authorunknown 2 Posted May 2, 2014

I am currently experiencing Port Scanning attacks from some of my domains about 5 minutes after establishing an FTP connection. My hosting provider is shifting the blame (of course) to an ESET misconfiguration. This is not the issue, as I have other hosting providers with almost identical configurations and no issue. I have other domains on other IPs with this host and similar configuration and no issue. I am now documenting which specific ones have the issues and which ones do not. So far all attacks originate from domains that are using WordPress from varied versions and varied configurations with 2 separate IP addresses. Has anybody heard of anything like this? Is there a way to scan for the origin of this issue on a shared hosting environment?

Administrators Marcos 4,919 Posted May 2, 2014

You can exclude the IP address 192.185.146.250 from IDS by ticking "Do not notify me again" and clicking "Stop blocking". Not sure what that device is, but apparently it searches for open ports on that computer.

authorunknown 2 Posted May 2, 2014

Alright.... You are saying that I should disregard something that looks like it is probing my system from a remote location when I use FTP to change files on various websites from multiple IP addresses? What is the point of having that feature if we should all just disable it?

Current Log:
------------------
5/2/2014 12:03:35 PM Detected Port Scanning attack 192.185.146.34:28356 192.168.2.103:57862 TCP
5/2/2014 10:31:22 AM Detected Port Scanning attack 192.185.146.37:36410 192.168.2.103:56662 TCP
5/1/2014 9:44:50 AM Detected Port Scanning attack 192.185.146.37:12284 192.168.2.103:52348 TCP
4/30/2014 10:20:30 PM Detected Port Scanning attack 192.185.146.250:20765 192.168.2.103:49208 TCP
4/30/2014 10:02:05 PM Detected Port Scanning attack 192.185.146.250:31634 192.168.2.103:53119 TCP
4/30/2014 11:50:51 AM Detected Port Scanning attack 192.185.146.37:31971 192.168.2.103:52207 TCP
4/30/2014 10:45:38 AM Detected Port Scanning attack 192.185.146.37:47539 192.168.2.103:52123 TCP
4/30/2014 10:19:41 AM Detected Port Scanning attack 192.185.146.37:17832 192.168.2.103:51788 TCP
4/29/2014 8:38:08 AM Detected Port Scanning attack 192.185.146.37:27141 192.168.2.106:57090 TCP
4/29/2014 8:26:44 AM Detected Port Scanning attack 192.185.146.37:32343 192.168.2.106:56761 TCP
4/28/2014 9:26:35 AM Detected Port Scanning attack 192.185.146.37:23036 192.168.2.106:54923 TCP
4/24/2014 3:58:32 PM Detected Port Scanning attack 192.185.146.37:42653 192.168.2.108:59961 TCP
4/24/2014 3:47:41 PM Detected Port Scanning attack 192.185.146.37:32246 192.168.2.108:59787 TCP
4/23/2014 8:23:00 PM Detected Port Scanning attack 192.185.146.37:37167 192.168.2.108:57372 TCP
4/23/2014 8:03:47 PM Detected Port Scanning attack 192.185.146.37:22773 192.168.2.108:57104 TCP
------------------

authorunknown 2 Posted May 2, 2014

<FYI> This issue just started 4/23/2014. Before that I was not having any issue with the same FTP procedure (using Dreamweaver CS6 and no updates to this program for a long time) on the same domain with the same IP. It was then that I started testing other domains and IPs.

Solution authorunknown 2 Posted May 3, 2014

Resolved issue so please archive this if someone asks.... I did some checking and apparently something had changed in either the host or ESET that caused a setting I had in Dreamweaver CS6 for the sites with issues to no longer be an acceptable setting for FTP. I switched on the "Use passive FTP" connection method on the sites that had issues and no more port scans.

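Added example, not part of the original posts: a Python triage of log lines in the format posted above, grouping detections by remote /24 and checking which local ports were hit. In active-mode FTP the server opens the data connection back to a client-chosen ephemeral port, while passive mode has the client connect outbound. The "only ephemeral ports" verdict is an assumed heuristic, and the last sample line is constructed for contrast.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# First four lines copied from the log in the thread; the last is constructed.
SAMPLE_LOG = """\
5/2/2014 12:03:35 PM Detected Port Scanning attack 192.185.146.34:28356 192.168.2.103:57862 TCP
5/2/2014 10:31:22 AM Detected Port Scanning attack 192.185.146.37:36410 192.168.2.103:56662 TCP
4/30/2014 10:20:30 PM Detected Port Scanning attack 192.185.146.250:20765 192.168.2.103:49208 TCP
4/29/2014 8:38:08 AM Detected Port Scanning attack 192.185.146.37:27141 192.168.2.106:57090 TCP
5/2/2014 1:00:00 PM Detected Port Scanning attack 203.0.113.5:40000 192.168.2.103:22 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) Detected Port Scanning attack "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)
EPHEMERAL = range(49152, 65536)  # IANA dynamic range, also the Windows default

def parse(log_text):
    """Yield one dict per line that matches the log format shown in the thread."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "sport": int(m["sport"]), "dport": int(m["dport"])}

def triage(log_text, prefix=24):
    """Group events by remote network and summarise the local ports targeted."""
    groups = defaultdict(list)
    for ev in parse(log_text):
        net = ip_network(f"{ev['src']}/{prefix}", strict=False)
        groups[str(net)].append(ev)
    report = {}
    for net, events in groups.items():
        ports = sorted({e["dport"] for e in events})
        # Assumption: hits only on ephemeral local ports point to inbound data
        # connections (e.g. active-mode FTP), not a sweep of listening services.
        ephemeral_only = all(p in EPHEMERAL for p in ports)
        report[net] = {
            "events": len(events),
            "sources": sorted({e["src"] for e in events}),
            "local_ports": ports,
            "verdict": "likely inbound data connection" if ephemeral_only else "review as scan",
        }
    return report

if __name__ == "__main__":
    for net, summary in triage(SAMPLE_LOG).items():
        print(net, summary)
```

Correlating the timestamps of each group with the FTP client's own session log is the next check before excluding any address from IDS.
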
LocknetSSmith 6 Posted June 6, 2014

Not sure if this will help or not, but in our domain environment, ESET was also detecting port scan attacks. Upon investigation, it was an internal server that was periodically scanning ports. I excluded the IP address of the server and the problem was solved.