The Community Forums

Interact with an entire community of cPanel & WHM users!

Suddenly many similar connections to my server?

Discussion in 'General Discussion' started by jacksony, Jan 30, 2006.

  1. jacksony

    I need help. Normally there are only about 10 connections when I type netstat, but recently it suddenly shows a lot of connections, and even the same ones every day. I am not sure what these connections are doing, but they are eating up some of my CPU processes, which causes some problems with my VPS. The support desk informed me someone is running a Perl script to do internal DDoS, but I can't see any trace of that script's name when I view 'top' or check 'CPU Usage' under cPanel WHM.

    Could anyone help me? Many thanks in advance! (the connection output is below)

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 apc.sg:http ca.monitoringserv:46239 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http ti122110a081-8527:46345 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http ti122110a081-8527:46346 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57682 c213-200-175-249.c:6915 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:10932 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http acc2-235-6.dialup.:3337 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http acc2-235-6.dialup.:3339 FIN_WAIT2
    tcp 0 0 eu.biblos.com.ua:http acc2-235-6.dialup.:3338 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http acc2-235-6.dialup.:3333 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http acc2-235-6.dialup.:3332 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 194.23.183.1:30465 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:15786 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 194.23.183.1:30464 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:10152 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 194.23.183.1:30466 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 194.23.183.1:30461 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 194.23.183.1:30460 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 194.23.183.1:30463 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 194.23.183.1:30462 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 84-217-22-44.tn.g:19897 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 194.23.183.1:30458 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:14403 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http ti311110a080-4607:61472 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-64-3:52638 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 81-234-94-120-no91.:ica TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 81-232-157-99-no2:60674 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:17693 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:11020 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:15627 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:11063 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:15627 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:11063 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:15417 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57672 81-234-94-120-no9:15106 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:14888 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:61024 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http h248n2fls302o291.:17276 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:60779 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 217.116.239.152:1338 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 217.116.239.152:1339 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 81-229-114-197-no3:1130 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 34.80-203-77.next:56662 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 213.151.148.83:1968 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:60254 TIME_WAIT
    tcp 0 0 localhost:57718 localhost:http TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57685 84-217-22-44.tn.gl:7010 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http c83-253-111-69.bre:1462 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:16916 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-64-3:52638 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 81-234-94-120-no91.:ica TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 81-232-157-99-no2:60674 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:17693 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:15627 TIME_WAIT
    tcp 0 0 localhost:57720 localhost:783 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:15417 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57672 81-234-94-120-no9:15106 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http gprs7.orange.pl:14888 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:61024 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http h248n2fls302o291.:17276 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:60779 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 217.116.239.152:1339 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 81-229-114-197-no3:1130 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http ti541210a080-0003.:4259 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57725 c-f813e353.09-59-:13565 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 213.151.148.83:1968 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http h253n3c1o285.bred:11106 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:61223 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http e212-54-8-87.elisa:4592 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57681 81-233-221-250-no:19785 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 17.80-202-198.nex:59280 TIME_WAIT
    tcp 0 0 apc.sg:http msnbot.msn.com:30056 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57736 c-97bce455.93-0066:9769 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http ti541210a080-0003.:4259 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57725 c-f813e353.09-59-:13565 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 213.151.148.83:1968 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http h253n3c1o285.bred:11106 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:61223 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http e212-54-8-87.elisa:4592 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:61223 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http e212-54-8-87.elisa:4592 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57681 81-233-221-250-no:19785 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 17.80-202-198.nex:59280 TIME_WAIT
    tcp 0 0 apc.sg:http msnbot.msn.com:30056 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57694 h248n2fls302o291.:16323 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http 47.208.216.81.or.s:3239 TIME_WAIT
    tcp 0 0 apc.sg:http msnbot.msn.com:32080 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57701 e212-54-8-87.elis:18721 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http dsl220-199.adsl.n:27894 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http c-f813e353.09-59-:62813 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:60956 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57674 81-229-114-197-no:25838 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:60898 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:60898 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57695 47.208.216.81.or.:57993 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:61177 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http c-97bce455.93-0066:4447 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http fj9016.inktomisea:36884 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost:57730 x1-6-00-0d-60-fb-:56544 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:61119 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-64-6:45788 TIME_WAIT
    tcp 0 0 eu.biblos.com.ua:http crawl-66-249-65-2:61064 TIME_WAIT
    tcp 0 0 ns1.myvirtualhost.:http x1-6-00-0d-60-fb-f:1085 TIME_WAIT
    CUT DOWN

    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags Type State I-Node Path
    unix 8 [ ] DGRAM 32796006 /dev/log
    unix 3 [ ] STREAM CONNECTED 41562285
    unix 3 [ ] STREAM CONNECTED 41562284
    unix 2 [ ] DGRAM 40520666
    unix 3 [ ] STREAM CONNECTED 38693503
    unix 3 [ ] STREAM CONNECTED 38693502
    unix 2 [ ] STREAM CONNECTED 36235196
    unix 2 [ ] DGRAM 32853325
    unix 3 [ ] STREAM CONNECTED 32801711 /var/lib/mysql/mysql.sock
    unix 3 [ ] STREAM CONNECTED 32801710
    unix 2 [ ] STREAM CONNECTED 32799053
    unix 2 [ ] DGRAM 32797548
    unix 2 [ ] DGRAM 32797499
    unix 2 [ ] DGRAM 32797291
    unix 2 [ ] DGRAM 32796052
     
  2. madaboutlinux

    Always type netstat -alntp. That will show you the exact IP addresses rather than hostnames having connections to your server. It is much easier to trace any IPs having too many connections to the server.
    If there are too many connections from a single IP, block it using the APF firewall or, if it's not installed, block it using iptables.
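
An added example, not written by any poster in this thread: a per-address tally of `netstat -alntp`-style output that counts live connections (ESTABLISHED, SYN_RECV) separately from TIME_WAIT entries, which are connections that have already closed. The function names, the threshold and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the numeric layout printed by `netstat -ant`.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:46239      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:46240      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:46241      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:3337        ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:3338        ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:3339        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:3340        ESTABLISHED
tcp        0      0 192.0.2.10:57682        203.0.113.99:6915       TIME_WAIT
tcp        0      0 127.0.0.1:57718         127.0.0.1:80            TIME_WAIT
EOF
}

# Read netstat output on stdin; print "live total address" per remote
# address, busiest first. Listening sockets are skipped.
tally_by_remote() {
  awk '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      ip = $5
      sub(/:[^:]*$/, "", ip)            # drop the port, keep the address
      total[ip]++
      if ($6 == "ESTABLISHED" || $6 == "SYN_RECV") live[ip]++
    }
    END { for (ip in total) printf "%d %d %s\n", live[ip], total[ip], ip }
  ' | LC_ALL=C sort -k1,1nr -k2,2nr -k3,3
}

# Print remote addresses with at least $1 live connections (loopback excluded).
over_threshold() {
  tally_by_remote | awk -v t="$1" '$1 >= t && $3 != "127.0.0.1" { print $3 }'
}

# On a server: netstat -alntp | tally_by_remote
sample_netstat | tally_by_remote
```

Addresses that appear only in TIME_WAIT, or that resolve to search-engine crawlers and monitoring services, are worth checking before they go into a block list.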
     
  3. jacksony

    Thank you very much. :) But I see one whole list of IPs and really don't know what script is running the internal connections or what IPs to ban. Guess it's better to leave it?
     
  4. celliott

    I have also had a similar problem on my server recently. I would certainly not just leave it. I would deny/all to any IP with excessive connections to the server. If something like this persists it will lead to high server load and a number of problems.

    If you have APF, which you should, in SSH just type "apf -d xx.xx.xx.xx", replacing the x's with the IP or hostname, then reload APF. Be careful when banning hostnames though, as this could potentially block the wrong ones from your server.
     
  5. madaboutlinux

    As "celliott" said, don't just leave it. As per the output of the first post, it seems there are many connections which are causing server load. So the best way is to block the IPs having too many connections listed in the 'netstat -alntp' output using iptables, or install the APF firewall and block them using the same.

    The APF installation is very simple.
     
  6. jacksony

    Yeah, but this VPS I'm on can't install the APF firewall because of the kernel issue.. :(
     
  7. madaboutlinux

    Try installing APF and if you have any problems contact your hosting company and see if they help you. If not, you have the option to block IPs using iptables.
     