The gnome-software process contacts 54.173.79.111 for update purposes, as suggested in this forum thread. There's nothing inherently dodgy about these IPs; they both belong to the AWS cloud.
That said, you can't guarantee that the traffic is legitimate by looking at the IPs alone. That's because they only indicate that you're contacting some service hosted in the Amazon cloud (and apparently running on Red Hat OpenShift).
$ dig +short -x 54.173.79.111
ec2-54-173-79-111.compute-1.amazonaws.com.
$ dig +short -x 54.231.40.234
s3-1.amazonaws.com.
(There is also a maintained list of AWS IP ranges where you can look up the addresses.)
The reason why that doesn't verify anything is that 54.173.79.111 is associated with more than just one EC2 instance. For example, hospitalpadreze.org.br and subverticathegame.com also resolve to that same address:
$ dig +short hospitalpadreze.org.br
54.173.79.111
$ dig +short subverticathegame.com
sub-renderedturkey.rhcloud.com.
ex-std-node683.prod.rhcloud.com.
ec2-54-173-79-111.compute-1.amazonaws.com.
54.173.79.111
Verifying the CN of the SSL certificate at 54.173.79.111:443, as proposed by @thel3l, is also not a reliable technique. We don't know if you were actually connecting via SSL, over which ports and for which hostname. Here's a demonstration of how different certificates get served at the same IP:
$ openssl s_client -connect 54.173.79.111:443 -brief
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.rhcloud.com
Hash used: SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: ECDH, P-256, 256 bits
The certificate is valid for *.rhcloud.com. Now let's try with a different hostname:
$ openssl s_client -connect 54.173.79.111:443 -servername www.cristiansandu.ro -brief
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: CN = www.cristiansandu.ro
Hash used: SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: ECDH, P-256, 256 bits
We're getting a certificate for www.cristiansandu.ro instead, although it's still the same IP. With Server Name Indication (SNI) it's expected that the presented certificate doesn't stay the same if you specify a different -servername.
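As an added example (not part of the answer above), here is a small Python lookup against the maintained AWS IP-ranges file the answer mentions: it tells you only that an address sits in an AWS prefix and which service (EC2, S3, ...) the prefix is allocated to, which is exactly as far as IP-based attribution goes. The JSON excerpt is constructed in the shape of the real ip-ranges.json, not a copy of it, and the function names are my own.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (keys: ip_prefix / ipv6_prefix, region, service, network_border_group).
# The prefixes are illustrative sample values, not the published data.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "54.172.0.0/15", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "54.172.0.0/15", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "54.231.0.0/16", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "54.231.0.0/16", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [],
})


def load_prefixes(raw_json):
    """Parse an ip-ranges.json document into (network, region, service) tuples."""
    data = json.loads(raw_json)
    out = []
    for p in data.get("prefixes", []):
        out.append((ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"]))
    for p in data.get("ipv6_prefixes", []):
        out.append((ipaddress.ip_network(p["ipv6_prefix"]), p["region"], p["service"]))
    return out


def classify(ip, prefixes):
    """Return what the AWS ranges say about `ip`: whether it is AWS-hosted,
    the regions it falls in, and the specific services (the umbrella
    'AMAZON' entry is dropped). An 'EC2' hit means 'some customer's
    instance', so it identifies the hosting provider, not the operator."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, region, svc) for net, region, svc in prefixes if addr in net]
    return {
        "aws": bool(hits),
        "regions": sorted({region for _, region, _ in hits}),
        "services": sorted({svc for _, _, svc in hits if svc != "AMAZON"}),
    }


if __name__ == "__main__":
    ranges = load_prefixes(SAMPLE_IP_RANGES)
    for ip in ("54.173.79.111", "54.231.40.234", "192.0.2.1"):
        print(ip, classify(ip, ranges))
```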