Network connection attempts from v2.20.4

x64 Replacement/Alternative to Microsoft's IntelliMouse application.
PhilRocks
New User
Posts: 4
Joined: Fri May 12, 2023 10:45 pm

Network connection attempts from v2.20.4

Post by PhilRocks »

XMBC Version: v2.20.4
Installed or Portable version: Portable
Windows Version: 7
Did the problem occur after an upgrade of XMBC? (If so, from what version?): Yes, from v2.20.3
Did the problem occur after a Windows update/upgrade? (If so, from what version?): No
How long have you used XMBC?: Many years

Clear description of the problem:

First, many thanks to Phil for XMBC. I truly appreciate your hard work on this project. :cheers:

Until v2.20.4, I have never experienced any unexpected network connections with XMBC. Version 2.20.4, however, is trying to establish outgoing TCP connections on port 80 to several different IP addresses. I have XMBC's update-checking disabled, but perhaps the new version is accidentally ignoring the state of this toggle? Or perhaps debugging code was added?

I downloaded v2.20.4 directly from dvps\.highrez\.co\.uk. The SHA256 hash of the zip file I downloaded (XMouseButtonControl 2.20.4 Portable\.zip) from that host is AE59ED29CC1F199F2BB640C7A5C66972DF905E143F3294C5CC9C2B414B5E7F80. I have added backslashes to the host name and file name so phpBB will allow my post to be submitted. Please ignore those backslashes.
phil
Site Admin
Posts: 7670
Joined: Sun Apr 06, 2003 11:12 pm

Re: Network connection attempts from v2.20.4

Post by phil »

:oops: That’s odd. The only thing that XMBC can establish TCP (port 80) for is bug trap crash reports (if a. it crashes and b. you say send report!). There should be nothing else in XMBC that attempts network connections with TCP!

Update checks use DNS (UDP) and ask the system DNS cache so should not come from XMBC directly anyway…

The host you downloaded from is my own virtual private server so that should be fine. What are the IP addresses? It might help establish if it’s at least mine (I have a few VPSs all in the UK). I don’t believe I have changed any third party components for quite some time so I don’t expect anything I’m depending on is doing anything different in the latest build!

I’ll have to have a look, but I’m away this weekend!
--[ Phil ]--
--[ Administrator & XMBC Author ]--
Logitech G9/G604/M720/MX518, Microsoft Intellimouse, Trust 16341 BT Mouse
Windows 10 x64, AMD Ryzen 5900x, MSI x570 Tomahawk, 32GB DDR4,
nVidia RTX 2070s, Evo 970 1Tb NVME, 2x2TB WD Black (RAID1)
PhilRocks
New User
Posts: 4
Joined: Fri May 12, 2023 10:45 pm

Re: Network connection attempts from v2.20.4

Post by PhilRocks »

Hi Phil,

I hope you're having a good weekend. Enjoy yourself, and don't worry about this until you return!

I'll send you the IP addresses via PM. They are all Akamai IP addresses.

Did you happen to change compiler versions?

When you get home (no rush), if you can compute the SHA-256 hash of the file you intended to put on your server with the SHA-256 hash I provided, that will be helpful.

With v2.20.3 not having this issue, but v2.20.4 having it, I think there will be an "aha" moment where the difference is discovered.

We'll work together to figure it out. :cheers:
Dolmatov
Committed
Posts: 149
Joined: Tue Sep 19, 2017 9:19 pm

Re: Network connection attempts from v2.20.4

Post by Dolmatov »

Tested on Windows 11 three varieties:
Installed version (x64);
x64 portable;
x86 portable.

At startup and for the next couple of minutes, no network connections were recorded. I checked it in two ways (debugging requests, displaying connections through the network filter).

Could you provide more details?
1. What bitness of the program is running?
2. What is the frequency of requests and is there a dependence on the actions of the program (starting, opening the interface, etc.)?
3. How did you check for connections?
4. Are you running the program from File Explorer or through additional tools (alternative file manager, anti-malware container, etc.)?
5. Are there any lines in the log file (without debugging) about checking for updates?

There is a new beta version available!

You are using the latest available version of X-Mouse Button Control.
PhilRocks
New User
Posts: 4
Joined: Fri May 12, 2023 10:45 pm

Re: Network connection attempts from v2.20.4

Post by PhilRocks »

Dolmatov wrote: Sat May 13, 2023 8:43 pm Could you provide more details?
1. What bitness of the program is running?
2. What is the frequency of requests and is there a dependence on the actions of the program (starting, opening the interface, etc.)?
3. How did you check for connections?
4. Are you running the program from File Explorer or through additional tools (alternative file manager, anti-malware container, etc.)?
5. Are there any lines in the log file (without debugging) about checking for updates?
Thank you for your excellent questions. Here are the answers:
1. XMBC 64-bit.
2. The requests were made immediately upon executing XMBC. No user actions were needed.
3. Connection attempts were blocked via a bidirectional firewall with real-time alerts and long-term logs.
4. XMBC was launched via FreeCommander XE (64-bit) (see freecommander\.com - please ignore the backslash).
5. The XMBC log contains no lines about checking for updates.
phil
Site Admin
Posts: 7670
Joined: Sun Apr 06, 2003 11:12 pm

Re: Network connection attempts from v2.20.4

Post by phil »

PhilRocks wrote: Sat May 13, 2023 6:33 pm Hi Phil,

I hope you're having a good weekend. Enjoy yourself, and don't worry about this until you return!

I'll send you the IP addresses via PM. They are all Akamai IP addresses.

Did you happen to change compiler versions?

When you get home (no rush), if you can compute the SHA-256 hash of the file you intended to put on your server with the SHA-256 hash I provided, that will be helpful.

With v2.20.3 not having this issue, but v2.20.4 having it, I think there will be an "aha" moment where the difference is discovered.

We'll work together to figure it out. :cheers:
Nope, no compiler changes, still using Visual Studio 2015 which is old, out of support and therefore no sneaky updates from MS at any time!! And *very* little changed between 2.20.3 and 2.20.4, no external dependencies were changed. And I can see no reason (off the top of my head - I haven't had a chance to look at any code/change history yet) for any contact to Akamai IPs, that's very odd and a little concerning. I will have to check the file hashes when I get home (probably not till this evening) - I'll look at the PM you sent with the addresses then too - maybe something will help explain it!
PhilRocks
New User
Posts: 4
Joined: Fri May 12, 2023 10:45 pm

Re: Network connection attempts from v2.20.4

Post by PhilRocks »

phil wrote: Sun May 14, 2023 10:36 am Nope, no compiler changes, still using Visual Studio 2015 which is old, out of support and therefore no sneaky updates from MS at any time!! And *very* little changed between 2.20.3 and 2.20.4, no external dependencies were changed. And I can see no reason (off the top of my head - I haven't had a chance to look at any code/change history yet) for any contact to Akamai IPs, that's very odd and a little concerning. I will have to check the file hashes when I get home (probably not till this evening) - I'll look at the PM you sent with the addresses then too - maybe something will help explain it!
That all sounds good Phil. Take your time... no rush from me... I have temporarily removed XMBC until we figure it out. I could have just downgraded to 2.20.3, but I wanted to miss XMBC a little... just like in any relationship, a little space apart can reveal how much you love each other! :lol: :lol: :lol:
phil
Site Admin
Posts: 7670
Joined: Sun Apr 06, 2003 11:12 pm

Re: Network connection attempts from v2.20.4

Post by phil »

Well the first good thing, the hashes match up - so it is the correct, unmodified download... Now to try and find out what on earth XMBC is doing communicating out and to whom. How are you monitoring outgoing connections by the way, and how frequently does it happen/is there anything in particular that triggers it?

What are you using to monitor network activity per process? I suppose I could go all advanced and set up some wireguard logging on the router, but that won't be process specific. Maybe ProcessMonitor will be good enough...
phil
Site Admin
Posts: 7670
Joined: Sun Apr 06, 2003 11:12 pm

Re: Network connection attempts from v2.20.4

Post by phil »

Also, having analysed XMBC 2.20.4 in VirusTotal, the behaviour tab does list communication with the CERTUM certificate signing services (which I presume is to validate the digital certificate) but I wouldn't expect that to be any different from 2.20.3 - it's signed with the same certificate, and in any case...

VirusTotal is quite handy in that regard... Here's what it lists:
https://www.virustotal.com/gui/file/ae5 ... 0/behavior

HTTP Requests
http://ccsca2021.ocsp-certum.com

http://crl.certum.pl/ctnca.crl

http://repository.certum.pl/ctnca.cer

http://subca.ocsp-certum.com/MFEwTz8NME ... 1%287Sc%3D

These addresses do appear to resolve to Akamai addresses so it might make sense...

That won't be XMBC itself (as in explicit code in XMBC), but the Windows APIs that verify the digital signature is valid. XMBC does check this now because I did find instances where someone had modified XMBC (presumably to try and avoid detection by anti-cheat) and caused crash reports that were useless to me because the EXE/DLL had been modified, thus breaking any stack trace ability for the crashes. So now it checks and logs if it detects it has been modified (i.e. the digital signature is invalid)... But again, 2.20.3 did that too.

Blocking it also shouldn't be a problem, but nor should allowing it.
I'll keep monitoring - so far nothing showing in process monitor for me...
Dolmatov
Committed
Posts: 149
Joined: Tue Sep 19, 2017 9:19 pm

Re: Network connection attempts from v2.20.4

Post by Dolmatov »

Considering what was previously written by the author of the topic.
The network filter ("bidirectional firewall") detects the connection when the program starts. The program itself does not write about updates, which means that the on / off function works properly. There is a digital signature verification and this verification is performed for many programs, although not all perform self-verification.

I think that the firewall, for some reason, began to determine the digital signature verification differently and began to report the presence of a connection. Either the firewall has received an update, or it doesn't know the new XMouse Button Control signature.

There is no cause for concern.

You can try to verify the domain and IP. Type nslookup on the command line for the specified domains (don't copy the link, just a domain).
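
The triage described in the last two posts (resolve the certificate-validation hosts, then compare them with what the firewall blocked), as an added example that is not part of the thread and is not XMBC code. The three URLs come from phil's VirusTotal listing; the resolved IP addresses and the firewall log lines are constructed, and the log line format is an assumption.

```python
import re
from urllib.parse import urlparse

# Certificate-validation URLs quoted in the thread (VirusTotal behaviour tab).
CERT_URLS = [
    "http://ccsca2021.ocsp-certum.com",
    "http://crl.certum.pl/ctnca.crl",
    "http://repository.certum.pl/ctnca.cer",
]
# Constructed nslookup answers (documentation-range IPs, not real ones).
RESOLVED = {
    "ccsca2021.ocsp-certum.com": ["192.0.2.10", "192.0.2.11"],
    "crl.certum.pl": ["198.51.100.20"],
    "repository.certum.pl": ["198.51.100.21"],
}
# Constructed firewall log; this line format is hypothetical.
LOG = """\
2023-05-12 22:10:01 BLOCK OUT TCP XMouseButtonControl.exe 192.0.2.10:80
2023-05-12 22:10:01 BLOCK OUT TCP XMouseButtonControl.exe 198.51.100.20:80
2023-05-12 22:10:02 BLOCK OUT TCP XMouseButtonControl.exe 203.0.113.77:80
2023-05-12 22:10:05 BLOCK OUT TCP XMouseButtonControl.exe 192.0.2.11:443
"""
LINE = re.compile(r"^\S+ \S+ \w+ OUT TCP \S+ ([\d.]+):(\d+)$")

def purpose(u):
    # Role of a parsed URL in certificate chain validation.
    if "ocsp" in u.hostname:
        return "OCSP"
    return {".crl": "CRL", ".cer": "issuer-cert"}.get(u.path[-4:], "unknown")

def build_index(urls, resolved):
    # Map (ip, port) -> (purpose, host) for every expected endpoint.
    index = {}
    for url in urls:
        u = urlparse(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        for ip in resolved.get(u.hostname, []):
            index[(ip, port)] = (purpose(u), u.hostname)
    return index

def triage(log, index):
    # One (ip, port, verdict) row per parsed line; no match means still open.
    rows = []
    for m in filter(None, map(LINE.match, log.splitlines())):
        ip, port = m.group(1), int(m.group(2))
        rows.append((ip, port, " ".join(index.get((ip, port), ("unexplained",)))))
    return rows
```

Because CDN addresses are shared between many sites and change over time, a match only shows the connection is consistent with a revocation or issuer-certificate fetch; rows left as "unexplained" are the ones to follow up per process.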