1

Just had a confusing couple of minutes! I was monitoring a screen (GNU screen) running "netstat -a" and I noticed that there was one connection to http (port 80), fine. But when I checked my Apache logs there was nothing! Nor is there anything in any of the other log files I've checked (message, secure; I've watched them all).

My system is running the latest CentOS with all the latest (as of yesterday) patches. The netstat -a output looked as follows (I only noticed TIME_WAITs, never established, new or anything else):

tcp        0      0 ::ffff:internalserverip:http    externaluserip:61215         TIME_WAIT

I've now blocked the IP and it keeps requesting my server (gets SYN_SENT in netstat now), so I guess it is some kind of bot! Do you guys have any idea what it could be and where I can find logs on the requests?!

Thanks!

Armer
  • Well, this was embarrassing! The output in netstat was caused by an internal script which a user did not inform me about. – Armer Dec 05 '12 at 18:09

1 Answer

0

Well, if someone connects to your web server, it doesn't mean that there should be some entry in your logs.

For example, this command will create a connection to your server, but won't put any entry in the logs:

telnet server-ip 80

And if the user just quits from the telnet session, there will be an entry in the netstat output.

Napster_X
  • Oh, my bad, looks like I didn't notice before answering that you already got the reason for your problem :( – Napster_X Dec 05 '12 at 18:48
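One way to check the situation discussed in this thread, as an added example that is not part of the original question or answer: list peers that hold a socket on the local HTTP port in netstat output but have no entry in the access log. The sample netstat and log lines are constructed with documentation addresses, and the log is assumed to be in Apache common/combined format (client address first).

```python
# Added example: correlate `netstat -a` sockets on the local HTTP port with
# access-log clients. All sample data below is constructed, not from the page.
NETSTAT = """\
tcp        0      0 *:http                      *:*                     LISTEN
tcp        0      0 ::ffff:192.0.2.10:http      198.51.100.7:61215      TIME_WAIT
tcp        0      0 ::ffff:192.0.2.10:http      203.0.113.5:40112       ESTABLISHED
tcp        0      0 192.0.2.10:ssh              203.0.113.9:52100       ESTABLISHED
tcp        0      0 192.0.2.10:48022            198.51.100.7:http       SYN_SENT
"""
ACCESS_LOG = """\
203.0.113.5 - - [05/Dec/2012:18:01:12 +0000] "GET / HTTP/1.1" 200 512
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; drop the IPv4-mapped '::ffff:' prefix."""
    addr, _, port = endpoint.rpartition(":")
    if addr.lower().startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    return addr, port

def web_peers(netstat_text, ports=("80", "http")):
    """Return {peer_ip: set(states)} for sockets whose LOCAL port is HTTP."""
    peers = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] == "LISTEN":
            continue
        _, local_port = split_endpoint(f[3])
        remote_addr, _ = split_endpoint(f[4])
        # A socket with a remote port of http (e.g. the SYN_SENT line) is an
        # outbound connection opened by this host, not a client of the server.
        if local_port in ports:
            peers.setdefault(remote_addr, set()).add(f[5])
    return peers

def logged_clients(log_text):
    """Client address is the first field in common/combined log format (assumed)."""
    return {line.split()[0] for line in log_text.splitlines() if line.strip()}

def unlogged_peers(netstat_text, log_text):
    """Peers seen on the HTTP port that never produced an access-log entry."""
    seen = logged_clients(log_text)
    return {ip: st for ip, st in web_peers(netstat_text).items() if ip not in seen}

if __name__ == "__main__":
    for ip, states in sorted(unlogged_peers(NETSTAT, ACCESS_LOG).items()):
        print(ip, ",".join(sorted(states)))
```

On a live host, feed it the text of `netstat -a` (or `netstat -an`) and the access log instead of the constructed samples.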