Hello,
So every day, I am now receiving a decent number of emails (I'd say maybe around 50) showing that various IP addresses from all over the world are trying to connect to one of my VPSes.
They're always the same.
First they attempt to connect to TCP port 7001 3 times. Then, they attempt to connect to TCP port 2004 3 times. Finally, they attempt to connect to TCP port 8080 5 times before lfd blocks them.
I've verified the ports are closed and nothing is listening on them by running netstat -tulpn
However, what worries me a bit is this. I currently own three domains. All three run on the same physical virtual machine for now. But two of the domains have an entirely different IPv4 and IPv6 address than the first. Some of the attempts are on the first IPv4 address, some are on the second.
I am not certain how they could have figured out the second address. I believe I have my DNS server set up in such a way that zone-walking is impossible.
We have been attempting to use Skype for Business, where we need to modify our DNS records to point the Skype for Business application to the right servers. Same with Exchange: we need DNS records so our mail clients, like Outlook (yuck), know how to access the Exchange server.
I've googled all the ports and I see, as usual, they can be used for multiple programs, but the one thing they all seem to share is a trojan or virus (whatever you want to call it) tends to use all three of those ports. I haven't researched to see if it's the same trojan / virus that uses them.
Does anyone know of any legitimate programs or services that might be trying to connect to those ports? Does anything come to mind as to what might be happening? It's been going on for about a week now.
Thanks.
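As an added example (not part of the original post, and not csf/lfd's own code), the script below shows how a defender can confirm the pattern described above from the firewall log itself: it groups blocked TCP attempts by source address, counts hits per destination port, and flags sources that probed 7001, then 2004, then 8080 in that order, including when the same source hits more than one of the server's addresses. The log lines are constructed in the style of csf/iptables kernel log output using RFC 5737 documentation addresses; the exact field layout of a real log is an assumption, so adjust the regex if your prefix or field order differs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of csf/iptables kernel log output.
# Addresses come from documentation ranges (RFC 5737); this is not real traffic.
SAMPLE_LOG = """\
Jun 12 10:01:02 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=7001 SYN
Jun 12 10:01:03 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=7001 SYN
Jun 12 10:01:04 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=7001 SYN
Jun 12 10:01:05 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=2004 SYN
Jun 12 10:01:06 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=2004 SYN
Jun 12 10:01:07 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40006 DPT=2004 SYN
Jun 12 10:01:08 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=40007 DPT=8080 SYN
Jun 12 10:01:09 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=40008 DPT=8080 SYN
Jun 12 10:01:10 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=40009 DPT=8080 SYN
Jun 12 10:01:11 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=40010 DPT=8080 SYN
Jun 12 10:01:12 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=40011 DPT=8080 SYN
Jun 12 10:02:10 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=22 SYN
Jun 12 10:02:11 vps kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.88 DST=198.51.100.10 PROTO=UDP SPT=5060 DPT=5060
"""

# Pulls SRC, DST, PROTO and DPT out of an iptables-style log line (assumed layout).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)

# The port order reported in the post: 7001, then 2004, then 8080.
SCAN_PATTERN = (7001, 2004, 8080)


def parse_line(line):
    """Return (src, dst, proto, dpt) for a blocked-connection line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def summarize(log_text):
    """Group blocked TCP attempts by source: targets hit, hits per port, first-seen port order."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": Counter(), "order": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dpt = parsed
        if proto != "TCP":          # the reported probes are TCP only
            continue
        entry = per_src[src]
        entry["targets"].add(dst)
        entry["ports"][dpt] += 1
        if dpt not in entry["order"]:
            entry["order"].append(dpt)   # distinct ports in the order they were first seen
    return per_src


def matches_scan_pattern(entry, pattern=SCAN_PATTERN):
    """True when the source probed exactly the pattern's ports, in the pattern's order."""
    return tuple(entry["order"]) == tuple(pattern)


def flag_scanners(log_text, pattern=SCAN_PATTERN):
    """Return {src: sorted target addresses} for every source whose probes fit the pattern."""
    return {
        src: sorted(entry["targets"])
        for src, entry in summarize(log_text).items()
        if matches_scan_pattern(entry, pattern)
    }


if __name__ == "__main__":
    for src, targets in flag_scanners(SAMPLE_LOG).items():
        counts = summarize(SAMPLE_LOG)[src]["ports"]
        print(f"{src} probed {', '.join(targets)}: "
              + ", ".join(f"{p}x{counts[p]}" for p in SCAN_PATTERN))
```

Run it against `/var/log/messages` (or wherever your kernel firewall log lands) instead of `SAMPLE_LOG` to get a per-source list of which of your addresses each scanner touched; a source that hits both addresses in one sweep, as in the sample, is the simplest way to confirm the two addresses are being associated by the scanner rather than discovered separately.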