Strange HTTPS connections to localhost6.localdomain in netstat

roarrr · 11-05-2009, 02:39 PM

Hi,

This may be a newbie question, i'm concerned about security on my box:

I started to see a lot of HTTPS connections from/to localhost6.localdomain6

I'm trying to find out where these could come from and why they are being established. How can I find out which processes, users, scripts or whatever are initiating these connections?

To my knowledge there are no users/websites on this server using https. Why would the box make so many HTTPS connection to itself?

I'm running 2.6.18-53.1.21.el5 (mockbuild@builder6.centos.org) with Direct Admin.

Code:

# netstat -T |grep https
tcp        0      0 localhost6.localdomain6:https localhost6.localdomain6:59683 TIME_WAIT
tcp        0      0 localhost6.localdomain6:https localhost6.localdomain6:59682 TIME_WAIT
tcp        0      0 localhost6.localdomain6:https localhost6.localdomain6:59684 TIME_WAIT
tcp        0      0 localhost6.localdomain6:https localhost6.localdomain6:59686 TIME_WAIT
tcp        0      0 localhost6.localdomain6:https localhost6.localdomain6:59689 TIME_WAIT
tcp        0      0 localhost6.localdomain6:https localhost6.localdomain6:59688 TIME_WAIT
tcp        0      0 localhost6.localdomain6:https localhost6.localdomain6:59690 TIME_WAIT
tcp        0      0 localhost6.localdomain6:https localhost6.localdomain6:59692 TIME_WAIT
tcp        0      0 localhost6.localdomain6:59667 localhost6.localdomain6:https TIME_WAIT
tcp        0      0 localhost6.localdomain6:59666 localhost6.localdomain6:https TIME_WAIT
tcp        0      0 localhost6.localdomain6:59664 localhost6.localdomain6:https TIME_WAIT
tcp        0      0 localhost6.localdomain6:59670 localhost6.localdomain6:https TIME_WAIT
tcp        0      0 localhost6.localdomain6:59675 localhost6.localdomain6:https TIME_WAIT
tcp        0      0 localhost6.localdomain6:59679 localhost6.localdomain6:https TIME_WAIT
tcp        0      0 localhost6.localdomain6:59678 localhost6.localdomain6:https TIME_WAIT
tcp        0      0 localhost6.localdomain6:59677 localhost6.localdomain6:https TIME_WAIT

(this is only a part of the connections, there's about 3 times as much of these)

Thanks in advance!

anomie · 11-05-2009, 02:52 PM

Use:

Code:

# netstat -tnp | egrep 'PID|:443\>'

Make a note of the PID(s). Then use:

Code:

# lsof -p pid_here

You can see what the processes are up to.

roarrr · 11-05-2009, 03:14 PM

Quote:

Originally Posted by anomie

Use:

Code:

# netstat -tnp | egrep 'PID|:443\>'

Make a note of the PID(s). Then use:

Code:

# lsof -p pid_here

You can see what the processes are up to.

Thanks, that was what I was looking for.

Unfortunately, netstat -tnp doesn't show any pid's. It just shows a - where the pid should be.

Code:

tcp        0      0 ::1:57956                   ::1:443                     TIME_WAIT   -
tcp        0      0 ::1:57957                   ::1:443                     TIME_WAIT   -
tcp        0      0 ::1:57958                   ::1:443                     TIME_WAIT   -
tcp        0      0 ::1:57959                   ::1:443                     TIME_WAIT   -
tcp        0      0 ::1:443                     ::1:57947                   TIME_WAIT   -
tcp        0      0 ::1:443                     ::1:57946                   TIME_WAIT   -
tcp        0      0 ::1:443                     ::1:57949                   TIME_WAIT   -
tcp        0      0 ::1:443                     ::1:57953                   TIME_WAIT   -

(again: there's about 40 of these in total)

anomie · 11-05-2009, 03:44 PM

I see. Just speculating, but maybe the TIME_WAIT status is a clue (the process itself could be long gone by now).

Do you have any service on the system (e.g. some web application served up by Apache) that you might expect to be connecting on loopback? If so, bounce that service and/or httpd and see if they go away.

zhjim · 11-05-2009, 04:40 PM

be root when you netstat. The - where the pid should be normally only shows when you are not root...

roarrr · 11-06-2009, 08:26 AM

Quote:

Originally Posted by zhjim

be root when you netstat. The - where the pid should be normally only shows when you are not root...

Thank for your comment, but I was root.

zhjim · 11-09-2009, 05:03 AM

Does direct admin has any monitoring included? Like check if a website is there or a certain program is running?
It could just be that it connects to HTTPS to check if the servers alive...
Just even more importent does server run anything on port 443?