Unknown outgoing connections from port 21

Operating System & Version
CentOS 7.7
cPanel & WHM Version
11.86.0.18

gramzon

Member
Dec 4, 2017
23
3
3
Croatia
cPanel Access Level
Root Administrator
I was trying to debug an issue with my VPN, and upon running
Code:
tcpdump port 21
I saw a lot of strange connections:

Code:
14:43:44.633928 IP sub-131ip61.e-commercepark.com.49108 > myserver.example.com.ftp: Flags [S], seq 42960179, win 29200, length 0
14:43:44.634173 IP myserver.example.com.ftp > sub-131ip61.e-commercepark.com.49108: Flags [S.], seq 5694760, ack 42960180, win 29200, options [mss 1460], length 0
14:43:44.772061 IP sub-131ip61.e-commercepark.com.49108 > myserver.example.com.ftp: Flags [R], seq 42960180, win 16384, length 0
14:43:45.739854 IP sub-154ip242.e-commercepark.com.sstp-2 > myserver.example.com.ftp: Flags [S], seq 1908855066, win 29200, length 0
14:43:45.740420 IP myserver.example.com.ftp > sub-154ip242.e-commercepark.com.sstp-2: Flags [S.], seq 2789972490, ack 1908855067, win 29200, options [mss 1460], length 0
14:43:45.906939 IP sub-154ip242.e-commercepark.com.sstp-2 > myserver.example.com.ftp: Flags [R], seq 1908855067, win 16384, length 0
14:43:47.355173 IP sub-154ip243.e-commercepark.com.asnaacceler8db > myserver.example.com.ftp: Flags [S], seq 2807468610, win 29200, length 0
14:43:47.355333 IP myserver.example.com.ftp > sub-154ip243.e-commercepark.com.asnaacceler8db: Flags [S.], seq 2639113747, ack 2807468611, win 29200, options [mss 1460], length 0
I do not recognize this domain so I did
Code:
netstat --program --numeric-hosts --numeric-ports --extend | grep ":21"
Code:
tcp        0      0 my.ip:21         200.124.154.242:4111    SYN_RECV    root       0          -
tcp        0      0 my.ip:21         200.124.154.239:30913   SYN_RECV    root       0          -
tcp        0      0 my.ip:21         200.124.154.239:43513   SYN_RECV    root       0          -
So these connections are originating from the root user on my server, and have no process associated with them.
Can someone explain this to me?
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,760
314
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
Those are inbound connections to your FTP server, not outbound to someone else's ftp server. If you feel that is an attack you can block them with IPTables.
 
  • Like
Reactions: cPanelLauren

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Those are indeed inbound connections to your FTP server, the TCPDump shows the communication back and forth which is where I think the confusion may lie. I'd definitely second GOT's suggestion. You may want to check to see if the IP's noted belong to one of your users. They all look to be in the same IP block and belong to the same company.