webmailhttps connected? What does this mean?

[noimad1]

Ok, so our server has just been crashing multiple times over the past few days for no apparent reason at all.

I am trying to look through the log files for any indicatino of fowl play. I'm not seeing much, but I do see a bunch of these:

Apr 29 21:42:47 h1 stunnel[13977]: webmailhttps connected from 68.231.82.107:2032
Apr 29 21:42:47 h1 stunnel[13977]: Connection closed: 5703 bytes sent to SSL, 636 bytes sent to socket
Apr 29 21:42:48 h1 stunnel[13980]: webmailhttps connected from 68.231.82.107:2033
Apr 29 21:42:48 h1 stunnel[13983]: webmailhttps connected from 68.231.82.107:2034
Apr 29 21:43:02 h1 stunnel[13980]: Connection closed: 1639 bytes sent to SSL, 8012 bytes sent to socket
Apr 29 21:43:02 h1 stunnel[13983]: Connection closed: 1490 bytes sent to SSL, 7428 bytes sent to socket
Apr 29 21:43:02 h1 stunnel[13991]: webmailhttps connected from 68.231.82.107:2035
Apr 29 21:43:03 h1 stunnel[13991]: Connection closed: 887 bytes sent to SSL, 762 bytes sent to socket
Apr 29 21:43:04 h1 stunnel[13994]: webmailhttps connected from 68.231.82.107:2036
Apr 29 21:43:04 h1 stunnel[13995]: webmailhttps connected from 68.231.82.107:2037
Apr 29 21:43:04 h1 stunnel[13994]: Connection closed: 0 bytes sent to SSL, 627 bytes sent to socket
Apr 29 21:43:04 h1 stunnel[13995]: Connection closed: 714 bytes sent to SSL, 777 bytes sent to socket
Apr 29 21:43:04 h1 stunnel[13999]: webmailhttps connected from 68.231.82.107:2038
Apr 29 21:43:04 h1 stunnel[14002]: webmailhttps connected from 68.231.82.107:2039
Apr 29 21:43:04 h1 stunnel[13999]: Connection closed: 3177 bytes sent to SSL, 776 bytes sent to socket
Apr 29 21:43:04 h1 stunnel[14005]: webmailhttps connected from 68.231.82.107:2040
Apr 29 21:43:04 h1 stunnel[14005]: Connection closed: 2967 bytes sent to SSL, 704 bytes sent to socket
Apr 29 21:43:05 h1 stunnel[14002]: Connection closed: 6153 bytes sent to SSL, 761 bytes sent to socket
Apr 29 21:43:05 h1 stunnel[14009]: webmailhttps connected from 68.231.82.107:2041
Apr 29 21:43:05 h1 stunnel[14010]: webmailhttps connected from 68.231.82.107:2042
Apr 29 21:43:05 h1 stunnel[14010]: Connection closed: 149 bytes sent to SSL, 757 bytes sent to socket
Apr 29 21:43:05 h1 stunnel[14009]: Connection closed: 149 bytes sent to SSL, 754 bytes sent to socket
Apr 29 21:43:05 h1 stunnel[14013]: webmailhttps connected from 68.231.82.107:2043
Apr 29 21:43:05 h1 stunnel[14014]: webmailhttps connected from 68.231.82.107:2044
Apr 29 21:43:05 h1 stunnel[14013]: Connection closed: 149 bytes sent to SSL, 761 bytes sent to socket
Apr 29 21:43:05 h1 stunnel[14014]: Connection closed: 149 bytes sent to SSL, 769 bytes sent to socket
Apr 29 21:43:05 h1 stunnel[14017]: webmailhttps connected from 68.231.82.107:2045
Apr 29 21:43:05 h1 stunnel[14018]: webmailhttps connected from 68.231.82.107:2046
Apr 29 21:43:05 h1 stunnel[14017]: Connection closed: 149 bytes sent to SSL, 761 bytes sent to socket
Apr 29 21:43:05 h1 stunnel[14018]: Connection closed: 149 bytes sent to SSL, 757 bytes sent to socket
Apr 29 21:43:06 h1 stunnel[14021]: webmailhttps connected from 68.231.82.107:2047
Apr 29 21:43:06 h1 stunnel[14021]: Connection closed: 149 bytes sent to SSL, 756 bytes sent to socket
Apr 29 21:43:06 h1 stunnel[14023]: webmailhttps connected from 68.231.82.107:2048
Apr 29 21:43:06 h1 stunnel[14023]: Connection closed: 0 bytes sent to SSL, 627 bytes sent to socket
Apr 29 21:43:08 h1 stunnel[14025]: webmailhttps connected from 68.231.82.107:2049
Apr 29 21:43:09 h1 stunnel[14025]: Connection closed: 699 bytes sent to SSL, 1138 bytes sent to socket
Apr 29 21:43:09 h1 stunnel[14030]: webmailhttps connected from 68.231.82.107:2050
Apr 29 21:43:12 h1 stunnel[14030]: Connection closed: 6151 bytes sent to SSL, 709 bytes sent to socket
Apr 29 21:43:19 h1 stunnel[14042]: webmailhttps connected from 68.231.82.107:2051
Apr 29 21:43:19 h1 stunnel[14042]: Connection closed: 644 bytes sent to SSL, 785 bytes sent to socket
Apr 29 21:43:20 h1 stunnel[14045]: webmailhttps connected from 68.231.82.107:2052
Apr 29 21:43:21 h1 stunnel[14045]: Connection closed: 40225 bytes sent to SSL, 726 bytes sent to socket


To me it looks like someone is trying to connect to webmail through different ports?

Does anyone know what this is?

Thanks
Damion

[abnormis]

We're having this same problem. All services become unavailable and the server needs a hard reboot. Last entries in the logs are:

Sep 13 08:57:34 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63395
Sep 13 08:57:34 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63394
Sep 13 08:57:34 zeus stunnel[2983]: Connection closed: 564 bytes sent to SSL, 621 bytes sent to socket
Sep 13 08:57:34 zeus stunnel[2983]: webmailhttps connected from 136.159.43.78:4761
Sep 13 08:57:34 zeus stunnel[2983]: Connection closed: 952 bytes sent to SSL, 617 bytes sent to socket
Sep 13 08:57:34 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 607 bytes sent to socket
Sep 13 08:57:34 zeus stunnel[2983]: cpanelhttps connected from 24.0.88.175:1354
Sep 13 08:57:34 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63396
Sep 13 08:57:34 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 604 bytes sent to socket
Sep 13 08:57:34 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 605 bytes sent to socket
Sep 13 08:57:34 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63397
Sep 13 08:57:35 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 610 bytes sent to socket
Sep 13 08:57:35 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 609 bytes sent to socket
Sep 13 08:57:35 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63401
Sep 13 08:57:36 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63402
Sep 13 08:57:36 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 613 bytes sent to socket
Sep 13 08:57:36 zeus stunnel[2983]: Connection closed: 2688 bytes sent to SSL, 1194 bytes sent to socket
Sep 13 08:57:36 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 611 bytes sent to socket
Sep 13 08:57:36 zeus stunnel[2983]: cpanelhttps connected from 24.0.88.175:1355
Sep 13 08:57:36 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63403
Sep 13 08:57:36 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63404
Sep 13 08:57:36 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 612 bytes sent to socket
Sep 13 08:57:37 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 612 bytes sent to socket
Sep 13 08:57:37 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63405
Sep 13 08:57:37 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 610 bytes sent to socket
Sep 13 08:57:37 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63398
Sep 13 08:57:37 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63399
Sep 13 08:57:38 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 598 bytes sent to socket
Sep 13 08:57:38 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 613 bytes sent to socket
Sep 13 08:57:43 zeus stunnel[2983]: Connection closed: 5401 bytes sent to SSL, 3442 bytes sent to socket
Sep 13 08:57:46 zeus stunnel[2983]: Connection closed: 1499 bytes sent to SSL, 1297 bytes sent to socket

etc..etc..

Is this some form of DoS attack? I've even checked ip_conntrack_max.

root@zeus [~]# cat /proc/sys/net/ipv4/ip_conntrack_max
34576

root@zeus [~]# wc -l /proc/net/ip_conntrack
790 /proc/net/ip_conntrack

Anyone have any ideas?

-Marc

[niatech]

I had a similar issue last night. I'm still trying to find out what was wrong. Do you have more information on this?

What OS are you running?