Thanks Jamie for your suggestion. I had the user run "ps auxwwww | grep openssl", as you had suggested, and found that there are almost 200 entries similar to these:
root       604  0.0  0.4  13084  9712 ?        S    Nov19   0:00 openssl s_client -quiet -connect 127.0.0.1 10000
root       713  0.0  0.3  13084  6164 ?        S    Nov19   0:00 openssl s_client -quiet -connect 127.0.0.1 10000
root       722  0.0  0.4  13084  9448 ?        S    Nov19   0:00 openssl s_client -quiet -connect 127.0.0.1 10000
root       896  0.0  0.4  13084 10036 ?        S    Nov19   0:00 openssl s_client -quiet -connect 127.0.0.1 10000
root      1334  0.0  0.4  13084  9716 ?        S    Nov19   0:00 openssl s_client -quiet -connect 127.0.0.1 10000
root      1419  0.0  0.4  13084  9712 ?        S    Nov19   0:00 openssl s_client -quiet -connect 127.0.0.1 10000
At least the command being run is clear. I just don't know why just yet.
 
Cheers,
Matt


From: Jamie Cameron [mailto:jcameron@webmin.com]
Sent: Friday, November 18, 2011 11:43 AM
It looks like the openssl command is trying to connect to webmin. You should run ps auxwwww | grep openssl and see what the full command is, and why it is being run.

On Nov 18, 2011, at 7:50 AM, Mathew Samuel <Mathew.Samuel@entrust.com> wrote:

Hi,
 
Thanks Jamie for your suggestion. I had the user run "lsof -i -n -P | grep 10000" and a sample of the results was as follows:
 
openssl     425     root   12u  IPv4  8555921       TCP 127.0.0.1:48645->127.0.0.1:10000 (ESTABLISHED)
miniserv.   426     root   10u  IPv4  8555922       TCP 127.0.0.1:10000->127.0.0.1:48645 (ESTABLISHED)
openssl     642     root  200u  IPv4  9236934       TCP 127.0.0.1:43174->127.0.0.1:10000 (ESTABLISHED)
openssl     748     root  292u  IPv4  9573695       TCP 127.0.0.1:40536->127.0.0.1:10000 (ESTABLISHED)
openssl     837     root  106u  IPv4  8896948       TCP 127.0.0.1:38701->127.0.0.1:10000 (ESTABLISHED)
miniserv.   838     root   10u  IPv4  8896949       TCP 127.0.0.1:10000->127.0.0.1:38701 (ESTABLISHED)
openssl    1125     root   14u  IPv4  8563134       TCP 127.0.0.1:43037->127.0.0.1:10000 (ESTABLISHED)
miniserv.  1126     root   10u  IPv4  8563135       TCP 127.0.0.1:10000->127.0.0.1:43037 (ESTABLISHED)
openssl    1348     root  202u  IPv4  9244199       TCP 127.0.0.1:44598->127.0.0.1:10000 (ESTABLISHED)
openssl    1457     root  294u  IPv4  9580896       TCP 127.0.0.1:58226->127.0.0.1:10000 (ESTABLISHED)
openssl    1521     root  108u  IPv4  8904154       TCP 127.0.0.1:53522->127.0.0.1:10000 (ESTABLISHED)
openssl    1796     root   16u  IPv4  8570316       TCP 127.0.0.1:45121->127.0.0.1:10000 (ESTABLISHED)
miniserv.  1797     root   10u  IPv4  8570317       TCP 127.0.0.1:10000->127.0.0.1:45121 (ESTABLISHED)
openssl    2028     root  204u  IPv4  9251459       TCP 127.0.0.1:47330->127.0.0.1:10000 (ESTABLISHED)
openssl    2194     root  110u  IPv4  8911338       TCP 127.0.0.1:40496->127.0.0.1:10000 (ESTABLISHED)
openssl    2471     root   18u  IPv4  8577512       TCP 127.0.0.1:47104->127.0.0.1:10000 (ESTABLISHED)
miniserv.  2472     root   10u  IPv4  8577513       TCP 127.0.0.1:10000->127.0.0.1:47104 (ESTABLISHED)
openssl    2703     root  206u  IPv4  9258670       TCP 127.0.0.1:42726->127.0.0.1:10000 (ESTABLISHED)
openssl    2885     root  112u  IPv4  8918594       TCP 127.0.0.1:53319->127.0.0.1:10000 (ESTABLISHED)
openssl    3199     root   20u  IPv4  8584800       TCP 127.0.0.1:52909->127.0.0.1:10000 (ESTABLISHED)
 
This repeats for about 200 lines. Seems that some are miniserv related while the majority are due to openssl? All of them are localhost initiated though. What might be causing miniserv to initiate these connections?
 
Cheers,
Matt


From: Jamie Cameron [mailto:jcameron@webmin.com]
Sent: Wednesday, November 16, 2011 11:45 PM
To: Webmin users list
Subject: Re: [webmin-l] Why so many ESTABLISHED connections with port 10000?

Did you try running lsof or fuser to see what process was on the other end of those connections? That would go a long way to explaining the problem...

Mathew Samuel <Mathew.Samuel@entrust.com> wrote:

Hi,
 
I received a reported problem on a RHEL 5.6 system we have running Webmin 1.530 where the user was unable to connect to the Webmin port 10000. The user did a "netstat -na | grep 10000" and here is a small snippet of the results of that command:
 
tcp      121      0 127.0.0.1:10000             127.0.0.1:46875             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:60187             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:44568             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:52070             ESTABLISHED
tcp      121      0 127.0.0.1:10000             127.0.0.1:37472             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:49516             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:50536             ESTABLISHED
tcp      121      0 127.0.0.1:10000             127.0.0.1:39037             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:60282             ESTABLISHED
tcp      121      0 127.0.0.1:10000             127.0.0.1:35194             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:44615             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:52806             ESTABLISHED
tcp      121      0 127.0.0.1:10000             127.0.0.1:35909             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:45892             ESTABLISHED
tcp      121      0 127.0.0.1:10000             127.0.0.1:59203             ESTABLISHED
tcp      121      0 127.0.0.1:10000             127.0.0.1:51523             ESTABLISHED
tcp      121      0 127.0.0.1:10000             127.0.0.1:35395             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:52545             ESTABLISHED
tcp        0      0 127.0.0.1:10000             127.0.0.1:57422             ESTABLISHED
tcp      121      0 127.0.0.1:10000             127.0.0.1:43853             ESTABLISHED

Apparently there were about 200 ESTABLISHED connections in total, and so it appeared there was no more space to establish the new connection he was trying to make. The problem goes away upon restarting the Webmin service; however, the ESTABLISHED connections soon return.
 
Just wondering if anyone understands what is going on here? Why would there be so many connections between localhost itself taking place with the Webmin port?
 
Cheers,
Matt
 
Forwarded by the Webmin mailing list at webadmin-list@lists.sourceforge.net
To remove yourself from this list, go to
http://lists.sourceforge.net/lists/listinfo/webadmin-list
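
Added example (not part of the thread and not Webmin code): a small filter over `lsof -i -n -P` output that counts which commands hold client ends of connections to a local port and lists the client ends for which the listing shows no server-side descriptor. The function names `port_peers` and `sample_lsof` are made up for this example; the sample input is six lines taken from the lsof output quoted in the thread.

```shell
#!/bin/sh
# Added example: pair up both ends of loopback connections to one port.
# Live use (as root): lsof -i -n -P | port_peers 10000

port_peers() {  # $1 = listening port, lsof output on stdin
    awk -v port="$1" '
    NF >= 2 && $NF == "(ESTABLISHED)" && $(NF-1) ~ /->/ {
        split($(NF-1), ends, "->")
        n = split(ends[1], s, ":"); sport = s[n]
        n = split(ends[2], d, ":"); dport = d[n]
        if (dport == port) {          # client end: addr:eph -> addr:port
            owner[ends[1]] = $1 " " $2
            count[$1]++
        } else if (sport == port) {   # server end: addr:port -> addr:eph
            served[ends[2]] = 1
        }
    }
    END {
        for (c in count) printf "clients %s %d\n", c, count[c]
        # A client end with no server-side descriptor in the listing: no
        # process shown holds the other end (or the listing was truncated).
        for (e in owner) if (!(e in served)) {
            unpaired++
            printf "unpaired %s %s\n", owner[e], e
        }
        printf "unpaired_total %d\n", unpaired
    }' | sort
}

sample_lsof() {  # six lines taken from the lsof sample in the thread
cat <<'EOF'
openssl     425     root   12u  IPv4  8555921       TCP 127.0.0.1:48645->127.0.0.1:10000 (ESTABLISHED)
miniserv.   426     root   10u  IPv4  8555922       TCP 127.0.0.1:10000->127.0.0.1:48645 (ESTABLISHED)
openssl     642     root  200u  IPv4  9236934       TCP 127.0.0.1:43174->127.0.0.1:10000 (ESTABLISHED)
openssl     748     root  292u  IPv4  9573695       TCP 127.0.0.1:40536->127.0.0.1:10000 (ESTABLISHED)
openssl     837     root  106u  IPv4  8896948       TCP 127.0.0.1:38701->127.0.0.1:10000 (ESTABLISHED)
miniserv.   838     root   10u  IPv4  8896949       TCP 127.0.0.1:10000->127.0.0.1:38701 (ESTABLISHED)
EOF
}

sample_lsof | port_peers 10000
```

On a live host, feed it the full `lsof -i -n -P` output rather than a grep sample, so that a missing server-side line reflects the system state and not the truncation.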