
Re: xpdf 4.03 connecting to unknown hosts??

From "Carlos E.R." <robin_listas@es.invalid>
Newsgroups comp.security.unix
Subject Re: xpdf 4.03 connecting to unknown hosts??
Date 2022-04-19 23:45 +0200
Message-ID <i4n3ji-8dr.ln1@Telcontar.valinor> (permalink)
References <slrnt2k4j4.6t6.dario@darioniedermann.it>



On 2022-03-10 15:59, Dario Niedermann wrote:
> I just randomly found out that running xpdf instances are connecting via
> https to unknown internet hosts:
> 
> -----
> $ lsof -i:https
> COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
> xpdf     4548  ndr   60u  IPv4 3240798      0t0  TCP myhost:60178->151.101.1.140:https (CLOSE_WAIT)
> xpdf     4548  ndr   62u  IPv4 3241136      0t0  TCP myhost:54798->151.101.193.140:https (CLOSE_WAIT)
> xpdf     4548  ndr   64u  IPv4 3241163      0t0  TCP myhost:59904->151.101.65.140:https (CLOSE_WAIT)
> xpdf     4548  ndr   66u  IPv4 3241168      0t0  TCP myhost:58196->151.101.114.49:https (CLOSE_WAIT)
> xpdf     4548  ndr   67u  IPv4 3242068      0t0  TCP myhost:37120->151.101.0.95:https (CLOSE_WAIT)
> xpdf     4548  ndr   68u  IPv4 3241177      0t0  TCP myhost:44826->151.101.66.49:https (CLOSE_WAIT)
> xpdf     4548  ndr   69u  IPv4 3242069      0t0  TCP myhost:60520->104.16.149.64:https (CLOSE_WAIT)
> xpdf     4548  ndr   78u  IPv4 3241196      0t0  TCP myhost:58432->104.16.19.94:https (CLOSE_WAIT)
> xpdf     4548  ndr   80u  IPv4 3241189      0t0  TCP myhost:60516->104.16.149.64:https (CLOSE_WAIT)
> [...]
> -----
> 
> I can't think of a good, non-malicious explanation for this...
> What does everyone think?

Well, I tried to reproduce this and could not.


cer@Telcontar:~> lsof -i:https | grep xpdf
cer@Telcontar:~>

We can find information about those IPs you list with "whois".

The first two:

NetRange:       151.101.0.0 - 151.101.255.255
CIDR:           151.101.0.0/16
NetName:        SKYCA-3
NetHandle:      NET-151-101-0-0-1
Parent:         RIPE-ERX-151 (NET-151-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Fastly (SKYCA-3)
RegDate:        2016-02-01
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/151.101.0.0


OrgName:        Fastly
OrgId:          SKYCA-3
Address:        PO Box 78266
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2011-09-16
Updated:        2021-09-20
Ref:            https://rdap.arin.net/registry/entity/SKYCA-3


The last one:

NetRange:       104.16.0.0 - 104.31.255.255
CIDR:           104.16.0.0/12
NetName:        CLOUDFLARENET
NetHandle:      NET-104-16-0-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS13335
Organization:   Cloudflare, Inc. (CLOUD14)
RegDate:        2014-03-28
Updated:        2021-05-26
Comment:        All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref:            https://rdap.arin.net/registry/ip/104.16.0.0



OrgName:        Cloudflare, Inc.
OrgId:          CLOUD14
Address:        101 Townsend Street
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2010-07-09
Updated:        2021-07-01
Ref:            https://rdap.arin.net/registry/entity/CLOUD14




-- 
Cheers, Carlos.
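The check Carlos walks through by hand (read the remote addresses out of `lsof -i:https`, then look up who owns each netblock) can be done in one pass. The script below is an added example, not code from the thread or from the xpdf project. It parses lsof output in the shape quoted above and matches each remote address against the two allocations the whois records in the post give (151.101.0.0/16 for Fastly, 104.16.0.0/12 for Cloudflare); the sample lines are constructed from the post, with one extra `firefox` line and the 203.0.113.7 address (a documentation range) added so that an address outside the known ranges shows up as "unknown". It handles IPv4 entries only.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of `lsof -i:https` output. The xpdf lines are
# taken from the post; the firefox line and 203.0.113.7 are made up for contrast.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
xpdf     4548  ndr   60u  IPv4 3240798      0t0  TCP myhost:60178->151.101.1.140:https (CLOSE_WAIT)
xpdf     4548  ndr   66u  IPv4 3241168      0t0  TCP myhost:58196->151.101.114.49:https (CLOSE_WAIT)
xpdf     4548  ndr   69u  IPv4 3242069      0t0  TCP myhost:60520->104.16.149.64:https (CLOSE_WAIT)
xpdf     4548  ndr   78u  IPv4 3241196      0t0  TCP myhost:58432->104.16.19.94:https (CLOSE_WAIT)
firefox  5120  ndr   90u  IPv4 3250001      0t0  TCP myhost:51000->203.0.113.7:https (ESTABLISHED)
"""

# Allocations copied from the whois records quoted in the post: CIDR -> organisation.
KNOWN_RANGES = {
    ipaddress.ip_network("151.101.0.0/16"): "Fastly (SKYCA-3)",
    ipaddress.ip_network("104.16.0.0/12"): "Cloudflare, Inc. (CLOUD14)",
}

# One established/closing TCP line: "COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME".
# LISTEN lines have no "->" and are intentionally not matched.
CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<local>[^:\s]+):(?P<lport>[^\s>-]+)->(?P<rhost>[^:\s]+):(?P<rport>\S+)"
    r"\s+\((?P<state>[A-Z_]+)\)$"
)


def parse_lsof(text):
    """Return one dict per TCP connection line; the header and non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(m.groupdict())
    return conns


def classify(ip_str):
    """Name the organisation whose allocation contains ip_str, or 'unknown'."""
    addr = ipaddress.ip_address(ip_str)
    for net, org in KNOWN_RANGES.items():
        if addr in net:
            return org
    return "unknown"


def summarize(text, command=None):
    """Count remote endpoints per owning organisation, optionally for one command only."""
    counts = Counter()
    for c in parse_lsof(text):
        if command and c["cmd"] != command:
            continue
        counts[classify(c["rhost"])] += 1
    return counts


def states(text, command=None):
    """Count socket states per command; CLOSE_WAIT means the peer already closed and the
    local process has not yet closed its end, which is what every xpdf line in the post shows."""
    counts = Counter()
    for c in parse_lsof(text):
        if command and c["cmd"] != command:
            continue
        counts[c["state"]] += 1
    return counts


if __name__ == "__main__":
    for cmd in ("xpdf", "firefox"):
        print(cmd, dict(summarize(SAMPLE_LSOF, cmd)), dict(states(SAMPLE_LSOF, cmd)))
```

Run it against real output with `lsof -i:https | python3 script.py`-style piping by replacing `SAMPLE_LSOF` with `sys.stdin.read()`; any address that comes back "unknown" is the one worth a manual `whois`, while hits in the CDN ranges tell you only who fronts the content, not which site xpdf was fetching.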



Thread

xpdf 4.03 connecting to unknown hosts?? Dario Niedermann <dario@darioniedermann.it> - 2022-03-10 15:59 +0100
  Re: xpdf 4.03 connecting to unknown hosts?? "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2022-03-10 10:48 -0500
    Re: xpdf 4.03 connecting to unknown hosts?? Dario Niedermann <dario@darioniedermann.it> - 2022-03-11 11:08 +0100
      Re: xpdf 4.03 connecting to unknown hosts?? "Carlos E. R." <robin_listas@es.invalid> - 2022-04-20 20:29 +0200
  Re: xpdf 4.03 connecting to unknown hosts?? "Carlos E.R." <robin_listas@es.invalid> - 2022-04-19 23:45 +0200
