Periodic connections to 188.166.4.132:8001

Hi,

Looking at network traffic on the server I can see that there are periodic connections (every 10 seconds or so) made from the server to 188.166.4.132 on port 8001
https://ipinfo.io/188.166.132.40

My nextcloud installation is in a container by itself, no other services are installed there.

tcpdump -vv -i any -c10 -nn -A port 8001 reveals

05:12:10.504584 IP (tos 0x0, ttl 64, id 35143, offset 0, flags [DF], proto TCP (6), length 52)
    10.32.10.30.45956 > 188.166.4.132.8001: Flags [.], cksum 0xd58e (incorrect -> 0x626e), seq 1811974046, ack 2256938967, win 242, options [nop,nop,TS val 2210015066 ecr 1593229095], length 0
E..4.G@.@...
 
........Al.....'............
..'Z^..'
05:12:10.535594 IP (tos 0x0, ttl 50, id 59453, offset 0, flags [DF], proto TCP (6), length 52)
    188.166.4.132.8001 > 10.32.10.30.45956: Flags [.], cksum 0x6253 (correct), seq 1, ack 1, win 503, options [nop,nop,TS val 1593244199 ecr 2209999727], length 0
E..4.=@.2.......
 
..A....'.l.......bS.....
^..'...o
05:12:11.165590 IP (tos 0x0, ttl 50, id 59454, offset 0, flags [DF], proto TCP (6), length 52)
    188.166.4.132.8001 > 10.32.10.30.45956: Flags [.], cksum 0x5fde (correct), seq 0, ack 1, win 503, options [nop,nop,TS val 1593244829 ecr 2209999727], length 0
E..4.>@.2.......
 
..A....'.l......._......
^......o
05:12:11.165608 IP (tos 0x0, ttl 64, id 35144, offset 0, flags [DF], proto TCP (6), length 52)
    10.32.10.30.45956 > 188.166.4.132.8001: Flags [.], cksum 0xd58e (incorrect -> 0x24d8), seq 1, ack 1, win 242, options [nop,nop,TS val 2210015727 ecr 1593244199], length 0
E..4.H@.@...
 
........Al.....'............
..).^..'

Any ideas what this could be?

Thanks.

If you do

whois 188.166.4.132

you will see

% Information related to ‘188.166.0.0 - 188.166.127.255’

% Abuse contact for ‘188.166.0.0 - 188.166.127.255’ is ‘abuse@digitalocean.com’

inetnum: 188.166.0.0 - 188.166.127.255
netname: EU-DIGITALOCEAN-NL1
descr: Digital Ocean, Inc.
country: NL
org: ORG-DOI2-RIPE
admin-c: PT7353-RIPE
tech-c: PT7353-RIPE
status: ASSIGNED PA
mnt-by: digitalocean
mnt-lower: digitalocean
mnt-routes: digitalocean
mnt-domains: digitalocean
created: 2015-06-03T01:18:40Z
last-modified: 2015-11-20T14:46:27Z
source: RIPE # Filtered

organisation: ORG-DOI2-RIPE
org-name: DigitalOcean, LLC
org-type: LIR
address: 101 Avenue of the Americas, 10th Floor
address: New York
address: 10013
address: UNITED STATES
phone: +1 888 890 6714
mnt-ref: digitalocean
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: digitalocean
abuse-c: AD10778-RIPE
language: EN
created: 2012-11-29T14:59:01Z
last-modified: 2019-04-17T14:37:00Z
source: RIPE # Filtered

person: Network Operations
address: 101 Ave of the Americas, 10th Floor
address: New York, NY, 10013
address: United States of America
phone: +13478756044
nic-hdl: PT7353-RIPE
mnt-by: digitalocean
created: 2015-03-11T16:37:07Z
last-modified: 2019-04-17T14:37:51Z
source: RIPE # Filtered
org: ORG-DOI2-RIPE

Hi,

The connections are originating from my server, that’s the strange part.
I am trying to see what process on my machine is doing it.

Ah, amigo, false call.

lsof -i :8001

syncthing 432 syncthing   14u  IPv4 2912256      0t0  TCP nextcloud:45956->188.166.4.132:8001 (ESTABLISHED)

The syncthing I’ve got installed in the container had slipped my mind.
Guess that’s what happens when you wake up at 4.30am and decide to work. covid.

Thanks.
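
The lookup that resolved this thread (remote port to owning process) can also be done without lsof by reading /proc directly. The following is an added example, not part of the original posts: the function names and the SAMPLE table are constructed for illustration, with the addresses and inode modelled on the output quoted above, and the address decoding assumes a little-endian host (x86, most ARM).

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from the poster's server).
# Row 1 encodes 10.32.10.30:45956 -> 188.166.4.132:8001, state 01 (ESTABLISHED).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 2900001 1 0000000000000000 100 0 0 10 0
   1: 1E0A200A:B384 8404A6BC:1F41 01 00000000:00000000 02:000003E8 00000000   998        0 2912256 2 0000000000000000 20 4 30 10 -1
"""

def decode(hexaddr):
    # "8404A6BC:1F41" -> ("188.166.4.132", 8001); IPv4 is printed byte-swapped
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def connections(table_text, remote_port):
    # Return every socket in the table whose remote port matches.
    out = []
    for line in table_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        local, remote = decode(f[1]), decode(f[2])
        if remote[1] == remote_port:
            out.append({"local": local, "remote": remote, "state": f[3], "inode": f[9]})
    return out

def owners(inode, proc="/proc"):
    # Find processes holding an fd that links to socket:[inode].
    target = f"socket:[{inode}]"
    found = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                if os.readlink(f"{proc}/{pid}/fd/{fd}") == target:
                    with open(f"{proc}/{pid}/comm") as fh:
                        found.append((int(pid), fh.read().strip()))
                    break
        except OSError:  # process exited, or fd table not readable without root
            continue
    return found

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for c in connections(fh.read(), 8001):
            print(c, owners(c["inode"]) or "owner not visible (try as root)")
```

Run it inside the container (or network namespace) that holds the socket, as root, since other users' fd tables are not readable otherwise; IPv6 sockets are listed separately in /proc/net/tcp6 and are not covered here.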