Unknown process attempting to connect outbound to port 21

Support for security such as Firewalls and securing linux
elr325
Posts: 2
Joined: 2014/04/11 14:22:24
Location: Johnson City, Tennessee, USA

Unknown process attempting to connect outbound to port 21

Post by elr325 » 2014/04/11 15:31:29

Hi,

CentOS 6.5 appears to be trying to connect outbound unattended to ftp (port 21) at Walla Walla University (192...), McClatchy Management Services (166...) and Indiana University (156...). Iptables setup is blocking these attempts.

Any ideas as to what process is causing this, or do I have a more serious problem?

More details:
Seeing the following in syslog messages for the first time overnight, all occurring between Apr 11 01:03:51 and Apr 11 01:04:06. Nothing that I know of should have been trying to ftp out from the machine. Machine is in my home and at this time of the morning it is powered on but unattended.

9 Log Entries/attempts:
Apr 11 01:03:51 XPS400 kernel: blockedIN= OUT=eth0 SRC=192.168.1.122 DST=192.147.172.161 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44565 DF PROTO=TCP SPT=56547 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0

18 Entries/attempts:
Apr 11 01:03:51 XPS400 kernel: blockedIN= OUT=eth0 SRC=192.168.1.122 DST=166.108.30.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55561 DF PROTO=TCP SPT=55568 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0

9 Entries/attempts:
Apr 11 01:03:52 XPS400 kernel: blockedIN= OUT=eth0 SRC=192.168.1.122 DST=156.56.247.193 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29794 DF PROTO=TCP SPT=45659 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 11 01:03:52 XPS40

Cron log for this time period
Apr 11 00:50:01 XPS400 CROND[9517]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Apr 11 01:00:01 XPS400 CROND[9537]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Apr 11 01:01:01 XPS400 CROND[9542]: (root) CMD (run-parts /etc/cron.hourly)
Apr 11 01:01:01 XPS400 run-parts(/etc/cron.hourly)[9542]: starting 0anacron
Apr 11 01:01:01 XPS400 anacron[9553]: Anacron started on 2014-04-11
Apr 11 01:01:01 XPS400 anacron[9553]: Jobs will be executed sequentially
Apr 11 01:01:01 XPS400 anacron[9553]: Normal exit (0 jobs run)
Apr 11 01:01:01 XPS400 run-parts(/etc/cron.hourly)[9555]: finished 0anacron
Apr 11 01:10:01 XPS400 CROND[9651]: (root) CMD (/usr/lib64/sa/sa1 1 1)

Iptables uses a restrictive approach and drops everything which is not explicitly allowed.
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
5909 555K ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:imap
8432 1477K ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:urd
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:submission
163 15898 ACCEPT tcp -- any any anywhere anywhere tcp dpt:imaps
107 9495 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3s
825 53187 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
1 328 ACCEPT udp -- any any anywhere anywhere udp dpt:bootps
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:bootpc
220 16720 ACCEPT udp -- any any anywhere anywhere udp dpt:ntp
60 3600 LOGNDROP all -- any any anywhere anywhere

Chain LOGNDROP (3 references)
pkts bytes target prot opt in out source destination
789 46217 LOG all -- any any anywhere anywhere LOG level warning prefix `blocked'
789 46217 DROP all -- any any anywhere anywhere

Can't seem to find out anything from Google related to this.

If more information is needed please let me know.

Thanks in advance for your help.
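
Added example, not part of the original posts: a small Python parser for the netfilter LOG entries quoted above, which groups host-originated drops by destination, protocol and port and skips cut-off lines. The function names and the shortened sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: shortened copies of the quoted entries; the second 166.108.30.22 line is made up.
SAMPLE = """\
Apr 11 01:03:51 XPS400 kernel: blockedIN= OUT=eth0 SRC=192.168.1.122 DST=192.147.172.161 LEN=60 TTL=64 ID=44565 DF PROTO=TCP SPT=56547 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 11 01:03:51 XPS400 kernel: blockedIN= OUT=eth0 SRC=192.168.1.122 DST=166.108.30.22 LEN=60 TTL=64 ID=55561 DF PROTO=TCP SPT=55568 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 11 01:03:52 XPS400 kernel: blockedIN= OUT=eth0 SRC=192.168.1.122 DST=166.108.30.22 LEN=60 TTL=64 ID=55562 DF PROTO=TCP SPT=55568 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 11 01:03:52 XPS400 kernel: blockedIN= OUT=eth0 SRC=192.168.1.122 DST=156.56.247.193 LEN=60 TTL=64 ID=29794 DF PROTO=TCP SPT=45659 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 11 01:03:52 XPS40
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ kernel: (.*)$")
START = re.compile(r"IN=\S* OUT=")      # where netfilter's own fields begin
FIELD = re.compile(r"([A-Z]+)=(\S*)")   # KEY=value pairs; bare flags (DF, SYN) are ignored

def parse(line):
    """Return the fields of one netfilter LOG line, or None if it is unusable."""
    head = SYSLOG.match(line)
    msg = head.group(2) if head else ""
    start = START.search(msg)
    if not start:
        return None  # not a LOG line, or cut off before the fields
    rec = dict(FIELD.findall(msg[start.start():]))
    if not {"DST", "PROTO"} <= rec.keys():
        return None  # cut off in the middle of the entry
    # A --log-prefix without a trailing space is glued to IN= ("blockedIN=")
    rec.update(ts=head.group(1), prefix=msg[:start.start()].strip())
    return rec

def summarize(text):
    """Group locally generated outbound drops by (DST, PROTO, DPT)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    skipped = 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse(line)
        if rec is None:
            skipped += 1
        elif not rec["IN"] and rec["OUT"]:  # empty IN= means the host itself sent it
            g = groups[(rec["DST"], rec["PROTO"], rec.get("DPT", "-"))]
            g["count"] += 1
            g["first"] = g["first"] or rec["ts"]
            g["last"] = rec["ts"]
    return dict(groups), skipped

if __name__ == "__main__":
    groups, skipped = summarize(SAMPLE)
    for key, g in sorted(groups.items(), key=lambda kv: -kv[1]["count"]):
        print(*key, g["count"], g["first"], g["last"], f"(skipped {skipped})")
```

The LOG target does not record which process sent the packet; if the rule is given `--log-uid`, the extra `UID=` field is picked up by the same field parser.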

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Unknown process attempting to connect outbound to port 2

Post by avij » 2014/04/11 16:59:43

Those are CentOS mirrors. Check /var/log/yum.log to see if anything got installed/updated at that time.

elr325
Posts: 2
Joined: 2014/04/11 14:22:24
Location: Johnson City, Tennessee, USA

Re: Unknown process attempting to connect outbound to port 2

Post by elr325 » 2014/04/11 17:18:19

Thank you for the fast reply.
Sounds like it's nothing to be worried about.
Nothing in /var/log/yum.log for the time in question.
If I see this again I'll open port 21 outbound so it can accomplish whatever it's trying to do.

Thanks again.
