Strange website in system log (simple adblock)

Tommiefr · October 17, 2020, 9:51pm

For my nano-pi I use the snapshot from 15-10 and I see in my logs some strange behaviour.
Can this have to do with my Reolink 520 IP camera? Is this device sending info to strange sites?

Or is my adblocker causing this?
I see these adresses in /var/run/simple-adblock.servers.
there are a lot servers in here but in the logs it is mentioning only these (see under)

In simple adblock i use:

Blocked Domain URLs:
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://cdn.jsdelivr.net/gh/paulgb/BarbBlock/blacklists/domain-list.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt

Blocked Hosts URLs:
https://adaway.org/hosts.txt
https://cdn.jsdelivr.net/gh/hoshsadiq/adblock-nocoin-list/hosts.txt
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext
https://winhelp2002.mvps.org/hosts.txt
https://someonewhocares.org/hosts/hosts
https://hosts.oisd.nl/

In system log:

Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain [zzzysb.com.com](http://zzzysb.com.com/)
Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain [zzztech.com](http://zzztech.com/)
Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain [zzzrtrcm2.com](http://zzzrtrcm2.com/)
Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain [zzznews.ru](http://zzznews.ru/)
Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain zzzmhupdejyjybhk.top
Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain [zzzha.com](http://zzzha.com/)
Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain [zzzcv.com](http://zzzcv.com/)
Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain [zzz888.com](http://zzz888.com/)

ergamus · October 17, 2020, 10:09pm

Unless you have a need for your IP camera to be web accessible, it might make sense to block all outbound traffic (LAN->WAN) from the camera in question. And also maybe add an expection for NTP UDP/123 destination, if your camera shows a timestamp on screen for time synchronization.

It could be multiple things, a botnet trying to chat with it's C&C server, a bad browser extensions trying to redirect traffic or leak back data, etc. Could be a random website trying to display dodgy malicious adverts. Who knows. You'll need to figure out what's causing those domain lookups. Dnsmasq has a logging option for this. You can also dump the traffic running over an interface and sift it for data.

Tommiefr · October 18, 2020, 5:44am

I am pretty new to this...how to see the log file?
It must say what ip adress is causing this, right?

hnyman · October 18, 2020, 5:50am

Tommiefr:

In system log:

Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain [zzzysb.com.com](http://zzzysb.com.com/)
Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain [zzztech.com](http://zzztech.com/)
Sat Oct 17 17:14:55 2020 daemon.info dnsmasq[15030]: using only locally-known addresses for domain [zzzrtrcm2.com](http://zzzrtrcm2.com/)

That looks like a block list domain list processed by the DHCP service demon. Likely just informative listing (caused by processing the blocklist).

Dnsmasq only lists a dozen addresses to avoid filling the whole log with the defined addresses. There is likely a summary line after that list.

Tommiefr · October 18, 2020, 5:56am

I changed this in the firewall settings (in the traffic rules): my ip camera has a static ip.

Now i see in the system log:

Sun Oct 18 07:49:42 2020 daemon.err uhttpd[966]: /usr/lib/lua/luci/dispatcher.lua:923: attempt to index local 'page' (a nil value)
Sun Oct 18 07:49:42 2020 daemon.err uhttpd[966]: stack traceback:
Sun Oct 18 07:49:42 2020 daemon.err uhttpd[966]: 	/usr/lib/lua/luci/dispatcher.lua:923: in function 'dispatch'
Sun Oct 18 07:49:42 2020 daemon.err uhttpd[966]: 	/usr/lib/lua/luci/dispatcher.lua:479: in function </usr/lib/lua/luci/dispatcher.lua:478>

Edit: i see these lines 3 or 4 times in my log. Now, some time later, these are gone.
Will test and see if these adresses will come back!

Edit 2: i reloaded the simple-adblock server list and i see the same messages (like OP) again! So it cannot be the camera...

hnyman · October 18, 2020, 7:14am

No, it is the informative list of the domains in the blocklist. Like I said above.
Harmless.

Tommiefr · October 18, 2020, 7:16am

Ok. But strange thing is only these adresses are mentioned but in the file are so many.