I run a program called Little Snitch on my Mac that monitors all incoming and
outgoing network activity. I have the screws tightened down pretty hard on it,
so it always asks before it allows an incoming or outgoing connection from a
program to a new address.
But in the interim, I have figured it out ... I dig a little deeper, and found
DSimmons-Pro:client dsimmons$ dig raw.githubusercontent.com
; <<>> DiG 9.8.3-P1 <<>> raw.githubusercontent.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37344
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;raw.githubusercontent.com. IN A
;; ANSWER SECTION:
raw.githubusercontent.com. 6 IN CNAME github.map.fastly.net.
github.map.fastly.net. 687 IN CNAME prod.github.map.fastlylb.net.
prod.github.map.fastlylb.net. 6 IN A 220.127.116.11
So apparently GitHub is using a shared host or load balancer that resolves
to the same address as a bunch of other websites. Like andyshora.com
<http://andyshora.com/> and deladdiogames.com <http://deladdiogames.com/> and
I'm guessing that tcpdump doesn't attempt to resolve the host name for the IP
address, but Little Snitch does, and gets a (seemingly random) hostname back
from the shared host/load balancer and therein lies the issue.
> On Oct 12, 2016, at 12:25 PM, Christopher Collins <ccoll...@apache.org> wrote:
> On Wed, Oct 12, 2016 at 09:16:00AM -0400, David G. Simmons wrote:
>> Good morning,
>> I'm a bit of a security wonk about some things, so I watch what my machine
>> is doing -- network wise -- pretty carefully. This morning, I was doing a
>> brand-new newt install and came across something odd.
>> For some reason, newt tries to make a connection to andyshora.com
>> <http://andyshora.com/> on port 443.
>> andyshora.com -> 18.104.22.168
>> Server Name: ETHEREUMCLASIC.COM
>> IP Address: 22.214.171.124
>> Registrar: GOOGLE INC.
>> Whois Server: whois.google.com
>> Referral URL: http://domains.google.com
>> Why on earth would Newt be attempting this connection? If I deny the
>> connection request, newt fails.
> I don't see that same behavior. While running tcpdump, I executed the
> following commands (latest develop branch of newt):
> newt new myproj3
> cd myproj3
> newt install
> The only peer I see newt connecting to is github (a variety of IP
> Which branch of newt are you using? Also, out of curiosity, how did you
> determine that it is newt that tries to connect to that domain?
David G. Simmons
There are only 2 hard things in computer science: Cache invalidation, naming
things, and off-by-one errors.
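
The shared-address effect described in the message, as an added example that is not part of the original thread: it parses dig ANSWER lines, follows CNAME chains and groups every queried name by the address it ends at, so the label a connection monitor shows for an address can be checked against the names that share it. The records are constructed (hostnames from the message, a documentation address), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ANSWER section in the thread; hostnames
# come from the message, the address is a documentation IP (assumption).
DIG_ANSWERS = """\
raw.githubusercontent.com. 6 IN CNAME github.map.fastly.net.
github.map.fastly.net. 687 IN CNAME prod.github.map.fastlylb.net.
prod.github.map.fastlylb.net. 6 IN A 203.0.113.10
andyshora.com. 300 IN A 203.0.113.10
"""

RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")

def parse_answers(text):
    """Return (cnames, addrs) from dig ANSWER-section lines."""
    cnames, addrs = {}, defaultdict(set)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skips ';' comment lines, blanks and other record types
        owner, rtype, rdata = m.group(1).lower(), m.group(2), m.group(3)
        if rtype == "CNAME":
            cnames[owner] = rdata.lower()
        else:
            addrs[owner].add(rdata)
    return cnames, addrs

def names_by_ip(text):
    """Map each IP to every name whose CNAME chain ends at it."""
    cnames, addrs = parse_answers(text)
    result = defaultdict(set)
    for start in set(cnames) | set(addrs):
        name, seen = start, set()
        while name in cnames and name not in seen:  # guard against CNAME loops
            seen.add(name)
            name = cnames[name]
        for ip in addrs.get(name, ()):
            result[ip].add(start.rstrip("."))
    return result

def explain(ip, shown_label, text=DIG_ANSWERS):
    """Report whether the label a monitor shows for `ip` is one of several co-hosted names."""
    names = names_by_ip(text).get(ip, set())
    if shown_label in names and len(names) > 1:
        return f"{ip} is shared: {shown_label} is one of {sorted(names)}"
    return f"{ip}: no forward record seen for {shown_label}"
```

Feeding it the answers collected for the names a tool is expected to contact shows when an unexpected label in a firewall prompt is a co-hosted name on the same address.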