adcprod
Posted April 14, 2016

We have some very restrictive firewall policies where I work. We block the default Mumble port except to approved IPs. Anyway, we've observed attempted connections to:

tylerr.noip.me: 64738

Address lookup
canonical name  tylerr.noip.me.
aliases
addresses  50.82.173.5

This appears to resolve to some guy's cable modem.
http://whatismyipaddress.com/ip/50.82.173.5

It also appears to be a valid Murmur/Mumble server:

======================================================================
:~$ openssl s_client -showcerts -connect tylerr.noip.me:64738
CONNECTED(00000003)
depth=0 CN = Murmur Autogenerated Certificate v2
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = Murmur Autogenerated Certificate v2
verify return:1
---
Certificate chain
 0 s:/CN=Murmur Autogenerated Certificate v2
   i:/CN=Murmur Autogenerated Certificate v2
---
Server certificate
subject=/CN=Murmur Autogenerated Certificate v2
issuer=/CN=Murmur Autogenerated Certificate v2
---
No client certificate CA names sent
---
SSL handshake has read 1178 bytes and written 633 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: D99E7D0D1010F01835F927BC72CDA9144C1235A0929A9F9D9BA935B8D199AF48
    Session-ID-ctx:
    Master-Key: BF57F8696A3D0A05E65B8623B5461C2D78FC9B4323F71DCE8253608DEBE18B1BA49D59FD2601ABB23C85E68AA7CB16AC
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    Start Time: 1460664467
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
======================================================================

This seems to be the only automatic connection attempt from the Windows client software (outside of our own servers). Is this by design? If so, why? (BTW, I searched source code from GitHub and did not find reference to this server. I did use pre-compiled binaries though and wonder if something else is stuffed in there.)

This was observed with the most stable Win client code. (I realize this is the snapshots thread, but I'm not sure where else to post this.)

Thanks!

P.S. By the way, I'm new here and this is hands-down the best audio VOIP software I've ever used. Thanks so much for your hard work! :D

hacst (Administrators)
Posted June 2, 2016

That's none of ours. I am not quite sure I understand under what conditions this was seen, but the public server list or a custom favourite would seem like obvious culprits that could trigger such an alert.

The name lookup could be a favourite or public server. Though for the public servers you should see much more than those depending on the locale you are in.

If you open Mumble for the first time or don't have any custom servers added, the default setting for it is to retrieve the public server list from one of our hosts (*.mumble.hive.no or *.mumble.info). It then uses your locale to decide which country to display to you and expands the list in the connection dialog. To be able to display ping and populations on the servers the dialog displays, we perform a name-lookup and send UDP ping (not an ICMP ping) packets to the mumble port (mostly 64738) of the hosts.

If you have one or more favorite servers the public list won't be retrieved. Unless you expand it, all you should see is Mumble resolving and pinging your favourites.

In corporate settings where you don't want to display the publist in the first place you can completely hide the point from the connection dialog by setting "disablepubliclist" to "true" in HKEY_CURRENT_USER\Software\Mumble\Mumble\ui.

Hope that helps
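
The distinction drawn in the reply above (public-list pings fan out over UDP to many hosts, favourites touch only a few) can be checked against firewall logs. The following is an added example, not part of the thread or of Mumble's code; the log format, the threshold of 10 destinations, the verdict names and all hosts and addresses are constructed assumptions.

```python
from collections import defaultdict

MUMBLE_PORT = 64738          # default Mumble port named in the thread
PUBLIC_LIST_MIN_DESTS = 10   # assumed cut-off for "much more than those"

def parse_line(line):
    """Parse 'time src proto dst port action' (constructed format); None if malformed."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    _, src, proto, dst, port, action = parts
    return {"src": src, "proto": proto.lower(), "dst": dst.lower(),
            "port": int(port), "action": action}

def classify(log_text):
    """Map each source host to a verdict about its traffic to the Mumble port."""
    dsts = {"udp": defaultdict(set), "tcp": defaultdict(set)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] != MUMBLE_PORT or rec["proto"] not in dsts:
            continue
        dsts[rec["proto"]][rec["src"]].add(rec["dst"])
    verdicts = {}
    for src in set(dsts["udp"]) | set(dsts["tcp"]):
        if len(dsts["udp"].get(src, ())) >= PUBLIC_LIST_MIN_DESTS:
            verdicts[src] = "public-list-ping"   # UDP fan-out: list expanded in the dialog
        elif dsts["tcp"].get(src):
            verdicts[src] = "connect-attempt"    # assumed: TCP means a real connection try
        else:
            verdicts[src] = "favourite-ping"     # a few UDP targets: saved favourites
    return verdicts

def sample_log():
    """Constructed log: one client expanding the public list, two with a favourite."""
    lines = [f"2016-04-14T20:00:{i:02d}Z 10.0.0.5 udp srv{i}.example.net 64738 deny"
             for i in range(25)]
    lines += [
        "2016-04-14T20:01:00Z 10.0.0.9 udp voice.example.org 64738 deny",
        "2016-04-14T20:01:01Z 10.0.0.9 tcp voice.example.org 64738 deny",
        "2016-04-14T20:01:05Z 10.0.0.7 udp voice.example.org 64738 deny",
        "2016-04-14T20:01:06Z 10.0.0.7 tcp www.example.org 443 allow",
        "garbage line",
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    for src, verdict in sorted(classify(sample_log()).items()):
        print(src, verdict)
```

A client that only ever shows one destination, as in the original report, lands in the favourite or connect-attempt bucket, which points at a saved server entry on that machine rather than the public list.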