My server has worked well for about half a year, but a strange thing happened several hours ago.
This server has two IP addresses: 58.17.85.19 and 117.21.178.19.
When I navigate to http://58.17.85.19, nothing is different from before.
But http://117.21.178.19 returns a "302 Object moved" and becomes a "redirect loop".
I did some tests:
($cmd = "wget http://117.21.178.19/?xx=$RANDOM --max-redirect 0 -S --no-cache -O -")
Step by step:
- run $cmd on my PC and my friend's one (we live on two sides of China, far apart) -> got 302
- run $cmd on this server -> got 200 OK (content is correct result of index.php)
- run $cmd on another server in same computer room -> got 200 OK
- telnet from my PC and build an HTTP request (typed by hand) -> got 200 OK
- shut down php-fpm, run $cmd on my PC -> got 302
- run $cmd on server -> 502 Bad Gateway
- shut down nginx, run $cmd on both the server and my PC -> Connection refused.
- create an iptables rule to refuse any connection to 58.17.85.19:80.
- run nc -l 80 -k -vvv on server and run $cmd on my PC
nc shows me that:
Server accepts connection (Connection from [my ip])
My connection closed! (Remove fd xx from list)
wget dumps out response -> got 302
I know that, normally, nc will accept the connection, then dump the HTTP request from the client, and the client will wait for a response. This connection will stay open forever (in fact the client will close the connection because of a timeout), because nc can't give any response.
So...
Where has my request gone?
Who sent a response to the client?
Some virus on my server system?
If so, why doesn't 58.17.85.19 have this error? Or...
Was I attacked by a middleman?
Update:
start nginx at port 8888
run tcpdump -vvv -i p2p1 tcp dst port 8888 on server
wget port 8888 on client
output:
16:17:48.622315 IP (tos 0x0, ttl 52, id 13579, offset 0, flags [DF], proto TCP (6), length 60)
123.150.23.137.34439 > moeapk.com.ddi-tcp-1: Flags [S], cksum 0x480b (correct), seq 2846877521, win 14600, options [mss 1440,sackOK,TS val 1954394 ecr 0,nop,wscale 7], length 0
16:17:48.694546 IP (tos 0x0, ttl 52, id 13580, offset 0, flags [DF], proto TCP (6), length 52)
123.150.23.137.34439 > moeapk.com.ddi-tcp-1: Flags [.], cksum 0x26df (correct), seq 2846877522, ack 2873157145, win 115, options [nop,nop,TS val 1954466 ecr 258074469], length 0
16:17:48.697790 IP (tos 0x0, ttl 52, id 13581, offset 0, flags [DF], proto TCP (6), length 234)
123.150.23.137.34439 > moeapk.com.ddi-tcp-1: Flags [P.], cksum 0x782d (correct), seq 0:182, ack 1, win 115, options [nop,nop,TS val 1954466 ecr 258074469], length 182
16:17:48.837835 IP (tos 0x0, ttl 52, id 13582, offset 0, flags [DF], proto TCP (6), length 52)
123.150.23.137.34439 > moeapk.com.ddi-tcp-1: Flags [.], cksum 0x1f70 (correct), seq 182, ack 1429, win 137, options [nop,nop,TS val 1954613 ecr 258074593], length 0
***repeated 17 times like the previous two lines***
123.150.23.137.34439 > moeapk.com.ddi-tcp-1: Flags [F.], cksum 0xaac6 (correct), seq 182, ack 30617, win 331, options [nop,nop,TS val 1954935 ecr 258074753], length 0
16:17:49.291838 IP (tos 0x0, ttl 52, id 13601, offset 0, flags [DF], proto TCP (6), length 52)
123.150.23.137.34439 > moeapk.com.ddi-tcp-1: Flags [.], cksum 0xa944 (correct), seq 183, ack 30618, win 331, options [nop,nop,TS val 1955065 ecr 258075008], length 0
run tcpdump -vvv -i p2p1 tcp dst port 80 and dst host 117.21.178.19 on server
run $cmd on client
16:16:33.358800 IP (tos 0x0, ttl 52, id 5901, offset 0, flags [DF], proto TCP (6), length 60)
123.150.23.137.39184 > moeapk.com.http: Flags [S], cksum 0x7b22 (correct), seq 3631397718, win 14600, options [mss 1440,sackOK,TS val 1879131 ecr 0,nop,wscale 7], length 0
16:16:33.417812 IP (tos 0x0, ttl 52, id 5902, offset 0, flags [DF], proto TCP (6), length 52)
123.150.23.137.39184 > moeapk.com.http: Flags [.], cksum 0x2556 (correct), seq 3631397719, ack 4273073493, win 115, options [nop,nop,TS val 1879190 ecr 257999206], length 0
16:16:33.421014 IP (tos 0x0, ttl 127, id 54824, offset 0, flags [DF], proto TCP (6), length 40)
123.150.23.137.39184 > moeapk.com.http: Flags [R], cksum 0x886d (correct), seq 3631397719, win 16384, length 0
***no more output. client got 302***
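
An added example, not part of the original post: a check over `tcpdump -vvv` output for packets that claim the same source as the rest of a flow but arrive with a different IP TTL, a common indicator that a packet was injected by a device on the path rather than sent by the client. The function names and the tolerance of 2 hops are assumptions; the sample input is the three packets of the port 80 capture above.

```python
import re
from collections import Counter, defaultdict

# The three packets of the port 80 capture in the post (tcpdump -vvv output).
SAMPLE = """\
16:16:33.358800 IP (tos 0x0, ttl 52, id 5901, offset 0, flags [DF], proto TCP (6), length 60)
123.150.23.137.39184 > moeapk.com.http: Flags [S], cksum 0x7b22 (correct), seq 3631397718, win 14600, options [mss 1440,sackOK,TS val 1879131 ecr 0,nop,wscale 7], length 0
16:16:33.417812 IP (tos 0x0, ttl 52, id 5902, offset 0, flags [DF], proto TCP (6), length 52)
123.150.23.137.39184 > moeapk.com.http: Flags [.], cksum 0x2556 (correct), seq 3631397719, ack 4273073493, win 115, options [nop,nop,TS val 1879190 ecr 257999206], length 0
16:16:33.421014 IP (tos 0x0, ttl 127, id 54824, offset 0, flags [DF], proto TCP (6), length 40)
123.150.23.137.39184 > moeapk.com.http: Flags [R], cksum 0x886d (correct), seq 3631397719, win 16384, length 0
"""

IP_HDR = re.compile(r"^(\S+) IP \(.*?ttl (\d+), id (\d+),")
TCP_LINE = re.compile(r"^\s*(\S+) > (\S+): Flags \[([^\]]*)\]")

def parse(text):
    """Yield one dict per packet from two-line `tcpdump -v` output."""
    hdr = None
    for line in text.splitlines():
        m = IP_HDR.match(line)
        if m:
            hdr = m
            continue
        t = TCP_LINE.match(line)
        if t and hdr:  # a TCP line without its IP header line is skipped
            yield {"time": hdr[1], "ttl": int(hdr[2]), "ip_id": int(hdr[3]),
                   "src": t[1], "dst": t[2], "flags": t[3]}
        hdr = None

def ttl_outliers(text, tolerance=2):
    """Return packets whose TTL differs from their flow's most common TTL."""
    flows = defaultdict(list)
    for pkt in parse(text):
        flows[(pkt["src"], pkt["dst"])].append(pkt)
    findings = []
    for pkts in flows.values():
        # Baseline = the TTL seen most often from this source in this flow.
        baseline = Counter(p["ttl"] for p in pkts).most_common(1)[0][0]
        for p in pkts:
            if abs(p["ttl"] - baseline) > tolerance:
                findings.append({**p, "baseline_ttl": baseline})
    return findings

if __name__ == "__main__":
    for f in ttl_outliers(SAMPLE):
        print(f"{f['time']} {f['src']} flags [{f['flags']}] ttl {f['ttl']} "
              f"(flow baseline {f['baseline_ttl']}), ip id {f['ip_id']}")
```

A TTL mismatch is an indicator, not proof: a route change can shift TTL by a few hops, which is what the tolerance allows for.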