From owner-freebsd-security@freebsd.org Mon Jan 22 17:47:17 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 71EBEECC5E6 for ; Mon, 22 Jan 2018 17:47:17 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [209.237.23.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 66E281CCA for ; Mon, 22 Jan 2018 17:47:17 +0000 (UTC) (envelope-from marquis@roble.com) Received: from roble.com (roble.com [209.237.23.50]) by mx5.roble.com (Postfix) with ESMTP id 412E54DF18 for ; Mon, 22 Jan 2018 09:41:35 -0800 (PST) Date: Mon, 22 Jan 2018 09:41:35 -0800 (PST) From: Roger Marquis To: freebsd-security@freebsd.org Subject: Malicious URL ? https://[::]/ Message-ID: MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Jan 2018 17:47:17 -0000 Not necessarily BSD-related though this was discovered via a proxy server jail's process table. Source of the requests was a recently installed Firefox add-on. Not sure how to escape the pattern for search engines but nothing is found >From queries wrapped in double quotes. The absense of previous log entries or search results raises a number of questions. Is this IPv6-related? Neither the client nor the proxy have IPv6 enabled. Is it potentially malicious? If so by what mechanism? The Intel IME backdoor vector is a primary suspect for obvious reasons but am curious if anyone else has seen this? Roger Marquis