Why so many established connections on booting dispVM? Hacked?

I opened a disposable and then checked "ss -atpu". What I got is more than 10 established connections, without even having visited a website or done anything.

For the past few years I have been constantly harassed and have no privacy at all. Meaning my devices were compromised.

Can somebody help me by telling me whether there is anything I should be concerned about?

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:hostmon 0.0.0.0:*
udp ESTAB 0 0 127.0.0.1:50811 127.0.0.1:domain
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN 0 0 [::]:hostmon [::]:*
tcp LISTEN 0 4096 0.0.0.0:hostmon 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:ipp 0.0.0.0:*
tcp ESTAB 0 0 10.138.25.204:38448 18.66.192.21:https users:(("firefox",pid=854,fd=94))
tcp ESTAB 0 0 10.138.25.204:39062 34.210.132.84:https users:(("firefox",pid=854,fd=114))
tcp ESTAB 0 0 10.138.25.204:44504 93.184.220.29:http users:(("firefox",pid=854,fd=122))
tcp ESTAB 0 0 10.138.25.204:51430 34.107.221.82:http users:(("firefox",pid=854,fd=84))
tcp TIME-WAIT 0 0 10.138.25.204:34010 44.236.110.253:https
tcp ESTAB 0 0 10.138.25.204:39902 18.66.192.15:https users:(("firefox",pid=854,fd=123))
tcp ESTAB 0 0 10.138.25.204:39932 34.117.237.239:https users:(("firefox",pid=854,fd=83))
tcp ESTAB 0 0 10.138.25.204:44488 93.184.220.29:http users:(("firefox",pid=854,fd=103))
tcp ESTAB 0 0 10.138.25.204:57938 18.66.192.90:https users:(("firefox",pid=854,fd=127))
tcp ESTAB 0 0 10.138.25.204:42462 35.83.182.199:https users:(("firefox",pid=854,fd=61))
tcp ESTAB 0 0 10.138.25.204:39890 18.66.192.15:https users:(("firefox",pid=854,fd=119))
tcp ESTAB 0 0 10.138.25.204:39892 18.66.192.15:https users:(("firefox",pid=854,fd=118))
tcp ESTAB 0 0 10.138.25.204:51428 34.107.221.82:http users:(("firefox",pid=854,fd=77))
tcp ESTAB 0 0 10.138.25.204:39882 18.66.192.15:https users:(("firefox",pid=854,fd=99))
tcp ESTAB 0 0 10.138.25.204:41958 212.95.165.25:http users:(("firefox",pid=854,fd=82))
tcp LISTEN 0 4096 [::]:hostmon [::]:*
tcp LISTEN 0 128 [::1]:ipp [::]:*

It is just Firefox phoning home…

Even an IP like 93.184.220.29, which pops up in many places as not good?

See also: Which IPs does Qubes 4.0.4 connect to on boot?

Indeed 93.184.220.29 and other IPs that have bad reputation originate from Firefox. You need to launch a Disposable without Firefox and monitor it. Firefox generates too much noise.
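Added example, not part of the thread and not code from any poster: one way to separate the Firefox noise from everything else in `ss -atpu` output is to group established, non-loopback sockets by owning process and list only those not attributed to Firefox. The function names `established` and `summarize` are hypothetical, and the sample reuses a few lines from the output above plus two constructed lines.

```python
import re
from collections import defaultdict

# Sample in `ss -atpu` layout. The last two lines are constructed for this
# example (192.0.2.10 and 198.51.100.7 are documentation addresses).
SAMPLE = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp ESTAB 0 0 127.0.0.1:50811 127.0.0.1:domain
tcp LISTEN 0 128 127.0.0.1:ipp 0.0.0.0:*
tcp ESTAB 0 0 10.138.25.204:38448 18.66.192.21:https users:(("firefox",pid=854,fd=94))
tcp ESTAB 0 0 10.138.25.204:44504 93.184.220.29:http users:(("firefox",pid=854,fd=122))
tcp ESTAB 0 0 10.138.25.204:44488 93.184.220.29:http users:(("firefox",pid=854,fd=103))
tcp TIME-WAIT 0 0 10.138.25.204:34010 44.236.110.253:https
tcp ESTAB 0 0 10.138.25.204:40000 192.0.2.10:https users:(("curl",pid=901,fd=5))
tcp ESTAB 0 0 10.138.25.204:40002 198.51.100.7:https
"""

# Accept straight or curly quotes, since forum pastes often mangle them.
PROC = re.compile(r'\(\(["“]([^"”]+)["”],pid=(\d+)')

def established(text):
    """Yield (process, pid, peer_host, peer_port) for non-loopback ESTAB sockets."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[1] != "ESTAB":
            continue  # header, LISTEN, UNCONN, TIME-WAIT, ...
        host, port = f[5].rsplit(":", 1)
        if host.startswith("127.") or host == "[::1]":
            continue  # local resolver traffic and similar
        m = PROC.search(" ".join(f[6:]))
        yield (m.group(1), int(m.group(2)), host, port) if m else (None, None, host, port)

def summarize(text, ignore=("firefox",)):
    """Return ({process: sorted unique peers}, [sockets not owned by `ignore`])."""
    by_proc, review = defaultdict(set), []
    for proc, pid, host, port in established(text):
        by_proc[proc or "<unknown>"].add(f"{host}:{port}")
        if proc not in ignore:
            review.append((proc, pid, host, port))
    return {p: sorted(v) for p, v in by_proc.items()}, review

if __name__ == "__main__":
    by_proc, review = summarize(SAMPLE)
    for proc, peers in by_proc.items():
        print(f"{proc}: {len(peers)} peer(s): {', '.join(peers)}")
    for item in review:
        print("review:", item)
```

Sockets that land under `<unknown>` have no Process column, which is what `ss` prints when it is run without root for sockets owned by another user, so capture the output with `sudo ss -atpu` before drawing conclusions from them.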

Run it in your disp template (dom0$ qvm-run fedora-34-dvm xterm) and change a few settings in Firefox. The first run brings up its privacy page, so if you really want to be careful, you can run the terminal, set netvm to none, then start Firefox and make your settings. Set new window and tab to blank, disable Pocket, search suggestions, etc. After shutting down the template, new dispVMs shouldn’t make all those connections.

Not a recommended strategy, as it can lead to profile fingerprinting (all profiles will have the same name for example).

Check out this guide instead: [Guide] Automatically install extensions and configure new (dispvm) hardened Firefox profiles with arkenfox user.js and policies