this post was submitted on 03 Sep 2025
75 points (96.3% liked)

Privacy

42260 readers
785 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz
75
Why does my pc make so many connections? (lemmy.ml)
submitted 1 month ago* (last edited 1 month ago) by Clark@lemmy.ml to c/privacy@lemmy.ml
38 comments fedilink hide all child comments
 

Hello all,

According to the Wireshark record my computer connects to various services often, including Amazon, Hetzner, 1337 Services GmbH, Evanzo GmbH and ThomasFamilyInvestments. The most often were the connections to mail.my-mail.rocks which is a part of Netcup GmbH. I have a somewhat minimal distro and the attached recordings were made when no app was open including no browser. I can send the other screenshots showing other connections too. I'm suspecting of malware since some time ago but can you help me clarify these connections please?

all 40 comments
sorted by: hot top controversial new old
[–] MangoPenguin@lemmy.blahaj.zone 34 points 1 month ago (2 children)

Do you have any apps open in the foreground or background while doing the packet capture? Check with top or htop and make sure all your apps are truly closed.

Amazon, Hetzner, and the others are VPS providers among other services, so seeing connections to those by apps could be fairly normal as they often check for updates or download supporting items to make the app work.

[–] Clark@lemmy.ml 4 points 1 month ago (4 children)

Thank you for the informations. There were nothing in the foreground but tor was apparently running in the background. But I'm still not sure if these services were all due to Tor. I need to run another record I guess

[–] MangoPenguin@lemmy.blahaj.zone 14 points 1 month ago

Tor creates a ton of connections to all kinds of places, so that might have been the source.

[–] eldavi@lemmy.ml 8 points 1 month ago

it sounds like you'll need a better handle on what's running on your computer.

if this matters to you enough: you can start with pruning the systemd services that are running to remove the ones you don't want so that you can know for certain what is supposed to be running and then run another capture to see where it's calling out to.

[–] iglou@programming.dev 6 points 1 month ago

Per its nature, tor is definitely going to create a lot of noise in your capture. Shut it down and try again, see if you still have so many connections.

It is highly unlikely that you have malware that you can't see, so if you still see them after shutting down tor, use tools that tell you which app has established connections.

[–] rumba@lemmy.zip 4 points 4 weeks ago* (last edited 4 weeks ago)

Yeah, * Tor. Its primary job is to make and destroy tons of connections to keep you private.

Edit: Still getting used to FUTO keyboard. It doesn't need me to say comma

[–] anon5621@lemmy.ml 18 points 1 month ago (1 children)

Just open sudo ss -tulpn u will see all programs with opened port and u will killing disabling until u will find source of network noise

[–] nitrolife@rekabu.ru 8 points 1 month ago (1 children)

But without "l". This connections created as client I think:

ss -tupn

[–] Clark@lemmy.ml 1 points 1 month ago* (last edited 1 month ago) (1 children)

i only have these over long term but brave was closed when recording:

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp ESTAB 0 0 192.168.1.100%wlan0:68 192.168.1.1:67 users:(("NetworkManager",pid=1065,fd=27))
tcp ESTAB 0 0 192.168.1.100:57728 185.246.86.175:9001 users:(("tor",pid=1143,fd=16))
tcp ESTAB 0 0 192.168.1.100:60406 54.36.178.108:443 users:(("brave",pid=5153,fd=27))
tcp ESTAB 0 0 192.168.1.100:40606 89.58.56.112:587 users:(("tor",pid=1143,fd=12))

[–] nitrolife@rekabu.ru 10 points 1 month ago* (last edited 1 month ago) (2 children)

If you are receiving data from tor, then you are most likely seeing these connections. They also change over time, so tor relay nodes change and can be located anywhere.

In addition, in the example you have port 9001, which means that relaying is most likely enabled in your client and you are a relay for other participants. Check the settings of the tor (relay/bridge).

[–] Clark@lemmy.ml 2 points 1 month ago* (last edited 1 month ago)

Thanks for the informations. This clarifies a lot.

[–] melroy@kbin.melroy.org 1 points 1 month ago (1 children)

Also it seems that your browser is still active on your computer called brave?

[–] Clark@lemmy.ml 1 points 1 month ago

No, it wasn't at the time of recording. It was a confirmation later on that tor and network manager were the only apps using the ports with brave opened.

[–] habitualTartare@lemmy.world 17 points 1 month ago* (last edited 1 month ago) (1 children)

That mail/[.]my-mail/[.]rocks maps to the tor network.

https://metrics.torproject.org/rs.html#details/E3F16EEB32F9C0B28325891F7BAACA8EC212343D

[–] Clark@lemmy.ml 4 points 1 month ago (1 children)

so am i running a relay in the background although tor browser is closed?

[–] habitualTartare@lemmy.world 6 points 1 month ago

If it's like a vpn interface, it's still running as a deamon in the background even if the browsers are closed.

Like others have said you can check what application is using each open port. You can also check running processes (ps | grep keywords) and interfaces (ip a).

[–] Zerush@lemmy.ml 15 points 4 weeks ago (1 children)

Use Portmaster

[–] Harvey656@lemmy.world 2 points 4 weeks ago (1 children)

This is the way

[–] Zerush@lemmy.ml 7 points 4 weeks ago* (last edited 4 weeks ago) (1 children)

Portmaster is mandatory nowadays, like also InviZible Pro in Android

[–] Harvey656@lemmy.world 1 points 4 weeks ago

Oooooo I haven't seen that one before, thanks!

[–] Fijxu@programming.dev 9 points 1 month ago (1 children)

Use bandwhich to see which programs are using traffic ;)

[–] Clark@lemmy.ml 2 points 1 month ago

I will try it, thank you :)

[–] stupid_asshole69@hexbear.net 5 points 1 month ago (1 children)

That screenshot just looks like a computer (.100, is that you?) dialing the upstream device (a zyxel!), it doesn’t seem to show what the intended recipient is. If you’re running windows then the start menu ads do crazy stuff. Also I asked if that last local ip octet is you because wireshark will show you other computers traffic coming across its wireless interface.

From a high port to a low port makes me think it’s someone else on your network doing piracy.

[–] Clark@lemmy.ml 3 points 1 month ago (1 children)

Yes, .100 is me. I have a Zyxel router, should it show the intended recipient? I'm running Linux. What do you mean by a high port to a low port? I also think there is a malware.

[–] stupid_asshole69@hexbear.net 3 points 1 month ago (1 children)

If you think there’s malware then just wipe and reinstall.

If you wanna find out what the computer is connecting to, post the wireshark logs.

Amazon, hetzner and Evanzo are hosting providers, krebs seems to think 1337 services is a scammy site/company and thomas is a shell company. My-mail.rocks has some tor nodes.

[–] melroy@kbin.melroy.org 1 points 1 month ago (1 children)

Exactly my point. Just share the actual wireshark log. You record a few seconds and then stop. And then share the log.

[–] Clark@lemmy.ml 1 points 1 month ago* (last edited 1 month ago) (2 children)

I'm not just trying to get rid of the malware but also understand what it's doing. Besides, wiping the system doesn't help as some viruses can permanently corrupt bios. So before wiping out, I think it's a good idea to know what's going on my pc and where do my data go, if there is a malware. I'm a rookie with network monitoring, that's why I'm trying to learn from more experienced users. Here is the part of the original capture: https://limewire.com/?referrer=pq7i8xx7p2. I will disable tor and close all apps along with some serviced and record again. I will let you know, thanks for your help

[–] krolden@lemmy.ml 4 points 1 month ago (1 children)

You will probably get better answers if you ask in a networking forum rather than u/privacy.

https://forum.level1techs.com/

.

[–] Clark@lemmy.ml 1 points 1 month ago

The answers are good enough for me here

[–] stupid_asshole69@hexbear.net 3 points 4 weeks ago (2 children)

I can’t see that link. Just drop the log in a paste bin or something.

You’re probably not in a position to figure out what the malware is doing, or even if you have malware running.

If you brought me your computer and said “I think I have malware and I want to understand what’s happening” I would remove the drive, image it using an appliance instead of a computer and put the image in a forensic environment so I could observe it safely.

[–] Clark@lemmy.ml 1 points 4 weeks ago* (last edited 4 weeks ago)

I wish I could bring it to an expert. Do you know how to find one? Here is the file: https://paste.centos.org/view/5df16fbe Sorry for the delay

[–] Clark@lemmy.ml 1 points 4 weeks ago

I wish I can bring it to an expert. Do you know how to find one? Here is the result: https://paste.centos.org/view/c992ba88 Sorry for the delay

[–] krolden@lemmy.ml -1 points 1 month ago (1 children)

Because you're on the internet

[–] Clark@lemmy.ml 3 points 1 month ago* (last edited 1 month ago) (1 children)

Does also your computer connect to Amazon, Hetzner, 1337 Services GmbH, Evanzo GmbH and ThomasFamilyInvestments without a reason?

[–] krolden@lemmy.ml -2 points 1 month ago

Everything has a reason