Hundreds of strange connections in iftop

0 votes
1 answer
186 views
OS is Debian. I'm running nginx as a webserver. I am not running Wordpress. Logging is enabled in the http block with: access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log;

Seeing hundreds of connections in iftop from my webserver at port 443 to 191-242.x.x.alivenet.com.br, for a few hundred different IPs. The strange things are:

* None of the IP addresses listed by iftop show up in my nginx logs, which I have been retaining since server creation.
* These connections show up in iftop even if nginx isn't running. How is that possible? I tried stopping nginx, then confirmed with netstat that nothing is listening on ports 80 or 443, but I still see hundreds of these connections listed in iftop. How can iftop show these connections if nothing is listening on those ports? I even tried disabling nginx and then rebooting my server, but they still show up.
* lsof -a -i4 -i6 -itcp doesn't show any of these connections somehow.
* In nethogs, I see a line: ? root :443-191.242.x.x:. Running as root? Question mark for the pid? This seems absolutely crazy to me. Does this mean there is some process running on my system that somehow isn't assigned a pid, running as root, somehow listening on port 443 despite nginx supposedly currently using that port, that's sending traffic to one of these Brazilian IPs?

What exactly is going on here? Do I need to be concerned? Has my server been hacked? What else should I check to confirm the server is ok? Do I need to block these IPs via iptables? How do I separate hack attempts from legitimate web server traffic? (i.e., someone in Brazil is trying to visit my website) How can nethogs not show a pid? How can iftop show connections on ports that aren't listening? How can these connections not show up in the nginx logs?
Asked by cat pants (167 rep)
Dec 29, 2024, 12:27 AM
Last activity: Jan 10, 2025, 02:46 AM
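As an added triage example (not part of the question or any answer on this page), the script below cross-checks the process-level socket view from `ss -tanp` against nginx's access log: for each established socket on local port 443 it reports the owning PID, if `ss` shows one, and whether the peer IP has ever appeared as a client in the log. The `ss` output and log lines are constructed samples; on a real host you would feed it the output of `ss -tanp` and the contents of /var/log/nginx/access.log.

```python
import re

# Constructed sample of `ss -tanp` output (illustrative, not captured from the question's host).
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:443 203.0.113.7:51234 users:(("nginx",pid=1234,fd=12))
ESTAB 0 0 10.0.0.5:443 198.51.100.9:40001
ESTAB 0 0 10.0.0.5:22 203.0.113.8:55000 users:(("sshd",pid=900,fd=4))
"""

# Constructed nginx access.log lines in the default "combined" format.
ACCESS_LOG_SAMPLE = """\
203.0.113.7 - - [28/Dec/2024:23:55:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.7 - - [28/Dec/2024:23:55:02 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "curl/8.0"
"""

PID_RE = re.compile(r"pid=(\d+)")

def split_host_port(endpoint):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def logged_client_ips(access_log):
    """Collect the client IP (first field of each combined-format line)."""
    return {line.split(" ", 1)[0] for line in access_log.splitlines() if line.strip()}

def triage(ss_output, access_log, local_port=443):
    """Return {peer_ip: (pid_or_None, seen_in_access_log)} for sockets on local_port."""
    seen = logged_client_ips(access_log)
    result = {}
    for line in ss_output.splitlines()[1:]:  # first line is the ss header
        fields = line.split()
        if len(fields) < 5:
            continue
        _, lport = split_host_port(fields[3])
        if lport != local_port:
            continue
        peer_ip, _ = split_host_port(fields[4])
        match = PID_RE.search(fields[5]) if len(fields) > 5 else None
        pid = int(match.group(1)) if match else None
        result[peer_ip] = (pid, peer_ip in seen)
    return result

def suspicious(triaged):
    """Peers whose socket has no owning process, or that nginx never logged."""
    return sorted(ip for ip, (pid, logged) in triaged.items() if pid is None or not logged)

if __name__ == "__main__":
    report = triage(SS_SAMPLE, ACCESS_LOG_SAMPLE)
    for ip, (pid, logged) in report.items():
        print(f"{ip}: pid={pid} in_access_log={logged}")
    print("needs a closer look:", suspicious(report))
```

A peer that `ss` lists with no process, or that iftop shows but `ss` does not list at all, is worth comparing against a packet capture on the interface, since iftop and nethogs read packets off the NIC rather than the socket table.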