【Question title】: reading netstat of Ubuntu AWS EC2 instance
【Posted】: 2015-09-29 19:36:59
【Question】:

netstat:

ubuntu@ip-172-31-60-232:/$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    187 ip-172-31-60-232.:51044 unknown.prolexic.c:http ESTABLISHED
tcp        0    187 ip-172-31-60-232.:51045 unknown.prolexic.c:http ESTABLISHED
tcp        0      0 ip-172-31-60-232.ec:ssh rrcs-71-43-133-18:50725 ESTABLISHED
tcp        0    187 ip-172-31-60-232.:51048 unknown.prolexic.c:http ESTABLISHED
tcp        0    187 ip-172-31-60-232.:51046 unknown.prolexic.c:http ESTABLISHED
tcp        0    187 ip-172-31-60-232.:51047 unknown.prolexic.c:http ESTABLISHED
tcp        0    187 ip-172-31-60-232.:51050 unknown.prolexic.c:http ESTABLISHED
tcp        0    187 ip-172-31-60-232.:51049 unknown.prolexic.c:http ESTABLISHED
tcp        0    187 ip-172-31-60-232.:51043 unknown.prolexic.c:http ESTABLISHED
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:45931 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:43103 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:46224 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:51975 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:45529 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:52326 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:46529 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:35851 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:42878 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:44822 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:45080 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:51681 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.199-s:54884 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.8.68.54-stati:53652 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:51548 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.8.68.54-stati:39783 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.199-s:58173 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:45439 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.199-s:55093 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:46086 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:46085 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.199-s:35563 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:45901 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:45727 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.199-s:52116 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.196-s:46065 CLOSE_WAIT
tcp6       0      0 ip-172-31-60-232.e:http 159.122.120.199-s:45937 CLOSE_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    8617     /var/spool/postfix/dev/log
unix  9      [ ]         DGRAM                    8615     /dev/log
unix  3      [ ]         STREAM     CONNECTED     101130   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     101043   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9394
unix  3      [ ]         STREAM     CONNECTED     100999   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9448
unix  3      [ ]         STREAM     CONNECTED     101072   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9409
unix  3      [ ]         STREAM     CONNECTED     100993   /var/run/mysqld/mysqld.sock
unix  2      [ ]         DGRAM                    8862
unix  3      [ ]         STREAM     CONNECTED     101134
unix  3      [ ]         STREAM     CONNECTED     101083
unix  3      [ ]         STREAM     CONNECTED     101054   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9450
unix  3      [ ]         STREAM     CONNECTED     8571
unix  3      [ ]         STREAM     CONNECTED     101000
unix  2      [ ]         DGRAM                    35035
unix  3      [ ]         STREAM     CONNECTED     9436
unix  3      [ ]         STREAM     CONNECTED     101112   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     7997
unix  3      [ ]         STREAM     CONNECTED     9385
unix  3      [ ]         STREAM     CONNECTED     9438
unix  3      [ ]         STREAM     CONNECTED     9387
unix  3      [ ]         STREAM     CONNECTED     101049   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9442
unix  3      [ ]         STREAM     CONNECTED     9414
unix  3      [ ]         STREAM     CONNECTED     13189
unix  3      [ ]         STREAM     CONNECTED     9457
unix  3      [ ]         STREAM     CONNECTED     9453
unix  3      [ ]         STREAM     CONNECTED     9405
unix  3      [ ]         STREAM     CONNECTED     100996
unix  3      [ ]         STREAM     CONNECTED     9444
unix  3      [ ]         STREAM     CONNECTED     9396
unix  3      [ ]         STREAM     CONNECTED     8519
unix  3      [ ]         STREAM     CONNECTED     101117
unix  3      [ ]         DGRAM                    7633
unix  3      [ ]         STREAM     CONNECTED     101001   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9375
unix  3      [ ]         STREAM     CONNECTED     101111
unix  3      [ ]         STREAM     CONNECTED     9412
unix  3      [ ]         STREAM     CONNECTED     9430
unix  3      [ ]         STREAM     CONNECTED     101129
unix  3      [ ]         STREAM     CONNECTED     101045   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9432
unix  3      [ ]         STREAM     CONNECTED     7593     @/com/ubuntu/upstart
unix  3      [ ]         STREAM     CONNECTED     100997   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9415
unix  3      [ ]         STREAM     CONNECTED     100995   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     100986
unix  3      [ ]         STREAM     CONNECTED     13190
unix  3      [ ]         STREAM     CONNECTED     101113
unix  3      [ ]         STREAM     CONNECTED     9374
unix  3      [ ]         STREAM     CONNECTED     101046
unix  3      [ ]         STREAM     CONNECTED     9371
unix  3      [ ]         STREAM     CONNECTED     101115
unix  3      [ ]         STREAM     CONNECTED     8639
unix  3      [ ]         STREAM     CONNECTED     9418
unix  3      [ ]         STREAM     CONNECTED     9370
unix  2      [ ]         DGRAM                    8619
unix  3      [ ]         STREAM     CONNECTED     9420
unix  3      [ ]         STREAM     CONNECTED     101108   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     101071
unix  3      [ ]         STREAM     CONNECTED     101062   /var/run/mysqld/mysqld.sock
unix  3      [ ]         DGRAM                    7634
unix  3      [ ]         STREAM     CONNECTED     101135   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     101119
unix  3      [ ]         STREAM     CONNECTED     9377
unix  3      [ ]         STREAM     CONNECTED     9426
unix  3      [ ]         STREAM     CONNECTED     9424
unix  3      [ ]         STREAM     CONNECTED     101044
unix  3      [ ]         STREAM     CONNECTED     9445
unix  3      [ ]         STREAM     CONNECTED     8567
unix  3      [ ]         STREAM     CONNECTED     9378
unix  3      [ ]         STREAM     CONNECTED     100987   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     101120   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9447
unix  3      [ ]         STREAM     CONNECTED     100994
unix  3      [ ]         STREAM     CONNECTED     9451
unix  3      [ ]         STREAM     CONNECTED     8572     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     101084   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9381
unix  3      [ ]         STREAM     CONNECTED     9403
unix  3      [ ]         STREAM     CONNECTED     101048
unix  3      [ ]         STREAM     CONNECTED     9391
unix  3      [ ]         STREAM     CONNECTED     100998
unix  3      [ ]         STREAM     CONNECTED     101068   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9382
unix  3      [ ]         STREAM     CONNECTED     101078   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     13197    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     8008     @/com/ubuntu/upstart
unix  3      [ ]         STREAM     CONNECTED     100990
unix  3      [ ]         STREAM     CONNECTED     9411
unix  3      [ ]         STREAM     CONNECTED     9384
unix  2      [ ]         DGRAM                    9468
unix  3      [ ]         STREAM     CONNECTED     101109
unix  2      [ ]         DGRAM                    9463
unix  3      [ ]         STREAM     CONNECTED     9439
unix  3      [ ]         STREAM     CONNECTED     8640     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     9406
unix  3      [ ]         STREAM     CONNECTED     100989   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9441
unix  3      [ ]         STREAM     CONNECTED     9400
unix  3      [ ]         STREAM     CONNECTED     8568
unix  3      [ ]         STREAM     CONNECTED     9456
unix  3      [ ]         STREAM     CONNECTED     9388
unix  3      [ ]         STREAM     CONNECTED     9408
unix  3      [ ]         STREAM     CONNECTED     101047   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     101110   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9454
unix  3      [ ]         STREAM     CONNECTED     9390
unix  3      [ ]         STREAM     CONNECTED     9402
unix  3      [ ]         STREAM     CONNECTED     9397
unix  3      [ ]         STREAM     CONNECTED     9367
unix  3      [ ]         STREAM     CONNECTED     101107
unix  3      [ ]         STREAM     CONNECTED     9427
unix  3      [ ]         STREAM     CONNECTED     100988
unix  3      [ ]         STREAM     CONNECTED     101077
unix  3      [ ]         STREAM     CONNECTED     9429
unix  3      [ ]         STREAM     CONNECTED     101114   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     101042
unix  2      [ ]         DGRAM                    12906
unix  3      [ ]         STREAM     CONNECTED     13196
unix  3      [ ]         STREAM     CONNECTED     9435
unix  3      [ ]         STREAM     CONNECTED     9433
unix  3      [ ]         STREAM     CONNECTED     101067
unix  2      [ ]         DGRAM                    9344
unix  3      [ ]         STREAM     CONNECTED     7582
unix  3      [ ]         STREAM     CONNECTED     101118   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9417
unix  3      [ ]         STREAM     CONNECTED     101053
unix  3      [ ]         STREAM     CONNECTED     8545     @/com/ubuntu/upstart
unix  3      [ ]         STREAM     CONNECTED     9421
unix  3      [ ]         STREAM     CONNECTED     9399
unix  3      [ ]         STREAM     CONNECTED     100991   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9393
unix  3      [ ]         STREAM     CONNECTED     101061
unix  3      [ ]         STREAM     CONNECTED     9423
unix  3      [ ]         STREAM     CONNECTED     100992
unix  3      [ ]         STREAM     CONNECTED     101116   /var/run/mysqld/mysqld.sock
unix  3      [ ]         STREAM     CONNECTED     9368
ubuntu@ip-172-31-60-232:/$

I believe someone is attacking my server.

I think the IP 159.122.120.196 is the culprit, but I'm not entirely sure. My server is back up now. This isn't my area of expertise, so any guidance you can give me would be greatly appreciated.

【Question comments】:

  • Don't let netstat resolve addresses for you. You can't know how to interpret those hostnames that look like addresses, since you don't know whether they are correct, and some reverse DNS entries reverse the order of the octets. Use netstat -n instead.

Tags: amazon-ec2 netstat ddos


【Answer 1】:

Tonight I got malicious traffic from the same IP, so much of it that it was spawning apache2 so fast my server's kernel panicked. In my case it was one of three IPs hitting xmlrpc.php on a WordPress site several times per second. I cut the traffic off with iptables and things are working again.

If your question is "Is 159.122.120.199 a bad-actor IP address?", the answer appears to be yes.
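As an added example (not code from the question or from the answer above), the following POSIX shell script does what the comment and the answer describe: it takes numeric `netstat -tn` output, counts connections to the web port per remote IP so the noisiest sources stand out, and prints the iptables DROP rules for them. The sample lines are constructed to mirror the question's output; the port and the "noisy" threshold are assumptions.

```shell
#!/bin/sh
# Added example: summarise numeric netstat output by remote IP and emit
# iptables rules for the busiest sources. Not code from the question/answer.

# Constructed sample of `netstat -tn` (numeric addresses, as the comment
# recommends), modelled on the question's output.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 172.31.60.232:22        71.43.133.18:50725      ESTABLISHED
tcp6       0      0 172.31.60.232:80        159.122.120.196:45931   CLOSE_WAIT
tcp6       0      0 172.31.60.232:80        159.122.120.196:43103   CLOSE_WAIT
tcp6       0      0 172.31.60.232:80        159.122.120.196:46224   CLOSE_WAIT
tcp6       0      0 172.31.60.232:80        159.122.120.199:54884   CLOSE_WAIT
tcp6       0      0 172.31.60.232:80        159.8.68.54:53652       CLOSE_WAIT'

# count_by_remote NETSTAT_TEXT [LOCAL_PORT]
# Prints "<count> <remote ip>" per line, busiest first, for connections whose
# local port is LOCAL_PORT (default 80). Works for tcp and tcp6 rows: the
# remote IP is everything before the last ':' of the Foreign Address column.
count_by_remote() {
    port="${2:-80}"
    printf '%s\n' "$1" | awk -v port="$port" '
        $1 ~ /^tcp/ {
            n = split($4, l, ":"); lport = l[n]
            m = split($5, r, ":")
            rip = substr($5, 1, length($5) - length(r[m]) - 1)
            if (lport == port) c[rip]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# noisy_sources NETSTAT_TEXT [MIN_CONNS] [LOCAL_PORT]
# Remote IPs holding at least MIN_CONNS (default 3, an assumed threshold)
# connections to the port: the candidates worth looking at or blocking.
noisy_sources() {
    count_by_remote "$1" "${3:-80}" | awk -v min="${2:-3}" '$1 >= min { print $2 }'
}

# block_rules NETSTAT_TEXT [MIN_CONNS]
# Prints (does not run) the iptables rule that drops each noisy source, the
# mitigation the answer describes. Review the list before applying as root.
block_rules() {
    for ip in $(noisy_sources "$1" "${2:-3}"); do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

block_rules "$SAMPLE"
```

On a live host, replace the constructed sample with `"$(netstat -tn)"` and pipe the printed rules to `sh` as root only after checking that no legitimate source (your own SSH client, a load balancer) is on the list.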

【Discussion】:
