Why does my PC talk unprompted to mandriva via tcp to ns2.moondrake.net.

Emmanuel_uk · 07-10-2005, 04:41 AM

Hi,

My PC dialogues with ns2.moondrake.net without me knowing why or requesting any data.
When this happens, I have no browser started, no special application either.
I use mandriva LE2005.

Does anybody know why? Has anybody noticed that?

The best way to see that happens is to have the network monitoring graph on,
while the cat5 cable from the cable modem is unplugged. There is only a udp chatter
between the router and PC. About 8 sec after plugging the cable I get this tcp connection
to madriva (see below) the chatter is relatively small, but why is it there?

I have a cable connection going to a router (with integrated firewall), then to eth0.
The PC also runs shorewall.

# nslookup 212.85.150.181
Non-authoritative answer:
181.150.85.212.in-addr.arpa name = ns2.moondrake.net.

shorewall monitor (example output)

tcp 6 105 TIME_WAIT src=192.myipaddress dst=212.85.150.181 sport=37876 dport=80 packets=4 bytes=216 src=212.85.150.181 dst=192.myipaddress sport=80 dport=37876 packets=3 bytes=168 [ASSURED] mark=0 use=1
tcp 6 75 TIME_WAIT src=192.myipaddress dst=212.85.150.181 sport=37870 dport=80 packets=4 bytes=216 src=212.85.150.181 dst=192.myipaddress sport=80 dport=37870 packets=3 bytes=168 [ASSURED] mark=0 use=1
tcp 6 115 TIME_WAIT src=192.myipaddress dst=212.85.150.181 sport=37878 dport=80 packets=4 bytes=216 src=212.85.150.181 dst=192.myipaddress sport=80 dport=37878 packets=3 bytes=168 [ASSURED] mark=0 use=1
tcp 6 90 TIME_WAIT src=192.myipaddress dst=212.85.150.181 sport=37873 dport=80 packets=4 bytes=216 src=212.85.150.181 dst=192.myipaddress sport=80 dport=37873 packets=3 bytes=168 [ASSURED] mark=0 use=1
tcp 6 71 TIME_WAIT src=192.myipaddress dst=212.85.150.181 sport=59669 dport=80 packets=4 bytes=216 src=212.85.150.181 dst=192.myipaddress sport=80 dport=59669 packets=3 bytes=168 [ASSURED] mark=0 use=1
tcp 6 110 TIME_WAIT src=192.myipaddress dst=212.85.150.181 sport=37877 dport=80 packets=4 bytes=216 src=212.85.150.181 dst=192.myipaddress sport=80 dport=37877 packets=3 bytes=168 [ASSURED] mark=0 use=1

Thanks
regards

tuxhdtv · 07-10-2005, 07:16 AM

They are reporting your user statistics directly to Microsoft, Inc. This will be used to make the Windows XP successor more like Linux.

jk

RoofRabbit · 07-10-2005, 10:08 PM

The site links to Mandriva NOT microsoft!

Emmanuel_uk · 07-11-2005, 01:02 AM

I thought the title of the email was clear

http://www.mandriva.com/ is aliased to
ns2.moondrake.net (or vice-versa depending how you see it)

I thought tuxhdtv you were just being funny/sarcastic.

Anyway, I have not even managed to tell which process
is doing the talking. I did a diff on ps -A, that was not enough to tell
which process does talk to mandriva. Maybe net_monitor (I have
the connection rate displayed in that window)?

tkedwards · 07-11-2005, 06:26 PM

Code:

netstat -np

Now look for the source port number (eg 37876 for your first one) that matches one of the lines of shorewall output

tuxhdtv · 07-17-2005, 09:05 AM

Sorry, I just couldn't keep my sarcasm to myself. I will attempt to refrain in the future.

Stumbes · 07-22-2005, 12:26 PM

I have the same question has emmanuel, my rather new installation (mandrake 10.1) start dialing
XXX.XXX.X.XX,37343 -> 212.85.150.181,www
as reported by my firewall (xxx stand for my private network address). I would have control of when and what call the Web and I'm suspicius about this kind of self communication.
But... I don't know how to stop it.

May I admit that what decided me to trow up the Window installation on this new PC was the constant unwanted web connexion ?.

THanks if anyone can help !

nafan · 07-23-2005, 04:17 AM

If you have the Mandriva/Mandrake online tools running it periodically tests your network connection (using a ping) and checks for updates. This will show up in your firewall logs as a connection to ns2.moondrake.net.

Stumbes · 07-23-2005, 06:13 AM

Could you tel me how I can check this (eventualy by way of a tutorial or a FAQ, I feel it's a typical newbie question)

I would stop these kind of unwanted connexion, and control updates....

tkedwards · 07-24-2005, 02:49 AM

Quote:

I would stop these kind of unwanted connexion, and control updates

Right click on the mandrivaonline icon in on your panel (ie. near the clock). Deselct the 'run at startup' type option. Right click it again and click exit.

Remember to use MandrakeUpdate (in the control centre) regularly so you get updates.

equinox · 07-24-2005, 10:37 AM

Quote:

They are reporting your user statistics directly to Microsoft, Inc. This will be used to make the Windows XP successor more like Linux.

jk

Hahah thats funny

Emmanuel_uk · 10-02-2005, 05:39 AM

Hi, the culprit is net_monitor

netstat -cpe -u --numeric-ports
gave me the pid of the perl code using the port I was monitoring.
I used ethereal to capture a few packets and check what was going on.

In short, I found that /usr/sbin/net_monitor was doing the pings to mandrakesoft.com
/usr/sbin/net_monitor uses a sub called test_connected
It was a bit difficult to find but
test_connected is in /usr/lib/libDrakX/network/tools.pm
and uses a sub called check_link_beat (this does the ping and mandrakesoft.com is in clear there)
Also there is
sub connected() { gethostbyname("mandrakesoft.com") ? 1 : 0 }
which is a very short sub

So it is not mandrivaonline (although it probably works the same)

What I want to do now is change the periodicity of the pings.
I could not find out in /usr/sbin/net_monitor what to change.
The code was not clear enough for a slow mind like mind.