Very strange IP (0.0.0.4) making many connections

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
126
29
28
Brazil
cPanel Access Level
Root Administrator
Hello guys,

Today I received the alert below in my email. This is very strange!

The port 0.0.0.4:80 responds but does not seem to recognize HTTP requests.

Does anyone have any idea what this might be?

I use NGINX as a proxy in front of Apache, and recently I activated IPv6 on my server.

Code:
lfd on myserver.com: 0.0.0.4 (-/-/-) blocked with too many connections

Time:        Sat Jun 24 09:42:50 2017 -0300
IP:          0.0.0.4 (-/-/-)
Connections: 437
Blocked:     Permanent Block

Connections:
tcp6: 0.0.0.4:39360 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39568 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39976 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39668 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40048 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40226 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38570 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40302 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39372 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40176 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39684 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38666 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38552 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39848 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38566 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40128 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:80 -> 0.0.0.4:39308 (TIME_WAIT)
tcp6: 0.0.0.4:40014 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39656 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40330 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38974 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39762 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39748 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40106 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39886 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38662 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38792 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39336 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:38902 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:40294 -> 0.0.0.4:80 (TIME_WAIT)
......
Code:
[~]# wget -p http://0.0.0.4
--2017-06-24 15:03:53--  http://0.0.0.4/
Connecting to 0.0.0.4:80... Failed: Invalid argument.

Note that in the list it says tcp6, but 0.0.0.4 is not a valid IPv6 address.
 

Rodrigo Gomes

After some research and testing, I discovered that the tcp6 protocol also responds to IPv4.

And that any server with cPanel returns this for wget -p http://0.0.0.4:
Connecting to 0.0.0.4:80... Failed: Invalid argument.

What I cannot imagine is what could be making that number of requests. Does anyone have any suggestions?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello,

Have you reviewed /usr/local/apache/logs/access_log and /usr/local/apache/logs/error_log to see what access attempts are occurring when you notice those connection attempts?

Thank you.
 

Rodrigo Gomes

Hello Michael!

I did not find this IP anywhere in the logs.

What I see in "/usr/local/apache/logs/access_log" at the time of the problem is this. But it seems to be something common within this log:
Code:
::1 - - [24/Jun/2017:09:42:23 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:42:41 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:07 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:08 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:09 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:10 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:11 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:12 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:13 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:14 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:15 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:16 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:17 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:18 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:19 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:20 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:21 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:22 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:23 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:24 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:25 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:26 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:27 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:28 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:29 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:30 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:31 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:32 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:33 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:34 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:35 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:36 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:37 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:40 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:43:57 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:44:38 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
127.0.0.1 - - [24/Jun/2017:09:45:06 -0300] "GET /whm-server-status?auto HTTP/1.1" 200 1210 "-" "munin/2.0.25 (libwww-perl/6.15)"
127.0.0.1 - - [24/Jun/2017:09:45:08 -0300] "GET /whm-server-status?auto HTTP/1.1" 200 1210 "-" "munin/2.0.25 (libwww-perl/6.15)"
::1 - - [24/Jun/2017:09:45:09 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
127.0.0.1 - - [24/Jun/2017:09:45:10 -0300] "GET /whm-server-status?auto HTTP/1.1" 200 1210 "-" "munin/2.0.25 (libwww-perl/6.15)"
::1 - - [24/Jun/2017:09:45:10 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:11 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:12 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:13 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:28 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:29 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:32 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:37 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:44 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:45:49 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:46:01 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
127.0.0.1 - - [24/Jun/2017:09:46:22 -0300] "GET / HTTP/1.0" 400 10067 "-" "-"
::1 - - [24/Jun/2017:09:46:32 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:46:33 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:46:34 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:46:43 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:07 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:08 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:09 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:10 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:11 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:12 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:13 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:14 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:15 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:16 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
::1 - - [24/Jun/2017:09:47:17 -0300] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
Judging by the status of the connections (TIME_WAIT), I believe that none could connect to port 80 with this IP.

The only different things that were done on this server recently were the installation of IPv6 and KernelCare.
 

Rodrigo Gomes

Hello Michael!

I have been using NGINX for a long time, and this only started to appear after I activated IPv6.

Note that the connection uses the tcp6 protocol.
I'm pretty sure it's something related to IPv6, I just do not know what!
 

cPanelMichael

Hello,

Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look at what's making those local connections from the IPv6 loopback address.

Thank you.
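
A triage helper for the lfd alert format quoted in the first post, added here as an example; it is not part of the thread and not code from CSF/lfd or cPanel. It counts how many listed connections have the same address on both ends, a source inside 0.0.0.0/8, and an IPv4 literal on a tcp6 line; the sample alert and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the alert's format; the last line is an invented
# remote connection (documentation addresses) added for contrast.
SAMPLE_ALERT = """\
IP:          0.0.0.4 (-/-/-)
Connections: 437

Connections:
tcp6: 0.0.0.4:39360 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:39568 -> 0.0.0.4:80 (TIME_WAIT)
tcp6: 0.0.0.4:80 -> 0.0.0.4:39308 (TIME_WAIT)
tcp: 203.0.113.9:51514 -> 198.51.100.7:80 (ESTABLISHED)
"""

CONN_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?): (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) \((?P<state>[A-Z0-9_]+)\)$")

# 0.0.0.0/8 is reserved "this network" space (RFC 1122, RFC 6890).
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

def parse_connections(alert_text):
    """Return one dict per 'proto: src:port -> dst:port (STATE)' line."""
    matches = (CONN_RE.match(line.strip()) for line in alert_text.splitlines())
    return [m.groupdict() for m in matches if m]

def triage(rows):
    """Count the properties worth checking before treating the IP as remote."""
    summary = Counter()
    for r in rows:
        src = ipaddress.ip_address(r["src"])
        dst = ipaddress.ip_address(r["dst"])
        summary["state:" + r["state"]] += 1
        if src == dst:
            summary["same_address_both_ends"] += 1
        if src in THIS_NETWORK:
            summary["source_in_0.0.0.0/8"] += 1
        if r["proto"].endswith("6") and src.version == 4:
            summary["ipv4_literal_on_v6_line"] += 1
    return dict(summary)

if __name__ == "__main__":
    for key, count in sorted(triage(parse_connections(SAMPLE_ALERT)).items()):
        print(f"{key}: {count}")
```

Rows where both ends carry the same address describe traffic that stays on the host, which points the investigation at local processes rather than at a remote client.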
 