
OS is Debian. I'm running nginx as a webserver. I am not running Wordpress. Logging is enabled in the http block with:

 access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; 

Seeing hundreds of connections in iftop from my webserver at port 443 to 191-242.x.x.alivenet.com.br, for a few hundred different IPs.

The strange things are:

  • None of the IP addresses listed by iftop show up in my nginx logs, which I have been retaining since server creation.

  • These connections show up in iftop even if nginx isn't running. How is that possible? I tried stopping nginx, then confirmed with netstat that nothing is listening on ports 80 or 443, but I still see hundreds of these connections listed in iftop. How can iftop show these connections if nothing is listening on those ports? I even tried disabling nginx and then rebooting my server, but they still show up.

  • lsof -a -i4 -i6 -itcp doesn't show any of these connections somehow.

  • In nethogs, I see a line: ? root <ip of my web server>:443-191.242.x.x:<random port>. Running as root? Question mark for the pid? This seems absolutely crazy to me. Does this mean there is some process running on my system that somehow isn't assigned a pid, running as root, somehow listening on port 443 despite nginx supposedly currently using that port, that's sending traffic to one of these Brazilian IPs?

What exactly is going on here? Do I need to be concerned? Has my server been hacked? What else should I check to confirm the server is ok? Do I need to block these IPs via iptables? How do I separate hack attempts from legitimate web server traffic? (i.e., someone in Brazil is trying to visit my website) How can nethogs not show a pid? How can iftop show connections on ports that aren't listening? How can these connections not show up in the nginx logs?

1 Answer

What exactly is going on here?

Sounds like some botnet is flooding you with TCP connection attempts.

Do I need to be concerned?

You tell us: is this posing a problem to your server's operation so far?

The reasons a botnet might be doing that can be various, but among them:

  • simply putting significant load on your server to bring it down (DDoS attack), maybe for fun, maybe to extort money (that's what the Mirai botnet was meant for, extorting money from kids running Minecraft servers. People in technology are not universally great), maybe to keep your website offline.
    • Maybe because the attackers actually tried to implement a distributed web server scanner, but messed up the implementation.
  • hiding some other specific access patterns in the log noise

(and I'm sure people can think of more reasons).

Now, if you don't have data on a public web server that you don't want to be public, if the scanning doesn't create significant load on your server, and if you keep the web applications and server platform up to date: you're probably fine. Scanning servers is a very common thing to happen, so are TCP SYN floods, sadly.

  • Thank you! So if nothing is listening on port 443 on my server, a TCP connection attempt to port 443 will still show up in iftop but will not show up in lsof? Commented Dec 29, 2024 at 20:45
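The distinction the question and the comment above turn on (packets that a sniffer such as iftop or nethogs sees versus sockets that lsof shows) can be made concrete by classifying a capture flow by flow. The following is an added example, not code from the original thread: it parses `tcpdump -nn` style text lines, tracks the handshake state of every client flow to the web server, and labels each flow as a SYN to a closed port (kernel answers RST, no socket ever exists), a half-open connection (SYN-RECV, no file descriptor yet, nothing for nginx to log), a spoofed-source SYN (the real host resets the unexpected SYN-ACK), or a completed handshake. The server address 203.0.113.7:443, the client addresses and the trace itself are constructed for the example.

```python
"""
Classify TCP flows in a tcpdump-style text capture to tell apart SYN probes
to a closed port, half-open (SYN-flood) connections, spoofed-source SYNs and
completed handshakes. Added example, not from the original thread; the trace
at the bottom is constructed and 203.0.113.7:443 stands in for the web server.
"""
import re
from collections import defaultdict

# One `tcpdump -nn` TCP line, e.g.
# 12:00:01.000001 IP 191.242.10.5.51000 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# What each verdict means for the tools named in the question.
VISIBILITY = {
    "closed-port": "kernel replied RST, no socket ever existed: seen by iftop/nethogs (sniffers), "
                   "absent from lsof/ss and from the nginx logs",
    "half-open": "embryonic socket in SYN-RECV: shown by `ss -tan state syn-recv`, not by lsof "
                 "(no fd until accept()); no HTTP request, so no nginx access log line",
    "reset-by-client": "source host reset an unexpected SYN-ACK: the SYN's source was likely spoofed",
    "syn-only": "no reply captured: firewall DROP rule or incomplete capture",
    "established": "handshake completed: visible in lsof/ss, logged by nginx once a request arrives",
    "unsolicited": "ACK/RST without a preceding SYN: ACK flood or capture started mid-stream",
}


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-TCP/non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def classify_flows(lines, server_ip, server_port):
    """Map (client_ip, client_port) -> verdict for every flow aimed at server_ip:server_port."""
    new_state = lambda: {"syn": False, "synack": False, "rst": False, "ack": False, "client_rst": False}
    flows = defaultdict(new_state)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if dst == server_ip and dport == server_port:        # client -> server
            st = flows[(src, sport)]
            if "S" in flags and "." not in flags:           # pure SYN
                st["syn"] = True
            elif "R" in flags:                              # client tearing down / rejecting SYN-ACK
                st["client_rst"] = True
            elif "." in flags or "P" in flags:              # ACK or data after the handshake
                st["ack"] = True
        elif src == server_ip and sport == server_port:      # server -> client
            st = flows[(dst, dport)]
            if "S" in flags:                                # SYN-ACK: the listener accepted the SYN
                st["synack"] = True
            elif "R" in flags:                              # RST: nothing listening (or backlog refused)
                st["rst"] = True
    verdicts = {}
    for key, st in flows.items():
        if not st["syn"]:
            verdicts[key] = "unsolicited"
        elif st["synack"] and st["ack"]:
            verdicts[key] = "established"
        elif st["synack"] and st["client_rst"]:
            verdicts[key] = "reset-by-client"
        elif st["synack"]:
            verdicts[key] = "half-open"
        elif st["rst"]:
            verdicts[key] = "closed-port"
        else:
            verdicts[key] = "syn-only"
    return verdicts


def summarize(verdicts):
    """Count flows per verdict."""
    counts = defaultdict(int)
    for v in verdicts.values():
        counts[v] += 1
    return dict(counts)


def sources_by_prefix(verdicts, verdict, octets=2):
    """Count flows with a given verdict per source prefix (default /16), to spot one netblock."""
    counts = defaultdict(int)
    for (ip, _port), v in verdicts.items():
        if v == verdict:
            counts[".".join(ip.split(".")[:octets])] += 1
    return dict(counts)


# Constructed trace: one probe to a closed port, two half-open SYNs, one full
# session from an unrelated client, one spoofed-source SYN, one ICMP line to skip.
SAMPLE_TRACE = [
    "12:00:01.000001 IP 191.242.10.5.51000 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000050 IP 203.0.113.7.443 > 191.242.10.5.51000: Flags [R.], seq 0, ack 2, win 0, length 0",
    "12:00:02.000001 IP 191.242.33.9.40001 > 203.0.113.7.443: Flags [S], seq 100, win 64240, length 0",
    "12:00:02.000040 IP 203.0.113.7.443 > 191.242.33.9.40001: Flags [S.], seq 5000, ack 101, win 65160, length 0",
    "12:00:02.000101 IP 191.242.33.9.40002 > 203.0.113.7.443: Flags [S], seq 200, win 64240, length 0",
    "12:00:02.000140 IP 203.0.113.7.443 > 191.242.33.9.40002: Flags [S.], seq 6000, ack 201, win 65160, length 0",
    "12:00:03.000001 IP 198.51.100.20.55555 > 203.0.113.7.443: Flags [S], seq 300, win 64240, length 0",
    "12:00:03.000040 IP 203.0.113.7.443 > 198.51.100.20.55555: Flags [S.], seq 7000, ack 301, win 65160, length 0",
    "12:00:03.000090 IP 198.51.100.20.55555 > 203.0.113.7.443: Flags [.], ack 1, win 502, length 0",
    "12:00:03.000200 IP 198.51.100.20.55555 > 203.0.113.7.443: Flags [P.], seq 1:518, ack 1, win 502, length 517",
    "12:00:04.000001 IP 191.242.77.1.3333 > 203.0.113.7.443: Flags [S], seq 400, win 64240, length 0",
    "12:00:04.000040 IP 203.0.113.7.443 > 191.242.77.1.3333: Flags [S.], seq 8000, ack 401, win 65160, length 0",
    "12:00:04.000300 IP 191.242.77.1.3333 > 203.0.113.7.443: Flags [R], seq 401, win 0, length 0",
    "12:00:05.000000 IP 203.0.113.7 > 191.242.10.5: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    verdicts = classify_flows(SAMPLE_TRACE, "203.0.113.7", 443)
    for key, v in sorted(verdicts.items()):
        print(f"{key[0]}:{key[1]:<6} {v:<16} {VISIBILITY[v]}")
    print(summarize(verdicts))
    print("half-open per /16:", sources_by_prefix(verdicts, "half-open"))
```

On a live host the input would come from `tcpdump -nn -i eth0 'tcp port 443'` while nginx is stopped: every flow then lands in `closed-port`, which is exactly the case where iftop and nethogs still report traffic (they read packets, not sockets) while lsof, ss and the nginx access log stay empty. Grouping the half-open or closed-port flows by /16 with `sources_by_prefix` is the quickest way to see whether they all come from one netblock worth rate-limiting.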
