  1. #1

    Possible problem with the ethernet of my dedi?

    Hello, I have recently got this server; we moved to this server in the same datacenter.

    Linux OS: CentOS 5.4
    Kernel Version (uname -r): 2.6.28.7
    Hardware Information: Core i7 920 + 12 GB RAM
    Software: CSF firewall, OSSEC intrusion detection system, RVSiteBuilder
    Control Panel (if any): WHM + Fantastico

    Yesterday the DC tech logged in by SSH (root) because we couldn't connect to the FTP box where we keep our backups (the new box couldn't connect to the FTP; it got a timeout).
    They fixed it.

    Today I got a timeout, and after two resets and restarting of services the server was back again. Then I got these messages, and they are still coming (for 3 hours now I get one similar message every 5 seconds):

    Code:
    Nov  4 12:31:20 gandalf kernel: martian source 217.20.117.1 from 127.0.0.239, on dev eth0
    Nov  4 12:31:20 gandalf kernel: ll header: ff:ff:ff:ff:ff:ff:00:1a:4b:3a:7e:23:08:06
    Nov  4 12:31:21 gandalf kernel: martian source 217.20.117.1 from 127.0.0.244, on dev eth0
    Nov  4 12:31:21 gandalf kernel: ll header: ff:ff:ff:ff:ff:ff:00:1a:4b:3a:7e:23:08:06
    Nov  4 12:31:22 gandalf kernel: martian source 217.20.117.1 from 127.0.0.252, on dev eth0
    Nov  4 12:31:22 gandalf kernel: ll header: ff:ff:ff:ff:ff:ff:00:18:71:80:07:86:08:06
    Nov  4 12:31:22 gandalf kernel: martian source 217.20.117.1 from 127.0.0.244, on dev eth0
    Nov  4 12:31:22 gandalf kernel: ll header: ff:ff:ff:ff:ff:ff:00:1a:4b:3a:7e:23:08:06
    Also, the firewall stopped port scanning from a server within the same DC.

    I checked on Google and the explanations vary, but most say it is a problem with the router/switch or similar.

    Can anyone help me or guide me on what to search for more, either me or the DC techs?

    Thanks
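    To make sense of the kernel lines in this post, here is a small parser (an added example, not code from the thread or from anyone posting in it) that splits each "martian source" line into destination, claimed source and interface, decodes the "ll header" line that follows it into destination MAC, source MAC and ethertype, and tallies who is sending what. The sample log is constructed from the lines quoted above. The kernel prints the line as "martian source <destination> from <source>", and the last two bytes of every header here are 08:06, i.e. the ARP ethertype, so these are broadcast ARP frames whose sender-IP field claims a 127.0.0.x address; the source MACs the parser pulls out are what a DC tech needs to find the sending machines on the switch.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the kernel lines quoted in the post. Each
# "martian source" line is followed by an "ll header" line dumping the first
# 14 bytes of the frame: dst MAC (6), src MAC (6), ethertype (2).
SAMPLE_LOG = """\
Nov  4 12:31:20 gandalf kernel: martian source 217.20.117.1 from 127.0.0.239, on dev eth0
Nov  4 12:31:20 gandalf kernel: ll header: ff:ff:ff:ff:ff:ff:00:1a:4b:3a:7e:23:08:06
Nov  4 12:31:21 gandalf kernel: martian source 217.20.117.1 from 127.0.0.244, on dev eth0
Nov  4 12:31:21 gandalf kernel: ll header: ff:ff:ff:ff:ff:ff:00:1a:4b:3a:7e:23:08:06
Nov  4 12:31:22 gandalf kernel: martian source 217.20.117.1 from 127.0.0.252, on dev eth0
Nov  4 12:31:22 gandalf kernel: ll header: ff:ff:ff:ff:ff:ff:00:18:71:80:07:86:08:06
"""

# The kernel prints "martian source <daddr> from <saddr>, on dev <if>".
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})")

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def parse_ll_header(hexstr):
    """Decode the 14-byte Ethernet header dump into dst MAC, src MAC and ethertype."""
    octets = bytes.fromhex(hexstr.replace(":", ""))

    def mac(b):
        return ":".join(f"{x:02x}" for x in b)

    ethertype = int.from_bytes(octets[12:14], "big")
    return {
        "dst_mac": mac(octets[0:6]),
        "src_mac": mac(octets[6:12]),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def classify_source(ip):
    """Say why an address should never appear as a source on a public interface."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    if addr.is_link_local:
        return "link-local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_reserved or addr.is_unspecified:
        return "reserved"
    return "global"


def parse_martians(text):
    """Pair each martian line with the ll header line that follows it."""
    events = []
    pending = None
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            pending = {"dst": m.group(1), "src": m.group(2), "dev": m.group(3),
                       "src_class": classify_source(m.group(2))}
            events.append(pending)
            continue
        h = LLHDR_RE.search(line)
        if h and pending is not None:
            pending.update(parse_ll_header(h.group(1)))
            pending = None
    return events


def summarize(events):
    """Count events per (source MAC, frame type, reason the source is martian)."""
    return Counter((e.get("src_mac", "?"), e.get("ethertype_name", "?"), e["src_class"])
                   for e in events)


if __name__ == "__main__":
    for key, n in summarize(parse_martians(SAMPLE_LOG)).most_common():
        print(f"{n:4d}  src_mac={key[0]}  frame={key[1]}  source={key[2]}")
```

    Feed it the relevant lines from /var/log/messages; the per-MAC counts tell you how many distinct neighbours are involved (two in the sample above), which is more useful to the DC than the raw 127.0.0.x addresses, since those can be claimed by any host on the segment.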

  2. #2
    Hi!

    Hmmm... that's rather weird. Can you run a packet sniffer and see if you can get more info? 127.0.0.0/8 is reserved for loopback interfaces (lo), so I could think of some kind of attack here (but I'm just speculating).

    Can you run tcpdump for a while and see what it returns? (Please filter out port 22, or whatever port you have SSH running on, or else you will see the capture flooded by those.)

  3. #3
    Hello,
    I ran a tcpdump filtering the SSH port.

    I found these weird things:

    Code:
    16:26:16.956623 IP 95-168-183-182.internetserviceteam.com.sent-lm > 255.255.255.255.binderysupport: UDP, length 32
    16:26:16.956636 IP 95-168-183-182.internetserviceteam.com.sent-lm > 255.255.255.255.cr-websystems: UDP, length 32
    16:26:16.956645 IP 95-168-183-182.internetserviceteam.com.sent-lm > 255.255.255.255.idcp: UDP, length 32
    16:26:16.956651 IP 95-168-183-182.internetserviceteam.com.sent-lm
    16:34:15.258919 arp who-has sexually.assaulted.by.pirat3.com tell 89-149-218-93.internetserviceteam.com
    17:01:32.504274 arp who-has 95-168-183-1.internetserviceteam.com tell 95.168.183.240
    17:03:15.188637 IP ns9.dnspro.de.domain > mydomain.38128:  31901 1/4/4 (206)
    17:03:15.188752 IP mydomain.51376 > ns9.dnspro.de.domain:  7747+ PTR? 2.116.20.217.in-addr.arpa. (43)
    17:03:15.189149 IP ns9.dnspro.de.domain > mydomain.51376:  7747 1/2/2 (135)
    17:03:15.244610 IP 88.218.236.142.61447 > mydomain.http: . ack 855 win 64059
    17:03:59.476539 IP 95-168-183-182.internetserviceteam.com.sent-lm > 255.255.255.255.binderysupport: UDP, length 32
    17:03:59.476557 IP 95-168-183-182.internetserviceteam.com.sent-lm > 255.255.255.255.cr-websystems: UDP, length 32
    17:03:59.476571 IP 95-168-183-182.internetserviceteam.com.sent-lm > 255.255.255.255.idcp: UDP, length 32
    P 95-168-183-182.internetserviceteam.com.sent-lm > 255.255.255.255.norton-lambert: UDP, length 32
    17:03:59.476598 IP 95-168-183-182.internetserviceteam.com.sent-lm > 255.255.255.255.psbserver: UDP, length 32
    17:03:59.476611 IP 95-168-183-182.internetserviceteam.com.sent-lm > 255.255.255.255.digiman: UDP, length 32
    internetserviceteam is the address of my DC, so that IP is inside my DC.

  4. #4
    yay... I forgot to say: add "-n" to tcpdump, so it doesn't resolve all IPs.

  5. #5
    Some of them:

    Code:
    7:27:53.558951 IP 188.72.202.61.netbios-ns > 188.72.202.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    17:27:53.677585 IP 84.16.229.24.51248 > 239.255.255.250.ssdp: UDP, length 98
    17:27:53.698776 IP 95.168.183.182.sent-lm > 255.255.255.255.binderysupport: UDP, length 32
    17:27:53.698795 IP 95.168.183.182.sent-lm > 255.255.255.255.cr-websystems: UDP, length 32
    17:27:53.698810 IP 95.168.183.182.sent-lm > 255.255.255.255.idcp: UDP, length 32
    17:27:53.698824 IP 95.168.183.182.sent-lm > 255.255.255.255.norton-lambert: UDP, length 32
    17:27:53.698839 IP 95.168.183.182.sent-lm > 255.255.255.255.psbserver: UDP, length 32
    17:27:53.698853 IP 95.168.183.182.sent-lm > 255.255.255.255.digiman: UDP, length 32
    17:27:53.698868 IP 95.168.183.182.sent-lm > 255.255.255.255.2374: UDP, length 32
    17:27:53.698882 IP 95.168.183.182.sent-lm > 255.255.255.255.virtualtape: UDP, length 32
    17:27:53.698897 IP 95.168.183.182.sent-lm > 255.255.255.255.orbiter: UDP, length 32
    17:27:53.698911 IP 95.168.183.182.sent-lm > 255.255.255.255.vrts-registry: UDP, length 32
    17:27:53.698926 IP 95.168.183.182.sent-lm > 255.255.255.255.crmsbits: UDP, length 32
    17:27:53.698940 IP 95.168.183.182.sent-lm > 255.255.255.255.pxc-epmap: UDP, length 32
    17:27:53.698955 IP 95.168.183.182.sent-lm > 255.255.255.255.bues_service: UDP, length 32
    17:27:53.698969 IP 95.168.183.182.sent-lm > 255.255.255.255.griffin: UDP, length 32
    17:27:53.698984 IP 95.168.183.182.sent-lm > 255.255.255.255.taskman-port: UDP, length 32

    17:33:33.165872 IP6 fe80::fdc6:4f92:3b91:b9ed > ff02::1:ffff:fffe: ICMP6, neighbor solicitation, who has fe80::ffff:ffff:fffe, length 32

    17:32:45.617004 arp who-has 78.159.116.245 tell 89.149.218.93
    17:32:45.686930 IP 188.72.202.61.netbios-ns > 188.72.202.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    17:32:45.692540 IP6 fe80::dc09:138c:cf78:83a4 > ff02::1:ffff:fffe: ICMP6, neighbor solicitation, who has fe80::ffff:ffff:fffe, length 32
    17:32:45.757022 IP 188.72.202.61.netbios-ns > 188.72.202.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

    17:33:35.248649 arp who-has 217.20.117.1 tell 95.168.183.219
    17:33:35.288068 IP 88.218.236.142.62789 > 188.72.202.104.http: . ack 835 win 64506
    17:33:35.396451 IP6 fe80::fdc6:4f92:3b91:b9ed > ff02::1:ffff:fffe: ICMP6, neighbor solicitation, who has fe80::ffff:ffff:fffe, length 32
    17:33:35.567275 IP 61.220.8.20.33517 > 188.72.202.92.domain:  33159 [1au] A? irc.seviyorsun.net. (47)
    17:33:35.574813 IP 188.72.202.104.60780 > 10.1.60.23.smtp: S 2008761098:2008761098(0) win 5840 <mss 1460>
    17:33:35.623686 IP 188.72.202.61.netbios-ns > 188.72.202.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    17:33:35.765150 IP 188.72.202.61.netbios-ns > 188.72.202.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    17:33:35.768713 arp who-has 78.138.170.190 tell 78.159.121.118
    17:33:35.846497 IP 188.72.202.61.netbios-ns > 188.72.202.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    17:33:35.865259 IP6 fe80::6da0:fc81:e8f9:ed8b > ff02::1:ffff:fffe: ICMP6, neighbor solicitation, who has fe80::ffff:ffff:fffe, length 32
    17:33:35.884456 arp who-has 95.168.183.1 tell 95.168.183.53
    17:33:36.001701 IP 0.0.0.0.snmptrap > 0.0.0.0.snmptrap:  Trap(97)  .1.3.6.1.4.1.3183.1.1 0.0.0.0 enterpriseSpecific s=2453248 38745376 .1.3[|snmp]
    17:33:36.007500 IP 188.72.202.61.netbios-ns > 188.72.202.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    17:33:36.011465 arp who-has 95.168.183.1 tell 95.168.183.217
    17:33:36.094569 IP6 fe80::2c17:9e4f:2d38:bfaa.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
    17:33:36.167246 IP6 fe80::fdc6:4f92:3b91:b9ed > ff02::1:ffff:fffe: ICMP6, neighbor solicitation, who has fe80::ffff:ffff:fffe, length 32
    17:33:36.185471 IP 84.16.229.24.65144 > 239.255.255.250.ssdp: UDP, length 98
    
    17:36:04.696370 IP 95.168.183.182.sent-lm > 255.255.255.255.binderysupport: UDP, length 32
    17:36:04.696391 IP 95.168.183.182.sent-lm > 255.255.255.255.cr-websystems: UDP, length 32
    17:36:04.696408 IP 95.168.183.182.sent-lm > 255.255.255.255.idcp: UDP, length 32
    17:36:04.696424 IP 95.168.183.182.sent-lm > 255.255.255.255.norton-lambert: UDP, length 32
    17:36:04.696442 IP 95.168.183.182.sent-lm > 255.255.255.255.psbserver: UDP, length 32
    17:36:04.696458 IP 95.168.183.182.sent-lm > 255.255.255.255.digiman: UDP, length 32
    17:36:04.696475 IP 95.168.183.182.sent-lm > 255.255.255.255.2374: UDP, length 32
    17:36:04.696491 IP 95.168.183.182.sent-lm > 255.255.255.255.virtualtape: UDP, length 32
    17:36:04.696510 IP 95.168.183.182.sent-lm > 255.255.255.255.orbiter: UDP, length 32
    17:36:04.696526 IP 95.168.183.182.sent-lm > 255.255.255.255.vrts-registry: UDP, length 32
    17:36:04.696542 IP 95.168.183.182.sent-lm > 255.255.255.255.crmsbits: UDP, length 32
    17:36:04.696558 IP 95.168.183.182.sent-lm > 255.255.255.255.pxc-epmap: UDP, length 32
    17:36:04.696575 IP 95.168.183.182.sent-lm > 255.255.255.255.bues_service: UDP, length 32
    17:36:04.696591 IP 95.168.183.182.sent-lm > 255.255.255.255.griffin: UDP, length 32
    17:36:04.696607 IP 95.168.183.182.sent-lm > 255.255.255.255.taskman-port: UDP, length 32
    17:36:04.707045 IP 94.68.251.247.4944 > 188.72.202.104.http: . ack 11616 win 65535
    
    17:38:27.744231 IP 188.72.202.104.smtp > 174.133.206.90.40759: F 2017:2017(0) ack 206886 win 65535
    17:38:27.763347 IP 88.218.236.142.62791 > 188.72.202.104.gnunet: . ack 665 win 65340
    17:38:27.785318 arp who-has 217.20.117.1 tell 95.168.183.219
    17:38:27.819990 arp who-has 95.168.183.1 tell 95.168.183.240
    17:38:27.822979 IP 88.218.236.142.62841 > 188.72.202.104.http: P 6315:7214(899) ack 2950 win 64506
    17:38:27.823004 IP 188.72.202.104.http > 88.218.236.142.62841: . ack 7214 win 63700
    17:38:27.860700 IP 85.72.60.150.15131 > 188.72.202.104.smtp: . 56400:57852(1452) ack 1 win 65535
    17:38:27.860744 IP 188.72.202.104.smtp > 85.72.60.150.15131: . ack 57852 win 65535
    17:38:27.864248 IP 174.133.206.90.40759 > 188.72.202.104.smtp: . ack 1980 win 11638
    17:38:27.864267 IP 174.133.206.90.40759 > 188.72.202.104.smtp: . ack 2017 win 11638
    17:38:27.864445 IP 174.133.206.90.40759 > 188.72.202.104.smtp: R 206886:206886(0) ack 2017 win 11638
    17:38:27.864521 IP 174.133.206.90.40759 > 188.72.202.104.smtp: R 623931481:623931481(0) win 0
    17:38:27.864684 IP 188.72.202.104.http > 88.218.236.142.62841: P 2950:3372(422) ack 7214 win 63700
    17:38:27.866852 IP 188.72.202.104.http > 88.218.236.142.62841: P 3372:3377(5) ack 7214 win 63700
    17:38:27.873013 IP 174.133.206.90.smtp > 188.72.202.104.45950: P 254:306(52) ack 77 win 5840
    17:38:27.924519 IP 88.218.236.142.62841 > 188.72.202.104.http: . ack 3377 win 64079
    17:38:28.029564 IP 195.46.1.35.smtp > 188.72.202.104.17420: FP 130:145(15) ack 117952 win 65535
    17:38:28.057169 arp who-has 95.15.114.110 tell 95.168.187.230
    17:38:28.094495 IP 188.72.202.104.http > 94.68.251.247.nimreg: F 335:335(0) ack 826 win 7425
    17:38:28.127577 arp who-has 84.77.14.149 tell 84.16.247.130
    17:38:28.148127 IP 94.68.251.247.nimreg > 188.72.202.104.http: . ack 336 win 65201
    17:38:28.255701 IP 67.218.116.133.42796 > 188.72.202.104.http: S 2914755276:2914755276(0) win 5840 <mss 1460,sackOK,timestamp 926205446 0,nop,wscale 7>
    17:38:28.255740 IP 188.72.202.104.http > 67.218.116.133.42796: S 3001874313:3001874313(0) ack 2914755277 win 5840 <mss 1460>
    17:38:28.435028 IP 67.218.116.133.42796 > 188.72.202.104.http: . ack 1 win 5840
    17:38:28.478563 IP 67.218.116.133.42796 > 188.72.202.104.http: P 1:314(313) ack 1 win 5840
    17:38:28.478600 IP 188.72.202.104.http > 67.218.116.133.42796: . ack 314 win 6432
    17:38:28.539884 IP 188.72.202.104.28414 > 217.20.115.1.domain:  53419+ PTR? 142.236.218.88.in-addr.arpa. (45)
    17:38:28.540242 IP 217.20.115.1.domain > 188.72.202.104.28414:  53419 NXDomain 0/1/0 (103)
    17:38:28.602471 IP 188.72.202.104.http > 67.218.116.133.42796: P 1:631(630) ack 314 win 6432
    17:38:28.602594 IP 188.72.202.104.http > 67.218.116.133.42796: F 631:631(0) ack 314 win 6432
    17:38:28.656804 IP 85.72.60.150.15131 > 188.72.202.104.smtp: . 57852:59304(1452) ack 1 win 65535
    17:38:28.656847 IP 188.72.202.104.smtp > 85.72.60.150.15131: . ack 59304 win 65535
    17:38:28.672100 IP 85.72.60.150.15131 > 188.72.202.104.smtp: . 59304:60756(1452) ack 1 win 65535
    17:38:28.672133 IP 188.72.202.104.smtp > 85.72.60.150.15131: . ack 60756 win 65535
    17:38:28.781081 IP 67.218.116.133.42796 > 188.72.202.104.http: . ack 631 win 6930
    17:38:28.785203 arp who-has 217.20.117.1 tell 95.168.183.219
    17:38:28.798249 arp who-has 95.168.183.1 tell 95.168.183.217
    17:38:28.806663 IP 67.218.116.133.42796 > 188.72.202.104.http: F 314:314(0) ack 632 win 6930
    17:38:28.806698 IP 188.72.202.104.http > 67.218.116.133.42796: . ack 315 win 6432
    17:38:28.819882 arp who-has 95.168.183.1 tell 95.168.183.240
    17:38:28.871685 arp who-has 212.95.39.123 tell 89.149.218.93
    17:38:28.965863 IP 91.191.170.170 > 95.168.183.230: ICMP echo request, id 13, seq 44560, length 36
    17:38:29.115202 IP 195.46.1.35.smtp > 188.72.202.104.17420: FP 130:145(15) ack 117952 win 65535
    17:38:29.167476 arp who-has 95.168.177.93 tell 95.168.189.133
    17:38:29.256307 arp who-has 78.159.61.65 tell 78.159.121.118
    17:38:29.326817 IP 95.168.183.182.sent-lm > 255.255.255.255.binderysupport: UDP, length 32
    17:38:29.326838 IP 95.168.183.182.sent-lm > 255.255.255.255.cr-websystems: UDP, length 32
    17:38:29.326858 IP 95.168.183.182.sent-lm > 255.255.255.255.idcp: UDP, length 32
    17:38:29.326874 IP 95.168.183.182.sent-lm > 255.255.255.255.norton-lambert: UDP, length 32
    17:38:29.326891 IP 95.168.183.182.sent-lm > 255.255.255.255.psbserver: UDP, length 32
    17:38:29.326908 IP 95.168.183.182.sent-lm > 255.255.255.255.digiman: UDP, length 32
    17:38:29.326925 IP 95.168.183.182.sent-lm > 255.255.255.255.2374: UDP, length 32
    17:38:29.326941 IP 95.168.183.182.sent-lm > 255.255.255.255.virtualtape: UDP, length 32
    17:38:29.326958 IP 95.168.183.182.sent-lm > 255.255.255.255.orbiter: UDP, length 32
    17:38:29.326975 IP 95.168.183.182.sent-lm > 255.255.255.255.vrts-registry: UDP, length 32
    17:38:29.326991 IP 95.168.183.182.sent-lm > 255.255.255.255.crmsbits: UDP, length 32
    17:38:29.327008 IP 95.168.183.182.sent-lm > 255.255.255.255.pxc-epmap: UDP, length 32
    17:38:29.327025 IP 95.168.183.182.sent-lm > 255.255.255.255.bues_service: UDP, length 32
    17:38:29.327041 IP 95.168.183.182.sent-lm > 255.255.255.255.griffin: UDP, length 32
    17:38:29.327058 IP 95.168.183.182.sent-lm > 255.255.255.255.taskman-port: UDP, length 32
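    The dumps in #3 and #5 are dominated by a handful of neighbours talking to broadcast and multicast addresses. To see at a glance who they are, here is a small summariser for tcpdump -n output (an added example, not code from anyone in the thread). It groups broadcast/multicast destinations by source address and counts the distinct destination ports each source hits, and separately tallies ARP who-has requests by the asking host. The sample capture is constructed from lines quoted above; the min_ports threshold and the ".255 means directed broadcast" heuristic are my own choices, and IP6 lines are skipped.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the tcpdump -n lines quoted in #5.
SAMPLE_DUMP = """\
17:27:53.558951 IP 188.72.202.61.netbios-ns > 188.72.202.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
17:27:53.677585 IP 84.16.229.24.51248 > 239.255.255.250.ssdp: UDP, length 98
17:27:53.698776 IP 95.168.183.182.sent-lm > 255.255.255.255.binderysupport: UDP, length 32
17:27:53.698795 IP 95.168.183.182.sent-lm > 255.255.255.255.cr-websystems: UDP, length 32
17:27:53.698810 IP 95.168.183.182.sent-lm > 255.255.255.255.idcp: UDP, length 32
17:27:53.698824 IP 95.168.183.182.sent-lm > 255.255.255.255.norton-lambert: UDP, length 32
17:27:53.698839 IP 95.168.183.182.sent-lm > 255.255.255.255.psbserver: UDP, length 32
17:27:53.698868 IP 95.168.183.182.sent-lm > 255.255.255.255.2374: UDP, length 32
17:32:45.617004 arp who-has 78.159.116.245 tell 89.149.218.93
17:33:35.248649 arp who-has 217.20.117.1 tell 95.168.183.219
17:33:35.574813 IP 188.72.202.104.60780 > 10.1.60.23.smtp: S 2008761098:2008761098(0) win 5840 <mss 1460>
17:38:27.785318 arp who-has 217.20.117.1 tell 95.168.183.219
17:38:28.255701 IP 67.218.116.133.42796 > 188.72.202.104.http: S 2914755276:2914755276(0) win 5840
"""

# "<time> IP <src>.<port> > <dst>.<port>: ..." and "<time> arp who-has <target> tell <sender>"
IP_RE = re.compile(r"^\S+ IP (\S+) > (\S+):")
ARP_RE = re.compile(r"^\S+ arp who-has (\S+) tell (\S+)")


def split_endpoint(endpoint):
    """tcpdump writes 'host.port' (port may be a service name); split on the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def is_broadcast_or_multicast(host):
    """Limited broadcast, multicast, or (heuristic) a .255 directed broadcast."""
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return (addr == ipaddress.IPv4Address("255.255.255.255")
            or addr.is_multicast
            or host.endswith(".255"))


def summarize_segment(text):
    """Return (broadcast talkers by source, ARP requests by sender -> target)."""
    talkers = defaultdict(lambda: {"packets": 0, "ports": set()})
    arp = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            src_host, _ = split_endpoint(m.group(1))
            dst_host, dst_port = split_endpoint(m.group(2))
            if is_broadcast_or_multicast(dst_host):
                talkers[src_host]["packets"] += 1
                talkers[src_host]["ports"].add(dst_port)
            continue
        a = ARP_RE.match(line)
        if a:
            arp[a.group(2)][a.group(1)] += 1   # sender asks for target
    return talkers, arp


def noisy_talkers(talkers, min_ports=5):
    """Sources that hit at least min_ports distinct destination ports via broadcast."""
    return sorted(h for h, t in talkers.items() if len(t["ports"]) >= min_ports)


if __name__ == "__main__":
    talkers, arp = summarize_segment(SAMPLE_DUMP)
    for host, t in sorted(talkers.items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{host:16} {t['packets']:4d} pkts  {len(t['ports'])} ports")
    print("broadcast port sweepers:", noisy_talkers(talkers))
    for sender, targets in arp.items():
        print(f"arp {sender} asked for {dict(targets)}")
```

    Save a capture with something like `tcpdump -n -i eth0 'not port 22' > dump.txt` and run the summariser over the file. A single neighbour hitting many distinct ports on 255.255.255.255 in one burst (the .182 host in the sample) is the kind of thing worth naming to the DC, while the netbios-ns and ssdp chatter from other hosts is the ordinary segment background noise that #9 and #10 describe.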

  6. #6
    Try running 'ifconfig eth0' and see if you're dropping packets or if there are collisions. That would be the first sign of the interface going out.
    | John Edel Jetfire Networks L.L.C. Trusted Hosting Solutions
    | Consistent, Reliable, Stable OpenVZ & KVM Virtual Private Servers
    | SpamWall AV & Full SMTP Filtering
    Now an SSLStore Titanium Partner!

  7. #7
    Code:
    inet6 addr: fe80::226:18ff:fe7d:f67c/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:13418638 errors:0 dropped:0 overruns:0 frame:0
    TX packets:10328690 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:2592209888 (2.4 GiB) TX bytes:2051053252 (1.9 GiB)
    Interrupt:248 Base address:0xc000

  8. #8
    Do me a favor, if you can? Post the output of /etc/hosts and /etc/sysconfig/network as well as 'ifconfig lo' (omitting your host/domain here if you wish) just so we can take a peek. The 127.0.0.X sort of threw me for a loop.

  9. #9
    Those are broadcasts from outside of your network, or possibly servers within the network have those IPs bound to their interfaces. Either way, don't worry about them too much.

    As far as your problems go, I would run a constant ping to your box and see if you have drops at specific times. If you throw a decent iptables rule or iptables-based software firewall on your system, it should filter these out for you.
    Dan Sheppard ~ Freelance whatever

  10. #10
    Just some broadcasts and expected traffic, if your server is in the same network segment as other servers.

    As for your problems, I would start 24/7 monitoring of that server (both internal and external); you can use Zabbix for this (www.zabbix.org).
    Last edited by soulhunter; 11-04-2009 at 11:30 PM. Reason: ate a word :(

  11. #11
    Quote Originally Posted by nwtg:
    Do me a favor, if you can? Post the output of /etc/hosts and /etc/sysconfig/network as well as 'ifconfig lo' (omitting your host/domain here if you wish) just so we can take a peek. The 127.0.0.X sort of threw me for a loop.

    Code:
    127.0.0.1 localhost 
    202.72.202.200 gandalf.domain.gr gandalf earth.domain.gr earth 202-72-202-200.local 202-72-202-200
    (The IP is not the real one.)

    Code:
    NETWORKING=yes
    HOSTNAME=gandalf.domain.gr
    DOMAINNAME=domain.gr

    Code:
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:497082 errors:0 dropped:0 overruns:0 frame:0
              TX packets:497082 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:402212623 (383.5 MiB)  TX bytes:402212623 (383.5 MiB)

    I also noticed that in cPanel, when I try to add a hostname, it gives me this:

    Code:
    Hostname Changed to: gandalf.domain.gr 
    Updating Apache configuration 
    Updating cPanel license...Done. Update succeeded. 

    Traceback (most recent call last): 
    File "/usr/local/cpanel/bin/reset_mailman_hostname", line 16, in ? 
    import paths 
    ImportError: No module named paths
    Is that common?
    Last edited by adamsgr; 11-05-2009 at 09:36 AM.
