02-18-2008 #1
Strange portscan activity
Hello,
a few days ago I detected my site is over-loaded (too many mysql connections).
Checking netstat I discovered something strange: like there were a lot of incoming connections from localhost:80 to localhost:... (sequential ports), like the following (xxx.xxx.xxx.xxx stands for server's own IP):
netstat -an --inet | grep :80
tcp 0 0 xxx.xxx.xxx.xxx:52367 xxx.xxx.xxx.xxx:80 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:52363 xxx.xxx.xxx.xxx:80 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:52358 xxx.xxx.xxx.xxx:80 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:52352 xxx.xxx.xxx.xxx:80 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:52355 xxx.xxx.xxx.xxx:80 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:52411 xxx.xxx.xxx.xxx:80 TIME_WAIT
It is pretty strange -- I am behind a double firewall (provider's and iptables), and anyway, there is no possibility to originate a "connection" from xxx.xxx.xxx.xxx:80, since this is a privileged port already taken by Apache.
This strange activity was only short-lived, so there were no traces of it in `sar` reporting, for example.
I'd like to know about this strange behaviour better, to be able to prevent further attacks.
Has anybody encountered such an activity?


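Added example, not part of the original post: a shell/awk function that groups the port-80 sockets in `netstat -an --inet` output by which end owns port 80 (column 4 is the local address, column 5 the foreign address) and by whether the peer is the host itself. The addresses 192.0.2.10 and 198.51.100.7, the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Columns of `netstat -an --inet`:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State

summarise_port80() {
    # stdin:  netstat lines
    # stdout: "<role> <peer> <state> <count>", sorted
    #   role = server : local port is 80 (this host accepted the connection)
    #   role = client : foreign port is 80 (this host connected out to :80)
    #   peer = self   : both ends carry the same IP address
    awk '
    $1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
        nl = split($4, l, ":"); nf = split($5, f, ":")
        lport = l[nl]; fport = f[nf]
        lip = substr($4, 1, length($4) - length(lport) - 1)
        fip = substr($5, 1, length($5) - length(fport) - 1)
        if (lport == "80")      role = "server"
        else if (fport == "80") role = "client"
        else next
        peer = (lip == fip) ? "self" : fip
        n[role " " peer " " $6]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample: 192.0.2.10 stands in for the server's own IP.
sample_netstat() {
cat <<'EOF'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:52367 192.0.2.10:80 TIME_WAIT
tcp 0 0 192.0.2.10:52363 192.0.2.10:80 TIME_WAIT
tcp 0 0 192.0.2.10:52358 192.0.2.10:80 TIME_WAIT
tcp 0 0 192.0.2.10:52352 192.0.2.10:80 TIME_WAIT
tcp 0 0 192.0.2.10:80 198.51.100.7:40112 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:40113 ESTABLISHED
tcp 0 0 192.0.2.10:22 198.51.100.7:51000 ESTABLISHED
EOF
}

# Live use: netstat -an --inet | summarise_port80
sample_netstat | summarise_port80
```

A large "client self" count means the sockets were opened by a process on the server itself towards its own port 80; TIME_WAIT is the state kept by the end that closed the connection first.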
