Looking through various log files for suspicious activities in my home cloud is part of my security routine. Recently, I found some interesting entries in the Apache web server log file on the server I run Owncloud and Selfoss, my RSS server. Every 7 days I get a couple of http requests from China. What!?
O.k. I am in China every now and then but not every 7 days. So since it's my private server and runs on a non-standard tcp port to keep crawlers and script kiddies away that is quite suspicious. Digging a bit deeper and having had a look at the requests before and after the requests coming from China I finally found the reason for those requests: On my mobile devices I use “Opera Mobile” for web browsing which includes accessing my RSS feed aggregated by Selfoss. For quick access I've added a shortcut to the speed dial screen. On this screen, shortcuts are represented with a thumbnail of the web page. It seems the thumbnails are updated every 7 days but the thumbnail is not created by the smartphone itself but by a server on the Opera backend that tries to fetch the webpage, creates a new thumbnail, which is then downloaded to the phone. And it seems that this server is in China as the requests are always coinciding with me accessing my Selfoss RSS web page via Opera from my smartphone. How interesting! The picture on the left shows the temporal correlation.
In my case the web page is http digest password protected so there is no real thumbnail. And that's a good thing because if there were that would mean that Opera would send my password to their backend. But they don't so that's at least something.
And just to make sure the IP address reported by the tool being in China really is in China, I ran a traceroute:
5 22.214.171.124 (126.96.36.199) 32.988 ms 33.312 ms 33.885 ms
6 188.8.131.52 (184.108.40.206) 233.826 ms 223.837 ms 223.892 ms
7 220.127.116.11 (18.104.22.168) 222.172 ms 219.059 ms 240.293 ms
8 22.214.171.124 (126.96.36.199) 243.943 ms 249.146 ms 250.505 ms
9 * * *
10 bj141-130-74.bjtelecom.net (188.8.131.52) 301.600 ms * *
11 bj141-147-82.bjtelecom.net (184.108.40.206) 320.768 ms bj141-131-162.bjtelecom.net (220.127.116.11) 320.731 ms bj141-147-82.bjtelecom.net (18.104.22.168) 320.721 ms
12 242.88.202.1.static.bjtelecom.net (22.214.171.124) 306.327 ms 320.606 ms 320.585 ms
13 126.96.36.199 (188.8.131.52) 325.090 ms 184.108.40.206 (220.127.116.11) 221.285 ms 223.845 ms
14 18.104.22.168 (22.214.171.124) 228.515 ms 268.986 ms 270.306 ms
15 126.96.36.199 (188.8.131.52) 270.648 ms 273.096 ms 275.106 ms
16 184.108.40.206 (220.127.116.11) 274.853 ms 287.711 ms 292.621 ms
Hop 5 is the last leg of the route to the destination IP address in Europe before the packets hop into a transit link to China. The delay of hop 6 already shows the other end of the tunnel is quite far away and a Whois lookup reveals that this is a transit link of China Telecom. Hop 16 is the IP address from which Opera's requests have originated and Whois reveals that the IP address is assigned to 21ViaNet in Beijing.