LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-10-2016, 06:53 AM   #1
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

iptables blocks connections made to my server


dmesg is reporting this:
Code:
[2943847.366031] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MY SERVER'S IP DST=208.83.137.118 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25064 DF PROTO=TCP SPT=42262 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=989 GID=985
It shows up dozens of times. Should I be worried? Could I have a bot on the server?

I have csf/lfd installed on my server - I also have owncloud, apache, mysql, phpmyadmin, an unsecured vsftpd server, mail (postfix, dovecot, amavis, spamassassin, openvpn, ssh - 3 bad logins block the ip permanently, named server).

This type of connection to port 2703 seems to be the only connection being blocked by iptables coming from my own server.
 
Old 12-10-2016, 10:53 AM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

You certainly could have a bot on your server, but it's also possible that this is just innocuous traffic. Investigation is warranted. Have you looked at what process ID 25064 actually is (if it's a long running process)? Likewise who UID 989 is (is this a human user of the system, or a system account)? According to /etc/services on my machine, port 2703 is used by the sms-chat service. I'm not familiar with this, but is it something you would expect to have connections being made to? If not, you're going to have to dig down and figure out what the process(es) that are making this connection are actually doing and if it's potentially malicious. If it's lots of different processes, you'll need to see what's launching them (possibly use process accounting, if you have it enabled).

Also, you need to review your iptables configuration. Did you make it yourself or use something "pre-rolled" by your distro? It's possible that you're not seeing any other traffic being blocked because iptables is not configured to block it or not configured to report said block in the logs.

One other note here - you seem to have a bunch of services running on one system. If this is in any way possible, you should try to split them up between multiple systems (use VMs if possible). That way, problems with one service cannot affect other services, and it makes it much easier to track down potential incidents like this (since fewer things are running).
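Added example (my own code, not posted by anyone in this thread): a small Python script that parses the dmesg line from post #1 and resolves the UID and destination port the way the reply above suggests. The /etc/passwd and /etc/services excerpts and the 192.0.2.10 source address are constructed stand-ins for the redacted values; on a real host you would read the actual files (or run getent). Worth knowing when reading such a line: in netfilter LOG output, UID= and GID= are the owner of the local socket that sent the packet (only present for locally generated traffic), while ID= is the IP header identification field, not a process ID.

```python
import re

# Constructed sample: the dmesg line from the thread, with the redacted source
# address replaced by 192.0.2.10 (RFC 5737 documentation range).
SAMPLE_LOG = ("[2943847.366031] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 "
              "SRC=192.0.2.10 DST=208.83.137.118 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
              "ID=25064 DF PROTO=TCP SPT=42262 DPT=2703 WINDOW=29200 RES=0x00 SYN "
              "URGP=0 UID=989 GID=985")

# Constructed excerpts of /etc/passwd and /etc/services; on a real host read the files.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "amavis:x:989:985:Amavis:/var/spool/amavis:/sbin/nologin\n")
SAMPLE_SERVICES = "ssh 22/tcp\nsms-chat 2703/tcp\nsms-chat 2703/udp\n"

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; IN= may be empty

def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict.
    UID/GID identify the owning local socket (outbound traffic only);
    ID is the IP header identification field, not a PID."""
    fields = dict(FIELD_RE.findall(line))
    fields["PREFIX"] = line.split("IN=")[0].strip()  # e.g. "[ts] Firewall: *TCP_OUT Blocked*"
    return fields

def uid_to_name(uid, passwd_text):
    """Map a numeric uid to a login name using passwd-format text."""
    for entry in passwd_text.splitlines():
        parts = entry.split(":")
        if len(parts) >= 3 and parts[2] == str(uid):
            return parts[0]
    return None

def port_to_service(port, proto, services_text):
    """Map port/proto to a service name using /etc/services-format text."""
    for entry in services_text.splitlines():
        parts = entry.split()
        if len(parts) >= 2 and parts[1] == f"{port}/{proto.lower()}":
            return parts[0]
    return None

def triage(line, passwd_text=SAMPLE_PASSWD, services_text=SAMPLE_SERVICES):
    """Summarise one blocked-packet log line for an admin: who sent it, to where."""
    f = parse_log_line(line)
    return {
        "direction": "outbound" if f.get("IN", "") == "" and f.get("OUT") else "inbound",
        "dst": f"{f['DST']}:{f['DPT']}/{f['PROTO']}",
        "service": port_to_service(f["DPT"], f["PROTO"], services_text),
        "owner": uid_to_name(f["UID"], passwd_text) if "UID" in f else None,
        "syn_only": " SYN " in line and " ACK" not in line,  # new connection attempt
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Running it on the sample gives owner amavis, service sms-chat, an outbound SYN to 208.83.137.118:2703/TCP; the next step on a live box would be matching the owner against running processes (for example with ss -tnp or lsof) while the connection is being attempted.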
 
Old 12-10-2016, 11:45 AM   #3
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Original Poster
It didn't even cross my mind to check the UID and GID. Hadn't seen it in dmesg. Thank you for pointing it out. UID 989 and GID 985 are amavis'. So I suppose it is related to "Vipul's Razor distributed, collaborative, spam-detection-and-filtering network uses port 2703 (TCP)." (according to speedguide.net)

I configured the firewall myself, using csf, but csf comes with some predefined rules too, such as syn flood protection, etc., which I'm quite certain are fine. But I opened some ports, used portflood for ssh and so on.

I know running too many services isn't recommended. Unfortunately I cannot afford other vps for now. I'll probably try to buy myself a server later on which is capable of virtualization and so on.

If you could point me to some resources where I can search deeper for malware, that would be helpful. Or you could also suggest what I should be searching for further in this particular case, even if I identified the 'culprit'. How could I have made a connection between dubious processes and the dubious network traffic?

Do you think I should just open port 2703? I'm thinking amavis is trying to download new information (spam lists, whatever).
 
Old 12-10-2016, 10:59 PM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Quote:
Originally Posted by vincix View Post
Do you think I should just open port 2703? I'm thinking amavis is trying to download new information (spam lists, whatever).
Read the documentation for this product. It should spell out what ports it requires open and what they are used for.

I would ask you to post your rules so someone can take a look at them if you are not sure they are setup correctly.
 
Old 12-13-2016, 02:07 PM   #5
tramsch
Member
 
Registered: May 2014
Distribution: Gentoo, RHEL, Mint
Posts: 35

Hi vincix,

the destination IP belongs to d302.cloudmark.com

cloudmark.com seems to be in the security/mail-protection business, got anything to do with them?

br
Florian
 
Old 12-13-2016, 02:09 PM   #6
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

Original Poster
No. Never heard of them. Amavis might get some information from there (spam lists, whatever).
 
Old 12-13-2016, 02:25 PM   #7
tramsch
Member
 
Registered: May 2014
Distribution: Gentoo, RHEL, Mint
Posts: 35

If you could trigger the amavis update manually, you could check the logs and know for sure.
 
  

