Running Centos 4.9 (Upgrading soon)

After doing a lsof I noticed something strange

[root@ns2 init.d]# lsof -i -U |grep comedy
portmap 2883 rpc 7u IPv4 43383506 TCP comedy-planet.com:sunrpc->109.162.198.249:784 (ESTABLISHED)

So I dug into the process..

This 109.162.198.249 is an Iranian IP..
I don't see anything in portmapper.. How can I find where these are being crested on the system..

[root@ns2 init.d]# lsof +p 2883
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 2883 rpc cwd DIR 8,1 4096 2 /
portmap 2883 rpc rtd DIR 8,1 4096 2 /
portmap 2883 rpc txt REG 8,1 31360 32256 /sbin/portmap
portmap 2883 rpc mem REG 8,1 240629 /lib/tls/libc-2.3.4.so (path inode=247665)
portmap 2883 rpc mem REG 8,1 240520 /lib/ld-2.3.4.so (path inode=247416)
portmap 2883 rpc mem REG 8,1 240541 /lib/libnss_files-2.3.4.so (path inode=246858)
portmap 2883 rpc mem REG 8,1 246958 /lib/libnsl-2.3.4.so (path inode=247668)
portmap 2883 rpc 0u CHR 1,3 489 /dev/null
portmap 2883 rpc 1u CHR 1,3 489 /dev/null
portmap 2883 rpc 2u CHR 1,3 489 /dev/null
portmap 2883 rpc 3u IPv4 6934 UDP *:sunrpc
portmap 2883 rpc 4u IPv4 6937 TCP *:sunrpc (LISTEN)
portmap 2883 rpc 5u IPv4 43383503 TCP ns2.superhosting.ca:sunrpc->109.162.198.249:773 (ESTABLISHED)
portmap 2883 rpc 6u IPv4 43383505 TCP 69.90.83.200:sunrpc->109.162.198.249:783 (ESTABLISHED)
portmap 2883 rpc 7u IPv4 43383506 TCP comedy-planet.com:sunrpc->109.162.198.249:784 (ESTABLISHED)
portmap 2883 rpc 8u IPv4 43383507 TCP 69.90.83.201:sunrpc->109.162.198.249:787 (ESTABLISHED)
portmap 2883 rpc 9u IPv4 43383510 TCP 69.90.83.203:sunrpc->109.162.198.249:794 (ESTABLISHED)
portmap 2883 rpc 10u IPv4 43383511 TCP 69.90.83.204:sunrpc->109.162.198.249:803 (ESTABLISHED)
portmap 2883 rpc 11u IPv4 229558425 TCP ns2.superhosting.ca:sunrpc->204.51.112.137:33996 (ESTABLISHED)
portmap 2883 rpc 12u IPv4 85031497 TCP 69.90.83.205:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:643 (ESTABLISHED)
portmap 2883 rpc 13u IPv4 43383522 TCP 69.90.83.208:sunrpc->109.162.198.249:806 (ESTABLISHED)
portmap 2883 rpc 14u IPv4 43383525 TCP 69.90.83.209:sunrpc->109.162.198.249:807 (ESTABLISHED)
portmap 2883 rpc 15u IPv4 43383538 TCP 69.90.83.211:sunrpc->109.162.198.249:810 (ESTABLISHED)
portmap 2883 rpc 16u IPv4 43383541 TCP 69.90.83.213:sunrpc->109.162.198.249:811 (ESTABLISHED)
portmap 2883 rpc 17u IPv4 85031500 TCP 69.90.83.204:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:644 (ESTABLISHED)
portmap 2883 rpc 18u IPv4 43383543 TCP 69.90.83.215:sunrpc->109.162.198.249:813 (ESTABLISHED)
portmap 2883 rpc 19u IPv4 43383559 TCP 69.90.83.216:sunrpc->109.162.198.249:826 (ESTABLISHED)
portmap 2883 rpc 20u IPv4 43383560 TCP 69.90.83.217:sunrpc->109.162.198.249:837 (ESTABLISHED)
portmap 2883 rpc 21u IPv4 43383568 TCP 69.90.83.219:sunrpc->109.162.198.249:838 (ESTABLISHED)
portmap 2883 rpc 22u IPv4 43383588 TCP 69.90.83.220:sunrpc->109.162.198.249:848 (ESTABLISHED)
portmap 2883 rpc 23u IPv4 85031515 TCP 69.90.83.206:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:645 (ESTABLISHED)
portmap 2883 rpc 24u IPv4 43628042 TCP 69.90.179.18:sunrpc->109.162.198.249:19777 (ESTABLISHED)
portmap 2883 rpc 25u IPv4 43628047 TCP 69.90.179.20:sunrpc->109.162.198.249:19782 (ESTABLISHED)
portmap 2883 rpc 26u IPv4 85031517 TCP 69.90.83.207:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:646 (ESTABLISHED)
portmap 2883 rpc 27u IPv4 43628060 TCP 69.90.179.21:sunrpc->109.162.198.249:19787 (ESTABLISHED)
portmap 2883 rpc 28u IPv4 43628061 TCP 69.90.179.23:sunrpc->109.162.198.249:19789 (ESTABLISHED)
portmap 2883 rpc 29u IPv4 43628100 TCP 69.90.179.26:sunrpc->109.162.198.249:19794 (ESTABLISHED)
portmap 2883 rpc 30u IPv4 43628122 TCP 69.90.179.27:sunrpc->109.162.198.249:19797 (ESTABLISHED)
portmap 2883 rpc 31u IPv4 43628125 TCP 69.90.179.28:sunrpc->109.162.198.249:19799 (ESTABLISHED)
portmap 2883 rpc 32u IPv4 43628133 TCP 69.90.179.29:sunrpc->109.162.198.249:19801 (ESTABLISHED)
portmap 2883 rpc 33u IPv4 43628137 TCP 69.90.179.30:sunrpc->109.162.198.249:19805 (ESTABLISHED)
portmap 2883 rpc 34u IPv4 687552138 TCP ns2.superhosting.ca:sunrpc->204.197.186.145:62182 (ESTABLISHED)
portmap 2883 rpc 35u IPv4 85031529 TCP 69.90.83.210:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:650 (ESTABLISHED)
portmap 2883 rpc 36u IPv4 85031530 TCP 69.90.83.212:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:651 (ESTABLISHED)
portmap 2883 rpc 37u IPv4 85031531 TCP 69.90.83.213:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:652 (ESTABLISHED)
portmap 2883 rpc 38u IPv4 85031580 TCP 69.90.83.221:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:656 (ESTABLISHED)
portmap 2883 rpc 39u IPv4 85031588 TCP 69.90.83.209:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:647 (ESTABLISHED)
portmap 2883 rpc 40u IPv4 85031589 TCP 69.90.83.222:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:657 (ESTABLISHED)
portmap 2883 rpc 41u IPv4 85031594 TCP 69.90.83.215:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:653 (ESTABLISHED)
portmap 2883 rpc 42u IPv4 687552179 TCP ns2.superhosting.ca:sunrpc->204.197.186.145:62186 (ESTABLISHED)
portmap 2883 rpc 43u IPv4 85343190 TCP 69.90.179.19:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:724 (ESTABLISHED)
portmap 2883 rpc 44u IPv4 85343191 TCP 69.90.179.20:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:725 (ESTABLISHED)
portmap 2883 rpc 45u IPv4 85343192 TCP 69.90.179.21:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:726 (ESTABLISHED)
portmap 2883 rpc 46u IPv4 85343196 TCP 69.90.179.23:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:727 (ESTABLISHED)
portmap 2883 rpc 47u IPv4 85343200 TCP 69.90.179.26:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:728 (ESTABLISHED)
portmap 2883 rpc 48u IPv4 85343201 TCP 69.90.179.27:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:729 (ESTABLISHED)
portmap 2883 rpc 49u IPv4 85343206 TCP 69.90.179.28:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:730 (ESTABLISHED)
portmap 2883 rpc 50u IPv4 85343208 TCP 69.90.179.29:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:731 (ESTABLISHED)
portmap 2883 rpc 51u IPv4 85343210 TCP 69.90.179.30:sunrpc->adsl-68-123-243-147.dsl.irvnca.pacbell.net:732 (ESTABLISHED)
portmap 2883 rpc 52u IPv4 687556804 TCP ns2.superhosting.ca:sunrpc->204.197.186.145:62543 (ESTABLISHED)
portmap 2883 rpc 53u IPv4 687556835 TCP ns2.superhosting.ca:sunrpc->204.197.186.145:62549 (ESTABLISHED)
portmap 2883 rpc 54u IPv4 687557100 TCP ns2.superhosting.ca:sunrpc->204.197.186.145:62643 (ESTABLISHED)
portmap 2883 rpc 55u IPv4 713925416 TCP ns2.superhosting.ca:sunrpc->host69-53-78-41.birch.net:59627 (ESTABLISHED)
portmap 2883 rpc 56u IPv4 713925435 TCP 69.90.83.200:sunrpc->host69-53-78-41.birch.net:59632 (ESTABLISHED)
portmap 2883 rpc 57u IPv4 713925445 TCP 69.90.83.205:sunrpc->host69-53-78-41.birch.net:59635 (ESTABLISHED)
portmap 2883 rpc 58u IPv4 713925446 TCP 69.90.83.206:sunrpc->host69-53-78-41.birch.net:59637 (ESTABLISHED)
portmap 2883 rpc 59u IPv4 713925447 TCP 69.90.83.207:sunrpc->host69-53-78-41.birch.net:59639 (ESTABLISHED)
portmap 2883 rpc 60u IPv4 713925448 TCP 69.90.83.208:sunrpc->host69-53-78-41.birch.net:59640 (ESTABLISHED)
portmap 2883 rpc 61u IPv4 713925451 TCP 69.90.83.211:sunrpc->host69-53-78-41.birch.net:59642 (ESTABLISHED)
portmap 2883 rpc 62u IPv4 713925457 TCP 69.90.83.213:sunrpc->host69-53-78-41.birch.net:59644 (ESTABLISHED)
portmap 2883 rpc 63u IPv4 713925464 TCP 69.90.83.215:sunrpc->host69-53-78-41.birch.net:59646 (ESTABLISHED)
portmap 2883 rpc 64u IPv4 713925470 TCP 69.90.83.216:sunrpc->host69-53-78-41.birch.net:59648 (ESTABLISHED)
portmap 2883 rpc 65u IPv4 713925476 TCP 69.90.83.218:sunrpc->host69-53-78-41.birch.net:59650 (ESTABLISHED)
portmap 2883 rpc 66u IPv4 713925482 TCP 69.90.83.222:sunrpc->host69-53-78-41.birch.net:59652 (ESTABLISHED)

Run the following command set: This will give you a process tree, list of open files, and a list of network connections along with the PID and file paths that you can use to correlate and identify the location and owner of the suspicious process.

From your output below, it looks like you are using sunrpc, left it exposed to the internet, and it may now be being exploited.

Thanks for that

I stopped portmapper (I had no idea it was on) and those connections went away...

I think you need to do a strict audit to determine what functions and or resources you have exposed. For example, were you exposing part of your file system via NFS? I am not familiar enough with portmapper and it's functions to give you clear advice here, but the impression I get is that a lot of parasitic systems may have been leeched on to you and %diety only knows what they have been doing.