
Server inaccessible for 5 mins

Discussion in 'General Discussion' started by aingaranweb, May 4, 2005.

  1. aingaranweb

    aingaranweb Well-Known Member

    Joined:
    Mar 23, 2003
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Toronto, Ontario
    My server was inaccessible for about 5 mins. NO ssh, no browser, no ftp...Nothing else.


    I look in my logs, I see this. Can someone help me decipher it?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,470
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    IN_TCP DROP = inbound connection
    SRC=67.169.47.119 = the IP address connecting
    DST=67.18.183.244 = the server's IP address being connected to
    PROTO=TCP = it's a TCP connection
    SPT=2966 = they're coming from port 2966
    DPT=1025 = they're trying to connect to port 1025, which is blocked, and therefore APF is blocking the IP address
     
  3. webhostnet

    webhostnet Member

    Joined:
    Apr 20, 2005
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    151
    (my 2cc)

    Those 3 lines do not justify any downtime. As you can see, they are just 3 attempts to connect (they have the SYN mark) and they are coming at a slow rate (second packet arrives after 3 seconds, third packet after 5 seconds). So, it's not a syn-flood case :)

    Due to the fact that the customer name for the source IP block (67.169.0.0/17) is "Comcast Cable Communications" I can speculate that the packets are coming from a home user or an educational institution.

    Three attempts to connect to port 1025/tcp looks to me like a vulnerability scanner (or a worm) looking for some RPC / LSASS Windows exploit. Is your OS Windows? If not, smile :cool:

    The fact that you see those 3 attempts in your log means that the packets were stopped by the firewall. So, no harm done.

    Bottom line: for the problem you described (=no TCP communications with your server) those lines are irrelevant. They are not signs of trouble. Maybe it was a problem with your ISP, or your server's ISP, or some upstream router going nuts for 5 mins. It happens.

    My 2cc? Relax a little, do the usual Tripwire/scan for rootkits/external Nessus scan/external NMAP scan (or whatever your forensic procedure is) and go grab a beer.

    And buy me one too :)
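    The decoding chirpy gave and the timing argument webhostnet made can both be automated. The script below is an added example, not code from the thread or from APF/cPanel: it parses iptables/APF "IN_TCP DROP" log lines into their SRC/DST/PROTO/SPT/DPT fields, reads the TCP flags, then groups dropped SYNs by source and reports the inter-arrival gaps so you can tell a slow probe (what this thread saw) from a SYN flood. The original post never showed its log, so the sample lines are constructed: the addresses and ports are the ones quoted above, every other field (interface, TTL, window, the 3 s and 5 s gaps) is assumed, as is the `flood_pps` threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in APF/iptables LOG style (not from the thread).
# SRC/DST/SPT/DPT are the values chirpy decoded; everything else is assumed.
SAMPLE_LOG = """\
May  4 10:15:00 srv kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=67.169.47.119 DST=67.18.183.244 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4321 DF PROTO=TCP SPT=2966 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
May  4 10:15:03 srv kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=67.169.47.119 DST=67.18.183.244 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4322 DF PROTO=TCP SPT=2966 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
May  4 10:15:08 srv kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=67.169.47.119 DST=67.18.183.244 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4323 DF PROTO=TCP SPT=2966 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# syslog timestamp (no year), hostname, then the kernel message
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<msg>.*)$")
# APF-style prefix "** <chain> <action> **" (assumed format)
PREFIX_RE = re.compile(r"\*\* (?P<chain>\w+) (?P<action>\w+) \*\*")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Turn one log line into {time, chain, action, fields, flags}; None if not a kernel log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    entry = {"time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
             "chain": None, "action": None, "fields": {}, "flags": set()}
    p = PREFIX_RE.search(msg)
    if p:
        entry["chain"], entry["action"] = p.group("chain"), p.group("action")
        msg = msg[p.end():]
    for token in msg.split():
        key, sep, value = token.partition("=")
        if sep:                      # KEY=VALUE field (OUT= gives an empty value)
            entry["fields"][key] = value
        elif token in TCP_FLAGS:     # bare tokens like SYN / ACK are the TCP flags
            entry["flags"].add(token)
    return entry


def describe(entry):
    """One-line gloss in the style of chirpy's decoding."""
    f = entry["fields"]
    direction = "inbound" if (entry["chain"] or "").startswith("IN") else "outbound"
    flags = "|".join(sorted(entry["flags"])) or "none"
    return (f"{direction} {f.get('PROTO')} from {f.get('SRC')}:{f.get('SPT')} "
            f"to {f.get('DST')}:{f.get('DPT')} flags={flags} -> {entry['action']}")


def summarize(log_text, flood_pps=50.0):
    """Group dropped pure SYNs by source; report gaps, rate, ports and a rough verdict.

    flood_pps is an assumed threshold: a handful of SYNs seconds apart is a probe the
    firewall already handled, not a flood that could make the box unreachable."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and "SYN" in e["flags"] and "ACK" not in e["flags"]:
            by_src[e["fields"]["SRC"]].append(e)
    report = {}
    for src, entries in by_src.items():
        entries.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(entries, entries[1:])]
        span = (entries[-1]["time"] - entries[0]["time"]).total_seconds()
        rate = len(entries) / span if span > 0 else float(len(entries))
        report[src] = {
            "syn_count": len(entries),
            "gaps_seconds": gaps,
            "rate_pps": rate,
            "ports": sorted({e["fields"]["DPT"] for e in entries}),
            "verdict": "possible SYN flood" if rate >= flood_pps else "slow probe, blocked by firewall",
        }
    return report


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_line(line)))
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

    Run against a real `/var/log/messages` the same way (`summarize(open("/var/log/messages").read())`); a source that shows up with three SYNs to one port several seconds apart, as here, is exactly the case webhostnet describes: noise the firewall dropped, unrelated to the outage.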
     
  4. aingaranweb

    aingaranweb Well-Known Member

    Joined:
    Mar 23, 2003
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Toronto, Ontario
    Thanks for the reassurance.

    As far as the beer goes, I'd buy you one but my gf has said I can't drink anymore. :(
     