FA software reaching out to an odd server

My router has started flagging my FlightAware RPi as periodically reaching out to a potential malware site with IP address 103.52.52.23. A reverse lookup came back to ns1.ficustelecom.com. I can’t see any reason for FA to reach out to that company or its name server so I wanted to see if this is executed or if there is an issue. The router blocks access so if this is something FA relies on I’ll have to make an exception.

Note: My FA has been running for years. I’m currently on 3.7.1 (SD card). My router uses data from Google and Threat Intelligence to flag sites.


Is your pi accessible from outside your router in any way?

No, the network is locked down and outside access is only allowed via VPN.

Outbound request only?

Not sure precisely what you mean. The outbound request from FA is blocked by the router so there can be no response. If that server tried to contact my network it would simply be dropped.

I should mention I updated my router software a couple of days ago so FA might have been doing this for some time if the update is catching something it used to miss.

That’s not one of ours, but it could well be e.g. one of the Debian pool ntp servers. What’s the protocol & destination port?

Quite unfortunately the router doesn’t report that. It runs two packages. One triggers based on packet inspection and matches signatures from sites like CINS. That will provide details on source and destination ports and packet contents. The other package takes actions based on IPs (so is lightweight since it doesn’t have to do packet inspection). The latter is what is flagging this site. The packet inspector has not flagged this in the past - which could mean there is no threat signature for it or that it has just started happening.

If it isn’t breaking FA I’m happy to just leave it as a blocked site and see what happens. If it is for NTP I imagine Debian is configured to fallback to other sources so it will keep the time current.
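The protocol and destination port that the router does not report can be read off the Pi itself from its socket table. The following POSIX shell filter is an added example, not something from this thread: it takes `ss -tunap` output and prints the protocol, peer port and owning process for every socket whose peer is the flagged IP. The `ss` output below is constructed for an offline run (the peer on port 1200 is a TEST-NET placeholder, not a real FlightAware address).

```shell
#!/bin/sh
# Added example: find protocol, destination port and process for an IP the
# router flagged, using the Pi's own socket table. Live use:
#     ss -tunap | flag_ip_connections 103.52.52.23

SUSPECT_IP="103.52.52.23"   # IP from the router alert in the thread

# Constructed sample of `ss -tunap` output (not captured from a real Pi;
# process names and the 203.0.113.10 peer are placeholders).
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   ESTAB  0      0      192.168.1.50:123    103.52.52.23:123  users:(("ntpd",pid=412,fd=20))
tcp   ESTAB  0      0      192.168.1.50:41822  203.0.113.10:1200 users:(("piaware",pid=515,fd=8))
udp   UNCONN 0      0      0.0.0.0:30005       0.0.0.0:*         users:(("dump1090-fa",pid=498,fd=5))'

# Read ss output on stdin; print "proto port process" for each socket whose
# peer address equals the given IP.
flag_ip_connections() {
    ip="$1"
    awk -v ip="$ip" '
        NR > 1 {
            split($6, peer, ":")            # "Peer Address:Port" -> addr, port
            if (peer[1] == ip) {
                proc = "unknown"
                if (match($0, /\("[^"]+"/))  # first quoted process name, if any
                    proc = substr($0, RSTART + 2, RLENGTH - 3)
                print $1, peer[2], proc
            }
        }'
}

# Run the filter over the constructed sample; returns 1 if nothing matched.
check_sample() {
    out=$(printf '%s\n' "$SAMPLE" | flag_ip_connections "$SUSPECT_IP")
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}
```

On a live system, `tcpdump -nn host 103.52.52.23` alongside this shows the same traffic on the wire if the socket is too short-lived for `ss` to catch it.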

Doesn’t seem to be an ntp server running there:

# ntpdate -q 103.52.52.23
 8 Aug 15:16:56 ntpdate[30710]: no server suitable for synchronization found

Also it would be unlikely for someone from the US to get assigned an ntp pool server half way around the world.

Seems like the domain name would suggest to be running a DNS server though :slight_smile:

nslookup heise.de 103.52.52.23
Server:		103.52.52.23
Address:	103.52.52.23#53

Non-authoritative answer:
Name:	heise.de
Address: 193.99.144.80

FWIW I found a database of threats which added this IP in February. Apparently it is the (apparent?) source of some SSH brute force attacks quite recently. Some details here. No threat to me but this may be why the router has started blocking it.

DNS servers can be used for nefarious things, including directing all traffic to a single IP for DDoS attacks.

Make sure to clear DNS cache on a regular basis. Cache poisoning happens all too often.