
Detected Port Scanning attack during FTP with some of my own domains



I am currently experiencing Port Scanning attacks from some of my domains about 5 minutes after establishing an FTP connection.


My hosting provider is shifting the blame (of course) to an Eset misconfiguration. This is not the issue as I have other hosting providers with almost identical configurations and no issue. I have other domains on other IPs with this host and similar configuration and no issue.

I am now documenting which specific ones have the issues and which ones do not. So far all attacks originate from domains that are using WordPress from varied versions and varied configurations with 2 separate IP addresses.

 

Has anybody heard of anything like this? Is there a way to scan for the origin of this issue on a shared hosting environment?
 


  • Administrators

You can exclude the IP address 192.185.146.250 from IDS by ticking "Do not notify me again" and clicking "Stop blocking". Not sure what that device is, but apparently it searches for open ports on that computer.


Alright.... You are saying that I should disregard something that looks like it is probing my system from a remote location when I use FTP to change files on various websites from multiple IP addresses?

What is the point of having that feature if we should all just disable it?

 

Current Log:

------------------

5/2/2014 12:03:35 PM    Detected Port Scanning attack    192.185.146.34:28356    192.168.2.103:57862    TCP            
5/2/2014 10:31:22 AM    Detected Port Scanning attack    192.185.146.37:36410    192.168.2.103:56662    TCP            
5/1/2014 9:44:50 AM    Detected Port Scanning attack    192.185.146.37:12284    192.168.2.103:52348    TCP            
4/30/2014 10:20:30 PM    Detected Port Scanning attack    192.185.146.250:20765    192.168.2.103:49208    TCP            
4/30/2014 10:02:05 PM    Detected Port Scanning attack    192.185.146.250:31634    192.168.2.103:53119    TCP            
4/30/2014 11:50:51 AM    Detected Port Scanning attack    192.185.146.37:31971    192.168.2.103:52207    TCP            
4/30/2014 10:45:38 AM    Detected Port Scanning attack    192.185.146.37:47539    192.168.2.103:52123    TCP            
4/30/2014 10:19:41 AM    Detected Port Scanning attack    192.185.146.37:17832    192.168.2.103:51788    TCP            
4/29/2014 8:38:08 AM    Detected Port Scanning attack    192.185.146.37:27141    192.168.2.106:57090    TCP            
4/29/2014 8:26:44 AM    Detected Port Scanning attack    192.185.146.37:32343    192.168.2.106:56761    TCP            
4/28/2014 9:26:35 AM    Detected Port Scanning attack    192.185.146.37:23036    192.168.2.106:54923    TCP            
4/24/2014 3:58:32 PM    Detected Port Scanning attack    192.185.146.37:42653    192.168.2.108:59961    TCP            
4/24/2014 3:47:41 PM    Detected Port Scanning attack    192.185.146.37:32246    192.168.2.108:59787    TCP            
4/23/2014 8:23:00 PM    Detected Port Scanning attack    192.185.146.37:37167    192.168.2.108:57372    TCP            
4/23/2014 8:03:47 PM    Detected Port Scanning attack    192.185.146.37:22773    192.168.2.108:57104    TCP            
 

------------------


<FYI> This issue just started 4/23/2014. Before that I was not having any issue with the same FTP procedure (using Dreamweaver CS6 and no updates to this program for a long time) on the same domain with the same IP.
It was then that I started testing other domains and IPs.


  • Solution

Resolved issue so please archive this if someone asks.... :)

I did some checking and apparently something had changed in either the host or eset that caused a setting I had in Dreamweaver CS6 for the sites with issues to no longer be an acceptable setting for FTP. I switched on the "Use passive FTP" connection method on the sites that had issues and no more port scans.

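An added example, not part of the original posts and not ESET's or any poster's code: a triage script that parses the log format posted above and checks whether each alert follows an FTP login to the same server, which is the pattern the passive-mode fix points to. The FTP session times, the 10-minute window and the label names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Three rows copied from the log posted in this thread.
ESET_LOG = """\
5/2/2014 12:03:35 PM    Detected Port Scanning attack    192.185.146.34:28356    192.168.2.103:57862    TCP
5/2/2014 10:31:22 AM    Detected Port Scanning attack    192.185.146.37:36410    192.168.2.103:56662    TCP
4/30/2014 10:20:30 PM    Detected Port Scanning attack    192.185.146.250:20765    192.168.2.103:49208    TCP
"""

# Constructed sample (assumption): FTP control connections the client opened,
# as (server IP, start time). In practice, take these from the FTP client's log.
FTP_SESSIONS = [
    ("192.185.146.34", datetime(2014, 5, 2, 11, 58, 10)),
    ("192.185.146.37", datetime(2014, 5, 2, 8, 0, 0)),
]

ROW = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(?P<event>.+?)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s*$"
)

def parse_alerts(text):
    """Turn log rows into dicts; rows that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y %I:%M:%S %p")
        a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
        alerts.append(a)
    return alerts

def classify(alert, sessions, window=timedelta(minutes=10)):
    """Label an alert by whether it closely follows an FTP login to the same server."""
    for server, started in sessions:
        delta = alert["ts"] - started
        if server == alert["src"] and timedelta(0) <= delta <= window and alert["dport"] >= 1024:
            # In active mode the FTP server opens the data connection back to a
            # high port on the client, which a host firewall sees as inbound TCP.
            return "likely-active-ftp-data"
    return "unexplained"

if __name__ == "__main__":
    for a in parse_alerts(ESET_LOG):
        print(a["ts"], a["src"], "->", a["dst"], a["dport"], classify(a, FTP_SESSIONS))
```

Alerts labelled `unexplained` have no matching FTP login and still need investigation before any IDS exclusion is considered.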

  • 1 month later...

Not sure if this will help or not, but in our domain environment, ESET was also detecting port scan attacks. Upon investigation it was an internal server that was periodically scanning ports. I excluded the IP address of the server and the problem was solved.
