Strange connections after update

I updated my self-hosted Confluence site on 2017-10-30 14:00 GMT to 6.4.3 using the binary installer.

At 01.11.2017 04:02 GMT, my rkhunter reported the following:

Warning: Network TCP port 47018 is being used by /opt/atlassian/confluence/jre/bin/java. Possible rootkit: Possible Universal Rootkit (URK) component
         Use the 'lsof -i' or 'netstat -an' command to check this.

I could not find that connection when I checked manually on 02.11.2017 16:20 GMT, but I did find several connections from the confluence user's Java process to some Amazon AWS and CloudFront resources:

17:17 root@tango003:~# lsof -i | grep confluence 
java      12560            confluence   36u  IPv6 142164877      0t0  TCP *:opsmessaging (LISTEN)
java      12560            confluence   83u  IPv6 142178417      0t0  TCP localhost.localdomain:irdmi (LISTEN)
java      12560            confluence   84u  IPv6 147577281      0t0  TCP localhost.localdomain:45026->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   85u  IPv6 147575636      0t0  TCP localhost.localdomain:45052->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   87u  IPv6 147575640      0t0  TCP localhost.localdomain:45056->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   89u  IPv6 147574776      0t0  TCP localhost.localdomain:45060->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   91u  IPv6 147576307      0t0  TCP localhost.localdomain:45016->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   92u  IPv6 147577301      0t0  TCP localhost.localdomain:45064->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   93u  IPv6 147574783      0t0  TCP localhost.localdomain:45066->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   94u  IPv6 147575650      0t0  TCP localhost.localdomain:45072->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   95u  IPv6 147577305      0t0  TCP localhost.localdomain:45076->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   96u  IPv6 147576378      0t0  TCP localhost.localdomain:45118->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   97u  IPv6 147575654      0t0  TCP localhost.localdomain:45080->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   98u  IPv6 147577870      0t0  TCP localhost.localdomain:45114->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence   99u  IPv6 147577318      0t0  TCP localhost.localdomain:45122->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  100u  IPv6 147575669      0t0  TCP localhost.localdomain:45126->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  101u  IPv6 147577322      0t0  TCP localhost.localdomain:45130->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  102u  IPv6 147577859      0t0  TCP localhost.localdomain:45084->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  104u  IPv6 147575658      0t0  TCP localhost.localdomain:45088->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  105u  IPv6 147577860      0t0  TCP localhost.localdomain:45092->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  106u  IPv6 147577311      0t0  TCP localhost.localdomain:45096->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  107u  IPv6 147575659      0t0  TCP localhost.localdomain:45100->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  108u  IPv6 147577351      0t0  TCP localhost.localdomain:45174->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  109u  IPv6 147577891      0t0  TCP localhost.localdomain:45176->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  110u  IPv6 147577352      0t0  TCP localhost.localdomain:45180->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  113u  IPv6 147575625      0t0  TCP localhost.localdomain:45030->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  114u  IPv6 147572727      0t0  TCP tango003.zen-net.de:54620->tango003.zen-net.de:https (ESTABLISHED)
java      12560            confluence  115u  IPv6 147575624      0t0  TCP localhost.localdomain:45024->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  116u  IPv6 147575660      0t0  TCP localhost.localdomain:45104->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  117u  IPv6 147577326      0t0  TCP localhost.localdomain:45134->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  118u  IPv6 147577895      0t0  TCP localhost.localdomain:45192->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  122u  IPv6 147577340      0t0  TCP localhost.localdomain:45146->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  124u  IPv6 147577341      0t0  TCP localhost.localdomain:45150->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  126u  IPv6 147577342      0t0  TCP localhost.localdomain:45152->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  129u  IPv6 147577357      0t0  TCP localhost.localdomain:45188->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  131u  IPv6 147575630      0t0  TCP localhost.localdomain:45036->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  132u  IPv6 142226712      0t0  TCP tango003.zen-net.de:50776->ec2-34-236-196-175.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  133u  IPv6 147573016      0t0  TCP tango003.zen-net.de:58588->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  136u  IPv6 147575661      0t0  TCP localhost.localdomain:45108->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  137u  IPv6 142236296      0t0  TCP tango003.zen-net.de:45350->server-52-222-157-149.fra53.r.cloudfront.net:https (CLOSE_WAIT)
java      12560            confluence  138u  IPv6 147577343      0t0  TCP localhost.localdomain:45158->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  139u  IPv6 147575692      0t0  TCP localhost.localdomain:45162->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  143u  IPv6 147573939      0t0  TCP tango003.zen-net.de:58978->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  144u  IPv6 147577327      0t0  TCP localhost.localdomain:45136->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  148u  IPv6 147572340      0t0  TCP tango003.zen-net.de:58984->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  149u  IPv6 142236292      0t0  TCP tango003.zen-net.de:48364->ec2-34-192-77-223.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  153u  IPv6 147574852      0t0  TCP tango003.zen-net.de:58986->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  157u  IPv6 147573221      0t0  TCP tango003.zen-net.de:58972->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  158u  IPv6 147576425      0t0  TCP localhost.localdomain:45190->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  161u  IPv6 147574851      0t0  TCP tango003.zen-net.de:58970->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  162u  IPv6 147573222      0t0  TCP tango003.zen-net.de:58982->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  163u  IPv6 147572339      0t0  TCP tango003.zen-net.de:58976->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  166u  IPv6 147576309      0t0  TCP localhost.localdomain:45020->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  167u  IPv6 147251053      0t0  TCP tango003.zen-net.de:60206->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  168u  IPv6 147577328      0t0  TCP localhost.localdomain:45138->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  171u  IPv6 142233532      0t0  TCP tango003.zen-net.de:46726->ec2-34-192-77-223.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  177u  IPv6 147573779      0t0  TCP tango003.zen-net.de:52934->tango003.zen-net.de:https (CLOSE_WAIT)
java      12560            confluence  918u  IPv6 142178328      0t0  TCP localhost.localdomain:58080->localhost.localdomain:jamlink (ESTABLISHED)
java      12560            confluence  935u  IPv6 147573009      0t0  TCP tango003.zen-net.de:53318->tango003.zen-net.de:https (CLOSE_WAIT)
java      12997            confluence   60u  IPv6 147575158      0t0  TCP localhost.localdomain:43750->localhost.localdomain:pyrrho (ESTABLISHED)
java      12997            confluence   61u  IPv6 142169448      0t0  TCP *:jamlink (LISTEN)
java      12997            confluence   62u  IPv6 142175978      0t0  TCP localhost.localdomain:jamlink->localhost.localdomain:58080 (ESTABLISHED)
java      12997            confluence   65u  IPv6 147531691      0t0  TCP localhost.localdomain:55622->localhost.localdomain:pyrrho (ESTABLISHED)
java      12997            confluence   66u  IPv6 147530446      0t0  TCP localhost.localdomain:55862->localhost.localdomain:pyrrho (ESTABLISHED)
17:26 root@tango003:~#

I'm a bit concerned about that - could you please tell me if this is expected behavior or not?

1 answer

0 vote
Ann Worley Atlassian Team Nov 02, 2017

The connections are for add-on management - the Universal Plugin Manager (UPM) checks for updates, etc.

To make sure this is what the connections are, please switch your UPM to offline mode and run the lsof -i again to see if the connections persist. I look forward to hearing what you find.

Hey Ann,

thanks a lot for jumping in and explaining!

I can confirm that switching UPM to offline mode makes those AWS sockets disappear.

Noteworthy, they do not seem to be torn down actively by that, which makes it take a few minutes (<5) for those sockets to switch from ESTABLISHED to CLOSE_WAIT; they never disappear completely and remain in CLOSE_WAIT, which is fine, but maybe important for someone not that familiar with how sockets work, so I'm adding it here.

Thanks for that hint!
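A small triage helper, added here as an example (it is not Atlassian's code and not from the original poster): it parses `lsof -i` lines in the shape of the listing above and counts only the sockets that actually leave the host, so the before/after comparison Ann suggests (UPM online vs. offline) can be done on a summary rather than by eye. The sample lines are constructed from the listing in the question, and the own-hostname argument is an assumption you supply for your box.

```python
import re
from collections import Counter

# Constructed sample, modelled on the `lsof -i` listing in the question above
# (a handful of lines, not a live capture).
SAMPLE_LSOF = """\
java      12560            confluence   36u  IPv6 142164877      0t0  TCP *:opsmessaging (LISTEN)
java      12560            confluence   84u  IPv6 147577281      0t0  TCP localhost.localdomain:45026->localhost.localdomain:pyrrho (ESTABLISHED)
java      12560            confluence  114u  IPv6 147572727      0t0  TCP tango003.zen-net.de:54620->tango003.zen-net.de:https (ESTABLISHED)
java      12560            confluence  132u  IPv6 142226712      0t0  TCP tango003.zen-net.de:50776->ec2-34-236-196-175.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12560            confluence  137u  IPv6 142236296      0t0  TCP tango003.zen-net.de:45350->server-52-222-157-149.fra53.r.cloudfront.net:https (CLOSE_WAIT)
java      12560            confluence  143u  IPv6 147573939      0t0  TCP tango003.zen-net.de:58978->ec2-34-225-62-19.compute-1.amazonaws.com:https (CLOSE_WAIT)
java      12997            confluence   61u  IPv6 142169448      0t0  TCP *:jamlink (LISTEN)
"""

# Columns of the default `lsof -i` layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<device>\S+)\s+(?P<size>\S+)\s+(?P<node>\S+)\s+(?P<name>.+?)"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?$"
)

def parse_lsof(text):
    """Turn `lsof -i` lines into dicts; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("cmd") == "COMMAND":
            continue
        local, _, remote = m.group("name").partition("->")
        rows.append({"pid": int(m.group("pid")), "user": m.group("user"),
                     "local": local, "remote": remote or None,
                     "state": m.group("state")})
    return rows

LOOPBACK = {"localhost", "localhost.localdomain", "127.0.0.1", "[::1]"}

def egress_summary(text, own_hosts=()):
    """Count sockets per (pid, remote host, state), dropping listeners and anything
    that stays on this box (loopback or the host's own name, passed by the caller)."""
    ignore = LOOPBACK | set(own_hosts)
    counts = Counter()
    for r in parse_lsof(text):
        if not r["remote"]:
            continue  # LISTEN sockets have no peer
        host = r["remote"].rsplit(":", 1)[0]  # strip the port/service name
        if host in ignore:
            continue
        counts[(r["pid"], host, r["state"])] += 1
    return counts
```

Run it once with UPM online and once in offline mode and diff the two summaries; the lingering CLOSE_WAIT entries noted above show up as state counts rather than as fresh peers.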
