Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
From time to time I am getting firewall notifications about portscans on the server. Sometimes 5-20 messages arrive per day, sometimes there are no messages for weeks and months.
Since yesterday such messages started to arrive every 3-5 minutes. Portscans from all over the world - USA, Germany, Italy, Sweden, Japan, Australia, Saudi Arabia, Ecuador etc., etc. IP addresses don't repeat.
All messages contain the same port numbers: 2004, 7001, 8080. Is anyone experiencing something like this? What is the purpose of running the same port scans from all over the world?
Sounds like an automated botnet scanning for a service running on those open ports.
I just searched and found this article on BleepingComputer, posted yesterday (20th April), which goes on to mention that a particular botnet is actively scanning the ports you mentioned: 2004, 7001, and 8080.
A botnet made up of servers and smart devices has begun the mass exploitation of a severe Drupal CMS vulnerability and is using already compromised systems to infect new machines, in a worm-like behavior.
The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.
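The pattern the reply above describes, one fixed set of ports probed from many different source addresses in a short time with no source repeating, can be picked out of firewall logs automatically rather than read off one notification at a time. The script below is an added example and is not code from this thread or from the BleepingComputer article. It assumes iptables-style LOG lines (the SRC=, PROTO= and DPT= fields); the log lines embedded in it are constructed for illustration, and the year used to complete the syslog timestamps (which carry none) is an assumption.

```python
"""Spot a distributed scan of a fixed port set in iptables LOG output.

Added example, not code from the thread.  The sample lines are constructed
in the shape of iptables LOG rule output; addresses and times are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five distinct sources each probe 2004/7001/8080 once,
# one source hammers port 22 twice, one source hits 8080 only, and one
# unrelated sshd line is mixed in to show that non-firewall lines are skipped.
SAMPLE_LOG = """\
Apr 21 10:00:03 srv kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=44122 DPT=2004 SYN
Apr 21 10:00:03 srv kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=44123 DPT=7001 SYN
Apr 21 10:00:03 srv kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=44124 DPT=8080 SYN
Apr 21 10:02:00 srv kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Apr 21 10:02:05 srv kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Apr 21 10:03:12 srv sshd[1234]: Failed password for invalid user admin from 192.0.2.99 port 51236 ssh2
Apr 21 10:04:10 srv kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=39001 DPT=2004 SYN
Apr 21 10:04:10 srv kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=39002 DPT=7001 SYN
Apr 21 10:04:10 srv kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=39003 DPT=8080 SYN
Apr 21 10:05:00 srv kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=60010 DPT=8080 SYN
Apr 21 10:07:51 srv kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=50111 DPT=2004 SYN
Apr 21 10:07:51 srv kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=50112 DPT=7001 SYN
Apr 21 10:07:51 srv kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=50113 DPT=8080 SYN
Apr 21 10:11:02 srv kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41001 DPT=2004 SYN
Apr 21 10:11:02 srv kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41002 DPT=7001 SYN
Apr 21 10:11:02 srv kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41003 DPT=8080 SYN
Apr 21 10:15:39 srv kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.130 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=45221 DPT=2004 SYN
Apr 21 10:15:39 srv kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.130 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=45222 DPT=7001 SYN
Apr 21 10:15:39 srv kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.130 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=45223 DPT=8080 SYN
"""

# Syslog timestamp, then the iptables fields we care about (order as iptables prints them).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text, year=2018):
    """Return (timestamp, src_ip, proto, dport) for every line that matches.

    Syslog lines carry no year; `year` is an assumption supplied by the caller.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an iptables LOG line (e.g. the sshd message above)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["proto"], int(m["dpt"])))
    return events


def find_distributed_scans(events, min_sources=5, window=timedelta(hours=1)):
    """Group sources by the exact set of ports they probed and flag the sets
    that at least `min_sources` distinct sources hit inside any `window`.

    A single scanner walking ports shows up as one source with many ports;
    a botnet spreading the same probe over its members shows up as many
    sources with the identical small port set, each appearing only once.
    """
    hits_by_src = defaultdict(list)  # src -> [(ts, dport), ...]
    for ts, src, _proto, dpt in events:
        hits_by_src[src].append((ts, dpt))

    srcs_by_portset = defaultdict(dict)  # portset -> {src: [ts, ...]}
    for src, hits in hits_by_src.items():
        portset = tuple(sorted({d for _, d in hits}))
        srcs_by_portset[portset][src] = [t for t, _ in hits]

    findings = []
    for portset, srcs in srcs_by_portset.items():
        if len(srcs) < min_sources:
            continue
        # Sliding window over the group's timeline: peak number of distinct sources.
        timeline = sorted((t, s) for s, tss in srcs.items() for t in tss)
        peak = 0
        for i, (t0, _) in enumerate(timeline):
            seen = {s for t, s in timeline[i:] if t - t0 <= window}
            peak = max(peak, len(seen))
        if peak < min_sources:
            continue
        # More events from one source than ports in the set means it came back.
        repeats = any(len(tss) > len(portset) for tss in srcs.values())
        findings.append({
            "ports": portset,
            "sources": sorted(srcs),
            "first_seen": timeline[0][0],
            "last_seen": timeline[-1][0],
            "peak_sources_in_window": peak,
            "sources_repeat": repeats,
        })
    return findings


if __name__ == "__main__":
    for f in find_distributed_scans(parse_log(SAMPLE_LOG), min_sources=5):
        print(f"ports {f['ports']} probed by {len(f['sources'])} sources "
              f"between {f['first_seen']:%H:%M:%S} and {f['last_seen']:%H:%M:%S}; "
              f"sources repeat: {f['sources_repeat']}")
```

Run against a real /var/log/kern.log or journalctl -k export, the two knobs that matter are `min_sources` and `window`: a handful of sources over a day is background noise, dozens of distinct sources within an hour all asking for the same three ports is the campaign the article describes. The `sources_repeat` flag is what separates that from one determined host retrying.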
Thank you very much for your answer.
Yes, it looks like a botnet. A few hours ago all portscans stopped and I am not getting a single firewall notification anymore.
Port-scans are so commonplace that they're not really interesting enough to log. What's troublesome is what comes next.
This is why I protect my systems – as I describe in my blog here – with OpenVPN, using one-of-a-kind digital certificates and tls-auth. According to anything that anyone can see from the outside, the only "open ports" are 80 and 443. OpenVPN itself cannot be detected even if you suspect that it is there ... somewhere.
Unless you possess a valid credential that was issued only to you and that hasn't been revoked, "there's nothing there." (Even so, "further, inner, rings of protection" await those who are allowed to pass.)
Number of unauthorized access attempts: Zero.
Last edited by sundialsvcs; 04-22-2018 at 06:14 PM.