Where are these connections coming from?

So I see regular, like every 2 minutes or so, connections to kat.cr in the Pi-hole query log.
Now kat.cr doesn’t exist nor work, but I’m trying to find out where these requests are being made from.
I ran tcpview, Wireshark and `netstat -abf 5 > activity.txt`, but nowhere does it show which application or process is connecting (or trying to connect) to kat.cr.
Any idea how I can find out?

Which client is querying this domain? I suppose you ran Wireshark on this particular client?

Other than that, a quick question to Google revealed that kat.cr is kickasstorrents, so if your clients are making connections to this domain and you know that they should not, then your device might have been hijacked by someone trying to abuse it for (maybe illegal) torrent purposes.

Having said that, tcpview may not be the optimal choice (as DNS queries are UDP packets) and netstat should have shown any outgoing connection.
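
One way to answer the "which client?" question from the Pi-hole side, as an added example that is not part of the original thread: it groups queries for a domain by requesting client and reports the typical interval between them. It assumes the dnsmasq-style `query[TYPE] name from client` log lines; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in dnsmasq log format (assumption: query log looks like this).
SAMPLE_LOG = """\
Mar  3 10:00:01 dnsmasq[812]: query[A] kat.cr from 192.168.1.50
Mar  3 10:00:01 dnsmasq[812]: forwarded kat.cr to 9.9.9.9
Mar  3 10:00:40 dnsmasq[812]: query[A] example.org from 192.168.1.20
Mar  3 10:02:01 dnsmasq[812]: query[A] kat.cr from 192.168.1.50
Mar  3 10:02:02 dnsmasq[812]: query[AAAA] kat.cr from 192.168.1.50
Mar  3 10:03:15 dnsmasq[812]: query[A] tracker.kat.cr from 192.168.1.77
Mar  3 10:04:01 dnsmasq[812]: query[A] kat.cr from 192.168.1.50
Mar  3 10:06:02 dnsmasq[812]: query[A] kat.cr from 192.168.1.50
"""

# Only "query[...]" lines name the client; forwarded/reply lines do not.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[\w-]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

def clients_for_domain(log_text, domain):
    """Return {client: [datetime, ...]} for queries to domain or its subdomains."""
    domain = domain.lower().rstrip(".")
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        name = m["name"].lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            stamp = "2000 " + " ".join(m["ts"].split())  # log has no year; pin one
            ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
            hits[m["client"]].append(ts)
    return dict(hits)

def summarize(hits):
    """Per client: (query count, median seconds between query bursts or None)."""
    report = {}
    for client, times in hits.items():
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gaps = [g for g in gaps if g > 5]  # ignore A/AAAA pairs sent together
        report[client] = (len(times), median(gaps) if gaps else None)
    return report

if __name__ == "__main__":
    print(summarize(clients_for_domain(SAMPLE_LOG, "kat.cr")))
```

A client with a steady median gap (here about 120 seconds) points to a scheduled or background process on that machine, which narrows where to run a packet capture.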
