Hi,
I have a big problem that brings my web server down, and that is 200-300 connections from inside the server. It takes all the memory and the CPU. Taking a netstat, it shows 200-300 like this (same IP on both sides):

    cp 0 0 213.225.xx.xx:3923 213.225.xx.xx:80 ESTABLISHED 7219/httpd
    tcp 0 0 213.225.xx.xx:80 213.225.xx.xx:3922 ESTABLISHED 7219/httpd
    tcp 0 0 213.225.xx.xx:3922 213.225.xx.xx:80 ESTABLISHED 7218/httpd
    tcp 0 0 213.225.xx.xx:80 213.225.xx.xx:3921 ESTABLISHED 7218/httpd
    tcp 0 0 213.225.xx.xx:3921 213.225.xx.xx:80 ESTABLISHED 7216/httpd
    tcp 0 0 213.225.xx.xx:80 213.225.xx.xx:3920 ESTABLISHED 7216/httpd
    tcp 0 0 213.225.xx.xx:3920 213.225.xx.xx:80 ESTABLISHED 7214/httpd
    tcp 0 0 213.225.xx.xx:80 213.225.xx.xx:3919 ESTABLISHED 7214/httpd
    tcp 0 0 213.225.xx.xx:3919 213.225.xx.xx:80 ESTABLISHED 7212/httpd

Typing a ps -l "pid" on any of the 2-300 ps shows:

    root# ps -l 7104
    F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
    140 S 15 7104 1 0 60 0 - 3695 do_sel ? 0:00 /usr/sbin/httpd -f /etc/httpd/conf/http

Is there someone who could help me with a way to localize where and who starts these processes? And is there a way to limit the amount of connections made by something like this script or whatever is doing this?

When restarting the server, it only takes a few minutes until there are 200-300 connections like this. I have been forced to shut down the web server on this RaQ until I can find a way to stop this "attack".

Regards
K schantz
euroweb Norway
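Added example, not part of the original post: every same-host connection in a netstat listing like the one above appears twice, once per end, so pairing the two ends by ephemeral port shows which httpd PID opened each connection and which PID accepted it. The sample lines are constructed on the post's column layout (192.0.2.10 and 198.51.100.7 are placeholder addresses), and the function names are this example's own.

```python
# Constructed sample modelled on the netstat listing in the post;
# the last line is an invented external client for contrast.
SAMPLE = """\
tcp 0 0 192.0.2.10:3923 192.0.2.10:80 ESTABLISHED 7219/httpd
tcp 0 0 192.0.2.10:80 192.0.2.10:3922 ESTABLISHED 7219/httpd
tcp 0 0 192.0.2.10:3922 192.0.2.10:80 ESTABLISHED 7218/httpd
tcp 0 0 192.0.2.10:80 192.0.2.10:3921 ESTABLISHED 7218/httpd
tcp 0 0 192.0.2.10:3921 192.0.2.10:80 ESTABLISHED 7216/httpd
tcp 0 0 192.0.2.10:80 198.51.100.7:51514 ESTABLISHED 7216/httpd
"""

def parse(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, pid) per ESTABLISHED line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] != "tcp" or f[5] != "ESTABLISHED" or "/" not in f[6]:
            continue  # skip headers, truncated lines, sockets without a PID
        lip, lport = f[3].rsplit(":", 1)
        rip, rport = f[4].rsplit(":", 1)
        yield lip, int(lport), rip, int(rport), int(f[6].split("/")[0])

def self_requests(text, service_port=80):
    """Return (client_pid, server_pid, ephemeral_port) for same-IP connections."""
    client, server = {}, {}
    for lip, lport, rip, rport, pid in parse(text):
        if lip != rip:
            continue                      # a real remote client, not a self-connection
        if rport == service_port:
            client[lport] = pid           # this socket is the initiating end
        elif lport == service_port:
            server[rport] = pid           # accepting end, keyed by the peer's port
    pairs = ((client[p], server[p], p) for p in client if p in server)
    return sorted(pairs, key=lambda e: e[2])

def chain(edges):
    """Follow client -> server edges from the PID that no other local PID calls."""
    nxt = {c: s for c, s, _ in edges}
    roots = [c for c in nxt if c not in set(nxt.values())]
    if not roots:
        return []
    path, seen = [roots[0]], set()
    while path[-1] in nxt and path[-1] not in seen:   # seen guards against loops
        seen.add(path[-1])
        path.append(nxt[path[-1]])
    return path

if __name__ == "__main__":
    print(self_requests(SAMPLE), chain(self_requests(SAMPLE)))
```

On the sample, the first PID in the chain is the httpd child that is also serving an outside client, and each later PID is the client of the next one.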
