
I have an external-facing ftp/webserver (with virtual hosts) running Ubuntu 12.04LTS, and I have some concerns about some network traffic I'm seeing.

Some background. I tried to be as preventive in setting up the computer as possible, perhaps relevant:

  1. It is directly connected to the internet and independent of our LAN, so that if it were ever compromised the damage can't spread,
  2. It runs ufw with a deny-first rule structure that only allows:
    1. Connections to any ports from the LAN IP address (for admin purposes)
    2. Connections to ports 21/80 from any IP address (for the services)
  3. apache2 is configured to only allow access to potentially 'dangerous' webpages, like admin.php or setup.php, from the LAN IP address, and
  4. Other things like automatic updating, denyhosts, etc.

My concern is I was looking at the output of nethogs this morning and found a lot of entries I don't understand (I've removed my server's IP address and cropped the list a bit):

PID   USER     PROGRAM                                             DEV        SENT      RECEIVED
?     root     server.address:80-180.126.248.132:56745                      11.879       0.454 KB/sec
?     root     server.address:80-180.126.248.132:56752                       9.568       0.354 KB/sec
8300  jon      sshd: jon@pts/0                                    bond0      5.597       0.323 KB/sec
?     root     server.address:80-180.126.248.132:56663                       6.690       0.185 KB/sec
?     root     server.address:80-180.126.248.132:56739                       5.242       0.170 KB/sec
?     root     server.address:80-180.126.248.132:56608                       4.658       0.170 KB/sec
?     root     server.address:80-180.126.248.132:56723                       5.242       0.162 KB/sec
?     root     server.address:80-180.126.248.132:56515                       4.658       0.150 KB/sec
[...]
3614  www-data /usr/sbin/apache2                                  bond0      0.292       0.000 KB/sec
3134  www-data /usr/sbin/apache2                                  bond0      0.292       0.000 KB/sec
3307  www-data /usr/sbin/apache2                                  bond0      0.292       0.000 KB/sec
3009  www-data /usr/sbin/apache2                                  bond0      0.292       0.000 KB/sec
3768  www-data /usr/sbin/apache2                                  bond0      0.000       0.000 KB/sec
3132  www-data /usr/sbin/apache2                                  bond0      0.000       0.000 KB/sec
3384  www-data /usr/sbin/apache2                                  bond0      0.000       0.000 KB/sec

So my question, and obvious concern, is what are these connections? Why are they owned by root and without a PID? Why are there so many?

Another answer suggested that similar entries in the other direction (i.e., from a random port to an external port 80 owned by root with no PID) signify connections to external websites, but I don't know if the reverse is the case as I also have listings for apache2... I'd like to think I'm pretty experienced with Linux at a user-level, but system administration is a little new to me. The system has chkrootkit and rkhunter installed, but running them didn't turn anything up. I would obviously like to know if I have a problem, but I'd also like to understand what's going on...

Appendix

For interest, the following is the result of my sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    lan.address
80                         ALLOW IN    Anywhere
21/tcp                     ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere (v6)
21/tcp                     ALLOW IN    Anywhere (v6)
Jon

1 Answer

Since all this traffic is connected to a computer in China (or so it seems according to the whois output) I would recommend disallowing traffic from that network (180.96.0.0/19). As long as you don't have any specific interest in connection to that network, of course. Otherwise I would consider that traffic as malicious and therefore unwanted.

Connections to one IP address but several ports suggest incoming connections rather than outgoing connections, since connection establishment for incoming traffic shows up on port 80.

% Information related to '180.96.0.0 - 180.127.255.255'
inetnum:        180.96.0.0 - 180.127.255.255
netname:        CHINANET-JS
descr:          Chinanet Jiangsu Province Network
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN
admin-c:        CH93-AP
tech-c:         CJ186-AP
remarks:        service provider
status:         ALLOCATED PORTABLE
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:        [email protected] 20090723
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-JS
source:         APNIC

role:           CHINANET JIANGSU
address:        260 Zhongyang Road,Nanjing 210037
country:        CN
phone:          +86-25-86588231
phone:          +86-25-86588745
fax-no:         +86-25-86588104
e-mail:         [email protected]
remarks:        send anti-spam reports to [email protected]
remarks:        send abuse reports to [email protected]
remarks:        times in GMT+8
admin-c:        CH360-AP
tech-c:         CS306-AP
tech-c:         CN142-AP
nic-hdl:        CJ186-AP
remarks:        www.jsinfo.net
notify:         [email protected]
mnt-by:         MAINT-CHINANET-JS
changed:        [email protected] 20090831
changed:        [email protected] 20090831
changed:        [email protected] 20090901
source:         APNIC
changed:        [email protected] 20111114

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         [email protected]
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed:        [email protected] 20070416
changed:        [email protected] 20140227
mnt-by:         MAINT-CHINANET
source:         APNIC
Raphael
  • I did consider blocking the IP address, but if something untoward is going on with the server, that's not going to fix anything... – Jon Mar 29 '14 at 02:06
  • That would stop the possible attack. However you might get additional infos with `netstat -tunap`. Also check apache logs (might be in /var/log/apache2) to see which files those connections are accessing. If you don't find enough you could set the log_level to more verbose in the apache config. – Raphael Mar 29 '14 at 13:12
  • Ok, that's a good point, but I guess that is fundamentally my first question: **Is this _definitely_ webserver traffic?** I'm less worried by the idea that they may be scraping our pages or even trying some sort of DoS than if it's a sign that the server is rooted... As a result, I hadn't thought to look at the `apache2` logs, but they show them scraping a media-heavy section of our site... I use `mrtg` and `awstats` pretty heavily (I like graphs), and I have this fun bandwidth plot showing the increase in traffic they caused from 6AM local until about noon... – Jon Mar 29 '14 at 14:34
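As an added example (not code from the original question or Raphael's answer), the POSIX shell script below carries out the checks the answer's comment recommends, on constructed input: it summarises an `ss -tn`-style connection table per peer address and state (the same "one peer, many source ports, local port 80" pattern the nethogs listing shows), totals requests and bytes per client in an Apache combined-format access log, and lists denied hits on the admin pages the question says are restricted to the LAN address. All addresses, paths and byte counts are constructed sample values from documentation ranges, not the ones in the thread; on a live host the functions would read `ss -tn 'sport = :80'` and /var/log/apache2/access.log instead of the embedded samples.

```shell
#!/bin/sh
# Added example, not part of the original post: triage of the connections
# seen in nethogs via the connection table and the Apache access log.
# Every input below is constructed for illustration.

# --- 1. Connection table ---------------------------------------------------
# Constructed sample in the shape of `ss -tn` output, local port 80 only.
# On a live host: ss -tn 'sport = :80' | conn_summary
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:80        198.51.100.7:56745
ESTAB      0      0      192.0.2.10:80        198.51.100.7:56752
TIME-WAIT  0      0      192.0.2.10:80        198.51.100.7:56663
TIME-WAIT  0      0      192.0.2.10:80        198.51.100.7:56739
ESTAB      0      0      192.0.2.10:80        203.0.113.9:41022'

# conn_summary: ss-style lines on stdin -> "count peer_ip state", most
# frequent first (ties ordered by address, then state). Header is skipped.
conn_summary() {
    awk 'NR > 1 { sub(/:[0-9]+$/, "", $5); print $5, $1 }' |
        sort | uniq -c | sort -k1,1nr -k2,2 -k3,3 |
        awk '{ print $1, $2, $3 }'
}

# --- 2. Access log ---------------------------------------------------------
# Constructed Apache combined-format lines (sizes are made-up values).
# On a live host: log_summary < /var/log/apache2/access.log
SAMPLE_LOG='198.51.100.7 - - [29/Mar/2014:06:02:11 +0000] "GET /media/clip01.mp4 HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Mar/2014:06:02:13 +0000] "GET /media/clip02.mp4 HTTP/1.1" 200 4194304 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Mar/2014:06:05:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.22"
198.51.100.7 - - [29/Mar/2014:06:07:01 +0000] "GET /media/clip03.mp4 HTTP/1.1" 206 1048576 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Mar/2014:06:07:05 +0000] "GET /admin.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"'

# log_summary: combined log on stdin -> "client_ip requests bytes" per
# client, largest byte total first. Field 9 is the status, field 10 the
# response size ("-" when Apache sent no body).
log_summary() {
    awk '{ req[$1]++; if ($10 != "-") bytes[$1] += $10 }
         END { for (ip in req) print ip, req[ip], bytes[ip] + 0 }' |
        sort -k3,3nr
}

# denied_admin_hits: requests for the LAN-only admin pages that Apache
# refused (403) -> "client_ip path". A non-LAN address here shows the
# restriction is being exercised, not that it failed.
denied_admin_hits() {
    awk '$9 == 403 && $7 ~ /^\/(admin|setup)\.php/ { print $1, $7 }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_SS"  | conn_summary
printf '%s\n' "$SAMPLE_LOG" | log_summary
printf '%s\n' "$SAMPLE_LOG" | denied_admin_hits
```

A peer that dominates both the connection table (many short-lived sockets to local port 80, most of them already in TIME-WAIT) and the byte column of the access log is serving traffic through Apache, which is the benign explanation the thread arrives at. Running `ss -tnp` as root additionally prints the owning process for sockets that still belong to one; sockets that have already been closed by Apache and are only lingering in the kernel have no owner to show, which is the kind of connection a per-process accounting tool cannot attribute to a PID.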