Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Wednesday, May 8, 2013

The extra google domains

What is is a Google-owned domain name used to identify the servers in our network.
Following standard industry practice, we make sure each IP address has a corresponding hostname. In October 2009, we started using a single domain name to identify our servers across all Google products, rather than use different product domains such as,, and We did this for two reasons: first, to keep things simpler, and second, to proactively improve security by protecting against potential threats such as cross-site scripting attacks.
Most typical Internet users will never see, but we picked a Googley name for it just in case (1e100 is scientific notation for 1 googol).
The Google story of 1e100
What is the secret behind 1e100? Why is Google associated with Why such a wierd name "1e100"?
We represent 10 power or 10 raised to any number as 'e' followed by that number. Now, 1 e 100 means 10 100 or 1 * 10 ^ 100 or 1 followed by 100 zeros after it. When our internet giants Larry Page and Sergey Brin wanted to name their company, they thought of a name that would mean a number as large as 1 followed by 100 zeros. But, due a mishap, may a communication gap, the company was mistakenly registered or named as Google.
A googol is the large number 10 100, that is, the digit 1 followed by one hundred zeros in decimal representation. The term was coined in 1938 by Milton Sirotta (1929 - 1980), nephew of American mathematician Edward Kasner, when he was nine years old. Kasner popularized the concept in his book Mathematics and the Imagination. In binary it would take up 333 bits. A googol has no particular significance in mathematics, but is useful when comparing with other very large quantities such as the number of subatomic particles in the visible universe or the number of possible chess games. Edward Kasner created it to illustrate the difference between an unimaginably large number and infinity, and in this role it is sometimes used in teaching mathematics.
1 googol = 1*10 100 that is 1 e 100 or 1 ^ 100
For those of you who watch their incoming/outgoing internet connections closely, you may have noticed the domain pop up periodically for seemingly no reason, and in some instances you may have a persistent connection to it – even as soon as you start your computer.
What is It’s Google. A WHOIS lookup for that domain reveals it’s owned by them.
Why would Google use an "weird" domain name like It’s symbolic of a googol(10×10^100) which is where Google gets its name from.
Being that most people aren’t aware of this, the first reaction upon seeing this in a network management program, such as a software-based firewall, is to block it because they don’t know what it is. It further freaks people out if it shows up as a persistent connection that they can’t get rid of.
The domain will never show up by itself. It will always be a subdomain such as
Instances where you will see the connection
(By "see" I mean literally seeing this from a network utility that can closely monitor all network requests.)
Any web page that has embedded YouTube video
For YouTube itself (a Google property) or any other web site that has a YouTube video embedded in it, will show up even if the video isn’t loaded. When the Flash player first launches it makes a request to YouTube for the video thumbnail image and therefore requests for that data.
Firefox "safe browsing"This feature by default is enabled and uses a Google server to check web sites you load to see if they’re in the "bad" list.
This is located from Tools / Options / Security:
The two checkboxes "Block reported attack sites" and "Block reported web forgeries" enable Firefox to check every single web site you load against the "bad" list Google has.
Uncheck these two boxes if you don’t want where you surf to be checked against the Google list.
If you want to see the actual configuration data for this, load the address about:config in Firefox, then search for safebrowsing, like this:

You don’t have to necessarily do anything here, but if you wanted to know "How much Google is in my Firefox?", there’s your answer.
Google Earth / Google UpdaterBoth Earth and Updater (which Earth installs by default) will make connections to to check for updates.
You can instruct Updater not to do that if so desired.
Other places?
As far as I’m aware, the three above instances are where you will see appear. Now that you’re aware what it is and its purpose, you now know it’s not spyware or malware. It’s Google. Using a weird domain because.. um.. well.. it’s a really long (but not really) story and we’ll leave it at that
A normal application will show its properties, but TCPView will not show the properties for a System process:


C:\>nslookup yh-in-f120
Respuesta no autoritativa:
Nombre:  yh-in-f120

C:\>nslookup yh-in-f95
Respuesta no autoritativa:
Nombre:  yh-in-f95

*** no encuentra Non-existent domain

I already suggested Process Explorer. It sees all and tells all.

If you walk the process trees, you can find out about all active processes including any network sessions.
This persistent connection was driving me crazy. Online Armour (firewall) reported the persistent connections as coming from Avast! (antivirus). However, the source was from Firefox. I guess since the antivirus is hooked into the http traffic, that's how it goes out.

ashWebSv.exe/TCP to I also see,

I did some quick research and found that this persistent connection is from Firefox's safe browsing feature. The Mysterious

I unchecked the "Block reported attack sites" and "Block reported web forgeries" choices in the Security tab and most of the persistent connections went away.

In Firefox, do about:config and filter on safebrowsing to see how what Firefox is doing.

Interesting that Thunderbird also connects to when it checks for new mail from my gmail account (Google, is what I entered):

Thunderbird.exe/TCP to

Google is everywhere. Typing text in the search engine box (Google is default) fires up those persistent connections. httpFox showed queries to

In order to get more useful output, you need to use some parameters for netstat as explained in the documentation:
netstat -a -n -o
  • -a will include ports in state LISTENING,
  • -n will show the real ip-addresses instead of the DNS reverse lookup.
  • -o win include the process id (use the Windows Task manager to look it up).
Please keep in mind that in case your computer got infected, you cannot trust the output of netstat as the malicious program might have manipulated it.


No comments: