Why does Prey connect to an IP owned by "Air Force Systems Networking"? #414

Closed
nathanongit opened this Issue Jan 10, 2019 · 3 comments

1 participant

nathanongit commented Jan 10, 2019

Hi all,

Curious about the following.

  1. On an OSX env running Prey, we see the following connection to 155.244.178.107 by PID 56604.

user:~ user$ netstat -anv | grep 155
tcp4 0 0 ${LOCAL}.49971 155.244.178.107..https ESTABLISHED 131152 131328 56604 0
tcp4 0 0 ${LOCAL}.49970 155.244.178.107..https ESTABLISHED 131152 131328 56604 0

  2. We confirm that PID 56604 belongs to prey.

user:~ user$ ps aux | grep -v grep | grep 56604
prey 56604 0.0 0.3 5048112 45228 ?? Ss Tue09AM 0:30.55 prx

  3. So who is 155.244.178.107?

Via ARIN WHOIS (https://whois.arin.net/rest/net/NET-155-244-0-0-1/pft?s=155.244.178.107):
Organization | Air Force Systems Networking (7ESG)

Would be grateful for a reaction.

@nathanongit nathanongit changed the title Why does Prey connect to an Air Force IP? Why does Prey connect to an IP owned by "Air Force Systems Networking"? Jan 10, 2019


nathanongit commented Jan 10, 2019

155.244.178.107.bc.googleusercontent.com takes me to login.


nathanongit commented Jan 10, 2019

I might have figured this out.

"155.244.178.107.." from the first netstat is probably truncated from "155.244.178.107.bc.googleusercontent.com". We could conclude the story here since it's a FQDN and not an IP. But it's still curious to see the Air Force Systems Networking IP.

As per the Google Group for Google App Engine (https://groups.google.com/forum/#!topic/google-appengine/7a4VapNerGg):

"Traffic from 'bc.googleusercontent.com' is originating from Compute Engine. The 'bc' subdomain of 'googleusercontent.com' is used for public hostnames of Compute Engine instances which have an external IP address. For example, if an instance has IP of 12.34.56.78, the public hostname would be '78.56.34.12.bc.googleusercontent.com'."

Therefore via inversion "155.244.178.107.." is "107.178.244.155". This makes sense, as via ARIN WHOIS (https://whois.arin.net/rest/net/NET-107-178-192-0-1/pft?s=107.178.244.155): Google LLC (GOOGL-2)
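The reasoning in the comments above (a BSD netstat column truncates the peer hostname so that only the leading octets of a reversed-octet `bc.googleusercontent.com` name survive, and reversing those octets gives the real Compute Engine address) can be turned into a small checker. The script below is an added example written for this page; it is not code from the Prey project or from the issue reporter. The netstat lines in it are constructed to mirror the shape of the macOS `netstat -anv` output quoted above (column order proto, recv-q, send-q, local, foreign, state, rhiwat, shiwat, pid, epid is assumed), and treating a truncated four-octet prefix as a `bc.googleusercontent.com` name is an assumption that the reporter confirmed for this host by resolving the full name.

```python
"""Interpret truncated netstat foreign-address fields and reverse
bc.googleusercontent.com hostnames back into Compute Engine IPs.

Added example, not Prey project code. SAMPLE_NETSTAT is constructed to
mirror the shape of macOS `netstat -anv` output quoted in the issue.
"""
import ipaddress
import socket

BC_SUFFIX = ".bc.googleusercontent.com"

# Constructed sample (RFC 5737 documentation address as the local side).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)     rhiwat shiwat    pid   epid
tcp4       0      0  192.0.2.10.49971       155.244.178.107..https ESTABLISHED 131152 131328  56604      0
tcp4       0      0  192.0.2.10.49970       155.244.178.107..https ESTABLISHED 131152 131328  56604      0
tcp4       0      0  192.0.2.10.52001       107.178.244.155.443    ESTABLISHED 131072 131072  56604      0
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN      131072 131072    312      0
"""


def reverse_bc_hostname(hostname: str) -> str:
    """Map '78.56.34.12.bc.googleusercontent.com' -> '12.34.56.78'.

    Raises ValueError if the name is not under bc.googleusercontent.com or
    the reversed octets do not form a valid IPv4 address.
    """
    name = hostname.rstrip(".").lower()
    if not name.endswith(BC_SUFFIX):
        raise ValueError(f"not a {BC_SUFFIX[1:]} name: {hostname!r}")
    octets = name[: -len(BC_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four reversed octets in {hostname!r}")
    # IPv4Address validates every octet (e.g. rejects 999).
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def split_host_port(field: str):
    """BSD netstat joins host and port with '.', so split on the last one."""
    host, _, port = field.rpartition(".")
    return host, port


def interpret_foreign(field: str) -> dict:
    """Classify one Foreign Address field: literal IP, or truncated hostname."""
    host, port = split_host_port(field)
    truncated = host.endswith(".")          # '155.244.178.107.' + '.' + 'https'
    shown = host.rstrip(".")
    info = {"shown": shown, "port": port, "truncated": truncated,
            "literal_ip": None, "reversed_candidate": None}
    if truncated:
        # What is displayed is the head of a longer hostname, not the peer IP.
        # If that head is four numeric octets, assume (to be confirmed via DNS)
        # that it is a reversed-octet bc.googleusercontent.com name.
        parts = shown.split(".")
        if len(parts) == 4 and all(p.isdigit() for p in parts):
            try:
                info["reversed_candidate"] = reverse_bc_hostname(shown + BC_SUFFIX)
            except ValueError:
                pass
    else:
        try:
            info["literal_ip"] = str(ipaddress.ip_address(shown))
        except ValueError:
            pass   # a non-truncated hostname, or '*'
    return info


def parse_netstat(text: str) -> list:
    """Return one dict per tcp line: pid, local field, interpreted foreign field."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].startswith("tcp"):
            continue
        # Assumed macOS `netstat -anv` tcp column order:
        # proto recv-q send-q local foreign state rhiwat shiwat pid epid
        rows.append({"pid": fields[8], "local": fields[3],
                     **interpret_foreign(fields[4])})
    return rows


def candidate_matches_dns(hostname: str, expected_ip: str) -> bool:
    """Network check (not run offline): does the full bc name resolve to the
    reversed address we derived from it?"""
    return socket.gethostbyname(hostname) == expected_ip


if __name__ == "__main__":
    for row in parse_netstat(SAMPLE_NETSTAT):
        if row["pid"] != "56604":
            continue
        if row["truncated"]:
            full = row["shown"] + BC_SUFFIX
            print(f"{row['shown']!r} is a truncated hostname; if it is {full} "
                  f"the peer is {row['reversed_candidate']}:{row['port']}")
            try:
                print("  DNS agrees:", candidate_matches_dns(full, row["reversed_candidate"]))
            except OSError as exc:
                print("  DNS check skipped:", exc)
        else:
            print(f"literal peer {row['literal_ip']}:{row['port']}")
```

The practical lesson is that a foreign host ending in a bare `.` before the port separator in BSD/macOS netstat is a truncated name, not an address, so a WHOIS on the octets as shown points at the wrong owner. Derive the candidate by reversing the octets, then confirm it with a forward lookup of the full name (`candidate_matches_dns`, or `dig +short 155.244.178.107.bc.googleusercontent.com`) before drawing conclusions about who owns the endpoint.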
