[arch-security] strange netstat connections after having opened Firefox
estellnb at elstel.org
Fri Dec 4 21:58:07 UTC 2015
Thanks for the provided material and info, Jonathan;
Unfortunately I can not prevent Firefox entirely from connecting to
apparently random web addresses once I open it; not even with the
settings (malware, phishing) you have recommended me to try; not even
with disabling all addons. Three servers that were contacted while/upon
an about:blank invocation:
> nslookup 18.104.22.168
22.214.171.124.in-addr.arpa name = ocsp.comodoca.com.
> nslookup 126.96.36.199
** server can't find 188.8.131.52.in-addr.arpa: NXDOMAIN
> nslookup 184.108.40.206
** server can't find 220.127.116.11.in-addr.arpa: NXDOMAIN
Annoying; isn't it? I'd simply wish a more trustworthy OSS browser.
In the meanwhile I have also tried to find about the servers in the 100%
CPU load netstat list; however I could not find much useful information
except two of the servers being Arch mirrors. I would have believed the
phishing and malware protection services to be publicly known mirrors,
Google services or anything similar. I mean it must not connect to any
unknown service randomly.
> for i in 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
184.108.40.206 220.127.116.11; do nslookup $i 2>&1; done | grep name
18.104.22.168.in-addr.arpa name = arch.tamcore.eu.
(French arch mirror, likely a relic of installing cups related
software before using Firefox)
22.214.171.124.in-addr.arpa name = 126.96.36.199.rev.sfr.net.
(no direct web search results, except for the term SFR)
188.8.131.52.in-addr.arpa name = ns1.polymorf.fr.
(polymorf.fr hosts some web pages about FreeBSD, never visited**)
184.108.40.206.in-addr.arpa name = pseudoform.org.
(German arch mirror, likely a relic of installing cups)
220.127.116.11.in-addr.arpa name =
can not access this site*)
18.104.22.168.in-addr.arpa name = web.pluto.js-webcoding.de. (no
web searching results on this address)
* similar site: Info ec2-50-18-20-244.us-west-1.compute.amazonaws.com
Alexa Rank: 154
Description: ec2-50-18-20-244.us-west-1.compute.amazonaws.com visitors,
seo, traffic and competition. Website located in United States. Hosted
in Seattle. With ip 22.214.171.124. World rank is 154.
Visits per day: 1,575,330
Daily Ads Revenue: $18,888.6
Creation Date: No info
Domain Age: N/A
10-02-2013 00:55:59 (2 years ago)
** according to http://urlmetriques.co/www.polymorf.fr
SFR (an orphan acronym of Société française du radiotéléphone ) is a
French telecommunications company that provides voice, video, data, and
(my internet connection starts at the "3" (drei) provider for Austria)
On 2015-12-04 at 20:10, Jonathan Roemer wrote:
>> The only web page I have opened today with this machine is indeed
>> the page of my router (http://192.168.100.1:80) as confirmed by
>> 'visited pages'. Could the remote web addresses which we saw in the
>> netstats belong to anything queried by some Firefox
> Note that Firefox makes a good number of network requests whenever it
> starts, unless you have modified it not to do so. These include:
> Google's safe browsing, malware, and phishing protection
> And various Akamai servers to check for add-on updates.
> That's all that I can remember off the top of my head, but do not expect
> Firefox to not make network requests simply because you have not
> navigated to any websites.
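
Added example, not part of the original thread: one way to tie remote addresses to the process that owns them before reverse-resolving them, by filtering `netstat -tnp` output on the PID/Program name column. The sample output is constructed (documentation-range peers, an assumed local address 192.168.100.23), and the function names `sample_netstat` and `remote_peers` are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `netstat -tnp` output. Peer addresses are from the
# documentation ranges; 192.168.100.1 is the router mentioned in the thread.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.100.23:51514    203.0.113.10:443        ESTABLISHED 2211/firefox
tcp        0      0 192.168.100.23:51516    203.0.113.10:443        ESTABLISHED 2211/firefox
tcp        0      0 192.168.100.23:40022    198.51.100.7:80         ESTABLISHED 2211/firefox
tcp        0      0 192.168.100.23:40100    192.168.100.1:80        ESTABLISHED 2211/firefox
tcp        0      0 192.168.100.23:38844    192.0.2.55:80           TIME_WAIT   -
tcp        0      0 192.168.100.23:39000    192.0.2.80:80           ESTABLISHED 1870/pacman
EOF
}

# remote_peers PROGRAM
# Reads `netstat -tnp` output on stdin and prints "ip port connections" for
# every established IPv4 TCP peer owned by PROGRAM, skipping private,
# loopback and link-local peers (e.g. the router's web interface).
remote_peers() {
  awk -v prog="$1" '
    $1 == "tcp" && $6 == "ESTABLISHED" {
      # Column 7 is "PID/Program name"; it is "-" when the owner is unknown.
      if (split($7, owner, "/") != 2 || owner[2] != prog) next
      split($5, peer, ":")
      ip = peer[1]
      if (ip ~ /^(10|127)\./ || ip ~ /^192\.168\./ || ip ~ /^169\.254\./ ||
          ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
      seen[ip " " peer[2]]++
    }
    END { for (k in seen) print k, seen[k] }
  ' | sort
}

# Peers that belong to firefox in the constructed sample.
sample_netstat | remote_peers firefox
```

On a live system the input would be `netstat -tnp` itself; without root, the PID/Program name column is only filled in for processes you own. Connections left over from other programs, such as the mirror connections in the list above, then drop out before any reverse lookup is done.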