tcprcvbuf and httpd

[HugoR]

Since yesterday (I had this pb2 weeks ago) I reach a very ennoying pb.
I have a VPS at 1and1.

Strangely, at 5AM, the tcprcvbuf reach itsmax value, and after that the kmemsize also.

If I desactivate allthe website in Parallel, nothing solve.
IfI kill HTTPD, everything comes normal.
Restarting the server does not help.

When I go to var/log/httpd, I do not see problems.

Strangly, the incoming traffic in Virtuozzo raise up since 5AM.

As I have a novice, I can not find a solution to start HTTPD without blocking the server by tcprcvbuf usage and mem size.

I am stuck in a very bad situation, and any help would be appreciated a lot.

Thank you.

 

[IgorG]

Are you sure that this problem related to Plesk but not to Virtuozzo?

 

[HugoR]

Yes.

I found the problem, but I do not know how to solve it.
It seems that the VPS is infected. It connect and accept traffic from somewhere.
It cause too many connexion with HTTPD and raise up the memory and tcp buffer.

It important to say that I desactivate all the domain managed on the VPS, so there is only left the HTTPD service, and there is no cron job.
I see that in the HTTPD log, but I can not find how to solve it. The IP always change.

186.86.232.130 - - [16/Feb/2011:02:15:46 +0100] "POST / HTTP/1.0" 200 6043 "http://rbc.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"
186.86.232.130 - - [16/Feb/2011:02:15:47 +0100] "POST / HTTP/1.0" 200 6043 "http://subscribe.ru" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)"
186.86.232.130 - - [16/Feb/2011:02:15:48 +0100] "POST / HTTP/1.0" 200 6043 "http://yandex.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Nitro) Opera 8.50 [ja]"
186.86.232.130 - - [16/Feb/2011:02:15:48 +0100] "POST / HTTP/1.0" 200 6043 "http://job.ru" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.2.15 Version/10.00"
186.86.232.130 - - [16/Feb/2011:02:15:48 +0100] "POST / HTTP/1.0" 200 6043 "http://mail.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 SeaMonkey/1.0.4"
186.86.232.130 - - [16/Feb/2011:02:15:49 +0100] "POST / HTTP/1.0" 200 6043 "http://lib.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; Nokia 6600/5.27.0; 1665) Opera 8.60 [ru]"
186.86.232.130 - - [16/Feb/2011:02:15:50 +0100] "POST / HTTP/1.0" 200 6043 "http://rambler.ru" "Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050609 Firefox/1.0.4"
186.86.232.130 - - [16/Feb/2011:02:15:50 +0100] "POST / HTTP/1.0" 200 6043 "http://download.ru" "Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.2.15 Version/10.10"
186.86.232.130 - - [16/Feb/2011:02:15:50 +0100] "POST / HTTP/1.0" 200 6043 "http://rol.ru" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070221 SUSE/2.0.0.2-6.1 Firefox/2.0.0.2"
186.86.232.130 - - [16/Feb/2011:02:15:50 +0100] "POST / HTTP/1.0" 200 6043 "http://download.ru" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
186.86.232.130 - - [16/Feb/2011:02:15:51 +0100] "POST / HTTP/1.0" 200 6043 "http://gismeteo.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
186.86.232.130 - - [16/Feb/2011:02:15:51 +0100] "POST / HTTP/1.0" 200 6043 "http://yandex.ru" "Opera/9.23 (Windows NT 5.1; U; ru)"
186.86.232.130 - - [16/Feb/2011:02:15:51 +0100] "POST / HTTP/1.0" 200 6043 "http://fomenko.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 SeaMonkey/1.0.4"
186.86.232.130 - - [16/Feb/2011:02:15:52 +0100] "POST / HTTP/1.0" 200 6043 "http://download.ru" "Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.2.15 Version/10.10"
186.86.232.130 - - [16/Feb/2011:02:15:53 +0100] "POST / HTTP/1.0" 200 6043 "http://yahoo.com" "Mozilla/4.0 (compatible; MSIE 6.0; Nitro) Opera 8.50 [ja]"
186.86.232.130 - - [16/Feb/2011:02:15:53 +0100] "POST / HTTP/1.0" 200 6043 "http://google.com" "Opera/10.00 (Windows NT 6.0; U; en) Presto/2.2.0"
186.86.232.130 - - [16/Feb/2011:02:15:53 +0100] "POST / HTTP/1.0" 200 6043 "http://job.ru" "Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.50"
186.86.232.130 - - [16/Feb/2011:02:15:54 +0100] "POST / HTTP/1.0" 200 6043 "http://altavista.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8) Gecko/20051107 Firefox/1.5"
186.86.232.130 - - [16/Feb/2011:02:15:54 +0100] "POST / HTTP/1.0" 200 6043 "http://lenta.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 (.NET CLR 3.5.30729)"
186.86.232.130 - - [16/Feb/2011:02:15:55 +0100] "POST / HTTP/1.0" 200 6043 "http://fomenko.ru" "Opera/9.0 (Windows NT 5.1; U; en)"
186.86.232.130 - - [16/Feb/2011:02:15:55 +0100] "POST / HTTP/1.0" 200 6043 "http://mail.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; Nokia 6600/5.27.0; 6329) Opera 8.00 [ru]"
186.86.232.130 - - [16/Feb/2011:02:15:56 +0100] "POST / HTTP/1.0" 200 6043 "http://job.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
186.86.232.130 - - [16/Feb/2011:02:15:56 +0100] "POST / HTTP/1.0" 200 6043 "http://mail.com" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)"
186.86.232.130 - - [16/Feb/2011:02:15:57 +0100] "POST / HTTP/1.0" 200 6043 "http://altavista.com" "Mozilla/4.0 (compatible; MSIE 6.0; ; Linux armv5tejl; U) Opera 8.02 [en_US] Maemo browser 0.4.31 N770/SU-18"
186.86.232.130 - - [16/Feb/2011:02:15:58 +0100] "POST / HTTP/1.0" 200 6043 "http://rambler.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Nitro) Opera 8.50 [en]"
186.86.232.130 - - [16/Feb/2011:02:15:58 +0100] "POST / HTTP/1.0" 200 6043 "http://subscribe.ru" "Mozilla/5.0 (X11; U; Linux x86_64; ru; rv:1.9.1.1) Gecko/20090730 Gentoo Firefox/3.5.1"
186.86.232.130 - - [16/Feb/2011:02:15:58 +0100] "POST / HTTP/1.0" 200 6043 "http://yandex.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Nitro) Opera 8.50 [it]"
186.86.232.130 - - [16/Feb/2011:02:15:59 +0100] "POST / HTTP/1.0" 200 6043 "http://rambler.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.4.154.25 Safari/525.19"
127.0.0.1 - - [16/Feb/2011:02:16:00 +0100] "GET / HTTP/1.0" 403 5043 "-" "Apache (internal dummy connection)"
186.86.232.130 - - [16/Feb/2011:02:16:00 +0100] "POST / HTTP/1.0" 200 6043 "http://referat.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Nitro) Opera 8.50 [es-es]"
186.86.232.130 - - [16/Feb/2011:02:16:00 +0100] "POST / HTTP/1.0" 200 6043 "http://rambler.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0"
186.86.232.130 - - [16/Feb/2011:02:16:00 +0100] "POST / HTTP/1.0" 200 6043 "http://mail.com" "Mozilla/4.0 (compatible; MSIE 6.0; Nitro) Opera 8.50 [de]"
186.86.232.130 - - [16/Feb/2011:02:16:01 +0100] "POST / HTTP/1.0" 200 6043 "http://gismeteo.ru" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
186.86.232.130 - - [16/Feb/2011:02:16:01 +0100] "POST / HTTP/1.0" 200 6043 "http://rbc.ru" "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9a1) Gecko/20061204 GranParadiso/3.0a1"
186.86.232.130 - - [16/Feb/2011:02:16:01 +0100] "POST / HTTP/1.0" 200 6043 "http://lenta.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; Nokia 6600/5.27.0; 9399) Opera 8.65 [ru]"
186.86.232.130 - - [16/Feb/2011:02:16:02 +0100] "POST / HTTP/1.0" 200 6043 "http://fomenko.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; Nokia 6600/5.27.0; 1657) Opera 8.60 [ru]"
127.0.0.1 - - [16/Feb/2011:02:16:03 +0100] "GET / HTTP/1.0" 403 5043 "-" "Apache (internal dummy connection)"
186.86.232.130 - - [16/Feb/2011:02:16:02 +0100] "POST / HTTP/1.0" 200 6043 "http://mail.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
186.86.232.130 - - [16/Feb/2011:02:16:03 +0100] "POST / HTTP/1.0" 200 6043 "http://subscribe.ru" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)"
186.86.232.130 - - [16/Feb/2011:02:16:03 +0100] "POST / HTTP/1.0" 200 6043 "http://subscribe.ru" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
127.0.0.1 - - [16/Feb/2011:02:16:05 +0100] "GET / HTTP/1.0" 403 5043 "-" "Apache (internal dummy connection)"
186.86.232.130 - - [16/Feb/2011:02:16:05 +0100] "POST / HTTP/1.0" 200 6043 "http://referat.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8) Gecko/20051107 Firefox/1.5"
186.86.232.130 - - [16/Feb/2011:02:16:05 +0100] "POST / HTTP/1.0" 200 6043 "http://rol.ru" "Opera/9.23 (Windows NT 5.1; U; ru)"
186.86.232.130 - - [16/Feb/2011:02:16:06 +0100] "POST / HTTP/1.0" 200 6043 "http://gazeta.ru" "Opera/8.51 (Windows NT 5.1; U; en)"
186.86.232.130 - - [16/Feb/2011:02:16:06 +0100] "POST / HTTP/1.0" 200 6043 "http://gazeta.ru" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1"
186.86.232.130 - - [16/Feb/2011:02:16:06 +0100] "POST / HTTP/1.0" 200 6043 "http://fomenko.ru" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.0.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
127.0.0.1 - - [16/Feb/2011:02:16:07 +0100] "GET / HTTP/1.0" 403 5043 "-" "Apache (internal dummy connection)"
127.0.0.1 - - [16/Feb/2011:02:16:08 +0100] "GET / HTTP/1.0" 403 5043 "-" "Apache (internal dummy connection)"
186.86.232.130 - - [16/Feb/2011:02:16:08 +0100] "POST / HTTP/1.0" 200 6043 "http://gazeta.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
186.86.232.130 - - [16/Feb/2011:02:16:08 +0100] "POST / HTTP/1.0" 200 6043 "http://mail.com" "Opera/8.51 (Windows NT 5.1; U; en)"
186.86.232.130 - - [16/Feb/2011:02:16:10 +0100] "POST / HTTP/1.0" 200 6043 "http://subscribe.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
186.86.232.130 - - [16/Feb/2011:02:16:10 +0100] "POST / HTTP/1.0" 200 6043 "http://fomenko.ru" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
186.86.232.130 - - [16/Feb/2011:02:16:10 +0100] "POST / HTTP/1.0" 200 6043 "http://referat.ru" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
186.86.232.130 - - [16/Feb/2011:02:16:10 +0100] "POST / HTTP/1.0" 200 6043 "http://referat.ru" "Opera/7.23 (Windows 98; U) [en]"
186.86.232.130 - - [16/Feb/2011:02:16:12 +0100] "POST / HTTP/1.0" 200 6043 "http://fomenko.ru" "Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; Nokia 6600/5.27.0; 1665) Opera 8.60 [ru]"