Results 1 to 1 of 1
Thread: Strange portscan activity
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- Feb 2008
Strange portscan activity
a few days ago I detected my site is over-loaded (too many mysql connections).
Checking netstat I discovered something strange: like there were a lot of incoming connections from localhost:80 to localhost:... (sequential ports), like the following (xxx.xxx.xxx.xxx stands for server's own IP):
netstat -an --inet | grep :80
tcp 0 0 xxx.xxx.xxx.xxx:52367 xxx.xxx.xxx.xxx:80 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:52363 xxx.xxx.xxx.xxx:80 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:52358 xxx.xxx.xxx.xxx:80 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:52352 xxx.xxx.xxx.xxx:80 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:52355 xxx.xxx.xxx.xxx:80 TIME_WAIT
tcp 0 0 xxx.xxx.xxx.xxx:52411 xxx.xxx.xxx.xxx:80 TIME_WAIT
It is pretty strange -- I am behind double firewall (provider's and iptables), and anyway, there is no possibility to originate a "connection" from xxx.xxx.xxx.xxx:80, since this is a privlieged port already taken by Apache.
This strange activity was only a short-timed, so there were no traces of it in `sar´ reporting, for example.
I'd like to know about this strange behaviour better, to be able to prevent further attacks.
Has anybody encountered such an activity?