Hi,
Just wanted to check with every expert here. Not sure whether it is normal for keepass to connect to the following IP and sites
I have installed below plugins from keepass.info
Below is an output from PStool (Process Monitor)
10:06:46.9738011 PM KeePass.exe 16192 TCP Connect Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262800, rcvwinscale: 8, sndwinscale: 9, seqnum: 0, connid: 0
10:06:46.9747633 PM KeePass.exe 16192 TCP Connect Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 0, mss: 1436, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262788, rcvwinscale: 8, sndwinscale: 10, seqnum: 0, connid: 0
10:06:46.9824929 PM KeePass.exe 16192 TCP Send Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 181, startime: 8363498, endtime: 8363498, seqnum: 0, connid: 0
10:06:46.9836135 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:46.9836265 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 0, seqnum: 0, connid: 0
10:06:46.9836337 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 69, seqnum: 0, connid: 0
10:06:46.9836402 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 2846, seqnum: 0, connid: 0
10:06:46.9838640 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 341, seqnum: 0, connid: 0
10:06:46.9838710 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 314, seqnum: 0, connid: 0
10:06:46.9839407 PM KeePass.exe 16192 TCP Send Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 166, startime: 8363498, endtime: 8363498, seqnum: 0, connid: 0
10:06:46.9839637 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:46.9839795 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 97, seqnum: 0, connid: 0
10:06:46.9839967 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 2770, seqnum: 0, connid: 0
10:06:46.9840061 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 634, seqnum: 0, connid: 0
10:06:47.0046599 PM KeePass.exe 16192 TCP Send Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 93, startime: 8363500, endtime: 8363501, seqnum: 0, connid: 0
10:06:47.0046866 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:47.0047077 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 1, seqnum: 0, connid: 0
10:06:47.0047296 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 45, seqnum: 0, connid: 0
10:06:47.0049692 PM KeePass.exe 16192 TCP Send Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 93, startime: 8363500, endtime: 8363501, seqnum: 0, connid: 0
10:06:47.0049901 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:47.0050050 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 253, seqnum: 0, connid: 0
10:06:47.0481527 PM KeePass.exe 16192 TCP Send Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 203, startime: 8363504, endtime: 8363505, seqnum: 0, connid: 0
10:06:47.0481816 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:47.0482004 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 0, seqnum: 0, connid: 0
10:06:47.0482193 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 902, seqnum: 0, connid: 0
10:06:47.0837980 PM KeePass.exe 16192 TCP Send Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 194, startime: 8363504, endtime: 8363508, seqnum: 0, connid: 0
10:06:47.1233021 PM KeePass.exe 16192 TCP Connect Jacobs:58639 -> 172.217.194.82:http SUCCESS Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262800, rcvwinscale: 8, sndwinscale: 4, seqnum: 0, connid: 0
10:06:47.1263382 PM KeePass.exe 16192 TCP Send Jacobs:58639 -> 172.217.194.82:http SUCCESS Length: 186, startime: 8363512, endtime: 8363513, seqnum: 0, connid: 0
10:06:47.1292962 PM KeePass.exe 16192 TCP Receive Jacobs:58639 -> 172.217.194.82:http SUCCESS Length: 1418, seqnum: 0, connid: 0
10:06:47.1293228 PM KeePass.exe 16192 TCP Receive Jacobs:58639 -> 172.217.194.82:http SUCCESS Length: 349, seqnum: 0, connid: 0
10:06:47.2271485 PM KeePass.exe 16192 TCP Connect Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 0, mss: 1432, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 263488, rcvwinscale: 8, sndwinscale: 8, seqnum: 0, connid: 0
10:06:47.3167636 PM KeePass.exe 16192 TCP Connect Jacobs:58642 -> prox.fluky.org:http SUCCESS Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262800, rcvwinscale: 8, sndwinscale: 4, seqnum: 0, connid: 0
10:06:47.3202964 PM KeePass.exe 16192 TCP Send Jacobs:58642 -> prox.fluky.org:http SUCCESS Length: 153, startime: 8363532, endtime: 8363532, seqnum: 0, connid: 0
10:06:47.3621710 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:47.3621964 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 1394, seqnum: 0, connid: 0
10:06:47.3622052 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 355, seqnum: 0, connid: 0
10:06:47.3844250 PM KeePass.exe 16192 TCP Connect Jacobs:58643 -> vern.gendns.com:http SUCCESS Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262800, rcvwinscale: 8, sndwinscale: 4, seqnum: 0, connid: 0
10:06:47.3874913 PM KeePass.exe 16192 TCP Send Jacobs:58643 -> vern.gendns.com:http SUCCESS Length: 138, startime: 8363538, endtime: 8363539, seqnum: 0, connid: 0
10:06:47.4077876 PM KeePass.exe 16192 TCP Send Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 181, startime: 8363536, endtime: 8363541, seqnum: 0, connid: 0
10:06:47.4850111 PM KeePass.exe 16192 TCP Send Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 172, startime: 8363523, endtime: 8363549, seqnum: 0, connid: 0
10:06:47.4850319 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:47.4850405 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 87, seqnum: 0, connid: 0
10:06:47.4852910 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:47.4853025 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 2859, seqnum: 0, connid: 0
10:06:47.4853091 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 227, seqnum: 0, connid: 0
10:06:47.4856294 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:47.4856497 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 333, seqnum: 0, connid: 0
10:06:47.4856558 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 9, seqnum: 0, connid: 0
10:06:47.5841685 PM KeePass.exe 16192 TCP Connect Jacobs:58644 -> bh-50.webhostbox.net:http SUCCESS Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262800, rcvwinscale: 8, sndwinscale: 4, seqnum: 0, connid: 0
10:06:47.5867641 PM KeePass.exe 16192 TCP Send Jacobs:58644 -> bh-50.webhostbox.net:http SUCCESS Length: 153, startime: 8363558, endtime: 8363559, seqnum: 0, connid: 0
10:06:47.6060593 PM KeePass.exe 16192 TCP Connect Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262800, rcvwinscale: 8, sndwinscale: 7, seqnum: 0, connid: 0
10:06:47.6635574 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:47.6636019 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 911, seqnum: 0, connid: 0
10:06:47.7447364 PM KeePass.exe 16192 TCP Send Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 126, startime: 8363549, endtime: 8363575, seqnum: 0, connid: 0
10:06:47.7450783 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:47.7451137 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 1, seqnum: 0, connid: 0
10:06:47.7451370 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 45, seqnum: 0, connid: 0
10:06:47.8136244 PM KeePass.exe 16192 TCP Receive Jacobs:58642 -> prox.fluky.org:http SUCCESS Length: 396, seqnum: 0, connid: 0
10:06:47.8812923 PM KeePass.exe 16192 TCP Receive Jacobs:58643 -> vern.gendns.com:http SUCCESS Length: 272, seqnum: 0, connid: 0
10:06:47.9470829 PM KeePass.exe 16192 TCP Send Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 177, startime: 8363561, endtime: 8363595, seqnum: 0, connid: 0
10:06:47.9671086 PM KeePass.exe 16192 TCP Receive Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:47.9671482 PM KeePass.exe 16192 TCP Receive Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 2915, seqnum: 0, connid: 0
10:06:47.9671718 PM KeePass.exe 16192 TCP Receive Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 1301, seqnum: 0, connid: 0
10:06:48.0168690 PM KeePass.exe 16192 TCP Send Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 174, startime: 8363575, endtime: 8363602, seqnum: 0, connid: 0
10:06:48.0169382 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:48.0169764 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 380, seqnum: 0, connid: 0
10:06:48.0170153 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 47, seqnum: 0, connid: 0
10:06:48.0201677 PM KeePass.exe 16192 TCP Receive Jacobs:58644 -> bh-50.webhostbox.net:http SUCCESS Length: 386, seqnum: 0, connid: 0
10:06:48.3159627 PM KeePass.exe 16192 TCP Send Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 126, startime: 8363597, endtime: 8363632, seqnum: 0, connid: 0
10:06:48.3160045 PM KeePass.exe 16192 TCP Receive Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:48.3160246 PM KeePass.exe 16192 TCP Receive Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 269, seqnum: 0, connid: 0
10:06:48.6682742 PM KeePass.exe 16192 TCP Send Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 175, startime: 8363633, endtime: 8363667, seqnum: 0, connid: 0
10:06:48.6683389 PM KeePass.exe 16192 TCP Receive Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 5, seqnum: 0, connid: 0
10:06:48.6683807 PM KeePass.exe 16192 TCP Receive Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 1310, seqnum: 0, connid: 0
10:06:53.6716420 PM KeePass.exe 16192 TCP Receive Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 31, seqnum: 0, connid: 0
10:06:54.0163472 PM KeePass.exe 16192 TCP Receive Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 31, seqnum: 0, connid: 0
10:07:47.3626007 PM KeePass.exe 16192 TCP Receive Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 31, seqnum: 0, connid: 0
10:08:27.1522552 PM KeePass.exe 16192 TCP Disconnect Jacobs:58639 -> 172.217.194.82:http SUCCESS Length: 0, seqnum: 0, connid: 0
10:08:27.4181277 PM KeePass.exe 16192 TCP Disconnect Jacobs:58636 -> ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https SUCCESS Length: 0, seqnum: 0, connid: 0
10:08:27.6867648 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 31, seqnum: 0, connid: 0
10:08:27.6868012 PM KeePass.exe 16192 TCP Disconnect Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 0, seqnum: 0, connid: 0
10:08:27.8413253 PM KeePass.exe 16192 TCP Disconnect Jacobs:58642 -> prox.fluky.org:http SUCCESS Length: 0, seqnum: 0, connid: 0
10:08:27.9041520 PM KeePass.exe 16192 TCP Disconnect Jacobs:58643 -> vern.gendns.com:http SUCCESS Length: 0, seqnum: 0, connid: 0
10:08:28.0430582 PM KeePass.exe 16192 TCP Disconnect Jacobs:58638 -> s3-1.amazonaws.com:https SUCCESS Length: 0, seqnum: 0, connid: 0
10:08:28.0456736 PM KeePass.exe 16192 TCP Disconnect Jacobs:58644 -> bh-50.webhostbox.net:http SUCCESS Length: 0, seqnum: 0, connid: 0
10:08:28.6839395 PM KeePass.exe 16192 TCP Disconnect Jacobs:58641 -> 134.119.143.231:https SUCCESS Length: 0, seqnum: 0, connid: 0
Currently I have disabled the plugins. Just wanted to know again why keepass is connecting to the above sites and whether those plugins are safe to use.
Thank you,
J
Possibly update checks.
Turn off check for update and remove plug-ins, then test again.
We can't tell you if plug-ins are safe, only if anyone has reported problems.
cheers, Paul
Probably plugins, there's no approval process for plugins.
You're basically trusting a 3rd party.
Last edit: John Jones 2019-08-29
Your system is connecting to the following sites and sending/reading data from them
172.217.194.82:http
ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https
151.101.8.133:https
151.101.8.133:https
prox.fluky.org:http
vern.gendns.com:http
s3-1.amazonaws.com:https
bh-50.webhostbox.net:http
134.119.143.231:https
Most data transfers happen within 1 minute of connecting but they do not disconnect until about 1.5 hours later.
One receives some data one hour after connecting.
ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com:https
One receives data immediately before disconnecting
151.101.8.133:https
Hostname N/A
IP 151.101.8.133
Domain N/A
Organization Fastly
Location Singapore, Singapore
I have not made any attempt to identify who all these addresses belong to. I have attached a PDF of the analysis spreadsheet.
The suggestion above from Paul to disable all plugins and repeat is a good one. If you do this and publish the log here I will analyse that one for you if you wish so we can compare.
As an aside - I analysed your log using Excel which makes it very easy to parse the strings and identify what the traffic is and when it is being sent. The trick is to paste the log into Excel and use the split the text into columns feature. I have used this technique over very many years when I was employed as network security architect (before I retired).
I do have the Excel version available but have not attached the MS Office document to avoid any security concerns you may (should) have with office documents.
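The split-into-columns analysis described above, done in code: this is an added example, not the poster's spreadsheet or anything from the KeePass project. It parses Process Monitor TCP lines in the layout shown in the thread, groups them by local/remote socket pair, and reports bytes sent and received plus how long each connection stayed open; the sample lines are constructed in that layout (a subset of the log above), and the full log can be fed in the same way.

```python
"""Summarise Process Monitor TCP events per connection (added example, not from the thread)."""
import re
from datetime import datetime

# Field layout of a Process Monitor TCP line as pasted in the thread:
# time  process  pid  TCP <op>  local -> remote  result  Length: N, ...
LINE_RE = re.compile(
    r"^(?P<t>\d{1,2}:\d{2}:\d{2}\.\d{6})\d*\s+(?P<ampm>[AP]M)\s+(?P<proc>\S+)\s+(?P<pid>\d+)\s+"
    r"TCP\s+(?P<op>Connect|Send|Receive|Disconnect)\s+(?P<local>\S+)\s+->\s+(?P<remote>\S+)\s+"
    r"(?P<result>\w+)\s+Length:\s+(?P<length>\d+)"
)

def parse_time(t, ampm):
    # Process Monitor prints 7 fractional digits; strptime's %f accepts at most 6.
    return datetime.strptime(f"{t} {ampm}", "%I:%M:%S.%f %p")

def summarize(lines):
    """Return {(local, remote): stats} with byte counts and timings per TCP connection."""
    conns = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip non-TCP or malformed lines
        key = (m["local"], m["remote"])
        c = conns.setdefault(key, {"process": m["proc"], "pid": int(m["pid"]),
                                   "connect": None, "disconnect": None,
                                   "sent": 0, "received": 0, "last_data": None})
        ts, op, n = parse_time(m["t"], m["ampm"]), m["op"], int(m["length"])
        if op == "Connect":
            c["connect"] = ts
        elif op == "Disconnect":
            c["disconnect"] = ts
        else:  # Send or Receive carry payload bytes
            c["sent" if op == "Send" else "received"] += n
            c["last_data"] = ts
    return conns

def lifetime(stats):
    """Seconds from Connect to Disconnect, or None if either event is missing."""
    if stats["connect"] is None or stats["disconnect"] is None:
        return None
    return (stats["disconnect"] - stats["connect"]).total_seconds()

# Constructed sample lines in the layout of the log above (a subset, not the whole log).
SAMPLE = """\
10:06:46.9738011 PM KeePass.exe 16192 TCP Connect Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 0, mss: 1460
10:06:46.9824929 PM KeePass.exe 16192 TCP Send Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 181, startime: 8363498
10:06:46.9836337 PM KeePass.exe 16192 TCP Receive Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 69, seqnum: 0
10:06:47.1233021 PM KeePass.exe 16192 TCP Connect Jacobs:58639 -> 172.217.194.82:http SUCCESS Length: 0, mss: 1460
10:06:47.1263382 PM KeePass.exe 16192 TCP Send Jacobs:58639 -> 172.217.194.82:http SUCCESS Length: 186, startime: 8363512
10:08:27.1522552 PM KeePass.exe 16192 TCP Disconnect Jacobs:58639 -> 172.217.194.82:http SUCCESS Length: 0, seqnum: 0
10:08:27.6868012 PM KeePass.exe 16192 TCP Disconnect Jacobs:58637 -> 151.101.8.133:https SUCCESS Length: 0, seqnum: 0
""".splitlines()
```

Calling `summarize(open("procmon.txt").readlines())` and printing `lifetime()` per key reproduces the "data within the first minute, socket closed much later" pattern the post describes; a connection with no Disconnect line yields `None` rather than a bogus duration.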
It looks malicious from what I can tell, no plugin would require such networking activity as far as I'm aware.
When looking just at that single IP, you can find various reports and connected executables.
Make sure your host is clean, remove any plugins.
https://www.abuseipdb.com/check/151.101.8.133
https://www.virustotal.com/gui/ip-address/151.101.8.133/relations
https://www.virustotal.com/gui/file/484433242a3ec8edb9bbd87f09e203d30e532d703f19f7e2b441ef5995c1064f/details
134.119.143.231 that's Dominik's Site. so that seems fine.
However, I detected that some of these hosts are related to malicious versions of KeePass distributed probably through fake sites like keepass.com
https://www.virustotal.com/gui/file/ebb07d60e08c8ff2e2376c4315ee983854afb57c91a1ede4e9e8939a0d6016e1/detection
Last edit: John Jones 2019-08-29
Please upload your KeePass.exe Hash into VT or HA or upload to sandbox for analysis.
*When looking at the unique signature for that specific KeePass file, it seems like an Expiro malware which infects regular executables.
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:Win32/Expiro.G
Last edit: John Jones 2019-08-29
IP 151.101.8.133 seems to be Github, so it's likely to be reported as dodgy even if it's a plug-in with a legit update check.
IP 172.217.194.82 seems to be Google, so definitely spyware. ;)
fluky.org seems to be owned by Microsoft - more spyware!
cheers, Paul
p.s. please report when you have cross posted, especially when your questions have been answered elsewhere.