  1. #1

    * unusual connection from my apache server to another IP (cpanel)

    Hello,

    As far as I know, it seems that my web server is connecting to another IP (84.20.6.132). It has a lot of lines like this:

    Code:
    tcp        0   4479 xx.xx.xx.xx:80             88.7.160.124:4942           ESTABLISHED 6358/httpd
    tcp        0      0 xx.xx.xx.xx:80             87.219.168.218:1987         ESTABLISHED 24356/httpd
    tcp        0   2288 xx.xx.xx.xx:80             88.7.160.124:4929           ESTABLISHED 13402/httpd
    tcp        0  40834 xx.xx.xx.xx:80             88.17.6.80:4829             ESTABLISHED 6368/httpd
    tcp        0      1 xx.xx.xx.xx:41749          84.20.6.132:80              SYN_SENT    8390/httpd
    tcp        0      1 xx.xx.xx.xx:41756          84.20.6.132:80              SYN_SENT    6710/httpd
    tcp        0      1 xx.xx.xx.xx:41778          84.20.6.132:80              SYN_SENT    6193/httpd
    tcp        0      1 xx.xx.xx.xx:41778          84.20.6.132:80              SYN_SENT    6193/httpd
    tcp        0      1 xx.xx.xx.xx:41766          84.20.6.132:80              SYN_SENT    6168/httpd
    tcp        0      1 xx.xx.xx.xx:41768          84.20.6.132:80              SYN_SENT    5880/httpd
    tcp        0      1 xx.xx.xx.xx:41769          84.20.6.132:80              SYN_SENT    6757/httpd
    tcp        0      1 xx.xx.xx.xx:41770          84.20.6.132:80              SYN_SENT    6805/httpd
    server ip = xx.xx.xx.xx

    I got that by running netstat -anp | grep httpd | grep -v CONNECTED ...

    I also banned IP 84.20.6.132 with CSF Firewall at /etc/csf/csf.deny, and added ALL : 84.20.6.132 into the /etc/hosts.deny file, rebooted the server, and the IP is still connected... Also, that IP doesn't appear in the server status..

    I'm not familiar with that IP. How can I stop that connection??
    I'm using RHEL 4 + cPanel.

    Thanks.
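Reading the netstat output above the way a defender would: the lines with an ephemeral local port (41749, 41756, ...) and remote port 80 are sockets the httpd workers opened themselves, and SYN_SENT means they are still trying to reach out; inbound access controls such as /etc/hosts.deny never see such a connection. The script below is an added example, not code from this thread; it parses constructed `netstat -anp` lines (10.0.0.5 stands in for the masked server address) and lists, per program, the outbound sockets grouped by remote endpoint and owning PID, so those PIDs can then be inspected with lsof or /proc.

```python
import re
from collections import defaultdict

# Constructed sample in `netstat -anp` format; 10.0.0.5 stands in for the masked
# server address, the remote IPs mirror the thread, and the sshd/LISTEN lines
# are there to be ignored by the filter.
SAMPLE = """\
tcp        0   4479 10.0.0.5:80      88.7.160.124:4942     ESTABLISHED 6358/httpd
tcp        0      0 10.0.0.5:80      87.219.168.218:1987   ESTABLISHED 24356/httpd
tcp        0      1 10.0.0.5:41749   84.20.6.132:80        SYN_SENT    8390/httpd
tcp        0      1 10.0.0.5:41756   84.20.6.132:80        SYN_SENT    6710/httpd
tcp        0      0 10.0.0.5:22      203.0.113.9:51000     ESTABLISHED 1201/sshd
tcp        0      0 0.0.0.0:80       0.0.0.0:*             LISTEN      1100/httpd
"""

# Columns: proto recv-q send-q local:port remote:port state pid/program
LINE = re.compile(r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
                  r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?P<state>\S+)\s+(?P<owner>\S+)\s*$")

def parse_netstat(text):
    """Yield one dict per TCP line; headers and udp lines do not match and are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        pid, _, rec["prog"] = rec.pop("owner").partition("/")
        rec["pid"] = int(pid) if pid.isdigit() else None   # "-" when the owner is not visible
        rec["lport"] = int(rec["lport"])
        rec["rport"] = int(rec["rport"]) if rec["rport"].isdigit() else None  # "*" on LISTEN
        yield rec

def outbound_connections(text, prog="httpd", served_ports=(80, 443)):
    """Sockets `prog` opened itself: not LISTEN, and the local port is not one it serves."""
    return [r for r in parse_netstat(text)
            if r["prog"] == prog and r["state"] != "LISTEN" and r["lport"] not in served_ports]

def summarize(conns):
    """Group outbound sockets by remote endpoint -> owning PIDs and TCP states."""
    out = defaultdict(lambda: {"pids": set(), "states": set()})
    for c in conns:
        out[(c["raddr"], c["rport"])]["pids"].add(c["pid"])
        out[(c["raddr"], c["rport"])]["states"].add(c["state"])
    return dict(out)

if __name__ == "__main__":
    for (addr, port), info in summarize(outbound_connections(SAMPLE)).items():
        print(f"{addr}:{port} pids={sorted(info['pids'])} states={sorted(info['states'])}")
```

On a live box, replace SAMPLE with the output of `netstat -anp`; the `served_ports` argument must list every port the daemon actually listens on, otherwise its inbound sockets show up as outbound.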

  2. #2
    Before blocking, why not try to figure out why this is even happening in the first place? It could be legit, or perhaps not.

    lsof -p pid
    ls -al /proc/pid

    etc

  3. #3
    I already tried that and don't see anything unusual...
    This is very rare..

  4. #4
    Do you have mod_security installed?

  5. #5
    Yes I have; it is installed and has eth0's rules + some gotroot rules...

    thanks

  6. #6
    Try adding that IP in host.deny and also directly add the iptables rules. I think the CSF firewall should block it; have you restarted its service?

    Thanks,
