5

Each time I bootup and login to Ubuntu 16.04, and before I launch any software/browser, I watch in Wireshark that Ubuntu has some requests to and from these IPs:

54.173.79.111 
54.231.40.234 

Whois suggests they are Amazon EC2.

I know Ubuntu integrates with Amazon via Dash search these days, but that feature is turned off in my settings.

Does anyone else notice activity to these addresses? Should I be concerned that these are private EC2 instances and I have spyware logging to them or similar?

Thanks

fpghost

2 Answers

3

The gnome-software process contacts 54.173.79.111 for update purposes, as suggested in this forum thread. There's nothing inherently dodgy about these IPs, they both belong to the AWS cloud.

That said, you can't guarantee that the traffic is legitimate by looking at the IPs alone. That's because they only indicate that you're contacting some service hosted in the Amazon cloud (and apparently running on Red Hat OpenShift).

$ dig +short -x 54.173.79.111
ec2-54-173-79-111.compute-1.amazonaws.com.
$ dig +short -x 54.231.40.234
s3-1.amazonaws.com.

(There is also a maintained list of AWS IP ranges where you can look up the addresses.)

The reason why that doesn't verify anything is that 54.173.79.111 is associated with more than just one EC2 instance. For example, hospitalpadreze.org.br and subverticathegame.com also resolve to that same address:

$ dig +short hospitalpadreze.org.br
54.173.79.111
$ dig +short subverticathegame.com
sub-renderedturkey.rhcloud.com.
ex-std-node683.prod.rhcloud.com.
ec2-54-173-79-111.compute-1.amazonaws.com.
54.173.79.111

Verifying the CN of the SSL certificate at 54.173.79.111:443, as proposed by @thel3l, is also not a reliable technique. We don't know if you were actually connecting via SSL, over which ports and for which hostname. Here's a demonstration of how different certificates get served at the same IP:

$ openssl s_client -connect 54.173.79.111:443 -brief
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.rhcloud.com
Hash used: SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: ECDH, P-256, 256 bits

The certificate is valid for *.rhcloud.com. Now let's try with a different hostname:

$ openssl s_client -connect 54.173.79.111:443 -servername www.cristiansandu.ro -brief
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: CN = www.cristiansandu.ro
Hash used: SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: ECDH, P-256, 256 bits

We're getting a certificate for www.cristiansandu.ro instead, although it's still the same IP. With Server Name Indication (SNI) it's expected that the presented certificate doesn't stay the same if you specify a different -servername.

Arminius
  • The process name is called `gnome-software` and the SSL cert is issued to a `*rhcloud.com`. It's probably update traffic, but even otherwise it's definitely not malicious. – thel3l Jan 05 '17 at 16:31
  • @thel3l Your conclusion isn't correct. You can't conclude from the certificate you see when contacting the IP that the same certificate will be served for different hostnames on that same IP. – Arminius Jan 05 '17 at 16:34
  • I was talking specifically about `ec2-54-173-79-111.compute-1.amazonaws.com` – thel3l Jan 05 '17 at 16:36
  • @thel3l That doesn't matter. You can't conclude from the certificate served at an IP from the Amazon cloud that the owner of an EC2 instance at that IP is legitimate. – Arminius Jan 05 '17 at 16:54
0

tl;dr: Nothing to worry about.

Going off just the data you've given us here, it's probably just the Gnome software making update calls. Shouldn't be anything to worry about.

Here's a breakdown:

  • netstat -atlp and a grep for that IP shows me that my system is connecting to a 54.173.79.111 on port 443

  • The PID/Program output for this command calls itself gnome-software. Dead giveaway.

The actual output:

tcp        0      0 ipaddr:53044      54.173.79.111:443       ESTABLISHED 2709/gnome-software

Additionally, visiting https://ec2-54-173-79-111.compute-1.amazonaws.com/app (the IP that you gave us - otherwise https://54.173.79.111/app ) and examining the certificate shows me that it's issued to *.rhcloud.com - Redhat Cloud - and at this point I'm almost certain that it's an update service.

thel3l
  • Your reasoning is wrong. Not every EC2 instance at that IP is necessarily legitimate. You'd at least need to see the hostname to be sure what instance you're connecting to. – Arminius Jan 05 '17 at 17:03
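The triage both answers walk through, as an added example (this is not code from either answer): attribute the connection to a process from netstat output, check whether the remote address sits in a published AWS prefix, and then apply the point Arminius makes, that a certificate name only tells you something when it is matched against the hostname the process actually asked for via SNI. The netstat lines and the prefix list below are constructed; the prefixes are assumptions written in the shape of AWS's ip-ranges.json, not copied from the real file, and the program name `unknown-bin` is invented.

```python
"""Triage an unexplained outbound connection.

Added example for this Q&A, not code from either answer. The sample
netstat lines, the AWS prefix excerpt and the 'unknown-bin' program
are constructed for the demonstration.
"""
import ipaddress
import json
import re

# Constructed lines in `netstat -atpn` layout (the second answer shows one real one).
NETSTAT_SAMPLE = """\
tcp        0      0 192.168.1.20:53044      54.173.79.111:443       ESTABLISHED 2709/gnome-software
tcp        0      0 192.168.1.20:41822      54.231.40.234:443       ESTABLISHED 2709/gnome-software
tcp        0      0 192.168.1.20:50110      203.0.113.7:8443        ESTABLISHED 4120/unknown-bin
"""

# Constructed excerpt shaped like https://ip-ranges.amazonaws.com/ip-ranges.json.
# The two prefixes are assumptions chosen to cover the IPs in the question.
AWS_RANGES_SAMPLE = json.dumps({"prefixes": [
    {"ip_prefix": "54.172.0.0/15", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "54.231.0.0/17", "region": "us-east-1", "service": "S3"},
]})

# proto recv-q send-q local:port remote:port state pid/program
NETSTAT_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)/(\S+)"
)


def parse_netstat(text):
    """Return one dict per parsable netstat line, keyed by field name."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # headers and sockets without a PID are skipped
        proto, laddr, lport, raddr, rport, state, pid, prog = m.groups()
        conns.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                      "raddr": raddr, "rport": int(rport), "state": state,
                      "pid": int(pid), "program": prog})
    return conns


def aws_services(ip, ranges_json):
    """Sorted list of AWS services whose published prefixes contain `ip`."""
    addr = ipaddress.ip_address(ip)
    found = set()
    for entry in json.loads(ranges_json)["prefixes"]:
        if addr in ipaddress.ip_network(entry["ip_prefix"]):
            found.add(entry["service"])
    return sorted(found)


def cert_name_matches(cert_names, hostname):
    """RFC 6125 style check: a '*.' wildcard covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # ".rhcloud.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def triage(netstat_text, ranges_json):
    """Combine process attribution with AWS range lookup for each connection."""
    report = []
    for c in parse_netstat(netstat_text):
        services = aws_services(c["raddr"], ranges_json)
        report.append({**c, "aws_services": services, "hosted_on_aws": bool(services)})
    return report


if __name__ == "__main__":
    for r in triage(NETSTAT_SAMPLE, AWS_RANGES_SAMPLE):
        where = ",".join(r["aws_services"]) or "not in AWS list"
        print(f'{r["program"]}[{r["pid"]}] -> {r["raddr"]}:{r["rport"]} ({where})')
    # The default certificate at the IP is for *.rhcloud.com; that covers an
    # rhcloud hostname, but says nothing about other names served via SNI.
    print(cert_name_matches(["*.rhcloud.com"], "sub-renderedturkey.rhcloud.com"))  # True
    print(cert_name_matches(["*.rhcloud.com"], "www.cristiansandu.ro"))            # False
```

Range membership only tells you who hosts the endpoint, which is the limit both answers run into; the hostname the process sent (visible in the TLS ClientHello's SNI field in Wireshark, or in the process's preceding DNS query) is what `cert_name_matches` needs to give a meaningful result, and `ssl.create_default_context()` performs that same hostname check for you when you pass `server_hostname`.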