  1. #1

    lfd with 400 connections!!

    Hello,

    I receive the below message from my csf firewall that says:

    Code:
    lfd on VPS: 89.43.xxx.xxx (TR/Turkey) blocked with too many connections
    
    
    Connections: 400
    Blocked:     Temporary Block for 1800 seconds [CT_LIMIT]
    
    Connections:
    tcp: 89.43.xxx.xxx:38004 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:48414 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:55198 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:35606 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:51748 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:49874 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:43686 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:52308 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:58596 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:36102 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:35840 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:44042 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:54974 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:41036 -> MyServerIP:80 (TIME_WAIT)
    tcp: 89.43.xxx.xxx:54788 -> MyServerIP:80 (TIME_WAIT)
    
    ........

    The 89.43.xxx.xxx is one IP that seems to connect to my server...

    Please can anyone explain what exactly that is?

    I mean, does the IP 89.43.xxx.xxx make too many connections to MyServerIP port 80, OR do I make those connections from my server IP??

    What does the symbol -> mean?

    Please can anyone explain the above connections?

    Thank you!

  2. #2
    Looks pretty straightforward... the IP address 89.43.xxx.xxx had made 400 connections to your HTTP server (on port 80).

    As to what it is, or what is it trying to accomplish, that's anyone's guess: could be a crawler, a bot, a malicious script trying to find exploits in your website, etc... it's really not that uncommon. Once your website is public you can expect such things to happen.

  3. #3
    Thank you so much for your answer!!

    I was a bit confused because very often I see the below:

    Code:
    /usr/local/cpanel/3rdparty/perl/526/bin/perl
    
    Command Line (often faked in exploits):
    
    spamd child
    
    Network connections by the process (if any):
    
    tcp: 127.0.0.1:783 -> 127.0.0.1:34916
    udp: MyServerIP:47963 -> 8.8.8.8:53
    So with the above I think that 127.0.0.1 and MyServerIP make those connections, as the (->) symbol says... So 127.0.0.1 and MyServerIP had access to my server to make those connections...

    Now when I saw the 400 connections, I thought 89.43.xxx.xxx had access to the server and made outgoing connections to MyServerIP?

    Thank you again for your answer!

  4. #4
    127.0.0.1 is the loopback address for the network card; it is normal to see it. The other is a connection to Google's DNS services, again normal.
    -Steven | Cooini, LLC
    "It is the mark of an educated mind to be able to entertain a thought without accepting it" -Aristotle
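
As an added example (not part of any post in this thread, and not csf/lfd code): a small Python parser for connection lines in the shape quoted above that tallies them by direction, so the `->` lines can be read at a glance. The sample addresses are constructed, and treating the endpoint on a port at or below 1023 as the service side is an assumption of this example.

```python
import re
from collections import Counter

# Line shape from the alerts above: "proto: ip:port -> ip:port (STATE)"; state is optional.
LINE_RE = re.compile(r"^\s*(tcp|udp):\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)(?:\s+\((\w+)\))?\s*$")

# Constructed sample input (documentation addresses; 198.51.100.10 plays the server).
SAMPLE = """\
tcp: 203.0.113.7:38004 -> 198.51.100.10:80 (TIME_WAIT)
tcp: 203.0.113.7:48414 -> 198.51.100.10:80 (TIME_WAIT)
tcp: 203.0.113.7:55198 -> 198.51.100.10:80 (ESTABLISHED)
tcp: 127.0.0.1:783 -> 127.0.0.1:34916
udp: 198.51.100.10:47963 -> 8.8.8.8:53
"""
LOCAL_IPS = {"198.51.100.10", "127.0.0.1"}

def parse(line):
    """Return (proto, (ip, port), (ip, port), state) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto, a_ip, a_port, b_ip, b_port, state = m.groups()
    return proto, (a_ip, int(a_port)), (b_ip, int(b_port)), state

def classify(conn, local_ips, service_max=1023):
    """Heuristic (assumption): the endpoint on a port <= service_max is the service."""
    _, a, b, _ = conn
    if b[1] <= service_max < a[1]:
        service, client = b, a
    elif a[1] <= service_max < b[1]:
        service, client = a, b
    else:
        return "unknown", a, b          # both ports high or both low: cannot tell
    if service[0] in local_ips:
        direction = "local" if client[0] in local_ips else "inbound"
    else:
        direction = "outbound" if client[0] in local_ips else "unknown"
    return direction, client, service

def summarize(text, local_ips):
    """Count connections per (direction, client IP, service ip:port, state)."""
    counts = Counter()
    for line in text.splitlines():
        conn = parse(line)
        if conn is None:
            continue                    # headers, blank lines, "........" elisions
        direction, client, service = classify(conn, local_ips)
        counts[(direction, client[0], f"{service[0]}:{service[1]}", conn[3])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE, LOCAL_IPS).most_common():
        print(n, key)
```

On the sample, the port-80 lines come out as inbound from one client, the 127.0.0.1:783 line as local, and the 8.8.8.8:53 line as outbound.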
