
webmailhttps connected? What does this mean?

Discussion in 'E-mail Discussions' started by noimad1, Apr 30, 2004.

  1. noimad1

    noimad1 Well-Known Member

    Ok, so our server has just been crashing multiple times over the past few days for no apparent reason at all.

    I am trying to look through the log files for any indication of foul play. I'm not seeing much, but I do see a bunch of these:

    Apr 29 21:42:47 h1 stunnel[13977]: webmailhttps connected from 68.231.82.107:2032
    Apr 29 21:42:47 h1 stunnel[13977]: Connection closed: 5703 bytes sent to SSL, 636 bytes sent to socket
    Apr 29 21:42:48 h1 stunnel[13980]: webmailhttps connected from 68.231.82.107:2033
    Apr 29 21:42:48 h1 stunnel[13983]: webmailhttps connected from 68.231.82.107:2034
    Apr 29 21:43:02 h1 stunnel[13980]: Connection closed: 1639 bytes sent to SSL, 8012 bytes sent to socket
    Apr 29 21:43:02 h1 stunnel[13983]: Connection closed: 1490 bytes sent to SSL, 7428 bytes sent to socket
    Apr 29 21:43:02 h1 stunnel[13991]: webmailhttps connected from 68.231.82.107:2035
    Apr 29 21:43:03 h1 stunnel[13991]: Connection closed: 887 bytes sent to SSL, 762 bytes sent to socket
    Apr 29 21:43:04 h1 stunnel[13994]: webmailhttps connected from 68.231.82.107:2036
    Apr 29 21:43:04 h1 stunnel[13995]: webmailhttps connected from 68.231.82.107:2037
    Apr 29 21:43:04 h1 stunnel[13994]: Connection closed: 0 bytes sent to SSL, 627 bytes sent to socket
    Apr 29 21:43:04 h1 stunnel[13995]: Connection closed: 714 bytes sent to SSL, 777 bytes sent to socket
    Apr 29 21:43:04 h1 stunnel[13999]: webmailhttps connected from 68.231.82.107:2038
    Apr 29 21:43:04 h1 stunnel[14002]: webmailhttps connected from 68.231.82.107:2039
    Apr 29 21:43:04 h1 stunnel[13999]: Connection closed: 3177 bytes sent to SSL, 776 bytes sent to socket
    Apr 29 21:43:04 h1 stunnel[14005]: webmailhttps connected from 68.231.82.107:2040
    Apr 29 21:43:04 h1 stunnel[14005]: Connection closed: 2967 bytes sent to SSL, 704 bytes sent to socket
    Apr 29 21:43:05 h1 stunnel[14002]: Connection closed: 6153 bytes sent to SSL, 761 bytes sent to socket
    Apr 29 21:43:05 h1 stunnel[14009]: webmailhttps connected from 68.231.82.107:2041
    Apr 29 21:43:05 h1 stunnel[14010]: webmailhttps connected from 68.231.82.107:2042
    Apr 29 21:43:05 h1 stunnel[14010]: Connection closed: 149 bytes sent to SSL, 757 bytes sent to socket
    Apr 29 21:43:05 h1 stunnel[14009]: Connection closed: 149 bytes sent to SSL, 754 bytes sent to socket
    Apr 29 21:43:05 h1 stunnel[14013]: webmailhttps connected from 68.231.82.107:2043
    Apr 29 21:43:05 h1 stunnel[14014]: webmailhttps connected from 68.231.82.107:2044
    Apr 29 21:43:05 h1 stunnel[14013]: Connection closed: 149 bytes sent to SSL, 761 bytes sent to socket
    Apr 29 21:43:05 h1 stunnel[14014]: Connection closed: 149 bytes sent to SSL, 769 bytes sent to socket
    Apr 29 21:43:05 h1 stunnel[14017]: webmailhttps connected from 68.231.82.107:2045
    Apr 29 21:43:05 h1 stunnel[14018]: webmailhttps connected from 68.231.82.107:2046
    Apr 29 21:43:05 h1 stunnel[14017]: Connection closed: 149 bytes sent to SSL, 761 bytes sent to socket
    Apr 29 21:43:05 h1 stunnel[14018]: Connection closed: 149 bytes sent to SSL, 757 bytes sent to socket
    Apr 29 21:43:06 h1 stunnel[14021]: webmailhttps connected from 68.231.82.107:2047
    Apr 29 21:43:06 h1 stunnel[14021]: Connection closed: 149 bytes sent to SSL, 756 bytes sent to socket
    Apr 29 21:43:06 h1 stunnel[14023]: webmailhttps connected from 68.231.82.107:2048
    Apr 29 21:43:06 h1 stunnel[14023]: Connection closed: 0 bytes sent to SSL, 627 bytes sent to socket
    Apr 29 21:43:08 h1 stunnel[14025]: webmailhttps connected from 68.231.82.107:2049
    Apr 29 21:43:09 h1 stunnel[14025]: Connection closed: 699 bytes sent to SSL, 1138 bytes sent to socket
    Apr 29 21:43:09 h1 stunnel[14030]: webmailhttps connected from 68.231.82.107:2050
    Apr 29 21:43:12 h1 stunnel[14030]: Connection closed: 6151 bytes sent to SSL, 709 bytes sent to socket
    Apr 29 21:43:19 h1 stunnel[14042]: webmailhttps connected from 68.231.82.107:2051
    Apr 29 21:43:19 h1 stunnel[14042]: Connection closed: 644 bytes sent to SSL, 785 bytes sent to socket
    Apr 29 21:43:20 h1 stunnel[14045]: webmailhttps connected from 68.231.82.107:2052
    Apr 29 21:43:21 h1 stunnel[14045]: Connection closed: 40225 bytes sent to SSL, 726 bytes sent to socket


    To me it looks like someone is trying to connect to webmail through different ports?

    Does anyone know what this is?

    Thanks
    Damion
     
  2. abnormis

    abnormis Registered

    We're having this same problem. All services become unavailable and the server needs a hard reboot. Last entries in the logs are:

    Sep 13 08:57:34 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63395
    Sep 13 08:57:34 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63394
    Sep 13 08:57:34 zeus stunnel[2983]: Connection closed: 564 bytes sent to SSL, 621 bytes sent to socket
    Sep 13 08:57:34 zeus stunnel[2983]: webmailhttps connected from 136.159.43.78:4761
    Sep 13 08:57:34 zeus stunnel[2983]: Connection closed: 952 bytes sent to SSL, 617 bytes sent to socket
    Sep 13 08:57:34 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 607 bytes sent to socket
    Sep 13 08:57:34 zeus stunnel[2983]: cpanelhttps connected from 24.0.88.175:1354
    Sep 13 08:57:34 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63396
    Sep 13 08:57:34 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 604 bytes sent to socket
    Sep 13 08:57:34 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 605 bytes sent to socket
    Sep 13 08:57:34 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63397
    Sep 13 08:57:35 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 610 bytes sent to socket
    Sep 13 08:57:35 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 609 bytes sent to socket
    Sep 13 08:57:35 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63401
    Sep 13 08:57:36 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63402
    Sep 13 08:57:36 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 613 bytes sent to socket
    Sep 13 08:57:36 zeus stunnel[2983]: Connection closed: 2688 bytes sent to SSL, 1194 bytes sent to socket
    Sep 13 08:57:36 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 611 bytes sent to socket
    Sep 13 08:57:36 zeus stunnel[2983]: cpanelhttps connected from 24.0.88.175:1355
    Sep 13 08:57:36 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63403
    Sep 13 08:57:36 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63404
    Sep 13 08:57:36 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 612 bytes sent to socket
    Sep 13 08:57:37 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 612 bytes sent to socket
    Sep 13 08:57:37 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63405
    Sep 13 08:57:37 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 610 bytes sent to socket
    Sep 13 08:57:37 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63398
    Sep 13 08:57:37 zeus stunnel[2983]: webmailhttps connected from 216.152.175.235:63399
    Sep 13 08:57:38 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 598 bytes sent to socket
    Sep 13 08:57:38 zeus stunnel[2983]: Connection closed: 150 bytes sent to SSL, 613 bytes sent to socket
    Sep 13 08:57:43 zeus stunnel[2983]: Connection closed: 5401 bytes sent to SSL, 3442 bytes sent to socket
    Sep 13 08:57:46 zeus stunnel[2983]: Connection closed: 1499 bytes sent to SSL, 1297 bytes sent to socket

    etc..etc..

    Is this some form of DoS attack? I've even checked ip_conntrack_max.

    root@zeus [~]# cat /proc/sys/net/ipv4/ip_conntrack_max
    34576

    root@zeus [~]# wc -l /proc/net/ip_conntrack
    790 /proc/net/ip_conntrack

    Anyone have any ideas?

    -Marc
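
Added example, not part of the original posts: one way to triage stunnel lines like those quoted above is to group connects by service and client address and measure how fast they arrive. The number after the address is the client's source port; the function name, field names and sample lines here are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the stunnel lines quoted in the thread
# (addresses are from the 203.0.113.0/24 documentation range).
SAMPLE = """\
Apr 29 21:43:04 h1 stunnel[101]: webmailhttps connected from 203.0.113.7:2036
Apr 29 21:43:04 h1 stunnel[102]: webmailhttps connected from 203.0.113.7:2037
Apr 29 21:43:04 h1 stunnel[101]: Connection closed: 0 bytes sent to SSL, 627 bytes sent to socket
Apr 29 21:43:05 h1 stunnel[102]: Connection closed: 714 bytes sent to SSL, 777 bytes sent to socket
Apr 29 21:43:05 h1 stunnel[103]: webmailhttps connected from 203.0.113.7:2038
Apr 29 21:43:09 h1 stunnel[104]: cpanelhttps connected from 203.0.113.50:1354
"""

HEAD = r"^\s*(\w{3} +\d+ [\d:]{8}) \S+ stunnel\[(\d+)\]: "
CONNECT = re.compile(HEAD + r"(\S+) connected from ([\d.]+):(\d+)\s*$")
CLOSED = re.compile(HEAD + r"Connection closed: (\d+) bytes sent to SSL, "
                           r"(\d+) bytes sent to socket\s*$")

def summarize(text):
    """Summarize stunnel connects per (service, client IP)."""
    ports, per_second = defaultdict(set), defaultdict(Counter)
    sent = defaultdict(lambda: [0, 0])   # [bytes to SSL, bytes to socket]
    open_by_pid = {}                     # pid -> key, or None when ambiguous
    for line in text.splitlines():
        m = CONNECT.match(line)
        if m:
            stamp, pid, service, ip, port = m.groups()
            key = (service, ip)
            ports[key].add(int(port))    # client-side source port
            per_second[key][stamp] += 1  # syslog stamps have 1 s resolution
            # A PID names one connection only when stunnel forks per client.
            open_by_pid[pid] = None if pid in open_by_pid else key
            continue
        m = CLOSED.match(line)
        if m and open_by_pid.get(m.group(2)):
            key = open_by_pid.pop(m.group(2))
            sent[key][0] += int(m.group(3))
            sent[key][1] += int(m.group(4))
    return {key: {"connects": sum(per_second[key].values()),
                  "source_ports": len(ports[key]),
                  "peak_per_second": max(per_second[key].values()),
                  "bytes_to_ssl": sent[key][0], "bytes_to_socket": sent[key][1]}
            for key in per_second}

if __name__ == "__main__":
    for (service, ip), row in sorted(summarize(SAMPLE).items()):
        print(service, ip, row)
```

When every line carries the same stunnel PID, as in the second excerpt, closes cannot be matched to a client and the byte totals stay at zero; the connect counts and per-second peak are still valid.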
     
  3. niatech

    niatech Well-Known Member

    I had a similar issue last night. I'm still trying to find out what was wrong. Do you have more information on this?

    What OS are you running?
     
