Cybersecurity forum

Apache server trying to connect with unknown ip:80

Post 302567727 by Eotnak on Monday 24th of October 2011 09:33:19 PM

OK, so I've been learning my way through Fedora trying to progress to LFS and FreeBSD. I have a Fedora 14 machine running Apache 2.2.17, and about 2 days ago, I came across the server and saw a black screen blazing through text so fast I couldn't read it. I didn't know if it was a crash or I'd been compromised, so I pulled the ethernet cable and hit the reset button. Upon restarting I was greeted with:

Inodes that were part of a corrupted orphan linked list found

/dev/mapper/vg_192-lv_root: UNEXPECTED INCONSISTENCY; RUN fsck manually (i.e., without -a or -p options)

I ran fsck and selected y for about 15 to 30 error fixes. I would have written them down, but I'd been planning on rebuilding this box. Now, however, I'd like to know the cause of this problem, so I've been googling access log messages, syslog messages, etc. Just now I stuck in some external firewall (router) rules that only allow traffic between the Apache box and 3 IP addresses that I use (home and work), and I found the following (edited) in the firewall log:

Oct 24 19:58:07 2011 TCP 192.168.1.xx:60664->204.141.87.16:80 on ixp0 [repeated 6 times, last time on Oct 24 19:59:40 2011]
Oct 24 19:54:57 2011 TCP 192.168.1.xx:47455->204.141.87.11:80 on ixp0 [repeated 6 times, last time on Oct 24 19:56:31 2011]
Oct 24 19:54:06 2011 TCP 192.168.1.xx:47454->204.141.87.11:80 on ixp0 [repeated 5 times, last time on Oct 24 19:54:52 2011]
Oct 24 19:50:57 2011 TCP 192.168.1.xx:60661->204.141.87.16:80 on ixp0 [repeated 6 times, last time on Oct 24 19:52:30 2011]
Oct 24 19:48:57 2011 TCP 192.168.1.xx:60660->204.141.87.16:80 on ixp0 [repeated 6 times, last time on Oct 24 19:50:30 2011]
Oct 24 19:47:57 2011 TCP 192.168.1.xx:60659->204.141.87.16:80 on ixp0 [repeated 5 times, last time on Oct 24 19:48:42 2011]
Oct 24 19:47:27 2011 TCP 192.168.1.xx:60658->204.141.87.16:80 on ixp0 [repeated 4 times, last time on Oct 24 19:47:48 2011]
Oct 24 19:45:47 2011 TCP 192.168.1.xx:60657->204.141.87.16:80 on ixp0 [repeated 6 times, last time on Oct 24 19:47:20 2011]

They were blocked and logged. It's a US company... I don't know why my server is attempting to contact these IPs.

Some other info. The server had been up and running with phpBB 3.0.9 (no registered users other than myself) for about 4 months. I looked over the inactive users list and filtered all of the IP blocks of those users (Russia and Ukraine) in the firewall about 2 nights before this happened. Running vsftp 2.3.4 with 2 users; one user's home directory was the root of one of the virtual hosts, and the other's was /home/user. Both could log in locally and move up outside their home directories. I was in the middle of figuring out how to lock down the one user (vhost home dir) and was going to remove FTP access for the other, but I forgot to.

I know I was littered with security holes, and plan on addressing them before the new one goes online. I still have this one running as described, but don't plan on unleashing it. I would like to find out if it has been broken into or not before I start over. Anyone have any idea where to check, or why it's trying to connect to those 2 ip addresses?

Thank you for your time and for sharing your priceless knowledge.

---------- Post updated at 09:33 PM ---------- Previous update was at 09:26 PM ----------

Some more firewall security log:

Oct 24 21:28:55 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:52906->128.63.2.53:53 on ixp0
Oct 24 21:28:56 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:50508->192.228.79.201:53 on ixp0
Oct 24 21:28:56 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:29322->192.203.230.10:53 on ixp0
Oct 24 21:28:56 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:44569->192.203.230.10:53 on ixp0
Oct 24 21:28:56 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:5220->192.228.79.201:53 on ixp0
Oct 24 21:28:56 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:14340->128.8.10.90:53 on ixp0
Oct 24 21:28:56 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:44225->192.112.36.4:53 on ixp0
Oct 24 21:28:56 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:63708->192.36.148.17:53 on ixp0
Oct 24 21:28:57 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:37912->192.203.230.10:53 on ixp0
Oct 24 21:28:57 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:25084->192.112.36.4:53 on ixp0
Oct 24 21:28:57 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:8359->192.112.36.4:53 on ixp0
Oct 24 21:28:57 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:32749->192.112.36.4:53 on ixp0
Oct 24 21:28:57 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:5118->192.203.230.10:53 on ixp0
Oct 24 21:28:57 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:39603->199.7.83.42:53 on ixp0
Oct 24 21:28:58 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:18159->202.12.27.33:53 on ixp0
Oct 24 21:28:58 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:14484->128.8.10.90:53 on ixp0
Oct 24 21:28:58 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:2248->193.0.14.129:53 on ixp0
Oct 24 21:28:58 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:64654->193.0.14.129:53 on ixp0
Oct 24 21:28:58 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:51058->193.0.14.129:53 on ixp0
Oct 24 21:28:58 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:8535->193.0.14.129:53 on ixp0
Oct 24 21:28:58 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:60558->193.0.14.129:53 on ixp0
Oct 24 21:28:58 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:38959->193.0.14.129:53 on ixp0
Oct 24 21:28:59 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:28654->192.36.148.17:53 on ixp0
Oct 24 21:28:59 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:54992->192.5.5.241:53 on ixp0
Oct 24 21:28:59 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:62956->198.41.0.4:53 on ixp0
Oct 24 21:28:59 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:41303->128.63.2.53:53 on ixp0
Oct 24 21:28:59 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:31276->192.5.5.241:53 on ixp0
Oct 24 21:28:59 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:14432->199.7.83.42:53 on ixp0
Oct 24 21:28:59 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:3762->192.5.5.241:53 on ixp0
Oct 24 21:29:00 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:63866->128.63.2.53:53 on ixp0
Oct 24 21:29:00 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:1180->192.33.4.12:53 on ixp0
Oct 24 21:29:01 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:25832->128.63.2.53:53 on ixp0
Oct 24 21:29:01 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:62628->199.7.83.42:53 on ixp0
Oct 24 21:29:01 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:34998->192.36.148.17:53 on ixp0
Oct 24 21:29:01 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:53695->198.41.0.4:53 on ixp0
Oct 24 21:29:01 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:49673->192.58.128.30:53 on ixp0
Oct 24 21:29:01 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:8749->202.12.27.33:53 on ixp0
Oct 24 21:29:01 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:28551->128.8.10.90:53 on ixp0
Oct 24 21:29:02 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:21114->192.203.230.10:53 on ixp0
Oct 24 21:29:02 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:29879->193.0.14.129:53 on ixp0
Oct 24 21:29:02 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:4627->192.5.5.241:53 on ixp0
Oct 24 21:29:02 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:31509->192.58.128.30:53 on ixp0
Oct 24 21:29:03 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:49220->202.12.27.33:53 on ixp0
Oct 24 21:29:03 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:3657->192.33.4.12:53 on ixp0
Oct 24 21:29:03 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:44276->192.58.128.30:53 on ixp0
Oct 24 21:29:03 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:14984->192.5.5.241:53 on ixp0
Oct 24 21:29:03 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:16620->192.228.79.201:53 on ixp0
Oct 24 21:29:04 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:43240->192.58.128.30:53 on ixp0
Oct 24 21:29:04 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:48719->202.12.27.33:53 on ixp0
Oct 24 21:29:04 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:52690->198.41.0.4:53 on ixp0
Oct 24 21:29:04 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:7414->128.8.10.90:53 on ixp0
Oct 24 21:29:04 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:16525->192.228.79.201:53 on ixp0
Oct 24 21:29:04 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:4261->199.7.83.42:53 on ixp0
Oct 24 21:29:05 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:27184->192.203.230.10:53 on ixp0
Oct 24 21:29:05 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:44511->192.112.36.4:53 on ixp0
Oct 24 21:29:06 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:4327->199.7.83.42:53 on ixp0
Oct 24 21:29:08 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:16148->193.0.14.129:53 on ixp0
Oct 24 21:29:09 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:40769->128.63.2.53:53 on ixp0
Oct 24 21:29:11 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:38067->202.12.27.33:53 on ixp0
Oct 24 21:29:12 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:64440->192.5.5.241:53 on ixp0
Oct 24 21:29:14 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:52151->192.58.128.30:53 on ixp0
Oct 24 21:29:15 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:6116->198.41.0.4:53 on ixp0
Oct 24 21:29:17 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:9749->193.0.14.129:53 on ixp0
Oct 24 21:29:19 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:12706->192.58.128.30:53 on ixp0
Oct 24 21:29:21 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:65001->192.5.5.241:53 on ixp0
Oct 24 21:29:23 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:30482->128.63.2.53:53 on ixp0
Oct 24 21:29:25 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:40425->202.12.27.33:53 on ixp0
Oct 24 21:29:27 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:14780->198.41.0.4:53 on ixp0
Oct 24 21:29:58 2011 Outbound Traffic Blocked - Advanced Filter Rule TCP 192.168.1.xx:47461->204.141.87.11:80 on ixp0
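As an added example (not from the original post or its author) of how to make sense of the two log dumps above, the script below parses both line layouts the router emits, totals the blocked flows per destination, and tags each UDP/53 target against a table of the IPv4 addresses of the thirteen DNS root servers as they stood in October 2011. Every 53/udp destination in the second dump is on that table, which is the pattern a recursive resolver on the box (a local named/dnsmasq style caching server) produces when its only remaining path is to ask the roots directly. Assumptions: the root-server table is point-in-time (several addresses, B and D among them, have changed since, so refresh it from the IANA root hints before reusing it); the `[repeated N times]` suffix is treated as N hits, which the post does not confirm; the 204.141.87.x addresses are left unclassified beyond their port, since the post does not say what they are; and the sample lines are a handful copied from the post so the script runs offline.

```python
"""Summarise blocked outbound flows from the router log format shown above.

Added example, not code from the original post. It handles the two line
layouts the post shows and counts "[repeated N times ...]" as N hits.
"""
import re
from collections import Counter

# Sample input: a few lines copied from the post, embedded so this runs offline.
SAMPLE_LOG = """\
Oct 24 19:58:07 2011 TCP 192.168.1.xx:60664->204.141.87.16:80 on ixp0 [repeated 6 times, last time on Oct 24 19:59:40 2011]
Oct 24 19:54:57 2011 TCP 192.168.1.xx:47455->204.141.87.11:80 on ixp0 [repeated 6 times, last time on Oct 24 19:56:31 2011]
Oct 24 21:28:55 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:52906->128.63.2.53:53 on ixp0
Oct 24 21:28:56 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:50508->192.228.79.201:53 on ixp0
Oct 24 21:28:58 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:2248->193.0.14.129:53 on ixp0
Oct 24 21:28:59 2011 Outbound Traffic Blocked - Advanced Filter Rule UDP 192.168.1.xx:62956->198.41.0.4:53 on ixp0
Oct 24 21:29:58 2011 Outbound Traffic Blocked - Advanced Filter Rule TCP 192.168.1.xx:47461->204.141.87.11:80 on ixp0
"""

# IPv4 addresses of the thirteen DNS root servers as published in October 2011.
# Assumption: this is a point-in-time table. B and D root (and others) have moved
# since, so refresh it from the IANA root hints before relying on it today.
ROOT_SERVERS_2011 = {
    "198.41.0.4": "a.root-servers.net",
    "192.228.79.201": "b.root-servers.net",
    "192.33.4.12": "c.root-servers.net",
    "128.8.10.90": "d.root-servers.net",
    "192.203.230.10": "e.root-servers.net",
    "192.5.5.241": "f.root-servers.net",
    "192.112.36.4": "g.root-servers.net",
    "128.63.2.53": "h.root-servers.net",
    "192.36.148.17": "i.root-servers.net",
    "192.58.128.30": "j.root-servers.net",
    "193.0.14.129": "k.root-servers.net",
    "199.7.83.42": "l.root-servers.net",
    "202.12.27.33": "m.root-servers.net",
}

# One pattern for both layouts: the rule text between the timestamp and the
# protocol is optional, and so is the trailing "[repeated N times" suffix.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?:.*?)"
    r"(?P<proto>TCP|UDP) "
    r"(?P<src>[0-9x.]+):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"on (?P<iface>\S+)"
    r"(?: \[repeated (?P<repeat>\d+) times)?"
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not a flow record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "proto": m.group("proto"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "count": int(m.group("repeat") or 1),  # assumption: N repeats == N hits
    }


def classify(proto, dst, dport):
    """Label a destination; anything not recognised is left for the analyst."""
    if proto == "UDP" and dport == 53 and dst in ROOT_SERVERS_2011:
        return "dns root server (" + ROOT_SERVERS_2011[dst] + ")"
    if dport == 53:
        return "dns (non-root): check /etc/resolv.conf and any local named/dnsmasq"
    if proto == "TCP" and dport in (80, 443):
        return "http(s): whois the address, then find the owning process with netstat -tnp or lsof -i"
    return "unclassified"


def summarize(log_text):
    """Aggregate blocked flows per (proto, dst, dport), honouring repeat counts."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            totals[(rec["proto"], rec["dst"], rec["dport"])] += rec["count"]
    return [
        (proto, dst, dport, n, classify(proto, dst, dport))
        for (proto, dst, dport), n in totals.most_common()
    ]


def dns_destinations_all_root(log_text):
    """True when every blocked UDP/53 destination is a 2011 root server."""
    dns = [r for r in summarize(log_text) if r[0] == "UDP" and r[2] == 53]
    return bool(dns) and all(r[1] in ROOT_SERVERS_2011 for r in dns)


if __name__ == "__main__":
    for proto, dst, dport, n, label in summarize(SAMPLE_LOG):
        print(f"{proto:3} {dst:>15}:{dport:<3} x{n:<3} {label}")
```

Run it against the full dump (`summarize(open("firewall.log").read())`) rather than the sample: if every 53/udp row comes back tagged as a root server and nothing else on port 53 appears, the DNS noise is the resolver, and the investigation narrows to the two TCP/80 destinations and whichever local process owns those sockets.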
 

Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.