I am on a quest to analyze high egress traffic from my VM. Analyzing iftop logs, I noticed that a lot of traffic is conducted from various ports on my VM, such as :42272, :42292, :42294, :55166, etc.
Below is the capture of iftop -P -t -L 10000 | grep "=>" | grep -v https
I have masked my IP address as xx.xxx.x.x
1 xx.xxx.x.x:ssh => 142KB 67.8KB 67.8KB 542KB
561 xx.xxx.x.x:42272 => 688B 172B 172B 1.34KB
562 xx.xxx.x.x:42292 => 688B 172B 172B 1.34KB
563 xx.xxx.x.x:42294 => 687B 172B 172B 1.34KB
564 xx.xxx.x.x:55166 => 0B 172B 172B 1.34KB
565 xx.xxx.x.x:42322 => 686B 172B 172B 1.34KB
566 xx.xxx.x.x:42234 => 0B 171B 171B 1.34KB
567 xx.xxx.x.x:42306 => 684B 171B 171B 1.33KB
568 xx.xxx.x.x:42340 => 684B 171B 171B 1.33KB
569 xx.xxx.x.x:55276 => 0B 171B 171B 1.34KB
570 xx.xxx.x.x:42336 => 683B 171B 171B 1.33KB
571 xx.xxx.x.x:42194 => 0B 171B 171B 1.33KB
572 xx.xxx.x.x:55280 => 0B 171B 171B 1.33KB
573 xx.xxx.x.x:42282 => 681B 170B 170B 1.33KB
574 xx.xxx.x.x:55178 => 0B 170B 170B 1.33KB
575 xx.xxx.x.x:42274 => 680B 170B 170B 1.33KB
576 xx.xxx.x.x:42196 => 0B 170B 170B 1.32KB
I don't know what this traffic is. I think all the traffic to my VM should be through the Apache server (port 443) and a little bit from :22 for my SSH.
When I count the bytes sent through the above ports, it is not much, about 32KB/s, but if it is an attack, I would still like to fix it.
So is this traffic on these suspicious ports legitimate? If not, what should my next steps be?
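One way to triage this iftop output from a defender's side, added here as an example and not code from the poster: pull the local ports out of the `=>` lines, classify each against the kernel's ephemeral port range (a port in that range is the client side of a connection a local process opened outbound, not a service being hit from outside), and look up the owning process with `ss`. The sample lines are constructed from the question's capture, and the fallback range 32768-60999 is an assumption taken from the Linux default.

```shell
#!/bin/sh
# Extract the local ports from 'iftop -t' text output. The "=>" lines look like
#   561 xx.xxx.x.x:42272 => 688B 172B 172B 1.34KB
# so the field before "=>" is local_addr:port; keep the part after the last ':'.
iftop_local_ports() {
    awk '$3 == "=>" { n = split($2, a, ":"); print a[n] }' | sort -u
}

# Classify one port against an ephemeral range (low high). Ports inside the
# range belong to connections a local process initiated; ports below it are
# more likely a listening service. Range defaults assume Linux (32768 60999).
classify_port() {
    port=$1; low=${2:-32768}; high=${3:-60999}
    case $port in
        *[!0-9]*) echo "$port service-name" ;;   # e.g. "ssh" resolved by iftop
        *) if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
               echo "$port ephemeral"
           else
               echo "$port non-ephemeral"
           fi ;;
    esac
}

# Show which local process owns the socket on a port (process column needs
# root). ss filter syntax: sport = :PORT.
port_owner() {
    ss -tanp "( sport = :$1 )"
}

# Constructed sample of the question's iftop output (not captured live).
SAMPLE='1 xx.xxx.x.x:ssh => 142KB 67.8KB 67.8KB 542KB
561 xx.xxx.x.x:42272 => 688B 172B 172B 1.34KB
564 xx.xxx.x.x:55166 => 0B 172B 172B 1.34KB
565 xx.xxx.x.x:42322 => 686B 172B 172B 1.34KB'

# Use the running kernel's ephemeral range when available, else the assumed default.
if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
    read -r LOW HIGH < /proc/sys/net/ipv4/ip_local_port_range
else
    LOW=32768; HIGH=60999
fi
for p in $(printf '%s\n' "$SAMPLE" | iftop_local_ports); do
    classify_port "$p" "$LOW" "$HIGH"
done
```

On the VM itself, feed the real `iftop -P -t` capture into `iftop_local_ports` and run `port_owner <port>` as root for each ephemeral port; the process name that holds the socket is the actual finding, and an unexpected one is what warrants investigation.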