[colug-432] Why does CentOS want to talk to mail.panamacityobgyn.com?
Rob Funk
rfunk at funknet.net
Mon Mar 6 19:21:24 EST 2017
On Monday, March 6, 2017 3:13:30 PM EST, Rob Stampfli wrote:
> Recently I loaded a VM with CentOS 6 (x86_64 6.7 final) from an old CD
> image I happened to have lying around. I noticed afterwards that the
> VM had established a connection to 75.76.84.26:http, which translates
> to mail.panamacityobgyn.com. The connection is coming from the calendar
> widget on the desktop. Delete it and the connection goes away. Hmm,
> this didn't look kosher to me, so I pulled a copy of the latest CentOS
> 6.8 and loaded it instead. This time the connection moved to 75.76.84.32
> (static-75-76-84-32.knology.net). (Actually, simply booting the install
> disk is sufficient to observe this -- just bring up a shell on the desktop
> and type "ss". "lsof" will point to the actual culprit: "clock-app")
>
> So what is going on here? Why is this widget reaching out to these, well
> at best unusual, IPs?
I notice that both of those IP addresses are in the same class-C range. My
guess is that they're both running time-related services controlled by
whoever owns the network (Knology? WOW?). The reverse-DNS names you're
getting don't mean much; the connection is probably being initiated through
a different name. The thing that puzzles me is the http part; I'd expect
"clock-app" to connect to some other port than http.
Of course, the real answer would be to find the clock-app source code and
look for where it makes a port 80 network connection. I'll leave that as an
exercise for someone who has easier access to CentOS/RHEL sources.
-Rob
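As an added example that is not part of the thread above: a small Python helper that does the triage step Rob Stampfli describes (list connections with ss, attribute each to its owning process) and the check Rob Funk applies (are the peers in the same /24?), run over a constructed `ss -tnp` snippet rather than a live capture. The process column is assumed to be in the CentOS 6 iproute style `users:(("name",pid,fd))`; the newer `pid=`/`fd=` style is accepted as well. Addresses and PIDs in the sample are made up for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ss -tnp` output (CentOS 6 style process column).
# These are illustrative lines, not captured output from the original thread.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q      Local Address:Port          Peer Address:Port
ESTAB      0      0          192.168.122.10:45678          75.76.84.26:80      users:(("clock-app",2345,19))
ESTAB      0      0          192.168.122.10:45690          75.76.84.32:80      users:(("clock-app",2345,21))
ESTAB      0      0          192.168.122.10:51002        93.184.216.34:443     users:(("firefox",2901,57))
"""

# One ss line: state, queues, local addr:port, peer addr:port, optional users:(...) column.
# Both the old ("name",pid,fd) and the newer ("name",pid=N,fd=N) forms are accepted.
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<local>\S+):(?P<lport>\d+)\s+'
    r'(?P<peer>\S+):(?P<pport>\d+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",(?:pid=)?(?P<pid>\d+),(?:fd=)?\d+\)\))?'
)


def parse_ss(text):
    """Parse `ss -tnp` output into a list of connection records."""
    conns = []
    for line in text.splitlines():
        if line.startswith("State"):      # header row
            continue
        m = SS_LINE.match(line)
        if not m:
            continue
        conns.append({
            "state": m["state"],
            "peer": m["peer"],
            "port": int(m["pport"]),
            "proc": m["proc"] or "?",     # "?" when ss could not attribute the socket
            "pid": int(m["pid"]) if m["pid"] else None,
        })
    return conns


def peers_by_process(conns):
    """Group (peer address, peer port) pairs by the process name that owns them."""
    out = defaultdict(list)
    for c in conns:
        out[c["proc"]].append((c["peer"], c["port"]))
    return dict(out)


def shared_network(addrs, prefix=24):
    """Return the common /prefix network if every address falls in it, else None."""
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs}
    return nets.pop() if len(nets) == 1 else None


if __name__ == "__main__":
    conns = parse_ss(SAMPLE_SS_OUTPUT)
    for proc, peers in peers_by_process(conns).items():
        net = shared_network([p for p, _ in peers])
        where = f"all in {net}" if net else "spread across networks"
        print(f"{proc}: {len(peers)} connection(s), {where}")
        for peer, port in peers:
            print(f"    -> {peer}:{port}")
```

On a live system the same functions can be fed `subprocess.check_output(["ss", "-tnp"], text=True)`; `ss -p` needs root to attribute sockets owned by other users' processes, which is why the thread falls back to `lsof`. Reverse DNS is deliberately not consulted here, since, as noted above, the PTR name tells you little about which hostname the client actually asked for.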