You have already received two good answers to your question, so I apologize for adding a new one which addresses something which I read between the lines of your post. My answer is intended to complement the other two answers, not to substitute them.
From the output of netstat it is not possible to determine whether the connection was started by your own machine or by the remote machine. The simple fact that you are asking this question makes me worry, and what makes me worry even more is another strange fact in that output: the use of high ports (which means > 10,000) for both sides of the connection.
Let me explain. PCs provide services to other PCs, in a client/server model: for instance, the Web server listens for requests of Web pages on a specified port (actually, two: 80 and 443) from a remote client. Likewise for ssh, ftp, dns, and so on. All essential services listen on well-known ports (see Wikipedia for instance), some of which are so important as to be carved in stone: their assignment is regulated by no less than IANA. Many other ports, though their use is not regulated by IANA, have become traditional for certain applications. What all of the listening ports have in common is that they are below 10,000. High ports (those above 10,000) are traditionally reserved for outgoing connections, not for listening.
So, how come you see a connection between ports 39922 and 29842? Because someone has set up a service on a very non-standard port, either on your machine or on the remote machine. Is your machine the listening server? The command

sudo ss -lntp

will tell you that: it lists all ports on which your machine listens for incoming (TCP, the -t option) connections, and the associated processes. So you may now look to see which process, if any, is listening on port 39922.
Now let us suppose this does indeed turn out to be the case, i.e. that a service which you did not set up is listening on port 39922. Who does that? Hackers, who use a tool (netcat or nc, the Swiss Army knife of TCP connections) that allows them to connect easily over high ports between their PC and a p0wned PC. This is why I am worried.
Nor am I assuaged by learning that 23.82.16.66 belongs to Nobis Technology, a company which owns several data centers providing cloud server solutions. And, icing on the cake, as I ran the info above through Google, I stumbled upon this post by a sysadmin relating how Nobis Technology is a well-known spammer, and found out that the address above, 23.82.16.66, falls squarely inside one of the ranges the poor guy is trying to block; and, lo and behold, your local IP address, 192.99.202.17, is reported by whatismyipaddress.com to be your mail server.

In the end, what do I make of it? A connection from a well-known spammer to your mail server, over high ports only, of which you know nothing. It seems likely your system has been somehow violated. That's why I am writing this post.
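As an added illustration (not part of the answer above, and not a tool from any project), here is a small Python script that applies the answer's check mechanically: it parses the text printed by `sudo ss -lntp`, picks out every LISTEN socket, and reports those bound to a port above the answer's 10,000 threshold that the administrator has not explicitly listed as expected. The sample `ss` output embedded in the script is constructed for the demonstration, and the names `parse_listeners`, `suspicious_listeners`, `HIGH_PORT_THRESHOLD` and the process names in the sample are assumptions of this example.

```python
import re

# Constructed sample of `ss -lntp` output (not captured from a real host); the
# listener on 39922 mirrors the non-standard high port discussed in the answer.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*          users:(("master",pid=1304,fd=13))
LISTEN  0       128     0.0.0.0:39922       0.0.0.0:*          users:(("nc",pid=4711,fd=3))
LISTEN  0       128     [::]:443            [::]:*             users:(("nginx",pid=990,fd=6))
"""

# One LISTEN row: state, two queue counters, local addr:port, peer addr:port,
# and an optional process column (empty when ss is run without root).
ROW_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$'
)
# First ("name",pid=N,...) pair inside the users:(...) column.
PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

HIGH_PORT_THRESHOLD = 10000  # the answer's rule of thumb for "high" ports (assumed here)


def parse_listeners(ss_text):
    """Parse `ss -lntp` text into a list of dicts with addr, port, process, pid."""
    listeners = []
    for line in ss_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or a non-LISTEN row
        proc = PROC_RE.search(m.group('proc'))
        listeners.append({
            'addr': m.group('addr'),
            'port': int(m.group('port')),
            'process': proc.group('name') if proc else None,
            'pid': int(proc.group('pid')) if proc else None,
        })
    return listeners


def suspicious_listeners(listeners, expected_ports=frozenset(),
                         threshold=HIGH_PORT_THRESHOLD):
    """Return listeners on ports above `threshold` that are not on the expected list."""
    return [l for l in listeners
            if l['port'] > threshold and l['port'] not in expected_ports]


if __name__ == "__main__":
    import sys
    # Usage: sudo ss -lntp | python3 check_listeners.py
    # With no piped input the constructed sample is analysed instead.
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for l in suspicious_listeners(parse_listeners(text)):
        print(f"high port {l['port']} on {l['addr']} held by "
              f"{l['process'] or '?'} (pid {l['pid'] or '?'})")
```

A listener that shows up here is not proof of compromise (some legitimate daemons do bind high ports), but each one should be matched to a process the administrator recognises, which is exactly the step the answer asks the reader to perform by hand.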