Identifying and Stopping Unwanted Net Traffic

Steve Phillips steve.phillips at gmail.com
Thu Jun 25 02:28:06 UTC 2009


On Thu, Jun 25, 2009 at 8:40 AM, Krautkramer, John <John.Krautkramer at micrel.com> wrote:

> Hi,
>
> Yes, you are correct in that I am running a web server. I just caught the
> machine acting up again and this is what "netstat -tpn" gives me:
>
> newdelli 69: netstat -tpn
> (Not all processes could be identified, non-owned process info
>  will not be shown, you would have to be root to see it all.)
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
> tcp        0      0 192.168.1.41:46541          85.17.35.51:80              ESTABLISHED 3075/firefox-bin
> tcp        0 129720 192.168.1.41:8080           65.218.208.2:54343          ESTABLISHED -
> tcp        0  37856 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49754  ESTABLISHED -
> tcp        0  25688 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49752  ESTABLISHED -
> tcp        0  31096 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49758  ESTABLISHED -
> tcp        0  14872 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49756  ESTABLISHED -
> tcp        0  27040 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49746  ESTABLISHED -
> tcp        0  35152 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49744  ESTABLISHED -
> tcp        0  20280 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49750  ESTABLISHED -
> tcp        0    784 ::ffff:192.168.1.41:22      ::ffff:65.218.208.2:21290   ESTABLISHED -
> tcp        0  17576 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49768  ESTABLISHED -
> tcp        0  24336 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49762  ESTABLISHED -
> tcp        0  18928 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49760  ESTABLISHED -
> tcp        0  27040 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49766  ESTABLISHED -
> tcp        0  22984 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49764  ESTABLISHED -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3112  TIME_WAIT   -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3107  TIME_WAIT   -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3097  TIME_WAIT   -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3102  TIME_WAIT   -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3088  TIME_WAIT   -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3093  TIME_WAIT   -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3082  TIME_WAIT   -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3073  TIME_WAIT   -
> tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3078  TIME_WAIT   -
>
> The only program listed is firefox which I know is running on the
> machine at the moment. The rest doesn't show any program. Does this mean
> those connections were initiated from outside of the box? If that's the
> case, then I need to find what these outside machines are getting to and
> block it somehow.


If you are running a web server then it is probably safe to assume that
these connections are being initiated from outside and connecting back into
your web server on port 80. Netstat does not tend to show which side did the
initiating, but rather, the current connection list. It also doesn't say what
is so popular on your web server that is causing these people to connect.
For that you would need to look at your apache logs (or the logs for the web
server you run if it's not apache) and try and find out what people are
finding so interesting.

An easy way to do this would be something similar:

# netstat -an <-- find an IP address connecting to the web server
.
tcp        0  24336 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49762  ESTABLISHED -
.
etc

# cd /path/to/webserver/logs
# grep "76.67.226.234" access_log
76.67.226.234 - - [24/Jun/2009:20:06:09 -0500] "GET /reallybigiso.iso HTTP/1.1" 200 1000000000

This will tell you that there is someone transferring a file called
reallybigiso.iso from your webroot.

based on this, you might find a pattern (someone might have found a pretty
picture they like and linked it to 398274987324 myspace sites) and then you
can decide what to do from there.


>
> As pointed out above, the port through which the connections are made is
> 80. I don't know what I would do to eliminate this since I need port 80
> for my web server to function.
>
> The IP addresses causing the problem have again changed.


If it's people randomly visiting your web server then this is entirely
expected behaviour.

-- 
Steve.
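
As an added example, not part of this thread: a small POSIX shell script that automates the netstat-then-grep procedure Steve describes, ranking the foreign IPs holding established connections to port 80 and summarising the paths and bytes each one fetched from an Apache-style access log. The netstat rows and log lines are constructed samples modelled on the ones in the thread, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: automate "find the IP in netstat, then
# grep it in the access log". Names and sample data below are constructed.

# Constructed netstat -tpn rows modelled on the ones posted in the thread.
NETSTAT_SAMPLE='tcp        0  37856 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49754  ESTABLISHED -
tcp        0  25688 ::ffff:192.168.1.41:80      ::ffff:76.67.226.234:49752  ESTABLISHED -
tcp        0      0 ::ffff:192.168.1.41:80      ::ffff:212.200.38.150:3112  TIME_WAIT   -
tcp        0    784 ::ffff:192.168.1.41:22      ::ffff:65.218.208.2:21290   ESTABLISHED -'

# Constructed Apache common-log lines (field 7 = path, field 10 = bytes sent).
ACCESS_LOG_SAMPLE='76.67.226.234 - - [24/Jun/2009:20:06:09 -0500] "GET /reallybigiso.iso HTTP/1.1" 200 1000000000
76.67.226.234 - - [24/Jun/2009:20:06:10 -0500] "GET /reallybigiso.iso HTTP/1.1" 206 524288000
212.200.38.150 - - [24/Jun/2009:20:07:01 -0500] "GET /index.html HTTP/1.1" 200 4096'

# Print "count ip", busiest first, for foreign IPs holding ESTABLISHED
# connections to local port 80. TIME_WAIT rows and other ports are skipped;
# the ::ffff: IPv4-mapped prefix and the remote port are stripped.
top_web_clients() {
    printf '%s\n' "$1" |
    awk '$6 == "ESTABLISHED" && $4 ~ /:80$/ {
             ip = $5; sub(/^::ffff:/, "", ip); sub(/:[0-9]+$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# Print "path requests bytes" for one client IP, largest transfer first, so
# a single huge download (the reallybigiso.iso case) stands out immediately.
client_summary() {
    printf '%s\n' "$2" |
    awk -v ip="$1" '$1 == ip { reqs[$7]++; bytes[$7] += $10 }
         END { for (p in reqs) printf "%s %d %.0f\n", p, reqs[p], bytes[p] }' |
    sort -k3 -rn
}

# Report: replace the samples with "$(netstat -tpn)" and "$(cat access_log)".
top_web_clients "$NETSTAT_SAMPLE" | while read -r count ip; do
    echo "== $ip: $count established connection(s) to :80 =="
    client_summary "$ip" "$ACCESS_LOG_SAMPLE"
done
```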



More information about the redhat-list mailing list