The Community Forums

Interact with an entire community of cPanel & WHM users!

Problem with ssl or a trojan ?

Discussion in 'General Discussion' started by 4u123, Mar 3, 2008.

  1. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    765
    Likes Received:
    1
    Trophy Points:
    18
    This is a very strange thing. One of our staff is connecting to our site as normal but over the last couple of days she keeps getting blocked by the firewall for too many connections. The connection limit is set to 500.

    She is logging into our billing system and processing orders, doing support tickets etc. as normal.

    If I connect to do this I see only one connection in netstat.

    If she connects, this happens...

    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3121 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3110 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3111 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3108 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3109 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3106 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3107 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3104 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3105 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3118 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3119 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3116 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3117 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3114 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3115 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3112 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3113 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3094 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3095 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3092 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3093 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3090 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3091 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3088 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3089 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3102 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3103 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3100 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3101 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3098 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3099 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3096 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3097 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3079 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3086 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3087 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3084 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3085 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3083 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3080 TIME_WAIT
    tcp 0 0 SERVER.DOMAIN.COM:https ip-ip-ip-ip.cable.ubr03:3081 TIME_WAIT

    On Friday I installed a new SSL cert on our site, so I'm not sure if this is a problem with SSL or if she has some kind of virus / trojan on her computer.

    Any ideas?
     
  2. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    765
    Likes Received:
    1
    Trophy Points:
    18
    This is still going on - it seems to happen more when she views a large list of orders or registered domains, 300 or so down the page. I could whitelist her IP but I'd like to know why this happens.

    Any advice would be greatly appreciated.
     
  3. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    Does she use Firefox and the Fasterfox extension by chance?
     
  4. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    765
    Likes Received:
    1
    Trophy Points:
    18
    No, she's using IE7.

    Her activity is purely just web browsing: she's simply approving orders, so she'd view a list down the page, click on an entry to approve it, wait for the page to refresh, then click the next one. She's not doing that 500 times, maybe 10 or 20, one after the next.

    I guess that the server is not dropping her connections and they keep adding up until she gets blocked?

    CSF says this...

    Time: Thu Mar 6 13:16:16 2008
    IP: ip.ip.ip.ip (ip-ip-ip-ip.cable.ubr03.gate.domain.co.uk)
    Connections: 518
    Blocked: temporarily

    Connections:
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1562 SYN_RECV
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1566 SYN_RECV
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1571 SYN_RECV
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1565 SYN_RECV
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1568 SYN_RECV
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1564 SYN_RECV
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1567 SYN_RECV
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1569 SYN_RECV
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1570 SYN_RECV
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1563 SYN_RECV
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1142 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1398 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1399 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1143 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1394 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1395 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1136 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1392 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1393 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1137 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1406 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:4991 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1407 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1151 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1148 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1404 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1405 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1149 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1146 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1402 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1403 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1147 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1400 TIME_WAIT
    tcp 0 1 ip.ip.ip.ip:443 ip.ip.ip.ip:1401 CLOSING
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1126 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1382 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1383 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1127 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1124 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1380 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1381 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1378 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1379 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1123 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1120 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1376 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1377 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1121 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1390 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1391 TIME_WAIT
    tcp 0 0 ip.ip.ip.ip:443 ip.ip.ip.ip:1135 TIME_WAIT
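    As an added diagnostic (this is not code from the thread or from CSF), the script below parses netstat-style lines like the CSF report above and breaks each client's entries down by TCP state. Almost everything in the report is TIME_WAIT, which is a socket the server's kernel keeps for a while after it closed a finished request first; the client no longer holds anything for it. Separating those from states the browser is still actively using (ESTABLISHED, SYN_RECV, CLOSING, ...) shows how much of a "518 connections" figure is leftover from already-completed requests. The sample lines and addresses are constructed placeholders, and the state set and limit are parameters of the functions rather than anything CSF exposes; CSF's own connection tracking can be restricted to particular states with CT_STATES in csf.conf.

```python
"""Classify per-client TCP connection states from netstat-style output.

Constructed sample modelled on the CSF report in the thread: one client
holds a few half-open SYN_RECV sockets plus many TIME_WAIT sockets left
behind by short-lived HTTPS requests, and a second client is quiet.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the same layout as the quoted netstat lines
# (documentation-range addresses, not real hosts).
SAMPLE_NETSTAT = """\
tcp 0 0 203.0.113.10:443 198.51.100.7:1562 SYN_RECV
tcp 0 0 203.0.113.10:443 198.51.100.7:1566 SYN_RECV
tcp 0 0 203.0.113.10:443 198.51.100.7:1142 TIME_WAIT
tcp 0 0 203.0.113.10:443 198.51.100.7:1398 TIME_WAIT
tcp 0 0 203.0.113.10:443 198.51.100.7:1399 TIME_WAIT
tcp 0 1 203.0.113.10:443 198.51.100.7:1401 CLOSING
tcp 0 0 203.0.113.10:443 198.51.100.7:1402 ESTABLISHED
tcp 0 0 203.0.113.10:443 192.0.2.55:40012 ESTABLISHED
tcp 0 0 203.0.113.10:443 192.0.2.55:40013 TIME_WAIT
"""

# proto recv-q send-q local remote state
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_0-9]+)\s*$"
)

# States in which the remote peer still has a live socket of its own.
# TIME_WAIT is excluded: it is held only by the side that closed first
# (here the server), so the client has nothing open for it any more.
ACTIVE_STATES = {
    "ESTABLISHED", "SYN_RECV", "SYN_SENT", "CLOSE_WAIT",
    "FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK",
}


def parse_netstat(text):
    """Yield (local, remote_host, state) for each TCP line; skip headers and junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Strip the ephemeral port so all of a client's sockets group together.
        remote_host = m.group("remote").rsplit(":", 1)[0]
        yield m.group("local"), remote_host, m.group("state")


def states_per_client(text):
    """Map remote host -> Counter of TCP states seen for it."""
    result = defaultdict(Counter)
    for _local, remote, state in parse_netstat(text):
        result[remote][state] += 1
    return result


def clients_over_limit(text, limit, count_states=None):
    """Return {client: counted} for clients whose counted sockets exceed limit.

    count_states=None counts every state, which is what a naive per-IP
    limit does; pass ACTIVE_STATES to ignore TIME_WAIT leftovers.
    """
    over = {}
    for client, counter in states_per_client(text).items():
        n = sum(c for s, c in counter.items()
                if count_states is None or s in count_states)
        if n > limit:
            over[client] = n
    return over


if __name__ == "__main__":
    for client, counter in states_per_client(SAMPLE_NETSTAT).items():
        total = sum(counter.values())
        active = sum(c for s, c in counter.items() if s in ACTIVE_STATES)
        print(f"{client}: {total} entries, {active} active, "
              f"{counter['TIME_WAIT']} TIME_WAIT")
    # A limit of 5 is used only to make the toy sample trip it.
    print("over limit, all states:", clients_over_limit(SAMPLE_NETSTAT, 5))
    print("over limit, active only:", clients_over_limit(SAMPLE_NETSTAT, 5, ACTIVE_STATES))
```

    On a real box you would pipe `netstat -tn` output into `states_per_client` instead of the constructed sample; a client that shows hundreds of TIME_WAIT entries but only a handful of ESTABLISHED ones is producing many short connections per page, not holding hundreds open, which points at how the page is served (one connection per image fetch, no keepalive reuse) rather than at malware on her machine.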
     
  5. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    How many images/other media are on the page?

    What is your Apache keepalive setting at?
     
  6. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    765
    Likes Received:
    1
    Trophy Points:
    18
    There is an image on each line but it is the same image so should be cached. In some cases when she's viewing the page there can be 300 or so lines of information, so 300 or more of the same image would be displayed on the page. Apart from that one "submit" image there are only a dozen or so other images.

    I notice inside the virtualhost entry for our domain this...

     