The Community Forums


Exploit scanning ports?

Discussion in 'Security' started by notero, Apr 9, 2013.

  1. notero

    notero Member
    Joined: Apr 9, 2013
    cPanel Access Level: Root Administrator
    I am having issues with one of our servers. Suddenly we have a high rate of packet loss to the server. When we ping the server we lose almost all packets.

    When I check network activity I can see activity from/to random ports on my server from/to random ports of a single IP.

    Then...

    * If I stop httpd the problem gets resolved (but that is not a reasonable solution ;)

    * If I get this IP blocked the issue gets solved, but then, in a few hours, it appears again with another IP.

    I have run a complete scan with clamav and there isn't any virus.

    Any clue as to what is happening and how I can debug this?

    Thanks
     
  2. storminternet

    storminternet Well-Known Member
    Joined: Nov 2, 2011
    cPanel Access Level: Root Administrator
    It seems there is a high number of connections on port 80. It can be because of a DDoS attack on port 80 or on any site hosted on your server.
    Have you checked the Apache logs to determine the cause and source of the attack?
     
  3. notero

    notero Member
    Joined: Apr 9, 2013
    cPanel Access Level: Root Administrator
    Connections are not to port 80 of the server. Connections are to random high ports of the server. That is the strange part. Why, when httpd stops, do all those connections disappear? Can Apache open connections from the server on a port other than 80?
    Thanks
     
  4. notero

    notero Member
    Joined: Apr 9, 2013
    cPanel Access Level: Root Administrator
    Here is an example of what I am saying. I get this from iftop:

    Code:
    SERVER_IP:http   => 66.249.76.192:53642       0b  42.8kb  10.7kb
                     <=                           0b  1.29kb    329b
    SERVER_IP:13891  => OTHER_IP:26675        87.9kb  17.6kb  4.39kb
                     <=                           0b      0b      0b
    SERVER_IP:27462  => ATACKER_IP:12617      87.9kb  17.6kb  4.39kb
                     <=                           0b      0b      0b
    SERVER_IP:20528  => ATACKER_IP:30291      87.9kb  17.6kb  4.39kb
                     <=                           0b      0b      0b
    SERVER_IP:20047  => ATACKER_IP:22103      87.9kb  17.6kb  4.39kb
                     <=                           0b      0b      0b
    SERVER_IP:12373  => ATACKER_IP:28504      87.9kb  17.6kb  4.39kb
                     <=                           0b      0b      0b
    SERVER_IP:21574  => ATACKER_IP:29286      87.9kb  17.6kb  4.39kb
                     <=                           0b      0b      0b
    SERVER_IP:25161  => ATACKER_IP:25457      87.9kb  17.6kb  4.39kb
                     <=                           0b      0b      0b
    SERVER_IP:31090  => ATACKER_IP:12911      87.9kb  17.6kb  4.39kb
                     <=                           0b      0b      0b
    SERVER_IP:21043  => ATACKER_IP:14410      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:25399  => ATACKER_IP:19032      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:20274  => ATACKER_IP:30029      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:19831  => ATACKER_IP:14412      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:27477  => ATACKER_IP:18498      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:19280  => ATACKER_IP:28225      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:22106  => ATACKER_IP:14439      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:23091  => ATACKER_IP:19065      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:19822  => ATACKER_IP:27959      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:26984  => ATACKER_IP:18771      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:17761  => ATACKER_IP:31314      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:22616  => ATACKER_IP:20596      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:30582  => ATACKER_IP:16968      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:28243  => ATACKER_IP:18035      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:22646  => ATACKER_IP:26697      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:18518  => ATACKER_IP:27513      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:13679  => ATACKER_IP:31082      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:29043  => ATACKER_IP:24898      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:23137  => ATACKER_IP:24942      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    SERVER_IP:27498  => ATACKER_IP:21619      82.0kb  16.4kb  4.10kb
                     <=                           0b      0b      0b
    There you can see that the source and destination ports seem to be random.
     
  5. Phincy

    Phincy Member
    Joined: Feb 11, 2012
    cPanel Access Level: Root Administrator
    Hi,

    The following command should show the number of connections and the corresponding IP addresses:

    ---
    # connections to local port 80, counted per remote IP
    # ($5 is netstat's "Foreign Address" column; cut keeps the IP and drops the port)
    netstat -plane | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
    ---

    If you see a large number of connections from any IP address (usually thousands+), I suggest blocking them in the firewall. Another option is to install CSF:

    ConfigServer Security & Firewall

    CSF has very nice features to track such connections using the CT_LIMIT parameter and to block the IP addresses automatically if they appear to be offending. A reasonable value for CT_LIMIT would be around 300.
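As an added example (not from the thread, and not cPanel's or CSF's code), the script below parses iftop flow lines like the ones in post 4 and does for them what the netstat pipeline in post 5 does for port 80: it aggregates per remote IP, but it also counts distinct remote ports and flows that carry no inbound data, which is the pattern the posted output shows (many local high ports sending to one host, nothing coming back). The sample lines are constructed from the post; ATACKER_IP and OTHER_IP are the thread's placeholders, and the regexes assume iftop's default two-line "=>" / "<=" layout with three rate columns.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the iftop output posted in the thread.
SAMPLE = """\
SERVER_IP:http  => 66.249.76.192:53642    0b  42.8kb  10.7kb
                <=                        0b  1.29kb    329b
SERVER_IP:13891 => OTHER_IP:26675     87.9kb  17.6kb  4.39kb
                <=                        0b      0b      0b
SERVER_IP:27462 => ATACKER_IP:12617   87.9kb  17.6kb  4.39kb
                <=                        0b      0b      0b
SERVER_IP:20528 => ATACKER_IP:30291   87.9kb  17.6kb  4.39kb
                <=                        0b      0b      0b
SERVER_IP:21043 => ATACKER_IP:14410   82.0kb  16.4kb  4.10kb
                <=                        0b      0b      0b
"""
UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
OUT_RE = re.compile(r"^(\S+):(\S+)\s+=>\s+(\S+):(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
IN_RE = re.compile(r"^\s*<=\s+(\S+)\s+(\S+)\s+(\S+)$")

def to_bits(rate):
    """'87.9kb' -> bits/s as a float (iftop shows bit rates by default)."""
    m = re.fullmatch(r"([\d.]+)([kmg]?b)", rate.lower())
    return float(m.group(1)) * UNITS[m.group(2)]

def parse_flows(text):
    """Yield (local_port, remote_ip, remote_port, out_bps, in_bps) from the
    paired '=>' / '<=' lines, using iftop's 10-second average column."""
    lines = [l for l in text.splitlines() if l.strip()]
    for out_line, in_line in zip(lines[0::2], lines[1::2]):
        o, i = OUT_RE.match(out_line.strip()), IN_RE.match(in_line.strip())
        if o and i:
            yield o.group(2), o.group(3), o.group(4), to_bits(o.group(6)), to_bits(i.group(2))

def summarise(text):
    """Per remote IP: flow count, distinct remote ports, outbound bits/s, one-way flows."""
    per_ip = defaultdict(lambda: {"flows": 0, "ports": set(), "out_bps": 0.0, "one_way": 0})
    for _lport, rip, rport, out_bps, in_bps in parse_flows(text):
        s = per_ip[rip]
        s["flows"] += 1
        s["ports"].add(rport)
        s["out_bps"] += out_bps
        s["one_way"] += int(in_bps == 0)   # data leaves the server, nothing returns
    return dict(per_ip)

def suspicious(text, min_flows=3):
    """Remote hosts with >= min_flows one-way flows to distinct ports: traffic sent *from* the server."""
    return sorted(ip for ip, s in summarise(text).items()
                  if s["one_way"] >= min_flows and len(s["ports"]) >= min_flows)
```

Run it against a saved `iftop -t -P` text capture; a host that appears in `suspicious()` while the Googlebot-style inbound web hit does not is the distinction the thread is asking about, and it points at the process behind the local ports (for example via `ss -p` or `netstat -p`) rather than at port 80.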
     