Is this an attack ? very rare at netstat.. please suggestions

Discussion in 'General Discussion' started by sh4ka, Apr 18, 2006.

  1. sh4ka

    sh4ka Well-Known Member

    Look at this??
    Is this an attack or what? How can I have 300 connections from the primary server IP??? And how can I stop that?? I've never seen something like this...

    ## Just pasted the last lines from the output of the next command:
    netstat -an | grep :80 | awk '{ print $5 }' | awk -F: '{ print $1 }' | sort | uniq -c | sort -n

    4 201.226.99.61
    4 201.228.28.110
    4 71.122.139.171
    4 87.217.24.5
    5 200.72.163.226
    5 83.32.103.200
    17 200.121.185.120
    104 168.243.249.17
    301 [PRIMARY_SERVER_IP] ----------------> THIS LINE
     
  2. jackie46

    jackie46 BANNED

    Umm, we see it all the time and there isn't much you can do apart from banning the IP.
     
  3. jamesbond

    jamesbond Well-Known Member

    You ban your primary server IP? ;)
     
  4. nickp666

    nickp666 Well-Known Member

    Are any of the hosted sites using PHP url_fopen() with a URL set to the same server?
     
  5. sh4ka

    sh4ka Well-Known Member

    Do you mean BANNING MY PRIMARY SERVER IP?? That will cause some errors in the server I think, or am I wrong?? And I will not be able to access the server.. Otherwise I ban only MY PRIMARY SERVER IP to the 80 PORT, and how can I do that using APF??

    Also, now after talking with datacenter techs, one of them told me it may be some SYN flood, to put a firewall and try to put off the keepalives in httpd.conf.... and already did keepalives, already have APF well configured, with anti-DoS working, have eth0's suggestions about sysctl hardening...

    Load average is better after these changes, but running the netstat command I got 482 connections from the PRIMARY SERVER IP
     
  6. jamesbond

    jamesbond Well-Known Member

    I was asking jackie46 that question :) It doesn't seem like a good idea to me.
     
  7. sh4ka

    sh4ka Well-Known Member

    I agree with that.. doesn't sound good to me..
    Anyway, doing a "netstat" I got a LOT OF TIME_WAIT connections like this:

    tcp 0 0 server.myserver:http 200.122.153.38:27397 TIME_WAIT
    tcp 0 0 server.myserver:http cm96171.red83-165.mund:2897 TIME_WAIT
    tcp 0 0 server.myserver:http 179.red-82-158-84.user:4422 TIME_WAIT
    tcp 0 0 server.myserver:http server.myserver:38928 TIME_WAIT
    tcp 0 0 server.myserver:http 202.Red-217-126-253.s:53110 TIME_WAIT
    tcp 0 0 server.myserver:http server.myserver:38929 TIME_WAIT

    That may be the problem.. I don't see a solution for this :(
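
The per-IP count used in this thread, reworked as an added example that is not part of any poster's message: it keeps only sockets whose local port is exactly 80, splits the count by TCP state, and marks peers whose address equals the server's own. The function names and the sample lines (documentation addresses) are constructed for illustration; numeric Linux `netstat -ant` output is assumed.

```shell
#!/bin/sh
# Added example: per-peer, per-state summary of connections to local port 80.
# Input: Linux `netstat -ant` lines on stdin (Proto Recv-Q Send-Q Local Foreign State).

summarize_http_conns() {
    awk '
    $1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
        lport = $4; sub(/.*:/, "", lport)        # local port = text after the last ":"
        if (lport != "80") next                  # exact match: drops :8080 and client-side sockets
        lip = substr($4, 1, length($4) - length(lport) - 1)
        rip = $5; sub(/:[^:]*$/, "", rip)        # peer address without its port
        tag = (rip == lip) ? "self" : "remote"   # self = peer address is the local address
        count[rip " " $6 " " tag]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# Constructed sample input; on a live host use: netstat -ant | summarize_http_conns
sample_netstat() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:80 192.0.2.10:38928 TIME_WAIT
tcp 0 0 192.0.2.10:80 192.0.2.10:38929 TIME_WAIT
tcp 0 0 192.0.2.10:80 192.0.2.10:38930 TIME_WAIT
tcp 0 0 192.0.2.10:38931 192.0.2.10:80 ESTABLISHED
tcp 0 0 192.0.2.10:80 192.0.2.10:38931 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:27397 TIME_WAIT
tcp 0 0 192.0.2.10:80 198.51.100.7:8012 ESTABLISHED
tcp 0 0 192.0.2.10:8080 203.0.113.5:4422 ESTABLISHED
EOF
}

sample_netstat | summarize_http_conns
```

Unlike `grep :80`, the exact port match ignores `:8080` listeners, peer ports such as `:8012`, and the client-side socket of a local connection, which the original pipeline counts as well. On a server with several local addresses, a request from one local IP to a site on another is reported as `remote`, so compare the peer column against the full list of the server's addresses.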
     