
Website, CSF, and lots of attacks.


  • Spork Schivago
    replied
    Re: Website, CSF, and lots of attacks.

    Originally posted by keeney123
    I had this one that said they are from Microsoft and all my accounts were being scanned and credits were compromised. It told me that there was a virus and to call a 1-800 number to correct the problem. If I closed the window I would not be able to use my machine. This was on Firefox, Internet Explorer and Google Chrome. It took me a while to get rid of it. The final thing is I had to increase security levels on my router and computer. Of course this then slows the computer on the internet.
    Those things can be a bit nasty. I've run across one that took advantage of some vulnerability in some browser. It prevented me from closing the window. I just CTRL-ALT-DELETE'd and ended the browser. Then, when I restarted the browser, I very quickly just closed the tab that was loading the bad stuff.



  • Spork Schivago
    replied
    Re: Website, CSF, and lots of attacks.

    Originally posted by mariushm
    There's also lots of viruses that infect servers and home computers and join botnets (for mass email spam, mass flood of servers for ransom as in send bitcoin here and we'll stop ddos-ing your servers) and these automatically scan ip ranges to detect other computers and then try to infect them through known vulnerabilities.

    Probably some of those viruses know of some vulnerabilities on a particular version of telnet server app and try to detect if your server runs it.
    Okay. So, do you think they're just constantly scanning that port every day in case I finally set up a telnet server or something?

    I'd have to say it's some sort of botnet, based on the sheer number of attempts, always from a different IP address... I guess they could be spoofing their IP address, but that'd be pretty pointless, wouldn't it be? They'd never get any responses from my server. Does TCP implement any type of handshaking at all? If not, maybe they could be flying blind. For example, spoof their IP, try sending an exploit to my server, assume the exploit was successful, have the exploit open port 2323, try connecting to port 2323, etc.

    Is that possible at all or no?

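The handshake question raised in the post above, worked through as an added example (not code from the thread or from CSF). TCP does handshake: the server answers a SYN with a SYN-ACK carrying a fresh 32-bit initial sequence number (ISN), and it only opens the connection when the final ACK acknowledges that ISN+1. A sender that forges its source address never receives the SYN-ACK, because the reply is routed to the forged address, so it would have to guess the ISN blindly (one chance in 2^32 per attempt; Linux derives ISNs from a keyed hash plus a clock per RFC 6528, so they are not predictable). And no payload can be delivered at all until the handshake completes, which is why the "exploit blindly, then connect to 2323" plan does not work against a TCP listener. The entries in the thread's logs are lone SYNs that CSF drops before any reply leaves the box. The toy listener, the network that delivers replies only to the real owner of an address, and all IPs below are constructed for the example; the ISN source is injectable purely so a fixed ISN can show that success requires knowing it.

```python
import secrets

MASK32 = 0xFFFFFFFF
ATTACKER_IP = "203.0.113.66"   # constructed: the host that actually sends the packets
SPOOFED_IP = "198.51.100.7"    # constructed: the forged source address the attacker writes
CLIENT_IP = "192.0.2.44"       # constructed: an honest client using its own address


class TcpListener:
    """Toy model of the server side of the three-way handshake (RFC 793):
    SYN -> SYN-ACK with a fresh 32-bit ISN -> ACK must acknowledge ISN+1,
    otherwise nothing is established. isn_source is injectable so a test can
    pin the ISN; the default is unpredictable, like a real stack."""

    def __init__(self, isn_source=lambda: secrets.randbits(32)):
        self.isn_source = isn_source
        self.half_open = {}       # (src_ip, src_port) -> server ISN
        self.established = set()  # (src_ip, src_port) pairs that completed the handshake

    def on_syn(self, src_ip, src_port, client_isn):
        isn = self.isn_source()
        self.half_open[(src_ip, src_port)] = isn
        # The SYN-ACK is addressed to the IP header's source, whoever really owns it.
        return {"to": src_ip, "seq": isn, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack != (isn + 1) & MASK32:
            return False          # a real stack answers with RST; no connection exists
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


class Network:
    """Delivers a packet only to the host that owns its destination IP."""

    def __init__(self, owners):
        self.owners = owners      # ip -> host name

    def deliver(self, pkt, to_host):
        return pkt if self.owners.get(pkt["to"]) == to_host else None


NET = Network({CLIENT_IP: "client", SPOOFED_IP: "victim", ATTACKER_IP: "attacker"})


def honest_connect(server, net, client_ip=CLIENT_IP, client_port=40000):
    """The client uses its real address, so it receives the SYN-ACK and can echo ISN+1."""
    synack = net.deliver(server.on_syn(client_ip, client_port, secrets.randbits(32)), "client")
    return server.on_ack(client_ip, client_port, (synack["seq"] + 1) & MASK32)


def spoofed_connect(server, net, isn_guess, attacker_port=40001):
    """The attacker forges SPOOFED_IP. The SYN-ACK goes to that address's real owner,
    so the attacker must produce ISN+1 without ever having seen the ISN."""
    synack = net.deliver(server.on_syn(SPOOFED_IP, attacker_port, 0), "attacker")
    if synack is not None:
        raise RuntimeError("the network must not hand a spoofed reply to the attacker")
    return server.on_ack(SPOOFED_IP, attacker_port, (isn_guess + 1) & MASK32)


if __name__ == "__main__":
    srv = TcpListener()
    print("honest client established:", honest_connect(srv, NET))
    print("blind spoof established:  ", spoofed_connect(srv, NET, isn_guess=0))
    print("chance per blind guess: 1 in", 2 ** 32)
```

Run it and the honest client connects while the spoofed one does not; the only way the spoofed path succeeds is with the server's exact ISN, which is what the injectable ISN source lets you demonstrate.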


  • keeney123
    replied
    Re: Website, CSF, and lots of attacks.

    I had this one that said they are from Microsoft and all my accounts were being scanned and credits were compromised. It told me that there was a virus and to call a 1-800 number to correct the problem. If I closed the window I would not be able to use my machine. This was on Firefox, Internet Explorer and Google Chrome. It took me a while to get rid of it. The final thing is I had to increase security levels on my router and computer. Of course this then slows the computer on the internet.
    Last edited by keeney123; 09-23-2016, 11:25 AM.



  • mariushm
    replied
    Re: Website, CSF, and lots of attacks.

    There's also lots of viruses that infect servers and home computers and join botnets (for mass email spam, mass flood of servers for ransom as in send bitcoin here and we'll stop ddos-ing your servers) and these automatically scan ip ranges to detect other computers and then try to infect them through known vulnerabilities.

    Probably some of those viruses know of some vulnerabilities on a particular version of telnet server app and try to detect if your server runs it.
    Last edited by mariushm; 09-23-2016, 03:07 AM.



  • Spork Schivago
    replied
    Re: Website, CSF, and lots of attacks.

    Originally posted by stj
    a crawler would only try one port if it's well written, and try a lot of IPs
    if it tried to walk through all the port numbers it would trip firewalls and be blocked instantly - by only trying one port each pass, it avoids that.
    Yeah, I believe crawlers are just for HTTP / HTTPS stuff, right? Is an indexer one that does one port each pass? Maybe try a port, wait a day, try another port, wait a day, etc?

    These TCP port 23's have been going on for a long time now, since I set up CSF. They've just recently increased in frequency. That worried me a little.



  • stj
    replied
    Re: Website, CSF, and lots of attacks.

    a crawler would only try one port if it's well written, and try a lot of IPs
    if it tried to walk through all the port numbers it would trip firewalls and be blocked instantly - by only trying one port each pass, it avoids that.



  • Spork Schivago
    replied
    Re: Website, CSF, and lots of attacks.

    For the port 2323 / 23 stuff? Or the SSH stuff?

    What do you mean by indexing tool? Kinda like a web crawler (like what Google might use) but recording open ports? I'd think if that was the case, they'd be trying more than just port 23 and 2323.

    I'm starting to think the 23 / 2323 thing isn't so much an attack, just some misconfigured service or something. I mean if it was an attack, why just those two ports? My server blocks them after a certain number of attempts. They are permanently banned and cannot connect again. Do you think maybe they're trying to bring down my server with some sort of simple DDoS? Connect, get banned, connect from another IP address, get banned, do it enough, fill up enough memory...



  • stj
    replied
    Re: Website, CSF, and lots of attacks.

    it could have been an indexing tool.
    either private scum (Israeli / NSA / GCHQ etc)

    or something like shodan.
    https://www.shodan.io/



  • Spork Schivago
    replied
    Re: Website, CSF, and lots of attacks.

    Originally posted by Uniballer
    Most attacks are run from scripts that try the same attacks endlessly on any IP address and TCP/UDP ports they can connect to. Telnet is normally on port 23, and some people are known to run a telnet server at port 2323 (although nobody should be using telnet for remote access anymore), just as HTTP normally runs on port 80, and some people run an HTTP server at 8080. These "attacks" you are seeing are just probes looking for known weaknesses so they can start a real attack. It's just Internet life in 2016.

    I generally find that after setting up a new server the first probes will find it and start looking for weaknesses within an hour.
    I figured it was a script as well. I've seen some people try running an SSH brute force attack. Before I had security software set up, one person was flooding my logs trying a brute force SSH attack, but he was connecting to a closed port. Must not have been very intelligent. I figured one of those script kiddies.

    One of these days, if they keep trying, they'll probably find a way in. Sooner or later, I'm sure something will be exploitable. My provider isn't the best and I'm running an outdated version of CentOS. I'd love something a bit newer, you know? Maybe one of these days I'll switch to someone else.

    Reverse DNS pointers, for instance, I cannot set them up. Kinda sucks. I thought I'd have control over that, but they run some custom anti-mass-mailing program or something and everything goes through their relay or whatever you want to call it. I guess that's why I cannot have reverse DNS pointer records setup.



  • Spork Schivago
    replied
    Re: Website, CSF, and lots of attacks.

    Originally posted by stj
    they probably aren't from china, china is under 24/7 flood attack by some western government.
    makes it a right pain in the ass to download large files from chinese servers!

    most likely it's coming out of the u.s. or israel and being proxied a few times.
    as for what they are looking for - maybe they are looking for "internet of shit" / dedicated devices.
    I figured it was being proxied. I thought it was coming from the same person / group / whatever. I mean I'm sure there's a few that are just random people, but the majority of them are all TCP port 23. There's a few that start with 2323 or end in 2323, but even in them, minus that one 2323 port, the rest from that IP are 23. Almost like it's a script and someone had a typo and accidentally put in port 2323 instead of 23. Maybe they're trying some sort of brute force telnet attack (although I don't have a telnet server set up).



  • Uniballer
    replied
    Re: Website, CSF, and lots of attacks.

    Most attacks are run from scripts that try the same attacks endlessly on any IP address and TCP/UDP ports they can connect to. Telnet is normally on port 23, and some people are known to run a telnet server at port 2323 (although nobody should be using telnet for remote access anymore), just as HTTP normally runs on port 80, and some people run an HTTP server at 8080. These "attacks" you are seeing are just probes looking for known weaknesses so they can start a real attack. It's just Internet life in 2016.

    I generally find that after setting up a new server the first probes will find it and start looking for weaknesses within an hour.



  • stj
    replied
    Re: Website, CSF, and lots of attacks.

    they probably aren't from china, china is under 24/7 flood attack by some western government.
    makes it a right pain in the ass to download large files from chinese servers!

    most likely it's coming out of the u.s. or israel and being proxied a few times.
    as for what they are looking for - maybe they are looking for "internet of shit" / dedicated devices.



  • Spork Schivago
    replied
    Re: Website, CSF, and lots of attacks.

    Oh, here's one from China:
    Code:
    Time:  Wed Sep 21 17:19:59 2016 -0400
    IP:   119.142.214.95 (CN/China/-)
    Hits:  6
    Blocked: Permanent Block
    
    Sample of block hits:
    Sep 21 17:18:17 franklin kernel: [60435227.564237] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
    Sep 21 17:18:48 franklin kernel: [60435258.794419] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
    Sep 21 17:19:05 franklin kernel: [60435275.934858] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
    Sep 21 17:19:41 franklin kernel: [60435312.039721] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
    Sep 21 17:19:44 franklin kernel: [60435315.001672] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=23 WINDOW=60614 RES=0x00 SYN URGP=0
    Sep 21 17:19:54 franklin kernel: [60435324.471412] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=119.142.214.95 DST=104.238.117.105 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=28970 PROTO=TCP SPT=26132 DPT=2323 WINDOW=60614 RES=0x00 SYN URGP=0
    Notice how it's TCP DPT 23 again, except for the last one, DPT 2323.

    EDIT: It seems I might have forgotten to check my e-mail for a day or two. Been so busy, I guess I didn't realize it. I'd still like to know why soooo many people are trying to connect to port 23 or 2323. I wonder what was running on this IP before I obtained it. I figure since I've had it for like a year now, people would know the domain belongs to someone else now. I still get 404's in the logs for a Jet Li video. The Jet Li stuff was like 6 years ago!!!! Maybe old search engines or something that haven't updated their crawling database?
    Last edited by Spork Schivago; 09-22-2016, 10:00 AM.



  • Spork Schivago
    started a topic Website, CSF, and lots of attacks.

    Website, CSF, and lots of attacks.

    Hello,

    I have a domain and a virtual private server. I've noticed an increasing number of port scans detected by ConfigServer Firewall. For example, yesterday, there were about 40 e-mails from CSF. Today, 116. They're all from different companies, like Ukraine, Mexico, Brazil, Pakistan, etc.

    For example, here's one from Pakistan:
    Code:
    Sep 22 06:09:22 franklin kernel: [60481528.708196] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Sep 22 06:09:26 franklin kernel: [60481532.850047] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Sep 22 06:09:46 franklin kernel: [60481553.078695] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Sep 22 06:10:11 franklin kernel: [60481577.312413] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Sep 22 06:10:31 franklin kernel: [60481597.490389] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Sep 22 06:10:34 franklin kernel: [60481600.893815] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=182.184.82.253 DST=132.148.11.44 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
    Here's one from China:
    Code:
    Time:  Thu Sep 22 05:58:15 2016 -0400
    IP:   14.148.236.121 (CN/China/-)
    Hits:  6
    Blocked: Permanent Block
    
    Sample of block hits:
    Sep 22 05:57:41 franklin kernel: [60480827.524481] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=18515 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
    Sep 22 05:57:46 franklin kernel: [60480832.454751] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
    Sep 22 05:57:49 franklin kernel: [60480835.343203] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
    Sep 22 05:57:50 franklin kernel: [60480835.628279] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=29503 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
    Sep 22 05:58:08 franklin kernel: [60480853.638766] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=18389 DPT=2323 WINDOW=10289 RES=0x00 SYN URGP=0
    Sep 22 05:58:10 franklin kernel: [60480856.579357] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:18:51:1a:39:f2:00:26:98:08:34:c1:08:00 SRC=14.148.236.121 DST=132.148.11.44 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=25257 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
    I see a lot of them that have TCP protocol and a destination port of 23. As I'm sure you all probably know, TCP port 23 is generally the telnet port. I have nothing running on port 23. Any ideas why sooooo many people are trying to connect to this port? From Brazil, they first try to connect to port 2323 and then to port 23. Every time someone from Brazil tries connecting, they try connecting to port 2323 first and then 23. I think maybe they're all from the same person or something. Any suggestions?
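An added example, not code from the thread or from CSF, that parses the `Firewall: *TCP_IN Blocked*` kernel log format shown in the posts above and answers the two questions the thread keeps circling: which ports each source actually touched, in what order (the "2323 then 23" pattern), and whether a source looks like a port scan or a single-service probe, which is the distinction stj draws about well-written scanners hitting one port across many IPs. The sample lines are constructed in the same format with RFC 5737 documentation addresses, not the IPs from the original posts; the block threshold of 6 hits is assumed from the "Hits: 6" in the CSF emails rather than read from csf.conf, and the five-distinct-ports cutoff for calling something a port scan is likewise an assumed value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the iptables/CSF "Firewall: *TCP_IN Blocked*" format from the thread.
# Addresses are RFC 5737 documentation ranges, not the IPs from the original posts.
SAMPLE_LOG = """\
Sep 22 06:09:22 franklin kernel: [60481528.708196] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:09:26 franklin kernel: [60481532.850047] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:09:46 franklin kernel: [60481553.078695] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:10:11 franklin kernel: [60481577.312413] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:10:31 franklin kernel: [60481597.490389] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=23 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:10:34 franklin kernel: [60481600.893815] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=47797 PROTO=TCP SPT=1297 DPT=2323 WINDOW=26683 RES=0x00 SYN URGP=0
Sep 22 06:12:01 franklin kernel: [60481687.104422] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=18389 DPT=2323 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 06:12:03 franklin kernel: [60481689.579357] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=43932 PROTO=TCP SPT=25257 DPT=23 WINDOW=10289 RES=0x00 SYN URGP=0
Sep 22 06:13:40 franklin kernel: [60481786.220011] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.200 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=9001 PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 22 06:13:41 franklin systemd: Started Session 12 of user root.
"""

# One regex for the kernel log line: syslog timestamp, host, kernel uptime, CSF chain name,
# then the netfilter key=value fields we care about (lazy .*? skips the ones we do not).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*[\d.]+\] Firewall: \*(?P<chain>\w+) Blocked\* .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields of one CSF/iptables block line, or None for any other log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec


def summarize(lines, block_threshold=6, portscan_ports=5):
    """Group blocked packets by source IP.  block_threshold is assumed from the 'Hits: 6'
    in the thread's CSF emails; portscan_ports is the assumed number of distinct destination
    ports at which a source counts as a port scan rather than a single-service probe."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_src[rec["src"]].append(rec["dpt"])
    out = {}
    for src, dports in per_src.items():
        distinct = set(dports)
        out[src] = {
            "hits": len(dports),
            "dports": dports,                     # arrival order, so "2323 then 23" is visible
            "blocked": len(dports) >= block_threshold,
            "kind": ("portscan" if len(distinct) >= portscan_ports
                     else "telnet-probe" if distinct <= {23, 2323}
                     else "single-service-probe"),
        }
    return out


def port_histogram(lines):
    """How often each destination port was hit across all sources."""
    return dict(Counter(r["dpt"] for r in map(parse_line, lines) if r is not None))


def telnet_probes(summary):
    """Sources that only ever touched 23 and/or 2323, sorted for stable output."""
    return sorted(src for src, s in summary.items() if s["kind"] == "telnet-probe")


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, s in summarize(lines).items():
        print(f"{src:16} hits={s['hits']} ports={s['dports']} kind={s['kind']} blocked={s['blocked']}")
    print("port histogram:", port_histogram(lines))
    print("telnet-only sources:", telnet_probes(summarize(lines)))
```

Pointing this at the real file CSF logs to (`/var/log/messages` or `/var/log/kern.log`, depending on the distribution) gives the same histogram view: when 23 and 2323 dominate and each source touches only those, the traffic is a single-service sweep for telnet, not a port scan of the host, which is exactly why a per-source port-count rule never fires on it.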