Forensics to link DNS queries to a process

Hi folks!

I have been playing with dnstop, monitoring the top FQDNs my system consumes, and weirdly the World Health Organization (www.who.int) is in the top 5 all the time. I dumped some packets in Wireshark to find the source port and ran
while true; do ss -anpu|grep 1.1.1.1; sleep .1; done
to catch the short-lived UDP stream and link the source port to the process. That is how I realized this was coming from the nscd daemon, which is a DNS cache service for the system.

The next step was to run strace as below, trying to find out where the requests are coming from, and PID 25390 was returned.

strace -f -e trace=network -s 10000 -p 25383

[**pid 25390**] sendto(20, "\2\0\0\0\1\0\0\0\4\0\0\0(\0\0\0\37\0\0\0\0\0\0\0h\22\233\25h\22\234\25&\6G\0\0\0\0\0\0\0\0\0h\22\233\25&\6G\0\0\0\0\0\0\0\0\0h\22\234\25\2\2\n\n**www.who.int.cdn.cloudflare.net**\0", 99, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
[pid 25393] <... recvfrom resumed>"\205\350\201\200\0\1\0\3\0\0\0\0\3www\3who\3int\0\0\34\0\1\300\f\0\5\0\1\0\0\3\204\0 \3www\3who\3int\3cdn\ncloudflare\3net\0\300)\0\34\0\1\0\0\1,\0\20&\6G\0\0\0\0\0\0\0\0\0h\22\233\25\300)\0\34\0\1\0\0\1,\0\20&\6G\0\0\0\0\0\0\0\0\0h\22\234\25", 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("1.1.1.1")}, [28 => 16]) = 129
[pid 25390] <... sendto resumed>)       = 99
[pid 25393] sendto(18, "\2\0\0\0\1\0\0\0\4\0\0\0(\0\0\0\37\0\0\0\0\0\0\0h\22\233\25h\22\234\25&\6G\0\0\0\0\0\0\0\0\0h\22\233\25&\6G\0\0\0\0\0\0\0\0\0h\22\234\25\2\2\n\nwww.who.int.cdn.cloudflare.net\0", 99, MSG_NOSIGNAL, NULL, 0) = 99

But when I filtered by this PID, the only match was a coincidence in the VSZ column of Firefox. So is the PID reported by strace not a PID used in the process tree? Can you guys help me find out why the hell my system is always querying www.who.int? (maybe it has a virus :joy:)

ps aux|grep 25390
neo      26768  0.0  1.3 **25390**56 188584 ?      Sl   20:07   0:04 /usr/lib64/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 40322 -prefMapSize 238244 -jsInitLen 235336 -parentBuildID 20231019122658 -greomni /usr/lib64/firefox/omni.ja -appomni /usr/lib64/firefox/browser/omni.ja -appDir /usr/lib64/firefox/browser {601d7e0f-4bd1-4682-86a6-11f1750af710} 26406 true tab

Can you monitor your system to find out if this symptom is on your Tumbleweed too?

The image below is from Wireshark:
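The two steps described in the post (poll ss for the short-lived UDP socket to the resolver, then work out which process and thread owns it) can be scripted. The script below is an added example, not the poster's own commands. One caveat it builds in: strace -f prefixes each line with the ID of the thread that made the call, and for a multithreaded daemon such as nscd that thread ID is not a process ID that ps aux lists; /proc/<tid>/status carries a Tgid field, which is the PID ps shows. The resolver address 1.1.1.1 and the SAMPLE line are assumptions; the sample is a constructed ss line, not output captured from the poster's system.

```shell
#!/bin/sh
# Added example: link a UDP DNS socket seen by `ss -anpu` to its owning
# process, and map a thread ID (the number strace -f prints as "[pid N]")
# to the process ID that `ps aux` shows. Not code from the original post.

# tgid_of TID: print the thread-group id (the PID ps lists) for a thread id,
# read from /proc/TID/status. Returns 1 if TID does not exist.
tgid_of() {
    [ -r "/proc/$1/status" ] || return 1
    awk '/^Tgid:/ { print $2 }' "/proc/$1/status"
}

# ss_owner LINE: given one line of `ss -anpu` output, print "pid program fd"
# parsed from the users:(("prog",pid=N,fd=M)) column. Prints nothing when the
# line has no owner column (e.g. a socket of another user without -p rights).
ss_owner() {
    printf '%s\n' "$1" |
        sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\),fd=\([0-9]*\)).*/\2 \1 \3/p'
}

# Constructed sample in the shape `ss -Hanpu` prints for an outgoing UDP DNS
# query (assumption: addresses and pid are made up for this example).
SAMPLE='UNCONN 0 0 192.0.2.10:41234 1.1.1.1:53 users:(("nscd",pid=25383,fd=20))'

# watch_dns RESOLVER [SECONDS]: poll ss for UDP sockets whose peer is
# RESOLVER:53 and log the owning pid, its thread-group id, program and fd.
# This is the live loop from the post, with an ss filter instead of grep, so
# the fd can be compared with the fd in the strace sendto()/recvfrom() lines.
watch_dns() {
    resolver=$1
    end=$(( $(date +%s) + ${2:-10} ))
    while [ "$(date +%s)" -lt "$end" ]; do
        ss -Hanpu dst "$resolver:53" 2>/dev/null | while read -r line; do
            set -- $(ss_owner "$line")
            [ -n "$1" ] && printf '%s pid=%s tgid=%s prog=%s fd=%s\n' \
                "$(date +%T)" "$1" "$(tgid_of "$1")" "$2" "$3"
        done
        sleep 0.1
    done
}

# Stand-alone run: show the parser on the constructed line, then the mapping
# of this shell's own PID (a single-threaded process, so Tgid equals the PID).
ss_owner "$SAMPLE"
tgid_of "$$"
```

Run it as `watch_dns 1.1.1.1 30` in one terminal while dnstop shows the query in another; a tgid that differs from the pid column means the socket was opened by a worker thread, which is what grepping `ps aux` for an strace thread ID will miss (use `ps -eLf` or `/proc/<tid>/status` instead).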

If the request is from “firefox” (or from any browser), it might be from an advertisement showing in that browser.

I guessed it was from Firefox, but that was not its PID! strace reports 25390, but this number doesn't exist.

Might be a temp process that dies when its work is complete.