Is my server getting attacked or is this normal behaviour?

Smaily

Well-Known Member
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n

1 Address (what's this?)
1 and (what's this?)
18 80.10.100.45 (one of my own server IPs)
18 80.10.100.46 (one of my own server IPs)
18 80.10.100.47 (one of my own server IPs)
59 80.10.100.10 (one of my own server IPs)
59 80.10.100.7 (one of my own server IPs)
70 127.0.0.1 (70 connections is normal?)
76 80.10.100.2 (one of my own server IPs and also ns1)
76 80.10.100.5 (one of my own server IPs)
77 80.10.100.4 (one of my own server IPs)
346 0.0.0.0 (346 connections is normal?)

cPanelTristan

Quality Assurance Analyst
Staff member
You've improperly set the command and are getting bad data in the return. The same happens on my system when I run that command:

Code:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
      1 Address
      1 and
      4 127.0.0.1
     29 0.0.0.0
But if I run a good command, I get good data:

Code:
# netstat -atun|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n
      1 0.0.0.0
This is checking for traffic on port 80 rather than the full return of netstat including the topmost lines as your command is doing. If you want all tcp traffic, you can try:

Code:
netstat -atun|grep tcp|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n
Replace tcp with udp for all udp traffic. Try just running "netstat -atun" without any modifiers to see what it is pulling the data from in order to understand the output.

Smaily

Well-Known Member
Thanks!

As I had CSF firewall I updated it and started using portflood protection as follows.
PORTFLOOD = "80;tcp;20;3,53;tcp;20;3"

Came to this solution since I seemed to get a lot of connections to port 53 even though Apache wasn't running on those IP addresses. Used the command netstat -ntulp to figure it out.

If this didn't help, I'll get back asking. :)

But are connections like this normal?

on port 80:
39 127.0.0.1
166 0.0.0.0

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
Did you run "netstat -atun" to check what those connections happen to be? I cannot answer the question on whether those are normal because there aren't enough details on what the connections happen to be. 127.0.0.1 is localhost, so any locally served connections would be using that IP.

As such, please run the command I'd indicated to see what the connections are to see if those are normal connections.

Smaily

Well-Known Member
Sep 19, 2011
Code:
udp 0 0 80.10.100.2:54244 80.10.100.2:27015 ESTABLISHED
udp 0 0 80.10.100.10:46820 80.10.100.10:27015 ESTABLISHED
udp 0 0 80.10.100.10:35300 80.10.100.10:27015 ESTABLISHED
udp 0 0 80.10.100.2:34148 80.10.100.2:27015 ESTABLISHED
udp 4080 0 80.10.100.5:33636 80.10.100.5:27015 ESTABLISHED
udp 4464 0 80.10.100.4:54245 80.10.100.4:27015 ESTABLISHED
udp 0 0 80.10.100.7:46821 80.10.100.7:27015 ESTABLISHED
udp 0 0 80.10.100.7:35301 80.10.100.7:27015 ESTABLISHED
udp 0 0 80.10.100.7:33765 80.10.100.7:27015 ESTABLISHED
udp 0 0 80.10.100.10:33637 80.10.100.10:27015 ESTABLISHED
udp 4464 0 80.10.100.5:54246 80.10.100.5:27015 ESTABLISHED
udp 0 0 80.10.100.2:46694 80.10.100.2:27015 ESTABLISHED
udp 0 0 80.10.100.2:33510 80.10.100.2:27015 ESTABLISHED
udp 0 0 80.10.100.10:54247 80.10.100.10:27015 ESTABLISHED
udp 0 0 80.10.100.2:46951 80.10.100.2:27015 ESTABLISHED
udp 0 0 80.10.100.2:41575 80.10.100.2:27015 ESTABLISHED
udp 4080 0 80.10.100.4:33511 80.10.100.4:27015 ESTABLISHED
udp 0 0 80.10.100.7:54248 80.10.100.7:27015 ESTABLISHED
udp 4080 0 80.10.100.4:46952 80.10.100.4:27015 ESTABLISHED
udp 4080 0 80.10.100.4:41576 80.10.100.4:27015 ESTABLISHED
udp 0 0 80.10.100.10:35944 80.10.100.10:27015 ESTABLISHED
udp 4080 0 80.10.100.5:33512 80.10.100.5:27015 ESTABLISHED
udp 0 0 80.10.100.7:41321 80.10.100.7:27015 ESTABLISHED
udp 4080 0 80.10.100.5:46953 80.10.100.5:27015 ESTABLISHED
udp 4080 0 80.10.100.5:41577 80.10.100.5:27015 ESTABLISHED
udp 0 0 80.10.100.7:35945 80.10.100.7:27015 ESTABLISHED
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 80.10.100.10:46954 80.10.100.10:27015 ESTABLISHED
udp 0 0 80.10.100.10:41578 80.10.100.10:27015 ESTABLISHED
udp 0 0 80.10.100.10:33514 80.10.100.10:27015 ESTABLISHED
udp 0 0 80.10.100.7:46955 80.10.100.7:27015 ESTABLISHED
udp 0 0 80.10.100.7:41579 80.10.100.7:27015 ESTABLISHED
udp 0 0 80.10.100.7:33515 80.10.100.7:27015 ESTABLISHED
udp 0 0 80.10.100.2:41324 80.10.100.2:27015 ESTABLISHED
udp 0 0 80.10.100.2:41580 80.10.100.2:27015 ESTABLISHED
udp 0 0 80.10.100.2:33132 80.10.100.2:27015 ESTABLISHED
udp 4464 0 80.10.100.5:41325 80.10.100.5:27015 ESTABLISHED
udp 0 0 80.10.100.2:46957 80.10.100.2:27015 ESTABLISHED
udp 4080 0 80.10.100.4:41581 80.10.100.4:27015 ESTABLISHED
udp 4080 0 80.10.100.4:33133 80.10.100.4:27015 ESTABLISHED
udp 0 0 80.10.100.10:41326 80.10.100.10:27015 ESTABLISHED
udp 4080 0 80.10.100.4:46958 80.10.100.4:27015 ESTABLISHED
udp 4080 0 80.10.100.5:41582 80.10.100.5:27015 ESTABLISHED
udp 4080 0 80.10.100.5:33134 80.10.100.5:27015 ESTABLISHED
udp 0 0 80.10.100.7:41327 80.10.100.7:27015 ESTABLISHED
udp 4080 0 80.10.100.5:46959 80.10.100.5:27015 ESTABLISHED
udp 0 0 80.10.100.10:41583 80.10.100.10:27015 ESTABLISHED
udp 0 0 80.10.100.10:33135 80.10.100.10:27015 ESTABLISHED
udp 0 0 80.10.100.10:46960 80.10.100.10:27015 ESTABLISHED
udp 0 0 80.10.100.7:41584 80.10.100.7:27015 ESTABLISHED
udp 0 0 80.10.100.2:35952 80.10.100.2:27015 ESTABLISHED
udp 0 0 80.10.100.7:33136 80.10.100.7:27015 ESTABLISHED
udp 0 0 80.10.101.150:4465 203.119.27.1:53 ESTABLISHED
udp 0 0 80.10.100.2:42353 80.10.100.2:27015 ESTABLISHED
udp 0 0 80.10.100.7:46961 80.10.100.7:27015 ESTABLISHED
udp 0 0 80.10.100.2:41585 80.10.100.2:27015 ESTABLISHED
udp 0 0 80.10.100.2:33521 80.10.100.2:27015 ESTABLISHED
udp 4080 0 80.10.100.4:42354 80.10.100.4:27015 ESTABLISHED
udp 0 0 80.10.101.150:45434 80.10.101.150:53 ESTABLISHED
udp 0 0 :::32794 :::*
udp 0 0 :::5353 :::*
They seem to be Counter-Strike game connections to port 27015, if I'm not mistaken?
Anyhow, what bothers me is that there is nothing else running on 80.10.101.150 than ns2,
yet there is a connection from China.
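Added example, not code from any post in this thread: a small POSIX shell/awk script that does what cPanelTristan's answer describes, counting only connected sockets per foreign address, and then classifies rows of the kind pasted above. It skips the two netstat header lines (the source of the `Address` and `and` rows), skips LISTEN sockets whose foreign address is `0.0.0.0:*` or `:::*` (the source of the large `0.0.0.0` count), and strips the port at the last colon so IPv6 entries such as `:::5353` survive where `cut -d: -f1` would not. It tags a socket as LOCAL when the foreign IP is this host (the 27015 rows, where both ends carry the same address), as DNS-QUERY when the foreign port is 53 (the `80.10.101.150:4465 -> 203.119.27.1:53` row: the remote end holds port 53, so this host sent the lookup), and as DNS-SERVED when the local port is 53. The netstat sample is constructed in the shape of the pasted output with documentation address ranges, not captured data, and the tag names and function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts and classifies the rows of
# `netstat -atun` without the problems in the original one-liner:
#   * header lines are skipped (they produced the "Address" and "and" rows);
#   * LISTEN sockets, whose foreign address is "0.0.0.0:*" or ":::*", are
#     skipped (they produced the large "0.0.0.0" count);
#   * the port is stripped at the LAST colon, so IPv6 survives where
#     `cut -d: -f1` reduces "2001:db8::9:5100" to "2001" and ":::*" to "".
set -eu
export LC_ALL=C

# Constructed sample in the shape of the pasted output (not a real capture;
# documentation address ranges stand in for real peers).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 80.10.100.2:80          198.51.100.7:51234      ESTABLISHED
tcp        0      0 80.10.100.2:80          198.51.100.7:51235      ESTABLISHED
tcp        0      0 80.10.100.2:80          203.0.113.9:40001       ESTABLISHED
tcp        0      0 80.10.101.150:53        198.51.100.20:40022     ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:45012         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 2001:db8::2:22          2001:db8::9:5100        ESTABLISHED
udp        0      0 80.10.100.2:54244       80.10.100.2:27015       ESTABLISHED
udp        0      0 80.10.101.150:4465      203.119.27.1:53         ESTABLISHED
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp6       0      0 :::5353                 :::*'

# Source of rows; swap in `netstat -atun` to run against a live host.
rows() { printf '%s\n' "$SAMPLE"; }

# The thread's original pipeline, for comparison: header words and the
# LISTEN wildcard show up as if they were peers.
naive_count() {
    rows | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c | sort -n
}

# Connected sockets only, counted per foreign IP ("<count> <ip>").
peers_by_ip() {
    rows | awk '
        $1 ~ /^(tcp|udp)6?$/ && $5 !~ /\*$/ {
            ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -k1,1n -k2
}

# One line per connected socket: "<tag> <proto> <local> -> <foreign>".
#   LOCAL      foreign IP is this host (loopback, or equal to the local IP)
#   DNS-QUERY  foreign port is 53: this host sent a lookup to that server
#   DNS-SERVED local port is 53: a client is talking to our nameserver
#   REMOTE     anything else
classify() {
    rows | awk '
        $1 ~ /^(tcp|udp)6?$/ && $5 !~ /\*$/ {
            lip = $4; sub(/:[0-9]+$/, "", lip); lport = $4; sub(/.*:/, "", lport)
            rip = $5; sub(/:[0-9]+$/, "", rip); rport = $5; sub(/.*:/, "", rport)
            if (rip == lip || rip == "127.0.0.1" || rip == "::1") tag = "LOCAL"
            else if (rport == "53")                                tag = "DNS-QUERY"
            else if (lport == "53")                                tag = "DNS-SERVED"
            else                                                   tag = "REMOTE"
            print tag, $1, $4, "->", $5
        }'
}

echo "== original pipeline =="; naive_count
echo "== connected sockets per foreign IP =="; peers_by_ip
echo "== classification =="; classify
```

On the constructed sample, `naive_count` still reports `Address`, `and` and three `0.0.0.0` "peers", while `peers_by_ip` lists only the seven real foreign addresses. A UDP socket shows `ESTABLISHED` only when the process called connect() on it, so the direction of the port-53 row is readable from which end holds port 53; a large number of LOCAL rows to one port, as with 27015 above, is the host talking to itself rather than inbound traffic.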

brianoz

Well-Known Member
Came to this solution since I seemed to get a lot of connections to port 53 even though Apache wasn't running on those IP addresses. Used the command netstat -ntulp to figure it out.
I guess if it works all well and good, but port 53 is DNS - although connections should probably be UDP rather than TCP.