Joined: Jun 2008
Posts: 28
S
Ameglian cow
OP Offline
Tonight, I was alerted by my firewall to an unexpected
connection attempt.

mIRC was attempting to connect on port 80 to 199.7.71.190,
which appears to belong to Verisign.

I thought at first that this might have been an update
check. However, I don't have automatic updates checked,
and a manual attempt at checking for updates does not
produce any firewall alert. I was on a normal connection
and not using SSL.

Anybody else seeing this behavior?

Regards;

Thomas

Joined: Oct 2003
Posts: 3,918
A
Hoopy frood
Offline
A quick Google of the resolved hostname for that IP (crl.verisign.net) explains what is going on. It's not specific to mIRC-- in fact, it's probably coming directly from Windows, prior to mIRC making SSL connections using the SSL libraries:

http://www.dslreports.com/faq/7998

Note that the other Google results are just as interesting, and hint that this is also baked into .NET (probably through the same libraries mIRC uses).


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
Joined: Jan 2004
Posts: 2,127
Hoopy frood
Offline
* Dns resolved 199.7.71.190 to CRL.VERISIGN.NET

When I Google for keywords: verisign port 80

I get links related to this kind of issue, but they're from 2004.

It might also help to paste here the output from this to verify nothing's funky with your mIRC:

//echo -a $os $version $md5($mircexe,2) $file($mircexe).sig $alias(0) $script(0) $dll(0) $com(0)

Joined: Jun 2008
Posts: 28
S
Ameglian cow
OP Offline
Okay, here's the output from the echo statement:

XP 7.22 912dfaee60f144853a33231688312686 ok 5 7 0 0

I don't have mIRC's MD5 handy, so I can't speak to that
issue, but everything else looks okay to me.

Now for the weird part. Twice, when I ran your //echo
statement, my firewall again alerted me to connections
to port 80 at Verisign. After the second round, there
were no further alerts or firewall log entries. You can
call that coincidence or call it what you will, but that's
what actually happened.

I do have the SSL .dlls in my mIRC directory, but I was
not on an SSL connection at the time this occurred. As a
matter of fact, I can't remember the last time I used an
SSL enabled connection on IRC.

What baffles me is why this has never occurred prior to
today. Nothing has changed in my mIRC setup.. no scripts
updated, nothing downloaded, no add-ons installed..
essentially zero recent changes.

I might try to remove the SSL libraries and see if it still
occurs. I will report back if I make any new discoveries.

Regards;

Thomas



Joined: Oct 2003
Posts: 3,918
A
Hoopy frood
Offline
Oh, it's probably the signature, then.

mIRC 7.22 (and possibly some other recent versions) is a cryptographically signed executable. This means if you right click mirc.exe in Explorer and go to Digital Signatures, you will see the details of the digital signature. The important part to note is that all signatures work via SSL certificates provided by Verisign, so this would be where Windows, not mIRC, would be updating the certificate lists in the OS. Calling $file($mircexe).sig probably wakes up this little bit of signature checking code that does the lookup.

You can confirm this hypothesis: try restarting mIRC and first testing that echoing that same line again pops up the connection in your firewall. Then, restart mIRC one last time and type in the same line minus the $file($mircexe).sig check. If it does not pop up, there's your culprit. Note that mIRC occasionally checks the validity of this signature at runtime, which is why it might seem random to you and might not have happened before. It would also explain how this check would activate even in the absence of SSL based IRC connections.

FYI, Microsoft explains what digital signatures are here: http://windows.microsoft.com/en-US/windows-vista/What-is-a-digital-signature

Either way, this is something you really should not be worrying about. Accessing the CRL is valid regardless of where the connection is coming from. I'd say you should open your firewall to allow outgoing connections to that host, as other parts of your system might need it anyway.


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
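
One way to check the hypothesis in the post above against the firewall alert, as an added example that is not part of the original thread: this PowerShell script reads the Authenticode signer certificate of an executable and lists the CRL distribution point URLs found in its certificate chain, so the host and port can be compared with what the firewall logged. The default path in `$exe` is an assumption; point it at the binary named in the alert.

```powershell
# Added example (not from the thread): list the CRL URLs embedded in the
# certificate chain of a signed executable.
# Assumption: the default path below; pass -exe with the real location.
param([string]$exe = "$env:ProgramFiles\mIRC\mirc.exe")

$sig = Get-AuthenticodeSignature -FilePath $exe
"Signature status: $($sig.Status)"
if (-not $sig.SignerCertificate) {
    "No signer certificate found; the file is not Authenticode-signed."
    return
}

# Build the chain only to enumerate its certificates; revocation status
# is not needed to read the extension, so it is not requested here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($sig.SignerCertificate)

foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate

    # OID 2.5.29.31 is the CRL Distribution Points extension.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { continue }   # root certificates usually carry none

    # Format($true) renders the extension as multi-line text with URL= entries.
    $urls = [regex]::Matches($cdp.Format($true), 'https?://\S+') |
        ForEach-Object { $_.Value }

    foreach ($u in $urls) {
        $uri = [uri]$u
        [pscustomobject]@{
            Subject = $cert.Subject
            CrlUrl  = $u
            CrlHost = $uri.Host
            Port    = $uri.Port
        }
    }
}
```

A plain `http://` CRL URL in the output corresponds to an outbound connection on port 80; resolving `CrlHost` and comparing it with the address in the firewall log shows whether the alert matches the certificate's own revocation endpoint.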
Joined: Jun 2008
Posts: 28
S
Ameglian cow
OP Offline
Yep.. that's it!!! We have found the culprit!
Echoing $file($mircexe).sig does indeed produce
the alert, even with the SSL libraries removed.

Maybe this is just starting to happen because
we're into a new month, it being December 1st.

So it appears this connection might actually
have a good purpose, and perhaps I should add
a firewall rule to allow it access to port 80.

You guys are great! I'll sleep better tonight!

Regards;

Thomas

Joined: Dec 2002
Posts: 5,412
Hoopy frood
Offline
As the previous posts have mentioned, this is due to the digitally signed mIRC executable. mIRC is digitally signed to ensure that the mIRC you are running is authentic and has not been modified. mIRC itself does not connect to Verisign - this is actually performed by Windows and it does this for digitally signed executables whenever it wants to verify their authenticity.

