Yes, PureOS is a general purpose operating system, it is possible to install things on it that attempts to contact a certain IP number every time it boots.

Not sure what the user expects us to do here.

If it is a _pristine_ live install image, then it is a very different matter.

@jonas.smedegaard Yes, user starts PureOS live from a CD (they do not have disks in their computer), and this happens during bootup, before they even start desktop. (IIUC)

You were told that this is a pristine live image, or you are guessing?

I don't see in what you presented if it is a *pristine* *install* system or e.g. an installed system made into a CD install using some Ubuntu helper tool.

Assuming this _is_ a pristine image, then as I read it, the question boils down to "is it suspicious that your live installer makes web queries to (in my case) somewhere in Serbia as part of its routines?"

My answer to that question would be "no that does not seem alarming in itself - but would be interesting to know what that traffic contains, perhaps you discovered something there either in our system or in your use of it..."

no that does not seem alarming in itself

Whilst I might not use the term "alarming", I would be beyond interest in learning what it is doing talking to Serbia...

well, in my splitting-hairs mode it is factually alarming: It set off an alarm, of the cenventional blinkenlight type.

One wild guess at an explanation is that the user lives in or near Serbia too, and some systemd or network-manager am-I truly-online probe making a http lookup to Google gets resolved to a nearby proxy host.

• downloaded from pureos.net/download
• sha sum matched
• burned from win 7 operating system burning tool
• user is from Slovenia
• no VPN is used
• dns is encrypted by RATtrap firewall

here is another set of outgoing attempts:

5.22.191.144, port 80, Belgrade, Serbia 
5.22.191.138, port 80, Belgrade, Serbia 
52.32.77.100, port 443, Portland, United States 
46.51.179.90, port 443, Dublin, Ireland 
52.39.131.77, port 443, Portland, United States

Maybe they could run opensnitch to see if we can get more detail about the processes opening the ports? It looks like the web browser is doing this since they're 443 or port 80

https://www.opensnitch.io/

Thanks for those new details.

Let's aassume that "win 7 operating system burning tool" does only the equivalent of "cp $foo /dev/$bar" (or for those devoted to that, the equivalent of "dd if=$foo of=$bar") .

So the issue here is that a pristine PureOS installer live-system connects via http or https to unidentified hosts.

Again, I understand how a strongly sensitive measurement system may trigger alarms by that behavior, and can imagine that if such alarms use a red blinking indicator that be cause concern.
I have difficulty, however, seeing how it is a security concern, or more specifically how to conclude that it is an act of a virus or a hacking attempt.

I cannot rule out that it is a virus or a hacking attempt. But then again, I cannot rule out either that I am right now part of a secret government LSD experiment and hallucinating my computer screen - I just cannot make much use of such speculation.

Sorry, I don't know how to proceed any further here.

Perhaps ask the user to capture and examine the _contents_ of (the unencrypted parts of) that observed web traffic.

I cannot rule out that it is a virus or a hacking attempt. But then again, I cannot rule out either that I am right now part of a secret government LSD experiment and hallucinating my computer screen - I just cannot make much use of such speculation.

Hang on... what? :p

@mladen Indeed, please ask the user to try and see what (at least) the port 80 requests actually contain? Thanks.

One difference between us and Debian is that we modify Firefox with various privacy tools and add-ons. @jonas.smedegaard would you be able to determine if the patches we add might be the source of the web calls out? Perhaps there is a black list being downloaded at first run or similar.

And I hope you're feeling better Jonas.

What we do different with Firefox is _remove_ some functionality that Mozilla ships by default and then also force-include some WebExtensions which Debian ship as well but do offer for their users to freely decide if they want part of their Firefox experience.

No, I have no expertise if those WebExtensions might be the cause of these callouts. I just glued them on (technically: added a dependency).

Why do we expand these wild speculations to include how we ship a customized Firefox? If the scenario we are investigating here is *not* a system bootup, but instead a system where Firefox gets started then most certainly there will be *lots* of callouts left and right - Firefox is certainly not starting up without making network connections.

I am totally lost at what we are investigating here, and why we are investigating it.
Can someone please clue me in?

Indeed, this appears to have nothing to do with Firefox (?).

More info:

This is the ip from outgoing attack from google on port 443.
It was destined to Hamburg, Germany. Here is the ip 172.217.20.10 . Also
Amazon is taking part of this. Here is its ip address on the same port
79.125.105.113 destined to Dublin, Ireland.

• 79.125.105.113 is duckduckgo. I am not sure why this would load on /boot/
• Please re-ask the user to get the contents of these requests (ie. the port 80 ones as they won't be encrypted.

Also, could they provide more information, like actual log files or similar? Currently it is just port numbers and IP addresses which are no evidence of anything.

I asked, user said he is not able to install OpenSnitch manually (by compiling from source).

Also, could they provide more information, like actual log files or similar? Currently it is just port numbers and IP addresses which are no evidence of anything.

Could you clarify the difference between log files and the contents of the requets as requested https://tracker.pureos.net/T712#13385?

I asked, user said he is not able to install OpenSnitch manually (by compiling from source).

Don't see why openstich is required here. You could just use tcpdump or whatever; opensnitch is "just" a fancy UI of sorts if the user's goal is to log/find all outgoing connections.