Secret behaviour of Opera 10.53

My network admin told me that my computer have some unexpected access to 192.168.0.1 which is not in my subnet. After Installation of Wireshark to capture those "secret" packets. They come from the opera browsers installed in my computer. In order to investigate what's going on, I have set up a virtual pc with the ip 192.168.0.1 and capture all the tcp communication with the virtual pc.

I found out that my opera will send a request to 192.168.0.1 requesting a file called "/get/root.xml". And this will repeat again within 1 hour.

Here is the request header from the opera web browser:

GET /get/root.xml HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.5.24 Version/10.53
Host: 192.168.0.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Connection: Keep-Alive

I don't understand what's the purpose of this behaviour. Did anyone know about that?

Cloudgen

After seeing your message, I checked my work machine, where I have been running 10.53 since its release.

I loaded up Wireshark and the Proxomitron, then loaded Opera 10.53. No attempt at any contact. Left the machine for more than an hour; still none.

I then verified that, when I tried to ping or HTTP 192.168.*.*, the attempt would be recorded in the office's firewall logs, and then I checked the last two weeks of firewall logs for any attempt to access any IP in that range from my machine. There was none.

This shows, to my satisfaction at least, that 10.53 isn't doing this in general.

My suspicion is that maybe you have something enabled in Opera that is forcing the access. My first thought, especially since it's every hour, is a misconfigured RSS feed. Maybe check your Feeds menu and see whether you have one pointing to 192.168.*. If not, are you using mail, links, Turbo, Unite, or some widget that may be trying to get information?

Actually, I've installed the 10.53 yesterday. This strange behaviour should started some versions before. One of my colleague's computer have similar behaviour, too. I've download 10.53 from http://mirror.worria.com/opera/win/1053/en/Opera_1053_en_Setup.exe

I have scanned the window's registry, and I cannot find any things relevant to http://192.168.0.1/get/root.xml . I didn't install any widgets and haven't turn on the unite. I haven't set any proxy. I haven't set any RSS feed. However, there are quick-time, office, flash plugins installed under the opera directory.

Here is my setup:

I start the Wireshark which bind to my only real network card using the following filter
"host 192.168.0.1 and tcp port http"
I have installed a Microsoft loopback Adapter as part of the virtual network (with ip 192.168.0.2 and gateway 192.168.0.1)
I have installed Microsoft Virtual PC 2007 using the same loopback Adapter and the Virtual PC has been installed with Lighttpd as a web browser. The Virtual PC is configured with ip 192.168.0.1 with gateway 192.168.0.2
I have configure the Window Firewall to allow the Virtual PC listening to port 80.

The last record form the Wireshark was GMT 9:53 GMT before I leaved my office at 10:00 GMT. I've left my computer running in my office. Use the "follow TCP stream" I obtained the following request to my virtual PC (I've setup a Lighttpd webserver there) from the Opera:

GET /get/root.xml HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.5.24 Version/10.53
Host: 192.168.0.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Connection: Keep-Alive

HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Fri, 14 May 2010 09:53:21 GMT
Server: LightTPD/1.4.22 (Win32) PHP/5.2.9-1 OpenSSL/0.9.8j - [WLMP/1.1.6.1171]
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

</head>
<body>

404 - Not Found

</body>
</html>

Now, 1:25 GMT, I don't have anything caught in the Wireshark. I've no idea on the pattern causing this. I'll keep monitoring until I find out the real cause of this.

As I am posting this message using Firefox, the Wireshark caught the following again (Note: this time with the TE heading in the request header, though every parts of the header is a real opera request header):

GET /get/root.xml HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.5.24 Version/10.53
Host: 192.168.0.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers

HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 15 May 2010 01:27:46 GMT
Server: LightTPD/1.4.22 (Win32) PHP/5.2.9-1 OpenSSL/0.9.8j - [WLMP/1.1.6.1171]
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

</head>
<body>

404 - Not Found

</body>
</html>

The time record for subsequent request:
Date: Sat, 15 May 2010 01:57:26 GMT
Date: Sat, 15 May 2010 02:12:16 GMT

... Maybe I should setup a clean Virtual PC, installing only windows, Opera, and Wireshark inside a virtual network for further inspection. By the way, do anyone knows what's the purpose of /get/root.xml, it looks like Tomcat's configuration file rather than rss. Any idea?

My main concern for this strange behaviour is that most of the router uses 192.168.0.1 as default ip address, if some hackers have successful inject a backdoor in the router. Any compromised software for the backdoor should try to communicate the 192.168.0.1 notifying the router for successfully "hackjacked" the computer.

I've occasionally scared myself into thinking that something nefarious was going on on my computer, so I understand your paranoia! But it usually turns out to be quite innocent.

I doubt if the plugins are doing anything by themselves, so that seems ruled out.

The other thing that occurs to me is that the request could also be a UPnP request to a router that isn't there (anymore?), which fits if I switch my thinking to the point of view that the IP isn't a mistake. But if so I doubt it would be coming from Opera. How exactly did you establish that the request came from Opera? If you leave Opera off for an hour, does the request still happen?

Google tells me, for example, that the Zyxel X-550 uses /get/root.xml for its description (http://www.dslreports.com/forum/r18029713-Zyxel-X550-Firmware-15 bottom of page)

Unite uses UPnP Discovery, which sounds like what root.xml is

Thanks spantham and mgillespie,

It's a UPnP Discovery request. It can be switched off by unselecting following:

type the url: opera:config#WebServer|UPnPServiceDiscoveryEnabled
you will see and uncheck --> UPnP Service Discovery Enabled

Yes, thanks Vectronic

lol, yer welcome... sometimes I wish the ability to "Edit" wasn't there... that's happened a few times.