Unwanted secret outbound connection

Bug #944251 reported by Ralf Naujokat on 2012-03-01
This bug affects 21 people
Affects Status Importance Assigned to Milestone
Indicator Date and Time
indicator-datetime (Ubuntu)
ubuntu-geoip (Ubuntu)
unity-scope-video-remote (Ubuntu)

Bug Description

On my Precise box I found some unwanted connections.
I never told any process/program to do that.

output of 'netstat -atulpen'

tcp 1 0 CLOSE_WAIT 1000 16447 2322/python
tcp 1 0 CLOSE_WAIT 1000 8846 2303/ubuntu-geoip-p

output of 'ps faux | grep 2322'

1000 2322 0.0 0.2 607636 17320 ? Sl 09:02 0:00 /usr/bin/python /usr/lib/unity-scope-video-remote/unity-scope-video-remote

output of 'ps faux | grep 2303'

1000 2303 0.0 0.0 160488 5220 ? S 09:02 0:00 /usr/lib/ubuntu-geoip/ubuntu-geoip-provider

output of ' whois':

inetnum: -
netname: AMAZON-EU-AWS
descr: Amazon Web Services, Elastic Compute Cloud, EC2, EU

output of ' whois':

inetnum: -
descr: Canonical Ltd

Whatever you are doing: Stop doing these things with _my_ computer without asking me!
If I want phone-home-stuff, I can watch ET or use M$ W!nd*ws.

description: updated
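
The netstat-then-ps triage in the report above, as an added example (not part of the original report or of any Ubuntu package): it parses `netstat -atulpen` output and groups non-loopback TCP peers by owning process. The sample text, its documentation-range addresses and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the `netstat -atulpen` column layout (not from the report).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address       Foreign Address   State       User Inode PID/Program name
tcp   0      0      127.0.0.1:631       0.0.0.0:*         LISTEN      0    9001  812/cupsd
tcp   1      0      192.168.1.20:54435  192.0.2.10:80     CLOSE_WAIT  1000 16447 2322/python
tcp   1      0      192.168.1.20:60931  198.51.100.7:80   CLOSE_WAIT  1000 8846  2303/ubuntu-geoip-p
tcp   0      0      192.168.1.20:41000  192.0.2.10:80     ESTABLISHED 1000 16450 2322/python
tcp   0      0      127.0.0.1:40000     127.0.0.1:631     ESTABLISHED 1000 17000 3100/firefox
udp   0      0      0.0.0.0:5353        0.0.0.0:*                     111  7000  700/avahi-daemon
"""

def outbound_by_process(netstat_text):
    """Map (pid, program) -> sorted list of (remote_ip, remote_port, state)."""
    found = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or not fields[0].startswith("tcp"):
            continue  # header, UDP rows (empty State column), malformed lines
        foreign, state, owner = fields[4], fields[5], fields[8].strip()
        if state == "LISTEN":
            continue  # listening sockets have no remote peer
        host, _, port = foreign.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname shown instead of an address: rerun with -n
        if ip.is_loopback or not port.isdigit():
            continue
        pid, _, prog = owner.partition("/")
        if not pid.isdigit():
            continue  # "-" means the owner is hidden: rerun netstat as root
        found[(int(pid), prog)].add((str(ip), int(port), state))
    return {key: sorted(peers) for key, peers in found.items()}

def command_line(pid):
    """Full command line of a PID (the `ps faux` step), or None if unavailable."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None

if __name__ == "__main__":
    for (pid, prog), peers in outbound_by_process(SAMPLE).items():
        print(pid, prog, command_line(pid), peers)
```
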
Marc Deslauriers (mdeslaur) wrote :

One is the geoip server query to properly set your timezone, the other is the unity video lens querying the server.

Changed in ubuntu:
status: New → Invalid
hannuko (hannu-kotipalo) wrote :

Well, I also think this is a valid bug. These connections seem to be on all the time, regardless of the fact that I *do not* change my timezone several times in an hour and also I do not search for videos all the time on the machine.

I just blocked the IPs on the firewall to fix this. I also uninstalled the video packet doing this shit (well, first I uninstalled all ubuntu-one packets, I got a hint they could be causing this. Don't mind, do not need ubuntu-one). Unfortunately uninstalling the geoip would uninstall also some important packets. There should be a checkbox to disable this. Some people do not want their machines to upkeep the internet connection for nothing.

There should not be any all-time-on connections of this kind. As the original bug reporter says, that's not the Linux way of working.

Neuroquila (neuroquilaf2) wrote :

General alert, I'm being spied on, I've got the CIA or the FBI on my tail. They infiltrated my PC with a backdoor to see whether I was visiting paid "trinettes" sites.

neuroquila@neuroquila-MS-7681:~$ netstat -uta
Connexions Internet actives (serveurs et établies)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 1 0 neuroquila-MS-768:54435 alkes.canonical.co:http CLOSE_WAIT
tcp 1 0 neuroquila-MS-768:60931 mulberry.canonical:http CLOSE_WAIT
tcp 1 0 neuroquila-MS-768:54436 alkes.canonical.co:http CLOSE_WAIT
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN
udp 0 0 *:39166 *:*
udp 0 0 localhost:domain *:*
udp 0 0 *:bootpc *:*
udp 0 0 *:mdns *:*
udp6 0 0 [::]:57730 [::]:*
udp6 0 0 [::]:mdns [::]:*

tcp 1 0 neuroquila-MS-768:54435 alkes.canonical.co:http CLOSE_WAIT <<======== WHAT IS THIS ??
tcp 1 0 neuroquila-MS-768:60931 mulberry.canonical:http CLOSE_WAIT <<======== WHAT IS THIS ??
tcp 1 0 neuroquila-MS-768:54436 alkes.canonical.co:http CLOSE_WAIT <<======== WHAT IS THIS ??

Andres Guerra (a123a654a789) wrote :

I agree with #2, that's not what linux users expect, please provide a simple way of disabling this!

Greg A (etulfetulf) on 2012-06-02
affects: ubuntu → unity-scope-video-remote (Ubuntu)
David Callé (davidc3) wrote :

To add some perspective to the report, what the unity-scope-video-remote package does is get a list of video sources on a server managed by Canonical:
These video sources are then displayed in the filters of the Videos lens.

When you activate one of these filters and search the video lens, it queries the server again:

Currently, the simple way of disabling it is to remove the package; you obviously won't have the online video search in the lens anymore, but it shouldn't affect anything else.

Changed in unity-scope-video-remote (Ubuntu):
status: Invalid → Opinion
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-geoip (Ubuntu):
status: New → Confirmed
mark baraco (mkbaraco) wrote :

I also agree with #2 [hannuko (hannu-kotipalo)]. Well said my friend!

I keep hearing all these "Windows haters" rant about how application-firewalls aren't needed on Linux. And if a Linux application is doing something the user doesn't want, then the user should configure that application accordingly or not run the software. This is a perfect example of why this argument doesn't hold water. Having phone-home connections with no way to disable is unbecoming of Canonical and the Ubuntu team. It's easy enough to fix the Unity-Scope problems: uninstall the crap software package. But the GeoIP connections are a serious bug because nothing can be done about it.

Be nice to see a fix issued for 12.04 so LTS users don't have to put up with this for 2 years.

Alroger Filho (alroger-cafe-ti) wrote :

Disabling privacy-invasive Zeitgeist, Geoclue, Whoopsie (and NTPD)

dude please!

Zdenek Dlauhy (e-tast-k) wrote :

Well, I think these connections should not stay up all the time and should be called just when needed. For example when I search for something, when update manager is called and so on. Same thing is that gnome gvfs, which has really odd behavior.

mikewhatever (mikewhatever) wrote :

So, no open ports by default is no longer the statement relevant to Ubuntu.

SerP (serp2002) wrote :

Today I caught on my proxy a request to http://videosearch.ubuntu.com/v0/sources

I've been on Ubuntu since 2006,
and recently I like it less.

Matthew Paul Thomas (mpt) wrote :

Using an Internet connection to guess your location is precisely and solely what ubuntu-geoip is for. So while this may be a bug in individual packages that use ubuntu-geoip, I don't see how this can possibly be a bug in ubuntu-geoip itself.

Charles Kerr (charlesk) wrote :

This bug appears to actually be several issues that are only thematically related. I'm moving the indicator-datetime geoclue/geoip issue to bug #1074999 where it can be handled separately from these other issues. For this reason, I'm marking indicator-datetime's component as "Invalid" in this ticket.

I'm also marking ubuntu-geoip's component as "Invalid" for the reasons stated by mpt in comment #12.

Changed in indicator-datetime:
status: New → Invalid
Changed in indicator-datetime (Ubuntu):
status: New → Invalid
Changed in ubuntu-geoip (Ubuntu):
status: Confirmed → Invalid
Adolfo Jayme (fitojb) on 2012-11-06
tags: added: bag-of-rants
mark (mwcombs) wrote :


Just block the traffic altogether. You should be doing that anyway. It's just good security practice.

On your ubuntu, linux, solaris server or whatever just blackhole all the traffic.


In Ubuntu just type the command:

sudo ip route add blackhole

You can verify this with the route -n command. Now start blocking tons of traffic. There are different ways to block traffic but this is my favorite. No messages are sent back such as unreachables as with reject messages. Think about it for a second. If you send a reject message such as destination unreachable then didn't I just find out that there is a live device somewhere? Who cares if the icmp was successful or not. My whole point was network reconnaissance. So black hole all of your traffic and hide in the shadows :-)

Here in the US I block all IP subnets outside of my country such as Russia, China and so forth. If there is a specific need then you can simply unblock the traffic when desired.

icewater (a-ubuntu) on 2012-12-10
tags: added: privacy
Drey (drey) wrote :

Here are two more specific bugs I filed regarding ubuntu-geoip connections (everyone is welcome to set "Yes, it affects me" status):

#1120350 Add an option to disable geoip check

#1120358 Reduce the dependency on the geoclue-ubuntu-geoip packages to a recommends
