Mystery Wujie/UltraSurf router warnings—MAC spoofing?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2020-09-24 17:40:41 - last edited 2021-06-06 04:16:01

 

My Deco M9 Plus system is creating a mystery that I can't solve.  Hoping others have seen this and have figured out the source.

 

Wujie/UltraSurf is getting requested by at least 2 laptops on my home network.  I know that it is a firewall bypass system that has its own Chrome extension.  No one in my house has installed that extension.

 

I’ve created parental control profiles for individual devices so I can track which device is making requests that are getting flagged. Wujie/UltraSurf is still popping up even though none of the devices have that extension installed -- I have really reduced extensions to a minimum. One of the devices is my own MacBook, so I know I am not trying to use that service intentionally.

 

Is there a chance that some other extensions route through UltraSurf even if its own extension is not installed?  I've wondered if Netflix Party makes use of it.  But I don't have or use NP.

Could Deco Parental Controls be misreading some other service as UltraSurf?

 

Perhaps I should just uninstall ALL extensions, observe, and then turn them back on one by one to try and find the culprit.

 

Any help with this is greatly appreciated.
Thanks. 

#1
1 Accepted Solution
Re:Mystery Wujie/UltraSurf router warnings—MAC spoofing?-Solution
2021-05-25 22:42:25 - last edited 2021-06-06 04:16:01

@HarlanPepper Not sure if you're still following this thread, but came across this thread when researching Wujie/UltraSurf online, and found it traced back to the Spotify app (the Microsoft Store version, though I doubt that matters). The app was reaching out to a spotify.com host, and the IP got flagged as Wujie/UltraSurf. 

 

Hopefully this solves the mystery, or at least narrows down the culprit? 

Recommended Solution
#11
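
The attribution step described in the reply above (finding which hostname sits behind an IP the router flagged) can be done from a packet capture, as an added example that is not part of the thread. The hostnames, addresses and flagged-event list are constructed, and the input layout assumes DNS responses exported with tshark as shown in the comment.

```python
from collections import defaultdict

# Constructed sample: DNS responses as tab-separated fields
# (client IP, queried name, comma-separated A records), the layout produced by
#   tshark -r capture.pcapng -Y "dns.flags.response == 1" \
#          -T fields -e ip.dst -e dns.qry.name -e dns.a
DNS_RESPONSES = """\
192.168.68.20\taudio.music-service.example\t203.0.113.10,203.0.113.11
192.168.68.20\twww.news-site.example\t198.51.100.7
192.168.68.31\taudio.music-service.example\t203.0.113.10
192.168.68.31\ttelemetry.vendor.example\t
"""

# Constructed sample: (client IP, destination IP) pairs the router flagged.
FLAGGED = [
    ("192.168.68.20", "203.0.113.10"),
    ("192.168.68.31", "203.0.113.10"),
    ("192.168.68.31", "192.0.2.99"),  # never seen in any DNS answer
]

def build_resolution_map(dns_text):
    """Map (client, answer IP) -> set of names that client resolved to that IP."""
    resolved = defaultdict(set)
    for line in dns_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2].strip():
            continue  # malformed line, or a response carrying no A records
        client, name, answers = parts
        for ip in answers.split(","):
            resolved[(client.strip(), ip.strip())].add(name.strip().lower())
    return resolved

def attribute_flags(dns_text, flagged):
    """For each flagged connection, list the hostnames behind the flagged IP."""
    resolved = build_resolution_map(dns_text)
    report = {}
    for client, ip in flagged:
        # An empty list means the client reached the IP without a visible
        # lookup (cached answer, hard-coded address, or encrypted DNS).
        report[(client, ip)] = sorted(resolved.get((client, ip), ()))
    return report

if __name__ == "__main__":
    for (client, ip), names in attribute_flags(DNS_RESPONSES, FLAGGED).items():
        print(client, ip, ", ".join(names) or "no DNS answer seen")
```

When several unrelated devices all map the same flagged address to one ordinary service name, the alert is being keyed on a shared IP rather than on use of the proxy tool.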
12 Reply
Re:Mystery Wujie/UltraSurf router warnings—MAC spoofing?
2020-09-26 14:53:10 - last edited 2020-09-26 20:09:59

@HarlanPepper 

UPDATE:

With all extensions disabled on all Chrome browsers, I'm still getting lots of warnings that " 'User X' attempted to visit Wujie/UltraSurf" from various devices.  iPhones, iPads, Fire Tablets.

 

If any folks with network security knowledge have any thoughts I'd be so grateful for the help.  I'm hoping that the Deco Parental Controls are misreading something.  But the fact that I'm getting hits from all my devices makes me think there is some IP spoofing going on.  Is this possible?  What would the point be?  What is the easiest solution?

#2
Re:Mystery Wujie/UltraSurf router warnings—MAC spoofing?
2020-09-27 09:41:14

@HarlanPepper 

 

Hi, can I have a screenshot showing these Wujie/UltraSurf requests? You may try to install software like Wireshark on one computer to capture the logs and analyze.

#3
Re:Mystery Wujie/UltraSurf router warnings—MAC spoofing?
2020-09-27 18:54:34

@TP-Link_Deco 

I've attached both the message list and a sample log from the Deco app.  Please view this thread if you can and see if it makes some sense in diagnosing these likely false positives.  No one in the house is using Ultrasurf.  Seems likely that something fairly normal is making the controls think this is Ultrasurf.  

https://www.reddit.com/r/HomeNetworking/comments/j07rzy/mystery_wujieultrasurf_router_warningsmac_spoofing/

 

#4
Re:Mystery Wujie/UltraSurf router warnings—MAC spoofing?
2020-09-29 02:15:07

@HarlanPepper 

 

Hi, thanks a lot for the screenshot on your Deco app.

 

We will follow it up via email, please check your email box and respond, thanks.

 

 

#5
Re:Mystery Wujie/UltraSurf router warnings—MAC spoofing?
2020-10-15 20:09:34

@TP-Link_Deco I am having the same issue on my network. Also a Mac running the latest software update. I don't have Chrome installed (only Safari) so no extension. I also did a clean install three days ago hoping it would solve the issue. I have installed minimal additional software. So please post the answer here. 

#6
Re:Mystery Wujie/UltraSurf router warnings—MAC spoofing?
2020-10-16 01:28:22

@Geowal 

 

Hello, thanks for bringing this up again.

 

HarlanPepper's case was previously escalated to our engineers, but we didn't get a response from him when the engineers tried to follow it up. Sorry about that.

For the issue you reported, our engineers actually assume it might be some applications on the local device, the Mac computer in your case, that attempt to visit Wujie/Ultrasurf, and it may be hard to identify which app on the Mac causes this notification. Do you remember when you began to see this notification, and were there any changes on your Mac? Can you please also help verify the below?

 

Firstly, we want to check if the notification is caused by Parental Control settings or not. Would you please try to remove all the Parental Control settings, and check if you still receive the same notification on the Deco app?

If yes, try to disable the antivirus options on the Deco app, then check again.


Thanks a lot~

#7
Re:Mystery Wujie/UltraSurf router warnings—MAC spoofing?
2020-10-23 19:25:24

@TP-Link_Deco 

Hi.  I just replied to the last email to the engineers regarding this problem.

 

Here is what I wrote:

I have removed the Wujie/UltraSurf App/Website option as a filter from all the profiles that were triggering the warnings. 

As a result, there are no more warnings on users, even with Teen and Adult settings still in place.

 

Would you like me to re-add the Wujie/UltraSurf filter to some profiles and then disable the Antivirus service in order to isolate the triggering service (PC vs AV)?

 

 

#8
Re:Mystery Wujie/UltraSurf router warnings—MAC spoofing?
2020-10-27 01:58:35

@HarlanPepper 

 

Hi, thanks for the update. That means some of your devices or applications are visiting this Wujie/UltraSurf App/Website or some kind of extension, but we cannot tell you which application, as the Deco only records this visiting history.

 

Anyway, if you still have any inquiries, please respond to our engineer and she will try to help you out. Thanks.

#9
Re:Mystery Wujie/UltraSurf router warnings—MAC spoofing?
2020-10-27 02:55:23

@TP-Link_Deco 

 

I appreciate the engineers' time and research in investigating this issue.  I am, unfortunately, not satisfied with this explanation.  No one is using this Wujie service.  And the odds that virtually every device in my home is triggering visit warnings would have to mean that very basic services (Instagram, Twitter, TikTok, Safari/Chrome browsing, etc.) are using Wujie as some sort of backend relay (right?).  I don't think it can be a browser extension because mobile devices generate the warnings as often as Chrome browsing.  I am tech savvy-ish, but am not an IT expert by any means, so I am very open to a more creative explanation, but it seems most likely that these are false positives generated for some other reason.

 

I am also not going to give this any more thought as it is not legitimate to my network security since it does not accurately describe user behavior.  My advice to others who are inundated by these warnings is to just remove the service as a filter option.  

#10