[arch-security] strange netstat connections after having opened Firefox
Elmar Stellnberger
estellnb at elstel.org
Fri Dec 4 21:58:07 UTC 2015
Thanks for the provided material and info, Jonathan;
Unfortunately I cannot entirely prevent Firefox from connecting to
apparently random web addresses once I open it; not even with the
settings (malware, phishing) you recommended I try; not even with all
addons disabled. Three servers that were contacted while/upon
an about:blank invocation:
> nslookup 178.255.83.1
1.83.255.178.in-addr.arpa name = ocsp.comodoca.com.
> nslookup 194.187.168.99
** server can't find 99.168.187.194.in-addr.arpa: NXDOMAIN
> nslookup 194.187.168.106
** server can't find 106.168.187.194.in-addr.arpa: NXDOMAIN
Annoying; isn't it? I'd simply wish for a more trustworthy OSS browser.
In the meantime I have also tried to find out about the servers in the 100%
CPU load netstat list; however I could not find much useful information
except two of the servers being Arch mirrors. I would have believed the
phishing and malware protection services to be publicly known mirrors,
Google services or anything similar. I mean it must not connect to any
unknown service randomly.
> for i in 5.196.185.225 92.92.207.51 195.154.59.140 178.63.62.19 52.32.86.111 46.4.37.89; do nslookup $i 2>&1; done | grep name
225.185.196.5.in-addr.arpa name = arch.tamcore.eu.
(French arch mirror, likely a relict of installing cups related
software before using Firefox)
51.207.92.92.in-addr.arpa name = 51.207.92.92.rev.sfr.net.
(no direct web search results, except for the term SFR)
140.59.154.195.in-addr.arpa name = ns1.polymorf.fr.
(polymorf.fr hosts some web pages about FreeBSD, never visited**)
19.62.63.178.in-addr.arpa name = pseudoform.org.
(German arch mirror, likely a relict of installing cups)
111.86.32.52.in-addr.arpa name = ec2-52-32-86-111.us-west-2.compute.amazonaws.com.
(Firefox can not access this site*)
89.37.4.46.in-addr.arpa name = web.pluto.js-webcoding.de.
(no web searching results on this address)
* similar site: Info ec2-50-18-20-244.us-west-1.compute.amazonaws.com
Alexa Rank: 154
Title: ec2-50-18-20-244.us-west-1.compute.amazonaws.com
Description: ec2-50-18-20-244.us-west-1.compute.amazonaws.com visitors,
seo, traffic and competition. Website located in United States. Hosted
in Seattle. With ip 50.18.20.244. World rank is 154.
Visits per day: 1,575,330
Daily Ads Revenue: $18,888.6
Creation Date: No info
Domain Age: N/A
Ip: 50.18.20.244
Last update: 10-02-2013 00:55:59 (2 years ago)
** according to http://urlmetriques.co/www.polymorf.fr
SFR (an orphan acronym of Société française du radiotéléphone [4]) is a
French telecommunications company that provides voice, video, data, and
Internet ...
(my internet connection starts at the "3" (drei) provider for Austria)
On 2015-12-04 at 20:10, Jonathan Roemer wrote:
>> The only web page I have opened today with this machine is indeed
>> the page of my router (http://192.168.100.1:80) as confirmed by
>> 'visited pages'. Could the remote web addresses which we saw in the
>> netstats belong to anything queried by some Firefox
>
> Note that Firefox makes a good number of network requests whenever it
> starts, unless you have modified it not to do so. These include:
>
> Heartbeat
> https://wiki.mozilla.org/Advocacy/heartbeat
>
> Google's safe browsing, malware, and phishing protection
> https://www.privacytools.io/#about_config
>
> And various Akamai servers to check for add-on updates.
>
> That's all that I can remember off the top of my head, but do not expect
> Firefox to not make network requests simply because you have not
> navigated to any websites.
>
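
The lookup procedure from this message, as an added example that is not part of the original post: it pulls one program's remote endpoints out of `netstat -tnp` output and checks whether each PTR name also resolves forward to the same address. The sample netstat text (ports, local address, PIDs) and all function names are constructed for illustration; the remote addresses are ones quoted in the message.

```python
import ipaddress
import socket

# Constructed sample in `netstat -tnp` layout; ports, PIDs and local address are made up.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.100.20:41234    178.255.83.1:80         ESTABLISHED 2211/firefox
tcp        0      0 192.168.100.20:41240    194.187.168.99:443      ESTABLISHED 2211/firefox
tcp        0      0 192.168.100.20:51022    178.63.62.19:80         TIME_WAIT   -
tcp        0      0 192.168.100.20:22       192.168.100.7:50514     ESTABLISHED 801/sshd
"""

def remotes_for(netstat_text, program):
    """Return sorted unique (ip, port) pairs whose owning process is `program`."""
    found = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 7 or not cols[0].startswith("tcp"):
            continue  # header line or a row without a PID/Program column
        if cols[6].partition("/")[2] != program:
            continue  # other process, or "-" when the owner is not visible
        ip, _, port = cols[4].rpartition(":")
        found.add((ip, int(port)))
    return sorted(found)

def system_ptr(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name):
    """Forward lookup; returns the set of addresses the name resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def attribute(ip, ptr=system_ptr, forward=system_forward):
    """Classify a remote address: no PTR, PTR only, or forward-confirmed PTR."""
    name = ptr(ip)
    if name is None:
        return (ipaddress.ip_address(ip).reverse_pointer, "no-ptr")
    # The PTR zone belongs to the address owner, so the name is only a hint
    # until the same name resolves back to this address.
    return (name, "confirmed" if ip in forward(name) else "ptr-only")
```

On a live system, feed `remotes_for` the output of `netstat -tnp` run as root so the PID/Program column is populated, then call `attribute(ip)` with the default resolvers.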