racoon "-D"?  "secure.onavo.com"?

1121 Views 8 Replies Latest reply: Jul 23, 2013 7:20 AM by andyBall_uk
MrElvey
Apr 3, 2013 1:50 PM

I've seen https://discussions.apple.com/message/7701877#7701877

 

Little Snitch caught racoon trying to connect to  "secure.onavo.com". 


Interestingly, the process is running with the undocumented '-D' option.  (-d is documented, but options are case sensitive.)

 

I wonder what's going on.  Onavo is a company and product for iOS that compresses all data to reduce data costs when used over the mobile network.  Why the heck a Mac is trying to set up a VPN to it, I have NOT A CLUE! 

 

In general, it is running because of this

/System/Library/LaunchDaemons/com.apple.racoon.plist

MacBook Pro (15-inch Early 2008), OS X Mountain Lion (10.8.2), SSD, USB, FireWire, external drives
  • Kurt Lang Level 7 (31,490 points)
    Apr 3, 2013 2:25 PM (in response to MrElvey)

    A .plist is just a preference file, not an app. It can't do anything by itself. The question is, what app is calling the UNIX command "racoon" to run?

     

    As far as the -D option, it's not necessarily undocumented. Often, a lowercase and uppercase switch mean the same thing, they just don't note it.

     

    It also appears to be a default part of Mountain Lion. The .plist file is in the /System/Library/LaunchDaemons/ folder so the OS reads it on each restart of the Mac. Part of the .plist tells the OS to RunAtLoad. What does it do? Got me, but I wouldn't worry about it. Apple must have it there for a reason.

     

    Where does "secure.onavo.com" come in? Can't say. My guess would be it's tied to iTunes. However, the text for racoon says (in part) this about it:

     

    The SPD (Security Policy Database) in the kernel usually triggers racoon.

     

    So much more likely, it's probably tied to the new security measures in Mountain Lion. Still doesn't explain why it would be trying to talk to Onavo.

  • Linc Davis Level 10 (107,770 points)
    Apr 3, 2013 7:09 PM (in response to MrElvey)

    The domain "secure.onavo.com" is on a security blacklist:

     

    IP Blacklist Check Status: Suspicious, Comment Spammer | IP-Tracker.org

     

    and has been associated with rogue activity:

     

    Probable Picscout or Image scanner

     

    Someone from there tried to connect to your VPN server.

  • Onavo
    Apr 10, 2013 6:02 AM (in response to MrElvey)

    racoon is OS X's VPN client and it runs whenever a user establishes a VPN connection.

     

    Onavo Extend and Onavo Count are iPhone only apps, which may establish a VPN connection to secure.onavo.com (from the phone). It looks like in your case you may have somehow installed the VPN configuration generated by one of the apps on your Mac, and therefore triggered the racoon process.

     

    The blacklisting referred to is old and was a result of a mis-identification (notice the date).

  • XENiCraft Level 2 (210 points)
    Jul 23, 2013 12:10 AM (in response to MrElvey)

    Don't install Onavo. If you read their Terms they basically say they can do anything with the data that passes through their servers. What they are doing to "compress your data" is to redirect your request through their servers, collect the data, compress it and send it back to you. Not safe, and I stopped using it, and I warn everyone that uses it.

     

    On your question, I cannot find com.apple.racoon in my Launch Daemons so I would search up on it and delete it.


    That's what I would do, but it's your system and your choice; I am in no way responsible for damage to your system. Just needed to get that out there.

  • Galed
    Jul 23, 2013 3:00 AM (in response to MrElvey)

    Hello,

    I'm Galed and I'm the Head of Operations at Onavo. I'll try to explain some of the behaviours mentioned above although not all of them can be explained as they are not supposed to happen.

     

    Racoon

    Racoon is an open source VPN client/server, used by many operating systems and companies. Racoon is a built-in VPN client used by iOS and this is the way Onavo creates a VPN connection from an iPhone to our servers. It is important to understand we do not install this process, it's there by default. Onavo sends as part of the installation flow of our apps a profile (known as mobileconfig) that only includes the configuration settings required to connect to our VPN servers.

     

    The behaviour mentioned in this thread

    The behaviour you mention here is something we do not understand because obviously our app is not supposed to be installed on Mac computers, we only support mobile devices. I can't really explain why you see a Racoon process trying to access our servers on your computer. Racoon is installed by default on all OS X operating systems, we did not install it there. The only explanation I can think of is either you, or someone else has installed our app on a simulator, or took the mobileconfig we generate for iPhone devices and ran it on a Mac. OS X is able to open and parse this mobileconfig and even try to initiate a Racoon connection - this is the only behaviour that may explain this.

     

    Further investigation

    @MrElvey - I will be happy to investigate this behaviour with you, if you wish to do that please send an email to our support team (support _AT_ onavo.com) and ask that the case will be sent to me (Galed).

     

    For any other questions you can also feel free to contact our support team and they will be happy to assist.

     

    Thank you,

    Galed.
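
The post above says a mobileconfig VPN payload opened on OS X can make racoon connect to the configured server. As an added example (not part of the thread and not Onavo's or Apple's code), this lists the VPN endpoints an unsigned profile would configure, so a profile can be checked before or after it is installed. The sample profile is constructed; a signed profile would first need its CMS wrapper removed.

```python
import plistlib

# Constructed sample profile for illustration; only the host name is from the thread.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>Example VPN</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key>
      <dict>
        <key>RemoteAddress</key><string>secure.onavo.com</string>
      </dict>
    </dict>
    <dict><key>PayloadType</key><string>com.apple.security.pkcs12</string></dict>
  </array>
</dict>
</plist>
"""

# Sub-dictionary holding the server address, and the key used inside it.
ADDRESS_KEYS = {"IPSec": "RemoteAddress", "IKEv2": "RemoteAddress",
                "PPP": "CommRemoteAddress"}

def vpn_endpoints(profile_bytes):
    """Return name, type and remote host for each VPN payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    found = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue  # certificates, Wi-Fi, etc. are not VPN settings
        remote = None
        for section, key in ADDRESS_KEYS.items():
            settings = payload.get(section)
            if isinstance(settings, dict) and settings.get(key):
                remote = settings[key]
        found.append({"name": payload.get("UserDefinedName"),
                      "type": payload.get("VPNType"), "remote": remote})
    return found

if __name__ == "__main__":
    for vpn in vpn_endpoints(SAMPLE_MOBILECONFIG):
        print(vpn)
```
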

  • Kurt Lang Level 7 (31,490 points)
    Jul 23, 2013 6:33 AM (in response to MrElvey)

    Good to hear from someone at Onavo with detailed info on their process.

     

    Sure, but by the same token, an app can't do anything by itself; it needs an OS to run on. :-)

     

    The difference though is a .plist really can't do anything by itself. It's a preference file, and that's it.

     

    But I don't know what you mean by 'It'.

     

    "It" refers to racoon. As Galed noted, it's installed by the OS itself. It's a UNIX command you can run in Terminal. If you want to get an idea of what it does, open Terminal and type in:

     

    man racoon

     

    "man" stands for "manual". A listing of what the app does and its options are shown. There may be more than a page worth. When you're done reading, press x.

     

    I think it's rare that options aren't case sensitive.

     

    Not really. It's only necessary to make an option case sensitive when you're using the same letter to do two different things. All depends on who wrote the command, but I have often run across Terminal commands that don't give a hoot which way you enter an argument.

  • andyBall_uk Level 6 (17,515 points)
    Jul 23, 2013 7:20 AM (in response to MrElvey)

    >>undocumented '-D'

     

    It's not in the man page, but try an illegal option & you'll see :

     

    usage: racoon [-BdDFvs46] [-a (port)] [-f (file)] [-l (file)] [-p (port)]

    >> snip

       -d: debug level, more -d will generate more debug message.

       -D: started by LaunchD (implies daemon mode).

    ...
