Hi Chris, I run a program called Little Snitch on my Mac that monitors all incoming and outgoing network activity. I have the screws tightened down pretty hard on it, so it always asks before it allows an incoming or outgoing connection from a program to a new address.
But in the interim, I have figured it out ... I dug a little deeper, and found this:

DSimmons-Pro:client dsimmons$ dig raw.githubusercontent.com

; <<>> DiG 9.8.3-P1 <<>> raw.githubusercontent.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37344
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;raw.githubusercontent.com.        IN    A

;; ANSWER SECTION:
raw.githubusercontent.com.    6    IN    CNAME    github.map.fastly.net.
github.map.fastly.net.        687  IN    CNAME    prod.github.map.fastlylb.net.
prod.github.map.fastlylb.net. 6    IN    A        151.101.32.133

So apparently github is using a shared-hosting or load-balancer that resolves to the same address as a bunch of other websites, like andyshora.com <http://andyshora.com/> and deladdiogames.com <http://deladdiogames.com/> and probably others. I'm guessing that TCPDump doesn't attempt to resolve the host name for the IP address, but Little Snitch does, and gets a (seemingly random) hostname back from the shared host/load balancer, and therein lies the issue.

dg

> On Oct 12, 2016, at 12:25 PM, Christopher Collins <[email protected]> wrote:
>
> On Wed, Oct 12, 2016 at 09:16:00AM -0400, David G. Simmons wrote:
>> Good morning,
>>
>> I'm a bit of a security wonk about some things, so I watch what my machine
>> is doing -- network wise -- pretty carefully. This morning, I was doing a
>> brand-new newt install and came across something odd.
>>
>> For some reason, newt tries to make a connection to andyshora.com
>> <http://andyshora.com/> on port 443.
>> andyshora.com -> 151.101.32.133
>> Server Name: ETHEREUMCLASIC.COM
>> IP Address: 151.101.32.133
>> Registrar: GOOGLE INC.
>> Whois Server: whois.google.com
>> Referral URL: http://domains.google.com
>>
>>
>> Why on earth would Newt be attempting this connection? If I deny the
>> connection request, newt fails.
>
> I don't see that same behavior. While running tcpdump, I executed the
> following commands (latest develop branch of newt):
>
> newt new myproj3
> cd myproj3
> newt install
>
> The only peer I see newt connecting to is github (a variety of IP
> addresses).
>
> Which branch of newt are you using? Also, out of curiosity, how did you
> determine that it is newt that tries to connect to that domain?
>
> Thanks,
> Chris

--
David G. Simmons
(919) 534-5099
Web <https://davidgs.com/> • Blog <https://davidgs.com/davidgs_blog> • Linkedin <http://linkedin.com/in/davidgsimmons> • Twitter <http://twitter.com/TechEvangelist1> • GitHub <http://github.com/davidgs>

/** Message digitally signed for security and authenticity.
 * If you cannot read the PGP.sig attachment, please go to
 * http://www.gnupg.com/ <http://www.gnupg.com/> Secure your email!!!
 * Public key available at keyserver.pgp.com <http://keyserver.pgp.com/>
 **/

♺ This email uses 100% recycled electrons. Don't blow it by printing!

There are only 2 hard things in computer science: Cache invalidation, naming things, and off-by-one errors.
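One way to verify an alert like the one discussed in this thread, added here as an example and not code from the thread or from newt: parse the dig ANSWER SECTION, follow the CNAME chain to the CDN, and check whether the IP the firewall flagged is one the expected host actually resolves to. `SAMPLE_DIG_ANSWER` is constructed from the dig output quoted above; `live_chain` is an assumed helper that repeats the check against the real resolver.

```python
import socket

# Constructed sample: the ANSWER SECTION from the dig output quoted in the thread.
SAMPLE_DIG_ANSWER = """\
raw.githubusercontent.com. 6 IN CNAME github.map.fastly.net.
github.map.fastly.net. 687 IN CNAME prod.github.map.fastlylb.net.
prod.github.map.fastlylb.net. 6 IN A 151.101.32.133
"""


def parse_answer_section(text):
    """Turn dig ANSWER SECTION lines into (owner, rtype, rdata) tuples,
    lowercased and without the trailing dot so names compare reliably."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line or not a resource record
        owner, rtype, rdata = parts[0], parts[3].upper(), " ".join(parts[4:])
        records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records


def follow_chain(records, name):
    """Walk CNAMEs from `name` and collect the A/AAAA addresses at the end.
    The `seen` set stops a CNAME loop in broken or hostile zone data."""
    chain, addrs, seen = [], [], set()
    current = name.rstrip(".").lower()
    while current not in seen:
        seen.add(current)
        chain.append(current)
        addrs += [r for o, t, r in records if o == current and t in ("A", "AAAA")]
        cnames = [r for o, t, r in records if o == current and t == "CNAME"]
        if not cnames:
            break
        current = cnames[0]
    return chain, addrs


def classify_alert(records, expected_host, alerted_ip):
    """Is the flagged IP one of the addresses `expected_host` resolves to
    through a shared CDN/load-balancer? Returns (verdict, cname_chain)."""
    chain, addrs = follow_chain(records, expected_host)
    verdict = "shared-cdn-address" if alerted_ip in addrs else "unexplained"
    return verdict, chain


def live_chain(expected_host):
    """Assumed helper: the same check against the real resolver (needs network).
    Returns the set of addresses the expected host resolves to right now."""
    return {ai[4][0] for ai in socket.getaddrinfo(expected_host, 443, proto=socket.IPPROTO_TCP)}


if __name__ == "__main__":
    recs = parse_answer_section(SAMPLE_DIG_ANSWER)
    print(classify_alert(recs, "raw.githubusercontent.com", "151.101.32.133"))
```

A reverse lookup of a CDN address returns whichever name the CDN chose to publish, so compare the alerted IP against the forward resolution of the host the tool is supposed to reach rather than trusting the hostname the firewall displays.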
