Using NetHogs on an Ubuntu 16.04 (web) server, i.e. on a machine where no consumer applications or web browsers are installed, besides traffic that is to be expected (HTTP and SSH):
    PID   USER      PROGRAM                DEV   SENT    RECEIVED
    5266  www-data  /usr/sbin/apache2      eth0  15.142  2.924  KB/sec
    4698  <ME>      sshd: <ME>@pts/0       eth0  0.899   0.071  KB/sec
I’m also seeing quite a few suspicious connections that look like this:
    PID  USER  PROGRAM                                  DEV  SENT   RECEIVED
    ?    root  <SERVER_IP_V4>:515-122.228.XXX.XXX:43652       0.000  0.000  KB/sec
    ?    root  <SERVER_IP_V4>:4946-92.118.XXX.XXX:44243       0.000  0.000  KB/sec
    ?    root  <SERVER_IP_V4>:1703-94.177.XXX.XXX:51820       0.000  0.000  KB/sec
    ?    root  <SERVER_IP_V4>:1433-123.207.XXX.XXX:45628      0.000  0.000  KB/sec
    ?    root  <SERVER_IP_V4>:34568-223.71.XXX.XXX:40922      0.000  0.011  KB/sec
    ?    root  <SERVER_IP_V4>:9444-51.91.XXX.XXX:46170        0.000  0.000  KB/sec
    ?    root  unknown TCP                                    0.000  0.000  KB/sec
So they have no associated process ID [1], are all run by root, seem to be outgoing connections from random-looking ports to other random-looking ports (i.e. no outgoing HTTP requests [2] [3]), have no associated device, and all have little to no traffic [4].
The geographic origins of the destination addresses seem to be China, Russian Federation and Seychelles, among others, as per whois.
My firewall rules, as per ufw status verbose, should actually block any incoming traffic except for SSH and HTTP(S). So these outgoing connections would have to be caused by malicious programs running on the host, right?
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip

    To       Action    From
    --       ------    ----
    22/tcp   LIMIT IN  Anywhere
    80/tcp   ALLOW IN  Anywhere
    443/tcp  ALLOW IN  Anywhere
Is this indeed suspicious or perhaps even evidence of malicious traffic, or are these some false positives (for some reason I may not be seeing)?
Or is the order of the two IP addresses in each pair not relevant [5] [6], so that these might in fact be incoming connections? If so, how can this happen if UFW has been configured to block such connections, and how can one of these connections even have data transferred?
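Added triage helper, not part of the question: it parses rows in the NetHogs layout shown above, takes the server's own endpoint as the first of each pair (as the rows print it) and the open ports from the ufw rules, and sorts the process-less rows into inbound-to-served-port, ephemeral local port (possible outbound, worth correlating with ss/conntrack) and inbound probes to ports UFW never opens. It assumes the Linux default ephemeral range 32768-60999 and uses constructed RFC 5737 sample addresses.

```python
import re

# Inbound ports UFW allows (taken from the `ufw status verbose` output above).
ALLOWED_INBOUND = {22, 80, 443}
# Linux default net.ipv4.ip_local_port_range (assumed; verify with sysctl).
EPHEMERAL = range(32768, 61000)

# Unattributed row: "? root LOCAL:PORT-REMOTE:PORT SENT RECEIVED KB/sec".
# Assumes NetHogs prints the server's own endpoint first, as in the question.
ROW = re.compile(
    r"^\?\s+\S+\s+(?P<lip>[\d.]+):(?P<lport>\d+)-(?P<rip>[\d.]+):(?P<rport>\d+)"
    r"\s+(?P<sent>[\d.]+)\s+(?P<recv>[\d.]+)"
)

def classify(line):
    """Return (local_port, category, note) for an unattributed row, else None."""
    m = ROW.match(line)
    if not m:
        return None  # process-owned rows and the 'unknown TCP' catch-all row
    lport = int(m["lport"])
    moved = float(m["sent"]) + float(m["recv"]) > 0
    if lport in ALLOWED_INBOUND:
        return lport, "served", "inbound to an open port; a listener should own it (ss -tnp)"
    if lport in EPHEMERAL:
        note = "local port is ephemeral: could be outbound, correlate with ss -tnp / conntrack"
        return lport, "ephemeral", note + (" (traffic observed)" if moved else "")
    return lport, "probe", f"inbound to port {lport}, which UFW does not open; no local process should own it"

def triage(text):
    """Map local port -> category for every unattributed row in NetHogs output."""
    return {r[0]: r[1] for r in map(classify, text.splitlines()) if r}

# Constructed sample in the layout shown in the question (RFC 5737 addresses).
SAMPLE = """\
5266 www-data /usr/sbin/apache2 eth0 15.142 2.924 KB/sec
? root 203.0.113.10:515-198.51.100.1:43652 0.000 0.000 KB/sec
? root 203.0.113.10:1433-198.51.100.2:45628 0.000 0.000 KB/sec
? root 203.0.113.10:34568-198.51.100.3:40922 0.000 0.011 KB/sec
? root 203.0.113.10:443-198.51.100.4:51000 0.000 0.000 KB/sec
? root unknown TCP 0.000 0.000 KB/sec
"""

if __name__ == "__main__":
    for port, cat, note in filter(None, map(classify, SAMPLE.splitlines())):
        print(f"{port:>5} {cat:<9} {note}")
```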