How can I determine which kernel module is responsible for a specific connection showing in NetHogs?

Question

I currently rent a dedicated server from OVH, and I was looking at nethogs to see how much connection capacity a specific process was using. I ended up, however, finding a slew of processes there that I did not authorize that are communicating with IPs all over the world (so far the list includes China, Brazil, US (multiple states), Sweden, United Kingdom, and the Netherlands), based on their names. The full rows in the table for these processes take the form ? root <my server's ip>-<some other ip>. Running nethogs as root does not change this. Using netstat to try to figure out the PID of these results in it saying the PID/Command is equal to -. Some frantic googling, after thinking my server has been hacked, gave me the idea that these are kernel modules using the network in much the same way that NFS does. Looking in lsmod, I see a large number of legitimate-sounding names that I don't recognize, so that is not useful. Even so, a rogue module could call itself something else. As such, I would like to ask how I can tie these connections to specific kernel modules, and then do further research to figure out what is going on.

Thank you

Answer 1

The in-kernel NFS server does not subvert network reporting like this, nor do modules typically exhibit the kind of relationship with networking or reporting thereof that you describe. You may be describing not being able to see process details of privileged or secured commands, and this would be the result of not running your investigation as the root user or similar.

The dashes in your PID or command fields mean that while there is data to be seen there, you're not privy to it. Re-run your investigative commands as root and you should see those dashes replaced with usable data.

As far as determining if this kind of traffic is undesirable, knowing what the server is supposed to be doing in the first place would be helpful in eliminating red herrings.