

[VERY STRANGE] Lots of connections from server IPs

Posted by imthebest, 11-07-2011, 11:20 AM
Hi, Something has been going wrong on my server for a few days. Please take a look at the output of the following netstat command: As you can see, it looks like my server is attacking itself with a flood of connections. This is strange and slows down the server to the point of being almost unresponsive. Is this an attack? I need suggestions on what commands I should run in order to trace the source of these connections. Regards, Peter

Posted by bdowne01, 11-07-2011, 12:18 PM
Is this a web server? We had a client that hosted a ton of Wordpress blogs on their servers, and a few of their clients installed a wordpress plugin that constantly hit the box on its IP address to poll some RSS feed. It actually got so bad it DOS'd itself! It's a shot in the dark, but might be worth investigating.

Posted by Jakiao, 11-07-2011, 05:00 PM
bdowne01's idea is pretty solid and something I've seen several times in the past too. Other things you can check are which port on your server it is connecting to. If it's the same destination port, cross-reference it with the PID/Program list found using "netstat -nlp". If you see port 80, then my money is on bdowne01's idea.

Posted by bdowne01, 11-07-2011, 05:04 PM
Just wanted to pipe in another little tidbit to Jakiao's suggestion. You've got to be fast, but sometimes you can find the offending code by using /proc. If you end up finding a PID with netstat that is connected via the loopback socket, quickly navigate to /proc//cwd. A second terminal window is best, so you can do it quickly. Often, you'll find yourself in the directory that the executing code is running from. Saves a lot of footwork.

Posted by Jakiao, 11-07-2011, 05:25 PM
Assuming this is related to Apache, with netstat -nlp he will be given the parent PID of Apache. That's constant between restarts. It's a whole different beast if he's trying to track the cwd in Apache children. Quickness and a second terminal (or screen session) will definitely be necessary then. Oh, another useful command for digging into what an individual process is doing: lsof -p That command gives an output of all the file descriptors and sockets owned by the specified PID. Quite useful on many occasions!
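The triage the last two replies describe (find which local port the self-connections land on, map it to a PID/program with netstat, then read that PID's working directory from /proc) can be scripted so you do not have to race the connection by hand. The script below is an added example, not code from anyone in this thread. It parses `netstat -ntp`-style output on stdin, keeps only connections whose foreign side is one of the server's own addresses, and groups them by local port and owning PID/program. The server IP `203.0.113.10`, the `SERVER_IPS` list and the sample netstat lines are constructed for the demo; on a real box you would pipe in live `netstat -ntp` output (run as root, otherwise the PID column shows `-` for other users' processes).

```shell
#!/bin/sh
# Added example (not from the thread): find connections a server makes to
# itself and map them to the owning PID, then resolve that PID's cwd via /proc.
# SERVER_IPS and SAMPLE below are constructed values for demonstration.

SERVER_IPS="203.0.113.10 127.0.0.1"

self_connections() {
    # $1: space-separated list of this server's own IPs.
    # stdin: `netstat -ntp` output (Linux layout, IPv4 addresses).
    # Prints "count localport pid/program", busiest first.
    awk -v ips="$1" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) own[a[i]] = 1 }
        $1 == "tcp" && $6 == "ESTABLISHED" {
            # columns: proto recv-q send-q local foreign state pid/program
            split($4, l, ":"); split($5, f, ":")
            if (f[1] in own) count[l[2] " " $7]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

pid_cwd() {
    # Working directory of a PID, read from /proc as bdowne01 suggests.
    # Falls back to a message when /proc is unavailable or the PID is gone.
    readlink "/proc/$1/cwd" 2>/dev/null || echo "(no /proc entry for pid $1)"
}

# Constructed netstat -ntp sample: 203.0.113.10 plays the server's own address.
# Two inbound hits on :80 from the box itself, the php side of one of them,
# one legitimate remote ssh session, and a local mysql client.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:80         203.0.113.10:51234      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80         203.0.113.10:51235      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:51234      203.0.113.10:80         ESTABLISHED 5678/php
tcp        0      0 203.0.113.10:22         198.51.100.7:40000      ESTABLISHED 900/sshd
tcp        0      0 127.0.0.1:3306          127.0.0.1:45000         ESTABLISHED 777/mysqld'

top_self_connection() {
    # The single busiest self-connected local port: "count port pid/program".
    printf '%s\n' "$SAMPLE" | self_connections "$SERVER_IPS" | head -n 1
}

# Stand-alone run: show the grouped table and the cwd of the top PID.
printf '%s\n' "$SAMPLE" | self_connections "$SERVER_IPS"
top_pid=$(top_self_connection | awk '{ split($3, p, "/"); print p[1] }')
echo "pid $top_pid cwd: $(pid_cwd "$top_pid")"
```

The sample resolves to port 80 owned by `1234/httpd` as the hot spot, which is the self-polling web server pattern bdowne01 described; the `5678/php` line on the client side is the process you would actually want the cwd of. The address split on `:` only handles IPv4; `tcp6` rows with bracketed IPv6 addresses would need a different split.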

Posted by reflexiv, 11-08-2011, 07:04 PM
Just noticed this is a double/duplicate post: http://www.webhostingtalk.com/showthread.php?t=1096574
