Website, CSF, and lots of attacks.

  • Spork Schivago
    Badcaps Legend
    • Mar 2012
    • 4734
    • United States of America

    #1

    Website, CSF, and lots of attacks.

    Hello,

    I have a domain and a virtual private server. I've noticed an increasing number of port scans detected by ConfigServer Firewall. For example, yesterday, there were about 40 e-mails from CSF. Today, 116. They're all from different companies, like Ukraine, Mexico, Brazil, Pakistan, etc.

    For example, here's one from Pakistan:
    Code:
    Sep 22 06:09:22 franklin kernel: [60481528.708196] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Sep 22 06:09:26 franklin kernel: [60481532.850047] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Sep 22 06:09:46 franklin kernel: [60481553.078695] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Sep 22 06:10:11 franklin kernel: [60481577.312413] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Sep 22 06:10:31 franklin kernel: [60481597.490389] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Sep 22 06:10:34 franklin kernel: [60481600.893815] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Here's one from China:
    Code:
    Time:  Thu Sep 22 05:58:15 2016 -0400
    IP:   14.148.236.121 (CN/China/-)
    Hits:  6
    Blocked: Permanent Block
    
    Sample of block hits:
    Sep 22 05:57:41 franklin kernel: [60480827.524481] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=18515 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
    Sep 22 05:57:46 franklin kernel: [60480832.454751] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
    Sep 22 05:57:49 franklin kernel: [60480835.343203] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
    Sep 22 05:57:50 franklin kernel: [60480835.628279] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
    Sep 22 05:58:08 franklin kernel: [60480853.638766] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=18389 DPT=2323 WINDOW=10289 RES=0x00 SYN URGP=0
    Sep 22 05:58:10 franklin kernel: [60480856.579357] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=25257 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
    I see a lot of them that have TCP protocol and a destination port of 23. As I'm sure you all probably know, TCP port 23 is generally the telnet port. I have nothing running on port 23. Any ideas why sooooo many people are trying to connect to this port? From Brazil, they first try to connect to port 2323 and then to port 23. Every time someone from Brazil tries connecting, they try connecting to port 2323 first and then 23. I think maybe they're all from the same person or something. Any suggestions?
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
  • Spork Schivago
    Badcaps Legend
    • Mar 2012
    • 4734
    • United States of America

    #2
    Re: Website, CSF, and lots of attacks.

    Oh, here's one from China:
    Code:
    Time:  Wed Sep 21 17:19:59 2016 -0400
    IP:   119.142.214.95 (CN/China/-)
    Hits:  6
    Blocked: Permanent Block
    
    Sample of block hits:
    Sep 21 17:18:17 franklin kernel: [60435227.564237] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
    Sep 21 17:18:48 franklin kernel: [60435258.794419] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
    Sep 21 17:19:05 franklin kernel: [60435275.934858] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
    Sep 21 17:19:41 franklin kernel: [60435312.039721] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
    Sep 21 17:19:44 franklin kernel: [60435315.001672] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
    Sep 21 17:19:54 franklin kernel: [60435324.471412] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=2323 WINDOW=60614 RES=0x00 SYN URGP=0
    Notice how it's TCP DPT 23 again, except for the last one, DPT 2323.

    EDIT: It seems I might have forgotten to check my e-mail for a day or two. Been so busy, I guess I didn't realize it. I'd still like to know why soooo many people are trying to connect to port 23 or 2323. I wonder what was running on this IP before I obtained it. I figure since I've had it for like a year now, people would know the domain belongs to someone else now. I still get 404's in the logs for a Jet Li video. The Jet Li stuff was like 6 years ago!!!! Maybe old search engines or something that haven't updated their crawling database?
    Last edited by Spork Schivago; 09-22-2016, 10:00 AM.
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
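Added example, not code from the thread or from ConfigServer: a small parser for the kernel firewall lines quoted in #1 and #2 that groups the blocked packets per source address, so the DPT 23 / 2323 pattern noted above can be checked across a whole mailbox of notices instead of by eye. The sample lines are copied from the notices above; the function names and the "telnet probe" label are my own.

```python
"""Summarise CSF/lfd 'Firewall: *TCP_IN Blocked*' kernel log lines per source.

Added example, not from the thread or ConfigServer. The lines are in the
iptables LOG format (key=value fields after the log prefix; bare tokens
such as SYN are TCP flags), which is what lfd quotes in its block e-mails.
"""
import re
from collections import OrderedDict

# Lines copied from the notices posted in #1 and #2 above. The e-mail
# header lines are kept on purpose to show that the parser skips them.
SAMPLE_LOG = """\
IP:   14.148.236.121 (CN/China/-)
Hits:  6
Sample of block hits:
Sep 22 06:09:22 franklin kernel: [60481528.708196] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:09:26 franklin kernel: [60481532.850047] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 05:57:41 franklin kernel: [60480827.524481] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=18515 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 05:57:46 franklin kernel: [60480832.454751] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 05:58:08 franklin kernel: [60480853.638766] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=18389 DPT=2323 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 05:58:10 franklin kernel: [60480856.579357] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=25257 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 21 17:19:54 franklin kernel: [60435324.471412] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=2323 WINDOW=60614 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[[^\]]*\] Firewall: \*(?P<chain>[A-Z_]+) Blocked\* (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one blocked-packet line, or None for anything else
    (e-mail headers, unrelated kernel messages)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))
    # Tokens without '=' are flag markers (SYN, ACK, DF, ...).
    flags = {tok for tok in rest.split() if "=" not in tok}
    return {
        "ts": m.group("ts"),
        "chain": m.group("chain"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


def summarise(lines):
    """Group parsed lines by source: hit count, destination ports in
    first-seen order, protocols and flags seen, first/last timestamp text."""
    per_src = OrderedDict()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        e = per_src.setdefault(ev["src"], {
            "hits": 0, "dports": [], "protos": set(), "flags": set(),
            "first": ev["ts"], "last": ev["ts"],
        })
        e["hits"] += 1
        e["last"] = ev["ts"]
        e["protos"].add(ev["proto"])
        e["flags"] |= ev["flags"]
        if ev["dpt"] is not None and ev["dpt"] not in e["dports"]:
            e["dports"].append(ev["dpt"])
    return per_src


TELNET_PORTS = {23, 2323}


def is_telnet_probe(entry):
    """True when a source only ever sent bare TCP SYNs to 23 and/or 2323,
    i.e. the connection attempts asked about above, not a wider port scan."""
    return (entry["protos"] == {"TCP"} and entry["flags"] == {"SYN"}
            and set(entry["dports"]) <= TELNET_PORTS)


def report(per_src):
    """One text line per source, suitable for a daily digest."""
    out = []
    for src, e in per_src.items():
        label = "telnet probe" if is_telnet_probe(e) else "other"
        ports = "/".join(str(p) for p in e["dports"])
        out.append(f"{src:16} hits={e['hits']:<3} dpt={ports:10} {label}")
    return out


if __name__ == "__main__":
    print("\n".join(report(summarise(SAMPLE_LOG.splitlines()))))
```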

    • stj
      Great Sage 齊天大聖
      • Dec 2009
      • 30952
      • Albion

      #3
      Re: Website, CSF, and lots of attacks.

      they probably aren't from china, china is under 24/7 flood attack by some western government.
      makes it a right pain in the ass to download large files from chinese servers!

      most likely it's coming out of the u.s. or israel and being proxied a few times.
      as for what they are looking for - maybe they are looking for "internet of shit" / dedicated devices.

      • Uniballer
        Badcaps Veteran
        • Jul 2013
        • 334
        • USA

        #4
        Re: Website, CSF, and lots of attacks.

        Most attacks are run from scripts that try the same attacks endlessly on any IP address and TCP/UDP ports they can connect to. Telnet is normally on port 23, and some people are known to run a telnet server at port 2323 (although nobody should be using telnet for remote access anymore), just as HTTP normally runs on port 80, and some people run an HTTP server at 8080. These "attacks" you are seeing are just probes looking for known weaknesses so they can start a real attack. It's just Internet life in 2016.

        I generally find that after setting up a new server the first probes will find it and start looking for weaknesses within an hour.

        • Spork Schivago
          Badcaps Legend
          • Mar 2012
          • 4734
          • United States of America

          #5
          Re: Website, CSF, and lots of attacks.

          Originally posted by stj
          they probably aren't from china, china is under 24/7 flood attack by some western government.
          makes it a right pain in the ass to download large files from chinese servers!

          most likely it's coming out of the u.s. or israel and being proxied a few times.
          as for what they are looking for - maybe they are looking for "internet of shit" / dedicated devices.
          I figured it was being proxied. I thought it was coming from the same person / group / whatever. I mean I'm sure there's a few that are just random people, but the majority of them are all TCP port 23. There's a few that start with 2323 or end in 2323 but even in them, minus that one 2323 port, the rest from that IP are 23. Almost like it's a script and someone had a typo and accidentally put in port 2323 instead of 23. Maybe they're trying some sort of brute force telnet attack (although I don't have a telnet server set up).
          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

          • Spork Schivago
            Badcaps Legend
            • Mar 2012
            • 4734
            • United States of America

            #6
            Re: Website, CSF, and lots of attacks.

            Originally posted by Uniballer
            Most attacks are run from scripts that try the same attacks endlessly on any IP address and TCP/UDP ports they can connect to. Telnet is normally on port 23, and some people are known to run a telnet server at port 2323 (although nobody should be using telnet for remote access anymore), just as HTTP normally runs on port 80, and some people run an HTTP server at 8080. These "attacks" you are seeing are just probes looking for known weaknesses so they can start a real attack. It's just Internet life in 2016.

            I generally find that after setting up a new server the first probes will find it and start looking for weaknesses within an hour.
            I figured it was a script as well. I've seen some people try running an SSH brute force attack. Before I had security software set up, one person was flooding my logs trying a brute force SSH attack but he was connected to a closed port. Must not have been very intelligent. I figured one of them script kiddies.

            One of these days, if they keep trying, they'll probably find a way in. Sooner or later, I'm sure something will be exploitable. My provider isn't the best and I'm running an outdated version of CentOS. I'd love something a bit newer, you know? Maybe one of these days I'll switch to someone else.

            Reverse DNS pointers, for instance, I cannot set them up. Kinda sucks. I thought I'd have control over that, but they run some custom anti-mass-mailing program or something and everything goes through their relay or whatever you want to call it. I guess that's why I cannot have reverse DNS pointer records set up.
            -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

            • stj
              Great Sage 齊天大聖
              • Dec 2009
              • 30952
              • Albion

              #7
              Re: Website, CSF, and lots of attacks.

              it could have been an indexing tool.
              either private scum (Israeli / NSA / GCHQ etc)

              or something like shodan.
              https://www.shodan.io/

              • Spork Schivago
                Badcaps Legend
                • Mar 2012
                • 4734
                • United States of America

                #8
                Re: Website, CSF, and lots of attacks.

                For the port 2323 / 23 stuff? Or the SSH stuff?

                What do you mean by indexing tool? Kinda like a web crawler (like what Google might use) but recording open ports? I'd think if that was the case, they'd be trying more than just port 23 and 2323.

                I'm starting to think the 23 / 2323 thing isn't so much an attack, just some misconfigured service or something. I mean if it was an attack, why just those two ports? My server blocks them after a certain number of attempts. They are permanently banned and cannot connect again. Do you think maybe they're trying to bring down my server with some sort of simple DDoS? Connect, get banned, connect from another IP address, get banned, do it enough, fill up enough memory...
                -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                • stj
                  Great Sage 齊天大聖
                  • Dec 2009
                  • 30952
                  • Albion

                  #9
                  Re: Website, CSF, and lots of attacks.

                  a crawler would only try one port if it's well written and try a lot of i.p.'s
                  if it tried to walk through all the port numbers it would trip firewalls and be blocked instantly - by only trying one port each pass, it avoids that.

                  • Spork Schivago
                    Badcaps Legend
                    • Mar 2012
                    • 4734
                    • United States of America

                    #10
                    Re: Website, CSF, and lots of attacks.

                    Originally posted by stj
                    a crawler would only try one port if it's well written and try a lot of i.p.'s
                    if it tried to walk through all the port numbers it would trip firewalls and be blocked instantly - by only trying one port each pass, it avoids that.
                    Yeah, I believe crawlers are just for HTTP / HTTPS stuff, right? Is an indexer one that does one port each pass? Maybe try a port, wait a day, try another port, wait a day, etc?

                    These TCP port 23's have been going on for a long time now, since I set up CSF. They've just recently increased in frequency. That worried me a little.
                    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
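As an added example, not part of the thread or of ConfigServer's code, this models the difference between counting hits per source (what a per-IP block keys on, and why a single SYN from each address never trips it) and counting distinct sources per destination port, the view that does notice the "one port each pass, lots of IPs" pattern stj describes. The events use RFC 5737 documentation addresses and the thresholds are illustrative, both constructed here.

```python
"""Per-source vs per-destination-port views of blocked SYN events.

Added example, not from the thread or ConfigServer. Two detectors run over
the same constructed events: a per-source hit counter in the spirit of a
per-IP block, and a per-port counter of distinct sources in a time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def make_events():
    """Constructed (when, src, dport) events, not a real capture."""
    base = datetime(2016, 9, 22, 0, 0, 0)
    events = []
    # One noisy scanner walking ports 20..40 from a single address in a minute.
    for i, port in enumerate(range(20, 41)):
        events.append((base + timedelta(seconds=3 * i), "203.0.113.7", port))
    # A sweep: 30 different addresses, each sending exactly one SYN to port 23,
    # spread over six hours. Per-source counting sees one hit per address.
    for i in range(30):
        events.append((base + timedelta(minutes=12 * i), f"198.51.100.{i + 1}", 23))
    # Unrelated background hits on other ports.
    events.append((base + timedelta(hours=1), "192.0.2.9", 80))
    events.append((base + timedelta(hours=2), "192.0.2.10", 443))
    return sorted(events)


def per_source_alerts(events, limit=10, interval=timedelta(minutes=5)):
    """Sources with at least `limit` blocked hits inside any `interval`
    window: the quantity a per-IP temporary or permanent block keys on."""
    times_by_src = defaultdict(list)
    for when, src, _ in events:
        times_by_src[src].append(when)
    alerted = set()
    for src, times in times_by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > interval:   # slide the window start
                lo += 1
            if hi - lo + 1 >= limit:
                alerted.add(src)
                break
    return alerted


def port_sweeps(events, window=timedelta(hours=1), min_sources=5):
    """Destination ports hit by at least `min_sources` distinct sources inside
    any `window`, however few hits each individual source sent."""
    hits_by_port = defaultdict(list)
    for when, src, dport in events:
        hits_by_port[dport].append((when, src))
    flagged = set()
    for port, hits in hits_by_port.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            if len({src for _, src in hits[lo:hi + 1]}) >= min_sources:
                flagged.add(port)
                break
    return flagged


EVENTS = make_events()

if __name__ == "__main__":
    # The noisy scanner trips the per-source check; the 30-address sweep does
    # not, but it is the only thing the per-port check flags.
    print("per-source alerts:", sorted(per_source_alerts(EVENTS)))
    print("swept ports      :", sorted(port_sweeps(EVENTS)))
```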

                    • mariushm
                      Badcaps Legend
                      • May 2011
                      • 3799

                      #11
                      Re: Website, CSF, and lots of attacks.

                      There's also lots of viruses that infect servers and home computers and join botnets (for mass email spam, mass flood of servers for ransom as in send bitcoin here and we'll stop ddos-ing your servers) and these automatically scan ip ranges to detect other computers and then try to infect them through known vulnerabilities.

                      Probably some of those viruses know of some vulnerabilities on a particular version of telnet server app and try to detect if your server runs it.
                      Last edited by mariushm; 09-23-2016, 03:07 AM.

                      • keeney123
                        Lauren
                        • Sep 2014
                        • 2536
                        • United States

                        #12
                        Re: Website, CSF, and lots of attacks.

                        I had this one that said they are from Microsoft and all my accounts were being scanned and credits were compromised. It told me that there was a virus and to call a 1-800 number to correct the problem. If I closed the window I would not be able to use my machine. This was on Firefox, Internet Explorer and Google Chrome. It took me a while to get rid of it. The final thing is I had to increase security levels on my router and computer. Of course this then slows the computer on the internet.
                        Last edited by keeney123; 09-23-2016, 11:25 AM.

                        • Spork Schivago
                          Badcaps Legend
                          • Mar 2012
                          • 4734
                          • United States of America

                          #13
                          Re: Website, CSF, and lots of attacks.

                          Originally posted by mariushm
                          There's also lots of viruses that infect servers and home computers and join botnets (for mass email spam, mass flood of servers for ransom as in send bitcoin here and we'll stop ddos-ing your servers) and these automatically scan ip ranges to detect other computers and then try to infect them through known vulnerabilities.

                          Probably some of those viruses know of some vulnerabilities on a particular version of telnet server app and try to detect if your server runs it.
                          Okay. So, do you think they're just constantly scanning that port every day in case I finally setup a telnet server or something?

                          I'd have to say it's some sort of botnet, based on the sheer number of attempts, always from a different IP address...I guess they could be spoofing their IP address, but that'd be pretty pointless, wouldn't it be? They'd never get any responses from my server. Does TCP implement any type of handshaking at all? If not, maybe they could be flying blind. For example, spoof their IP, try sending an exploit to my server, assume the exploit was successful, have the exploit open port 2323, try connecting to port 2323, etc.

                          Is that possible at all or no?
                          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                          • Spork Schivago
                            Badcaps Legend
                            • Mar 2012
                            • 4734
                            • United States of America

                            #14
                            Re: Website, CSF, and lots of attacks.

                            Originally posted by keeney123
                            I had this one that said they are from Microsoft and all my accounts were being scanned and credits were compromised. It told me that there was a virus and to call a 1-800 number to correct the problem. If I closed the window I would not be able to use my machine. This was on Firefox, Internet Explorer and Google Chrome. It took me a while to get rid of it. The final thing is I had to increase security levels on my router and computer. Of course this then slows the computer on the internet.
                            Those things can be a bit nasty. I've run across one that took advantage of some vulnerability in some browser. It prevented me from closing the window. I just CTRL-ALT-DELETE'd and ended the browser. Then, when I restarted the browser, I very quick like just closed the tab that was loading the bad stuff.
                            -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                            • keeney123
                              Lauren
                              • Sep 2014
                              • 2536
                              • United States

                              #15
                              Re: Website, CSF, and lots of attacks.

                              Originally posted by Spork Schivago
                              Those things can be a bit nasty. I've run across one that took advantage of some vulnerability in some browser. It prevented me from closing the window. I just CTRL-ALT-DELETE'd and ended the browser. Then, when I restarted the browser, I very quick like just closed the tab that was loading the bad stuff.
                              This was way more aggressive. I could close the browser, like Firefox, and open a completely different browser, like Internet Explorer, and it was right there. It completely ignored the start and home page and went directly to its page. I blocked the domain with Bit Defender and it started loading on another domain. It did not matter what site I went to, it was there. I increased the security of the browsers to high and it did not matter. I completely deleted the browser and then reloaded it and it was there. I finally loaded Google Chrome and it was clean for about three or four searches and then it appeared. I then set my Bit Defender to max gaming mode and then went into my modem and set that to Max security and that solved the problem. The problem then is the web searches are slower.

                              • TechGeek
                                Computer Geek
                                • Jan 2015
                                • 2254
                                • USA

                                #16
                                Re: Website, CSF, and lots of attacks.

                                re-install Windows. DONE.

                                • Spork Schivago
                                  Badcaps Legend
                                  • Mar 2012
                                  • 4734
                                  • United States of America

                                  #17
                                  Re: Website, CSF, and lots of attacks.

                                  Originally posted by keeney123
                                  This was way more aggressive. I could close the browser, like Firefox, and open a completely different browser, like Internet Explorer, and it was right there. It completely ignored the start and home page and went directly to its page. I blocked the domain with Bit Defender and it started loading on another domain. It did not matter what site I went to, it was there. I increased the security of the browsers to high and it did not matter. I completely deleted the browser and then reloaded it and it was there. I finally loaded Google Chrome and it was clean for about three or four searches and then it appeared. I then set my Bit Defender to max gaming mode and then went into my modem and set that to Max security and that solved the problem. The problem then is the web searches are slower.
                                  Keeney123, I feel that I owe you for one reason or another. Anyway, it sounds like your PC was actually infected and might still be. If you don't mind running some tests, we might be able to figure out if it is or not.

                                  One thing you might want to do first is to download Malwarebytes and run that:

                                  https://www.malwarebytes.com/mwb-download/

                                  You probably want the free download. Once you start installing, eventually it will bring up a pop-up window with some check marks. One will say Enable free trial of Malwarebytes Premium. Uncheck that unless you plan on purchasing the premium version.

                                  Once Malwarebytes starts, don't click Scan Now. Wait until it finishes updating. Then, click on Settings. On the left hand side, you'll see a category titled: Detection and Protection. Click that and you should see some check boxes. Click the one that says Scan for rootkits.

                                  After that, click the option that says Scan. It's after Dashboard and before Settings on the top of Malwarebytes. Click on Custom Scan. Then click the big blue button that says CONFIGURE SCAN. Make sure Scan for Rootkits is checked on the left hand side. Also, make sure your drive is checked. You might have more than one drive to pick from. For example, here, we have the C: drive and the D: drive. Our D: drive is the blu-ray burner so there's no sense for us to scan that. If you're not sure, you can check them all. It shouldn't hurt anything. After that, click Scan Now.

                                  Go do something for a while. It can take a while to scan. Once it's done scanning, let us know what it says for Detected Objects:

                                  There's more programs I'll have you run, if you're okay with it, but we should start there.
                                  -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                                  • Spork Schivago
                                    Badcaps Legend
                                    • Mar 2012
                                    • 4734
                                    • United States of America

                                    #18
                                    Re: Website, CSF, and lots of attacks.

                                    TechGeek is correct. Ultimately, if you are infected, you should always reinstall Windows. If you need to do this, contact me via e-mail and I'll walk you through it. If you have more than one PC connected to the internet, it'd be easier.
                                    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                                    • RJARRRPCGP
                                      Badcaps Legend
                                      • Jul 2004
                                      • 6301
                                      • USA

                                      #19
                                      Re: Website, CSF, and lots of attacks.

                                      Originally posted by Spork Schivago
                                      TechGeek is correct. Ultimately, if you are infected, you should always reinstall Windows. If you need to do this, contact me via e-mail and I'll walk you through it. If you have more than one PC connected to the internet, it'd be easier.
                                      QFT and also wipe the entire drive! You don't want ghost Windows remnants!

                                      • Spork Schivago
                                        Badcaps Legend
                                        • Mar 2012
                                        • 4734
                                        • United States of America

                                        #20
                                        Re: Website, CSF, and lots of attacks.

                                        Originally posted by RJARRRPCGP
                                        QFT and also wipe the entire drive! You don't want ghost Windows remnants!
                                        What do you mean by QFT? Quick Format?

                                        This can be a bit tricky. Although I personally don't care much for recovery partitions and images and prefer a clean installation, some people like them very much. When they pay me and they have some pre-installed version of something like Cyberlink and I wipe the entire drive, they might get pretty upset when I give the PC back without Cyberlink. If they want it reinstalled, a lot of times, they might be forced to either purchase it directly or purchase recovery disks....

                                        So, depending on whether Keeney123 wants a clean install or his pre-installed bloatware, I mean software, I think that would determine what way is the best.

                                        Some BIOSes use partitions for system tools, like UEFI type BIOSes. If those partitions are destroyed, those tools won't work.
                                        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                                          Please help. Never opened before!!

                                          arrived with black screen (with backlight) . trying to reboot: still the same.

                                          booted to usb ->ok

                                          format ->ok

                                          but a lot of kernel panic!

                                          tried other os, tried other ssd, no luck


                                          sometimes it works flawessly, some time a lot of kernel

                                          I ADD KERNEL PANIC LOG

                                          PS no error from apple hardware test...
                                          07-07-2022, 08:07 AM
                                        • ronaldopdias
                                          A1990 Constant Kernel Panic: AMDFramebufferVIB::setPowerState
                                          by ronaldopdias
                                          Hi, I have an A1990, i9 & Radeon 560X. Before it was freezing every few seconds, almost as if failing SSD, even on external macOS installation. I have tried a clean reinstall, revive + restore T2 firmware and it now works fine, other than it seems to kernel panic after some time in sleep.

                                          Below is the kernel panic log, its similar to a lot of posts online for the same model, with no comments on how to fix the issue, and whether its firmware related or an LB issue. Most seemed to happen running Catalina but I am on the latest version of macOS Ventura....
                                          07-07-2023, 01:58 AM
                                        • Loading...
                                        • No more items.
                                        Working...