[arch-security] strange netstat connections after having opened Firefox

Elmar Stellnberger estellnb at elstel.org
Fri Dec 4 23:26:31 UTC 2015


Whois; why have I not thought about it at once!

---- 92.92.207.51 ----
inetnum:        92.92.0.0 - 92.95.255.255
netname:        SFR-USER-DATA
descr:          Pool for mobile data users
descr:          Dynamic IP
country:        FR

---- 195.154.59.140 ----
inetnum:        195.154.48.0 - 195.154.63.255
netname:        ISDNET-4
descr:          Tiscali France Backbone
country:        FR

---- 52.32.86.111 ----
NetRange:       52.32.0.0 - 52.63.255.255
CIDR:           52.32.0.0/11
NetName:        AT-88-Z
NetHandle:      NET-52-32-0-0-1
Parent:         NET52 (NET-52-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Amazon Technologies Inc. (AT-88-Z)

---- 46.4.37.89 ----
inetnum:        46.4.37.64 - 46.4.37.127
netname:        HETZNER-RZ13
descr:          Hetzner Online AG
descr:          Datacenter 13
country:        DE

So from my point there is still something to be said:
* What malware prevention service would connect to the IP of a !!mobile device??!! - none!
* What has Amazon Technologies Inc. to do with all of that? - nothing!
* sometimes the kraken can also sit in a datacenter or a backbone and this is known
-> I had just opened the page of the router in my LAN and nothing else.

Last but not least, the most unerring sign that something went wrong was, 
in my mind, the enduringly long and high CPU fan load (though it is a 
pity that I did not have a closer look, at least with system utilities). It 
NEVER occurs with a Xi3650 unless it is put under 100% CPU load for 
quite some time!

Sincerely,
Elmar


On 2015-12-04 at 21:59, mal wrote:
> You can figure out who owns IP addresses using `whois`. I assume that's
> what was used.
>
> CPU fan speed is a bad measure of CPU usage; try `top`, `htop`, etc.
>
> If you value privacy, you should consider using your own recursive resolver.
>
>
> On 12/04/2015 05:46 PM, Elmar Stellnberger wrote:
>> ok; fine to know Remi; then there was already everything good with the
>> configuration Jonathan had recommended me! (Qwant will have been there
>> because of the search machine status bar)
>>
>> However what I would find really interesting are the remaining servers
>> that there was a connection to when the '100% CPU fan' bug hit my
>> machine. I really did nothing at all when it heated up that much; - and
>> the desktop search should not have caused that, I would at least believe.
>>
>> Elmar
>>
>> P.S.: By the way which name server did you use for reverse lookup, Remi?
>> 208.67.222.222 (OpenDNS server) did not do that for me in case of the
>> Qwant search engine; even sites like ping.eu do not succeed in the
>> reverse lookup of the 194.187.168.xx addresses.
>>
>
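The workflow the thread describes (list the current connections with netstat, discard LAN peers such as the router, and attribute every remaining remote address with whois) can be scripted so it is repeatable the next time a machine misbehaves. The following is an added example, not code from the thread or from Arch; it assumes `netstat -tn` column order (foreign address in the fifth column), a system `whois` client on PATH, and it embeds constructed netstat lines plus the whois records quoted above so that it runs offline. The function and variable names (`remote_addresses`, `parse_whois`, `attribute_connections`, `SAMPLE_*`) are my own.

```python
"""Attribute the remote endpoints in netstat output with whois records.

Added example (not from the mailing-list thread): parse the foreign-address
column, drop private/loopback/link-local peers, and map each public IP to the
range/netname/descr/country fields whois returns, so every connection can be
checked against what the machine was actually expected to be doing.
"""
import ipaddress
import re
import subprocess

# Constructed sample in the shape of `netstat -tn` output (not a real capture).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.23:44210      52.32.86.111:443        ESTABLISHED
tcp        0      0 192.168.1.23:44388      46.4.37.89:443          ESTABLISHED
tcp        0      0 192.168.1.23:60122      92.92.207.51:443        TIME_WAIT
tcp        0      0 192.168.1.23:41000      192.168.1.1:80          ESTABLISHED
tcp6       0      0 ::1:631                 ::1:49112               ESTABLISHED
"""

# Whois answers taken from the records quoted in the thread, embedded here so the
# example runs offline; `whois_lookup` below asks the real whois servers instead.
SAMPLE_WHOIS = {
    "52.32.86.111": """\
NetRange:       52.32.0.0 - 52.63.255.255
CIDR:           52.32.0.0/11
NetName:        AT-88-Z
OriginAS:
Organization:   Amazon Technologies Inc. (AT-88-Z)
""",
    "46.4.37.89": """\
inetnum:        46.4.37.64 - 46.4.37.127
netname:        HETZNER-RZ13
descr:          Hetzner Online AG
descr:          Datacenter 13
country:        DE
""",
    "92.92.207.51": """\
inetnum:        92.92.0.0 - 92.95.255.255
netname:        SFR-USER-DATA
descr:          Pool for mobile data users
descr:          Dynamic IP
country:        FR
""",
}


def remote_addresses(netstat_text):
    """Distinct foreign IPs from netstat-style lines, in order of appearance,
    skipping loopback, link-local and RFC 1918 space (the LAN router etc.)."""
    seen = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        host, _, _port = parts[4].rpartition(":")   # IPv4 and bare IPv6 alike
        host = host.strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            continue
        if host not in seen:
            seen.append(host)
    return seen


def parse_whois(text):
    """Extract attribution fields from a RIPE-style (lower-case keys) or
    ARIN-style (CamelCase keys) record; keys are matched case-insensitively.
    Repeated descr: lines are joined; empty values (e.g. 'OriginAS:') are dropped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z-]*):\s*(.*)$", line)
        if not m or not m.group(2).strip():
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())

    def first(*keys):
        for key in keys:
            if key in fields:
                return fields[key][0]
        return None

    return {
        "range": first("inetnum", "netrange"),
        "netname": first("netname"),
        "descr": " / ".join(fields.get("descr") or fields.get("organization") or []),
        "country": first("country"),
    }


def whois_lookup(ip):
    """Run the system `whois` client for one address (needs network access)."""
    proc = subprocess.run(["whois", ip], capture_output=True, text=True, check=False)
    return proc.stdout


def attribute_connections(netstat_text, lookup=whois_lookup):
    """Map each public remote IP in the netstat output to its whois attribution."""
    return {ip: parse_whois(lookup(ip)) for ip in remote_addresses(netstat_text)}


if __name__ == "__main__":
    # Offline run over the constructed sample; drop the lookup= argument to
    # query whois for real output, e.g. attribute_connections(open("netstat.txt").read()).
    report = attribute_connections(SAMPLE_NETSTAT, lookup=lambda ip: SAMPLE_WHOIS.get(ip, ""))
    for ip, info in report.items():
        print(f"{ip:16} {info['netname'] or '?':14} {info['country'] or '??':2}  {info['descr']}")
```

Whois tells you who the address block is allocated to, not which service runs on the host: a Hetzner or Amazon range can hold anything from a distribution mirror to an extension's update server, so the output is a list of leads to compare against the browser's known destinations (telemetry, safe-browsing, search suggestions), not a verdict. Pair it with `top`/`htop` or `ps` while the load is actually occurring, as mal suggests above, so that the process owning each socket is recorded rather than inferred from fan noise afterwards.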

