Unknown outgoing connections from port 21

[gramzon]

I was trying to debug an issue with my VPN, and upon running

tcpdump port 21

I saw a lot of strange connections:

14:43:44.633928 IP sub-131ip61.e-commercepark.com.49108 > myserver.example.com.ftp: Flags [S], seq 42960179, win 29200, length 0
14:43:44.634173 IP myserver.example.com.ftp > sub-131ip61.e-commercepark.com.49108: Flags [S.], seq 5694760, ack 42960180, win 29200, options [mss 1460], length 0
14:43:44.772061 IP sub-131ip61.e-commercepark.com.49108 > myserver.example.com.ftp: Flags [R], seq 42960180, win 16384, length 0
14:43:45.739854 IP sub-154ip242.e-commercepark.com.sstp-2 > myserver.example.com.ftp: Flags [S], seq 1908855066, win 29200, length 0
14:43:45.740420 IP myserver.example.com.ftp > sub-154ip242.e-commercepark.com.sstp-2: Flags [S.], seq 2789972490, ack 1908855067, win 29200, options [mss 1460], length 0
14:43:45.906939 IP sub-154ip242.e-commercepark.com.sstp-2 > myserver.example.com.ftp: Flags [R], seq 1908855067, win 16384, length 0
14:43:47.355173 IP sub-154ip243.e-commercepark.com.asnaacceler8db > myserver.example.com.ftp: Flags [S], seq 2807468610, win 29200, length 0
14:43:47.355333 IP myserver.example.com.ftp > sub-154ip243.e-commercepark.com.asnaacceler8db: Flags [S.], seq 2639113747, ack 2807468611, win 29200, options [mss 1460], length 0

I do not recognize this domain so I did

netstat --program --numeric-hosts --numeric-ports --extend | grep ":21"

tcp        0      0 my.ip:21         200.124.154.242:4111    SYN_RECV    root       0          -
tcp        0      0 my.ip:21         200.124.154.239:30913   SYN_RECV    root       0          -
tcp        0      0 my.ip:21         200.124.154.239:43513   SYN_RECV    root       0          -

So these connections are originating from the root user on my server, and have no process associated with them.
Can someone explain this to me?

 

[GOT]

Those are inbound connections to your FTP server, not outbound to someone else's ftp server. If you feel that is an attack you can block them with IPTables.

 

[cPanelLauren]

Those are indeed inbound connections to your FTP server, the TCPDump shows the communication back and forth which is where I think the confusion may lie. I'd definitely second GOT's suggestion. You may want to check to see if the IP's noted belong to one of your users. They all look to be in the same IP block and belong to the same company.