KDE Neon installation is communicating with strange servers

nunyabusiness
Hi there,
Yesterday I noticed that my computer had processes that were communicating with multiple servers in Taiwan, Russia and the Netherlands under the root user and with no PID when being examined with nethogs.
Some of the nethogs output for the strange connections looked like this:

PID / USER / PROGRAM
? / root / 192.168.0.20:62406-31.135.240.103:17167

? / root / 192.168.0.20:62406-95.211.148.218:50064

? / root / 192.168.0.20:52313-140.123.91.103:47678


Not being able to find the cause of this with my limited knowledge I decided I would do a wipe of absolutely everything and have a fresh install of Neon.

Today however, with my fresh KDE Neon installation with updates I installed nethogs and didn't notice any activity so I started browsing the web with firefox and installed the add-ons Ublock Origin and VimFX and after a short while I noticed the strange connection was happening again. So I looked up the IP and it is owned by Google using port 443 (https). Data was being sent with or without Firefox being opened.

The output of nethogs looked like this:

PID / USER / PROGRAM
? / root / 192.168.0.20:57312-216.58.199.46:443

? / root / 192.168.0.20:47766-216.58.203.97:443

The main questions I have are:
1. Is this normal behavior for KDE Neon?
2. Why are these connections happening?
3. Why does nethogs show these connections running as root with no PID?

I would love an answer on the forum here, but I would also appreciate if anyone could point me in the right direction to find answers myself if an answer can't be given here.
fredhoud
I'm curious as to how you found out that you were communicating with multiple servers, and how did you find out the IP address?
Second question, if you install Gufw firewall do you still notice the communication?
cmacq2
I chose to try out 216.58.199.46 (assuming HTTPS judging by the port number). Chromium says the cert is a thing claiming to be *.google.com.
Probably not KDE Neon, but have you considered your browser/its addons doing something Google related?
alexsid
I really doubt that this is Neon - I have it on 4 PCs and never saw any suspicious traffic.

Regarding 216.58.199.46:

$ host 216.58.199.46
46.199.58.216.in-addr.arpa domain name pointer syd09s12-in-f14.1e100.net.
46.199.58.216.in-addr.arpa domain name pointer syd09s12-in-f46.1e100.net.

and see https://superuser.com/questions/75841/w ... open-to-it

Regarding root owner and no PID: usually this means kernel networking without any associated process. For example, if you mount NFS, your host communicates with the NFS-server using subroutines without any PID. This is normal.

I am not sure about Taiwan, Russia IPs though. I know that Chrome puts some threads into separate namespaces, so maybe nethogs cannot detect this and as a result reports root and no pid.

Regards,
Alex
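
Added example (not part of the thread and not nethogs code): attributing connections to processes by hand from /proc/net/tcp, for the "root with no PID" question above. Rows with inode 0 have no owning process; the kernel lists TIME_WAIT sockets with uid 0 and inode 0, which matches a display of root with no PID. The sample table, inode 48213 and PID 2417 are constructed.

```python
import os, re, socket, struct

# Constructed /proc/net/tcp excerpt (not captured from the poster's machine):
# the two Google connections from the thread, one owned by a process, one in TIME_WAIT.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 1400A8C0:DFE0 2EC73AD8:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 48213 1 0000000000000000 20 4 30 10 -1
   1: 1400A8C0:BA96 61CB3AD8:01BB 06 00000000:00000000 03:00000A5C 00000000     0        0 0 3 0000000000000000
"""
STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

def decode(hexpair):
    """'1400A8C0:DFE0' -> '192.168.0.20:57312' (IPv4, table written by a little-endian host)."""
    addr, port = hexpair.split(":")
    return f"{socket.inet_ntoa(struct.pack('<I', int(addr, 16)))}:{int(port, 16)}"

def parse_tcp_table(text):
    rows = []
    for line in text.splitlines()[1:]:            # first line is the column header
        f = line.split()
        if len(f) >= 10:
            rows.append({"local": decode(f[1]), "remote": decode(f[2]),
                         "state": STATES.get(f[3], f[3]),
                         "uid": int(f[7]), "inode": int(f[9])})
    return rows

def socket_owners(proc="/proc"):
    """Map socket inode -> PID from the fd symlinks of every readable process."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = int(pid)
        except OSError:                           # process exited or fd dir unreadable (not root)
            continue
    return owners

def attribute(rows, owners):
    """Return (remote, state, uid, owner) per connection; owner is a PID or a reason."""
    return [(r["remote"], r["state"], r["uid"],
             "no process: kernel-held socket" if r["inode"] == 0
             else owners.get(r["inode"], "owner not found: rerun as root"))
            for r in rows]

if __name__ == "__main__":
    # Live use: attribute(parse_tcp_table(open("/proc/net/tcp").read()), socket_owners())
    for row in attribute(parse_tcp_table(SAMPLE), {48213: 2417}):
        print(row)
```
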
cmacq2
Also, note that 1e100.net is Google.
nunyabusiness
Thanks to everyone for their replies. I really appreciate it. I have come to the conclusion that the "mysterious" traffic going to Google after the KDE Neon reinstall was indeed being caused by Firefox. It turns out it is normal for Firefox to send quite a lot of information to Google services. I have since stopped using Firefox and use Icecat (the GNU version of Firefox) and there is no more of this traffic.

As to the communication with the servers in Russia, the Netherlands and Taiwan, I still don't know what the cause of that was, but it's not happening anymore.
arturasb
nunyabusiness wrote:I have since stopped using firefox and use Icecat (the GNU version of firefox) and there is no more of this traffic.


How did you get Icecat ?
compatico
arturasb wrote:How did you get Icecat ?

Probably at the website?

https://www.gnu.org/software/gnuzilla/
arturasb
compatico wrote:Probably at the website?

https://www.gnu.org/software/gnuzilla/


Well, my question actually was - did you get DEB package ? If so - where did you get it ?
As far as I know Gnuzilla doesn't provide distro-specific packages ? Or am I wrong ?
alideda
Disable safe browsing in Firefox, remove google search.
raddison
As long as Neon doesn't communicate with the Borg or Cortana, everything is just fine ;D


Proud to be powered by Plasma
alideda
What is the difference between Firefox and IceCat, in a setting just off the options that I mentioned. As I recall the debian began to exceed the Firefox.
IceCat comes pre-loaded with blocker, https and has a smaller range of add-ons
@ Raddison what is the point of your writing? Neon is not Windows. ;D
raddison
alideda wrote:@ Raddison what is the point of your writing? Neon is not Windows. ;D


There's no point in it just purpose: to make people smile. Humour is beneficial to one's health. There's no telling whether it was funny or not. Seemed funny to me though. ;D


Proud to be powered by Plasma

 