0

I'm running a nextcloudpi image. htop was showing a process "curl icanhazip.com"; I did not issue this command and so far couldn't find out why it was running. Some program is trying to get the external IP. I wonder why, and whether this is somehow suspicious, but I could not find anything in the logs or configuration files and couldn't reproduce this after disconnecting the Pi from the network. Any leads on how to find out why this is/was running and/or whether this is normal?

Thanks and regards

2 Answers

1

If your curl is still running (unlikely unless you have a network problem), you should be able to see its PID. You can get all the parent processes with:

pstree -p -s <PID>

In general, there should not be much reason to get that address.

If you're really inquisitive, move curl to (for example) /usr/local/bin/curlcommand and create a script

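#!/bin/bash
# Log the time and the chain of parent processes, then run the real curl.
me=$(id -u)
date >> "/tmp/curls.$me"
pstree -p -s $$ >> "/tmp/curls.$me"
# "$@" keeps arguments containing spaces intact; exec replaces this wrapper.
exec /usr/local/bin/curlcommand "$@"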

and examine the files under tmp.

Ljm Dullaart
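An added example, not part of the answer above: the ancestor lookup that `pstree -p -s` performs, done by reading /proc directly so that each ancestor's full command line is recorded, plus a polling loop that logs the chain for any process matching a pattern without moving curl. The function names `ancestry` and `watch_for` and the log path in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Usage (pattern and log path are illustrative):
#   sh watch-parents.sh 'curl .*icanhazip' /tmp/curl-parents.log

# Print one line per process, "<pid> <command line>", starting with PID $1
# and walking up through its parents until PID 1 (or an unreadable entry).
ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        # cmdline is NUL-separated; the process may vanish while we read it.
        cmd=$( { tr '\0' ' ' < "/proc/$pid/cmdline"; } 2>/dev/null ) || cmd=
        cmd=${cmd% }
        # Kernel threads and zombies have an empty cmdline: use the Name field.
        [ -n "$cmd" ] || cmd="[$(awk '/^Name:/ {print $2}' "/proc/$pid/status" 2>/dev/null)]"
        printf '%s %s\n' "$pid" "$cmd"
        # The PPid field of the status file names the parent process.
        pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
    done
}

# Poll for processes whose command line matches regex $1 and append the
# ancestry of each newly seen one to log file $2. Polling can miss processes
# that live for less than one interval, and the pattern also matches this
# script's own command line (its first log entry).
watch_for() {
    pattern=$1
    log=$2
    seen=" "
    while :; do
        for p in $(pgrep -f -- "$pattern"); do
            case "$seen" in *" $p "*) continue ;; esac
            seen="$seen$p "
            { date; ancestry "$p"; echo; } >> "$log"
        done
        sleep 0.2
    done
}

# Run the watcher only when called with a pattern and a log file.
if [ "$#" -eq 2 ]; then
    watch_for "$1" "$2"
fi
```

In the log, the second line of each entry is the process that launched the match; a cron daemon, a systemd unit's shell or a web server worker there points to where the call is configured.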
0

This is NOT a Pi Question. icanhazip is a website that returns your public IP Address (not my first choice). It is reportedly used by many applications to determine your public IP Address.

It is probably harmless, and would be started by some app you installed (which may or may not be benign).

NOTE that any (and ALL) websites you access know your public IP Address!

Milliways