
Java 1.6.0_10 b25 installer: suspicious connection attempts?

2 replies
davester
Joined: 2007-01-26

Hello Sun Java installer buildmeisters,

I just tried installing Java 1.6.0_10 b25 offline install distro, and ZoneAlarm alerted about some connection attempts that the installer was trying to make. I supposed that this being the offline installer, these connection attempts were perhaps malicious or sneaky, so I blocked them. The installation was able to complete without problems. Perhaps it's someone's debug code that was left on in the distro, but I wanted to call your attention to it.

Before any dialogs came up, the installer was attempting to connect to two different IP addresses that I did not recognize. One was a DNS call, and that might not be a big deal or might be expected. The other was an HTTP call, and that one looked suspicious.

Here are the addresses that Zoney caught your installer trying to hit:

74.125.15.98 : DNS
72.5.124.55 : HTTP

I think those addresses are hard coded into the installer, at least the HTTP one is, because I ran the installer many times and kept seeing it hit that same IP address.

I took the liberty of running some traceroutes on those addresses; neither address resolved to any name, but the traceroutes went far enough for me to raise an eyebrow or three.

Tracing route to 74.125.15.98 over a maximum of 30 hops

[snip]
4 17 ms 17 ms 15 ms 220.ge-0-1-0.cr2.sea1.speakeasy.net [69.17.83.233]
5 16 ms 15 ms 15 ms six.sea01.google.com [198.32.180.17]
6 16 ms 17 ms 17 ms 209.85.255.61
7 33 ms 22 ms 21 ms 72.14.239.12
8 178 ms 35 ms 88 ms 216.239.47.185
9 52 ms 50 ms 51 ms 209.85.249.143
10 50 ms 51 ms 51 ms 209.85.249.78
11 51 ms 49 ms 51 ms 74.125.15.98

Tracing route to 72.5.124.55 over a maximum of 30 hops

[snip]
6 27 ms 17 ms 18 ms ae-32-54.ebr2.Seattle1.Level3.net [4.68.105.126]
7 20 ms 18 ms 17 ms ae-1-100.ebr1.Seattle1.Level3.net [4.69.132.17]
8 33 ms 33 ms 33 ms ae-1-5.bar1.SanFrancisco1.Level3.net [4.69.140.149]
9 34 ms 33 ms 33 ms ae-0-11.bar2.SanFrancisco1.Level3.net [4.69.140.146]
10 33 ms 33 ms 33 ms ae-4-4.car2.SanFrancisco1.Level3.net [4.69.133.157]
11 35 ms 35 ms 35 ms INTERNAP-NE.car2.SanFrancisco1.Level3.net [4.71.44.6]
12 35 ms 35 ms 35 ms border2.te8-1-bbnet2.sfo002.pnap.net [63.251.63.82]
13 * * * Request timed out.
14 * * * Request timed out.

Ok, so, hits to someplace in Google and maybe someone's home/office PC in San Francisco? Seems very very fishy. Uncool! I declare possible shenanigans, even for a beta test since this is Java and not Corel Draw or something made by Microsoft! ;)

Sun, please tell us there's nothing to see here and tell us what these connections are for.

Thanks,
Dave Woldrich
http://CardMeeting.com

gmpassos
Joined: 2008-04-05

Use a sniffer and see what it is trying to access, and what it is sending (GET or POST data).

jkeatley
Joined: 2004-05-04

That was an attempt to access http://java.sun.com/. The first access to DNS was probably to look up java.sun.com. I know the online installer needs to go there to download cabs, etc. I wouldn't be so quick to attribute an evil motive to the developers, because that's a legitimate address. If you're worried about it, get the source code and study it. You can do that here.
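As an added example (not code from any poster in this thread or from Sun): a small parser for the kind of request a sniffer, as gmpassos suggests, would capture from the installer, checking the Host header against java.sun.com, the address jkeatley identifies. The request bytes and the URL path in the sample are constructed; the allowlist is an assumption for triage, not a list of every endpoint the installer uses.

```python
import re
from urllib.parse import urlsplit

# Hosts the installer is expected to contact; the thread identifies java.sun.com.
# This is a triage allowlist for the capture, not a full list of Sun endpoints.
EXPECTED_HOSTS = {"java.sun.com"}

# Constructed sample of what a sniffer would show for the HTTP attempt to
# 72.5.124.55 (the path is made up; only the Host header matters here).
SAMPLE_REQUEST = (
    b"GET /update/1.6.0/map-1.6.0.xml HTTP/1.1\r\n"
    b"Host: java.sun.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, host, headers, body).
    The Host header (or an absolute-form request target) names the server the
    installer meant to reach, whatever IP address the DNS lookup returned.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.fullmatch(r"([A-Z]+) (\S+) HTTP/\d\.\d", lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    method, target = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if target.startswith("http://"):      # absolute-form target, as sent to a proxy
        host = urlsplit(target).hostname or host
    if host and ":" in host:
        host = host.split(":", 1)[0]      # drop an explicit port from "host:port"
    return method, target, host, headers, body

def classify_request(raw: bytes, expected=EXPECTED_HOSTS) -> str:
    """Return 'expected: ...' for a GET to an allowlisted host, else 'review: ...'."""
    method, target, host, headers, body = parse_http_request(raw)
    if host is None:
        return "review: no Host header"
    if host not in expected:
        return "review: unexpected host %s" % host
    if method == "POST" and body:             # data leaving the machine deserves a look
        return "review: %s sends %d bytes of data to %s" % (method, len(body), host)
    return "expected: %s %s" % (host, target)
```

Running it over the requests captured for each connection attempt tells you which name the installer was after, which is the fact the IP address and traceroute alone could not give.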