Server attacking my own server?
Posted by imthebest, 11-07-2011, 12:35 AM |
Hi,
Something is going wrong in my server since a few days ago. Please take a look at the output of the following netstat command:
As you can see, it looks like my server is attacking itself with a flood of connections. This is strange and slows down the server to the point of getting it almost unresponsive.
Is this an attack?
Regards,
Peter
|
Posted by wpmaster, 11-07-2011, 03:33 AM |
If it's attacking itself, have you checked what caused the connection? Is it because of website hacking or another security hole?
|
Posted by imthebest, 11-07-2011, 10:59 AM |
I don't know if it is attacking itself. I need suggestions on what commands I should run in order to trace the source of these connections.
|
Posted by resellermarkets, 11-08-2011, 03:20 AM |
What is hosted on the secondary IP? Maybe it's in use by MySQL or something which is a process for the server?
Check what is running on the second IP to get more info.
|
Posted by scamtrex, 11-08-2011, 06:16 AM |
Maybe look for processes that use a lot of CPU, an "attack" needs a lot of resources, and start monitoring them.
I know it sounds basic, but the first thing you need to figure out is where the attack is coming from.
About commands, I do not know, maybe iptraf or lsof?
Last edited by scamtrex; 11-08-2011 at 06:19 AM.
|
Posted by Snoork Hosting, 11-08-2011, 02:44 PM |
Do you have CSF firewall installed on your server? If you have large quantities of IP blocks on your server, you can initiate a flood attack toward your server without even knowing.
Run this command on the server and check how many connections are coming from each IP address.
If you see a large number of connections such as +150 from particular IP addresses, I would recommend blocking them in firewall.
|
Posted by reflexiv, 11-08-2011, 06:56 PM |
From what I understand the OP said the connection count was the local server IP. Not a good idea to block your own server IP.
To get more info, try 'netstat -nap | grep IP'. The last column to the right will tell you the PID/service. That should provide more clues. For even more info do 'lsof -p PID' to see what files the connection has open.
Also check 'top' and post the first 15 lines here. The culprit process will likely be up there.
|
Posted by Snoork Hosting, 11-08-2011, 07:38 PM |
I did not say to block the server IP address. I said if there is a large number of connections such as +150 from particular IP addresses, I would recommend blocking them in firewall.
Do not block your server IP address.
|
Posted by HostAdmins, 11-09-2011, 01:34 AM |
This can be due to any looping in your coding used for any of the accounts in the server. Try to analyze the access of these IPs from your logs if they are binding to port 80, which you can find out with the netstat command.
Any specific process running in the top results with high CPU usage?
|
Posted by bhanuprasad1981, 11-09-2011, 02:22 PM |
Did you install nginx or Varnish on your server? Once I had a similar issue with an nginx install missing mod_rpaf.
|
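Added example, not part of any post in the thread: a way to act on the `netstat -nap` suggestion above by counting connections per foreign IP and, when the top address is the server's own, naming the local process that opens those connections. The function names, the sample rows, the processes in them and the addresses 192.0.2.10 and 198.51.100.7 are constructed for illustration; the layout assumed is Linux net-tools `netstat -nap`.

```shell
#!/bin/sh
# Constructed sample in `netstat -nap` layout (not output from the thread).
# 192.0.2.10 stands in for the server's own IP, 198.51.100.7 for a visitor.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2201/nginx
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      ESTABLISHED 2201/nginx
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      ESTABLISHED 2201/nginx
tcp        0      0 192.0.2.10:51001        192.0.2.10:8080         ESTABLISHED 2201/nginx
tcp        0      0 192.0.2.10:8080         192.0.2.10:51001        ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:51002        192.0.2.10:8080         ESTABLISHED 2201/nginx
tcp        0      0 192.0.2.10:8080         192.0.2.10:51002        ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:51003        192.0.2.10:8080         TIME_WAIT   -
EOF
}

# Connections per foreign IP, busiest first (listening sockets are skipped).
count_by_foreign_ip() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" { ip = $5; sub(/:[^:]*$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# A connection from the server to itself appears twice, once per end. The
# initiating end is the row whose foreign port is a listening port and whose
# local port is not. Owner "-" means netstat could not attribute the socket
# (TIME_WAIT, or netstat was not run as root).
self_initiators() {
    awk -v me="$1" '
        $1 !~ /^tcp/ { next }
        { lip = $4; sub(/:[^:]*$/, "", lip); lport = $4; sub(/^.*:/, "", lport)
          fip = $5; sub(/:[^:]*$/, "", fip); fport = $5; sub(/^.*:/, "", fport) }
        $6 == "LISTEN" { listening[lport] = 1; next }
        lip == me && fip == me { row[++k] = lport SUBSEP fport SUBSEP $7 }
        END {
            for (i = 1; i <= k; i++) {
                split(row[i], f, SUBSEP)
                if ((f[2] in listening) && !(f[1] in listening))
                    n[f[3] " -> port " f[2]]++
            }
            for (key in n) print n[key], key
        }' | sort -rn
}

sample_netstat | count_by_foreign_ip
sample_netstat | self_initiators 192.0.2.10
```

On a live host, pipe real output in as root so the PID column is filled: `netstat -nap | self_initiators <server IP>`.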