Strange outbound connections
I have a web- and mail server that shows strange outbound connections.
If I
llserv:~# cat /proc/net/ip_conntrack
I get lines like this (one line, wrapped by e-mail editor):
tcp 6 362459 ESTABLISHED src=my.server.s.ip dst=84.145.105.4
sport=80 dport=1575 [UNREPLIED] src=84.145.105.4 dst=my.server.s.ip
sport=1575 dport=80 use=1
This appears as an 'outbound connection on port 1575' on my firewall
gui. There are quite a few of those and they stay for days (probably
more than a week), until they 'magically' disappear again. The port
numbers are all large, say larger than 1024 and up to about 60000 and
all different.
netstat -a --numeric
or netstat -plant
doesn't report anything on these connections.
lsof -i
doesn't either.
I've run chkrootkit on the filesystem from a Knoppix CD and it found
nothing.
I've run ethereal for hours and it found nothing.
If I
llserv:~# grep "84.145.105.4" /var/log/apache2/access.log
I see some hits, but they are days old and all have an HTTP status code
of 200 (OK), 304 (not modified) or 206 (partial content).
From all this I would guess that nothing is wrong; however, I am still
slightly worried why my server would initiate an outgoing connection on
non-standard ports to 'strange' IPs (i.e. ones without DNS entries).
How could I make *sure* that everything is ok?
How could I determine which process matches this connection?
Is there a way to set a limit on how long such connections remain open?
Thanks for any help and links!
Johannes
NB: I'm running debian sarge (stable) on this mail and web server.
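Added example, not part of the post and not Debian's code: a small Python triage script that parses lines in the /proc/net/ip_conntrack format shown above, decodes /proc/net/tcp to see whether the kernel actually holds a socket for each tracked flow, and labels entries that the tracker first saw coming from the server with no reply and no backing socket as stale tracking state rather than a live outbound connection. The conntrack and /proc/net/tcp samples are constructed with placeholder addresses (192.0.2.0/24, 198.51.100.0/24), and the local server address 192.0.2.10 is an assumption standing in for my.server.s.ip.

```python
import re
import socket
import struct

# Constructed sample of /proc/net/ip_conntrack (placeholder addresses): the first entry
# mirrors the shape of the one quoted in the post, the second is an ordinary SMTP flow.
SAMPLE_CONNTRACK = """\
tcp 6 362459 ESTABLISHED src=192.0.2.10 dst=198.51.100.4 sport=80 dport=1575 [UNREPLIED] src=198.51.100.4 dst=192.0.2.10 sport=1575 dport=80 use=1
tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=41234 dport=25 src=192.0.2.10 dst=198.51.100.7 sport=25 dport=41234 [ASSURED] use=1
"""
# Constructed sample of /proc/net/tcp (little-endian hex addresses, st 01 = ESTABLISHED):
# only the SMTP flow has a real socket; nothing owns the port-80 entry.
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:0019 076433C6:A112 01 00000000:00000000 00:00000000 00000000     0        0 12345 1
"""

def hex_to_endpoint(field):  # '0A0200C0:0019' -> ('192.0.2.10', 25)
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def established_sockets(proc_tcp_text):  # {(local_ip, lport, remote_ip, rport)}
    found = set()
    for line in proc_tcp_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) > 3 and f[3] == "01":
            found.add(hex_to_endpoint(f[1]) + hex_to_endpoint(f[2]))
    return found

# conntrack prints the original direction first: src is whoever sent the first packet
# the tracker saw, which for a web server's flows should normally be the client.
CT = re.compile(r"^tcp\s+\d+\s+(\d+)\s+(\w+)\s+src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)(.*)$", re.M)

def triage(conntrack_text, proc_tcp_text, local_ip):
    sockets = established_sockets(proc_tcp_text)
    results = []
    for m in CT.finditer(conntrack_text):
        ttl, state, src, dst, sport, dport, rest = m.groups()
        if src == local_ip:
            key, remote = (src, int(sport), dst, int(dport)), (dst, int(dport))
        else:
            key, remote = (dst, int(dport), src, int(sport)), (src, int(sport))
        if key in sockets:
            verdict = "live socket"
        elif src == local_ip and "[UNREPLIED]" in rest:
            verdict = "stale: server-originated entry, no reply seen, no socket"
        else:
            verdict = "no socket: re-check with netstat/lsof while the entry is live"
        results.append({"remote": remote, "state": state, "ttl_left": int(ttl), "verdict": verdict})
    return results
```

[UNREPLIED] means the tracker has seen packets in one direction only, and the kernel's default conntrack timeout for ESTABLISHED TCP entries is 5 days (432000 s), which is why such entries linger for days before disappearing; the third column is the remaining countdown in seconds.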