Hello all,
According to the Wireshark record my computer connects to various services often, including Amazon, Hetzner, 1337 Services GmbH, Evanzo GmbH and ThomasFamilyInvestments. The most often were the connections to mail.my-mail.rocks which is a part of Netcup GmbH. I have a somewhat minimal distro and the attached recordings were made when no app was open including no browser. I can send the other screenshots showing other connections too. I’m suspecting of malware since some time ago but can you help me clarify these connections please?
But without “l”. This connections created as client I think:
ss -tupn
i only have these over long term but brave was closed when recording:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp ESTAB 0 0 192.168.1.100%wlan0:68 192.168.1.1:67 users:((“NetworkManager”,pid=1065,fd=27))
tcp ESTAB 0 0 192.168.1.100:57728 185.246.86.175:9001 users:((“tor”,pid=1143,fd=16))
tcp ESTAB 0 0 192.168.1.100:60406 54.36.178.108:443 users:((“brave”,pid=5153,fd=27))
tcp ESTAB 0 0 192.168.1.100:40606 89.58.56.112:587 users:((“tor”,pid=1143,fd=12))
If you are receiving data from tor, then you are most likely seeing these connections. They also change over time, so tor relay nodes change and can be located anywhere.
In addition, in the example you have port 9001, which means that relaying is most likely enabled in your client and you are a relay for other participants. Check the settings of the tor (relay/bridge).
Thanks for the informations. This clarifies a lot.
Also it seems that your browser is still active on your computer called brave?
No, it wasn’t at the time of recording. It was a confirmation later on that tor and network manager were the only apps using the ports with brave opened.