

http://www.ip-adress.com/whois/52.222.171.21

I'm guessing you have some kind of Amazon
crapware or plugin that's hijacking your browser.
There was news some time ago about the Silk
web browser on Amazon tablets being fullscale
spyware proxy. I even found that when I tried
SRWare Iron, which is supposed to be a clean
version of Chrome, it tried to call cloudfront.net,
owned by Amazon. So you probably want to look
at what plugins or software you might have from
Amazon.


gez...@gmail.com

Oct 26, 2016, 12:39:26 PM
to mozilla-sup...@lists.mozilla.org
I say DuPont because this is the name that shows up in PeerBlock under these IP addresses:

E.I. duPont de Nemours and Co., Inc

Here you can see a screenshot of PeerBlock and the list of my FF plugins:
https://tinyurl.com/znfcmgh

By the way, I just ran FF from a user profile that never installed any extension nor plugins in FF, as soon as I start FF, it wants to go to one of these IP addresses, if it fails in a few seconds then it tries a different one, it never gives up.

BUT, I already mentioned that in SAFE MODE FF tries to go to these IP addresses. How come? Is SAFE mode of FF really SAFE, or maybe FF itself is the culprit?

TCW

Oct 26, 2016, 1:26:50 PM
to mozilla-sup...@lists.mozilla.org
Navigate to C:\Windows\System32\Drivers\etc\ and see if there is a
hosts file. If so, open it in Notepad, Word, etc.

It should look like so. If it has any other info in there, some
malware or other bad app has changed it. You may copy and paste into
the hosts file the info below and save it, reboot your PC and try
again. If it *still* wants to connect to 55.222.171.x, then install
Malwarebytes 2.2.1 and do a thorough scan.


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
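
The hosts-file check described in this post can be scripted. The following is an added example, not part of the original message: it separates the stock `localhost` line and local ad-blocking entries (names pointed at loopback or 0.0.0.0) from entries that send a name to some other address, which are the ones worth reviewing. The sample content and all host names in it are constructed.

```python
import ipaddress

# Constructed sample hosts content (not from the thread): the stock localhost
# line, ad-blocking sinkhole entries, one redirect and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net tracker.example.net   # ad block
0.0.0.0         metrics.example.org
203.0.113.7     login.example.com    # constructed redirect
not-an-ip       broken.example.com
"""

def audit_hosts(text):
    """Return (line_no, kind, address, name) for every mapping in a hosts file.

    kind is 'default', 'sinkhole', 'redirect' or 'malformed'.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, full-line or trailing
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append((lineno, "malformed", addr, " ".join(names)))
            continue
        for name in names:                    # one line may map several names
            if ip.is_loopback and name.lower() == "localhost":
                kind = "default"
            elif ip.is_loopback or ip.is_unspecified:
                kind = "sinkhole"             # name is blocked locally
            else:
                kind = "redirect"             # name is sent to another host
            findings.append((lineno, kind, addr, name))
    return findings

def suspicious(text):
    """Entries that deserve a manual look: redirects and unparsable lines."""
    return [f for f in audit_hosts(text) if f[1] in ("redirect", "malformed")]

if __name__ == "__main__":
    for finding in suspicious(SAMPLE_HOSTS):
        print(finding)
```
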

gez...@gmail.com

Oct 26, 2016, 5:08:35 PM
to mozilla-sup...@lists.mozilla.org
TCW: thanks for the tips but I already mentioned earlier that

"3) I do have the paid version of Malwarebytes running on my PC, I scan the disk once a week, nothing.

4) Hosts file: I did have a long host file to prevent ads displayed in Firefox, I removed all entries except 127.0.0.1, the situation hasn't changed."

...and today before I posted my message here, I scanned the whole system, it didn't make any difference.

Paul in Houston, TX

Oct 26, 2016, 5:54:15 PM
to mozilla-sup...@lists.mozilla.org
Those are Amazon.com ip addresses, not DuPont.
Do you have an Amazon account?
Try a DNS flush.
Have you cold booted your machine lately? Win10 does not turn off. Pull the plug.
If that did not fix it then it's likely you have a browser hijacker.

Mark12547

Oct 26, 2016, 7:01:26 PM
to mozilla-sup...@lists.mozilla.org
In article <mailman.123.1477483706.16819.support-
fir...@lists.mozilla.org>, gez...@gmail.com says...
> I'm using v46.0.1 Firefox in Windows XP sp3 and noticed a while back that every time or better said, many times I want to go to a website, Firefox wants to go to this webserver:
>
> E.I. duPont de Nemours and Co., Inc
>
> with any of these IP addresses:
>
>

When I went to ARIN Online to use its Who Is, I came up with Amazon
Technologies, Inc, with the "point of contact" being Amazon EC2 Network
Operations.
https://whois.arin.net/rest/net/NET-52-192-0-0-1/pft?s=52.222.171.125

If so, it may be Amazon services being used as a content delivery
network for another party.

Do you usually access one of the 52.222.171.x addresses when you use
another browser to the same web sites?

If in Firefox you temporarily turn off these options, is a 52.222.171.x
address still being accessed?

Tools -> Options -> Security:
[ ] Block dangerous and deceptive content
[ ] Block dangerous downloads
[ ] Warn me about unwanted and uncommon software
(I would normally want the above three enabled, but turning these
off is for testing purposes only.)

Tools -> Options -> Advanced -> "Data Choices" tab
[ ] Enable Firefox Health Report
[ ] Share additional Data (i.e., Telemetry)
[ ] Enable Crash Report

Tools -> Options -> Advanced -> "Certificates" tab
[ ] Query OCSP responder servers to confirm the current
validity of certificates
(Again, I would normally recommend having this enabled, but
turn it off just for testing purposes.)


If 52.222.171.x is being accessed by all web browsers, are you running
any software that acts like a "secured DNS" in addition to the regular
DNS settings? (Avast! Internet Security has "Secured DNS" that can be
turned off) Or software that blocks access to known bad sites?

gez...@gmail.com

Oct 26, 2016, 10:32:50 PM
to mozilla-sup...@lists.mozilla.org
"Those are Amazon.com ip addresses, not DuPont."

I know that now.

"Do you have an Amazon account?"

I do, but I haven't logged into Amazon for months. Why, just by logging on to Amazon could screw my PC?

"Try a DNS flush.
Have you cold booted your machine lately? Win10 does not turn off. Pull the plug."

This is a laptop, I turn it off at the end of every day. So, DNS flush wouldn't make any difference.

"If that did not fix it then it's likely you have a browser hijacker."

If I do, how can I actually detect it? I'm an IT guy, so I know a lot about computers, Internet, I'm just not a hacker, nor a networking expert or programmer.

If someone could give me some instructions I'm sure I could get somewhere.

Just a question to you: Have you ever checked whether your Firefox tries to communicate right after start up (with blank start up page) in SAFE mode?

Maybe yours does the same thing except you never paid attention to it. You can test this with PeerBlock or another firewall that monitors/blocks outbound traffic.

I looked at the about:config page too, no trace of these IP addresses in it.

Mayayana

Oct 26, 2016, 10:53:12 PM
to mozilla-sup...@lists.mozilla.org
<gez...@gmail.com> wrote

| "Those are Amazon.com ip addresses, not DuPont."
|
| I know that now.
|
| "Do you have an Amazon account?"
|
| I do, but I haven't logged into Amazon for months. Why, just by logging on
| to Amazon could screw my PC?
|

Three people have told you the redirect is to
Amazon but you seem oddly disinterested in
checking that out. Amazon deals in spyware.

http://botcrawl.com/how-to-remove-amazon-shopping-assistant-by-spigot/

http://botcrawl.com/remove-amazon-smart-search-virus/

The Kindle tablet sets up Amazon as a proxy.
You have an account with them. Yes, by logging
on could screw with your PC. You need to check
what programs are running at startup (use
Autoruns) and also check all items in Firefox Tools
-> Add-ons to make sure there's no Amazon
extension or plugin. If that doesn't turn anything
up, check services to make sure Amazon hasn't
installed a service.


Paul in Houston, TX

Oct 27, 2016, 1:31:30 AM
to mozilla-sup...@lists.mozilla.org
I use SeaMonkey on this machine and FF on the work machines and none of them
call out on startup or when idling except for normal UDP and TCP loopbacks.
Just verified with CurrPorts, TCPView, WireShark, and ZoneAlarm.
I periodically check for things like that. Don't like spies.
Start with what Mayayana suggested and let us know if it worked.

Gabor

Oct 27, 2016, 10:11:33 AM
to mozilla-sup...@lists.mozilla.org
You might want to disable Malwarebytes "Malicious Website Protection" to
see if that is causing the suspicious accesses.

--
Gabor

TCW

Oct 27, 2016, 12:49:05 PM
to mozilla-sup...@lists.mozilla.org
Ok, here's another thing to try. Go and grab Portable Firefox 49.0.2
and extract it to your desktop. It will run from the self contained
folder and not use your profile nor any add-ons or extensions. See if
it too tries to connect to 52.222.171.x networks. If it doesn't, you
have something seriously jacked up on your machine.

John McGaw

Oct 27, 2016, 2:12:15 PM
to mozilla-sup...@lists.mozilla.org
The IP addresses you quote belong to Amazon Cloudfront. I would guess that
FF has this cooked in to download some sort of constantly-changing data
needed for security or whatever.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html

I can't imagine why nobody else got beyond 'it belongs to Amazon, not Dupont'.

gez...@gmail.com

Oct 27, 2016, 4:11:09 PM
to mozilla-sup...@lists.mozilla.org
Thank you guys for all the help, finally I think I found out WHAT made my FF go to the Amazon owned IP addresses (even if I started FF in safe mode), but I still don't have a clue WHY.

Here we go: The extension called "Https Everywhere v5.2.6" was the culprit.

https://www.eff.org/https-everywhere

Once I disabled it, my problem was gone. (I started to disable all extensions and plugins one at a time, restart FF and see if it was still accessing one of the Amazon IPs.)

But first I took your advice and installed SeaMonkey to see if it behaves similarly to FF and it didn't.

WHY this extension has to go to an Amazon IP in order to enforce https connection is beyond me and I also don't get it why is it enabled and working when I run FF in safe mode.

Either FF is not totally safe in safe mode after all or the developers of this extension stepped over their boundaries. I can only guess without knowledge. :)

In a few days I will get back here and let you guys know if my problem is really solved for good, or this evening by accident or for some strange reasons my FF didn't go to those Amazon IPs but tomorrow they will.

Thanks again for your help!

James Moe

Oct 27, 2016, 5:41:32 PM
to mozilla-sup...@lists.mozilla.org
On 10/25/2016 05:20 PM, gez...@gmail.com wrote:
> with any of these IP addresses:
> 52.222.171.21
> 52.222.171.33
>
How are y'all discovering these IPs are Amazon Cloudfront? Or anything
at all?

$ host cloudfront.com
cloudfront.com has address 207.171.166.22
cloudfront.com has address 72.21.206.80
cloudfront.com has address 72.21.210.29

I always get this for those addresses?
$ host 52.222.171.33
Host 33.171.222.52.in-addr.arpa. not found: 3(NXDOMAIN)

--
James Moe
jmm-list at sohnen-moe dot com
Think.

Paul in Houston, TX

Oct 27, 2016, 6:06:44 PM
to mozilla-sup...@lists.mozilla.org
James Moe wrote:
> On 10/25/2016 05:20 PM, gez...@gmail.com wrote:
>> with any of these IP addresses:
>> 52.222.171.21
>> 52.222.171.33
>>
> How are y'all discovering these IPs are Amazon Cloudfront? Or anything
> at all?
>
> $ host cloudfront.com
> cloudfront.com has address 207.171.166.22
> cloudfront.com has address 72.21.206.80
> cloudfront.com has address 72.21.210.29
>
> I always get this for those addresses?
> $ host 52.222.171.33
> Host 33.171.222.52.in-addr.arpa. not found: 3(NXDOMAIN)

https://whois.arin.net/rest/net/NET-52-192-0-0-1/pft?s=52.222.171.33

Mayayana

Oct 27, 2016, 6:48:19 PM
to mozilla-sup...@lists.mozilla.org
"James Moe" wrote

| How are y'all discovering these IPs are Amazon Cloudfront? Or anything
| at all?
|
I use http://www.ip-adress.com/whois/

There are other options. Some of them vary, and
some can only resolve a domain, not an IP.


John McGaw

Oct 27, 2016, 8:26:04 PM
to mozilla-sup...@lists.mozilla.org
On 10/27/2016 5:41 PM, James Moe wrote:
> On 10/25/2016 05:20 PM, gez...@gmail.com wrote:
>> with any of these IP addresses:
>> 52.222.171.21
>> 52.222.171.33
>>
> How are y'all discovering these IPs are Amazon Cloudfront? Or anything
> at all?
>
> $ host cloudfront.com
> cloudfront.com has address 207.171.166.22
> cloudfront.com has address 72.21.206.80
> cloudfront.com has address 72.21.210.29
>
> I always get this for those addresses?
> $ host 52.222.171.33
> Host 33.171.222.52.in-addr.arpa. not found: 3(NXDOMAIN)
>
I used browser magic by entering 52.222.171.21 into the address bar of
Firefox and then reading the Cloudfront error message that came back. I ran
a couple more of them to make sure.

Delrio

Oct 27, 2016, 9:07:46 PM
to mozilla-sup...@lists.mozilla.org

James Moe

Oct 28, 2016, 3:23:50 PM
to mozilla-sup...@lists.mozilla.org
On 10/27/2016 02:41 PM, James Moe wrote:
>> > with any of these IP addresses:
>> > 52.222.171.21
>> > 52.222.171.33
>> >
> How are y'all discovering these IPs are Amazon Cloudfront? Or anything
> at all?
>
Using the WHOIS servers tells us who owns the IP ranges. It does not
explain how the OP's browser lands there.
A DNS lookup returns a failure, which is what FF does to find a host.
FF should give up at this point.
As the OP noted, apparently one of his add-ons is being bizarrely
helpful by offering a default IP when the DNS lookup fails. TBD.
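
Reverse DNS returned NXDOMAIN for these addresses in the thread, so attribution had to come from registry or provider range data. The following is an added example, not part of any post above: it groups outbound destinations from a firewall log by process and by the longest matching prefix in a provider range file. The range data (laid out like AWS's published `ip-ranges.json`) and the log format are constructed for illustration; real prefixes must be taken from the provider's current file.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample in the layout of a provider range file; not real data.
SAMPLE_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "52.192.0.0/11",   "service": "AMAZON"},
  {"ip_prefix": "52.222.128.0/17", "service": "CLOUDFRONT"},
  {"ip_prefix": "192.0.2.0/24",    "service": "EC2"}
]}
""")

# Constructed log lines in a hypothetical format: date time process OUT ip:port action
SAMPLE_LOG = """\
2016-10-26 08:01:12 firefox.exe OUT 52.222.171.21:443 blocked
2016-10-26 08:01:15 firefox.exe OUT 52.222.171.33:443 blocked
2016-10-26 08:01:19 firefox.exe OUT 198.51.100.9:80 allowed
2016-10-26 08:02:02 svchost.exe OUT 52.200.10.4:443 allowed
this line does not parse
"""

LINE = re.compile(
    r"^\S+ \S+ (?P<proc>\S+) OUT (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) "
)

def load_prefixes(doc):
    """Turn the JSON document into (network, service) pairs."""
    return [(ipaddress.ip_network(p["ip_prefix"]), p["service"])
            for p in doc["prefixes"]]

def attribute(ip, prefixes):
    """Service of the longest (most specific) matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, svc) for net, svc in prefixes if addr in net]
    return max(hits)[1] if hits else None

def summarize(log, prefixes):
    """Map (process, service) to the sorted destination IPs seen in the log."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                          # skip lines in another format
        svc = attribute(m["ip"], prefixes) or "unattributed"
        seen[(m["proc"], svc)].add(m["ip"])
    return {key: sorted(ips) for key, ips in seen.items()}

if __name__ == "__main__":
    for key, ips in summarize(SAMPLE_LOG, load_prefixes(SAMPLE_RANGES)).items():
        print(key, ips)
```

Grouping by process as well as by owner shows which program opens the connections, which ownership data alone does not.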