hundreds of php-openid - curl requests in access log

I have a virtual server set up and the access log is full of hundreds of lines like below - 3 or 4 of these coming in per second… (XXX.XXX.XXX.XXX is the IP address of my virtualmin server)

XXX.XXX.XXX.XXX - - [16/Nov/2013:23:11:07 +0000] "GET / HTTP/1.1" 200 21442 "-" "php-openid/2.1.2 (php/5.3.3) curl/7.19.7"

So these requests are coming from my machine. I haven't a clue what's going on; can anyone help explain what the cause of these requests may be and how I can investigate further?

So these requests are coming from your own server and going to your own server?

You might want to use netstat -tpn | grep :80 to see which process is making the connections.

Thank you, Locutus.

Here’s the result of your suggestion; I’m not entirely sure how to interpret it - where is the process identified? - Thanks for your help. (server ip is 82.68.151.12)

tcp 0 0 82.68.151.12:39239 82.68.151.12:80 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:82.68.151.12:39240 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:82.68.151.12:39246 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:66.249.75.114:52124 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:82.68.151.12:39241 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:46.149.94.161:59560 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:46.149.94.161:59552 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:46.149.94.161:59563 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:46.149.94.161:59551 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:82.68.151.12:39245 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:46.149.94.161:59556 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:46.149.94.161:59571 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:82.68.151.12:39239 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:82.68.151.12:39242 TIME_WAIT -

Unfortunately the process ID is not shown for TIME_WAIT connections. You need to repeat the command (possibly quickly) and try to catch the connections while in ESTABLISHED state.
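Added example for this thread (not the original poster's or Virtualmin's code): two small parsers for the investigation being done here. The first summarises an Apache "combined" access log, counting requests whose client address is the server's own address and grouping them by User-Agent; the second picks the client PID/program out of netstat -tpn output for ESTABLISHED connections whose remote end is the server's own port 80, and a wrapper samples netstat repeatedly to catch connections before they drop into TIME_WAIT. The sample log and netstat lines are constructed, and SERVER_IP is an assumed documentation address (192.0.2.10) standing in for the real server IP.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's or Virtualmin's code).
# The sample log and netstat lines below are constructed for illustration;
# SERVER_IP is an assumed documentation address standing in for the real one.

# Count requests whose client address equals the server's own address,
# grouped by User-Agent (the last double-quoted field of a combined log line).
# Usage: self_requests_by_agent SERVER_IP < access_log
self_requests_by_agent() {
    awk -v self="$1" '
        $1 == self {
            n = split($0, q, "\"")   # q[n-1] is the User-Agent string
            count[q[n-1]]++
        }
        END { for (ua in count) printf "%d\t%s\n", count[ua], ua }
    ' | sort -rn
}

# From "netstat -tpn" output, list the PID/program of every ESTABLISHED
# connection whose remote end is SERVER_IP:PORT, i.e. the client side of
# server-to-itself traffic. The "::ffff:" IPv4-mapped prefix is stripped so
# lines from IPv6 sockets match too. Run as root: netstat only shows the PID
# of processes you own, and TIME_WAIT rows never carry a PID.
# Usage: local_clients_of SERVER_IP PORT < netstat_output
local_clients_of() {
    awk -v self="$1" -v port="$2" '
        $6 == "ESTABLISHED" {
            remote = $5; sub(/^::ffff:/, "", remote)
            if (remote == self ":" port && $7 != "-") seen[$7]++
        }
        END { for (p in seen) printf "%d\t%s\n", seen[p], p }
    ' | sort -rn
}

# Live use on the server: sample netstat repeatedly to catch short-lived
# connections while still ESTABLISHED, then print the owner and working
# directory of each client process so the request can be tied to a virtual
# server account. Fractional sleep needs GNU or busybox sleep.
# Usage (as root): watch_local_clients SERVER_IP PORT SAMPLES
watch_local_clients() {
    i=0
    while [ "$i" -lt "$3" ]; do
        netstat -tpn 2>/dev/null | local_clients_of "$1" "$2"
        i=$((i + 1))
        sleep 0.2
    done | cut -f2 | sort -u | while IFS=/ read -r pid prog; do
        printf '%s (%s): user=%s cwd=%s\n' "$pid" "$prog" \
            "$(ps -o user= -p "$pid" 2>/dev/null)" \
            "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    done
}

SERVER_IP=192.0.2.10

# Constructed access-log sample: three self-requests from php-openid plus one
# ordinary browser request from an outside client.
SAMPLE_LOG='192.0.2.10 - - [16/Nov/2013:23:11:07 +0000] "GET / HTTP/1.1" 200 21442 "-" "php-openid/2.1.2 (php/5.3.3) curl/7.19.7"
192.0.2.10 - - [16/Nov/2013:23:11:07 +0000] "GET / HTTP/1.1" 200 21442 "-" "php-openid/2.1.2 (php/5.3.3) curl/7.19.7"
198.51.100.7 - - [16/Nov/2013:23:11:08 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Nov/2013:23:11:08 +0000] "GET / HTTP/1.1" 200 21442 "-" "php-openid/2.1.2 (php/5.3.3) curl/7.19.7"'

# Constructed "netstat -tpn" sample in the shape shown in the thread.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:39474        192.0.2.10:80           ESTABLISHED 21034/php-cgi
tcp        0      0 192.0.2.10:39456        192.0.2.10:80           TIME_WAIT   -
tcp        0      0 192.0.2.10:39475        192.0.2.10:80           ESTABLISHED 18047/php-cgi
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:36668 TIME_WAIT  -
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:192.0.2.10:39475 ESTABLISHED 18171/httpd'

# Demo against the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | self_requests_by_agent "$SERVER_IP"
printf '%s\n' "$SAMPLE_NETSTAT" | local_clients_of "$SERVER_IP" 80
```

On a live server the two parsers are used as "self_requests_by_agent 82.68.151.12 < /var/log/httpd/access_log" and, as root, "watch_local_clients 82.68.151.12 80 50". Only the php-cgi rows come out of the netstat parser: the httpd row is the server side of the same connection, and the TIME_WAIT rows have no PID, which is why the sampling loop is needed. If the server has ss instead of netstat, its column layout differs and the awk field numbers would need adjusting.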

Ahh, now I have:
tcp 0 0 82.68.151.12:39474 82.68.151.12:80 ESTABLISHED 21034/php-cgi
tcp 0 0 82.68.151.12:39456 82.68.151.12:80 TIME_WAIT -
tcp 0 0 82.68.151.12:39453 82.68.151.12:80 TIME_WAIT -
tcp 0 0 82.68.151.12:39475 82.68.151.12:80 ESTABLISHED 18047/php-cgi
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:109.205.249.36:36668 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:82.68.151.12:39467 TIME_WAIT -
tcp 0 0 ::ffff:82.68.151.12:80 ::ffff:82.68.151.12:39475 ESTABLISHED 18171/httpd

So it seems the processes (if I read the above output correctly) are all calls to /usr/bin/php-cgi.

Some of these are from the affected virtual server user, others are from other virtual server users…

Still not sure what to do next…

Thanks for looking at this.

Locutus:
Thanks for help. I followed one process identified above and disabled the server belonging to that user and the requests have stopped.

Glad you figured it out! :slight_smile: And yes, not all of the connections you're seeing would be associated with the problem; it can be other traffic too.

Next step, you might want to ask the server owner what kind of scripts he has on his account, and why they perform that great number of requests you’ve been seeing. It COULD be malware, but it’s more likely just a script running amok.