The Community Forums


Server inaccessible for 5 mins

Discussion in 'General Discussion' started by aingaranweb, May 4, 2005.

  1. aingaranweb

    aingaranweb Well-Known Member

    Joined:
    Mar 23, 2003
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Toronto, Ontario
    My server was inaccessible for about 5 mins. NO ssh, no browser, no ftp...Nothing else.


    I look in my logs, I see this. Can someone help me decipher it?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    IN_TCP DROP = inbound connection
    SRC=67.169.47.119 = the ip address connecting
    DST=67.18.183.244 = the servers ip address being connected to
    PROTO=TCP = it's a TCP connection
    SPT=2966 = they're coming from port 2966
    DPT=1025 = they're trying to connect to port 1025, which is blocked, and therefore APF is blocking the IP address
     
  3. webhostnet

    webhostnet Member

    Joined:
    Apr 20, 2005
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    (my 2cc)

    Those 3 lines do not justify any downtime. As you can see, they are just 3 attempts to connect (they have the SYN mark) and they are coming at a slow rate (the second packet arrives after 3 seconds, the third packet after 5 seconds). So, it's not a syn-flood case :)

    Due to the fact that the customer name for the source IP block (67.169.0.0/17) is "Comcast Cable Communications", I can speculate that the packets are coming from a home user or an educational institution.

    Three attempts to connect to port 1025/tcp looks to me like a vulnerability scanner (or a worm) looking for some RPC / LSASS Windows exploit. Is your OS Windows? If not, smile :cool:

    The fact that you see those 3 attempts in your log means that the packets were stopped by the firewall. So, no harm done.

    Bottom line: for the problem you described (=no TCP communications with your server) those lines are irrelevant. They are not signs of trouble. Maybe it was a problem with your ISP, or your server's ISP, or some upstream router going nuts for 5 mins. It happens.

    My 2cc? Relax a little, do the usual Tripwire/scan for rootkits/external Nessus scan/external NMAP scan (or whatever your forensic procedure is) and go grab a beer.

    And buy me one too :)
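As an added example (not code from either poster, and not part of the original thread), chirpy's field-by-field reading of the APF drop line and webhostnet's timing argument can be put into a small parser that groups dropped packets by source, destination and port, measures how fast they arrive, and says whether the lines could explain an outage. It assumes the usual kernel/APF log layout (a `** IN_TCP DROP **` prefix followed by KEY=VALUE tokens and bare TCP flag tokens such as SYN), constructs three sample lines that mirror what the thread describes (the thread's own log excerpt is not quoted on the page), assumes 2005 as the log year since syslog lines carry none, and uses a hypothetical `flood_pps` threshold for the "fast enough to be a flood" decision.

```python
"""Parse APF/iptables drop lines and judge whether they explain an outage.

Added worked example for this thread; not code from the original posts.
It assumes the standard kernel/APF log layout (KEY=VALUE tokens plus bare
flag tokens such as DF and SYN) and a constructed set of three lines.
"""
import re
from datetime import datetime

# Constructed sample: three SYN packets from the address the thread quotes,
# spaced 3 s and 5 s apart, all dropped by the IN_TCP rule. Timestamps,
# packet ids and the host name are made up; the year is assumed from the thread date.
SAMPLE_LOG = """\
May  4 10:15:01 srv kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=67.169.47.119 DST=67.18.183.244 LEN=48 TTL=113 ID=1001 DF PROTO=TCP SPT=2966 DPT=1025 WINDOW=65535 RES=0x00 SYN URGP=0
May  4 10:15:04 srv kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=67.169.47.119 DST=67.18.183.244 LEN=48 TTL=113 ID=1002 DF PROTO=TCP SPT=2967 DPT=1025 WINDOW=65535 RES=0x00 SYN URGP=0
May  4 10:15:09 srv kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=67.169.47.119 DST=67.18.183.244 LEN=48 TTL=113 ID=1003 DF PROTO=TCP SPT=2968 DPT=1025 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LOG_YEAR = 2005  # syslog lines carry no year; assumed from the thread date
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

_TS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+\S+\s+kernel:\s*(?P<rest>.*)$"
)
_PREFIX_RE = re.compile(r"^\*\*\s*(?P<prefix>[^*]+?)\s*\*\*\s*(?P<rest>.*)$")


def parse_line(line):
    """Return time, rule prefix, KEY=VALUE fields and TCP flags for one line, or None."""
    m = _TS_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    rest = m.group("rest")
    prefix = ""
    pm = _PREFIX_RE.match(rest)
    if pm:
        prefix, rest = pm.group("prefix"), pm.group("rest")
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields[k] = v          # "OUT=" yields an empty value, which is expected
        elif tok in TCP_FLAGS:
            flags.add(tok)         # bare tokens after PROTO=TCP are the TCP flags set
        # other bare tokens (DF, CE) are IP-level and not needed here
    return {"time": ts, "prefix": prefix, "fields": fields, "flags": flags}


def summarize(log_text):
    """Group dropped packets by (SRC, DST, PROTO, DPT); compute count, span and rate."""
    groups = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "DROP" not in ev["prefix"]:
            continue
        f = ev["fields"]
        key = (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"))
        g = groups.setdefault(
            key, {"count": 0, "first": ev["time"], "last": ev["time"], "syn_only": True}
        )
        g["count"] += 1
        g["first"] = min(g["first"], ev["time"])
        g["last"] = max(g["last"], ev["time"])
        if ev["flags"] != {"SYN"}:
            g["syn_only"] = False   # anything beyond a bare SYN is not a half-open attempt
    for g in groups.values():
        g["span_s"] = (g["last"] - g["first"]).total_seconds()
        g["pps"] = g["count"] / g["span_s"] if g["span_s"] > 0 else float(g["count"])
    return groups


def assess(group, flood_pps=100.0):
    """Apply the thread's reasoning: a few slow SYNs the firewall dropped are a probe, not a flood."""
    if group["syn_only"] and group["pps"] >= flood_pps:
        return "possible SYN flood: high-rate SYNs, investigate further"
    return "low-rate probe dropped by the firewall: does not explain an outage"


if __name__ == "__main__":
    for (src, dst, proto, dpt), g in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {dst} {proto}/{dpt}: {g['count']} pkts over {g['span_s']:.0f}s "
              f"({g['pps']:.2f} pkt/s, syn_only={g['syn_only']}) -> {assess(g)}")
```

Run on the constructed lines it reports 3 packets over 8 seconds from 67.169.47.119 to port 1025 and classifies them as a dropped low-rate probe, which is exactly the conclusion webhostnet draws; the `flood_pps` threshold is the hypothetical knob to tune against a server's normal inbound rate.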
     
  4. aingaranweb

    aingaranweb Well-Known Member

    Joined:
    Mar 23, 2003
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Toronto, Ontario
    Thanks for the reassurance.

    As far as the beer goes, I'd buy you one but my gf has said I can't drink anymore. :(
     