Strange connections after update

November 2, 2017

I updated my self-hosted confluence site on 2017-10-30 14:00 GMT to 6.4.3 using the binary installer.

At 01.11.2017 04:02 GMT, my rkhunter reported the following:

Warning: Network TCP port 47018 is being used by /opt/atlassian/confluence/jre/bin/java. Possible rootkit: Possible Universal Rootkit (URK) component
         Use the 'lsof -i' or 'netstat -an' command to check this.

I could not find that connection when I checked manually on 02.11.2017 16:20 GMT, but several connections from the confluence user's JAVA to some Amazon AWS and Cloudfront resources:

17:17 root@tango003:~# lsof -i | grep confluence 
java      12560            confluence   36u  IPv6 142164877      0t0  TCP *:opsmessaging (LISTEN) 
java      12560            confluence   83u  IPv6 142178417      0t0  TCP localhost.localdomain:irdmi (LISTEN) 
java      12560            confluence   84u  IPv6 147577281      0t0  TCP localhost.localdomain:45026->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   85u  IPv6 147575636      0t0  TCP localhost.localdomain:45052->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   87u  IPv6 147575640      0t0  TCP localhost.localdomain:45056->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   89u  IPv6 147574776      0t0  TCP localhost.localdomain:45060->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   91u  IPv6 147576307      0t0  TCP localhost.localdomain:45016->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   92u  IPv6 147577301      0t0  TCP localhost.localdomain:45064->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   93u  IPv6 147574783      0t0  TCP localhost.localdomain:45066->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   94u  IPv6 147575650      0t0  TCP localhost.localdomain:45072->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   95u  IPv6 147577305      0t0  TCP localhost.localdomain:45076->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   96u  IPv6 147576378      0t0  TCP localhost.localdomain:45118->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   97u  IPv6 147575654      0t0  TCP localhost.localdomain:45080->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   98u  IPv6 147577870      0t0  TCP localhost.localdomain:45114->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence   99u  IPv6 147577318      0t0  TCP localhost.localdomain:45122->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  100u  IPv6 147575669      0t0  TCP localhost.localdomain:45126->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  101u  IPv6 147577322      0t0  TCP localhost.localdomain:45130->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  102u  IPv6 147577859      0t0  TCP localhost.localdomain:45084->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  104u  IPv6 147575658      0t0  TCP localhost.localdomain:45088->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  105u  IPv6 147577860      0t0  TCP localhost.localdomain:45092->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  106u  IPv6 147577311      0t0  TCP localhost.localdomain:45096->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  107u  IPv6 147575659      0t0  TCP localhost.localdomain:45100->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  108u  IPv6 147577351      0t0  TCP localhost.localdomain:45174->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  109u  IPv6 147577891      0t0  TCP localhost.localdomain:45176->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  110u  IPv6 147577352      0t0  TCP localhost.localdomain:45180->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  113u  IPv6 147575625      0t0  TCP localhost.localdomain:45030->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  114u  IPv6 147572727      0t0  TCP tango003.zen-net.de:54620->tango003.zen-net.de:https (ESTABLISHED) 
java      12560            confluence  115u  IPv6 147575624      0t0  TCP localhost.localdomain:45024->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  116u  IPv6 147575660      0t0  TCP localhost.localdomain:45104->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  117u  IPv6 147577326      0t0  TCP localhost.localdomain:45134->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  118u  IPv6 147577895      0t0  TCP localhost.localdomain:45192->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  122u  IPv6 147577340      0t0  TCP localhost.localdomain:45146->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  124u  IPv6 147577341      0t0  TCP localhost.localdomain:45150->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  126u  IPv6 147577342      0t0  TCP localhost.localdomain:45152->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  129u  IPv6 147577357      0t0  TCP localhost.localdomain:45188->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  131u  IPv6 147575630      0t0  TCP localhost.localdomain:45036->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  132u  IPv6 142226712      0t0  TCP tango003.zen-net.de:50776->ec2-34-236-196-175.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  133u  IPv6 147573016      0t0  TCP tango003.zen-net.de:58588->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  136u  IPv6 147575661      0t0  TCP localhost.localdomain:45108->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  137u  IPv6 142236296      0t0  TCP tango003.zen-net.de:45350->server-52-222-157-149.fra53.r.cloudfront.net:https (CLOSE_WAIT) 
java      12560            confluence  138u  IPv6 147577343      0t0  TCP localhost.localdomain:45158->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  139u  IPv6 147575692      0t0  TCP localhost.localdomain:45162->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  143u  IPv6 147573939      0t0  TCP tango003.zen-net.de:58978->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  144u  IPv6 147577327      0t0  TCP localhost.localdomain:45136->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  148u  IPv6 147572340      0t0  TCP tango003.zen-net.de:58984->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  149u  IPv6 142236292      0t0  TCP tango003.zen-net.de:48364->ec2-34-192-77-223.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  153u  IPv6 147574852      0t0  TCP tango003.zen-net.de:58986->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  157u  IPv6 147573221      0t0  TCP tango003.zen-net.de:58972->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  158u  IPv6 147576425      0t0  TCP localhost.localdomain:45190->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  161u  IPv6 147574851      0t0  TCP tango003.zen-net.de:58970->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  162u  IPv6 147573222      0t0  TCP tango003.zen-net.de:58982->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  163u  IPv6 147572339      0t0  TCP tango003.zen-net.de:58976->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  166u  IPv6 147576309      0t0  TCP localhost.localdomain:45020->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  167u  IPv6 147251053      0t0  TCP tango003.zen-net.de:60206->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  168u  IPv6 147577328      0t0  TCP localhost.localdomain:45138->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12560            confluence  171u  IPv6 142233532      0t0  TCP tango003.zen-net.de:46726->ec2-34-192-77-223.compute-1.amazonaws.com:https (CLOSE_WAIT) 
java      12560            confluence  177u  IPv6 147573779      0t0  TCP tango003.zen-net.de:52934->tango003.zen-net.de:https (CLOSE_WAIT) 
java      12560            confluence  918u  IPv6 142178328      0t0  TCP localhost.localdomain:58080->localhost.localdomain:jamlink (ESTABLISHED) 
java      12560            confluence  935u  IPv6 147573009      0t0  TCP tango003.zen-net.de:53318->tango003.zen-net.de:https (CLOSE_WAIT) 
java      12997            confluence   60u  IPv6 147575158      0t0  TCP localhost.localdomain:43750->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12997            confluence   61u  IPv6 142169448      0t0  TCP *:jamlink (LISTEN) 
java      12997            confluence   62u  IPv6 142175978      0t0  TCP localhost.localdomain:jamlink->localhost.localdomain:58080 (ESTABLISHED) 
java      12997            confluence   65u  IPv6 147531691      0t0  TCP localhost.localdomain:55622->localhost.localdomain:pyrrho (ESTABLISHED) 
java      12997            confluence   66u  IPv6 147530446      0t0  TCP localhost.localdomain:55862->localhost.localdomain:pyrrho (ESTABLISHED) 
17:26 root@tango003:~#

I'm a bit concerned about that - could you please tell me if this is expected behavior or not?

Forums

Product Q&A

Community resources

Support

Top groups

Community resources

Support

Learn

Community resources

Support

Events

Community resources

Support

Strange connections after update

1 answer

Suggest an answer

Was this helpful?

Thanks!

TAGS

Atlassian Community Events