Subject: xpdf 4.03 connecting to unknown hosts??
From: Dario Niedermann
Newsgroups: comp.security.unix, comp.os.linux.security
Followup: comp.security.unix
Organization: Not speaking for any
Date: Thu, 10 Mar 2022 14:59 UTC
Message-ID: <slrnt2k4j4.6t6.dario@darioniedermann.it>

I just randomly found out that running xpdf instances are connecting via
https to unknown internet hosts:

-----
$ lsof -i:https
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xpdf 4548 ndr 60u IPv4 3240798 0t0 TCP myhost:60178->151.101.1.140:https (CLOSE_WAIT)
xpdf 4548 ndr 62u IPv4 3241136 0t0 TCP myhost:54798->151.101.193.140:https (CLOSE_WAIT)
xpdf 4548 ndr 64u IPv4 3241163 0t0 TCP myhost:59904->151.101.65.140:https (CLOSE_WAIT)
xpdf 4548 ndr 66u IPv4 3241168 0t0 TCP myhost:58196->151.101.114.49:https (CLOSE_WAIT)
xpdf 4548 ndr 67u IPv4 3242068 0t0 TCP myhost:37120->151.101.0.95:https (CLOSE_WAIT)
xpdf 4548 ndr 68u IPv4 3241177 0t0 TCP myhost:44826->151.101.66.49:https (CLOSE_WAIT)
xpdf 4548 ndr 69u IPv4 3242069 0t0 TCP myhost:60520->104.16.149.64:https (CLOSE_WAIT)
xpdf 4548 ndr 78u IPv4 3241196 0t0 TCP myhost:58432->104.16.19.94:https (CLOSE_WAIT)
xpdf 4548 ndr 80u IPv4 3241189 0t0 TCP myhost:60516->104.16.149.64:https (CLOSE_WAIT)
[...]
-----

I can't think of a good, non-malicious explanation for this...
What does everyone think?

--
Dario Niedermann -:- finger my email address for PGP key, etc.

Also on the Internet at: <gopher://darioniedermann.it/>
<https://www.darioniedermann.it/>

Subject: Re: xpdf 4.03 connecting to unknown hosts??
From: David W. Hodgins
Newsgroups: comp.security.unix
Organization: A noiseless patient Spider
Date: Thu, 10 Mar 2022 15:48 UTC
Message-ID: <op.1itnjmf3a3w0dxdave@hodgins.homeip.net>
References: <slrnt2k4j4.6t6.dario@darioniedermann.it>

On Thu, 10 Mar 2022 09:59:40 -0500, Dario Niedermann <dario@darioniedermann.it> wrote:

> I just randomly found out that running xpdf instances are connecting via
> https to unknown internet hosts:
>
> -----
> $ lsof -i:https
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> xpdf 4548 ndr 60u IPv4 3240798 0t0 TCP myhost:60178->151.101.1.140:https (CLOSE_WAIT)
> xpdf 4548 ndr 62u IPv4 3241136 0t0 TCP myhost:54798->151.101.193.140:https (CLOSE_WAIT)
> xpdf 4548 ndr 64u IPv4 3241163 0t0 TCP myhost:59904->151.101.65.140:https (CLOSE_WAIT)
> xpdf 4548 ndr 66u IPv4 3241168 0t0 TCP myhost:58196->151.101.114.49:https (CLOSE_WAIT)
> xpdf 4548 ndr 67u IPv4 3242068 0t0 TCP myhost:37120->151.101.0.95:https (CLOSE_WAIT)
> xpdf 4548 ndr 68u IPv4 3241177 0t0 TCP myhost:44826->151.101.66.49:https (CLOSE_WAIT)
> xpdf 4548 ndr 69u IPv4 3242069 0t0 TCP myhost:60520->104.16.149.64:https (CLOSE_WAIT)
> xpdf 4548 ndr 78u IPv4 3241196 0t0 TCP myhost:58432->104.16.19.94:https (CLOSE_WAIT)
> xpdf 4548 ndr 80u IPv4 3241189 0t0 TCP myhost:60516->104.16.149.64:https (CLOSE_WAIT)
> [...]
> -----
>
> I can't think of a good, non-malicious explanation for this...
> What does everyone think?

Those IP addresses are owned by Fastly and Cloudflare, so there's no easy way to find
whose site it's trying to contact.

I just tested xpdf on one of my Mageia 7 installs using strace and it is not
making any such calls. Also tested without strace using lsof.

Anything in the document that might be using resources from those sites?

It's unlikely to be an infected xpdf, more likely to be something in the document.

Regards, Dave Hodgins

Subject: Re: xpdf 4.03 connecting to unknown hosts??
From: Dario Niedermann
Newsgroups: comp.security.unix
Organization: Not speaking for any
Date: Fri, 11 Mar 2022 10:08 UTC
Message-ID: <slrnt2m7tq.6t6.dario@darioniedermann.it>
References: <slrnt2k4j4.6t6.dario@darioniedermann.it>
 <op.1itnjmf3a3w0dxdave@hodgins.homeip.net>

David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:

> It's unlikely to be an infected xpdf, more likely to be something in
> the document.

I think you may be right. Looking more closely at the lsof output,
I later noted it was just one of the xpdf instances making those calls
(same PID). Now unfortunately I closed all instances, so I'm trying to
find again which file might have been guilty.

It's a bit troubling if a PDF file can do this, though. It can be used
at the very least as a tracking mechanism (that IP is reading this file)
or - who knows - maybe even download malicious content?

--
Dario Niedermann -:- finger my email address for PGP key, etc.

Also on the Internet at: <gopher://darioniedermann.it/>
<https://www.darioniedermann.it/>

Subject: Re: xpdf 4.03 connecting to unknown hosts??
From: Carlos E.R.
Newsgroups: comp.security.unix
Date: Tue, 19 Apr 2022 21:45 UTC
Message-ID: <i4n3ji-8dr.ln1@Telcontar.valinor>
References: <slrnt2k4j4.6t6.dario@darioniedermann.it>

On 2022-03-10 15:59, Dario Niedermann wrote:
> I just randomly found out that running xpdf instances are connecting via
> https to unknown internet hosts:
>
> -----
> $ lsof -i:https
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> xpdf 4548 ndr 60u IPv4 3240798 0t0 TCP myhost:60178->151.101.1.140:https (CLOSE_WAIT)
> xpdf 4548 ndr 62u IPv4 3241136 0t0 TCP myhost:54798->151.101.193.140:https (CLOSE_WAIT)
> xpdf 4548 ndr 64u IPv4 3241163 0t0 TCP myhost:59904->151.101.65.140:https (CLOSE_WAIT)
> xpdf 4548 ndr 66u IPv4 3241168 0t0 TCP myhost:58196->151.101.114.49:https (CLOSE_WAIT)
> xpdf 4548 ndr 67u IPv4 3242068 0t0 TCP myhost:37120->151.101.0.95:https (CLOSE_WAIT)
> xpdf 4548 ndr 68u IPv4 3241177 0t0 TCP myhost:44826->151.101.66.49:https (CLOSE_WAIT)
> xpdf 4548 ndr 69u IPv4 3242069 0t0 TCP myhost:60520->104.16.149.64:https (CLOSE_WAIT)
> xpdf 4548 ndr 78u IPv4 3241196 0t0 TCP myhost:58432->104.16.19.94:https (CLOSE_WAIT)
> xpdf 4548 ndr 80u IPv4 3241189 0t0 TCP myhost:60516->104.16.149.64:https (CLOSE_WAIT)
> [...]
> -----
>
> I can't think of a good, non-malicious explanation for this...
> What does everyone think?

Well, I tried to reproduce this and could not.

cer@Telcontar:~> lsof -i:https | grep xpdf
cer@Telcontar:~>

We can find information about those IPs you list with "whois".

The first two:

NetRange: 151.101.0.0 - 151.101.255.255
CIDR: 151.101.0.0/16
NetName: SKYCA-3
NetHandle: NET-151-101-0-0-1
Parent: RIPE-ERX-151 (NET-151-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Fastly (SKYCA-3)
RegDate: 2016-02-01
Updated: 2021-12-14
Ref: https://rdap.arin.net/registry/ip/151.101.0.0

OrgName: Fastly
OrgId: SKYCA-3
Address: PO Box 78266
City: San Francisco
StateProv: CA
PostalCode: 94107
Country: US
RegDate: 2011-09-16
Updated: 2021-09-20
Ref: https://rdap.arin.net/registry/entity/SKYCA-3

The last one:

NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
RegDate: 2014-03-28
Updated: 2021-05-26
Comment: All Cloudflare abuse reporting can be done via
https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/registry/ip/104.16.0.0

OrgName: Cloudflare, Inc.
OrgId: CLOUD14
Address: 101 Townsend Street
City: San Francisco
StateProv: CA
PostalCode: 94107
Country: US
RegDate: 2010-07-09
Updated: 2021-07-01
Ref: https://rdap.arin.net/registry/entity/CLOUD14

--
Cheers, Carlos.

Subject: Re: xpdf 4.03 connecting to unknown hosts??
From: Carlos E. R.
Newsgroups: comp.security.unix
Date: Wed, 20 Apr 2022 18:29 UTC
Message-ID: <jcb1o9FqemcU1@mid.individual.net>
References: <slrnt2k4j4.6t6.dario@darioniedermann.it>
 <op.1itnjmf3a3w0dxdave@hodgins.homeip.net>
 <slrnt2m7tq.6t6.dario@darioniedermann.it>

On 2022-03-11 11:08, Dario Niedermann wrote:
> David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
>
>> It's unlikely to be an infected xpdf, more likely to be something in
>> the document.
>
> I think you may be right. Looking more closely at the lsof output,
> I later noted it was just one of the xpdf instances making those calls
> (same PID). Now unfortunately I closed all instances, so I'm trying to
> find again which file might have been guilty.
>
> It's a bit troubling if a PDF file can do this, though. It can be used
> at the very least as a tracking mechanism (that IP is reading this file)
> or - who knows - maybe even download malicious content?

This has been known for a long time (typically used for tracking who reads a
document, or for authorizations), but I thought xpdf was not capable of
doing it. I thought it needed the scripting in Adobe Reader.

--
Cheers,
Carlos E.R.
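
Dario's problem of finding which file was responsible, and Carlos's point that a document can carry a tracking mechanism, both come down to locating the PDF actions that make a viewer reach out to the network. The scanner below is an added example, not code from the thread or from xpdf; its sample PDF is constructed inline and the example.invalid hostnames are placeholders.

```python
import re
import sys
import zlib
from collections import Counter
from pathlib import Path

# PDF keywords that make a viewer fetch, run or send something on open or click; the
# trailing lookahead keeps "/AA" from matching harmless keys such as "/AAPL:Keywords".
ACTION_RE = re.compile(
    rb"/(OpenAction|AA|JavaScript|JS|Launch|GoToR|SubmitForm|ImportData|URI|EmbeddedFile)"
    rb"(?![A-Za-z])")
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)   # /URI (literal string)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)

def _inflate_streams(data: bytes) -> bytes:
    """Inflate every Flate-compressed stream in place, so actions hidden inside
    object streams (the norm in modern PDFs) are visible to the plain-byte scan."""
    def inflate(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)      # image data or another filter: leave untouched
    return STREAM_RE.sub(inflate, data)

def find_external_refs(pdf: bytes) -> dict:
    """Return the action keywords found (with counts) and every /URI target."""
    data = _inflate_streams(pdf)
    keys = Counter(k.decode() for k in ACTION_RE.findall(data))
    uris = sorted({u.decode("latin-1") for u in URI_RE.findall(data)})
    return {"keywords": dict(keys), "uris": uris}

# Constructed sample, not a file from the thread: one visible /URI link annotation
# plus a Flate-compressed object stream hiding a second /URI action.
_hidden = zlib.compress(b"4 0 obj << /S /URI /URI (https://beacon.example.invalid/ping) >> endobj")
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://cdn.example.invalid/p.png) >> >> endobj\n"
    b"5 0 obj << /Filter /FlateDecode /Length " + str(len(_hidden)).encode() + b" >>\n"
    b"stream\n" + _hidden + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    # Scan the PDFs named on the command line, or the built-in sample if none given.
    for name in sys.argv[1:] or ["<sample>"]:
        pdf = SAMPLE_PDF if name == "<sample>" else Path(name).read_bytes()
        print(name, find_external_refs(pdf))
```

Any /URI target, especially one reached from /OpenAction or /AA (actions that fire without a click), is the document-side cause the thread suspects.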
