LinuxQuestions.org
Old 04-21-2018, 08:25 AM   #1
tfstfs
LQ Newbie
 
Registered: Apr 2018
Posts: 2

Intensive portscans from all over the world


From time to time I am getting firewall notifications about portscans on the server. Sometimes 5-20 messages arrive per day; sometimes there are no messages for weeks or months.

Since yesterday such messages have started arriving every 3-5 minutes: portscans from all over the world (USA, Germany, Italy, Sweden, Japan, Australia, Saudi Arabia, Ecuador, etc.). IP addresses don't repeat.

All messages contain the same port numbers: 2004, 7001, 8080. Is anyone experiencing something like this? What is the purpose of running the same port scans from all over the world?

Thanks.

============================

Code:
Time:    Sat Apr 21 13:48:54 2018 +0100
IP:      165.227.193.20 (US/United States/-)
Hits:    11
Blocked: Temporary Block for 3600 seconds [PS_LIMIT]

Sample of block hits:
Apr 21 13:48:32 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:1c:e6:c7:52:07:40:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=54341 DF PROTO=TCP SPT=45230 DPT=7001 WINDOW=29200 RES=0x00 SYN URGP=0 
Apr 21 13:48:33 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:1c:e6:c7:52:07:40:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=54342 DF PROTO=TCP SPT=45230 DPT=7001 WINDOW=29200 RES=0x00 SYN URGP=0 
Apr 21 13:48:35 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:1c:e6:c7:52:07:40:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=54343 DF PROTO=TCP SPT=45230 DPT=7001 WINDOW=29200 RES=0x00 SYN URGP=0 
Apr 21 13:48:37 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:1c:e6:c7:52:07:40:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=42335 DF PROTO=TCP SPT=57062 DPT=2004 WINDOW=29200 RES=0x00 SYN URGP=0 
Apr 21 13:48:38 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:1c:e6:c7:52:07:40:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=42336 DF PROTO=TCP SPT=57062 DPT=2004 WINDOW=29200 RES=0x00 SYN URGP=0 
Apr 21 13:48:40 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:1c:e6:c7:52:07:40:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=42337 DF PROTO=TCP SPT=57062 DPT=2004 WINDOW=29200 RES=0x00 SYN URGP=0 
Apr 21 13:48:43 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:1c:e6:c7:52:07:40:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=36264 DF PROTO=TCP SPT=46744 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0 
Apr 21 13:48:44 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:1c:e6:c7:52:07:40:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=36265 DF PROTO=TCP SPT=46744 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0 
Apr 21 13:48:46 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:1c:e6:c7:52:07:40:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=36266 DF PROTO=TCP SPT=46744 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0 
Apr 21 13:48:48 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:10:bd:18:e5:ff:80:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=54269 DF PROTO=TCP SPT=48520 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0 
Apr 21 13:48:49 srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:60:6e:69:79:35:10:bd:18:e5:ff:80:08:00 SRC=165.227.193.20 DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=54270 DF PROTO=TCP SPT=48520 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
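
Reading the block notification above the way the firewall does, as an added example that is not part of the original post or of the firewall software: the script parses netfilter LOG lines of the exact format shown, groups blocked TCP SYNs by source, applies a CSF-style PS_LIMIT "hits within seconds" rule, and fingerprints sources whose probed port set is exactly 2004, 7001 and 8080. The eleven 165.227.193.20 entries are rebuilt from the post; the two 198.51.100.7 lines (TEST-NET-2 documentation range), the syslog year and the limit values (10 hits in 300 s) are constructed assumptions, since the notification shows only the outcome.

```python
import re
from collections import defaultdict
from datetime import datetime

# One netfilter LOG line as the firewall writes it. The "Firewall: *TCP_IN Blocked*"
# prefix is whatever --log-prefix the firewall configured (this one is the post's).
LINE_TMPL = ("Apr 21 {ts} srv2 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
             "MAC=08:60:6e:69:79:35:1c:e6:c7:52:07:40:08:00 SRC={src} DST=XXX.XXX.XXX.XXX "
             "LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID={id} DF PROTO=TCP SPT={spt} DPT={dpt} "
             "WINDOW=29200 RES=0x00 SYN URGP=0")

# (time, SRC, IP ID, SPT, DPT): the eleven hits shown in the post, plus two
# constructed lines from 198.51.100.7 that probe SSH once and stay under the limit.
HITS = [
    ("13:48:32", "165.227.193.20", 54341, 45230, 7001),
    ("13:48:33", "165.227.193.20", 54342, 45230, 7001),
    ("13:48:35", "165.227.193.20", 54343, 45230, 7001),
    ("13:48:37", "165.227.193.20", 42335, 57062, 2004),
    ("13:48:38", "165.227.193.20", 42336, 57062, 2004),
    ("13:48:40", "165.227.193.20", 42337, 57062, 2004),
    ("13:48:43", "165.227.193.20", 36264, 46744, 8080),
    ("13:48:44", "165.227.193.20", 36265, 46744, 8080),
    ("13:48:46", "165.227.193.20", 36266, 46744, 8080),
    ("13:48:48", "165.227.193.20", 54269, 48520, 8080),
    ("13:48:49", "165.227.193.20", 54270, 48520, 8080),
    ("13:50:01", "198.51.100.7", 1001, 51000, 22),   # constructed
    ("13:50:02", "198.51.100.7", 1002, 51000, 22),   # constructed
]
SAMPLE_LOG = [LINE_TMPL.format(ts=t, src=s, id=i, spt=sp, dpt=dp) for t, s, i, sp, dp in HITS]

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse_line(line, year=2018):
    """Return the fields we need from one netfilter LOG line, or None if it is not one.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2018 here).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "src": m["src"], "proto": m["proto"],
        "spt": int(m["spt"]), "dpt": int(m["dpt"]),
        "syn": re.search(r"\bSYN\b", m["rest"]) is not None,
    }


def summarize(lines, hit_limit=10, window=300, year=2018):
    """Per-source view of blocked TCP SYNs with a CSF-style PS_LIMIT "hits,seconds" rule.

    A source is flagged when `hit_limit` consecutive SYNs fall within `window`
    seconds. 10 hits in 300 s is an assumed setting, not the poster's.
    """
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line, year)
        if rec and rec["proto"] == "TCP" and rec["syn"]:
            per_src[rec["src"]].append(rec)

    report = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        spans = (recs[i + hit_limit - 1]["ts"] - recs[i]["ts"]
                 for i in range(len(recs) - hit_limit + 1))
        report[src] = {
            "hits": len(recs),
            # Repeated SYNs with the same SPT (IP ID stepping by one, 1 s then 2 s apart)
            # are the kernel retransmitting one connect(); distinct (SPT, DPT) pairs
            # count the connection attempts the scanner actually made.
            "attempts": len({(r["spt"], r["dpt"]) for r in recs}),
            "ports": sorted({r["dpt"] for r in recs}),
            "blocked": any(s.total_seconds() <= window for s in spans),
        }
    return report


def campaign_sources(report, ports=frozenset({2004, 7001, 8080})):
    """Sources whose probed port set is exactly the one every notification in the thread shows."""
    return sorted(src for src, v in report.items() if set(v["ports"]) == ports)


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for src in campaign_sources(rep):
        v = rep[src]
        print(f"{src}: {v['hits']} SYNs = {v['attempts']} connection attempts on "
              f"{v['ports']}, blocked={v['blocked']}")
```

Run against the post's lines, the eleven "hits" collapse to four connection attempts (one each to 7001 and 2004, two to 8080): every SYN was retransmitted twice before the scanner gave up, which is also why the notification arrives seconds after the scan began rather than minutes. Counting attempts rather than packets gives a truer picture of how busy a source really is before deciding block durations.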
 
Old 04-21-2018, 03:46 PM   #2
coralfang
Member
 
Registered: Nov 2010
Location: Bristol, UK
Distribution: Slackware, FreeBSD
Posts: 836
Sounds like an automated botnet scanning for a service running on those open ports.

I just searched and found this article on BleepingComputer, posted yesterday (20th April), which goes on to mention that a particular botnet is actively scanning the ports you mentioned: 2004, 7001, and 8080.

https://www.bleepingcomputer.com/new...vulnerability/


I would assume you're getting scanned by this.
Quote:
A botnet made up of servers and smart devices has begun the mass exploitation of a severe Drupal CMS vulnerability and is using already compromised systems to infect new machines, in a worm-like behavior.

The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.
Quote:
80: Weblogic, Wordpress, Drupal, WebDav, ClipBucket
2004: Webuzo
7001: Weblogic
8080: Wordpress, WebDav, DasanNetwork Solution
 
Old 04-21-2018, 04:13 PM   #3
tfstfs
LQ Newbie
 
Registered: Apr 2018
Posts: 2

Original Poster
Thank you very much for your answer.
Yes, it looks like a botnet. A few hours ago all portscans stopped and I am not getting a single firewall notification anymore.
 
Old 04-21-2018, 09:07 PM   #4
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,324
Remote port scans are a fact of life on the internet and have been for a long, long time. They are one of the reasons firewalls are a good thing.
 
Old 04-22-2018, 06:10 PM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Port-scans are so commonplace that they're not really interesting enough to log. What's troublesome is what comes next.

This is why I protect my systems – as I describe in my blog here – with OpenVPN, using one-of-a-kind digital certificates and tls-auth. According to anything that anyone can see from the outside, the only "open ports" are 80 and 443. OpenVPN itself cannot be detected even if you suspect that it is there ... somewhere.

Unless you possess a valid credential that was issued only to you and that hasn't been revoked, "there's nothing there." (Even so, "further, inner, rings of protection" await those who are allowed to pass.)

Number of unauthorized access attempts: Zero.

Last edited by sundialsvcs; 04-22-2018 at 06:14 PM.
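
The properties the post above relies on (a tls-auth HMAC so the daemon silently drops packets it cannot authenticate, a certificate issued per client, and revocation actually being checked) are each a single OpenVPN server directive, and each is easy to leave out. The following linter is an added example written for this page, not code from the post, its linked blog or the OpenVPN project: it parses a server config and reports which of those directives are missing or weakened, with a constructed weak config beside a hardened one. File names (ta.key, crl.pem), the port and the tunnel network are placeholders.

```python
import re

# Constructed configs for the audit below. WEAK_CONF answers unauthenticated
# packets, accepts any cert the CA ever signed, for ever, from any number of
# machines at once.
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
duplicate-cn
verify-client-cert none
"""

# HARDENED_CONF: every control packet must carry a valid HMAC before the TLS
# stack sees it; one client cert per user, checked against the CRL.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
# server side uses key-direction 0, clients use 1
tls-auth ta.key 0
verify-client-cert require
# peer cert must carry the client EKU, so a server cert cannot log in
remote-cert-tls client
# revoked client certs are rejected at handshake time
crl-verify crl.pem
tls-version-min 1.2
"""


def parse_ovpn(text):
    """Map each directive to the list of argument lists it appears with.

    Handles '#'/';' comment lines and <inline> key blocks, which is all a server
    config needs; quoting and backslash escaping are not modelled.
    """
    found = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                          # skip the body of <tag> ... </tag>
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            found.setdefault(block, []).append(["<inline>"])
            continue
        name, *args = line.split()
        found.setdefault(name, []).append(args)
    return found


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_ovpn(text)
    findings = []
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt: packets without a valid HMAC reach the TLS "
                        "stack, so the server answers unauthenticated probes and the port "
                        "is discoverable")
    if "client-cert-not-required" in d or ["none"] in d.get("verify-client-cert", []):
        findings.append("client certificate not required: holding an issued cert is not the gate")
    if "duplicate-cn" in d:
        findings.append("duplicate-cn: one certificate may be used from several machines at once")
    if "crl-verify" not in d:
        findings.append("no crl-verify: a revoked client certificate keeps working")
    if ["client"] not in d.get("remote-cert-tls", []):
        findings.append("no 'remote-cert-tls client': a certificate issued for a server role "
                        "is also accepted as a client")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['ok']}")
```

The first finding is the one that matters for the scanning discussed in this thread: without tls-auth or tls-crypt, OpenVPN replies to a well-formed client reset packet, so a scanner can tell the port is live; with it, packets failing the HMAC are dropped with no response and the UDP port is indistinguishable from a closed one.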
 
  


All times are GMT -5.
