Topic: What is this suspicious outgoing traffic?
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3, downloadable
- Linux/BSD distribution name and version: Debian stretch
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I originally posted here and did not see the replies later, and the topic is closed.
https://forum.iredmail.org/topic17060-v … erver.html
Is there any reason I would see such traffic going out from an iRedMail server? I don't see why, in the older post, I would see attempts to reach VPN or game ports.
Example traffic destinations (all source ports are 80), with reverse DNS:
54.37.244.206:4500 (ns3114160.ip-54-37-244.eu)
45.61.142.130:6672 (amsterdam-premium-game-1.octovpn.net)
195.62.46.92:25565 (edge1.ger.enterprise.tcpmitigate.xyz)
144.217.178.39:8081 (ip39.ip-144-217-178.net)
Today I'm seeing traffic from the HTTP and SSH ports to random high-numbered ports. Can anyone explain why this would be? Thank you.
Jul 11 12:09:43 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:27 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:19 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:15 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:13 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 11:44:37 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:21 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:13 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:09 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:44:07 MyInterface MyIP:22 61.177.172.160:44213 TCP:SA
Jul 11 11:20:00 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:19:18 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:58 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:48 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:43 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:41 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:39 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:39 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:17:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:FA
Jul 11 11:16:53 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:16:21 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:16:04 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:56 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:52 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:50 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:A
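The log lines above carry enough information to settle the direction question on their own, so here is an added triage script (not from the post and not part of iRedMail). It parses the quoted lines, groups them into flows, and reads two things a practitioner looks at first: the TCP flags and the spacing between repeats. A packet leaving MyIP:22 or MyIP:80 with flags SA, PA or FA is the listening sshd or nginx answering a connection that the remote host opened from an ephemeral port; the 2, 4, 8, 16 second spacing is the kernel's retransmission timer doubling because the remote side stopped answering (an unanswered SYN-ACK means a half-open connection, typical of a port scan or a spoofed source). For contrast the script adds one constructed line, labelled as such, showing what a connection the server itself opened would look like. Assumptions are marked in the code: the year (the log has none), the table of local listening ports, and the 1.5x growth threshold used to recognise backoff.

```python
"""Triage firewall log lines reported as 'outgoing' (format as in the post above):
group packets into flows, read the TCP flags and the retransmission timing, and
decide whether the server is replying to an inbound connection or opened one itself."""
import re
from collections import defaultdict
from datetime import datetime

# Three of the four flows quoted in the post, copied verbatim (the 61.177.172.160
# flow is omitted; it has the same shape as the 182.131.30.53 one).
POSTED_LOG = """\
Jul 11 12:09:43 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:27 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:19 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:15 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 12:09:13 MyInterface MyIP:22 182.131.30.53:58914 TCP:SA
Jul 11 11:20:00 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:19:18 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:58 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:48 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:43 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:41 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:39 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:18:39 MyInterface MyIP:80 112.94.99.142:13807 TCP:FPA
Jul 11 11:17:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:FA
Jul 11 11:16:53 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:16:21 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:16:04 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:56 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:52 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:50 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:49 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:PA
Jul 11 11:15:48 MyInterface MyIP:22 141.98.11.113:54696 TCP:A
"""
# Constructed line, not from the post: what locally initiated egress looks like,
# a bare SYN from an ephemeral local port to a remote service port.
CONSTRUCTED_EGRESS = "Jul 11 12:30:00 MyInterface MyIP:51234 45.61.142.130:6672 TCP:S"

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) +\S+ +"
                     r"\S+:(?P<lport>\d+) +(?P<rhost>\S+):(?P<rport>\d+) +TCP:(?P<flags>[A-Z]+)$")
LISTENING = {22: "ssh", 25: "smtp", 80: "http", 143: "imap", 443: "https", 587: "submission", 993: "imaps"}
ASSUMED_YEAR = 2020  # the log carries no year; only the deltas between lines matter

def parse_line(line):
    """Return (timestamp, local port, remote host, remote port, flags), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, int(m["lport"]), m["rhost"], int(m["rport"]), m["flags"]

def group_flows(lines):
    """Bucket packets by (local port, remote host, remote port), ordered by time."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        flows[rec[1:4]].append((rec[0], rec[4]))
    return {key: sorted(pkts) for key, pkts in flows.items()}

def is_exponential_backoff(times, growth=1.5):
    """True when the last gaps between packets keep growing by >= `growth`: the TCP
    retransmission timer doubling because the peer never acknowledged anything."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    gaps = [g for g in gaps if g > 0][-4:]  # look at the last four non-zero gaps
    return len(gaps) >= 3 and all(later >= growth * earlier for earlier, later in zip(gaps, gaps[1:]))

def classify_flow(key, packets):
    lport, rhost, rport = key
    times = [t for t, _ in packets]
    flags = {f for _, f in packets}
    result = {"backoff": is_exponential_backoff(times), "packets": len(packets)}
    service = LISTENING.get(lport)
    if service and rport > 1023:
        # Our side is a listening service, theirs an ephemeral port: they connected
        # to us, and every packet here is the server's reply, not an egress attempt.
        if flags == {"SA"}:
            what = "SYN-ACK to an inbound SYN, handshake never completed (scan or spoofed source)"
        elif any("P" in f for f in flags):
            what = f"{service} server data (banner/response) to an inbound connection"
        else:
            what = f"{service} ACK/FIN to an inbound connection"
        return {**result, "direction": "inbound-initiated", "what": what}
    if lport > 1023 and flags == {"S"}:
        # Ephemeral local port sending a bare SYN: a local process opened this one.
        return {**result, "direction": "outbound-initiated", "what": "local process connecting out; find it with ss -tnp"}
    return {**result, "direction": "unknown", "what": "does not match either pattern"}

def triage(lines):
    return {key: classify_flow(key, pkts) for key, pkts in group_flows(lines).items()}

if __name__ == "__main__":
    for (lport, rhost, rport), r in triage(POSTED_LOG.splitlines() + [CONSTRUCTED_EGRESS]).items():
        retx = ", retransmitted with exponential backoff" if r["backoff"] else ""
        print(f"MyIP:{lport} -> {rhost}:{rport} ({r['packets']} pkts) {r['direction']}: {r['what']}{retx}")
```

Run against the posted lines, every flow comes out as inbound-initiated with exponential backoff, and only the constructed line is classified as the server connecting out. The same split applies to the first set of destinations (source port 80 towards 4500, 6672, 25565, 8081): what matters is which side holds the ephemeral port and whether the first packet in the flow is a bare SYN from MyIP, which the posted summary does not show, so `ss -tnp` (or `netstat -tnp`) on the server at the time is the check that distinguishes a reply from a real outbound connection.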