To understand which program, do:
and see which pid will establish connections on the 80th port.
To see the traffic itself, try filtering it, for example, with tcpdump:
this way, in a basic form, you will see all traffic on the 80th port. Further it is possible to add keys for filtering superfluous.

What the hoster gave you is most likely a selection from the nginx log or another web server on a remote (not your) host.
Your server hits them on the http host at uri administrator/index.php and gets authorization denied (401 http response).
Those. most likely you have a script running (or run by cron) that initializes such connections.
You need to understand whether such connections are valid for you, or whether your server has been hacked and used by attackers for malicious purposes =))
Commands will come to the rescue:
Show current tcp / udp connections from / to the server, as well as their PID, if you run
you can still play it from the root with the team -
but in its output it is necessary to exclude the selection of requests for own hosts - I think you will figure it out yourself how to do it.
Well, I also recommend that you analyze all cron files (both user and system) for suspicious code and view the list of active processes for suspicious scripts.