Why is my OpenHAB RPi talking to an outdoor lighting company in the USA?

Folks,

I was reviewing something on the RPi which is running OpenHAB (and only OpenHAB AFAIK) and saw that it had an open connection to a lighting company in the US.

root@openhab:~# netstat -atn |grep 443
tcp        0      0 10.10.50.15:37818       199.62.84.94:443        ESTABLISHED
root@openhab:~#

I put a sniff on it and there is a lot of chatter going on.

As far as I know there is nothing else installed on this so what could this be? There is also a connection open on port 80 to an Akamai address which is less suspicious.

I’m going to play around with sslstrip and see if I can get it to reveal itself but in the meantime, anyone know what this could be?

All IP addresses in the range 10.0.0.0 to 10.255.255.255 are reserved for internal use, as in behind a NAT for example. You will never find a 10.x.x.x address on the open Internet. I don’t know how you determined it was a US lighting company. I ran nslookup on it and, as I expected, it was not found.

I guess he is talking about 199.62.84.94, which belongs to Honeywell.

10.10.50.15 is his local IP address.

Good point. I should pay more attention. At least it’s encrypted :slight_smile:

Honeywell make so much more than lighting equipment.

  • HVAC
  • Humidifiers
  • Security System
  • Water Controls
  • Industrial Controls
  • Etc…

I would bet that you have a thermostat or something similar that is calling home.

Hi Crispin,

is 10.10.50.15 the internal IP address of your RPi? If you add a “p” to the netstat options (e.g. “netstat -anp|grep 443”), it will show you in an additional column which process has opened the connection. If you do a "ps -ef|grep " you can see some details of the process…

kind regards,

Christoph
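
What the “p” option does under the hood, as an added example that is not part of the original thread: it reads the kernel's TCP table, takes the socket inode of each connection, and looks for the process whose file descriptors point at that inode. The sample table is constructed to match the connection shown above (inode and uid values are made up), and the address decoding assumes a little-endian host such as the RPi.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (inode and uid values are made up).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   110        0 48101 1 0000000000000000 100 0 0 10 0
   1: 0F320A0A:93BA 5E543EC7:01BB 01 00000000:00000000 00:00000000 00000000   110        0 48213 1 0000000000000000 20 4 30 10 -1
"""

def _endpoint(field):
    """Decode 'HEXADDR:HEXPORT'; assumes a little-endian host (address word is byte-swapped)."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def established(table_text):
    """Return (local, remote, uid, inode) for each ESTABLISHED (state 01) row."""
    rows = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) >= 10 and f[3] == "01":
            rows.append((_endpoint(f[1]), _endpoint(f[2]), int(f[7]), int(f[9])))
    return rows

def owners(inode, proc_root="/proc"):
    """PIDs holding a descriptor for this socket inode (run as root to see all)."""
    target, pids = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                pids.append(int(pid))
        except OSError:  # process exited or permission denied: skip this PID
            continue
    return pids

if __name__ == "__main__":
    # On the device itself: list live connections with their owning PIDs.
    with open("/proc/net/tcp") as fh:
        for local, remote, uid, inode in established(fh.read()):
            print(local, "->", remote, "uid", uid, "pids", owners(inode))
```

The uid column alone often narrows things down, since a service usually runs under its own account.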

Well, insomnia allowed me to spend some more time on it this morning.
Most odd, you stick that IP into a browser and it’s most definitely Honeywell. I’m at work now and from home, it gave me nothing. I wonder if they block it for VPN’d traffic?

Sorry, for clarity - I know 10/8 is a private range :sunglasses: Yes, .15 is the RPi :grin::grin:

Anyhow, I got sslstrip working and can see a bit of chatter coming. WeatherUnderground. I could not get sslstrip to work properly with the Honeywell traffic. Will try again.

I do have an evohome kit and control it from OH2 so makes perfect sense now. /Takes off tinfoil hat/