Re: Website, CSF, and lots of attacks.
Originally posted by mariushm:
There's also lots of viruses that infect servers and home computers and join botnets (for mass email spam, mass flood of servers for ransom as in send bitcoin here and we'll stop ddos-ing your servers) and these automatically scan ip ranges to detect other computers and then try to infect them through known vulnerabilities.
Probably some of those viruses know of some vulnerabilities on a particular version of telnet server app and try to detect if your server runs it.
I'd have to say it's some sort of botnet, based on the sheer number of attempts, always from a different IP address...I guess they could be spoofing their IP address, but that'd be pretty pointless, wouldn't it be? They'd never get any responses from my server. Does the TCP implement any type of handshaking at all? If not, maybe they could be flying blind. For example, spoof their IP, try sending an exploit to my server, assume the exploit was successful, have the exploit open port 2323, try connecting to port 2323, etc.
Is that possible at all or no?
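The question in the post above, whether TCP has any handshaking and whether a scanner could work "blind" from a spoofed address, comes down to the three-way handshake. The following is an added example, not code from this thread: a toy model of RFC 793 connection setup in which the server's SYN-ACK, carrying its randomly chosen initial sequence number, is delivered to whatever address was in the SYN, so a sender that forged its source never sees it and cannot produce the final ACK. The class and function names (Server, Network, honest_connect, spoofed_connect) and the constructed addresses are this example's own.

```python
"""Toy model of the TCP three-way handshake, showing why a SYN sent from a
forged source address cannot become an established connection.  Added
example using plain dicts instead of sockets; not the thread's code."""
import secrets
from collections import defaultdict

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


class Server:
    """Listening host.  A SYN puts the peer in `half_open` (SYN_RECEIVED);
    only an ACK carrying our ISN + 1 moves it to `established`."""

    def __init__(self, isn_source=None):
        # ISN generator is injectable so a test can be deterministic; real
        # stacks use an unpredictable ISN (RFC 6528), modelled by secrets.
        self.isn_source = isn_source or (lambda: secrets.randbelow(MOD))
        self.half_open = {}       # (client_ip, client_port) -> our ISN
        self.established = set()

    def recv_syn(self, src_ip, src_port, client_isn):
        isn = self.isn_source()
        self.half_open[(src_ip, src_port)] = isn
        # The SYN-ACK is addressed to the SRC of the SYN, whoever really sent it.
        return {"to": src_ip, "port": src_port,
                "seq": isn, "ack": (client_isn + 1) % MOD}

    def recv_ack(self, src_ip, src_port, ack):
        key = (src_ip, src_port)
        isn = self.half_open.get(key)
        if isn is None or ack != (isn + 1) % MOD:
            return False          # no SYN on record, or wrong ISN: dropped
        del self.half_open[key]
        self.established.add(key)
        return True


class Network:
    """Delivers each segment to the inbox of the address it is sent to."""

    def __init__(self):
        self.inboxes = defaultdict(list)

    def deliver(self, segment):
        self.inboxes[segment["to"]].append(segment)


def honest_connect(server, net, my_ip, my_port=40000):
    """Client that really owns my_ip: it receives the SYN-ACK and can ACK it."""
    net.deliver(server.recv_syn(my_ip, my_port, client_isn=1000))
    synack = net.inboxes[my_ip][-1]
    return server.recv_ack(my_ip, my_port, (synack["seq"] + 1) % MOD)


def spoofed_connect(server, net, spoofed_ip, sender_ip, port=40000):
    """Sender that forged spoofed_ip in its SYN.  The SYN-ACK goes to the
    forged address, the sender's own inbox stays empty, and the best it can
    do is guess the server's ISN (one chance in 2^32 with a random ISN)."""
    net.deliver(server.recv_syn(spoofed_ip, port, client_isn=1000))
    seen = net.inboxes[sender_ip]
    guess = (seen[-1]["seq"] + 1) % MOD if seen else 0
    return server.recv_ack(spoofed_ip, port, guess)


if __name__ == "__main__":
    srv, net = Server(), Network()
    print("honest client connected:", honest_connect(srv, net, "203.0.113.10"))
    print("spoofed sender connected:",
          spoofed_connect(srv, net, "198.51.100.5", "203.0.113.77"))
    print("half-open entries left behind by the spoofed SYN:", len(srv.half_open))
```

Note the last line of the demo: the forged SYN still leaves a half-open entry on the server. That per-SYN cost, multiplied across many forged sources, is what a SYN flood exhausts, and it is why Linux has SYN cookies (net.ipv4.tcp_syncookies) so the listener can avoid keeping state until a valid ACK arrives. For the probes in this thread the relevant point is the other direction: a scanner that wants a banner, a login prompt or any reply at all has to send from an address it can actually receive on, which is why the blocked sources are real, different hosts rather than forged ones.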
Re: Website, CSF, and lots of attacks.
I had this one that said they are from Microsoft and all my accounts were being scanned and credits were compromised. It told me that there was a virus and to call a 1-800 number to correct the problem. If I closed the window I would not be able to use my machine. This was on Firefox, Internet Explorer and Google Chrome. It took me a while to get rid of it. The final thing is I had to increase security levels on my router and computer. Of course this then slows the computer on the internet.
Last edited by keeney123; 09-23-2016, 11:25 AM.
Re: Website, CSF, and lots of attacks.
There's also lots of viruses that infect servers and home computers and join botnets (for mass email spam, mass flood of servers for ransom as in send bitcoin here and we'll stop ddos-ing your servers) and these automatically scan ip ranges to detect other computers and then try to infect them through known vulnerabilities.
Probably some of those viruses know of some vulnerabilities on a particular version of telnet server app and try to detect if your server runs it.
Last edited by mariushm; 09-23-2016, 03:07 AM.
Re: Website, CSF, and lots of attacks.
Originally posted by stj:
a crawler would only try one port if it's well written and try a lot of IPs
if it tried to walk through all the port numbers it would trip firewalls and be blocked instantly - by only trying one port each pass, it avoids that.
These TCP port 23's have been going on for a long time now, since I set up CSF. They've just recently increased in frequency. That worried me a little.
Re: Website, CSF, and lots of attacks.
a crawler would only try one port if it's well written and try a lot of IPs
if it tried to walk through all the port numbers it would trip firewalls and be blocked instantly - by only trying one port each pass, it avoids that.
Re: Website, CSF, and lots of attacks.
For the port 2323 / 23 stuff? Or the SSH stuff?
What do you mean by indexing tool? Kinda like a web crawler (like what Google might use) but recording open ports? I'd think if that was the case, they'd be trying more than just port 23 and 2323.
I'm starting to think the 23 / 2323 thing isn't so much an attack, just some misconfigured service or something. I mean if it was an attack, why just those two ports? My server blocks them after a certain number of attempts. They are permanently banned and cannot connect again. Do you think maybe they're trying to bring down my server with some sort of simple DDoS? Connect, get banned, connect from another IP address, get banned, do it enough, fill up enough memory...
Re: Website, CSF, and lots of attacks.
it could have been an indexing tool.
either private scum (Israeli / NSA / GCHQ etc)
or something like shodan.
https://www.shodan.io/
Re: Website, CSF, and lots of attacks.
Originally posted by Uniballer:
Most attacks are run from scripts that try the same attacks endlessly on any IP address and TCP/UDP ports they can connect to. Telnet is normally on port 23, and some people are known to run a telnet server at port 2323 (although nobody should be using telnet for remote access anymore), just as HTTP normally runs on port 80, and some people run an HTTP server at 8080. These "attacks" you are seeing are just probes looking for known weaknesses so they can start a real attack. It's just Internet life in 2016.
I generally find that after setting up a new server the first probes will find it and start looking for weaknesses within an hour.
One of these days, if they keep trying, they'll probably find a way in. Sooner or later, I'm sure something will be exploitable. My provider isn't the best and I'm running an outdated version of CentOS. I'd love something a bit newer, you know? Maybe one of these days I'll switch to someone else.
Reverse DNS pointers, for instance, I cannot set them up. Kinda sucks. I thought I'd have control over that, but they run some custom anti-mass-mailing program or something and everything goes through their relay or whatever you want to call it. I guess that's why I cannot have reverse DNS pointer records set up.
Re: Website, CSF, and lots of attacks.
Originally posted by stj:
they probably aren't from china, china is under 24/7 flood attack by some western government.
makes it a right pain in the ass to download large files from chinese servers!
most likely it's coming out of the u.s. or israel and being proxied a few times.
as for what they are looking for - maybe they are looking for "internet of shit" / dedicated devices.
Re: Website, CSF, and lots of attacks.
Most attacks are run from scripts that try the same attacks endlessly on any IP address and TCP/UDP ports they can connect to. Telnet is normally on port 23, and some people are known to run a telnet server at port 2323 (although nobody should be using telnet for remote access anymore), just as HTTP normally runs on port 80, and some people run an HTTP server at 8080. These "attacks" you are seeing are just probes looking for known weaknesses so they can start a real attack. It's just Internet life in 2016.
I generally find that after setting up a new server the first probes will find it and start looking for weaknesses within an hour.
Re: Website, CSF, and lots of attacks.
they probably aren't from china, china is under 24/7 flood attack by some western government.
makes it a right pain in the ass to download large files from chinese servers!
most likely it's coming out of the u.s. or israel and being proxied a few times.
as for what they are looking for - maybe they are looking for "internet of shit" / dedicated devices.
Re: Website, CSF, and lots of attacks.
Oh, here's one from China:
Code:
Time: Wed Sep 21 17:19:59 2016 -0400
IP: 119.142.214.95 (CN/China/-)
Hits: 6
Blocked: Permanent Block
Sample of block hits:
Sep 21 17:18:17 franklin kernel: [60435227.564237] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
Sep 21 17:18:48 franklin kernel: [60435258.794419] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
Sep 21 17:19:05 franklin kernel: [60435275.934858] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
Sep 21 17:19:41 franklin kernel: [60435312.039721] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
Sep 21 17:19:44 franklin kernel: [60435315.001672] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
Sep 21 17:19:54 franklin kernel: [60435324.471412] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=2323 WINDOW=60614 RES=0x00 SYN URGP=0
EDIT: It seems I might have forgotten to check my e-mail for a day or two. Been so busy, I guess I didn't realize it. I'd still like to know why soooo many people are trying to connect to port 23 or 2323. I wonder what was running on this IP before I obtained it. I figure since I've had it for like a year now, people would know the domain belongs to someone else now. I still get 404's in the logs for a Jet Li video. The Jet Li stuff was like 6 years ago!!!! Maybe old search engines or something that haven't updated their crawling database?
Last edited by Spork Schivago; 09-22-2016, 10:00 AM.
Website, CSF, and lots of attacks.
Hello,
I have a domain and a virtual private server. I've noticed an increasing number of port scans detected by ConfigServer Firewall. For example, yesterday, there were about 40 e-mails from CSF. Today, 116. They're all from different companies, like Ukraine, Mexico, Brazil, Pakistan, etc.
For example, here's one from Pakistan:
Code:
Sep 22 06:09:22 franklin kernel: [60481528.708196] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:09:26 franklin kernel: [60481532.850047] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:09:46 franklin kernel: [60481553.078695] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:10:11 franklin kernel: [60481577.312413] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:10:31 franklin kernel: [60481597.490389] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:10:34 franklin kernel: [60481600.893815] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Code:
Time: Thu Sep 22 05:58:15 2016 -0400
IP: 14.148.236.121 (CN/China/-)
Hits: 6
Blocked: Permanent Block
Sample of block hits:
Sep 22 05:57:41 franklin kernel: [60480827.524481] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=18515 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 05:57:46 franklin kernel: [60480832.454751] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 05:57:49 franklin kernel: [60480835.343203] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 05:57:50 franklin kernel: [60480835.628279] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 05:58:08 franklin kernel: [60480853.638766] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=18389 DPT=2323 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 05:58:10 franklin kernel: [60480856.579357] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=25257 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
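The alert e-mails quoted in this post and in the Sep 21 post further up are netfilter log lines that CSF forwards, and they already answer the thread's questions (how many distinct sources, which ports, whether the same source keeps coming back) if they are parsed rather than counted by mailbox. The following is an added example, not code from this thread or from CSF: it parses that line format and summarises it per source and per destination port. The sample lines are constructed in the same format with RFC 5737 documentation addresses, not the thread's real sources; the block threshold is a parameter, since the alerts show "Hits: 6" but not the CSF setting behind it; and the constant-IP-ID check is a heuristic of this example's own.

```python
"""Parse netfilter "Firewall: *TCP_IN Blocked*" lines of the kind CSF quotes
in its alert e-mails and summarise them per source address and port.
Added example; the sample below is constructed in that format with RFC 5737
documentation addresses and is not the thread's own log data."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Sep 22 06:09:22 franklin kernel: [60481528.708196] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:09:26 franklin kernel: [60481532.850047] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:09:46 franklin kernel: [60481553.078695] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=2323 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:10:02 franklin kernel: [60481568.100000] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=18515 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 06:10:05 franklin kernel: [60481571.200000] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43933 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 06:11:00 franklin kernel: [60481626.000000] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.9 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=1 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# syslog prefix, kernel uptime stamp, then the netfilter key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*[\d.]+\] Firewall: \*(?P<chain>\w+) Blocked\* (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # \S* because OUT= is legitimately empty


def parse_line(line):
    """Return a dict for one blocked-packet line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    flags = {tok for tok in rest.split() if "=" not in tok}  # SYN, ACK, ...

    def as_int(key):
        return int(fields[key]) if key in fields else None

    return {
        "ts": m.group("ts"), "chain": m.group("chain"),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": as_int("SPT"), "dpt": as_int("DPT"),
        "ttl": as_int("TTL"), "ip_id": as_int("ID"),
        "syn": "SYN" in flags,
    }


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def hits_per_source(records):
    """Blocked packets per source, the figure the CSF alert reports as Hits."""
    return Counter(r["src"] for r in records)


def sources_per_port(records):
    """Distinct sources per destination port.  Many sources on one or two ports
    is the shape of a mass scan, not of one host walking a single target."""
    ports = defaultdict(set)
    for r in records:
        ports[r["dpt"]].add(r["src"])
    return {port: sorted(srcs) for port, srcs in ports.items()}


def sources_over_limit(records, limit):
    """Sources whose hit count reached `limit` (a parameter: the thread shows
    Hits: 6 but not the CSF setting that produced the permanent block)."""
    return sorted(src for src, n in hits_per_source(records).items() if n >= limit)


def constant_ip_id_sources(records):
    """Heuristic: a source whose every blocked packet carries the same IP ID
    is sending one pre-built packet repeatedly rather than letting an OS stack
    retransmit, which assigns a fresh ID per datagram.  Typical of scanners."""
    ids, counts = defaultdict(set), Counter()
    for r in records:
        ids[r["src"]].add(r["ip_id"])
        counts[r["src"]] += 1
    return sorted(src for src in ids if counts[src] > 1 and len(ids[src]) == 1)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hits per source:", dict(hits_per_source(recs)))
    print("sources per port:", sources_per_port(recs))
    print("at or over limit 3:", sources_over_limit(recs, 3))
    print("constant IP ID (likely scanner):", constant_ip_id_sources(recs))
```

Run against the real /var/log/messages (or whatever file CSF's LF tracking reads on the server) instead of SAMPLE_LOG, sources_per_port answers the "why just those two ports" question directly: a long list of distinct sources under 23 and 2323 and almost nothing elsewhere is a distributed scan for those services, while a single source under many ports would be one host probing the server. The two alerts quoted in the thread also show the pattern the constant-IP-ID heuristic looks for, the same ID value on every one of the six hits from a source.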