Log Entry for Attempted Connection to Server NOT on my list..

Feedback about snapshots

Postby adcprod » Thu Apr 14, 2016 8:36 pm

We have some very restrictive firewall policies where I work. We block the default Mumble port except to approved IPs. Anyway, we've observed attempted connections to:

tylerr.noip.me: 64738

Address lookup
canonical name tylerr.noip.me.
aliases
addresses 50.82.173.5

This appears to resolve to some guy's cable modem.

http://whatismyipaddress.com/ip/50.82.173.5

It also appears to be a valid Murmur/Mumble server:
======================================================================
:~$ openssl s_client -showcerts -connect tylerr.noip.me:64738
CONNECTED(00000003)
depth=0 CN = Murmur Autogenerated Certificate v2
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = Murmur Autogenerated Certificate v2
verify return:1
---
Certificate chain
0 s:/CN=Murmur Autogenerated Certificate v2
i:/CN=Murmur Autogenerated Certificate v2
---
Server certificate
subject=/CN=Murmur Autogenerated Certificate v2
issuer=/CN=Murmur Autogenerated Certificate v2
---
No client certificate CA names sent
---
SSL handshake has read 1178 bytes and written 633 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: D99E7D0D1010F01835F927BC72CDA9144C1235A0929A9F9D9BA935B8D199AF48
Session-ID-ctx:
Master-Key: BF57F8696A3D0A05E65B8623B5461C2D78FC9B4323F71DCE8253608DEBE18B1BA49D59FD2601ABB23C85E68AA7CB16AC
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)

Start Time: 1460664467
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
==========================================================================================
This seems to be the only automatic connection attempt from the Windows client software (outside of our own servers). Is this by design? If so, why? (BTW, I searched source code from GitHub and did not find reference to this server. I did use pre-compiled binaries though and wonder if something else is stuffed in there.)

This was observed with the most stable Win client code. (I realize this is the snapshots thread, but I'm not sure where else to post this.)

Thanks!

P.S. By the way, I'm new here and this is hands-down the best audio VOIP software I've ever used. Thanks so much for your hard work! :D
adcprod
 
Posts: 1
Joined: Thu Apr 14, 2016 8:24 pm

Re: Log Entry for Attempted Connection to Server NOT on my li

Postby hacst » Thu Jun 02, 2016 7:11 pm

That's none of ours. I am not quite sure I understand under what conditions this was seen, but the public server list or a custom favourite would seem like obvious culprits that could trigger such an alert.

The name lookup could be a favourite or public server. Though for the public servers you should see much more than those depending on the locale you are in.

If you open Mumble for the first time or don't have any custom servers added, the default setting for it is to retrieve the public server list from one of our hosts (*.mumble.hive.no or *.mumble.info). It then uses your locale to decide which country to display to you and expands the list in the connection dialog. To be able to display ping and populations on the servers the dialog displays, we perform a name-lookup and send UDP ping (not an ICMP ping) packets to the Mumble port (mostly 64738) of the hosts.

If you have one or more favorite servers, the public list won't be retrieved. Unless you expand it, all you should see is Mumble resolving and pinging your favourites.

In corporate settings where you don't want to display the publist in the first place, you can completely hide the point from the connection dialog by setting "disablepubliclist" to "true" in HKEY_CURRENT_USER\Software\Mumble\Mumble\ui .

Hope that helps
hacst
Team member
 
Posts: 338
Joined: Wed Sep 23, 2009 4:28 pm
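
Added example, not part of the thread or of Mumble's code: one way to triage firewall log rows for the traffic the reply above describes, separating the UDP server-list ping fan-out from TCP connection attempts to the Mumble port. The log layout, the allowlist, the addresses and the fan-out threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

MUMBLE_PORT = 64738  # default Mumble port named in the thread
# Constructed allowlist and log rows. The CSV layout (time, src, dst, proto,
# port, action) is an assumption, not any real firewall's export format.
APPROVED = [ipaddress.ip_network("192.0.2.0/28")]
SAMPLE_LOG = """\
2016-04-14T20:01:02,10.1.1.23,192.0.2.5,udp,64738,allow
2016-04-14T20:01:02,10.1.1.23,198.51.100.7,udp,64738,deny
2016-04-14T20:01:02,10.1.1.23,198.51.100.9,udp,64738,deny
2016-04-14T20:01:03,10.1.1.23,203.0.113.40,udp,64738,deny
2016-04-14T20:05:10,10.1.1.57,203.0.113.99,udp,64738,deny
2016-04-14T20:05:11,10.1.1.57,203.0.113.99,tcp,64738,deny
2016-04-14T20:06:00,10.1.1.57,203.0.113.80,tcp,443,allow
"""

def is_approved(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED)

def triage(log_text, fanout_threshold=3):
    """Classify each client by its traffic to unapproved hosts on the Mumble port.

    UDP to several hosts with no TCP matches the server-list ping described in
    the reply; UDP to a few hosts matches favourites being pinged; any TCP
    means the client tried to open an actual (TLS) connection to that host.
    """
    udp, tcp = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue  # skip malformed rows
        _ts, src, dst, proto, port, _action = parts
        if not port.isdigit() or int(port) != MUMBLE_PORT or is_approved(dst):
            continue  # other ports and approved servers are out of scope
        if proto.lower() == "tcp":
            tcp[src].add(dst)
        elif proto.lower() == "udp":
            udp[src].add(dst)
    report = {}
    for src in sorted(set(udp) | set(tcp)):
        if tcp[src]:
            verdict = "connect-attempt"
        elif len(udp[src]) >= fanout_threshold:
            verdict = "server-list-ping"
        else:
            verdict = "favourite-ping"
        report[src] = {"verdict": verdict, "udp": sorted(udp[src]), "tcp": sorted(tcp[src])}
    return report
```

Calling triage(SAMPLE_LOG) returns one entry per client; hosts behind a "connect-attempt" verdict are the ones to compare against that user's favourites list.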

