SSL – Man in the Middle Attack, or something else?

Tags: ddos, netstat, ssl

I was wondering if someone could help me out with this problem.

We have a webservice that is available only through https:// port 443.

Using netstat I see that there is a particular IP that tries to connect to the server.

For example, all the other connections connect to the server from their port to the server's 443 port (normal https behaviour).

This particular IP, 192.0.73.2, tries to open a connection from remote port 443 to a local port. (Its state is always TIME_WAIT; it goes away and then comes back as TIME_WAIT after a minute or so.)

I am reporting this IP in the open because it has been reported here before:
https://www.abuseipdb.com/check/192.0.73.2

There is a Cisco firewall that protects the company network, and my system admin told me that he could not find any hits from that IP to the server.
But the netstat tool reports otherwise.

Can you offer me any suggestions? Or tell me what is going on? Thank you!

This is what the netstat command shows:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 server_ip:32884         192.0.73.2:443      TIME_WAIT
tcp6       0  69000 server_ip:443           remote_ip:65045     ESTABLISHED
tcp6       0      0 server_ip:443           remote_ip:20467     TIME_WAIT
tcp6       0      0 server_ip:443           remote_ip:55430     TIME_WAIT
tcp6       0      0 server_ip:443           remote_ip:65248     ESTABLISHED

Thank you all for helping me solve this problem. It was a call to Gravatar after all.

Best Answer

A normal hit to 192.0.73.2 redirects to https://en.gravatar.com/. This is definitely not a MITM attack.

Your website is using a Gravatar module, and it is trying to connect to Gravatar's server to gather data, i.e. the user avatar to be used for comments. You need not worry about it, and since it dies after TIME_WAIT it is not able to connect to the server.

You should not be worried, since the IP is not detected by the firewall. It would be best to fix the module trying to access Gravatar and allow access to it.
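The point the answer relies on, that the row's local port is ephemeral and its foreign port is 443, so the server initiated the connection rather than received one, can be checked mechanically. The following Python script is an added example and is not part of the question or the answer: it parses `netstat -tan`-style output in the column layout quoted above, labels each row as listening, inbound or outbound, and tallies the remote hosts the server itself connects to. The sample lines are constructed from the question's output with placeholder addresses (10.0.0.5 for the server, 203.0.113.x for clients), and the set of served ports (`SERVICE_PORTS`) is an assumption for a host that only serves HTTPS.

```python
"""Classify netstat connection rows as inbound vs outbound.

Added example, not code from the original post. Assumes the Linux
`netstat -tan` column layout (Proto Recv-Q Send-Q Local Foreign State).
"""
from collections import Counter

# Assumption: the only service this host exposes is HTTPS on 443.
SERVICE_PORTS = {443}

# Constructed sample modelled on the question's output; addresses are placeholders.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:32884          192.0.73.2:443          TIME_WAIT
tcp6       0  69000 10.0.0.5:443            203.0.113.10:65045      ESTABLISHED
tcp6       0      0 10.0.0.5:443            203.0.113.11:20467      TIME_WAIT
tcp6       0      0 10.0.0.5:443            203.0.113.12:55430      TIME_WAIT
tcp6       0      0 10.0.0.5:443            203.0.113.13:65248      ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). rpartition keeps IPv6 hosts
    (which contain ':') intact; port is None for the '*' of LISTEN rows."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP row, skipping headers and non-TCP lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        proto, recvq, sendq, local, foreign, state = parts[:6]
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({
            "proto": proto,
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": state,
        })
    return rows


def classify(row, service_ports=SERVICE_PORTS):
    """'listening' for sockets waiting for clients, 'inbound' when a client
    reached one of our service ports, otherwise 'outbound': our host picked
    an ephemeral local port and connected to a remote service port."""
    if row["state"] == "LISTEN":
        return "listening"
    if row["local_port"] in service_ports:
        return "inbound"
    return "outbound"


def outbound_destinations(rows):
    """Count (remote host, remote port) pairs this host connected *to*.
    These are the connections an inbound-only firewall view never lists."""
    return Counter(
        (r["foreign_host"], r["foreign_port"])
        for r in rows if classify(r) == "outbound"
    )


def summarize(text):
    """Direction counts for a whole netstat dump."""
    return Counter(classify(r) for r in parse_netstat(text))


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(dict(summarize(SAMPLE_NETSTAT)))
    for dest, n in outbound_destinations(rows).items():
        print("server initiated %d connection(s) to %s:%s" % (n, *dest))
```

Run against the sample, the only outbound row is the one to 192.0.73.2:443, which is why the firewall admin sees no inbound hit from that address: the server opened the connection and the remote side merely replied. The next step on a real host is to find which process owns such a socket (for example with `ss -tanp`, which adds the owning process to each row) rather than to block the remote address.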