I recently bought a brand new Macbook last week because my old one (running Yosemite 10.10.5) was compromised. After this event, I erased the hard drive and reinstalled the OS on that one and started using Little Snitch. However, while using Chrome on the Macbook that had been cleanly reinstalled, I got a connection alert to a random IP address while loading Gmail and I freaked out, thinking my machine was somehow still compromised (amongst other little things). It freaked me out because even while using LS on this old Macbook with the clean reinstall, I hadn't gotten a strange connection attempt like this before.
So, on this brand new Macbook with only four third-party applications all downloaded directly from the providers (Chrome, LS, Flux and Spotify) while using Chrome and doing regular things like checking Facebook or opening a new tab, Little Snitch lets me know Chrome is attempting to connect to random IP addresses via port 80. I got three connection alerts recently. The 54 IP addresses are Amazonaws servers. The 4 IP address belongs to Level 3 Communications, a random American ISP. I don't know why Chrome would attempt to connect to these addresses. I've been told that the IP addresses don't resolve anywhere, so does that mean Chrome's attempting to connect to a server of some sort rather than it being a browser hijack?
I took this as a sign that my system was somehow still compromised, so I went to the Genius Bar to erase my hard drive and have OS El Capitan installed on the new Macbook from a bootable drive. Set up the system as new. Downloaded Chrome, Flux, Spotify and LS and podcasts via iTunes using the Apple Store wifi. OK, so far so good. One day into this new system, I get a connection alert to another amazonaws IP address when loading Gmail.
I'm pretty sure it's not any of my extensions (Ghostery, Wot, Xkit, Xmarks and previously Adblock/Plus) attempting to download updates from servers. They have hostnames rather than IP addresses, e.g. d.ghostery.com. I thought it might've been Adblock as it's recently been sold and it's sneakily attempting to show ads but on the El Capitan OS, I still got a connection alert even without Adblock or Adblock Plus installed.
I've noticed that when I'm loading Gmail, the attempts to connect to the Amazonaws IP addresses occur. Apart from that Level 3 IP address, I haven't gotten any non-amazonaws connection alerts.
Also for some reason, Chrome also attempts to connect to Apple related pages, even if I'm not using anything Apple related that would prompt an alert. I would understand if a process would attempt to connect to an Apple page, but why Chrome? For example, Chrome attempted to connect to support-sp.apple.com, which is related to when you click About this Mac. I did check my Macbook's information around this time, and the IP address is the same IP address for other hostnames for sites I use. But Chrome was specifically attempting to connect to support-sp.apple.com. Why would it need to do that?
-
I guess the common factor in all setups (on the old Macbook with the clean reinstall, on the new Macbook with the original setup and then the new setup with El Capitan) is that this has happened while I'm using the home wi-fi network (secured with WPA2 but as far as I know I can't change the router password because my ISP is like that...). I haven't used the internet on any other wifi network just due to circumstance. I can't use OpenDNS on the router/modem I use, but I've got it set up on my own Macbook and I haven't noticed any other suspicious browser behaviour like ad redirects etc. I haven't downloaded anything via a P2P network/anything cracked because I'm pretty sure that's what hosed my last Macbook in the first place.
Because it's IP addresses instead of actual hostnames with letters and because Chrome's attempted to connect to them while I'm doing things where there really would be no reason for Chrome to connect to them (loading Gmail, opening a new tab), I'm a little suspicious. Should I be worried or am I just being overly paranoid? Apart from browsing in incognito mode with extensions disabled to see if they come up again, what else can I do?
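The question asks how to decide whether bare-IP destinations in Little Snitch alerts are expected cloud endpoints or something to worry about. The script below is an added example, not part of the original post or of Little Snitch: it parses "process -> destination:port" alert lines, attributes literal IPs to known network ranges, and reports anything left unattributed. The alert lines and the range table are constructed (they use the documentation address blocks 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, not real provider allocations); in real use the table would be filled from the prefixes Amazon publishes at https://ip-ranges.amazonaws.com/ip-ranges.json and from whois/reverse-DNS results.

```python
"""Triage outbound-connection alerts by attributing destination IPs to known ranges.

Added example (not from the original post). Alert lines and range table are
constructed; real AWS prefixes come from https://ip-ranges.amazonaws.com/ip-ranges.json.
"""
import ipaddress
import re

# Constructed sample alerts in a Little Snitch-like "process -> dest:port" shape.
SAMPLE_ALERTS = """\
Google Chrome -> 192.0.2.10:80
Google Chrome -> 192.0.2.25:443
Google Chrome -> 198.51.100.5:80
Google Chrome -> d.ghostery.com:443
Spotify -> 203.0.113.7:4070
"""

# Constructed range table: label -> CIDR list. Placeholder values only;
# replace with provider-published prefixes (e.g. AWS ip-ranges.json) in practice.
KNOWN_RANGES = {
    "cloud-provider-A (constructed)": ["192.0.2.0/24"],
    "isp-B (constructed)": ["198.51.100.0/24"],
}

ALERT_RE = re.compile(r"^(?P<proc>.+?) -> (?P<dest>[^:]+):(?P<port>\d+)$")


def parse_alert(line):
    """Parse one alert line into a dict; return None for lines that don't match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"process": m.group("proc"), "dest": m.group("dest"),
            "port": int(m.group("port"))}


def is_ip_literal(text):
    """True if text is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def attribute_ip(ip_text, ranges=KNOWN_RANGES):
    """Return the label of the first range containing ip_text, or None if unknown."""
    if not is_ip_literal(ip_text):
        return None
    ip = ipaddress.ip_address(ip_text)
    for label, cidrs in ranges.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return label
    return None


def triage(alert_text, ranges=KNOWN_RANGES):
    """Group alerts into hostname destinations, attributed IPs and unattributed IPs.

    Each IP alert also gets a 'plaintext' flag for port 80, since an unencrypted
    connection to an unknown host is the case most worth a closer look.
    """
    report = {"hostname": [], "attributed": [], "unattributed": []}
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        if not is_ip_literal(alert["dest"]):
            report["hostname"].append(alert)
            continue
        alert["plaintext"] = alert["port"] == 80
        owner = attribute_ip(alert["dest"], ranges)
        if owner is not None:
            alert["owner"] = owner
            report["attributed"].append(alert)
        else:
            report["unattributed"].append(alert)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for category, alerts in result.items():
        print(f"== {category} ==")
        for a in alerts:
            extra = f" owner={a['owner']}" if "owner" in a else ""
            print(f"  {a['process']} -> {a['dest']}:{a['port']}{extra}")
```

An IP that falls inside a published cloud range and is only contacted while a page such as Gmail loads is most likely a CDN or API endpoint that the page pulled in, which is why the bare IP has no reverse DNS entry. The unattributed bucket is the one to investigate further: note which tab or extension was active when the alert fired, and compare the destination against whois output before deciding anything about the machine itself.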