#StackBounty: #networking #server #firewall #traffic #nethogs NetHogs showing suspicious (outgoing) traffic to random ports from root o…

Bounty: 100

Using NetHogs on an Ubuntu 16.04 (web) server, i.e. on a machine where no consumer applications or web browsers are installed, besides traffic that is to be expected (HTTP and SSH):

 PID USER     PROGRAM                                           DEV        SENT      RECEIVED       
5266 www-data /usr/sbin/apache2                                 eth0      15.142       2.924 KB/sec
4698 <ME>     sshd: <ME>@pts/0                                  eth0       0.899       0.071 KB/sec

I’m also seeing quite a few suspicious connections that look like this:

 PID USER     PROGRAM                                           DEV        SENT      RECEIVED       
   ? root     <SERVER_IP_V4>:515-122.228.XXX.XXX:43652                     0.000       0.000 KB/sec
   ? root     <SERVER_IP_V4>:4946-92.118.XXX.XXX:44243                     0.000       0.000 KB/sec
   ? root     <SERVER_IP_V4>:1703-94.177.XXX.XXX:51820                     0.000       0.000 KB/sec
   ? root     <SERVER_IP_V4>:1433-123.207.XXX.XXX:45628                    0.000       0.000 KB/sec
   ? root     <SERVER_IP_V4>:34568-223.71.XXX.XXX:40922                    0.000       0.011 KB/sec
   ? root     <SERVER_IP_V4>:9444-51.91.XXX.XXX:46170                      0.000       0.000 KB/sec
   ? root     unknown TCP                                                  0.000       0.000 KB/sec

So they have no associated process ID [1], are all run by root, seem to be outgoing connections from random-looking ports to other random-looking ports (i.e. no outgoing HTTP requests [2] [3]), have no associated device, and all have little to no traffic [4].

The geographic origins of the destination addresses seem to be China, Russian Federation and Seychelles, among others, as per whois.

My firewall rules, as per ufw status verbose, should actually block any incoming traffic except for SSH and HTTP(S). So these outgoing connections would have to be caused by malicious programs running on the host, right?

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  

Is this indeed suspicious or perhaps even evidence of malicious traffic, or are these some false positives (for some reason I may not be seeing)?

Or is the order of the two IP addresses in each pair not relevant [5] [6], so that these might in fact be incoming connections? If so, how can this happen if UFW has been configured to block such connections, and how can one of these connections even have data transferred?

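A small triage script for rows like the ones in the question, added here as an example and not part of the original post or of NetHogs itself. NetHogs prints a connection it cannot attribute to a process with the local endpoint always on the left, so the column order alone does not say who opened it; a capture-based tool also sees an inbound SYN on the interface regardless of whether the firewall later drops it. The script parses the address-pair rows, reads the host's listening ports from `ss -ltnH` output, and classifies each row by whether the local port is a served port, a non-ephemeral port nobody listens on (consistent with an inbound probe of a closed port), or an ephemeral port talking to a remote service port (consistent with a connection the host opened). The NetHogs rows, the `ss` output, the 192.0.2.10 server address and the TEST-NET remote addresses are all constructed for the example; the 32768-60999 ephemeral range is the Linux default and should be read from /proc/sys/net/ipv4/ip_local_port_range on a real host.

```python
"""
Triage NetHogs rows of the form
    ?  root  <LOCAL_IP>:<lport>-<REMOTE_IP>:<rport>  [dev]  SENT  RECEIVED KB/sec
by comparing the local port against the host's listening ports and the
kernel's ephemeral (client-side) port range.  Sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Linux default; a real host should read /proc/sys/net/ipv4/ip_local_port_range.
EPHEMERAL = range(32768, 61000)

NETHOGS_ROW = re.compile(
    r"^\s*(?P<pid>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<local_ip>[\d.]+):(?P<lport>\d+)-(?P<remote_ip>[\d.]+):(?P<rport>\d+)"
    r"(?:\s+(?P<dev>[A-Za-z]\S*))?"            # DEV column is often blank for these rows
    r"\s+(?P<sent>[\d.]+)\s+(?P<received>[\d.]+)\s+KB/sec\s*$"
)


@dataclass
class Conn:
    pid: str
    user: str
    local_ip: str
    lport: int
    remote_ip: str
    rport: int
    sent_kbps: float
    recv_kbps: float


def parse_nethogs(text: str) -> list[Conn]:
    """Keep only address-pair rows; rows naming a program or 'unknown TCP' are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETHOGS_ROW.match(line)
        if not m:
            continue
        conns.append(Conn(
            m["pid"], m["user"], m["local_ip"], int(m["lport"]),
            m["remote_ip"], int(m["rport"]), float(m["sent"]), float(m["received"]),
        ))
    return conns


def listening_ports_from_ss(ss_output: str) -> set[int]:
    """Parse `ss -ltnH` lines: STATE RECV-Q SEND-Q LOCAL:PORT PEER:PORT [process]."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        ports.add(int(fields[3].rsplit(":", 1)[1]))   # works for 0.0.0.0:22, *:80, [::]:443
    return ports


def classify(conn: Conn, listening: set[int]) -> str:
    """Decide, from the port numbers alone, which side most plausibly initiated the connection."""
    if conn.lport in listening:
        return "inbound-to-service"          # remote client talking to a port we serve
    if conn.lport not in EPHEMERAL:
        # Outbound sockets get ephemeral source ports by default, so a non-ephemeral
        # local port nobody listens on is the signature of an inbound packet
        # (a scanner probing a closed port), not of a local client.
        return "inbound-probe-closed-port"
    if conn.rport not in EPHEMERAL:
        return "likely-outbound"             # our ephemeral port -> remote service port
    return "ambiguous"                       # both ports ephemeral: numbers alone do not tell


def triage(nethogs_text: str, ss_output: str) -> list[tuple[str, str]]:
    """Return (local:port-remote:port, verdict) for every address-pair row."""
    listening = listening_ports_from_ss(ss_output)
    return [(f"{c.local_ip}:{c.lport}-{c.remote_ip}:{c.rport}", classify(c, listening))
            for c in parse_nethogs(nethogs_text)]


# Constructed sample: server 192.0.2.10 (TEST-NET-1), remotes in documentation ranges.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 511 *:443 *:*
"""

SAMPLE_NETHOGS = """\
 PID USER     PROGRAM                                           DEV        SENT      RECEIVED
5266 www-data /usr/sbin/apache2                                 eth0      15.142       2.924 KB/sec
   ? root     192.0.2.10:515-203.0.113.7:43652                             0.000       0.000 KB/sec
   ? root     192.0.2.10:1433-203.0.113.9:45628                            0.000       0.000 KB/sec
   ? root     192.0.2.10:34568-198.51.100.4:40922                          0.000       0.011 KB/sec
   ? root     192.0.2.10:80-198.51.100.20:51234                            0.000       0.000 KB/sec
   ? root     192.0.2.10:45123-198.51.100.30:443                 eth0      0.200       1.100 KB/sec
   ? root     unknown TCP                                                  0.000       0.000 KB/sec
"""

if __name__ == "__main__":
    for endpoint, verdict in triage(SAMPLE_NETHOGS, SAMPLE_SS):
        print(f"{endpoint:45} {verdict}")
```

The verdicts are a heuristic, not proof: a process may bind an arbitrary source port, and a pair of ephemeral ports is undecidable from numbers alone. The authoritative check is the socket state from `ss -tanp` (a SYN-RECV or absent socket versus an ESTABLISHED one owned by a PID) together with the ufw log, which with `Logging: on` records the packets it blocks.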