LinuxQuestions.org
Old 02-10-2016, 11:54 AM   #1
kingkashif
Member
 
Registered: May 2009
Posts: 94

Rep: Reputation: 16
What are these php-fpm outgoing connections to port 80 for?


Hi everyone,

Well, I see on my server some outgoing connections to a couple of IPs. But I wonder why the php-fpm process is making these outgoing HTTP connections. What are they for?

Code:
tcp        0    215 XX.XX.XX.XX:46388    37.247.105.166:80       ESTABLISHED 17363/php-fpm: pool
tcp        0    220 XX.XX.XX.XX:46386    37.247.105.166:80       ESTABLISHED 14855/php-fpm: pool
tcp        0      0 XX.XX.XX.XX:60702    95.130.169.114:80       ESTABLISHED 14757/php-fpm: pool
Should I be worried? Most of these connections are to this 95.130.169.114 IP. I mean they are not many connections, usually one or two connections but I don't know why.

Are any of my scripts making these connections?

Any help would be highly appreciated.

Thanks in Advance!!
 
Old 02-11-2016, 10:06 AM   #2
Ellendhel
Member
 
Registered: Aug 2015
Location: Wilmington, NC
Distribution: Slackware
Posts: 64

Rep: Reputation: 51
Quote:
Originally Posted by kingkashif View Post
Should I be worried?
Probably. Do you know which PHP scripts or PHP applications are running on your server? You should be able to locate the files by using the lsof command (list opened files).

The two IP addresses listed seem to be part of a pool in Turkey; I don't know if you are expecting something coming from there, if not, that's suspicious.
 
Old 02-11-2016, 05:11 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by kingkashif View Post
(..) I see on my server some outgoing connections to a couple of IPs. (..) I wonder why is php-fpm process making these http outgoing connections? What are they for? (..) Are any of my scripts making these connections?
Couple of things in random order:
- it's not the first time you've had trouble with servers. In the last thread we suggested you actively verify anything for changes. Unsure if you investigated anything yourself at this point. What did you inspect yourself? System and daemon logs? Docroot and user homes contents?
- A web service only requires outbound new TCP/80 or 443 connections if it needs to load external resources. If none of your scripts need to, you know this is bad news.
- At least one of those remote servers was listed consistently from 2014 on as serving malware, scanning the 'net etc, etc.
- Given where (I think) your web server resides I would find it highly illogical for your web server to access resources on given servers as they're not your average jquery or other such popular resources.
- There are several ways to capture data like for example FPM debug settings (logging) or tcpdump (do use "-s 0" to capture whole payload).
- If unsure put up an outbound new TCP/80 or 443 block in your firewall and see what happens.
 
2 members found this post helpful.
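
The checks suggested in the replies above (find which workers talk to which destinations, then inspect each worker with lsof and capture traffic with tcpdump "-s 0"), sketched as an added example that is not part of any post in this thread. The sample netstat lines are constructed with documentation addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage outbound web connections held by php-fpm workers.
# Feed it `netstat -antp` output (run as root so the PID column is filled in).

# Constructed sample input (documentation addresses, not taken from the thread).
sample_netstat() {
cat <<'EOF'
tcp   0 215 192.0.2.10:46388 203.0.113.7:80     ESTABLISHED 17363/php-fpm: pool
tcp   0 220 192.0.2.10:46386 203.0.113.7:80     ESTABLISHED 14855/php-fpm: pool
tcp   0   0 192.0.2.10:60702 198.51.100.9:443   ESTABLISHED 14757/php-fpm: pool
tcp   0   0 192.0.2.10:51000 192.0.2.11:3306    ESTABLISHED 14757/php-fpm: pool
tcp   0   0 192.0.2.10:80    198.51.100.20:5151 ESTABLISHED 901/nginx: worker
EOF
}

# Print "remote_ip pid" for each ESTABLISHED php-fpm socket whose remote
# port is 80 or 443 (database and inbound nginx sockets are skipped).
fpm_outbound() {
    awk '$6 == "ESTABLISHED" && $7 ~ /^[0-9]+\/php-fpm/ {
        n = split($5, r, ":"); port = r[n]
        if (port != "80" && port != "443") next
        split($7, p, "/")
        print substr($5, 1, length($5) - length(port) - 1), p[1]
    }'
}

# Print "workers remote_ip pid,pid,..." with the busiest destination first.
fpm_summary() {
    fpm_outbound | sort -u | awk '
        { pids[$1] = ($1 in cnt) ? (pids[$1] "," $2) : $2; cnt[$1]++ }
        END { for (ip in cnt) print cnt[ip], ip, pids[ip] }' | sort -rn
}

# Print (do not run) the follow-up commands for each destination and worker.
next_steps() {
    fpm_summary | while read -r _count ip pids; do
        echo "tcpdump -n -s 0 -w fpm-$ip.pcap host $ip"
        for pid in $(echo "$pids" | tr ',' ' '); do
            echo "ls -l /proc/$pid/cwd; lsof -nP -p $pid"
        done
    done
}

sample_netstat | next_steps
```

On a live host, replace `sample_netstat` with `netstat -antp` and review the printed commands before running them as root.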
Old 05-12-2016, 10:51 AM   #4
kingkashif
Member
 
Registered: May 2009
Posts: 94

Original Poster
Rep: Reputation: 16
I checked it today again and I find the following outgoing connections, again to a Turkish IP by php-fpm.

Quote:
root@localhost:~# netstat -antp | grep 46.20
tcp 0 0 XXXXXXXXXXX:56148 46.20.11.76:80 ESTABLISHED 1341/php-fpm: pool
tcp 0 0 XXXXXXXXXXX:59665 46.20.11.76:80 ESTABLISHED 7721/php-fpm: pool
tcp 0 0 XXXXXXXXXXX:60380 46.20.11.76:80 ESTABLISHED 9185/php-fpm: pool
There is nothing in the logs. And the php-fpm doesn't show what php script it's running.

I suspect that it's the php-fpm script itself.

Also there are a lot of nginx incoming established connections to port 80 which don't show in the access logs of my 2 websites, nor do they show in the main nginx access logs.

It's completely spooky. I shouldn't have anything to do with a Turkish ip. I don't!

What should be the right way to move ahead?
 
Old 05-15-2016, 08:05 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by kingkashif View Post
I checked it today again
Note you started your thread in February. It is now May. The fact you're moving slower than glaciers either means you're busy doing Other Stuff (at which point you should ponder handing over the reins) or you're not giving it the priority it requires (at which point you should ponder handing over the reins too).


Quote:
Originally Posted by kingkashif View Post
What should be the right way to move ahead?
I've given you a lot of pointers, none of which you've used to gather and present information. Reread replies in this thread. Prepare information gathering configuration and apply. Do research. If unsure ask detailed questions.
 
  


All times are GMT -5.