[arch-security] strange netstat connections after having opened Firefox
estellnb at elstel.org
Sat Dec 5 09:32:50 UTC 2015
On 04.12.2015 23:31, Jonathan Roemer wrote:
>> * What malware prevention service would connect to the IP of a
>> !!mobile device??!! - none!
> You are assuming that this whois lookup is reliable, which it very
> frequently is not. IP space is bought and sold all the time, and whois
> data may not be updated to reflect this.
A wrong entry in whois?
According to my knowledge there should not be any 'wrong' entries in
whois as every IP/domain is associated with a timespan and a real world
address which is tested to be valid by the domain registrar; f.i. the
whois data I provide for my own domain elstel.org was checked from time
to time; stating wrong data would lead to the withdrawal of my domain.
Can you show me any current and valid examples of wrong/outdated whois
>> * What has Amazon Technologies Inc. to do with all of that? - nothing!
Wikipedia: In 2013 it became public knowledge that AWS (Amazon Web
Services) has received a big work order directly from the CIA. I do not
want to be overduely paranoid but this does not appear to be one of the
most trustworthy places in the net.
> As mentioned by myself and others, Firefox, and possibly other
> applications, may be making these connections as well. All of those
> suggested tiles, favicons, OCSP responder servers, and other resources
> have to be loaded from somewhere, and these are opt-out within Firefox,
> not opt-in.
be it as it is; I can not examine every incident in detail; nonetheless
I know that from previous incidents that unnatural high and long CPU
load can point to intrusions.
* I will have to confess that it would be possible to state a wrong
address for the whois records without anyone obtaining knowledge about
that soon. Nonetheless such an incident would even more point to some
abnormal/ illegeal activity. Likely registrars do not have sufficient
rights or access to citizen data in order to verify each entry.
more important: IP and domains are regularely reassigned and
transferred but then so immediately is the whois data on completion of
such transfers; otherwise your resources are still 'in transfer' which
means that there is no way to access / get hold of them.
More information about the arch-security