[arch-security] strange netstat connections after having opened Firefox
Elmar Stellnberger
estellnb at elstel.org
Sat Dec 5 09:32:50 UTC 2015
On 04.12.2015 23:31, Jonathan Roemer wrote:
>> * What malware prevention service would connect to the IP of a
>> !!mobile device??!! - none!
>
> You are assuming that this whois lookup is reliable, which it very
> frequently is not. IP space is bought and sold all the time, and whois
> data may not be updated to reflect this.
A wrong entry in whois?
According to my knowledge there should not be any 'wrong' entries in
whois as every IP/domain is associated with a timespan and a real world
address which is tested to be valid by the domain registrar; f.i. the
whois data I provide for my own domain elstel.org was checked from time
to time; stating wrong data would lead to the withdrawal of my domain.
Can you show me any current and valid examples of wrong/outdated whois
entries *?
>
>> * What has Amazon Technologies Inc. to do with all of that? - nothing!
>
> AWS
Wikipedia: In 2013 it became public knowledge that AWS (Amazon Web
Services) has received a big work order directly from the CIA. I do not
want to be unduly paranoid, but this does not appear to be one of the
most trustworthy places in the net.
> As mentioned by myself and others, Firefox, and possibly other
> applications, may be making these connections as well. All of those
> suggested tiles, favicons, OCSP responder servers, and other resources
> have to be loaded from somewhere, and these are opt-out within Firefox,
> not opt-in.
>
Be it as it is; I cannot examine every incident in detail; nonetheless
I know from previous incidents that unnaturally high and long CPU
load can point to intrusions.
* I will have to confess that it would be possible to state a wrong
address for the whois records without anyone obtaining knowledge about
that soon. Nonetheless such an incident would even more point to some
abnormal/illegal activity. Likely registrars do not have sufficient
rights or access to citizen data in order to verify each entry.
More important: IPs and domains are regularly reassigned and
transferred, but then so immediately is the whois data on completion of
such transfers; otherwise your resources are still 'in transfer', which
means that there is no way to access / get hold of them.