Unknown Connections -- Help



#1 LinuxPhreak

LinuxPhreak

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:16 AM

Posted 11 August 2017 - 12:19 PM

Okay, so I've been having some bizarre things happen on my network, so I've been carefully monitoring it using netstat. I noticed that when using netstat -tp with no programs that use the internet running, I get the following result.
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name 
Looks fine. However, as soon as I start Firefox I get the following.
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 localhost.localdo:59222 server-54-192-48-:https TIME_WAIT   -                   
tcp        0      0 localhost.localdo:59212 72.21.91.29:http        ESTABLISHED 1966/firefox        
tcp        0      0 localhost.localdo:56082 a23-215-130-83.dep:http ESTABLISHED 1966/firefox        
tcp        0      0 localhost.localdo:48066 ec2-54-148-180-13:https ESTABLISHED 1966/firefox        
tcp        0      0 localhost.localdo:33350 ec2-54-69-227-52.:https ESTABLISHED 1966/firefox        
tcp        0      0 localhost.localdo:59260 72.21.91.29:http        ESTABLISHED 1966/firefox        
tcp        0      0 localhost.localdo:48070 ec2-54-148-180-13:https ESTABLISHED 1966/firefox        
tcp        0      0 localhost.localdo:42548 ec2-54-69-100-200:https ESTABLISHED 1966/firefox        
tcp        0      0 localhost.localdo:54314 server-54-192-48-:https ESTABLISHED 1966/firefox        
tcp        0      0 localhost.localdo:46430 server-54-192-48-:https ESTABLISHED 1966/firefox        
tcp        0      0 localhost.localdo:54312 server-54-192-48-:https ESTABLISHED 1966/firefox        
tcp6       0      0 localhost.localdo:35428 2607:f188::dead:b:https TIME_WAIT   -                   
tcp6       0      0 localhost.localdo:59964 lga25s60-in-x0e.1:https ESTABLISHED 1966/firefox        
tcp6       0      0 localhost.localdo:48404 lga25s54-in-x0e.1e:http ESTABLISHED 1966/firefox        
tcp6       0      0 localhost.localdo:45748 lga34s15-in-x0e.1:https ESTABLISHED 1966/firefox        
tcp6       0      0 localhost.localdo:48406 lga25s54-in-x0e.1e:http TIME_WAIT   -                   
tcp6       0      0 localhost.localdo:35432 2607:f188::dead:b:https TIME_WAIT   -                   
tcp6       0      0 localhost.localdo:35434 2607:f188::dead:b:https TIME_WAIT   -                   
tcp6       0      0 localhost.localdo:48408 lga25s54-in-x0e.1e:http TIME_WAIT   -                   
tcp6       0      0 localhost.localdo:48416 lga25s54-in-x0e.1e:http ESTABLISHED 1966/firefox        
tcp6       0      0 localhost.localdo:52938 lga25s60-in-x0a.1:https ESTABLISHED 1966/firefox        
tcp6       0      0 localhost.localdo:57930 lga34s18-in-x03.1:https ESTABLISHED 1966/firefox        
tcp6       0      0 localhost.localdo:48402 lga25s54-in-x0e.1e:http ESTABLISHED
This shouldn't be, since I don't have Firefox configured to save history, and I have it set to clear all data when I restart it. I also have Firefox use about:blank for its home page. So there should be no reason that I get this as soon as I start Firefox.
 
I decided to install Wireshark and see what I could get from that. I'm not an expert at Wireshark, but I think there are some issues with what I've got from it. I think my browser may have been hooked. So I did:
sudo dnf remove firefox -y
y
I then went through the entire system and did the following. I did this thinking my browser may have been hooked or had malicious code injected into it:
# rm -r -R mozilla
# rm -r -R firefox
Wherever I could find it. During the process of doing this I came across suspicious files such as arpd, which I would think would be an ARP daemon, and other ARP files, as well as scripts in cron directories and SSH scripts.
 
This is really kind of scary. And what makes it even scarier is that I reinstalled Firefox and the issue still happens. I've run COMODO AV and nothing was found. I think one of the files I have on a drive is the problem, since every device on my network has the same type of problem, Windows as well as Linux.
 
 
Also, when I look up some of the IP addresses I'm getting, I get this from Google: https://www.abuseipdb.com/check/192.0.73.2 which is kind of concerning.
 
Anyone want to assist me in fixing this issue?

Edited by Al1000, 12 August 2017 - 08:23 AM.
moved from Linux & Unix



#2 Mike_Walsh

Mike_Walsh

    Bleepin' 'Puppy' nut..!!


  • Members
  • 1,283 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:King's Lynn, UK
  • Local time:05:16 AM

Posted 15 August 2017 - 06:40 PM

I don't think it's actually an 'issue', as such. Each of those connections probably represents a single item on some of today's hugely crammed-full webpages...

 

You need to understand that modern web browsers are enormously complex chunks of code. When you fire 'em up, they all, without exception, tend to 'make' all sorts of connections during initialization. This is perfectly normal for a browser, and is 'hard-coded' into them. Nothing that you, as a user, can do will affect or even remotely alter this activity.

 

These links might give you some ideas as to what's actually going on:-

 

https://www.experts-exchange.com/questions/28274585/How-many-Browser-connections-should-there-be-Why-so-many-with-one-open-browser.html

 

http://www.dslreports.com/forum/r5583090-Netstat-shows-sooo-many-connections-Why (last post gives the clue)

 

http://www.zdnet.com/article/firefox-3-beta-5-how-many-connections-is-too-many/

 

Most of these are older articles and forum threads, it's true.....but the protocols involved are as relevant today as they were then. And it all seems to be centred around the HTTP regulations, as quoted here from the third link:-

 

"Most HTTP servers and browsers use a protocol called "keep-alive" that doesn't close the connection when the client is done with it. This makes sense; opening a remote connection is expensive so it's much faster to open one and download 20 small items than to open and close a connection 20 times. Unfortunately the server can't tell exactly when the client is done, so all these connections are kept alive and consume resources on the server for some time.

 

In previous versions of Firefox, the maximum number of persistent (keep-alive) connections was set to 2. The number 2 is recommended by the HTTP 1.1 spec which says:

 


 

Clients that use persistent connections SHOULD limit the number of simultaneous connections that they maintain to a given server. A single-user client SHOULD NOT maintain more than 2 connections with any server or proxy. A proxy SHOULD use up to 2*N connections to another server or proxy, where N is the number of simultaneously active users. These guidelines are intended to improve HTTP response times and avoid congestion.

The spec was written in 1999 when high-speed internet connections were just (if you'll pardon the pun) a pipe dream for most users. Recently, many browsers have begun to bump the limits. Sylvian Pasche wrote a test (which you can run here) to find out the default settings for a number of major browsers. Here's what Sylvian found:

 


 

Firefox 2: 2
Firefox 3 beta 4: 2
Opera 9.26: 4
Opera 9.5 beta: 4
Safari 3.0.4 Mac/Windows: 4
IE 7: 2
IE 8: 6

A few hours after seeing that Firefox would have the smallest default value, Mozilla developers created a patch that increased the default to the same value used by IE8: 6 persistent connections."

 

------------------------------------

 

And this was 20 years ago, near enough. Use your imagination to figure out how the web 'landscape' has changed, and how much more vastly complex everything has become.....and you may be a wee bit closer to understanding why your browser opens so many connections. In simple terms, it needs them.

 

Run the linked test. It'll show you just how many connections are being made to the web-server for just that one, single page.....and it may surprise you.

 

If you're that worried by all this, there's always the ultimate solution, y'know.

 

It's called the 'OFF' switch..!! :P

 

 

Mike. :wink:


Edited by Mike_Walsh, 15 August 2017 - 06:51 PM.

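The first post lists raw netstat -tp output and asks whether it is explainable; the reply explains it as keep-alive connections, up to six per server for Firefox. The script below is an added example (not code from either post) that turns such a listing into the three answers you actually want: how many ESTABLISHED connections each program owns, how many go to each foreign host from each program (compared against the per-server limit of 6 the quoted article gives), and which connections show no owning process. The sample input is constructed to match the column layout of the output in the first post (same truncated hostnames, same 1966/firefox owner); the final line, an ssh connection to the documentation address 192.0.2.10, is invented purely so the "unexpected program" check has something to report, and the file name in the usage note is an assumption.

```python
"""Summarise `netstat -tp` output the way you would when checking whether
the connections a browser opens are explainable.  Added example; the
sample below is constructed to match the column layout of the output in
the first post, not captured from anyone's machine."""
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in `netstat -tp` layout.  Hostnames are truncated the
# way netstat truncates them; 1966/firefox mirrors the post.  The final
# line (192.0.2.10 is a documentation/TEST-NET address) is invented only so
# the "unexpected program" check has something to report.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:59222 server-54-192-48-:https TIME_WAIT   -
tcp        0      0 localhost.localdo:59212 72.21.91.29:http        ESTABLISHED 1966/firefox
tcp        0      0 localhost.localdo:48066 ec2-54-148-180-13:https ESTABLISHED 1966/firefox
tcp        0      0 localhost.localdo:48070 ec2-54-148-180-13:https ESTABLISHED 1966/firefox
tcp        0      0 localhost.localdo:54314 server-54-192-48-:https ESTABLISHED 1966/firefox
tcp        0      0 localhost.localdo:46430 server-54-192-48-:https ESTABLISHED 1966/firefox
tcp        0      0 localhost.localdo:54312 server-54-192-48-:https ESTABLISHED 1966/firefox
tcp6       0      0 localhost.localdo:35428 2607:f188::dead:b:https TIME_WAIT   -
tcp6       0      0 localhost.localdo:59964 lga25s60-in-x0e.1:https ESTABLISHED 1966/firefox
tcp6       0      0 localhost.localdo:48402 lga25s54-in-x0e.1e:http ESTABLISHED
tcp        0      0 localhost.localdo:50210 192.0.2.10:ssh          ESTABLISHED 2310/ssh
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: str
    foreign_host: str
    foreign_port: str
    state: str
    pid: Optional[int]
    program: Optional[str]


def _split_addr(addr: str):
    # Split on the LAST colon: IPv6 foreign addresses such as
    # 2607:f188::dead:b:https contain colons themselves.
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text: str) -> list:
    """Parse `netstat -tp` (or -tpn) text into Conn records, skipping headers."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, _recvq, _sendq, local, foreign, state = fields[:6]
        pid = program = None
        # Column 7 is "PID/Program" or "-".  It is absent on a truncated
        # line and "-" when the socket has no owner (TIME_WAIT) or when
        # the owner belongs to another user and netstat was not run as root.
        if len(fields) >= 7 and fields[6] != "-":
            pid_str, _, program = fields[6].partition("/")
            pid = int(pid_str) if pid_str.isdigit() else None
            program = program or None
        lh, lp = _split_addr(local)
        fh, fp = _split_addr(foreign)
        conns.append(Conn(proto, lh, lp, fh, fp, state, pid, program))
    return conns


def summarize(conns, expected_programs=("firefox",), per_host_limit=6) -> dict:
    """Answer the questions a netstat listing raises.

    per_host_limit=6 is the persistent-connections-per-server default the
    quoted article says Firefox adopted; more than that to one host from
    one program is worth a second look, fewer is ordinary keep-alive.
    """
    established = [c for c in conns if c.state == "ESTABLISHED"]
    by_program = Counter(c.program or "(none)" for c in established)
    per_host = Counter((c.program, c.foreign_host) for c in established)
    return {
        "by_program": by_program,
        "per_host": per_host,
        "over_limit": {k: n for k, n in per_host.items() if n > per_host_limit},
        # Programs other than the browser holding connections.
        "unexpected": sorted({c.program for c in established
                              if c.program and c.program not in expected_programs}),
        # ESTABLISHED but no owner shown: rerun as root before drawing conclusions.
        "unowned_established": [c for c in established if c.pid is None],
    }


if __name__ == "__main__":
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    report = summarize(parse_netstat(text))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as `sudo netstat -tp | python3 netstat_summary.py` (file name assumed); without sudo, sockets owned by other users show "-" and land in unowned_established, which is the caveat the truncated last line of the original listing illustrates. On the sample, everything ESTABLISHED belongs to one firefox PID, no host sees more than three connections from it (well under the limit of 6), and the only "unexpected" entry is the invented ssh line. Adding -n avoids the truncated reverse-DNS names and gives you raw addresses to look up; the newer ss -tp prints a different layout, so this parser is for netstat only.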

 

 




