Fresh downloads of each. Run netstat on both and get an ‘established’ TCP connection (outside vpn) to 18.104.22.168 which a ‘whois’ search says is related to US Air Force, USAISC (United States Army Intelligence and Security Command) (and google).
Something more you could check is to find out which process on your computer is responsible for the suspicious TCP connection.
There are probably many ways to do that, here is one command I have used for it:
sudo ss -tp
The output from that ss command should include a “Process” column that tells you which process is handling that specific TCP connection.
For example, when I ran it on my computer just now, it tells me there are a few TCP connections related to firefox, two connections for thunderbird and one for ssh (because of an ongoing ssh connection that I have initiated myself). In my case I think all shown TCP connections are okay, I can understand why they are there. And if I close the corresponding programs, those TCP connections are also closed.
If you run that command (or something else that gives the same info), what process does it show for the TCP connection you are interested in?
There is also a mozilla domain pointing to that IP address (22.214.171.124):
$ host 126.96.36.199.bc.googleusercontent.com
188.8.131.52.bc.googleusercontent.com has address 184.108.40.206
$ host push.services.mozilla.com
push.services.mozilla.com is an alias for autopush.prod.mozaws.net.
autopush.prod.mozaws.net has address 220.127.116.11
Thanks @Skalman and @fralb5. Yes I noticed the IP came out in reverse in the whois lookups but I don’t know why.
If you use google maps and go to the physical address given it shows a Google data center.
Running: sudo ss -tp
gives this output:
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.98.0.2:54426 18.104.22.168:https users:((“firefox-esr”,pid=1777,fd=144))
Killing the relevant process with:
killed the running Firefox browser.
Starting the browser again brought the connection back which netstat says is:
and ss -tp says is:
I have no idea what’s going on re. the reverse order of the IP address but the point is you’re correct it definitely seems to be Firefox that’s bringing it up, and this is esr 115.3.1 with strict custom cookie controls in place.
So it’s about trying to get rid of that or using a different browser.
By the way, after all that I ran:
lsof -i tcp:54148, which produced this:
$ lsof -i tcp:54148
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firefox-e 3558 user 106u IPv4 127333 0t0 TCP 10.98.0.2:54148->22.214.171.124.bc.googleusercontent.com:https (ESTABLISHED)
@code9n in my opinion there is no better tool than OpenSnitch to control which program is allowed to talk to which IP address.
AFAIK you should be able to install it on almost every Linux system.
I use it on all my devices to keep the programs in check, and keep certain connections I don’t want from happening.
Maybe you can also use it to keep Firefox from making that connection.
That googevil connection must be related to Safe Browsing (or rather, “safe” browsing /s): Security/Safe Browsing - MozillaWiki
Do you have “Block dangerous and deceptive content” enabled in FF settings?
For shock value, go to about:config and type in “google.”
By the way, have you removed Google search engine from Settings yet?
That “Block dangerous and deceptive content” was enabled but turning it off doesn’t make a lot of difference.
With it off:
ss -tp shows the menacing IP address as 126.96.36.199 and netstat shows it as
How putting the IP address in reverse order is a thing I don’t understand; that’s not how IPv4 works that I ever heard.
The search engine is set to DuckDuckGo but Google is still in the available search engines drop down list. I’ll try to get rid of it . . .
The only thing that works is closing Firefox. I’ve put Mullvad browser on there and that has no such issues but I’m sure you’ll know it’s more limited in what it can do - like uploading pictures to this forum - not possible with standard Mullvad settings.
And of course you don’t want to change them because it’s meant to have the same fingerprint for everyone if we all leave it alone.
That’s not reverse DNS that I know of, DNS is where you have a domain name and look up the IPv4 address. Reverse DNS is where you have the IP address and want the domain name.
Isn’t it? All the docs I can find say it is . . .
netstat by default is showing you the results of a reverse DNS lookup of the IP address rather than the actual IP address. netstat -n should show the IP address only.
The server in this case contains the reverse of its IPv4 address in its DNS name. A common trend today when coming up with unique identifiers is to reverse the domain name, you’ll quite often see “com.apple.blah.blah…”, “com.google.blah.blah…” etc. in file names, package names, config settings etc. What you are seeing is the reverse DNS of the IP which is a machine name that contains the IP in reverse notation, which is probably some scheme being used to make listing, sorting and identifying machines a little easier on their end.
These connections you are seeing are accessing/using Firefox services that are hosted on rented servers from google. It used to be the case that if you set the Firefox home page preference to “Blank” that was enough to stop any connections, I have no idea if that’s still the case though.
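An added example (my own script, not code from the thread) tying together the two points above: pulling the owning process and peer address out of `ss -tp` output, and showing why the name netstat prints looks like a reversed IP (the PTR name encodes the peer’s octets back to front, so reversing the first four labels gives back the address `netstat -n` would show). The `ss` sample below is constructed to match the column layout in the thread; the addresses and the `bc.googleusercontent.com` name in it are constructed, not the real ones from the posts.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape `sudo ss -tp` prints (not a capture from the thread).
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.98.0.2:54426 34.107.221.82:https users:(("firefox-esr",pid=1777,fd=144))
ESTAB 0 0 10.98.0.2:41002 198.51.100.7:993 users:(("thunderbird",pid=2045,fd=61))
"""

# One established connection: local addr:port, peer addr:port, then the users:(...) field.
SS_LINE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(?P<local>\S+):(?P<lport>\S+)\s+'
    r'(?P<peer>\S+):(?P<pport>\S+)\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(text):
    """Return (process, pid, peer_ip, peer_port) for each ESTAB line in ss -tp output."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            conns.append((m['proc'], int(m['pid']), m['peer'], m['pport']))
    return conns


def ip_from_reversed_name(name):
    """Recover the IPv4 address encoded in a 'd.c.b.a.<suffix>' style PTR name.

    Returns the dotted address, or None if the first four labels are not a
    valid reversed IPv4 address (e.g. an ordinary hostname, or an octet > 255).
    """
    labels = name.rstrip('.').split('.')
    if len(labels) < 5 or not all(label.isdigit() for label in labels[:4]):
        return None
    try:
        return str(ip_address('.'.join(reversed(labels[:4]))))
    except ValueError:
        return None


def name_matches_peer(ptr_name, peer_ip):
    """True if the reversed-IP name netstat printed refers to the peer ss shows."""
    return ip_from_reversed_name(ptr_name) == peer_ip
```

Running `sudo ss -tpn` alongside `netstat` (which resolves names by default) and feeding both into these helpers lets you confirm the two tools are talking about the same peer.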
Didn’t I see a link here on Purism forums that pointed to an article indicating that 80-90% of all Firefox revenue comes from “a single company” in return for “setting the default search engine” which basically means Firefox is admitting to being a Google-sponsored browser?
So, I do also get the feeling that we live in a world where the controls are gradually getting tighter so that only Chromium and Firefox successfully function on websites people need, and both are sponsored by Google even if they sometimes claim independence.
The more you know, the more paranoid we become. It’s a problem with my Librem 5 that I haven’t quite figured out how to solve yet. Even doing host duckduckgo.com and then doing a whois on the IP address returned shows that it’s actually Microsoft. A lot of the things that we think are in opposition to the system might actually only be sponsored opposition, for all I can tell.
Edit: All this being said, I still want my Librem 5 to be my only phone as a matter of principle to believe I was trying even if I don’t succeed. The convergence and other natures of the device are more enjoyable to me than Android, even if I assume that I will never be safe from world governments because to be honest they have more money and power than I do and they always will.
After DuckDuckGo, I used Gigablast for quite a while, but it looks like it was recently shut down without any announcement or notice. After using several search engines, including Startpage, SearX(NG) and LibreX, I started using Mojeek for the last few months, but very recently decided to go back to Startpage for now. It is one of the few ties I have with Google, even though the relationship is indirect.