Why is Google approaching my VPS machine?Network activity through port 17500iptables drops some packets on port 80 and i don't know the causeIPTables Logging a Flood of “TCP INCOMPLETE” MessagesIptables ESTABLISHED,RELATED chain problemsiptables: How to read this OPT string?Understanding log messages from iptablesWhy do some outgoing IP traffic not contain UID information?OpenVPN Access Server: Remote Subnet Cannot Access Client's ResourcesHow to ACCEPT multicast connection with iptables's rule?debian kvm server with iptables is dropping bridge packetsIPTables blocking port despite Allow rule

Possible executive assistant job scam

Check the validity of a 10-digit telephone number

CO₂ level is high enough that it reduces cognitive ability. Isn't that a reason to worry?

SD Card speed degrading and doesn't work on one of my cameras: can I do something?

Visiting a place in Brussels where Pink Floyd recorded a video

What is a good way to challenge a Warlock with the Agonizing Blast invocation?

Is it sportsmanlike to waste opponents' time by giving check at the end of the game?

What are these criss-cross patterns close to Cambridge Airport (UK)?

Should a middle class person emulate a very wealthy investor for % of cash hold?

How do I find the unknown program enabled during Start-Up?

Why do the US media keep claiming that Iran is violating their nuclear deal even though the deal was withdrawn by the US?

Why did Leia not want to tell Han about Luke being her twin brother?

What type of beer is best for beer battered fish?

When should we use "Got it?" and "Get it?"

An historical mystery : Poincaré’s silence on Lebesgue integral and measure theory?

Could you fly a Boeing 747 on Venus?

What is the difference between turbojet and turbofan engines?

Implement the Max-Pooling operation from Convolutional Neural Networks

Improving the observation skill & making less blunders

Do modern jet engines need igniters?

How do the Martian rebels defeat Earth when they're grossly outnumbered and outgunned?

How to avoid answering "what were you sick with"?

Can "marriage" be used as a verb?

Constraint of NDSolve with an integral of the solution



Why is Google approaching my VPS machine?


Network activity through port 17500iptables drops some packets on port 80 and i don't know the causeIPTables Logging a Flood of “TCP INCOMPLETE” MessagesIptables ESTABLISHED,RELATED chain problemsiptables: How to read this OPT string?Understanding log messages from iptablesWhy do some outgoing IP traffic not contain UID information?OpenVPN Access Server: Remote Subnet Cannot Access Client's ResourcesHow to ACCEPT multicast connection with iptables's rule?debian kvm server with iptables is dropping bridge packetsIPTables blocking port despite Allow rule






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;









36

















I'm trying to track network activities on my machine running CentOS 7.



According to iptables logs, it seems that Google (74.125.133.108) is approaching my VPS many times.



I can see that source-port is always 993.



What is the reason for that?



16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=60 TOS=0x00 PREC=0xA0 TTL=107 ID=4587 PROTO=TCP SPT=993 DPT=47920 WINDOW=62392 RES=0x00 ACK SYN URGP=0
16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=4666 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=2767 TOS=0x00 PREC=0xA0 TTL=107 ID=4668 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=331 TOS=0x00 PREC=0xA0 TTL=107 ID=4704 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=150 TOS=0x00 PREC=0xA0 TTL=107 ID=4705 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=299 TOS=0x00 PREC=0xA0 TTL=107 ID=4733 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=4771 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=354 TOS=0x00 PREC=0xA0 TTL=107 ID=5026 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5094 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=128 TOS=0x00 PREC=0xA0 TTL=107 ID=5116 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5187 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=124 TOS=0x00 PREC=0xA0 TTL=107 ID=5189 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5195 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=339 TOS=0x00 PREC=0xA0 TTL=107 ID=5213 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=119 TOS=0x00 PREC=0xA0 TTL=107 ID=5214 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5229 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5257 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK FIN URGP=0





iptables







share|improve this question


































    36

















    I'm trying to track network activities on my machine running CentOS 7.



    According to iptables logs, it seems that Google (74.125.133.108) is approaching my VPS many times.



    I can see that source-port is always 993.



    What is the reason for that?



    16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=60 TOS=0x00 PREC=0xA0 TTL=107 ID=4587 PROTO=TCP SPT=993 DPT=47920 WINDOW=62392 RES=0x00 ACK SYN URGP=0
    16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=4666 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
    16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=2767 TOS=0x00 PREC=0xA0 TTL=107 ID=4668 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
    16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=331 TOS=0x00 PREC=0xA0 TTL=107 ID=4704 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
    16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=150 TOS=0x00 PREC=0xA0 TTL=107 ID=4705 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
    16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=299 TOS=0x00 PREC=0xA0 TTL=107 ID=4733 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
    16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=4771 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
    16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=354 TOS=0x00 PREC=0xA0 TTL=107 ID=5026 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
    16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5094 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
    16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=128 TOS=0x00 PREC=0xA0 TTL=107 ID=5116 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
    16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5187 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
    16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=124 TOS=0x00 PREC=0xA0 TTL=107 ID=5189 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
    16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5195 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
    16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=339 TOS=0x00 PREC=0xA0 TTL=107 ID=5213 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
    16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=119 TOS=0x00 PREC=0xA0 TTL=107 ID=5214 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
    16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5229 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
    16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5257 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK FIN URGP=0





    iptables







    share|improve this question






























      36












      36








      36


      6






      I'm trying to track network activities on my machine running CentOS 7.



      According to iptables logs, it seems that Google (74.125.133.108) is approaching my VPS many times.



      I can see that source-port is always 993.



      What is the reason for that?



      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=60 TOS=0x00 PREC=0xA0 TTL=107 ID=4587 PROTO=TCP SPT=993 DPT=47920 WINDOW=62392 RES=0x00 ACK SYN URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=4666 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=2767 TOS=0x00 PREC=0xA0 TTL=107 ID=4668 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=331 TOS=0x00 PREC=0xA0 TTL=107 ID=4704 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=150 TOS=0x00 PREC=0xA0 TTL=107 ID=4705 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=299 TOS=0x00 PREC=0xA0 TTL=107 ID=4733 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=4771 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=354 TOS=0x00 PREC=0xA0 TTL=107 ID=5026 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5094 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=128 TOS=0x00 PREC=0xA0 TTL=107 ID=5116 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5187 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=124 TOS=0x00 PREC=0xA0 TTL=107 ID=5189 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5195 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=339 TOS=0x00 PREC=0xA0 TTL=107 ID=5213 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=119 TOS=0x00 PREC=0xA0 TTL=107 ID=5214 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5229 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5257 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK FIN URGP=0





      iptables







      share|improve this question

















      I'm trying to track network activities on my machine running CentOS 7.



      According to iptables logs, it seems that Google (74.125.133.108) is approaching my VPS many times.



      I can see that source-port is always 993.



      What is the reason for that?



      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=60 TOS=0x00 PREC=0xA0 TTL=107 ID=4587 PROTO=TCP SPT=993 DPT=47920 WINDOW=62392 RES=0x00 ACK SYN URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=4666 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=2767 TOS=0x00 PREC=0xA0 TTL=107 ID=4668 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=331 TOS=0x00 PREC=0xA0 TTL=107 ID=4704 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=150 TOS=0x00 PREC=0xA0 TTL=107 ID=4705 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=299 TOS=0x00 PREC=0xA0 TTL=107 ID=4733 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=4771 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=354 TOS=0x00 PREC=0xA0 TTL=107 ID=5026 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5094 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:11 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=128 TOS=0x00 PREC=0xA0 TTL=107 ID=5116 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5187 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=124 TOS=0x00 PREC=0xA0 TTL=107 ID=5189 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5195 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=339 TOS=0x00 PREC=0xA0 TTL=107 ID=5213 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=119 TOS=0x00 PREC=0xA0 TTL=107 ID=5214 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK PSH URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5229 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK URGP=0
      16:22:12 kernel: ipt IN=eth0 OUT= MAC=... SRC=74.125.133.108 DST=... LEN=52 TOS=0x00 PREC=0xA0 TTL=107 ID=5257 PROTO=TCP SPT=993 DPT=47920 WINDOW=248 RES=0x00 ACK FIN URGP=0





      iptables




      iptables






      share|improve this question
















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jul 21 at 22:52









      Peter Mortensen

      2,1765 gold badges22 silver badges24 bronze badges




      2,1765 gold badges22 silver badges24 bronze badges










      asked Jul 17 at 13:34









      ishahakishahak

      3163 silver badges7 bronze badges




      3163 silver badges7 bronze badges























          2 Answers
          2






          active

          oldest

          votes


















          101


















          Notice the ACK SYN on the first packet in your dump? Those flags indicate the second stage of the three-way TCP handshake.



          Since this packet is coming from Google, it indicates that Google is not "approaching your VPS"; your VPS is connecting to Google on port 993, and Google is sending back an acknowledgement.



          To investigate this further, you can use the iptables command to view details (including process IDs) of connections that are currently active. You can also use the kernel audit subsystem to log outgoing connections as they happen.






          share|improve this answer





















          • 10





            Thanks for solving this mystery. Indeed I do have a process that downloads email from Google. Special thanks for suggesting the auditctl tool!

            – ishahak
            Jul 18 at 8:29


















          28


















          Port 993 is for encrypted IMAP traffic.



          Gmail has a feature where it can check external IMAP servers and bring those emails into your inbox.



          As such, I suspect your IP address was previously that of someone's email server, and they configured Gmail to check that server for their emails. (Alternatively, but less likely, that "someone" is you, and you forgot you did this.)






          share|improve this answer























          • 10





            This might plausibly explain why the destination port would be 993/tcp, but in OP's case, it's the source port. The destination port is 47920/tcp.

            – a CVn
            Jul 17 at 22:19






          • 6





            @aCVn Which suggests that the OP might be connecting to Google, instead of the other way around...

            – marcelm
            Jul 17 at 23:12






          • 4





            @marcelm That is indeed the case, as indicated by the ACK SYN flags on the first packet in the list. I've posted a more detailed explanation as an answer.

            – David
            Jul 17 at 23:31







          • 1





            @marcelm Maybe there is malware on the server attempting to send spam via gmail somehow.

            – Qwertie
            Jul 18 at 7:17






          • 2





            @Qwertie: Most malware sending spam would go for SMTP ports (25/465/587) and wouldn't bother with IMAP.

            – grawity
            Jul 18 at 13:20













          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );














          draft saved

          draft discarded
















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f975594%2fwhy-is-google-approaching-my-vps-machine%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown


























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          101


















          Notice the ACK SYN on the first packet in your dump? Those flags indicate the second stage of the three-way TCP handshake.



          Since this packet is coming from Google, it indicates that Google is not "approaching your VPS"; your VPS is connecting to Google on port 993, and Google is sending back an acknowledgement.



          To investigate this further, you can use the iptables command to view details (including process IDs) of connections that are currently active. You can also use the kernel audit subsystem to log outgoing connections as they happen.






          share|improve this answer





















          • 10





            Thanks for solving this mystery. Indeed I do have a process that downloads email from Google. Special thanks for suggesting the auditctl tool!

            – ishahak
            Jul 18 at 8:29















          101


















          Notice the ACK SYN on the first packet in your dump? Those flags indicate the second stage of the three-way TCP handshake.



          Since this packet is coming from Google, it indicates that Google is not "approaching your VPS"; your VPS is connecting to Google on port 993, and Google is sending back an acknowledgement.



          To investigate this further, you can use the iptables command to view details (including process IDs) of connections that are currently active. You can also use the kernel audit subsystem to log outgoing connections as they happen.






          share|improve this answer





















          • 10





            Thanks for solving this mystery. Indeed I do have a process that downloads email from Google. Special thanks for suggesting the auditctl tool!

            – ishahak
            Jul 18 at 8:29













          101














          101










          101









          Notice the ACK SYN on the first packet in your dump? Those flags indicate the second stage of the three-way TCP handshake.



          Since this packet is coming from Google, it indicates that Google is not "approaching your VPS"; your VPS is connecting to Google on port 993, and Google is sending back an acknowledgement.



          To investigate this further, you can use the iptables command to view details (including process IDs) of connections that are currently active. You can also use the kernel audit subsystem to log outgoing connections as they happen.






          share|improve this answer














          Notice the ACK SYN on the first packet in your dump? Those flags indicate the second stage of the three-way TCP handshake.



          Since this packet is coming from Google, it indicates that Google is not "approaching your VPS"; your VPS is connecting to Google on port 993, and Google is sending back an acknowledgement.



          To investigate this further, you can use the iptables command to view details (including process IDs) of connections that are currently active. You can also use the kernel audit subsystem to log outgoing connections as they happen.







          share|improve this answer













          share|improve this answer




          share|improve this answer










          answered Jul 17 at 23:30









          DavidDavid

          7161 gold badge5 silver badges5 bronze badges




          7161 gold badge5 silver badges5 bronze badges










          • 10





            Thanks for solving this mystery. Indeed I do have a process that downloads email from Google. Special thanks for suggesting the auditctl tool!

            – ishahak
            Jul 18 at 8:29












          • 10





            Thanks for solving this mystery. Indeed I do have a process that downloads email from Google. Special thanks for suggesting the auditctl tool!

            – ishahak
            Jul 18 at 8:29







          10




          10





          Thanks for solving this mystery. Indeed I do have a process that downloads email from Google. Special thanks for suggesting the auditctl tool!

          – ishahak
          Jul 18 at 8:29





          Thanks for solving this mystery. Indeed I do have a process that downloads email from Google. Special thanks for suggesting the auditctl tool!

          – ishahak
          Jul 18 at 8:29













          28


















          Port 993 is for encrypted IMAP traffic.



          Gmail has a feature where it can check external IMAP servers and bring those emails into your inbox.



          As such, I suspect your IP address was previously that of someone's email server, and they configured Gmail to check that server for their emails. (Alternatively, but less likely, that "someone" is you, and you forgot you did this.)






          share|improve this answer























          • 10





            This might plausibly explain why the destination port would be 993/tcp, but in OP's case, it's the source port. The destination port is 47920/tcp.

            – a CVn
            Jul 17 at 22:19






          • 6





            @aCVn Which suggests that the OP might be connecting to Google, instead of the other way around...

            – marcelm
            Jul 17 at 23:12






          • 4





            @marcelm That is indeed the case, as indicated by the ACK SYN flags on the first packet in the list. I've posted a more detailed explanation as an answer.

            – David
            Jul 17 at 23:31







          • 1





            @marcelm Maybe there is malware on the server attempting to send spam via gmail somehow.

            – Qwertie
            Jul 18 at 7:17






          • 2





            @Qwertie: Most malware sending spam would go for SMTP ports (25/465/587) and wouldn't bother with IMAP.

            – grawity
            Jul 18 at 13:20
















          28


















          Port 993 is for encrypted IMAP traffic.



          Gmail has a feature where it can check external IMAP servers and bring those emails into your inbox.



          As such, I suspect your IP address was previously that of someone's email server, and they configured Gmail to check that server for their emails. (Alternatively, but less likely, that "someone" is you, and you forgot you did this.)






          share|improve this answer























          • 10





            This might plausibly explain why the destination port would be 993/tcp, but in OP's case, it's the source port. The destination port is 47920/tcp.

            – a CVn
            Jul 17 at 22:19






          • 6





            @aCVn Which suggests that the OP might be connecting to Google, instead of the other way around...

            – marcelm
            Jul 17 at 23:12






          • 4





            @marcelm That is indeed the case, as indicated by the ACK SYN flags on the first packet in the list. I've posted a more detailed explanation as an answer.

            – David
            Jul 17 at 23:31







          • 1





            @marcelm Maybe there is malware on the server attempting to send spam via gmail somehow.

            – Qwertie
            Jul 18 at 7:17






          • 2





            @Qwertie: Most malware sending spam would go for SMTP ports (25/465/587) and wouldn't bother with IMAP.

            – grawity
            Jul 18 at 13:20














          28














          28










          28









          Port 993 is for encrypted IMAP traffic.



          Gmail has a feature where it can check external IMAP servers and bring those emails into your inbox.



          As such, I suspect your IP address was previously that of someone's email server, and they configured Gmail to check that server for their emails. (Alternatively, but less likely, that "someone" is you, and you forgot you did this.)






          share|improve this answer
















          Port 993 is for encrypted IMAP traffic.



          Gmail has a feature where it can check external IMAP servers and bring those emails into your inbox.



          As such, I suspect your IP address was previously that of someone's email server, and they configured Gmail to check that server for their emails. (Alternatively, but less likely, that "someone" is you, and you forgot you did this.)







          share|improve this answer















          share|improve this answer




          share|improve this answer








          edited Jul 21 at 22:52









          Peter Mortensen

          2,1765 gold badges22 silver badges24 bronze badges




          2,1765 gold badges22 silver badges24 bronze badges










          answered Jul 17 at 14:03









          ceejayozceejayoz

          28.3k6 gold badges70 silver badges97 bronze badges




          28.3k6 gold badges70 silver badges97 bronze badges










          • 10





            This might plausibly explain why the destination port would be 993/tcp, but in OP's case, it's the source port. The destination port is 47920/tcp.

            – a CVn
            Jul 17 at 22:19






          • 6





            @aCVn Which suggests that the OP might be connecting to Google, instead of the other way around...

            – marcelm
            Jul 17 at 23:12






          • 4





            @marcelm That is indeed the case, as indicated by the ACK SYN flags on the first packet in the list. I've posted a more detailed explanation as an answer.

            – David
            Jul 17 at 23:31







          • 1





            @marcelm Maybe there is malware on the server attempting to send spam via gmail somehow.

            – Qwertie
            Jul 18 at 7:17






          • 2





            @Qwertie: Most malware sending spam would go for SMTP ports (25/465/587) and wouldn't bother with IMAP.

            – grawity
            Jul 18 at 13:20













          • 10





            This might plausibly explain why the destination port would be 993/tcp, but in OP's case, it's the source port. The destination port is 47920/tcp.

            – a CVn
            Jul 17 at 22:19






          • 6





            @aCVn Which suggests that the OP might be connecting to Google, instead of the other way around...

            – marcelm
            Jul 17 at 23:12






          • 4





            @marcelm That is indeed the case, as indicated by the ACK SYN flags on the first packet in the list. I've posted a more detailed explanation as an answer.

            – David
            Jul 17 at 23:31







          • 1





            @marcelm Maybe there is malware on the server attempting to send spam via gmail somehow.

            – Qwertie
            Jul 18 at 7:17






          • 2





            @Qwertie: Most malware sending spam would go for SMTP ports (25/465/587) and wouldn't bother with IMAP.

            – grawity
            Jul 18 at 13:20








          10




          10





          This might plausibly explain why the destination port would be 993/tcp, but in OP's case, it's the source port. The destination port is 47920/tcp.

          – a CVn
          Jul 17 at 22:19





          This might plausibly explain why the destination port would be 993/tcp, but in OP's case, it's the source port. The destination port is 47920/tcp.

          – a CVn
          Jul 17 at 22:19




          6




          6





          @aCVn Which suggests that the OP might be connecting to Google, instead of the other way around...

          – marcelm
          Jul 17 at 23:12





          @aCVn Which suggests that the OP might be connecting to Google, instead of the other way around...

          – marcelm
          Jul 17 at 23:12




          4




          4





          @marcelm That is indeed the case, as indicated by the ACK SYN flags on the first packet in the list. I've posted a more detailed explanation as an answer.

          – David
          Jul 17 at 23:31






          @marcelm That is indeed the case, as indicated by the ACK SYN flags on the first packet in the list. I've posted a more detailed explanation as an answer.

          – David
          Jul 17 at 23:31





          1




          1





          @marcelm Maybe there is malware on the server attempting to send spam via gmail somehow.

          – Qwertie
          Jul 18 at 7:17





          @marcelm Maybe there is malware on the server attempting to send spam via gmail somehow.

          – Qwertie
          Jul 18 at 7:17




          2




          2





          @Qwertie: Most malware sending spam would go for SMTP ports (25/465/587) and wouldn't bother with IMAP.

          – grawity
          Jul 18 at 13:20






          @Qwertie: Most malware sending spam would go for SMTP ports (25/465/587) and wouldn't bother with IMAP.

          – grawity
          Jul 18 at 13:20



















          draft saved

          draft discarded















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f975594%2fwhy-is-google-approaching-my-vps-machine%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown









          -

          Popular posts from this blog

          Tamil (spriik) Luke uk diar | Nawigatjuun

          Image
          Fering ArtiikelDrawiidisk Spriiken SölringÖömrangFeringHalunderHalifreeskMooringWiringhiirderKarhiirderGooshiirderDrawiidisk SpriikTamil NaduIndienSri Lanka (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003EFersteegu003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="frr" dir="ltr"u003Eu003Cdiv id="sitenotice"u003Enu003Ccenteru003Enu003Ctable class="rahmenfarbe4" style="border-style: solid; border-width: thin; width: 70%;"u003Ennu003Ctbodyu003Eu003Ctru003Enu003Ctd style="text-align:center;"u003Eu003Ca href="/wiki/Datei:Nordfriesischeflagge.svg" class="image"u003Eu003Cimg alt="Nordfriesische
          Read more

          Align equal signs while including text over equalitiesAMS align: left aligned text/math plus multicolumn alignmentMultiple alignmentsAligning equations in multiple placesNumbering and aligning an equation with multiple columnsHow to align one equation with another multline equationUsing \ in environments inside the begintabularxNumber equations and preserving alignment of equal signsHow can I align equations to the left and to the right?Double equation alignment problem within align enviromentAligned within align: Why are they right-aligned?

          Image
          Why didn't the Universal Translator speak whale? What is /dev/null and why can't I use hx on it? The work of mathematicians outside their professional environment Does the DOJ's declining to investigate the Trump-Zelensky call ruin the basis for impeachment? Are there any tricks to pushing a grand piano? Maintaining distance Does it require less energy to reach the Sun from Pluto's orbit than from Earth's orbit? Object Oriented Design: Where to place behavior that pertains to more than one type of object? Choice of solvent during thin layer chromatography How to catch creatures that can predict the next few minutes? Use floats or doubles when writing mobile games How come the Russian cognate for the Czech word "čerstvý" (fresh) means entirely the opposite thing (stale)? What are the limits on an impeached and not convicted president? How to calculate Limit of this sequence Bash-script as linux-service won't run, but executed
          Read more

          Where does the image of a data connector as a sharp metal spike originate from?Where does the concept of infected people turning into zombies only after death originate from?Where does the motif of a reanimated human head originate?Where did the notion that Dragons could speak originate?Where does the archetypal image of the 'Grey' alien come from?Where did the suffix '-Man' originate?Where does the notion of being injured or killed by an illusion originate?Where did the term “sophont” originate?Where does the trope of magic spells being driven by advanced technology originate from?Where did the term “the living impaired” originate?

          Image
          Automatically extend a Python list to N elements if it's too short? Fired for a policy I didnt know about, as well as another false reason Why isn't tilde recognised as home folder in this case? When does an Artillerist's Cannon have disadvantage? How large should a hole be for a bolt to go through? When is TeX better than LaTeX? How to determine if drill is suitable for concrete? Huygens Lander: Why The Short Battery Life? Why do people use bigger cassettes for lower gearing when they could instead use smaller chainrings? Is there a difference between downloading / installing a list of packages and downloading each packge by its own? Question about exercise 21.10 in The TeXbook How to publish a page using tridion core service client in sdl web 8.5 Can one get into trouble if one doesn't show up at the gate 30 minutes before departure (or whatever time window the boarding pass is indicating)? Does an action-reaction pair always contain the same
          Read more