
Is this an attack ? very rare at netstat.. please suggestions

Discussion in 'General Discussion' started by sh4ka, Apr 18, 2006.

  1. sh4ka

    sh4ka Well-Known Member

    Look at this ??
    Is this an attack or what? How can I have 300 connections from the primary server IP ??? And how can I stop that ?? I've never seen something like this...

    ## Just pasted the last lines from the output of the next command:
    netstat -an | grep :80 | awk '{ print $5 }' | awk -F: '{ print $1 }' | sort | uniq -c | sort -n

    4 201.226.99.61
    4 201.228.28.110
    4 71.122.139.171
    4 87.217.24.5
    5 200.72.163.226
    5 83.32.103.200
    17 200.121.185.120
    104 168.243.249.17
    301 [PRIMARY_SERVER_IP] ----------------> THIS LINE
     
  2. jackie46

    jackie46 BANNED

    Umm, we see it all the time and there isn't much you can do apart from banning the IP.
     
  3. jamesbond

    jamesbond Well-Known Member

    You ban your primary server ip? ;)
     
  4. nickp666

    nickp666 Well-Known Member

    Are any of the hosted sites using PHP url_fopen() with a URL set to the same server?
     
  5. sh4ka

    sh4ka Well-Known Member

    Do you mean BANNING MY PRIMARY SERVER IP ?? That will cause some errors in the server I think, or am I wrong ?? And I will not be able to access the server.. Otherwise I ban only MY PRIMARY SERVER IP to the 80 PORT, and how can I do that using APF ??

    Also, now after talking with datacenter techs, one of them told me it may be some SYN flood, to put a firewall and try to put off the keepalives in httpd.conf.... and already did keepalives, already have APF well configured, with anti-DoS working, have eth0's suggestions about sysctl hardening...

    Load average is better after these changes, but running the netstat command I got 482 connections from the PRIMARY SERVER IP
     
  6. jamesbond

    jamesbond Well-Known Member

    I was asking jackie46 that question :) It doesn't seem like a good idea to me.
     
  7. sh4ka

    sh4ka Well-Known Member

    I agree with that.. doesn't sound good to me..
    Anyway, doing a "netstat" I got a LOT OF TIME_WAIT connections like this:

    tcp 0 0 server.myserver:http 200.122.153.38:27397 TIME_WAIT
    tcp 0 0 server.myserver:http cm96171.red83-165.mund:2897 TIME_WAIT
    tcp 0 0 server.myserver:http 179.red-82-158-84.user:4422 TIME_WAIT
    tcp 0 0 server.myserver:http server.myserver:38928 TIME_WAIT
    tcp 0 0 server.myserver:http 202.Red-217-126-253.s:53110 TIME_WAIT
    tcp 0 0 server.myserver:http server.myserver:38929 TIME_WAIT

    That may be the problem.. I don't see a solution for this :(
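
Added example, not part of the original thread: a triage helper that breaks the per-IP count from the first post down by TCP state and marks peers that are the server's own addresses, so self-originated TIME_WAIT entries can be told apart from remote SYN_RECV buildup. The function names `conn_triage` and `sample_netstat` are hypothetical, and the addresses are constructed sample data from documentation ranges.

```shell
#!/bin/sh
# Usage: netstat -ant | conn_triage PORT LOCAL_IPS
# LOCAL_IPS is a comma-separated list of this host's own addresses
# (assumption: the operator supplies them).
conn_triage() {
    awk -v port="$1" -v locals="$2" '
        BEGIN { n = split(locals, a, ","); for (i = 1; i <= n; i++) is_local[a[i]] = 1 }
        $1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
            # Match the LOCAL port exactly; a plain "grep :80" also hits
            # :8080 and connections this host opened to some other port 80.
            lport = $4; sub(/^.*:/, "", lport)
            if (lport != port) next
            # Split the peer at the last colon, then drop an IPv4-mapped prefix.
            rip = $5; sub(/:[^:]*$/, "", rip); sub(/^::ffff:/, "", rip)
            tag = (rip in is_local) ? "LOCAL" : "remote"
            count[rip " " $6 " " tag]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input in "netstat -an" layout; 192.0.2.10 plays the server.
sample_netstat() {
    cat <<EOF
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:80 203.0.113.5:27397 TIME_WAIT
tcp 0 0 192.0.2.10:80 192.0.2.10:38928 TIME_WAIT
tcp 0 0 192.0.2.10:80 192.0.2.10:38929 TIME_WAIT
tcp 0 0 192.0.2.10:38930 192.0.2.10:80 ESTABLISHED
tcp 0 0 192.0.2.10:80 192.0.2.10:38930 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:4422 SYN_RECV
tcp 0 0 192.0.2.10:8080 198.51.100.7:4423 ESTABLISHED
EOF
}

# Output columns: count, peer IP, TCP state, LOCAL/remote
sample_netstat | conn_triage 80 192.0.2.10
```

Rows tagged LOCAL are connections the server opened to its own port, which points at something running on the host rather than an outside source; a large remote SYN_RECV count is the pattern to check when a SYN flood is suspected.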
     