NGINX making external connections as nobody

Intekhab

Member
Apr 22, 2007
6
0
151
CSF is informing me of NGINX making external connections. The process is running as nobody.

Account: nobody
Uptime: 33945 seconds

Executable:
/usr/sbin/nginx

Command Line (often faked in exploits):
nginx: worker process

Network connections by the process (if any):
tcp: xx.xx.xx.xx:80 -> 213.226.121.9:55216
tcp: xx.xx.xx.xx:80 -> 185.119.81.101:53414
tcp: xx.xx.xx.xx:80 -> 185.119.81.101:55108
tcp: xx.xx.xx.xx:443 -> 66.249.70.129:42195
tcp:xx.xx.xx.xx:443 -> 66.249.70.132:45738

(these are examples from different notifications, its usually one at a time, not many connections at a time)

The IP here is one of the ips installed on the server. It's not the main server IP. Nor is an IP I am hosting any site on.

As it is showing user as nobody, any way to track what is actually causing this connection?
 

Intekhab

Member
Apr 22, 2007
6
0
151
Is it actually okay for nginx to make external connections? Specially from a server IP which is neither server main IP, nor serving any domain?

After I blocked that IP with CSF Deny Server IPs, this is now happening with another IP assigned to the server which is again not the main server IP.

Anyway to track which app is triggering it?