When Opera Calls Form China – Some Apache Log File Fun

Selfoss-chinaLooking through various log files for suspicious activities in my home cloud is part of my security routine. Recently, I found some interesting entries in the Apache web server log file on the server I run Owncloud and Selfoss, my RSS server. Every 7 days I get a couple of http requests from China. What!?

O.k. I am in China every now and then but not every 7 days. So since it's my private server and runs on a non-standard tcp port to keep crawlers and script kiddies away that is quite suspicious. Digging a bit deeper and having had a look at the requests before and after the requests coming from China I finally found the reason for those requests: On my mobile devices I use “Opera Mobile” for web browsing which includes accessing my RSS feed aggregated by Selfoss. For quick access I've added a shortcut to the speed dial screen. On this screen, shortcuts are represented with a thumbnail of the web page. It seems the thumbnails are updated every 7 days but the thumbnail is not created by the smartphone itself but by a server on the Opera backend that tries to fetch the webpage, creates a new thumbnail, which is then downloaded to the phone. And it seems that this server is in China as the requests are always coinciding with me accessing my Selfoss RSS web page via Opera from my smartphone. How interesting! The picture on the left shows the temporal correlation.

In my case the web page is http digest password protected so there is no real thumbnail. And that's a good thing because if there were that would mean that Opera would send my password to their backend. But they don't so that's at least something.

And just to make sure the IP address reported by the tool being in China really is in China, I ran a traceroute:


 5 (  32.988 ms  33.312 ms  33.885 ms
 6 (  233.826 ms  223.837 ms  223.892 ms
 7 (  222.172 ms  219.059 ms  240.293 ms
 8 (  243.943 ms  249.146 ms  250.505 ms
 9  * * *
10  bj141-130-74.bjtelecom.net (  301.600 ms * *
11  bj141-147-82.bjtelecom.net (  320.768 ms bj141-131-162.bjtelecom.net (  320.731 ms bj141-147-82.bjtelecom.net (  320.721 ms
12 (  306.327 ms  320.606 ms  320.585 ms
13 (  325.090 ms (  221.285 ms  223.845 ms
14 (  228.515 ms  268.986 ms  270.306 ms
15 (  270.648 ms  273.096 ms  275.106 ms
16 (  274.853 ms  287.711 ms  292.621 ms

Hop 5 is the last leg of the route to the destination IP address in Europe before the packets hop into a transit link to China. The delay of hop 6 already shows the other end of the tunnel is quite far away and a Whois lookup reveals that this is a transit link of China Telecom. Hop 16 is the IP address from which Opera's requests have originated and Whois reveals that the IP address is assigned to 21ViaNet in Beijing.

One thought on “When Opera Calls Form China – Some Apache Log File Fun”

  1. So much about European products and “Security made in Europe” … they don’t give a sh.t. I’d bet meanwhile most of the code is also done outside of Europe.

Comments are closed.