Results 1 to 6 of 6
  1. #1
    Join Date
    Apr 2006

    * unusual connection from my apache server to another IP (cpanel)


    As far as I know.. It seems that my web server is connecting to another IP ( it have lot of lines like this:

    tcp        0   4479 xx.xx.xx.xx:80              ESTABLISHED 6358/httpd
    tcp        0      0 xx.xx.xx.xx:80            ESTABLISHED 24356/httpd
    tcp        0   2288 xx.xx.xx.xx:80              ESTABLISHED 13402/httpd
    tcp        0  40834 xx.xx.xx.xx:80                ESTABLISHED 6368/httpd
    tcp        0      1 xx.xx.xx.xx:41749              SYN_SENT    8390/httpd
    tcp        0      1 xx.xx.xx.xx:41756              SYN_SENT    6710/httpd
    tcp        0      1 xx.xx.xx.xx:41778              SYN_SENT    6193/httpd
    tcp        0      1 xx.xx.xx.xx:41778              SYN_SENT    6193/httpd
    tcp        0      1 xx.xx.xx.xx:41766              SYN_SENT    6168/httpd
    tcp        0      1 xx.xx.xx.xx:41768              SYN_SENT    5880/httpd
    tcp        0      1 xx.xx.xx.xx:41769              SYN_SENT    6757/httpd
    tcp        0      1 xx.xx.xx.xx:41770              SYN_SENT    6805/httpd
    server ip = xx.xx.xx.xx

    I got that running netstat -anp | grep httpd | grep -v CONNECTED ...

    I also banned IP with CSF Firewall at /etc/csf/csf.deny, and added like ALL : into /etc/hosts.deny file.. rebooted the server, and the IP still connected... Also that IP doesnt appear at the server status..

    I'm not familiar with that IP, and How can I stop that connection ??
    Im using RHE 4 + cpanel.


  2. #2
    Before blocking, why not try to figure out why this is even happening in the first place? It could be legit, or perhaps not.

    lsof -p pid
    ls -al /proc/pid


  3. #3
    Join Date
    Apr 2006
    I already tried that and don't see anything unusual...
    This is very rare..

  4. #4
    Join Date
    Jan 2005
    do you have mod_security installed?

  5. #5
    Join Date
    Apr 2006
    yes I have , it is installed and got eth0's rules + some gotroot rules...


  6. #6
    Try by adding that IP in host.deny and also directly add the iptables rules. I think csf firewall should block it, have you restarted its service?


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts