I have run into a very strange behavior running the Apache server. I noticed my internet connection came to a crawl while browsing the web. I looked in my Windows XP system event log and noticed Event ID 4226 - TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. I researched this event and found out that Windows XP SP2 added a security limit of no more than 10 concurrent TCP/IP connection attempts per second. It is difficult to reach this limit unless you are load testing or have some program designed to establish a high volume of requests. I followed this up by running my command window and using the Netstat command to see what connections were occurring and which program was the culprit.
I discovered some program/virus is sending out TCP/IP connection requests on port 80, running through consecutive IP addresses via the httpd.exe file (Apache server executable).
It is hammering out these HTTP requests non-stop by running through IP addresses randomly to make connections on port 80. You will notice in the log below it is using the php_curl.dll library. I am guessing this library is used for making network connections along with the winsock related libraries.
This problem now occurs each time I attempt to manually start the Apache server service. I don't know how to go about finding out what is causing this problem and resolving it. I need help!
I have the Apache server service set to manual now. I don't understand how it is launching itself after rebooting my machine and then starting up the Apache server and before I ever open a browser.
Below is my info and some of the log I copied from Netstat command.
Operating system Windows XP SP3
XAMPP version 1.7.3 (PHP version 5.3.1, Apache 2.2)
Development on the server: several WordPress 3.0 installations with various plugins
Log from Netstat: (The ones with a SYN_SENT state are the random requests)
Netstat 02/17/2011
Active Connections
Proto Local Address Foreign Address State PID
TCP XX.XXX.XX.123:80 46.29.255.22:2187 ESTABLISHED 2740
TCP XX.XXX.XX.123:1975 89.190.67.22:80 SYN_SENT 2740
TCP XX.XXX.XX.123:1976 89.190.67.23:80 SYN_SENT 2740
TCP XX.XXX.XX.123:1977 89.190.67.24:80 SYN_SENT 2740
TCP XX.XXX.XX.123:1980 89.190.67.27:80 SYN_SENT 2740
TCP XX.XXX.XX.123:1981 89.190.67.28:80 SYN_SENT 2740
TCP XX.XXX.XX.123:1984 89.190.67.31:80 SYN_SENT 2740
TCP XX.XXX.XX.123:1985 89.190.67.32:80 SYN_SENT 2740
TCP XX.XXX.XX.123:1986 89.190.67.33:80 SYN_SENT 2740
TCP XX.XXX.XX.123:1987 89.190.67.34:80 SYN_SENT 2740
TCP XX.XXX.XX.123:1988 89.190.67.35:80 SYN_SENT 2740
TCP 127.0.0.1:5152 127.0.0.1:1609 CLOSE_WAIT 1636
Active Connections
Proto Local Address Foreign Address State PID
TCP winxpmachine:2020 89.190.67.67:http SYN_SENT 2740
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
[httpd.exe]
TCP winxpmachine:2021 89.190.67.68:http SYN_SENT 2740
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
-- unknown component(s) --
[httpd.exe]
TCP winxpmachine:2023 89.190.67.70:http SYN_SENT 2740
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
-- unknown component(s) --
[httpd.exe]
TCP winxpmachine:2024 89.190.67.71:http SYN_SENT 2740
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
-- unknown component(s) --
[httpd.exe]
TCP winxpmachine:2025 89.190.67.72:http SYN_SENT 2740
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
-- unknown component(s) --
[httpd.exe]
TCP winxpmachine:2026 89.190.67.73:http SYN_SENT 2740
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
-- unknown component(s) --
[httpd.exe]
TCP winxpmachine:2027 89.190.67.74:http SYN_SENT 2740
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
[httpd.exe]
-----------------------
Feb 18th
Active Connections
Proto Local Address Foreign Address State PID
TCP XX.XXX.XX.123:80 46.29.255.22:1744 ESTABLISHED 1768
TCP XX.XXX.XX.123:1047 211.157.21.3:80 TIME_WAIT 0
TCP XX.XXX.XX.123:1049 211.157.21.4:80 TIME_WAIT 0
TCP XX.XXX.XX.123:1053 211.157.21.6:80 TIME_WAIT 0
TCP XX.XXX.XX.123:1057 211.157.21.8:80 TIME_WAIT 0
TCP XX.XXX.XX.123:1079 213.248.139.19:80 SYN_SENT 1768
TCP XX.XXX.XX.123:1080 211.157.21.19:80 SYN_SENT 1768
TCP XX.XXX.XX.123:1081 213.248.139.20:80 SYN_SENT 1768
TCP XX.XXX.XX.123:1082 211.157.21.20:80 SYN_SENT 1768
TCP XX.XXX.XX.123:1083 213.248.139.21:80 SYN_SENT 1768
TCP XX.XXX.XX.123:1085 213.248.139.22:80 SYN_SENT 1768
TCP XX.XXX.XX.123:1086 211.157.21.22:80 SYN_SENT 1768
TCP XX.XXX.XX.123:1087 213.248.139.23:80 SYN_SENT 1768
TCP XX.XXX.XX.123:1088 211.157.21.23:80 SYN_SENT 1768
TCP XX.XXX.XX.123:1089 213.248.139.24:80 SYN_SENT 1768
Active Connections
Proto Local Address Foreign Address State PID
TCP winxpmachine:1049 cable-3-6.cgates.lt:http SYN_SENT 2564
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
[httpd.exe]
TCP winxpmachine:1050 pd94206.osaknt01.ap.so-net.ne.jp:http SYN_SENT
2564
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
[httpd.exe]
TCP winxpmachine:1051 cable-3-7.cgates.lt:http SYN_SENT 2564
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
[httpd.exe]
TCP winxpmachine:1052 pd94207.osaknt01.ap.so-net.ne.jp:http SYN_SENT
2564
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
[httpd.exe]
TCP winxpmachine:1053 cable-3-8.cgates.lt:http SYN_SENT 2564
I:\WINDOWS\system32\MSWSOCK.dll
I:\WINDOWS\system32\WS2_32.dll
I:\xampp\php\ext\php_curl.dll
[httpd.exe]
If anyone can help me resolve this or has information on others who have experienced this please let me know.
Thank you,
Leapstepman
leapstepman@gmail.com
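The pattern in the log above (one PID holding many SYN_SENT connections to port 80 on near-consecutive addresses) can be picked out of `netstat -ano` output automatically. The following is an added example, not part of the original post; the sample rows are constructed with documentation-range addresses, and `find_scanners` with its thresholds is a hypothetical helper.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in `netstat -ano` layout, modelled on the rows in the post.
SAMPLE = """\
  Proto  Local Address      Foreign Address      State        PID
  TCP    192.0.2.10:80      203.0.113.5:2187     ESTABLISHED  2740
  TCP    192.0.2.10:1975    198.51.100.22:80     SYN_SENT     2740
  TCP    192.0.2.10:1976    198.51.100.23:80     SYN_SENT     2740
  TCP    192.0.2.10:1977    198.51.100.24:80     SYN_SENT     2740
  TCP    192.0.2.10:1980    198.51.100.27:80     SYN_SENT     2740
  TCP    192.0.2.10:1981    198.51.100.28:80     SYN_SENT     2740
  TCP    192.0.2.10:1984    198.51.100.31:80     SYN_SENT     2740
  TCP    192.0.2.10:2100    203.0.113.80:80      SYN_SENT     3120
  TCP    127.0.0.1:5152     127.0.0.1:1609       CLOSE_WAIT   1636
"""

# Numeric (-n) rows only: local addr:port, remote IPv4:port, state, PID.
ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def find_scanners(text, min_targets=5):
    """Return {pid: summary} for PIDs with many half-open outbound port-80 connects."""
    targets = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP, hostname-resolved or wrapped rows
        _lport, raddr, rport, state, pid = m.groups()
        if state == "SYN_SENT" and rport == "80":
            targets[int(pid)].add(int(ipaddress.IPv4Address(raddr)))
    findings = {}
    for pid, addrs in targets.items():
        if len(addrs) < min_targets:
            continue  # a browser opening a page or two stays below this
        ordered = sorted(addrs)
        # Neighbouring targets 1-3 addresses apart indicate a sweep of a range.
        near = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= 3)
        findings[pid] = {
            "targets": len(ordered),
            "sequential_ratio": round(near / max(len(ordered) - 1, 1), 2),
            "subnets": sorted({str(ipaddress.ip_network((a & 0xFFFFFF00, 24)))
                               for a in ordered}),
        }
    return findings
```

A PID reported with a `sequential_ratio` close to 1.0 is the one to map to its executable and, for a web server process, to the requests it was serving at that time.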