Is IP 34.196.229.25 related to virtuemart?

Started by reggaebkk, May 06, 2017, 10:35:40 AM

reggaebkk

Hi,

Two of my three websites using VirtueMart are constantly trying to connect to IP 34.196.229.25.
This IP belongs to Amazon.com... very strange...

But I don't see what on my server wants to connect to this IP, are there some Virtuemart plugins that are supposed to behave that way?

I get a tracking hit warning every 10 min or so for each website since I blocked Amazon IP ranges in my CSF firewall...

But maybe I blocked some auto update of some virtuemart plugin, or maybe some library that is fetched from the Amazon server...

Does anyone have the same problem? What is this IP used for?

If my websites are being exploited to hack the Amazon.com server, how do I find the exploit? I run ClamAV and Maldet, nothing; I checked folders manually and all seems fine...

I try to run very tight security on my tiny server: I run a tight CSF config and 3 modsec rulesets, and check connections regularly... that one really bugs me and I can't find what it is.

I posted in the Joomla forum and involved my (excellent) hosting support... nothing. I even emailed the Amazon.com abuse department explaining that my server may be exploited by hackers to get to them, asking them what this IP is, but no reply.

Help please!!!

jjk

The only thing that comes to mind is the 'Amazon Pay' plugin. Do you have that one enabled?
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

reggaebkk

They were disabled, I uninstalled them completely, still getting the tracking hits.
When I see the stats, it seems that the website that is visited much more often gets much more of these tracking hits, so it's probably generated upon each new visit. And always on this 34.196.229.25 Amazon IP ;(

Jörgen

What VM and Joomla versions? If they are insecure you may have admins you do not know about.

Regards

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

reggaebkk

VM 3.2.1 / Joomla 3.7, I always update immediately after release.
By the way, here are examples:
lfd on server.rootshosting.net: UID 7675 (asdfasdf) Tracking Hit
Sample of port hits:
May  6 05:59:30 server kernel: [  989.134535] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=216.246.99.58 DST=34.196.229.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61568 DF PROTO=TCP SPT=45192 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=542 GID=542
May  6 05:59:31 server kernel: [  990.133649] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=216.246.99.58 DST=34.196.229.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61569 DF PROTO=TCP SPT=45192 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=542 GID=542
and so on...
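The useful field in those CSF kernel log lines is UID=: the kernel stamps each outbound packet with the local account that opened the socket, so grouping blocked *TCP_OUT* hits by UID and destination tells you which hosting account (and therefore which site) is generating the traffic before you go looking for the process. The parser below is an added example written for this thread, not code from CSF, lfd or VirtueMart; the sample lines and the UID-to-account mapping are constructed (modelled on the lines quoted above), and on a real box you would drop the mapping and let it read the host's passwd database.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the CSF/lfd kernel lines quoted in this thread.
# The last line is an inbound block: inbound packets carry no UID, which the
# parser must tolerate.
SAMPLE_LOG = """\
May  6 05:59:30 server kernel: [  989.134535] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=216.246.99.58 DST=34.196.229.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61568 DF PROTO=TCP SPT=45192 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=542 GID=542
May  6 05:59:31 server kernel: [  990.133649] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=216.246.99.58 DST=34.196.229.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61569 DF PROTO=TCP SPT=45192 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=542 GID=542
May  6 06:09:12 server kernel: [ 1571.220011] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=216.246.99.58 DST=34.196.229.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61601 DF PROTO=TCP SPT=45310 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=7675 GID=7675
May  6 06:09:40 server kernel: [ 1599.000000] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.9 DST=216.246.99.58 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Constructed stand-in for /etc/passwd on the server (hypothetical account names).
CONSTRUCTED_PASSWD = {542: "shop1", 7675: "asdfasdf"}

CHAIN_RE = re.compile(r"\*(\w+) Blocked\*")   # e.g. *TCP_OUT Blocked*
KV_RE = re.compile(r"(\w+)=(\S*)")            # KEY=value tokens; IN= has an empty value


def parse_firewall_line(line):
    """Return a dict of the KEY=value fields of one CSF kernel log line, plus
    CHAIN (TCP_OUT / TCP_IN / ...), or None if the line is not a firewall block."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    fields = {"CHAIN": m.group(1)}
    for key, value in KV_RE.findall(line):
        fields[key] = value
    return fields


def outbound_hits(log_text):
    """Count blocked outbound connection attempts per (UID, DST, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_firewall_line(line)
        if not f or f["CHAIN"] != "TCP_OUT":
            continue
        uid = int(f["UID"]) if f.get("UID") else None
        counts[(uid, f.get("DST"), f.get("DPT"))] += 1
    return counts


def resolve_uid(uid, passwd=None):
    """Map a numeric UID to an account name. `passwd` is a {uid: name} mapping
    for offline use; without it the host's real passwd database is consulted."""
    if uid is None:
        return "-"
    if passwd is not None:
        return passwd.get(uid, f"uid:{uid}")
    import pwd  # Unix only; imported lazily so the parser itself is portable
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return f"uid:{uid}"


def report(log_text, passwd=None):
    """Rows of (account, uid, dst, dport, hits), busiest first."""
    rows = []
    for (uid, dst, dport), n in outbound_hits(log_text).most_common():
        rows.append((resolve_uid(uid, passwd), uid, dst, dport, n))
    return rows


if __name__ == "__main__":
    for account, uid, dst, dport, n in report(SAMPLE_LOG, CONSTRUCTED_PASSWD):
        print(f"{account:<12} uid={str(uid):<6} -> {dst}:{dport}  blocked {n}x")
```

Run it against /var/log/messages (or wherever CSF writes its kernel log) with `passwd=None`: the account that tops the list is the one whose web root, cron jobs and PHP processes deserve a look, and a UID that belongs to no site at all is a much stronger signal than the destination address on its own.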

GJC Web Design

Maybe your host can trace the process calling this.
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

Milbo

I just checked for the IP myself,

IP Address:   34.196.229.25
Host of this IP:   ec2-34-196-229-25.compute-1.amazonaws.com

Which is just the Amazon cloud. My Joomla update.php log shows
2017-05-03T06:05:38+00:00   INFO 192.168.2.100   update   Downloading update file from http://joomla-official-downloads.s3.amazonaws.com/joomladownloads/joomla3/Joomla_3.7.0-Stable-Update_Package.zip?AWSAccessKeyId=AKIAIZ6S3Q3YQHG57ZRA&Expires=1493791607&Signature=PqzKcDuxS%2F6N9wXdR6gtK9nOVwg%3D.

So it can be your CDN (if you use Amazon), or some Joomla thing checking for updates.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

reggaebkk

Does anybody have news about this problem?
My host can't help, and I keep on getting tracking hits; I don't know where they're coming from.
I purchased and installed CXS hoping it'd find some exploit but nothing.
Why am I the only one seeing this?? None of you guys ever spotted some dodgy outgoing connection to 34.196.229.25?

GJC Web Design

As Max pointed out, it is the address of the Joomla downloads on the Amazon cloud, so one assumes it is Joomla's updater.