What files and folders in tmp/ folder

Hi,

My Linode got restricted because support has detected an Outbound Denial of Service attack on my Linode.
I followed the guide from the Linode support team (https://www.linode.com/community/questions/467/ive-noticed-some-suspicious-activity-on-my-linode-what-do-i-do) and checked the tmp folder. My tmp folder has the following files and folders:

```
drwxrwxrwt 10 root root 4096 Jun 17 06:09 .
drwxr-xr-x 23 root root 4096 Jun 15 08:58 ..
drwxrwxrwt  2 root root 4096 Jun 17 00:14 .font-unix
drwxrwxrwt  2 root root 4096 Jun 17 00:14 .ICE-unix
drwx------  3 root root 4096 Jun 17 00:14 systemd-private-f57a05ef2a9745cf9b69a07c1aea6d1e-apache2.service-gJEK6L
drwx------  3 root root 4096 Jun 17 00:14 systemd-private-f57a05ef2a9745cf9b69a07c1aea6d1e-systemd-resolved.service-orElVv
drwx------  3 root root 4096 Jun 17 00:14 systemd-private-f57a05ef2a9745cf9b69a07c1aea6d1e-systemd-timesyncd.service-cndLea
drwxrwxrwt  2 root root 4096 Jun 17 00:14 .Test-unix
drwxrwxrwt  2 root root 4096 Jun 17 00:14 .X11-unix
drwxrwxrwt  2 root root 4096 Jun 17 00:14 .XIM-unix
```

Are those folders looking good, or should I delete some of them, and if so, which ones?

I appreciate everyone's help. Thank you.

Katharina

5 Replies

@katharinahasselbach --

You write:

> My tmp folder has the following files and folders

ARRRGGGGHHH!! There are no "folders"…there are "directories"! I digress…

```
drwxrwxrwt 10 root root 4096 Jun 17 06:09 .
drwxr-xr-x 23 root root 4096 Jun 15 08:58 ..
drwxrwxrwt 2 root root 4096 Jun 17 00:14 .font-unix
drwxrwxrwt 2 root root 4096 Jun 17 00:14 .ICE-unix
drwx------ 3 root root 4096 Jun 17 00:14 systemd-private-f57a05ef2a9745cf9b69a07c1aea6d1e-apache2.service-gJEK6L
drwx------ 3 root root 4096 Jun 17 00:14 systemd-private-f57a05ef2a9745cf9b69a07c1aea6d1e-systemd-resolved.service-orElVv
drwx------ 3 root root 4096 Jun 17 00:14 systemd-private-f57a05ef2a9745cf9b69a07c1aea6d1e-systemd-timesyncd.service-cndLea
drwxrwxrwt 2 root root 4096 Jun 17 00:14 .Test-unix
drwxrwxrwt 2 root root 4096 Jun 17 00:14 .X11-unix
drwxrwxrwt 2 root root 4096 Jun 17 00:14 .XIM-unix
```

> Are those folders looking good, or should I delete some of them, and if so, which ones?

There's that word again!

All the directories matching the pattern *service* belong to systemd -- the Linux system service management daemon. See:

https://www.linode.com/docs/quick-answers/linux-essentials/what-is-systemd/

All the directories matching the pattern *-unix$ belong to the X Window System.

All of these are perfectly normal. If your Linode does not run a desktop environment that requires X11, you can delete all the *-unix$ directories. Your system will go seriously haywire if you delete the *service* directories!

-- sw

@stevewi
Thank you very much for your fast reply and the correction, I appreciate it.

As I'm not so much familiar with the whole server side, as I usually take care of the front end, can I ask you one or two more questions?

Do the running processes look okay?

```
root@localhost:~# ps aux
USER  PID %CPU %MEM    VSZ   RSS TTY   STAT START   TIME COMMAND
root   1   0.0  0.8 159784  8908 ?     Ss   Jun17   0:25 /sbin/init
root   2   0.0  0.0      0     0 ?     S    Jun17   0:00 [kthreadd]
root   4   0.0  0.0      0     0 ?     I<   Jun17   0:00 [kworker/0:0H]
root   6   0.0  0.0      0     0 ?     I<   Jun17   0:00 [mm_percpu_wq]
root   7   0.0  0.0      0     0 ?     S    Jun17   0:04 [ksoftirqd/0]
root   8   0.0  0.0      0     0 ?     I    Jun17   0:19 [rcu_sched]
root   9   0.0  0.0      0     0 ?     I    Jun17   0:00 [rcu_bh]
root   10  0.0  0.0      0     0 ?     S    Jun17   0:00 [migration/0]
root   11  0.0  0.0      0     0 ?     S    Jun17   0:00 [watchdog/0]
root   12  0.0  0.0      0     0 ?     S    Jun17   0:00 [cpuhp/0]
root   13  0.0  0.0      0     0 ?     S    Jun17   0:00 [kdevtmpfs]
root   14  0.0  0.0      0     0 ?     I<   Jun17   0:00 [netns]
root   15  0.0  0.0      0     0 ?     S    Jun17   0:00[rcu_tasks_kthr
root   16  0.0  0.0      0     0 ?     S    Jun17   0:00 [kauditd]
root   17  0.0  0.0      0     0 ?     S    Jun17   0:00 [khungtaskd]
root   18  0.0  0.0      0     0 ?     S    Jun17   0:00 [oom_reaper]
root   19  0.0  0.0      0     0 ?     I<   Jun17   0:00 [writeback]
root   20  0.0  0.0      0     0 ?     S    Jun17   0:00 [kcompactd0]
root   21  0.0  0.0      0     0 ?     SN   Jun17   0:00 [ksmd]
root   22  0.0  0.0      0     0 ?     SN   Jun17   0:00 [khugepaged]
root   23  0.0  0.0      0     0 ?     I<   Jun17   0:00 [crypto]
root   24  0.0  0.0      0     0 ?     I<   Jun17   0:00 [kintegrityd]
root   25  0.0  0.0      0     0 ?     I<   Jun17   0:00 [kblockd]
root   26  0.0  0.0      0     0 ?     I<   Jun17   0:00 [ata_sff]
root   27  0.0  0.0      0     0 ?     I<   Jun17   0:00 [md]
root   28  0.0  0.0      0     0 ?     I<   Jun17   0:00 [edac-poller]
root   29  0.0  0.0      0     0 ?     I<   Jun17   0:00 [devfreq_wq]
root   30  0.0  0.0      0     0 ?     I<   Jun17   0:00 [watchdogd]
root   34  0.0  0.0      0     0 ?     S    Jun17   0:00 [kswapd0]
root   35  0.0  0.0      0     0 ?     I<   Jun17   0:00 [kworker/u3:0]
root   36  0.0  0.0      0     0 ?     S    Jun17   0:00 [ecryptfs-kthre
root   78  0.0  0.0      0     0 ?     I<   Jun17   0:00 [kthrotld]
root   79  0.0  0.0      0     0 ?     I<   Jun17   0:00 [acpi_thermal_p
root   83  0.0  0.0      0     0 ?     I<   Jun17   0:00 [ipv6_addrconf]
root   92  0.0  0.0      0     0 ?     I<   Jun17   0:00 [kstrp]
root   109 0.0  0.0      0     0 ?     I<   Jun17   0:00 [charger_manage
root   148 0.0  0.0      0     0 ?     S    Jun17   0:00 [scsi_eh_0]
root   149 0.0  0.0      0     0 ?     I<   Jun17   0:00 [scsi_tmf_0]
root   151 0.0  0.0      0     0 ?     S    Jun17   0:00 [scsi_eh_1]
root   152 0.0  0.0      0     0 ?     I<   Jun17   0:00 [scsi_tmf_1]
root   153 0.0  0.0      0     0 ?     I<   Jun17   0:01 [kworker/0:1H]
root   155 0.0  0.0      0     0 ?     S    Jun17   0:00 [scsi_eh_2]
root   156 0.0  0.0      0     0 ?     I<   Jun17   0:00 [scsi_tmf_2]
root   157 0.0  0.0      0     0 ?     S    Jun17   0:00 [scsi_eh_3]
root   158 0.0  0.0      0     0 ?     I<   Jun17   0:00 [scsi_tmf_3]
root   160 0.0  0.0      0     0 ?     S    Jun17   0:00 [scsi_eh_4]
root   161 0.0  0.0      0     0 ?     I<   Jun17   0:00 [scsi_tmf_4]
root   165 0.0  0.0      0     0 ?     S    Jun17   0:00 [scsi_eh_5]
root   171 0.0  0.0      0     0 ?     I<   Jun17   0:00 [scsi_tmf_5]
root   172 0.0  0.0      0     0 ?     S    Jun17   0:00 [scsi_eh_6]
root   173 0.0  0.0      0     0 ?     I<   Jun17   0:00 [scsi_tmf_6]
root   174 0.0  0.0      0     0 ?     S    Jun17   0:00 [scsi_eh_7]
root   175 0.0  0.0      0     0 ?     I<   Jun17   0:00 [scsi_tmf_7]
root   274 0.0  0.0      0     0 ?     I<   Jun17   0:00 [raid5wq]
root   327 0.0  0.0      0     0 ?     S    Jun17   0:02 [jbd2/sda-8]
root   328 0.0  0.0      0     0 ?     I<   Jun17   0:00 [ext4-rsv-conve
root   385 0.0  3.8 152176 38884 ?     S<s  Jun17   0:00 /lib/systemd/sy
root   386 0.0  0.0      0     0 ?     I<   Jun17   0:00 [iscsi_eh]
root   402 0.0  0.1  97708  1744 ?     Ss   Jun17   0:00 /sbin/lvmetad -
root   404 0.0  0.3  45284  3848 ?     Ss   Jun17   0:00 /lib/systemd/sy
root   405 0.0  0.0      0     0 ?     I<   Jun17   0:00 [ib-comp-wq]
root   406 0.0  0.0      0     0 ?     I<   Jun17   0:00 [ib_mcast]
root   407 0.0  0.0      0     0 ?     I<   Jun17   0:00 [ib_nl_sa_wq]
root   409  0.0  0.0     0     0 ?     I<   Jun17   0:00 [rdma_cm]
systemd+450 0.0  0.4  71844  4940 ?    Ss   Jun17   0:37 /lib/systemd/sy
systemd+480 0.0  0.4  70624  4976 ?    Ss   Jun17   0:41 /lib/systemd/sy
root    561 0.0  0.1 161076  1612 ?    Ssl  Jun17   0:00 /usr/bin/lxcfs
message+571 0.0  0.4  50036  4116 ?    Ss   Jun17   0:00 /usr/bin/dbus-d
root    581 0.0  1.6 170380 16468 ?    Ssl  Jun17   0:00 /usr/bin/python
root    587 0.0  0.5  70636  5796 ?    Ss   Jun17   0:00 /lib/systemd/sy
root    589 0.0  0.6 287544  6356 ?    Ssl  Jun17   0:01 /usr/lib/accoun
syslog  594 0.0  0.4 263036  4044 ?    Ssl  Jun17   0:00 /usr/sbin/rsysl
daemon  596 0.0  0.2  28332  2212 ?    Ss   Jun17   0:00 /usr/sbin/atd -
root    597 24.0 0.0  26592   660 ?    Ssl  Jun17 385:08 route -n
root    629 0.0  0.6 288880  6324 ?    Ssl  Jun17   0:00 /usr/lib/policy
root    647 0.0  0.1  16180  1584 tty1 Ss+  Jun17   0:00 /sbin/agetty -o
root    672 0.0  0.5  72296  5420 ?    Ss   Jun17   0:00 /usr/sbin/sshd
root    677 0.0  1.8 187216 18852 ?    Ssl  Jun17   0:00 /usr/bin/python
mysql   742 0.0 17.4 1154780 176304 ?  Sl   Jun17   0:34 /usr/sbin/mysql
root    752 0.0  2.3 491392 23988 ?    Ss   Jun17   0:03 /usr/sbin/apach
www-data765 0.0  1.5 493772 15240 ?    S    Jun17   0:00 /usr/sbin/apach
www-data766 0.0  1.5 493772 15244 ?    S    Jun17   0:00 /usr/sbin/apach
www-data767 0.0  1.5 493772 15244 ?    S    Jun17   0:00 /usr/sbin/apach
www-data768 0.0  1.5 493772 15244 ?    S    Jun17   0:00 /usr/sbin/apach
www-data769 0.0  1.5 493772 15244 ?    S    Jun17   0:00 /usr/sbin/apach
systemd+913 0.0  0.3 141924  3064 ?    Ssl  Jun17   0:00 /lib/systemd/sy
root    991 0.0  0.6  27392  6380 ?    S    Jun17   0:00 rsync
root   1017 0.0  0.5  40160  5200 ?    Ssl  Jun17   0:04 ./kswapd0
root   1649 0.0  0.0      0     0 ?    I    02:54   0:00 [kworker/u2:2]
root   1766 0.0  0.6  76636  6980 ?    Ss   02:54   0:00 /lib/systemd/sy
root   1767 0.0  0.2 191468  2484 ?    S    02:54   0:00 (sd-pam)
root   1777 0.0  0.4  22652  5024 ttyS0 S    02:54   0:00 -bash
root   1922 0.0  0.1   1468  1040 ?    Ss   02:55   0:00 ifconfig
root   1927 0.0  0.1   1468  1036 ?    Ss   02:55   0:00 ifconfig eth0
root   1928 0.0  0.1   1468  1040 ?    Ss   02:55   0:00 who
root   1930 0.0  0.1   1468  1040 ?    Ss   02:55   0:00 pwd
root   1931 0.0  0.1   1468  1044 ?    Ss   02:55   0:00 id
root   1932 0.0  0.3  39664  3420 ttyS0 R+   02:55   0:00 ps aux
www-data6661 0.0 1.5 493772 15256 ?    S    Jun17   0:00 /usr/sbin/apach
root  10243 0.0  0.3  81740  4012 ttyS0 Ss   Jun17   0:00 /bin/login -p -
root  27877 0.0  0.0      0     0 ?     I    02:21   0:00 [kworker/u2:1]
root  30141 0.0  0.0      0     0 ?     I    02:34   0:00 [kworker/u2:0]
root  30295 0.0  0.0      0     0 ?     I    02:34   0:00 [kworker/0:2]
root  31605 0.0  0.0      0     0 ?     I    Jun17   0:00 [kworker/0:0]
```

Do the connections look okay?

```
root@localhost:~# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address        Foreign Address       State
tcp   0      0      127.0.0.1:3306       0.0.0.0:*             LISTEN
tcp   0      0      127.0.0.53:53        0.0.0.0:*             LISTEN
tcp   0      0      0.0.0.0:22           0.0.0.0:*             LISTEN
tcp   0      1      xxx.xx.xxx.xxx:57286 xx.x.xxx.xx:443       SYN_SENT
tcp   0      1      xxx.xx.xxx.xxx:46692 xxx.xxx.xxx.xxx:3307  SYN_SENT
tcp6  0      0      :::80                :::*                  LISTEN
tcp6  0      0      :::22                :::*                  LISTEN
udp   0      0      127.0.0.53:53        0.0.0.0:*
raw6  0      0      :::58                :::*                  7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags   Type      State     I-Node   Path
unix  2      [ ]     DGRAM               1240037  /run/user/0/systemd/notify
unix  2      [ ACC ] SEQPACKET LISTENING 13939    /run/udev/control
unix  2      [ ACC ] STREAM    LISTENING 1240040  /run/user/0/systemd/private
unix  2      [ ACC ] STREAM    LISTENING 1240044  /run/user/0/gnupg/S.gpg-agent.ssh
unix  2      [ ACC ] STREAM    LISTENING 1240045  /run/user/0/gnupg/S.dirmngr
unix  2      [ ACC ] STREAM    LISTENING 1240046  /run/user/0/gnupg/S.gpg-agent
unix  2      [ ACC ] STREAM    LISTENING 1240047  /run/user/0/gnupg/S.gpg-agent.browser
unix  2      [ ACC ] STREAM    LISTENING 1240048  /run/user/0/gnupg/S.gpg-agent.extra
unix  2      [ ACC ] STREAM    LISTENING 15859    /var/lib/lxd/unix.socket
unix  2      [ ACC ] STREAM    LISTENING 15865    /run/snapd.socket
unix  2      [ ACC ] STREAM    LISTENING 15867    /run/snapd-snap.socket
unix  3      [ ]     DGRAM               13456    /run/systemd/notify
unix  2      [ ACC ] STREAM    LISTENING 15874    /var/run/dbus/system_bus_socket
unix  2      [ ACC ] STREAM    LISTENING 15887    /run/uuidd/request
unix  2      [ ACC ] STREAM    LISTENING 15889    /run/acpid.socket
unix  2      [ ACC ] STREAM    LISTENING 13459    /run/systemd/private
unix  2      [ ]     DGRAM               13469    /run/systemd/journal/syslog
unix  6      [ ]     DGRAM               13477    /run/systemd/journal/dev-log
unix  2      [ ACC ] STREAM    LISTENING 13479    /run/lvm/lvmpolld.socket
unix  2      [ ACC ] STREAM    LISTENING 13481    /run/lvm/lvmetad.socket
unix  2      [ ACC ] STREAM    LISTENING 15864    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ] STREAM    LISTENING 13483    /run/systemd/fsck.progress
unix  2      [ ACC ] STREAM    LISTENING 13486    /run/systemd/journal/stdout
unix  9      [ ]     DGRAM               13488    /run/systemd/journal/socket
unix  2      [ ACC ] STREAM    LISTENING 20123    /var/run/mysqld/mysqld.sock
unix  2      [ ]     DGRAM                1240000
unix  3      [ ]     STREAM    CONNECTED  18380
unix  3      [ ]     STREAM    CONNECTED  18215
unix  3      [ ]     DGRAM                15260
unix  3      [ ]     STREAM    CONNECTED  19718    /var/run/dbus/system_bus_socket
unix  3      [ ]     STREAM    CONNECTED  16198
unix  3      [ ]     STREAM    CONNECTED  16278    /run/systemd/journal/stdout
unix  2      [ ]     DGRAM                15252
unix  3      [ ]     DGRAM                1240039
unix  2      [ ]     DGRAM                16190
unix  3      [ ]     STREAM    CONNECTED  16197
unix  3      [ ]     DGRAM                15261
unix  3      [ ]     STREAM    CONNECTED  19717
unix  3      [ ]     STREAM    CONNECTED  16277
unix  3      [ ]     DGRAM                15262
unix  3      [ ]     STREAM    CONNECTED  19757    /var/run/dbus/system_bus_socket
unix  3      [ ]     STREAM    CONNECTED  15876
unix  3      [ ]     STREAM    CONNECTED  15421
unix  3      [ ]     STREAM    CONNECTED  18485    /run/systemd/journal/stdout
unix  3      [ ]     STREAM    CONNECTED  16200    /var/run/dbus/system_bus_socket
unix  2      [ ]     DGRAM                20242
unix  3      [ ]     STREAM    CONNECTED  16199    /var/run/dbus/system_bus_socket
unix  3      [ ]     STREAM    CONNECTED  15422    /run/systemd/journal/stdout
unix  3      [ ]     STREAM    CONNECTED  15877
unix  3      [ ]     STREAM    CONNECTED  20630
unix  3      [ ]     STREAM    CONNECTED  16591    /run/systemd/journal/stdout
unix  2      [ ]     DGRAM                1240013
unix  3      [ ]     DGRAM                15263
unix  3      [ ]     STREAM    CONNECTED  16590
unix  3      [ ]     STREAM    CONNECTED  18261
unix  3      [ ]     STREAM    CONNECTED  20631    /run/systemd/journal/stdout
unix  3      [ ]     STREAM    CONNECTED  16752    /run/systemd/journal/stdout
unix  2      [ ]     DGRAM                14254
unix  3      [ ]     STREAM    CONNECTED  14191
unix  3      [ ]     DGRAM                20535
unix  3      [ ]     STREAM    CONNECTED  19756
unix  3      [ ]     STREAM    CONNECTED  18381    /run/systemd/journal/stdout
unix  3      [ ]     STREAM    CONNECTED  15225
unix  3      [ ]     STREAM    CONNECTED  14905    /run/systemd/journal/stdout
unix  3      [ ]     STREAM    CONNECTED  14908    /run/systemd/journal/stdout
unix  3      [ ]     STREAM    CONNECTED  15226    /run/systemd/journal/stdout
unix  3      [ ]     STREAM    CONNECTED  14251
unix  3      [ ]     STREAM    CONNECTED  16750
unix  3      [ ]     STREAM    CONNECTED  17199
unix  2      [ ]     DGRAM                17236
unix  2      [ ]     DGRAM                1239895
unix  3      [ ]     STREAM    CONNECTED  17200    /var/run/dbus/system_bus_socket
unix  2      [ ]     DGRAM                15654
unix  3      [ ]     DGRAM                13457
unix  3      [ ]     STREAM    CONNECTED  1240011  /run/systemd/journal/stdout
unix  3      [ ]     STREAM    CONNECTED  16142
unix  3      [ ]     STREAM    CONNECTED  15973
unix  3      [ ]     DGRAM                13458
unix  3      [ ]     DGRAM                14340
unix  3      [ ]     STREAM    CONNECTED  1239992
unix  3      [ ]     STREAM    CONNECTED  18483
unix  3      [ ]     STREAM    CONNECTED  15974    /run/systemd/journal/stdout
unix  3      [ ]     DGRAM                14339
unix  3      [ ]     DGRAM                1240038
unix  3      [ ]     STREAM    CONNECTED  16145    /run/systemd/journal/stdout
unix  3      [ ]     DGRAM                20536
unix  3      [ ]     DGRAM                20694
unix  2      [ ]     DGRAM                18252
unix  3      [ ]     DGRAM                20695
unix  3      [ ]     DGRAM                20696
unix  3      [ ]     STREAM    CONNECTED  16143
unix  3      [ ]     STREAM    CONNECTED  18262    /var/run/dbus/system_bus_socket
unix  3      [ ]     DGRAM                20693
unix  2      [ ]     DGRAM                14316
unix  3      [ ]     STREAM    CONNECTED  16201    /var/run/dbus/system_bus_socket
unix  3      [ ]     STREAM    CONNECTED  18216    /var/run/dbus/system_bus_socket
unix  2      [ ]     DGRAM                20690
```

I get the following when I check the ports

```
lsof -i tcp:3306 -P -R
COMMAND PID PPID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mysqld  742    1 mysql   26u  IPv4  20122      0t0  TCP localhost:3306 (LISTEN)
COMMAND   PID PPID     USER   FD   TYPE DEVICE SIZE/OFF NODE   NAME
systemd-r 480 1 systemd-resolve 13u  IPv4  15671    0t0  TCP localhost:53 (LISTEN)
```

`lsof -i tcp:57286 -P -R` and `lsof -i tcp:46692 -P -R`: nothing
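A defender-side screen of a `ps aux` listing like the one above, as an added example (not from the thread and not part of Linode's guide): it flags user-space binaries that borrow a kernel-thread name but appear without brackets or with a non-zero memory footprint, commands running from a relative or scratch path, and one-shot admin tools that have accumulated hours of CPU time. The sample input is a constructed subset of the listing posted above; the name sets, the scratch-path list and the 60-minute threshold are assumptions.

```python
"""Screen a `ps aux` listing for processes that deserve a closer look."""
import re

# Names the kernel gives its own threads. ps shows real kernel threads in
# [brackets] with zero VSZ/RSS because they have no user-space image.
KERNEL_THREAD_NAMES = {"kswapd0", "kthreadd", "ksoftirqd", "migration",
                       "rcu_sched", "kauditd", "kblockd", "kworker"}
# Admin tools that normally run for a fraction of a second and exit.
ONE_SHOT_TOOLS = {"route", "ifconfig", "who", "pwd", "id", "ps", "netstat"}
CPU_MINUTES_LIMIT = 60   # assumed threshold: an hour of CPU for a one-shot tool
SCRATCH_PREFIXES = ("./", "/tmp/", "/var/tmp/", "/dev/shm/")

# Tolerates the fused columns in the posted listing ("www-data765", "0:00[rcu").
PS_LINE = re.compile(
    r"^(?P<user>\S*?)\s*(?P<pid>\d+)\s+(?P<cpu>[\d.]+)\s+(?P<mem>[\d.]+)\s+"
    r"(?P<vsz>\d+)\s+(?P<rss>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+"
    r"(?P<start>\S+)\s+(?P<time>[\d:-]+)\s*(?P<cmd>.*)$")


def cpu_minutes(time_field):
    """Convert a ps TIME field ([[DD-]HH:]MM:SS) to whole minutes."""
    days = 0
    if "-" in time_field:
        day_part, time_field = time_field.split("-", 1)
        days = int(day_part)
    parts = [int(p) for p in time_field.split(":")]
    hours, minutes, _seconds = ([0, 0] + parts)[-3:]   # pad MM:SS to HH:MM:SS
    return days * 1440 + hours * 60 + minutes


def triage(ps_output):
    """Return {pid: [reasons]} for every process that trips a heuristic."""
    findings = {}
    for line in ps_output.splitlines():
        m = PS_LINE.match(line.strip())
        if not m:                              # header or unparsable line
            continue
        argv0 = (m["cmd"].split() or [""])[0]
        bracketed = argv0.startswith("[")
        # [kworker/0:0H] -> kworker ; ./kswapd0 or /usr/sbin/sshd -> basename
        name = argv0.strip("[]").split("/")[0] if bracketed else argv0.rsplit("/", 1)[-1]
        reasons = []
        if name in KERNEL_THREAD_NAMES and (not bracketed or int(m["vsz"]) > 0):
            reasons.append("user-space binary named like a kernel thread")
        if argv0.startswith(SCRATCH_PREFIXES):
            reasons.append("runs from a relative or scratch path")
        minutes = cpu_minutes(m["time"])
        if name in ONE_SHOT_TOOLS and minutes >= CPU_MINUTES_LIMIT:
            reasons.append(f"one-shot tool with {minutes} min of CPU time")
        if reasons:
            findings[int(m["pid"])] = reasons
    return findings


# Constructed sample: a subset of the listing posted in this thread, kept
# verbatim (including its fused columns) plus the header line.
SAMPLE_PS = """\
USER  PID %CPU %MEM    VSZ   RSS TTY   STAT START   TIME COMMAND
root   15  0.0  0.0      0     0 ?     S    Jun17   0:00[rcu_tasks_kthr
root   34  0.0  0.0      0     0 ?     S    Jun17   0:00 [kswapd0]
root    597 24.0 0.0  26592   660 ?    Ssl  Jun17 385:08 route -n
www-data765 0.0 1.5 493772 15240 ?    S    Jun17   0:00 /usr/sbin/apach
root   1017 0.0  0.5  40160  5200 ?    Ssl  Jun17   0:04 ./kswapd0
root   1932 0.0  0.3  39664  3420 ttyS0 R+   02:55   0:00 ps aux
"""

print(triage(SAMPLE_PS))
```

The heuristics are a starting point for a closer look, not a verdict; confirm a hit with `ls -l /proc/<pid>/exe` and `/proc/<pid>/cwd` before acting on it.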

@katharinahasselbach --

You write:

> Thank you very much for your fast reply and the correction, I appreciate it.

You're welcome…

> As I'm not so much familiar with the whole server side, as I usually take care of the front end, can I ask you one or two more questions?

Of course…

> Do the running processes look okay?
>
> `root@localhost:~# ps aux`

Just as a practical note… When you have screen output like this, enclose it between lines consisting of 3 backquotes (```). Doing so will present the text between as "code" and make your post a lot more readable. That being said, the only processes you presented in your list that aren't normally there were these:

```
root 1777 0.0 0.4 22652 5024 ttyS0 S 02:54 0:00 -bash
root 1922 0.0 0.1 1468 1040 ? Ss 02:55 0:00 ifconfig
root 1927 0.0 0.1 1468 1036 ? Ss 02:55 0:00 ifconfig eth0
root 1928 0.0 0.1 1468 1040 ? Ss 02:55 0:00 who
root 1930 0.0 0.1 1468 1040 ? Ss 02:55 0:00 pwd
root 1931 0.0 0.1 1468 1044 ? Ss 02:55 0:00 id
root 1932 0.0 0.3 39664 3420 ttyS0 R+ 02:55 0:00 ps aux
```

But this is you doing your ps -aux command…

> Do the connections look okay?

Just as another practical matter, it's not a very good idea to publish your IP address(es) or domain name(s) in an open forum like this (you never know who might be scanning the posts here for such information):

```
tcp 0 1 178.79.181.108:57286 45.9.148.99:443 SYN_SENT
tcp 0 1 178.79.181.108:46692 104.223.142.164:3307 SYN_SENT
```

The first of these is an https connection from 45.9.148.99 (registered in the Netherlands). I don't recognize the second one. It's a TCP connection on port 3307 to your Linode from an IP address in the US. According to /etc/services, port 3307 is listed as:

```
opsession-prxy    3307/udp    # OP Session Proxy
opsession-prxy    3307/tcp    # OP Session Proxy
```

I don't know what OP Session Proxy is…maybe someone else can explain. I'd investigate this further…

The rest of the TCP connections and all of the UDP connections are normal (DNS, ICMP, ssh, http, etc).

The connections labeled unix never go outside the boundaries of your system ("unix" is shorthand for "unix-domain sockets"…these were named when TCP/IP was the province of Unix systems only…since about the mid-1980s or so, the proper term for them is "local-domain sockets" to reflect that TCP/IP no longer belongs to Unix exclusively and communication over them is always local). These are all related to normal system/application services.

> I get the following when I check the ports

> `lsof -i tcp:3306 -P -R`

Port 3306 is the well-known port for mysql. This is normal.

> `lsof -i tcp:53 -P -R` (n.b., this command was implied from context)

Port 53 is DNS…also normal

> `lsof -i tcp:57286 -P -R` and `lsof -i tcp:46692 -P -R`

Ports 57286 and 46692 are temporary ports the system has allocated to handle the inbound TCP connections from IP addresses 45.9.148.99 and 104.223.142.164 respectively that I discussed above. Provided the communication is legitimate, these are legitimate as well.

As I said before, I would investigate the use of port 3307 further. It may be innocuous but, not knowing anything about what your system does, I just can't tell. If it's not legitimate, you can close access to the port in your firewall with relative ease.

-- sw
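Added example, not from the thread: a small classifier for `netstat -an` rows that records who initiated each connection. The state column carries the direction: SYN_SENT marks a connection this host is initiating (it has sent the SYN and is waiting for the reply), which is the evidence a responder looks for when the abuse report concerns outbound traffic. The sample rows mirror those posted above with the redacted addresses replaced by TEST-NET documentation addresses; the set of ports a LAMP host is expected to dial out to is an assumption.

```python
"""Classify `netstat -an` socket rows by who initiated each connection."""
import ipaddress
import re

# Assumption for the example: ports a plain LAMP host is expected to dial
# out to on its own (DNS, HTTP/HTTPS for updates and APIs, NTP). Tune per host.
EXPECTED_OUTBOUND_PORTS = {53, 80, 123, 443}

SOCKET_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"\s*(?P<state>\S*)$")


def split_endpoint(endpoint):
    """'127.0.0.1:3306' -> ('127.0.0.1', 3306); ':::80' -> ('::', 80); '*' -> None."""
    addr, port = endpoint.rsplit(":", 1)
    return addr, (int(port) if port.isdigit() else None)


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:            # e.g. a redacted 'xxx.xx.xxx.xxx'
        return False


def classify(netstat_output):
    """Return one dict per socket row with a verdict and a flagged bit."""
    rows = []
    for line in netstat_output.splitlines():
        m = SOCKET_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    listening = {split_endpoint(r["local"])[1] for r in rows if r["state"] == "LISTEN"}
    for r in rows:
        laddr, lport = split_endpoint(r["local"])
        fport = split_endpoint(r["foreign"])[1]
        r["flagged"] = False
        if r["state"] == "LISTEN":
            scope = "loopback only" if is_loopback(laddr) else "reachable from the network"
            r["verdict"] = f"listener, {scope}"
        elif r["state"] == "SYN_SENT":
            # We sent the SYN and are waiting for SYN/ACK: this host is dialing out.
            r["verdict"] = "outbound, initiated by this host"
            r["flagged"] = fport not in EXPECTED_OUTBOUND_PORTS
        elif r["state"] == "ESTABLISHED":
            # Without -p the only directional hint is whether our port is a listener.
            inbound = lport in listening
            r["verdict"] = "inbound to a listener" if inbound else "outbound (established)"
            r["flagged"] = not inbound and fport not in EXPECTED_OUTBOUND_PORTS
        else:
            r["verdict"] = f"{r['proto']} {r['state'] or 'stateless'}"
    return rows


# Constructed sample mirroring the rows posted in this thread, with the
# redacted addresses replaced by documentation (TEST-NET) addresses.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address        Foreign Address       State
tcp   0      0      127.0.0.1:3306       0.0.0.0:*             LISTEN
tcp   0      0      127.0.0.53:53        0.0.0.0:*             LISTEN
tcp   0      0      0.0.0.0:22           0.0.0.0:*             LISTEN
tcp   0      1      203.0.113.10:57286   198.51.100.7:443      SYN_SENT
tcp   0      1      203.0.113.10:46692   192.0.2.55:3307       SYN_SENT
tcp6  0      0      :::80                :::*                  LISTEN
"""

SUSPECT_PEERS = [r["foreign"] for r in classify(SAMPLE_NETSTAT) if r["flagged"]]
```

Pair a flagged peer with `ss -tnp` or `netstat -anp` (run as root) to get the owning PID, and cross-check that PID against the process list.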

@stevewi

You write:

> You're welcome…

Thank you again for your help. I really do appreciate the time you spend looking into it and the knowledge you share.

> Just as a practical note… When you have screen output like this, enclose it between lines consisting of 3 backquotes (```). Doing so will present the text between as "code" and make your post a lot more readable.

And this

> Just as another practical matter, it's not a very good idea to publish your IP address(es) or domain name(s) in an open forum like this (you never know who might be scanning the posts here for such information)

Thanks for the notes, I have just updated my posts :)

> I don't know what OP Session Proxy is…maybe someone else can explain. I'd investigate this further…

I will look into it, and hopefully will find some valuable information.

Thank you again for your help :)
