  1. #1

    Am I being hacked?

    Hi, doing a netstat -nap shows me this:
    tcp 0 0 72.36.179.22:80 72.36.179.22:46007 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46008 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46009 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46010 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46011 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46012 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46013 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46015 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46016 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46017 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46018 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46019 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46020 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46021 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46022 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46023 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46024 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46025 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46026 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:46027 TIME_WAIT -
    The IP 72.36.179.22 is my server. Do you have any idea why it is making requests to itself?

    Is this right, or is it an error? And how can I fix it?

    thanks.

  2. #2
    Well, it looks like someone has an errant script sending HTTP requests to your own server; as you can see from the output, port 80 is the local destination port and the source port appears to be random.

    Let me know if you can't figure this out.

    Orbityl


  3. #3

    Script?

    Quote Originally Posted by orbityl
    Well, it looks like someone has an errant script sending HTTP requests to your own server; as you can see from the output, port 80 is the local destination port and the source port appears to be random.

    Let me know if you can't figure this out.

    Orbityl

    Thanks for the answer. How can I find out what script/user is doing this? Sometimes there appear to be a lot of those and my server load goes very high... thanks.

  4. #4
    Well, you could see which one of your sites is getting tons of hits from your own IP address by checking their log files; this may be tedious depending on the number of sites you're hosting. Are you using a control panel?

    Thanks,
    :-)
    Orbityl
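
As an added example (not code from the thread) of the per-site log check suggested above: a shell helper that counts requests from the server's own IP in each per-domain access log and lists which paths those requests hit, so the noisy site and script show up without reading 50 logs by hand. The log directory and the combined-format log lines below are constructed for the demo; that cPanel keeps the real per-domain logs under /usr/local/apache/domlogs is an assumption the thread does not state.

```shell
#!/bin/sh
# Constructed per-site access logs in Apache combined format (made-up domains,
# timestamps and user agents). On cPanel the real files would be the per-domain
# logs under /usr/local/apache/domlogs; pass that directory instead of $LOGDIR.
SERVER_IP=72.36.179.22
LOGDIR=$(mktemp -d)
cat > "$LOGDIR/chatsite.example" <<'EOF'
72.36.179.22 - - [10/Oct/2006:12:00:01 -0500] "GET /chat/stream.cgi?room=1 HTTP/1.0" 200 512 "-" "libwww-perl/5.8"
72.36.179.22 - - [10/Oct/2006:12:00:02 -0500] "GET /chat/stream.cgi?room=1 HTTP/1.0" 200 512 "-" "libwww-perl/5.8"
200.76.240.39 - - [10/Oct/2006:12:00:02 -0500] "GET /chat/index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
72.36.179.22 - - [10/Oct/2006:12:00:03 -0500] "GET /chat/chatpm.cgi HTTP/1.0" 200 128 "-" "libwww-perl/5.8"
EOF
cat > "$LOGDIR/other.example" <<'EOF'
66.50.189.44 - - [10/Oct/2006:12:00:05 -0500] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
EOF

# Requests from IP $1 in every log file under directory $2.
# Prints "<count> <logfile name>", busiest site first.
self_hits_per_site() {
    for f in "$2"/*; do
        n=$(awk -v ip="$1" '$1 == ip { c++ } END { print c + 0 }' "$f")
        printf '%s %s\n' "$n" "$(basename "$f")"
    done | sort -rn
}

# Which URL paths IP $1 requests in log file $2 (query string stripped).
# Prints "<count> <path>", most requested first.
self_hit_paths() {
    awk -v ip="$1" '$1 == ip { split($7, u, "?"); print u[1] }' "$2" \
        | sort | uniq -c | sort -rn
}

self_hits_per_site "$SERVER_IP" "$LOGDIR"
self_hit_paths "$SERVER_IP" "$LOGDIR/chatsite.example"
# The temp directory is left in place so the functions can be re-run on it.
```
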

  5. #5

    Script?

    Quote Originally Posted by orbityl
    Well, you could see which one of your sites is getting tons of hits from your own IP address by checking their log files; this may be tedious depending on the number of sites you're hosting. Are you using a control panel?

    Thanks,
    :-)
    Orbityl
    Yes, I have cPanel and WHM, and I do have like 50 sites on the server, but only one uses the IP 72.36.179.22 and that seems to be the one with the problem. I am the owner of that account as well, so I guess the script is coming from there... I guess it may be the chat room that uses a stream.cgi file (Ralph's chat).

    Let me check that by turning it off.

    Somebody told me I could use something like:

    iptables -A INPUT -p tcp -s 127.0.0.1 -d 72.36.179.22 --dport 80 -j DROP
    iptables -A INPUT -p tcp -s 72.36.179.22 -d 72.36.179.22 --dport 80 -j DROP

    and I did, but since the destination port seems random, it didn't help, I guess.

  6. #6
    Do you see anything strange when you do ps -u nobody from SSH?

    Orbityl


  7. #7

    script :S

    At this precise moment I have run netstat -nap and it shows:

    tcp 0 0 72.36.179.22:80 201.143.18.117:60890 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36020 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 200.38.17.120:2938 FIN_WAIT2 -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36021 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36022 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36023 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36024 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 201.143.18.117:60881 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36025 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 201.150.143.20:3381 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36026 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36029 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36030 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36031 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36032 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 200.79.134.29:61589 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 200.79.134.29:61588 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36034 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35779 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36035 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36036 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35780 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36037 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35781 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36038 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35782 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36039 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35783 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35784 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36040 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35785 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36041 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35786 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:36042 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35787 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35788 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35789 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35790 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35791 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35792 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35793 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35794 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 200.76.240.39:26824 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35795 TIME_WAIT -
    tcp 0 16552 72.36.179.22:80 200.76.240.39:5577 ESTABLISHED 16262/httpd
    tcp 0 0 72.36.179.22:80 72.36.179.22:35796 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35797 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35798 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 200.76.240.39:25804 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35799 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35800 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35801 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35802 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35803 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35804 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35805 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35806 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 200.76.240.39:26564 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35807 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35808 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35809 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 66.50.189.44:3267 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35810 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 66.50.189.44:3264 FIN_WAIT2 -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35811 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35812 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35813 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35814 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 200.94.161.156:49402 ESTABLISHED 19591/httpd
    tcp 0 0 72.36.179.22:80 72.36.179.22:35815 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35816 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35817 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35818 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35819 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 200.79.144.161:2027 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35820 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35821 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35822 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35823 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 72.36.179.22:35824 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 200.76.240.39:26858 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 66.50.189.44:3282 TIME_WAIT -
    tcp 0 0 72.36.179.22:80 200.79.144.161:2032 ESTABLISHED 10129/httpd
    tcp 0 0 72.36.179.22:80 72.36.179.22:35825 TIME_WAIT -
    tcp 0 1 72.36.179.22:80 200.79.134.29:61604 FIN_WAIT1 -
    tcp 0 0 72.36.179.22:80 200.79.144.161:2033 ESTABLISHED 15034/httpd
    tcp 0 0 72.36.179.22:80 72.36.179.22:35826 TIME_WAIT -
    As you can see, a lot of the same thing (a lot more now). The command you told me gives:

    [email protected] [/home/intercam]# ps -u nobody
    PID TTY TIME CMD
    1266 ? 00:00:00 entropychat
    300 ? 00:00:08 httpd
    19550 ? 00:00:00 httpd
    24692 ? 00:00:13 httpd
    28113 ? 00:00:25 httpd
    30268 ? 00:00:16 httpd
    31918 ? 00:00:03 httpd
    32485 ? 00:00:19 httpd
    32499 ? 00:00:10 httpd
    1125 ? 00:00:19 httpd
    3541 ? 00:00:26 httpd
    5870 ? 00:00:25 httpd
    6005 ? 00:00:20 httpd
    7549 ? 00:00:16 httpd
    8057 ? 00:00:06 httpd
    8100 ? 00:00:18 httpd
    8289 ? 00:00:29 httpd
    8555 ? 00:00:13 httpd
    9526 ? 00:00:21 httpd
    10129 ? 00:00:09 httpd
    10525 ? 00:00:17 httpd
    10601 ? 00:00:10 httpd
    11456 ? 00:00:06 httpd
    11484 ? 00:00:06 httpd
    11787 ? 00:00:09 httpd
    11839 ? 00:00:10 httpd
    12473 ? 00:00:03 httpd
    12615 ? 00:00:05 httpd
    13717 ? 00:00:08 httpd
    13756 ? 00:00:18 httpd
    14271 ? 00:00:07 httpd
    15034 ? 00:00:03 httpd
    15810 ? 00:00:11 httpd
    16262 ? 00:00:09 httpd
    16349 ? 00:00:03 httpd
    16622 ? 00:00:08 httpd
    16742 ? 00:00:03 httpd
    16838 ? 00:00:05 httpd
    16965 ? 00:00:05 httpd
    17316 ? 00:00:04 httpd
    17770 ? 00:00:07 httpd
    17779 ? 00:00:09 httpd
    18277 ? 00:00:12 httpd
    18632 ? 00:00:00 httpd
    18972 ? 00:00:05 httpd
    19015 ? 00:00:04 httpd
    19591 ? 00:00:03 httpd
    19636 ? 00:00:03 httpd
    19640 ? 00:00:06 httpd
    19641 ? 00:00:02 httpd
    20059 ? 00:00:11 httpd
    20064 ? 00:00:01 httpd
    20072 ? 00:00:03 httpd
    20296 ? 00:00:02 httpd
    20432 ? 00:00:02 httpd
    20664 ? 00:00:00 httpd
    20760 ? 00:00:02 httpd
    22139 ? 00:00:11 httpd
    22160 ? 00:00:03 httpd
    22367 ? 00:00:01 httpd
    23192 ? 00:00:00 httpd
    23873 ? 00:00:00 httpd
    23894 ? 00:00:00 httpd
    23944 ? 00:00:01 httpd
    24028 ? 00:00:00 httpd
    24165 ? 00:00:00 httpd
    24167 ? 00:00:00 httpd
    24168 ? 00:00:00 httpd
    24173 ? 00:00:00 httpd
    24466 ? 00:00:00 httpd
    24540 ? 00:00:00 httpd
    24558 ? 00:00:00 httpd
    24799 ? 00:00:00 httpd
    24830 ? 00:00:00 httpd
    24834 ? 00:00:00 httpd
    24835 ? 00:00:00 httpd
    And ps -u userusingtheip gives me:

    11170 ? 00:00:09 stream.cgi
    19732 ? 00:00:08 stream.cgi
    7372 ? 00:00:01 stream.cgi
    16142 ? 00:00:01 stream.cgi
    17505 ? 00:00:00 stream.cgi
    19603 ? 00:00:00 stream.cgi
    20098 ? 00:00:00 stream.cgi
    21006 ? 00:00:00 stream.cgi
    22037 ? 00:00:00 stream.cgi
    23607 ? 00:00:00 stream.cgi
    23648 ? 00:00:00 stream.cgi
    23667 ? 00:00:00 stream.cgi
    24288 ? 00:00:00 stream.cgi
    24328 ? 00:00:00 pure-ftpd
    24513 ? 00:00:00 stream.cgi
    24538 ? 00:00:00 stream.cgi
    24958 ? 00:00:00 stream.cgi
    24988 ? 00:00:00 chatpm.cgi
    Any ideas??
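
Added example, not code posted in the thread: a shell helper that tallies the port-80 self-connections in saved `netstat -nap` output by state and names the processes holding the client side of them (local ephemeral port, remote port 80), since that is the socket that identifies the script. The listing above shows only the server-side (:80) sockets, and TIME_WAIT sockets belong to no process any more, which is why their PID column reads `-`; the sample below is constructed to match the thread's pattern, with made-up PIDs.

```shell
#!/bin/sh
# Constructed sample of `netstat -nap` output (server IP 72.36.179.22, PIDs
# made up). Columns: proto recv-q send-q local foreign state pid/program.
SAMPLE='tcp 0 0 72.36.179.22:80 72.36.179.22:46007 TIME_WAIT -
tcp 0 0 72.36.179.22:80 72.36.179.22:46008 TIME_WAIT -
tcp 0 0 72.36.179.22:80 200.76.240.39:5577 ESTABLISHED 16262/httpd
tcp 0 0 72.36.179.22:46009 72.36.179.22:80 ESTABLISHED 11170/stream.cgi
tcp 0 0 72.36.179.22:80 72.36.179.22:46009 ESTABLISHED 19591/httpd
tcp 0 0 127.0.0.1:3306 127.0.0.1:51000 ESTABLISHED 2222/mysqld'

# Connections whose local and remote IP are identical and that involve port 80
# on either side, counted per TCP state. Prints "<state> <count>".
self_conn_by_state() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" {
            split($4, l, ":"); split($5, r, ":")
            if (l[1] == r[1] && (l[2] == "80" || r[2] == "80")) n[$6]++
        }
        END { for (s in n) print s, n[s] }' | sort
}

# Processes that own the *client* side of a self-connection to port 80, i.e.
# the socket with an ephemeral local port and remote port 80. Only sockets
# still bound to a process count (TIME_WAIT shows "-"), so run netstat as
# root while the script is active. Prints "<count> <pid/program>".
self_conn_clients() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $7 != "-" {
            split($4, l, ":"); split($5, r, ":")
            if (l[1] == r[1] && r[2] == "80") print $7
        }' | sort | uniq -c | sort -rn
}

self_conn_by_state "$SAMPLE"
self_conn_clients "$SAMPLE"
```

On the live box the same functions take the real listing, e.g. `self_conn_clients "$(netstat -nap)"`, run as root so the PID column is filled in for every user's processes.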

  8. #8
    See what stream.cgi does.

  9. #9
    If you want an easy solution, block the user and see what happens. I would also investigate that stream.cgi. Basically it appears that the user is for some reason connecting a lot of times to a resource-intensive server and killing it; if it is the owner of the account, then depending on your TOS/AUP you should be able to suspend him for using too many resources.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service
