


Re: xpdf 4.03 connecting to unknown hosts??

From "David W. Hodgins" <dwhodgins@nomail.afraid.org>
Newsgroups comp.security.unix
Subject Re: xpdf 4.03 connecting to unknown hosts??
Date 2022-03-10 10:48 -0500
Organization A noiseless patient Spider
Message-ID <op.1itnjmf3a3w0dxdave@hodgins.homeip.net>
References <slrnt2k4j4.6t6.dario@darioniedermann.it>



On Thu, 10 Mar 2022 09:59:40 -0500, Dario Niedermann <dario@darioniedermann.it> wrote:

> I just randomly found out that running xpdf instances are connecting via
> https to unknown internet hosts:
>
> -----
> $ lsof -i:https
> COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
> xpdf     4548  ndr   60u  IPv4 3240798      0t0  TCP myhost:60178->151.101.1.140:https (CLOSE_WAIT)
> xpdf     4548  ndr   62u  IPv4 3241136      0t0  TCP myhost:54798->151.101.193.140:https (CLOSE_WAIT)
> xpdf     4548  ndr   64u  IPv4 3241163      0t0  TCP myhost:59904->151.101.65.140:https (CLOSE_WAIT)
> xpdf     4548  ndr   66u  IPv4 3241168      0t0  TCP myhost:58196->151.101.114.49:https (CLOSE_WAIT)
> xpdf     4548  ndr   67u  IPv4 3242068      0t0  TCP myhost:37120->151.101.0.95:https (CLOSE_WAIT)
> xpdf     4548  ndr   68u  IPv4 3241177      0t0  TCP myhost:44826->151.101.66.49:https (CLOSE_WAIT)
> xpdf     4548  ndr   69u  IPv4 3242069      0t0  TCP myhost:60520->104.16.149.64:https (CLOSE_WAIT)
> xpdf     4548  ndr   78u  IPv4 3241196      0t0  TCP myhost:58432->104.16.19.94:https (CLOSE_WAIT)
> xpdf     4548  ndr   80u  IPv4 3241189      0t0  TCP myhost:60516->104.16.149.64:https (CLOSE_WAIT)
> [...]
> -----
>
> I can't think of a good, non-malicious explanation to this...
> What does everyone think?

Those IP addresses are owned by Fastly and Cloudflare, so there's no easy way to find whose
site it's trying to contact.

I just tested xpdf on one of my Mageia 7 installs using strace and it is not
making any such calls. Also tested without strace using lsof.

Anything in the document that might be using resources from those sites?

It's unlikely to be an infected xpdf, more likely to be something in the document.

Regards, Dave Hodgins
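Dave's question above (is anything in the document pulling resources from those sites?) is the first check to run, and it can be done offline before the file is opened again. The following is an added example, not code from this thread or from the xpdf project: a byte-level triage script that looks through a PDF for the action types that can make a viewer reach out to the network (/URI, /Launch, /GoToR, /SubmitForm, /ImportData, /JavaScript, and /OpenAction or /AA, which chain to them), inflates Flate-compressed streams so object streams are scanned too, and lists every host named in the file. The sample document it builds, and the hostnames and URLs inside it, are constructed for the example and are not from the poster's document.

```python
"""
Byte-level triage of a PDF for objects that can make a viewer reach out to the
network: /URI, /Launch, /GoToR, /SubmitForm, /ImportData, /JavaScript (/JS),
plus /OpenAction and /AA, which can chain to them. Flate-compressed streams
(including object streams) are inflated so content hidden in them is seen too.
Added example; not code from the thread or from the xpdf project.
"""
import re
import sys
import zlib

# Keys whose presence means the document asks the viewer to act, not just render.
ACTION_KEYS = (b"/URI", b"/Launch", b"/GoToR", b"/SubmitForm", b"/ImportData",
               b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                 # /URI (literal string)
URL_RE = re.compile(rb"https?://[\w.\-/%:?=&+#~]+")          # loose literal-URL match
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Return data with the inflated body of every stream zlib can decode appended.
    Streams that are not Flate-encoded simply fail to inflate and are skipped."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join([data] + inflated)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count action keys and collect URL-like strings from raw and inflated content.
    This is triage only: hex strings, escaped strings, non-Flate filters and
    encrypted documents need a real PDF parser."""
    expanded = inflate_streams(data)
    counts = {}
    for key in ACTION_KEYS:
        # Negative lookahead so a key is not counted inside a longer name (/URI vs /URIx).
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", expanded))
        if n:
            counts[key.decode()] = n
    uris = sorted({m.group(1).decode("latin-1") for m in URI_RE.finditer(expanded)})
    urls = sorted({m.group(0).decode("latin-1") for m in URL_RE.finditer(expanded)})
    hosts = sorted({re.sub(r"^https?://", "", u).split("/")[0] for u in urls})
    return {"action_keys": counts, "uris": uris, "urls": urls, "hosts": hosts}


def scan_pdf_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())


def build_sample_pdf() -> bytes:
    """Constructed sample, not a document from the thread and not a fully valid PDF
    (no xref table): one page with a /Link annotation carrying a /URI action, and a
    Flate-compressed object stream holding a /JavaScript action that the catalog's
    /OpenAction points at, so the inflate path is exercised. Hostnames are made up."""
    js_obj = b"<< /S /JavaScript /JS (app.launchURL('https://example.com/beacon', true)) >>"
    header = b"6 0\n"                       # object 6 starts at offset 0 of the stream body
    body = zlib.compress(header + js_obj)
    objstm = (b"5 0 obj\n<< /Type /ObjStm /N 1 /First %d /Length %d /Filter /FlateDecode >>\n"
              % (len(header), len(body)) + b"stream\n" + body + b"\nendstream\nendobj\n")
    return b"".join([
        b"%PDF-1.5\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>\nendobj\n",
        b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 100] "
        b"/A << /S /URI /URI (https://cdn.example.net/track.png) >> >>\nendobj\n",
        objstm,
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    # Usage: python pdf_net_triage.py file.pdf ...   (no arguments: scan the constructed sample)
    targets = sys.argv[1:]
    if targets:
        results = [(p, scan_pdf_file(p)) for p in targets]
    else:
        results = [("<sample>", scan_pdf_bytes(build_sample_pdf()))]
    for name, r in results:
        print(name, r)
```

Run against the suspect document, any hosts it lists can be compared with what lsof shows; the CDN addresses in the quoted output only tell you the edge network, the document's URLs tell you whose content sits behind it. To confirm the viewer itself is the source, Dave's strace check can be made concrete as `strace -f -e trace=network -o /tmp/xpdf.trace xpdf file.pdf` and the trace grepped for connect() calls; a clean xpdf on a document with no such entries, as Dave reports, is the expected result.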



Thread

xpdf 4.03 connecting to unknown hosts?? Dario Niedermann <dario@darioniedermann.it> - 2022-03-10 15:59 +0100
  Re: xpdf 4.03 connecting to unknown hosts?? "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2022-03-10 10:48 -0500
    Re: xpdf 4.03 connecting to unknown hosts?? Dario Niedermann <dario@darioniedermann.it> - 2022-03-11 11:08 +0100
      Re: xpdf 4.03 connecting to unknown hosts?? "Carlos E. R." <robin_listas@es.invalid> - 2022-04-20 20:29 +0200
  Re: xpdf 4.03 connecting to unknown hosts?? "Carlos E.R." <robin_listas@es.invalid> - 2022-04-19 23:45 +0200
