I just randomly found out that running xpdf instances are connecting via https to unknown internet hosts:
-----
$ lsof -i:https
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xpdf 4548 ndr 60u IPv4 3240798 0t0 TCP myhost:60178->151.101.1.140:https (CLOSE_WAIT)
xpdf 4548 ndr 62u IPv4 3241136 0t0 TCP myhost:54798->151.101.193.140:https (CLOSE_WAIT)
xpdf 4548 ndr 64u IPv4 3241163 0t0 TCP myhost:59904->151.101.65.140:https (CLOSE_WAIT)
xpdf 4548 ndr 66u IPv4 3241168 0t0 TCP myhost:58196->151.101.114.49:https (CLOSE_WAIT)
xpdf 4548 ndr 67u IPv4 3242068 0t0 TCP myhost:37120->151.101.0.95:https (CLOSE_WAIT)
xpdf 4548 ndr 68u IPv4 3241177 0t0 TCP myhost:44826->151.101.66.49:https (CLOSE_WAIT)
xpdf 4548 ndr 69u IPv4 3242069 0t0 TCP myhost:60520->104.16.149.64:https (CLOSE_WAIT)
xpdf 4548 ndr 78u IPv4 3241196 0t0 TCP myhost:58432->104.16.19.94:https (CLOSE_WAIT)
xpdf 4548 ndr 80u IPv4 3241189 0t0 TCP myhost:60516->104.16.149.64:https (CLOSE_WAIT)
[...]
-----
I can't think of a good, non-malicious explanation for this...
What does everyone think?
It's unlikely to be an infected xpdf, more likely to be something in
the document.
David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
It's unlikely to be an infected xpdf, more likely to be something in
the document.
I think you may be right. Looking more closely at the lsof output,
I later noted it was just one of the xpdf instances making those calls
(same PID). Now unfortunately I closed all instances, so I'm trying to
find again which file might have been guilty.
It's a bit troubling if a PDF file can do this, though. It can be used
at the very least as a tracking mechanism (that IP is reading this file)
or - who knows - maybe even to download malicious content?
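A triage step for the question in the last post (which file might have been guilty), added here as an example and not part of the thread: the script flags the PDF action dictionaries and literal URI targets that let a document make a viewer open a connection, which is also the tracking mechanism described above. The sample PDF bytes are constructed inline and the URI in them is a placeholder; the key names come from the PDF specification.

```python
import re
import zlib
from collections import Counter

# PDF name keys that let a document trigger viewer actions, several of which
# fetch remote resources (PDF 1.7 spec, action dictionaries).
ACTION_KEYS = (b"/OpenAction", b"/AA", b"/URI", b"/Launch", b"/JavaScript",
               b"/JS", b"/SubmitForm", b"/GoToR", b"/ImportData")
AUTO_TRIGGERS = (b"/OpenAction", b"/AA")  # fire on open or page events, no click
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")  # literal-string URI target

def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate stream so actions stored in
    compressed object streams are scanned too."""
    extra = []
    for body in STREAM_RE.findall(data):
        try:
            extra.append(zlib.decompress(body))
        except zlib.error:
            pass  # not Flate-compressed or corrupt: only raw bytes are scanned
    return data + b"\n" + b"\n".join(extra)

def triage_pdf(data: bytes) -> dict:
    """Report the action keys present, every literal URI target, and whether an
    action fires automatically. Limitation: /#xx name escapes and <hex> strings
    are not normalised, so an evasive file needs a fuller parser."""
    text = _inflate_streams(data)
    counts = Counter()
    for key in ACTION_KEYS:
        # lookahead so /JS does not also count a longer name starting with /JS
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", text))
        if n:
            counts[key.decode()] = n
    return {
        "action_keys": dict(counts),
        "uris": [u.decode("latin-1") for u in URI_RE.findall(text)],
        "auto_trigger": any(k.decode() in counts for k in AUTO_TRIGGERS),
    }

# Constructed sample: a one-page PDF whose catalog runs a URI action on open.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /URI /URI (https://beacon.example.invalid/r?id=42) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
```

Run `triage_pdf(open(path, "rb").read())` over the recently opened PDFs; a file with an auto-trigger plus a URI, JavaScript or SubmitForm action is the first candidate for the connections seen in lsof.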