NGINX making external connections as nobody

[Intekhab]

CSF is informing me of NGINX making external connections. The process is running as nobody.

Account: nobody
Uptime: 33945 seconds

Executable:
/usr/sbin/nginx

Command Line (often faked in exploits):
nginx: worker process

Network connections by the process (if any):
tcp: xx.xx.xx.xx:80 -> 213.226.121.9:55216
tcp: xx.xx.xx.xx:80 -> 185.119.81.101:53414
tcp: xx.xx.xx.xx:80 -> 185.119.81.101:55108
tcp: xx.xx.xx.xx:443 -> 66.249.70.129:42195
tcp:xx.xx.xx.xx:443 -> 66.249.70.132:45738

(these are examples from different notifications, its usually one at a time, not many connections at a time)

The IP here is one of the ips installed on the server. It's not the main server IP. Nor is an IP I am hosting any site on.

As it is showing user as nobody, any way to track what is actually causing this connection?

 

[cPanelAnthony]

Hello! "Nobody" is the Apache user. In all likeliness, CSF is erroneously flagging legitimate nginx processes as "suspicious" which can happen. From this notification, I am fairly confident in saying this is a common false positive we see with CSF firewall.

 

[Intekhab]

Is it actually okay for nginx to make external connections? Specially from a server IP which is neither server main IP, nor serving any domain?

After I blocked that IP with CSF Deny Server IPs, this is now happening with another IP assigned to the server which is again not the main server IP.

Anyway to track which app is triggering it?

 

[cPanelAnthony]

Hello again! I will have to check regarding nginx specifically. However, you could use "top" to locate this nginx process. You could then press "c" on your keyboard to get more useful information. While you aren't having load issues, this might help.

Use top to troubleshoot