xpdf 4.03 connecting to unknown hosts??

Path csiph.com!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From Dario Niedermann <dario@darioniedermann.it>
Newsgroups comp.security.unix, comp.os.linux.security
Subject xpdf 4.03 connecting to unknown hosts??
Followup-To comp.security.unix
Date Thu, 10 Mar 2022 15:59:40 +0100
Organization Not speaking for any
Lines 26
Message-ID <slrnt2k4j4.6t6.dario@darioniedermann.it>
Injection-Info reader02.eternal-september.org; posting-host="becb57118b33c6763adae3805cca843d"; logging-data="14952"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19ihpTssM12JFQ20sGIOBuG"
User-Agent slrn/1.0.3 (Linux)
Cancel-Lock sha1:75zjh26Sbb6+q+t/CkNaQfyh8xg=
X-Bogomips 4788.44
X-Linux-Distro Devuan ASCII
X-Text-Editor nvi-1.81.6 (2007-11-18)
Xref csiph.com comp.security.unix:218 comp.os.linux.security:755

Cross-posted to 2 groups.

Followups directed to: comp.security.unix


I just randomly found out that running xpdf instances are connecting via
https to unknown internet hosts:

-----
$ lsof -i:https
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
xpdf     4548  ndr   60u  IPv4 3240798      0t0  TCP myhost:60178->151.101.1.140:https (CLOSE_WAIT)
xpdf     4548  ndr   62u  IPv4 3241136      0t0  TCP myhost:54798->151.101.193.140:https (CLOSE_WAIT)
xpdf     4548  ndr   64u  IPv4 3241163      0t0  TCP myhost:59904->151.101.65.140:https (CLOSE_WAIT)
xpdf     4548  ndr   66u  IPv4 3241168      0t0  TCP myhost:58196->151.101.114.49:https (CLOSE_WAIT)
xpdf     4548  ndr   67u  IPv4 3242068      0t0  TCP myhost:37120->151.101.0.95:https (CLOSE_WAIT)
xpdf     4548  ndr   68u  IPv4 3241177      0t0  TCP myhost:44826->151.101.66.49:https (CLOSE_WAIT)
xpdf     4548  ndr   69u  IPv4 3242069      0t0  TCP myhost:60520->104.16.149.64:https (CLOSE_WAIT)
xpdf     4548  ndr   78u  IPv4 3241196      0t0  TCP myhost:58432->104.16.19.94:https (CLOSE_WAIT)
xpdf     4548  ndr   80u  IPv4 3241189      0t0  TCP myhost:60516->104.16.149.64:https (CLOSE_WAIT)
[...]
-----

I can't think of a good, non-malicious explanation for this...
What does everyone think?

-- 
Dario Niedermann   -:-   finger my email address for PGP key, etc.

Also on the Internet at:            <gopher://darioniedermann.it/>
                                 <https://www.darioniedermann.it/>
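
A triage helper for output like the `lsof -i:https` listing in the post, added here as an example and not part of the original post: it groups connected sockets by process and counts them per remote host and per TCP state. The names `parse_lsof` and `summarize` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Input copied from the lsof output quoted in the post, including its "[...]" elision.
SAMPLE = """\
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
xpdf     4548  ndr   60u  IPv4 3240798      0t0  TCP myhost:60178->151.101.1.140:https (CLOSE_WAIT)
xpdf     4548  ndr   62u  IPv4 3241136      0t0  TCP myhost:54798->151.101.193.140:https (CLOSE_WAIT)
xpdf     4548  ndr   64u  IPv4 3241163      0t0  TCP myhost:59904->151.101.65.140:https (CLOSE_WAIT)
xpdf     4548  ndr   66u  IPv4 3241168      0t0  TCP myhost:58196->151.101.114.49:https (CLOSE_WAIT)
xpdf     4548  ndr   67u  IPv4 3242068      0t0  TCP myhost:37120->151.101.0.95:https (CLOSE_WAIT)
xpdf     4548  ndr   68u  IPv4 3241177      0t0  TCP myhost:44826->151.101.66.49:https (CLOSE_WAIT)
xpdf     4548  ndr   69u  IPv4 3242069      0t0  TCP myhost:60520->104.16.149.64:https (CLOSE_WAIT)
xpdf     4548  ndr   78u  IPv4 3241196      0t0  TCP myhost:58432->104.16.19.94:https (CLOSE_WAIT)
xpdf     4548  ndr   80u  IPv4 3241189      0t0  TCP myhost:60516->104.16.149.64:https (CLOSE_WAIT)
[...]
"""

# Tail of a connected-socket line: local:port->remote:port (STATE)
CONN_RE = re.compile(r"(\S+)->(\S+)(?:\s+\((\w+)\))?\s*$")

def parse_lsof(text):
    """Yield one dict per connected socket found in `lsof -i` output."""
    for line in text.splitlines():
        m = CONN_RE.search(line)
        fields = line.split()
        if not m or len(fields) < 2 or not fields[1].isdigit():
            continue  # header row, "[...]" elision, listening sockets
        rhost, _, rport = m.group(2).rpartition(":")
        yield {"command": fields[0], "pid": int(fields[1]),
               "remote": rhost, "rport": rport, "state": m.group(3) or "UNKNOWN"}

def summarize(conns):
    """Group by (command, pid): socket count per remote host and per TCP state."""
    out = defaultdict(lambda: {"remotes": Counter(), "states": Counter()})
    for c in conns:
        entry = out[(c["command"], c["pid"])]
        entry["remotes"][c["remote"]] += 1
        # CLOSE_WAIT: the peer closed its side; the local process has not closed the socket yet.
        entry["states"][c["state"]] += 1
    return out

if __name__ == "__main__":
    for (cmd, pid), e in summarize(parse_lsof(SAMPLE)).items():
        print(f"{cmd}[{pid}] states={dict(e['states'])}")
        for host, n in e["remotes"].most_common():
            print(f"  {host}: {n} socket(s)")
```

On a live system the same functions accept the text of `lsof -nP -i:https`, where `-n` and `-P` keep addresses and ports numeric.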
