[arch-security] strange netstat connections after having opened Firefox

Elmar Stellnberger estellnb at elstel.org
Fri Dec 4 21:58:07 UTC 2015

Thanks for the provided material and info, Jonathan;

Unfortunately I cannot entirely prevent Firefox from connecting to 
apparently random web addresses once I open it; not even with the 
settings (malware, phishing) you recommended I try; not even 
with all addons disabled. Three servers that were contacted while/upon 
an about:blank invocation:

 > nslookup       name = ocsp.comodoca.com.

 > nslookup
** server can't find NXDOMAIN

 > nslookup
** server can't find NXDOMAIN

Annoying, isn't it? I'd simply wish for a more trustworthy OSS browser.

In the meantime I have also tried to find out about the servers in the 100% 
CPU load netstat list; however I could not find much useful information 
except two of the servers being Arch mirrors. I would have believed the 
phishing and malware protection services to be publicly known mirrors, 
Google services or anything similar. I mean it must not connect to any 
unknown service randomly.

 > for i in; do nslookup $i 2>&1; done  | grep name
      name = arch.tamcore.eu.
         (French arch mirror, likely a relict of installing cups related software before using Firefox)
      name =
         (no direct web search results, except for the term SFR)
      name = ns1.polymorf.fr.
         (polymorf.fr hosts some web pages about FreeBSD, never visited**)
      name = pseudoform.org.
         (German arch mirror, likely a relict of installing cups)
      name = ec2-52-32-86-111.us-west-2.compute.amazonaws.com.
         (Firefox can not access this site*)
      name = web.pluto.js-webcoding.de.
         (no web searching results on this address)

*  similar site: Info ec2-50-18-20-244.us-west-1.compute.amazonaws.com
Alexa Rank: 	154
Title: 	ec2-50-18-20-244.us-west-1.compute.amazonaws.com
Description:		ec2-50-18-20-244.us-west-1.compute.amazonaws.com visitors, 
seo, traffic and competition. Website located in United States. Hosted 
in Seattle. With ip World rank is 154.
Visits per day: 	1,575,330
Daily Ads Revenue: 	$18,888.6
Creation Date: 	No info
Domain Age: 	N/A
Last update: 	10-02-2013 00:55:59 (2 years ago)

** according to http://urlmetriques.co/www.polymorf.fr

SFR (an orphan acronym of Société française du radiotéléphone [4]) is a 
French telecommunications company that provides voice, video, data, and 
Internet ...

(my internet connection starts at the "3" (drei) provider for Austria)

On 2015-12-04 at 20:10, Jonathan Roemer wrote:
>> The only web page I have opened today with this machine is indeed
>> the page of my router ( as confirmed by
>> 'visited pages'. Could the remote web addresses which we saw in the
>> netstats belong to anything queried by some Firefox
> Note that Firefox makes a good number of network requests whenever it
> starts, unless you have modified it not to do so. These include:
> Heartbeat
> https://wiki.mozilla.org/Advocacy/heartbeat
> Google's safe browsing, malware, and phishing protection
> https://www.privacytools.io/#about_config
> And various Akamai servers to check for add-on updates.
> That's all that I can remember off the top of my head, but do not expect
> Firefox to not make network requests simply because you have not
> navigated to any websites.
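
The thread tries to work out which of the addresses in a system-wide netstat list actually belong to Firefox. The following is an added example, not part of the original messages: it attributes peers to a process by parsing `ss -tnp` output before any reverse lookup. The sample socket list is constructed (documentation-range addresses), and the helper names `peers_of`, `rdns` and `report` are assumptions of this example.

```bash
#!/usr/bin/env bash
# Constructed sample of `ss -tnp` output; addresses are documentation ranges.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:52314 203.0.113.7:443 users:(("firefox",pid=2231,fd=58))
ESTAB 0 0 192.168.1.10:52316 203.0.113.7:443 users:(("firefox",pid=2231,fd=61))
ESTAB 0 0 192.168.1.10:40022 198.51.100.20:80 users:(("pacman",pid=3110,fd=5))
ESTAB 0 0 [2001:db8::10]:41000 [2001:db8::53]:443 users:(("firefox",pid=2231,fd=70))
TIME-WAIT 0 0 192.168.1.10:40100 192.0.2.44:80'

# peers_of PROC: read `ss -tnp` text on stdin and print the unique peer
# addresses of sockets owned by PROC. Sockets with no owning process
# (e.g. TIME-WAIT) and sockets of other programs are skipped.
peers_of() {
  awk -v proc="$1" '
    index($0, "(\"" proc "\",") {
      peer = $5
      sub(/:[0-9]+$/, "", peer)   # drop the port
      gsub(/\[/, "", peer)        # drop IPv6 brackets
      gsub(/\]/, "", peer)
      print peer
    }' | LC_ALL=C sort -u
}

# rdns IP: reverse-resolve through the system resolver; "-" when no name exists.
rdns() {
  name=$(getent hosts "$1" | awk '{print $2; exit}')
  printf '%s\n' "${name:--}"
}

# report PROC: live use. Needs network access, and root to see sockets
# that belong to other users.
report() {
  ss -tnp | peers_of "$1" | while read -r ip; do
    printf '%s\t%s\n' "$ip" "$(rdns "$ip")"
  done
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SS" | peers_of firefox
```

Running `report firefox` and `report pacman` separately shows whether a mirror address belongs to the browser or to package management.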
