
Kerio User Forums » Kerio Connect » Kerio Connect Desktop Client - outgoing connections
flanta

Hi,

In the last days I've been using the Kerio Connect Desktop Application for the first time.
When I initially opened it, Little Snitch showed up and gave me some information about the servers that are connected.
Besides my mail server and Apple (I guess to check the signed app?) it also connects to the CDN sites Akamai and CloudFront.
Also, one warning told me it tries to connect to a, for me, unwanted domain (see screenshots).
This was kind of strange, so I tested it on a different device (clean OS X install, nothing else installed except Little Snitch and the OS X Server app),
but got a similar result: Little Snitch showed up and gave the notice that the Kerio app is trying to contact another subdomain of the above-mentioned unwanted domain.
On other devices there was no connection to one of these domains but instead direct connections to CloudFront itself (where both unwanted domains pointed to).
Unfortunately I do not have the IP it tried to connect to when the warning was there, so I can not see if it maybe was just a wrongly set up reverse DNS record.

But the question is, what data exactly is transferred to or from these CDNs?
Thank you in advance!

Here are some open connections not to our mail server; screenshots with the connections to the unwanted domains are attached:
TCP 192.168.*.*:49256->a23-201-162-208.deploy.static.akamaitechnologies.com:https (ESTABLISHED)
TCP 192.168.*.*:49257->2.21.246.48:http (ESTABLISHED)
TCP 192.168.*.*:49259->server-52-85-173-254.fra6.r.cloudfront.net:https (ESTABLISHED)

PS: I didn't want to write the domains as text; they can be viewed within the screenshots.

  • Attachment: kc4.png (43.59KB)
  • Attachment: kc5.png (93.19KB)

[Updated on: Mon, 05 September 2016 23:39]
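The open-connection list pasted above can be checked against an allowlist automatically instead of by eye. The following Python is an added example and is not code from the forum post or from Kerio: it parses the NAME column of `lsof -i TCP` output (the format of the three lines above), keeps only established connections, and reports remote endpoints that are neither the configured mail server nor a host under its domain. It also answers the later question in this thread of which destinations a client reaches beyond the mail server itself. The sample lines, the local address 192.168.1.20 and the mail server name mail.example.test are constructed.

```python
"""Added example (not from the forum post or Kerio): parse the NAME column
of `lsof -i TCP` output and report established remote endpoints that are
not on an allowlist of expected hosts. Sample data is constructed."""
import re
from typing import Dict, List, Optional

# Matches e.g. "TCP 192.168.1.20:49256->host.example:https (ESTABLISHED)".
# Each side is "addr:port"; the port is split at the last colon, so bracketed
# IPv6 literals such as "[::1]:631" parse as well. Listening sockets have no
# "->" and therefore do not match.
_CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+):(?P<lport>[\w-]+)->"
    r"(?P<remote>\S+):(?P<rport>[\w-]+)"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def parse_lsof_name(line: str) -> Optional[Dict[str, str]]:
    """Parse one lsof NAME entry; None for listening sockets or other formats."""
    m = _CONN_RE.match(line.strip())
    return m.groupdict() if m else None


def host_allowed(remote: str, allowed: List[str]) -> bool:
    """True if remote equals an allowed host or lies under an allowed domain."""
    remote = remote.lower().strip("[]")
    for entry in allowed:
        entry = entry.lower()
        if remote == entry or remote.endswith("." + entry):
            return True
    return False


def unexpected_connections(lines: List[str], allowed: List[str]) -> List[Dict[str, str]]:
    """Established connections whose remote endpoint is not on the allowlist.

    A bare IP as remote (no DNS name available) is reported too, because it
    cannot be matched against a name-based allowlist and deserves a look."""
    findings = []
    for line in lines:
        conn = parse_lsof_name(line)
        if conn is None or conn.get("state") != "ESTABLISHED":
            continue
        if not host_allowed(conn["remote"], allowed):
            findings.append(conn)
    return findings


# Constructed sample in the format of the post: a private local address,
# CDN hostnames and a bare IP as remotes, plus the configured mail server.
SAMPLE_LSOF = [
    "TCP 192.168.1.20:49256->a23-201-162-208.deploy.static.akamaitechnologies.com:https (ESTABLISHED)",
    "TCP 192.168.1.20:49257->2.21.246.48:http (ESTABLISHED)",
    "TCP 192.168.1.20:49259->server-52-85-173-254.fra6.r.cloudfront.net:https (ESTABLISHED)",
    "TCP 192.168.1.20:49260->mail.example.test:imaps (ESTABLISHED)",
    "TCP 192.168.1.20:49261->mail.example.test:https (CLOSE_WAIT)",
    "TCP *:49300 (LISTEN)",
]
# The only host the client is configured for (constructed name).
ALLOWED_HOSTS = ["mail.example.test"]

if __name__ == "__main__":
    for c in unexpected_connections(SAMPLE_LSOF, ALLOWED_HOSTS):
        print(f"{c['proto']} {c['local']}:{c['lport']} -> {c['remote']}:{c['rport']}")
```

When collecting real input, `lsof -nP -i TCP` prints raw addresses and port numbers instead of reverse-DNS names and service names, which avoids the reverse-lookup ambiguity discussed further down in this thread; the parser above accepts both forms.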

Petr Dobry (Kerio)

Sounds like your Mac is "infected" with MacKeeper (http://www.imore.com/avoid-mackeeper).

Petr Dobry
Product Development Manager | Kerio

Carsten Maas (Kerio)

Check your system with the Malwarebytes Anti-Malware tool
https://www.malwarebytes.com/antimalware/mac/

and also check your system for any other suspicious software with EtreCheck
http://www.etrecheck.com

Any further diagnostic hints should then be discussed in a dedicated Apple forum like, for example, apfeltalk
https://www.apfeltalk.de

Carsten Maas
Technical Marketing Engineer
Kerio Technologies

flanta

Hello Petr, hello Carsten,

That's what I also thought first. And that's also why I immediately had a look at my Mac, and MacKeeper is not installed. That's why I tried it on a 2nd and 3rd Mac. One of them has only Little Snitch installed, OS X Server running, no other connections, and one was just reinstalled from scratch. The first one also had a warning that the Kerio Connect app is trying to contact static-cdn.mackeeper.com
and it had opened HTTPS connections to Akamai and CloudFront (the MacKeeper domains also pointed to CloudFront).
Also, it wasn't a random process that tried to contact the MacKeeper domains, it was "Kerio Connect.app", the newly installed application. No others are trying to get in contact with those domains.
The TCP connections mentioned above were also from the process Kerio Connect.app
(lsof -i TCP | grep Kerio)

What I guess is that the hostname shown by Little Snitch was simply wrong, possibly wrongly cached in their database or a wrong reverse DNS record.
Regardless of this, I was wondering why there are open connections to CloudFront and what they are doing, even if the warning in Little Snitch is just a false alarm.

Regards

[Updated on: Tue, 06 September 2016 07:22]

Carsten Maas (Kerio)

I would run EtreCheck anyway to see whether something from MacKeeper or Zeobit is installed on those systems.

I also have Little Snitch running and I have the Kerio Connect Client installed, and I have never seen such requests.

Carsten Maas
Technical Marketing Engineer
Kerio Technologies

flanta

Hi Carsten,

I did, and no adware was found.
What I did find was a post in the Little Snitch forum from hagen:

Quote:
Little Snitch wants to show the hostname recently entered by the user or used by a process, not the reverse lookup name returned by the Domain Name System (DNS) because the reverse lookup name is often very cryptic. It therefore watches all DNS requests and responses on UDP and TCP ports 53 and 5353, and remembers the names which led to a particular IP address.

If there are multiple names which resolve to a given address, it guesses the "best" name (usually the last one used) to present to the user. In the Connection Alert and in Little Snitch Network Monitor's connection list, you can view the other names by clicking the hostname.


https://forums.obdev.at/viewtopic.php?t=8859
(Sorry for the link being cut, but I need more than 5 posts to send one)

So it seems that Little Snitch thought the connection to CloudFront was from MacKeeper. First it gave me a bad feeling about the client, but this looks like a good explanation why MacKeeper domains were the hostname in Little Snitch.

Anyway, we do not know why they are connecting to these CloudFront IPs.


BTW, even if it was not necessary, I appreciate the help you give users that might have got a system full of adware and other things.

Regards

[Updated on: Tue, 06 September 2016 09:21]
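The quoted explanation of how Little Snitch picks the displayed hostname can be made concrete. The Python below is an added example written for this thread, not Little Snitch's code and not Kerio's: it models a cache that records every DNS answer seen (name to address) and, for a connection to an address, shows the most recently used name rather than the reverse-DNS name. On a CDN edge address shared by many customers this is exactly how an unrelated vendor's name ends up attached to a legitimate connection. All names and addresses are constructed (the 203.0.113.0/24 documentation range and .example names).

```python
"""Added example (not Little Snitch's or Kerio's code): a model of the
'last name that resolved to this address' display heuristic quoted above,
and a replay of how a shared CDN address picks up an unrelated name.
All names and addresses are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional


class DnsNameCache:
    """Remembers which names resolved to which address, oldest first."""

    def __init__(self) -> None:
        # address -> names that resolved to it; the last entry is the most recent
        self._names: Dict[str, List[str]] = defaultdict(list)

    def observe_answer(self, name: str, address: str) -> None:
        """Record one DNS answer as the firewall would see it on port 53/5353."""
        names = self._names[address]
        if name in names:
            names.remove(name)  # re-resolved: becomes the most recent name again
        names.append(name)

    def best_name(self, address: str) -> Optional[str]:
        """The single 'best' guess shown in an alert: the last name used."""
        names = self._names.get(address)
        return names[-1] if names else None

    def all_names(self, address: str) -> List[str]:
        """Every name known for the address (what clicking the hostname reveals)."""
        return list(self._names.get(address, []))


def connection_alert(cache: DnsNameCache, process: str, address: str) -> Dict[str, object]:
    """Mimic the alert: the displayed label plus the alternative names.

    'ambiguous' is the defender's cue: when more than one name maps to the
    address, the shown label says nothing about which service the process
    actually wanted."""
    names = cache.all_names(address)
    return {
        "process": process,
        "address": address,
        "shown": cache.best_name(address) or address,
        "alternatives": names[:-1],
        "ambiguous": len(names) > 1,
    }


def scenario() -> Dict[str, object]:
    """Constructed replay of the situation in this thread on a shared CDN edge."""
    cache = DnsNameCache()
    cdn_edge = "203.0.113.10"  # constructed CDN edge address shared by tenants
    # 1. The mail client resolves its update host (constructed name) to the edge.
    cache.observe_answer("updates.mailclient.example", cdn_edge)
    # 2. Later a web page loads an asset from an unrelated tenant on the same edge.
    cache.observe_answer("static-cdn.unrelated-vendor.example", cdn_edge)
    # 3. The mail client reconnects to the edge; the alert shows the last name.
    return connection_alert(cache, "Mail Client.app", cdn_edge)


if __name__ == "__main__":
    alert = scenario()
    print(f"{alert['process']} -> {alert['address']} shown as {alert['shown']}")
    print("other names for this address:", alert["alternatives"])
```

The practical check this suggests: when an alert names a surprising domain, look at the raw address and the other names recorded for it before concluding which service the process contacted; a reverse lookup of the address (for example with `host` or `dig -x`) gives the operator's name for the edge rather than any tenant's.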

Petr Dobry (Kerio)

The Connect desktop application connects to Amazon AWS in order to check for and download application updates.
It does not connect to Akamai and does not use "mackeeper.com" domains.

Petr Dobry
Product Development Manager | Kerio

flanta

Thank you, Petr.

As said, it was only a mistake from Little Snitch that showed the wrong domain.
krandy

I also found some suspicious connection attempts from the Connect client.
I have tried to install the client on two different systems, one newly installed, and I get the following results from both systems.

connect client -> pancake.apple.com TCP/443 (http)
connect client -> gsp1.apple.com TCP/80 (http)
connect client -> 85lcyw4lt6.execute-api.us-west-2.amazonaws.com TCP/443 (http)

I don't want to risk my password leaking out on the internet, so I am denying all connections other than to the Connect server itself.
This results in a blank screen on the Connect client.
Is connecting to Apple and Amazon a requirement for the Connect client?

The server I am trying to connect to is version 9.1.1.

See screenshots for more info.


krandy

Sorry to bump this thread, but I think making a client like this is great.
Should it be possible to connect with the client to a Connect server without allowing it to connect to other destinations?

[Updated on: Fri, 16 September 2016 07:56]
