MozillaZine

Losing settings in NoScript (solved ; update)

Grumpus

Posts: 12136
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Posted April 8th, 2019, 11:12 am

With some of the last two updates, has anyone lost the listings in NoScript?
Specifically, normally blocked URLs changed to trusted or removed from the listings.
Also, has anyone been experiencing a high volume of hits from a range starting with 99.x.x.x and found a features folder replaced after being removed? Additionally, having webcompat.com replaced after removal and fxmonitor replaced, not only in the replaced features folder but in about:config after having been edited out. Usually these reappear after some hit from an IP in either the 99, 52 and 54 ranges.
This used to be identified as Edgecast and is now just a plain Amazon cloud server.
This also seems to me to be not only bad manners and a breach of security, doing so without notice and having opted out of studies and experiments and auto updates of anything. :-k
Last edited by Grumpus on April 17th, 2019, 7:22 am, edited 2 times in total.
Cashless society sacrifices independence, privacy and lastly liberty, encouraged by ignorance and villainy.

kerft
 
Posts: 161
Joined: January 30th, 2019, 9:38 am

Posted April 8th, 2019, 12:13 pm

Many extensions are having their data migrated from one database to another, as discussed here https://blog.mozilla.org/addons/2018/08 ... local-api/
Temporarily setting extensions.webextensions.ExtensionStorageIDB.enabled to false may recover the old settings, or the above link gives a longer process. However, this is only temporary; the new database has to be used eventually. I believe NoScript has an export your settings function that you could try.

Webcompat and fxmonitor I have only noticed being reinstalled during an upgrade, but I can't say that it doesn't happen at other times. People sometimes don't like it, but for things like these and plugins you don't like, etc., removing them is often worse than disabling them. Since if you remove them, the program will put them back and enable them. But if you just disable them they often stay disabled forever.

Grumpus

Posts: 12136
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Posted April 9th, 2019, 4:41 am

@kerft - Thanks for the clarification. The file in question was in the browser extension data folder and was marked storage.js.migrated.
What apparently they did was to diminish the listings and conditions during the migration, this is a bad thing and I'm thinking it's wrong to push any agenda, technological or otherwise, without full disclosure up front. Apparently the fxmonitor is re-installed during a system compromise by a listed aws cloud source, thinking it's Mozilla.
I was able to change the file properties and do an import which restored the previous conditions. During the process apparently there was also a NoScript update. Nothing changed after the update.
I'm experimenting with the extensions.webextensions.ExtensionStorageIDB.enabled as false, will see what happens.
What I had been doing is editing the extensions.webextensions.uuids and extensions.systemAddonSet to remove webcompat and fxmonitor parts but they keep returning.
Until I disabled the webcompat.com connection.

This is one of the lesser issues, on one system NoScript was completely removed and on another rkhunter removed and some of the security files edited to allow improper connection.

Grumpus

Posts: 12136
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Posted April 12th, 2019, 10:13 am

Update: it does not appear using the extensions.webextensions.ExtensionStorageIDB.enabled stops the installation of unwanted extensions like the fxmonitor. It does appear some extensions not installed by Mozilla do hold once changed, as in the NoScript issue.
It's unfortunate but you have to watch the features folder and the default storage to maintain them while online.
There is a complete lack of security and bollixing the system security this morning allowed a Russian IP to access and dump Timeshift, the system recovery program.
Mozilla need to stop being so empirical as it's only causing damages to systems now.
The rascals used the dolls method - through open providers.
64.31.0.0/18
64.31.6.154
64.210.128.0/19
64.210.158.70
66.254.96.0/19
66.254.99.246
There's also an increase in garbage from 192.168.3.4 - appears static and maybe local

kerft
 
Posts: 161
Joined: January 30th, 2019, 9:38 am

Posted April 12th, 2019, 1:14 pm

I don't know the recommended way to prevent system add-ons from reinstalling themselves. On Windows they are in program files\mozilla firefox\browser\features, as xpi files. Linux has similar, I guess. Deleting them does not prevent them from coming back. Can the features directory be set as read only, would that fix it? Maybe some dummy files in place of the xpis?

As for rkhunter or timeshift being disabled or removed. You are concluding that hackers or malware are getting in and disabling these features. On Linux, security flaws are pretty rare. I would think it is much more likely there is another explanation. Something silly like installing the programs to a temporary directory that is automatically deleted, or to another user's account. Setting their service to start once, but not auto-start on every boot, so they disappear when you restart. Or, updating them or auto-updating them, and during the update config files are automatically overwritten by the maintainer's default config files.

NoScript disappearing, again, I would think is more likely to be a profile getting switched to a different user's profile, or corrupted by a bad shutdown, or accidentally clicking remove, than a hacker removing it.

Brummelchen
 
Posts: 4125
Joined: March 19th, 2005, 10:51 am

Posted April 13th, 2019, 12:06 am

192.168...

is ONLY local...
for 64...
http://rdpguard.com/free-whois.aspx?ip=64.210.137.110
where is 64.210.128.0/19 only needed when using 64.210...
66.254 same as 64.210...
users using outdated and vulnerable software probably never will get an answer from me - sticked with the past? stay alone.

Grumpus

Posts: 12136
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Posted April 15th, 2019, 4:56 am

@kerft - no user error or misguided install. All installs go through default repositories or secure Debian packages.
I'm not completely sure how this happened yet but have several ideas. I am dealing with each one, one at a time.
It has never happened before, leastwise where it was as noticeable.
Timeshift apparently is connected to github somehow but RKhunter is either standalone or in the latest repositories for Ubuntu as a Debian all.

@Brummelchen - both the 64 and 66 ips showed up while on-line, logged into 'zine and were not connected to image display or other shown link.
Since I block all advertising that also was not the source.
As to 192.168.3.4, best guess is local jackass (within a couple of hundred yards using ham radio to access internet) or possibly an unseen connection through them.

No final on this but will see.
Not to cast dispersions but there was a possible compromise of the Snap system reported in the Register a few weeks back, maybe a month or more, and am also looking at the possibility of flatpak having same/similar issues, some of this could also be signon remnants.
Also, removed the link in the signature which went to Upenn books online as there were occasional grouped hits coming through the link which interfered with connections and display.

Grumpus

Posts: 12136
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Posted Yesterday, 7:23 am

Hypo-thesis (drug induced supposition)
Looks like the issue loss of timeshift stems from a search for a printer problem and coming across a page which was an attempt to resolve a printer issue with an Epson printer, the solution recovery made with Timeshift. However it may have been a bad page or corrupted and modified a system's printer settings, quite invisibly, until an attempt to use the printer showed a change in default printer, quality of print and an indication of an attempt to send whatever was being printed to a remote IP. What indicated the IP was a large number of hits against the 445, 123, 23, 139 from Searchguide in the software's attempt to find the address.
This is also noticed when performing a page setup if on-line and the system again tries to reach out to the remote address and triggering the Searchguide software again. This traces through New York ISP of he.net (multiple derivations).
Best guess it's an attempt to steal information through sending of information to the remote IPs when a printer is trying to print on line. For Firefox look at the printer-printer and make sure it's the default printer (do this off-line).
In Thunderbird, performing the page setup and selecting the printer should alter the item in the config editor.
At first it appeared to be relative to the HP checking your printer nuisance while on-line but this modified things when the printer was off-line and powered down.

Brummelchen
 
Posts: 4125
Joined: March 19th, 2005, 10:51 am

Posted Yesterday, 8:50 am

What I wanted to say - I don't have here "Reflected Networks".
When tracing MZ I don't have any of those IPs in range.
Your provider? DNS?

"As to 192.168.3.4, best guess is local jackass"

It's a local device, you know best which one. 192.168.3.x is very uncommon, your local network? Proxy?

"Searchguide software"

is adware/malware/browser hijacker, does not matter which OS.

Grumpus

Posts: 12136
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Posted Yesterday, 10:31 am

@Brummelchen -
What was perceived as local network is some form of Sprint exploit originating in Italy or someone local in the Sprint network connected to Italy or possibly spoofing ID.
Your guess is as good as anyone's. There are two originating physical sources for the Sourceguide, one is Santa Monica, California; the other Colorado.
Why they show up when on an East Coast network can only be related to some internally installed or corrupted software.
The others; the 66.x.x.x range appears to be the Reflective network.

The one below is the egregious one which may have corrupted the print settings.

The IP range 64.31.0.0/18 - 64.31.6.154 - Limestone Networks

NetRange: 64.31.6.152 - 64.31.6.155
CIDR: 64.31.6.152/30
NetName: LSN-DLLSTX-1
NetHandle: NET-64-31-6-152-1
Parent: LSN-DLLSTX-6 (NET-64-31-0-0-1)
NetType: Reassigned
OriginAS:
Customer: Private Customer (C07286054)
RegDate: 2019-01-29
Updated: 2019-01-29
Ref: https://rdap.arin.net/registry/ip/64.31.6.152
CustName: Private Customer
Address: Private Residence
City: Moscow
StateProv: AG
PostalCode: 125040
Country: RU
RegDate: 2019-01-29
Updated: 2019-01-29
Ref: https://rdap.arin.net/registry/entity/C07286054

OrgAbuseHandle: ABUSE1804-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-242-3600
OrgAbuseEmail: abuse@limestonenetworks.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE1804-ARIN

It seems to me folks should limit or be cautious with their on-line printing with Thunderbird and Firefox until they establish if they have been left with an "Any Printer" setting instead of Firefox picking up on the system printer and allowing it to be the default printer. In some cases, least with the Linux setup, this may be default until someone directly sets the printer.
There also appears to be some automatic setting which is with newer versions of the OS that doesn't allow manual setup when the printer is turned on and automatically resets all values and resets the default printer without any restriction. Best guess someone trying to be helpful, the usual road paved with good intention.
Cashless society sacrifices independence, privacy and lastly liberty, encouraged by ignorance and villainy.
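
Added example (not part of any post in this thread): a triage of the addresses quoted above using Python's standard `ipaddress` module. It shows which addresses are private, which listed CIDR block each host falls in, and that the whois NetRange 64.31.6.152 - 64.31.6.155 is the single block 64.31.6.152/30. The function and variable names are assumptions made for this example.

```python
import ipaddress

# Addresses and blocks copied from the posts above.
OBSERVED_HOSTS = ["64.31.6.154", "64.210.158.70", "66.254.99.246", "192.168.3.4"]
LISTED_BLOCKS = ["64.31.0.0/18", "64.210.128.0/19", "66.254.96.0/19"]


def classify(host):
    """Return 'private' for non-globally-routable space (RFC 1918 etc.), else 'public'."""
    addr = ipaddress.ip_address(host)
    return "private" if addr.is_private else "public"


def containing_block(host, blocks=LISTED_BLOCKS):
    """Return the listed CIDR block that contains host, or None if there is none."""
    addr = ipaddress.ip_address(host)
    for block in blocks:
        if addr in ipaddress.ip_network(block):
            return block
    return None


def range_to_cidrs(first, last):
    """Collapse a whois NetRange (first - last) into the minimal list of CIDR blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def triage(hosts=OBSERVED_HOSTS):
    """Map each host to (scope, enclosing listed block)."""
    return {h: (classify(h), containing_block(h)) for h in hosts}


if __name__ == "__main__":
    for host, (scope, block) in triage().items():
        print(f"{host:15} {scope:8} {block or '-'}")
    print(range_to_cidrs("64.31.6.152", "64.31.6.155"))
```

A private address such as 192.168.3.4 cannot be reached across the public internet, so traffic from it is from a device on the same local network or behind the same router.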
