Simple proxy queries wired France IPs

Jakub Muszynski sirkubax at gmail.com
Sun May 1 13:27:44 UTC 2016


Hello

I was testing the simpleproxy package:
simpleproxy -L 15439 -R myaddress.com:5439 -v -t /tmp/trace

While reading /tmp/trace I've spotted strange rows in its verbose logging
(it should contain "Read from: myaddress.com:5439").
It does query some abo.wanadoo.fr hosts.

The 'strings /tmp/trace | less' log:
(...)
---------------- Read from: ANantes-655-1-144-239.w2-0.abo.wanadoo.fr:45039 ---------------
SELECT character_value, version() FROM INFORMATION_SCHEMA.SQL_IMPLEMENTATION_INFO WHERE implementation_info_id = '17' or implementation_info_id = '18'
---------------- Read from: ANantes-157-1-186-63.w2-0.abo.wanadoo.fr:5439 ---------------
character_value
version
(...)

Package details:
Package: simpleproxy
Priority: optional
Section: universe/net
Installed-Size: 69
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Original-Maintainer: Andrew Pollock <apollock at debian.org>
Architecture: amd64
Version: 3.4-5
Depends: libc6 (>= 2.15)
Filename: pool/universe/s/simpleproxy/simpleproxy_3.4-5_amd64.deb
Size: 16834
MD5sum: b1458997cde90a48f02e58a6dd97c71a
SHA1: 4695e3bf2637a957f686ff2c5e0543db469b80e2
SHA256: dcf773faa7a216745959505c9d4c1a62a854a359e40fe7de6a7df62652d65f38
Description-en: Simple TCP proxy
 simpleproxy acts as a simple TCP proxy. It opens a listening socket on
 the local machine and forwards any connection to a remote host. It can be
 run as a daemon or through inetd.
Description-md5: df90d17ba3792463ed98517f2afe2512
Homepage: http://www.sourceforge.net/projects/simpleproxy
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu

I did look at tcpdump:

12:31:54.815380 IP 10.18.0.6.45062 > 10.118.0.19.15439: Flags [P.], seq 617:689, ack 1060, win 254, options [nop,nop,TS val 402986021 ecr 57180214], length 72
12:31:54.815468 IP 10.118.0.19.58111 > 10.118.0.2.53: 10512+ PTR? 176.176.0.2.in-addr.arpa. (40)
12:31:54.815705 IP 10.118.0.2.53 > 10.118.0.19.58111: 10512 1/0/0 PTR ANantes-650-1-45-6.w2-0.abo.wanadoo.fr. (92)
12:31:54.815746 IP 10.118.0.19.34040 > myaddress.com.5439: Flags [P.], seq 617:689, ack 1060, win 254, options [nop,nop,TS val 57180227 ecr 896665995], length 72

12:31:54.836881 IP 10.118.0.19.34040 > myaddress.com.5439: Flags [.], ack 1152, win 254, options [nop,nop,TS val 57180233 ecr 896666014], length 0
12:31:54.836932 IP 10.118.0.19.53146 > 10.118.0.2.53: 62285+ PTR? 63.21.0.2.in-addr.arpa. (40)
12:31:54.837177 IP 10.118.0.2.53 > 10.118.0.19.53146: 62285 1/0/0 PTR ANantes-157-1-186-63.w2-0.abo.wanadoo.fr. (94)
12:31:54.837216 IP 10.118.0.19.15439 > 10.18.0.6.45062: Flags [P.], seq 1060:1152, ack 689, win 243, options [nop,nop,TS val 57180233 ecr 402986021], length 92

dig -t ptr 160.176.0.2.in-addr.arpa
reveals the same address.


It seems that it is only a DNS query, just for logging purposes; I
haven't spotted any direct communication to abo.wanadoo.fr hosts, but WHY
does it even query those hosts?

strings /usr/bin/simpleproxy | grep 'Read from'
---------------- Read from: %s ---------------


grep /usr/bin/simpleproxy -e 63.21.0.2
[nothing]

I did try to look for the source code to see what is wrong.

Could anyone take a look at whether this package is secure?

Greetings
Sirkubax
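The observation in the post can be turned into a mechanical check. The following Python script is an added example, not code from the post or from simpleproxy: it reads tcpdump lines in the shape quoted above (the sample lines are constructed from the capture in the post, one packet per line, with myaddress.com kept as the unresolved peer name), collects every IPv4 literal that is a connection endpoint, decodes each PTR question back into the address it asks about, and reports lookups that name no endpoint. On the quoted capture the two PTR questions decode to 2.0.176.176 and 2.0.21.63, neither of which is a peer of the proxy, which is exactly what makes them worth a closer look.

```python
import ipaddress
import re

# Constructed sample in the shape of the tcpdump output quoted in the post:
# addresses, ports, DNS ids and PTR names are the ones from that capture,
# each packet on a single line, TCP options trimmed.
SAMPLE_CAPTURE = """\
12:31:54.815380 IP 10.18.0.6.45062 > 10.118.0.19.15439: Flags [P.], seq 617:689, ack 1060, win 254, length 72
12:31:54.815468 IP 10.118.0.19.58111 > 10.118.0.2.53: 10512+ PTR? 176.176.0.2.in-addr.arpa. (40)
12:31:54.815705 IP 10.118.0.2.53 > 10.118.0.19.58111: 10512 1/0/0 PTR ANantes-650-1-45-6.w2-0.abo.wanadoo.fr. (92)
12:31:54.815746 IP 10.118.0.19.34040 > myaddress.com.5439: Flags [P.], seq 617:689, ack 1060, win 254, length 72
12:31:54.836881 IP 10.118.0.19.34040 > myaddress.com.5439: Flags [.], ack 1152, win 254, length 0
12:31:54.836932 IP 10.118.0.19.53146 > 10.118.0.2.53: 62285+ PTR? 63.21.0.2.in-addr.arpa. (40)
12:31:54.837177 IP 10.118.0.2.53 > 10.118.0.19.53146: 62285 1/0/0 PTR ANantes-157-1-186-63.w2-0.abo.wanadoo.fr. (94)
12:31:54.837216 IP 10.118.0.19.15439 > 10.18.0.6.45062: Flags [P.], seq 1060:1152, ack 689, win 243, length 92
"""

# "IP <src>.<sport> > <dst>.<dport>:" as tcpdump prints it without -n; the
# host part is either an IPv4 literal or a resolved name such as myaddress.com.
ENDPOINT_RE = re.compile(r" IP (\S+)\.(\d+) > (\S+)\.(\d+):")
# A PTR question, e.g. "PTR? 176.176.0.2.in-addr.arpa."
PTR_QUERY_RE = re.compile(r"PTR\? ([\d.]+)\.in-addr\.arpa\.")


def in_addr_arpa_to_ip(octets):
    """Turn the label part of a reverse name ("176.176.0.2") back into the
    address it asks about ("2.0.176.176")."""
    parts = octets.split(".")
    if len(parts) != 4:
        raise ValueError("not a full IPv4 reverse name: %s" % octets)
    return str(ipaddress.IPv4Address(".".join(reversed(parts))))


def connection_endpoints(capture):
    """Every IPv4 literal that appears as a packet source or destination."""
    peers = set()
    for line in capture.splitlines():
        match = ENDPOINT_RE.search(line)
        if not match:
            continue
        for host in (match.group(1), match.group(3)):
            try:
                peers.add(str(ipaddress.IPv4Address(host)))
            except ipaddress.AddressValueError:
                pass  # resolved hostname (myaddress.com): nothing to compare against
    return peers


def ptr_lookups(capture):
    """Addresses asked about in PTR questions, in capture order."""
    return [in_addr_arpa_to_ip(m.group(1)) for m in PTR_QUERY_RE.finditer(capture)]


def unexpected_ptr_lookups(capture):
    """PTR lookups for addresses that are not an endpoint of any packet in the
    capture. A reverse lookup done only to log the peer should name a peer."""
    peers = connection_endpoints(capture)
    return [ip for ip in ptr_lookups(capture) if ip not in peers]


if __name__ == "__main__":
    for ip in unexpected_ptr_lookups(SAMPLE_CAPTURE):
        print("PTR lookup for %s matches no connection endpoint" % ip)
```

The check deliberately ignores resolved hostnames in the endpoint list, since comparing them with a PTR answer would need another DNS round trip; running tcpdump with -n gives literals for every endpoint and makes the comparison exact.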