[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Strange Network Connection when Whonix Gateway Virtualbox turned on (vps.simondevries.com)

I use the Whonix Gateway Virtual Box on a Windows 10 host machine. When I start up the Vbox, I can see a strange network connection when I check the Windows Resource Monitor. The connection is going to:

vps.simondevries.com

This connection only ever appears after the Whonix Gateway has booted up. It never appears with any other Virtual Boxes I have running on this host. I have also previously used the Whonix Gateway and have never seen this connection.

I can find virtually no information on what this connection is, other than on a website named simondevries.com, which just seems to consist of only a strange javascript maze. The fact that I can find no information on it alarms me.

Is anyone able to shed any light on what this connection is, and why it occurs? Any help would be greatly appreciated.

Thanks!

Good day,

That’s very odd. I was sadly unable to reproduce this using the same set-up under similar conditions. May I recommend reimporting a fresh download of the Gateway? If that fixes this mysterious entry, it could mean that your system has been compromissed, with the “maze website” having been hijacked as a command and control or data-collection server, as has been known to happen in the past.

Have a nice day,

Ego

Wait a minute.

nslookup vps.simondevries.com

Shows.

Name:   vps.simondevries.com
Address: 185.66.250.141

And that IP runs a Tor server.

https://exonerator.torproject.org/?ip=185.66.250.141&timestamp=2017-02-23

Speculation: Windows Resource Monitor might have seen that IP and done a reverse lookup so it can show the hostname rather than IP. Sounds like a useful usability feature to show hostnames rather than IPs.

Windows Resource Monitor usually does not show any connections for VirtualBox.exe ever?

I wonder if this is a simple Tor entry guard connection.

https://exonerator.torproject.org/?ip=185.66.250.141&timestamp=2017-02-23 shows you the Identity fingerprint. Then you can check if you are using that Tor entry guard by looking at file /var/lib/tor/state.

@Ego, this was my next step, but decided I’d check what you guys thought first. Thanks for the suggestion

@Patrick, didnt know this tool even existed, this is quite handy and confirms what you state - this is a tor relay, which puts my mind at ease a little.

You mention that Windows Resource Monitor doesnt ever show network connections for Virtual Box. I had updated to the latest release the other day (though cant remember if this connection was present before or after). I thought the change log might indicate if this was a recent feature, but there’s nothing mentioned.

I’ve taken a look in /var/lib/tor/state, and this confirms that I am using this entry guard, so this all seems to tie up. The only ‘worry’, why is Virtual Box showing network usage for in the Windows Resource Monitor? I guess this is more a question with the Virtual Box community, not you guys.

Thanks for you’re help!

That was a question. Not a statement.

@Patrick, sorry, misunderstood.

I initial meant that I had never seen the connection to vps.simondevries.com. Otherwise, it’s fairly normal to see Virtual Box network connections via Resource Monitor (or atleast, I have seen them before on my host machine).

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]