Very strange IP (0.0.0.4) making many connections

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
128
29
78
Brazil
cPanel Access Level
Root Administrator
Hello guys,

Today I received the alert below in my email. This is very strange!

The port 0.0.0.4:80 responds but does not seem to recognize HTTP requests.

Does anyone have any idea what this might be?

I use NGINX as a proxy in front of Apache, and recently I activated IPv6 on my server.

Code:
lfd on myserver.com: 0.0.0.4 (-/-/-) blocked with too many connections

Time:        Sat Jun 24 09:42:50 2017 -0300
IP:          0.0.0.4 (-/-/-)
Connections: 437
Blocked:     Permanent Block

Connections:
tcp6: 0.0.0.4:39360 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39568 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39976 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39668 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40048 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40226 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38570 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40302 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39372 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40176 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39684 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38666 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38552 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39848 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38566 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40128 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:80 -> 0.0.0.4:39308 (TIME_WAIT)
tcp6: 0.0.0.4:40014 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39656 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40330 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38974 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39762 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39748 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40106 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39886 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38662 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38792 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39336 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38902 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40294 -> 0.0.0.4:80 (TIME_WAIT)
......

Code:
[~]# wget -p http://0.0.0.4
--2017-06-24 15:03:53--  http://0.0.0.4/
Connecting to 0.0.0.4:80... Failed: Invalid argument.

Note that in the list it says tcp6, but 0.0.0.4 is not a valid IPv6 address.
 

Rodrigo Gomes

After some research and testing, I discovered that the tcp6 protocol also responds to IPv4.

And that any server with cPanel returns the following for wget -p http://0.0.0.4:
Connecting to 0.0.0.4:80... Failed: Invalid argument.

What I cannot imagine is what could be making that number of requests. Does anyone have any suggestions?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,260
463
Hello,

Have you reviewed /usr/local/apache/logs/access_log and /usr/local/apache/logs/error_log to see what access attempts are occurring when you notice those connection attempts?

Thank you.
 

Rodrigo Gomes

Hello Michael!

I did not find this IP anywhere in the logs.

What I see in "/usr/local/apache/logs/access_log" at the time of the problem is this. But it seems to be something common within this log:
Code:
::1 - - [24/Jun/2017:09:42:23 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:42:41 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:07 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:08 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:09 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:10 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:11 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:12 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:13 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:14 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:15 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:16 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:17 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:18 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:19 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:20 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:21 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:22 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:23 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:24 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:25 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:26 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:27 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:28 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:29 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:30 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:31 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:32 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:33 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:34 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:35 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:36 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:37 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:40 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:57 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:44:38 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
127.0.0.1 - - [24/Jun/2017:09:45:06 -0300] "GET /whm-server-status?auto HTTP/1.1" 200 1210 "-" "munin/2.0.25 (libwww-perl/6.15)"
127.0.0.1 - - [24/Jun/2017:09:45:08 -0300] "GET /whm-server-status?auto HTTP/1.1" 200 1210 "-" "munin/2.0.25 (libwww-perl/6.15)"
::1 - - [24/Jun/2017:09:45:09 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
127.0.0.1 - - [24/Jun/2017:09:45:10 -0300] "GET /whm-server-status?auto HTTP/1.1" 200 1210 "-" "munin/2.0.25 (libwww-perl/6.15)"
::1 - - [24/Jun/2017:09:45:10 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:11 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:12 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:13 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:28 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:29 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:32 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:37 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:44 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:49 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:46:01 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
127.0.0.1 - - [24/Jun/2017:09:46:22 -0300] "GET / HTTP/1.0" 400 10067 "-" "-"
::1 - - [24/Jun/2017:09:46:32 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:46:33 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:46:34 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:46:43 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:07 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:08 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:09 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:10 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:11 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:12 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:13 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:14 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:15 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:16 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:17 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
Judging by the status of the connections (TIME_WAIT), I believe that none could connect to port 80 with this IP.

The only different things that were done on this server recently were the installation of IPv6 and KernelCare.
 

cPanelMichael

Hello,

You may also want to reach out to the developer of the Nginx plugin you are using to see if additional information about those connections is available. Note that it's also a common topic on the CSF forums:

0.0.0.0 Block - ConfigServer Community Forum

Thank you.
 

Rodrigo Gomes

Hello Michael!

I have used NGINX for a long time, and this only started to appear after I activated IPv6.

Note that the connection uses the tcp6 protocol.
I'm pretty sure it's something related to IPv6, I just do not know what!
 

cPanelMichael

Hello,

Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look at what's making those local connections from the IPv6 loopback address.

Thank you.
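
Added example, not part of the original thread and not CSF/lfd code: a small triage of the connection list in an lfd "too many connections" alert like the one quoted at the top of the thread, showing how to tell host-local traffic from a remote peer before acting on the block. The sample lines are constructed in the alert's format, and the function names and summary keys are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the lfd alert quoted in this thread.
SAMPLE_ALERT = """\
Connections:
tcp6: 0.0.0.4:39360 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39568 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:80 -> 0.0.0.4:39308 (TIME_WAIT)
tcp: 203.0.113.9:51514 -> 198.51.100.7:80 (ESTABLISHED)
"""

# proto: src:port -> dst:port (STATE); greedy \S+ keeps IPv6 colons in the address
LINE_RE = re.compile(r"^(tcp6?|udp6?): (\S+):(\d+) -> (\S+):(\d+) \((\w+)\)$")
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # RFC 1122 "this network"


def parse_connections(alert_text):
    """Yield (proto, src, sport, dst, dport, state) for each connection line."""
    for line in alert_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers such as "Connections:" or "Time:"
        proto, src, sport, dst, dport, state = m.groups()
        yield (proto, ipaddress.ip_address(src), int(sport),
               ipaddress.ip_address(dst), int(dport), state)


def triage(alert_text):
    """Count the properties that separate local traffic from a remote client."""
    summary = Counter()
    for proto, src, _sport, dst, _dport, state in parse_connections(alert_text):
        summary["total"] += 1
        summary["state:" + state] += 1
        if src == dst:
            summary["self_connection"] += 1  # both endpoints are the same address
        if src.version == 4 and src in THIS_NETWORK:
            summary["src_in_0.0.0.0/8"] += 1  # reserved range, not a routable peer
        if proto.endswith("6") and src.version == 4:
            summary["ipv4_text_on_v6_socket"] += 1  # v6 socket printed in v4 form
    return dict(summary)


if __name__ == "__main__":
    for key, value in sorted(triage(SAMPLE_ALERT).items()):
        print(f"{key}: {value}")
```

When every flagged line is a self-connection from a reserved source address, the alert describes traffic originating on the host itself, so the next step is identifying the local process rather than treating the block as an external event.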
 