Strange Network Connection when Whonix Gateway Virtualbox turned on (vps.simondevries.com)

WhonixManHelp · February 23, 2017, 9:01pm

I use the Whonix Gateway Virtual Box on a Windows 10 host machine. When I start up the Vbox, I can see a strange network connection when I check the Windows Resource Monitor. The connection is going to:

vps.simondevries.com

This connection only ever appears after the Whonix Gateway has booted up. It never appears with any other Virtual Boxes I have running on this host. I have also previously used the Whonix Gateway and have never seen this connection.

I can find virtually no information on what this connection is, other than on a website named simondevries.com, which just seems to consist of only a strange javascript maze. The fact that I can find no information on it alarms me.

Is anyone able to shed any light on what this connection is, and why it occurs? Any help would be greatly appreciated.

Thanks!

Ego · February 23, 2017, 9:12pm

Good day,

That’s very odd. I was sadly unable to reproduce this using the same set-up under similar conditions. May I recommend reimporting a fresh download of the Gateway? If that fixes this mysterious entry, it could mean that your system has been compromissed, with the “maze website” having been hijacked as a command and control or data-collection server, as has been known to happen in the past.

Have a nice day,

Ego

Patrick · February 23, 2017, 9:43pm

Wait a minute.

Patrick · February 23, 2017, 9:44pm

nslookup vps.simondevries.com

Shows.

Name:   vps.simondevries.com
Address: 185.66.250.141

And that IP runs a Tor server.

https://exonerator.torproject.org/?ip=185.66.250.141&timestamp=2017-02-23

Patrick · February 23, 2017, 9:46pm

Speculation: Windows Resource Monitor might have seen that IP and done a reverse lookup so it can show the hostname rather than IP. Sounds like a useful usability feature to show hostnames rather than IPs.

Windows Resource Monitor usually does not show any connections for VirtualBox.exe ever?

Patrick · February 23, 2017, 9:50pm

I wonder if this is a simple Tor entry guard connection.

https://exonerator.torproject.org/?ip=185.66.250.141&timestamp=2017-02-23 shows you the Identity fingerprint. Then you can check if you are using that Tor entry guard by looking at file /var/lib/tor/state.

WhonixManHelp · February 24, 2017, 8:15pm

@Ego, this was my next step, but decided I’d check what you guys thought first. Thanks for the suggestion

@Patrick, didnt know this tool even existed, this is quite handy and confirms what you state - this is a tor relay, which puts my mind at ease a little.

You mention that Windows Resource Monitor doesnt ever show network connections for Virtual Box. I had updated to the latest release the other day (though cant remember if this connection was present before or after). I thought the change log might indicate if this was a recent feature, but there’s nothing mentioned.

I’ve taken a look in /var/lib/tor/state, and this confirms that I am using this entry guard, so this all seems to tie up. The only ‘worry’, why is Virtual Box showing network usage for in the Windows Resource Monitor? I guess this is more a question with the Virtual Box community, not you guys.

Thanks for you’re help!

Patrick · February 24, 2017, 8:16pm

That was a question. Not a statement.

WhonixManHelp · February 24, 2017, 8:27pm

@Patrick, sorry, misunderstood.

I initial meant that I had never seen the connection to vps.simondevries.com. Otherwise, it’s fairly normal to see Virtual Box network connections via Resource Monitor (or atleast, I have seen them before on my host machine).