Explout scanning ports?

notero · Apr 9, 2013

I am having issues with one of our servers. Sudenlly we have a high rate of loss packages to the server. When we ping the server we loss almost all packages.

When i chack network activity i can see activity from/to random ports on my server from/to randon port of a unique ip.

Then...

*if i stop httpd the problem get resolved (but not a reasonable solution

* if i get this ip bloqued the issue get solved but then, in a few hours appears again with other ip

I have run a complete scan with clamav and tehre isnt any virus.

Any clue of what is happening and how can i debug this?

Thanks

storminternet · Apr 9, 2013

It seems there is high no. of connections on port 80. It can be because of ddos attack on port 80 or any site hosted on your server.
Have you checked the apache logs to determine the cause and source of the attack.

notero · Apr 9, 2013

Coenctions are not to the 80 port of the servier. Conections are to random high ports of the server. That is the strange part. Why when the httpd stops all those conections disapear? Can apache open conections from the server on different port than 80?
Thanks

notero · Apr 10, 2013

Here is an example of what i am saying. I get this from iftop:

Code:

SERVER_IP:http                                                                                       => 66.249.76.192:53642                                                                                          0b   42.8kb  10.7kb
                                                                                                         <=                                                                                                              0b   1.29kb   329b
SERVER_IP:13891                                                                                      => OTHER_IP:26675                                                                                         87.9kb  17.6kb  4.39kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:27462                                                                                      => ATACKER_IP:12617                                                                                         87.9kb  17.6kb  4.39kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:20528                                                                                      => ATACKER_IP:30291                                                                                         87.9kb  17.6kb  4.39kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:20047                                                                                      => ATACKER_IP:22103                                                                                         87.9kb  17.6kb  4.39kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:12373                                                                                      => ATACKER_IP:28504                                                                                         87.9kb  17.6kb  4.39kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:21574                                                                                      => ATACKER_IP:29286                                                                                         87.9kb  17.6kb  4.39kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:25161                                                                                      => ATACKER_IP:25457                                                                                         87.9kb  17.6kb  4.39kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:31090                                                                                      => ATACKER_IP:12911                                                                                         87.9kb  17.6kb  4.39kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:21043                                                                                      => ATACKER_IP:14410                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:25399                                                                                      => ATACKER_IP:19032                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:20274                                                                                      => ATACKER_IP:30029                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:19831                                                                                      => ATACKER_IP:14412                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:27477                                                                                      => ATACKER_IP:18498                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:19280                                                                                      => ATACKER_IP:28225                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:22106                                                                                      => ATACKER_IP:14439                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:23091                                                                                      => ATACKER_IP:19065                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:19822                                                                                      => ATACKER_IP:27959                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:26984                                                                                      => ATACKER_IP:18771                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:17761                                                                                      => ATACKER_IP:31314                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:22616                                                                                      => ATACKER_IP:20596                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:30582                                                                                      => ATACKER_IP:16968                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:28243                                                                                      => ATACKER_IP:18035                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:22646                                                                                      => ATACKER_IP:26697                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:18518                                                                                      => ATACKER_IP:27513                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:13679                                                                                      => ATACKER_IP:31082                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:29043                                                                                      => ATACKER_IP:24898                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:23137                                                                                      => ATACKER_IP:24942                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b
SERVER_IP:27498                                                                                      => ATACKER_IP:21619                                                                                         82.0kb  16.4kb  4.10kb
                                                                                                         <=                                                                                                              0b      0b      0b

- - - Updated - - -

There you can see that the source and destimation port seems to be random

Phincy · Apr 12, 2013

Hi,

The following command should show the number of connections and the corresponding IP addresses

---
netstat -plane | grep :80| cut -d: -f1 | sort| uniq -c | sort -nr
---

If you see large number of connections from any IP addresses(usually thousands+), I suggest to block them in firewall. Another options is to instal CSF

ConfigServer Security & Firewall

The CSF has very nice features to track such connections using CT_LIMIT parameter and block the IP addresses automatically if they appear to be offending. A reasonable value for CT_LIMIT would be around 300

Thread starter	Similar threads	Forum	Replies	Date
H	Cpanel hosting malware scanning not detecting trojan	Security	3	Jul 22, 2022
S	Apple Mail client constantly blocked for port scanning	Security	19	Apr 20, 2022
	ip address scanning opened port alert	Security	2	Feb 16, 2021
	Scanning Zipfiles with AV	Security	3	Jun 19, 2019
F	cxs ModSecurity Scanning (disabled)	Security	2	Jul 27, 2017

Search

Search

Explout scanning ports?

notero

Member

storminternet

Well-Known Member

notero

Member

notero

Member

Phincy

Member