wred process - what is it?

anon imous

I've found some interesting connections on my router in the output of netstat:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 80.x.x.x:46751 91.x.x.x:80 ESTABLISHED 17888/wred
tcp 0 0 80.x.x.x:52799 91.x.x.x:80 ESTABLISHED 17888/wred
tcp 1 0 80.x.x.x:46883 91.x.x.x:80 CLOSE_WAIT 17888/wred
tcp 0 0 80.x.x.x:41592 91.x.x.x:80 ESTABLISHED 17888/wred

The foreign addresses are the same two or three IPs; they belong to my ISP.
Could you tell me what it is?
Why does wred connect to an unknown server on port 80?
(as far as I know, wred=weighted random early detection, but I'm not sure if it is and if it is, then what does it do on the internet)
 
wred is a component of the TrendMicro DPI. Do a reverse lookup on the external IP address, my guess is that it will belong to TrendMicro.
Thanks, the reverse lookup looks as if they were private clients of my ISP (but my ISP's naming conventions... no comment... it could be anything...)
 
wred is related to the malicious website detection system from AiProtection (Website Reputation).
 
Lookup the hostname ntd-asus-2014b-en.fbs20.trendmicro.com and see if it resolves to the same IP in your netstat output. A reverse lookup by IP will probably only tell you it's amazonaws.com.
 
I've tried it:
Non-authoritative answer:
ntd-asus-2014b-en.fbs20.trendmicro.com canonical name = gslb6.fbs.trendmicro.com.akadns.net.
gslb6.fbs.trendmicro.com.akadns.net canonical name = aws-prod.fbs25.trendmicro.com.
aws-prod.fbs25.trendmicro.com canonical name = fbs.prod.spn.a1q7.net.
Name: fbs.prod.spn.a1q7.net
Address: 44.233.140.104
Name: fbs.prod.spn.a1q7.net
Address: 44.233.111.149
Name: fbs.prod.spn.a1q7.net
Address: 2600:1f14:9ae:ce01:bbc0:b480:5075:accd
Name: fbs.prod.spn.a1q7.net
Address: 2600:1f14:9ae:ce03:1f7:61cc:2a3b:1b41


But... Fortunately I keep the logs of my local DNS, and I've found those IPs in there: a771.dscq.akamai.net
Its IPs are changing with the ISP. I've tested it with some VPNs asking DNS 8.8.8.8 and I got different results.
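
The check suggested in the replies (forward-resolve the hostname, then compare the answers with the wred peers from netstat), as an added example that is not part of the original thread. The function names and the sample data (documentation-range addresses, `host.example`) are constructed; the nslookup parsing assumes the `Name:` / `Address:` layout quoted above.

```shell
#!/bin/sh
# Added example: do a process's remote peers match a hostname's A/AAAA records?

# foreign_ips PROG: read `netstat -tnp` output on stdin and print the unique
# remote IPs of TCP connections owned by PROG (e.g. wred).
foreign_ips() {
    awk -v prog="$1" '
        $1 ~ /^tcp/ && $NF ~ ("^[0-9]+/" prog "$") {
            addr = $5
            sub(/:[0-9]+$/, "", addr)   # drop the port, keep the address
            print addr
        }' | sort -u
}

# resolved_ips: read nslookup output on stdin and print the answer addresses.
# Lines before the first "Name:" are the resolver's own header and are skipped.
resolved_ips() {
    awk '/^Name:/ { seen = 1; next }
         seen && /^Address/ { print $NF }' | sort -u
}

# classify PEERS RESOLVED: label each peer (newline-separated lists).
classify() {
    printf '%s\n' "$1" | while read -r ip; do
        [ -n "$ip" ] || continue
        if printf '%s\n' "$2" | grep -qxF -- "$ip"; then
            echo "match $ip"
        else
            echo "unexplained $ip"
        fi
    done
}

# Constructed sample input (not taken from the thread).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.0.2.10:46751 198.51.100.7:80 ESTABLISHED 17888/wred
tcp 0 0 192.0.2.10:52799 203.0.113.20:80 ESTABLISHED 17888/wred
tcp 1 0 192.0.2.10:46883 198.51.100.7:80 CLOSE_WAIT 17888/wred
tcp 0 0 192.0.2.10:22 192.0.2.50:51000 ESTABLISHED 412/dropbear'
SAMPLE_NSLOOKUP='Server: 192.0.2.1
Address: 192.0.2.1#53
Non-authoritative answer:
Name: host.example
Address: 198.51.100.7
Name: host.example
Address: 198.51.100.8'

# On a live router: netstat -tnp | foreign_ips wred ; nslookup <hostname> | resolved_ips
peers=$(printf '%s\n' "$SAMPLE_NETSTAT" | foreign_ips wred)
answers=$(printf '%s\n' "$SAMPLE_NSLOOKUP" | resolved_ips)
classify "$peers" "$answers"
```

An "unexplained" peer only means the address was not in this one answer set. As the last post shows, the answers differ by resolver and location, so run the lookup through the resolver the router itself uses and cross-check the local DNS log.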
 