8 Replies Latest reply: Jul 23, 2013 7:20 AM by andyBall_uk
MrElvey Level 1 (25 points)

I've seen https://discussions.apple.com/message/7701877#7701877

 

Little Snitch caught racoon trying to connect to  "secure.onavo.com". 


Interestingly, the process is running with the undocumented '-D' option.  (-d is documented, but options are case sensitive.)

 

I wonder what's going on.  Onavo is a company and product for iOS that compresses all data to reduce data costs when used over the mobile network.  Why the heck a Mac is trying to set up a VPN to it, I have NOT A CLUE! 

 

In general, it is running because of this

/System/Library/LaunchDaemons/com.apple.racoon.plist


MacBook Pro (15-inch Early 2008), OS X Mountain Lion (10.8.2), SSD, USB, FireWire, external drives
  • 1. Re: racoon "-D"?  "secure.onavo.com"?
    Kurt Lang Level 7 (31,990 points)

    A .plist is just a preference file, not an app. It can't do anything by itself. The question is, what app is calling the UNIX command "racoon" to run?

     

    As far as the -D option, it's not necessarily undocumented. Often, a lowercase and uppercase switch mean the same thing, they just don't note it.

     

    It also appears to be a default part of Mountain Lion. The .plist file is in the /System/Library/LaunchDaemons/ folder so the OS reads it on each restart of the Mac. Part of the .plist tells the OS to RunAtLoad. What does it do? Got me, but I wouldn't worry about it. Apple must have it there for a reason.

     

    Where does "secure.onavo.com" come in? Can't say. My guess would be it's tied to iTunes. However, the text for racoon says (in part) this about it:

     

    The SPD (Security Policy Database) in the kernel usually triggers racoon.

     

    So much more likely, it's probably tied to the new security measures in Mountain Lion. Still doesn't explain why it would be trying to talk to Onavo.
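The reply above turns on what the .plist in /System/Library/LaunchDaemons actually tells launchd to do (which program, with which arguments, and whether it starts at boot via RunAtLoad). The following is an added example, not code from the thread or from Apple: it parses a launchd job definition and reports exactly that. The sample plist it ships with is constructed for the demonstration and is not Apple's com.apple.racoon.plist; only the "-D" argument and the RunAtLoad key are taken from the discussion. The keys it reads (Label, Program, ProgramArguments, RunAtLoad, KeepAlive, Disabled) are standard launchd.plist keys.

```python
"""Audit launchd job definitions (LaunchDaemons/LaunchAgents plists).

Added example, not code from the thread. The sample plist below is
constructed to resemble a launchd job for racoon and is NOT Apple's
com.apple.racoon.plist; only the -D flag and the RunAtLoad key come
from the discussion.
"""
import os
import plistlib
import tempfile

# Constructed sample job definition (labelled as such; not Apple's file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.racoon-sample</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/sbin/racoon</string>
    <string>-D</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
"""


def describe_job(plist_bytes):
    """Return what launchd would execute for this job and when."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments", []))
    # launchd runs Program if present, otherwise ProgramArguments[0].
    program = job.get("Program") or (args[0] if args else None)
    return {
        "label": job.get("Label"),
        "program": program,
        "args": args,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),
        "disabled": bool(job.get("Disabled", False)),
    }


def starts_automatically(info):
    """True if launchd starts the job without any client asking for it."""
    if info.get("disabled"):
        return False
    return bool(info.get("run_at_load") or info.get("keep_alive"))


def audit_dir(directory):
    """Describe every .plist job in a directory, keeping parse errors visible."""
    results = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            info = describe_job(data)
        except Exception as exc:  # malformed or non-plist file: report, don't skip
            info = {"label": name, "error": str(exc)}
        info["path"] = path
        results.append(info)
    return results


if __name__ == "__main__":
    # Runs against the constructed sample; on a Mac, pass
    # /System/Library/LaunchDaemons or /Library/LaunchDaemons instead.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "com.example.racoon-sample.plist"), "wb") as fh:
            fh.write(SAMPLE_PLIST)
        for job in audit_dir(tmp):
            mode = "auto-start" if starts_automatically(job) else "on-demand"
            print(f"{job['label']}: {' '.join(job.get('args', []))} [{mode}]")
```

A job that reports "auto-start" is launched by launchd at boot regardless of whether any application asked for it, which is the distinction the reply draws: the plist is not itself executable, but it is what makes launchd run the listed program with the listed arguments.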

  • 2. Re: racoon "-D"?  "secure.onavo.com"?
    Linc Davis Level 10 (117,935 points)

    The domain "secure.onavo.com" is on a security blacklist:

     

    IP Blacklist Check Status: Suspicious, Comment Spammer | IP-Tracker.org

     

    and has been associated with rogue activity:

     

    Probable Picscout or Image scanner

     

    Someone from there tried to connect to your VPN server.

  • 3. Re: racoon "-D"?  "secure.onavo.com"?
    Onavo Level 1 (0 points)

    racoon is OS X's VPN client and it runs whenever a user establishes a VPN connection.

     

    Onavo Extend and Onavo Count are iPhone only apps, which may establish a VPN connection to secure.onavo.com (from the phone). It looks like in your case you may have somehow installed the VPN configuration generated by one of the apps on your Mac, and therefore triggered the racoon process.

     

    The blacklisting referred to is old and was a result of a mis-identification (notice the date).

  • 4. Re: racoon "-D"?  "secure.onavo.com"?
    MrElvey Level 1 (25 points)

    Hmm.  Three replies and I'm still no more enlightened.

     

    Kurt Lang wrote:

     

    A .plist is just a preference file, not an app. It can't do anything by itself.

     

     

    Sure, but by the same token, an app can't do anything by itself; it needs an OS to run on. :-)

     

     

    Later, you say,

    It also appears to be a default part of Mountain Lion.

    But I don't know what you mean by 'It'. 

    1. /System/Library/LaunchDaemons/com.apple.racoon.plist ?
    2. A /System/Library/LaunchDaemons/com.apple.racoon.plist that connects to "secure.onavo.com"?  or
    3. racoon itself? 

    Obviously, I already knew that racoon is part of OS X, as the page I said I'd read shows that to be true.


    As for your contention that

    Often, a lowercase and uppercase switch mean the same thing, they just don't note it.

    I think it's rare that options aren't case sensitive.  The last five commands I used are all case sensitive.

    Few if any of the core UNIX commands aren't.

     

     

    Next,

    Linc Davis wrote:

     

    The domain "secure.onavo.com" is on a security blacklist:

     

    IP Blacklist Check Status: Suspicious, Comment Spammer | IP-Tracker.org

     

    and has been associated with rogue activity:

     

    Probable Picscout or Image scanner

     

    Someone from there tried to connect to your VPN server.

    secure.onavo.com has moved to another IP, but neither the new nor the old IP is currently blacklisted. (107.6.95.9 or 107.6.95.22)

     

    On the other hand, ONAVO's IP space appears to be a rat's nest, according to Cisco! 

    http://www.senderbase.org/lookup?search_string=107.6.95.0/24 says all hosts sending mail claim to be secure.onavo.com, and either have no reputation, or a poor reputation.  For example:

     

    IP Address 107.6.95.102 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2013-07-22 04:00 GMT (+/- 30 minutes), approximately 23 hours ago.

    This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

     

    IP Address 107.6.95.58 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2013-07-22 03:00 GMT (+/- 30 minutes), approximately 23 hours, 30 minutes ago.

     

    IP Address 107.6.95.55 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2013-07-22 03:00 GMT (+/- 30 minutes), approximately 1 days, 29 minutes ago.

     

    IP Address 107.6.95.56 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2013-07-22 14:00 GMT (+/- 30 minutes), approximately 13 hours ago.

     

    IP Address 107.6.95.57 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2013-07-22 04:00 GMT (+/- 30 minutes), approximately 23 hours, 30 minutes ago.

     

    IP Address 107.6.95.102 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2013-07-22 04:00 GMT (+/- 30 minutes), approximately 23 hours, 30 minutes ago.

     

     

    The last line,

    Someone from there tried to connect to your VPN server.


    doesn't seem justified.

     

    First, we don't have an active VPN server at the moment, and didn't have one when this error was coming up. 
    (We have one, but it's in a cardboard box, unplugged.)

     

    Secondly, Little Snitch caught an OUTGOING connection. 

     

    This applies also to the last comment, from one-time poster 'Onavo'.

     

    This alert came up on a Mac OS X client, not a server, and definitely not a VPN server.  And the client wasn't running an iOS simulator/VM.

     

    We have some iOS devices, but no Onavo apps on them.

     

    We have no reason to be running racoon - no legit VPN connections to establish, so for now, I did a

     

    sudo mv /System/Library/LaunchDaemons/com.apple.racoon.plist  /System/Library/LaunchDaemons-INACTIVE/com.apple.racoon.plist

     

    and so far so good.

     

    One possible exception is a Time Capsule I connect to remotely from time to time.  I don't use it as a VPN server, but perhaps the management protocols run over racoon.


    The rogue activity (March 26) wasn't very old, and there's current activity to boot. 


    The snitched on activity remains troubling and unexplained, IMO.

  • 5. Re: racoon "-D"?  "secure.onavo.com"?
    XENiCraft Level 2 (265 points)

    Don't install Onavo. If you read their Terms they basically say they can do anything with the data that passes through their servers. What they are doing to "compress your data" is to redirect your request through their servers, collect the data, compress it and send it back to you. Not safe, and I stopped using it, and I warn everyone that uses it.

     

    On your question, I cannot find com.apple.racoon in my Launch Daemons so I would search up on it and delete it.


    That's what I would do, but it's your system and your choice, I am in no way responsible for damage to your system. Just needed to get that out there.

  • 6. Re: racoon "-D"?  "secure.onavo.com"?
    Galed Level 1 (5 points)

    Hello,

    I'm Galed and I'm the Head of Operations at Onavo. I'll try to explain some of the behaviours mentioned above although not all of them can be explained as they are not supposed to happen.

     

    Racoon

    Racoon is an open source VPN client/server, used by many operating systems and companies. Racoon is a built in VPN client used by iOS and this is the way Onavo creates a VPN connection from an iPhone to our servers. It is important to understand we do not install this process, it's there by default. Onavo sends as part of the installation flow of our apps a profile (known as mobileconfig) that only includes the configuration settings required to connect to our VPN servers.

     

    The behaviour mentioned in this thread

    The behaviour you mention here is something we do not understand because obviously our app is not supposed to be installed on Mac computers, we only support mobile devices. I can't really explain why you see a Racoon process trying to access our servers on your computer. Racoon is installed by default on all OS X operating systems, we did not install it there. The only explanation I can think of is either you, or someone else has installed our app on a simulator, or took the mobileconfig we generate for iPhone devices and ran it on a Mac. OS X is able to open and parse this mobileconfig and even try to initiate a Racoon connection - this is the only behaviour that may explain this.

     

    Further investigation

    @MrElvey - I will be happy to investigate this behaviour with you, if you wish to do that please send an email to our support team (support _AT_ onavo.com) and ask that the case will be sent to me (Galed).

     

    For any other questions you can also feel free to contact our support team and they will be happy to assist.

     

    Thank you,

    Galed.

  • 7. Re: racoon "-D"?  "secure.onavo.com"?
    Kurt Lang Level 7 (31,990 points)

    Good to hear from someone at Onavo with detailed info on their process.

     

    Sure, but by the same token, an app can't do anything by itself; it needs an OS to run on. :-)

     

    The difference though is a .plist really can't do anything by itself. It's a preference file, and that's it.

     

    But I don't know what you mean by 'It'.

     

    "It" refers to racoon. As Galed noted, it's installed by the OS itself. It's a UNIX command you can run in Terminal. If you want to get an idea of what it does, open Terminal and type in:

     

    man racoon

     

    "man" stands for "manual". A listing of what the app does and its options are shown. There may be more than a page worth. When you're done reading, press x.

     

    I think it's rare that options aren't case sensitive.

     

    Not really. It's only necessary to make an option case sensitive when you're using the same letter to do two different things. All depends on who wrote the command, but I have often run across Terminal commands that don't give a hoot which way you enter an argument.

  • 8. Re: racoon "-D"?  "secure.onavo.com"?
    andyBall_uk Level 7 (20,320 points)

    >>undocumented '-D'

     

    It's not in the man page, but try an illegal option & you'll see :

     

    usage: racoon [-BdDFvs46] [-a (port)] [-f (file)] [-l (file)] [-p (port)]

    >> snip

       -d: debug level, more -d will generate more debug message.

       -D: started by LaunchD (implies daemon mode).

    ...
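The usage text quoted above settles the case-sensitivity question for racoon: -d and -D sit in the same option string and mean different things. The following is an added example, not code from the thread or from racoon itself. It feeds argument vectors through Python's getopt, which implements the same short-option grammar as the C getopt that usage strings like this one describe, using the option string "BdDFvs46a:f:l:p:" transcribed from the quoted usage line. The meanings assigned to -d (repeatable debug level) and -D (started by launchd) come from the quoted help text; the remaining letters are just passed through, and the config path in the demonstration is a placeholder.

```python
"""Show how a getopt-style parser treats -d and -D as distinct options.

Added example, not code from the thread or from racoon. The option
string is transcribed from the usage line quoted in the thread; the
meanings of -d and -D are from the same usage text. Other letters are
passed through as raw flags without interpretation.
"""
import getopt

# getopt syntax: a bare letter is a flag, "x:" means -x takes a value.
RACOON_OPTSTRING = "BdDFvs46a:f:l:p:"
VALUE_OPTIONS = ("-a", "-f", "-l", "-p")


def parse_racoon_args(argv):
    """Parse argv the way a case-sensitive getopt loop would.

    Raises getopt.GetoptError for any letter not in the option string,
    or for a value-taking option given without its value.
    """
    opts, rest = getopt.getopt(argv, RACOON_OPTSTRING)
    result = {"debug_level": 0, "launchd": False,
              "flags": [], "with_args": {}, "rest": rest}
    for opt, val in opts:
        if opt == "-d":                 # each -d raises the debug level
            result["debug_level"] += 1
        elif opt == "-D":               # uppercase D is a different option
            result["launchd"] = True
        elif opt in VALUE_OPTIONS:      # -a/-f/-l/-p carry a value
            result["with_args"][opt] = val
        else:                           # -B, -F, -v, -s, -4, -6
            result["flags"].append(opt)
    return result


def is_accepted(argv):
    """True if argv parses cleanly; False if getopt rejects it."""
    try:
        parse_racoon_args(argv)
        return True
    except getopt.GetoptError:
        return False


if __name__ == "__main__":
    print(parse_racoon_args(["-d", "-d", "-D"]))
    # "/path/to/racoon.conf" is a placeholder, not a real config location.
    print(parse_racoon_args(["-D", "-f", "/path/to/racoon.conf"]))
    print("-x accepted?", is_accepted(["-x"]))
    print("-F accepted?", is_accepted(["-F"]))
    print("-f without a value accepted?", is_accepted(["-f"]))
```

The useful takeaway for anyone reading a Little Snitch alert is that the argument list shown there is meaningful: "-D" tells you the process was started by launchd from its job definition, whereas a pile of "-d" flags would indicate someone started it by hand with debugging turned up.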