[Snap] Anyone Noticed This?

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › [Snap] Anyone Noticed This?

1 | 2

scottr

262 posts

Ultimate Geek

Trusted

#465036 3-May-2011 22:10

They may not be trying to connect to whatever you're doing, but the ip that you're holding. Personally I wouldn't worry about it, you'll get a lot of this connected to the internet. Turn router firewall on and forget.

AviZ

214 posts

Master Geek
Inactive user

#465038 3-May-2011 22:21

the point im making is no matter what ip my router gets it still happens,

its clearly a port scan of some sort from the realms of irc directed at new zealand ip ranges

the point i guess the more it happens the more data gets used and we as customers have to pay for that.

i will install wireshark and turn on dmz and see what it is.

michaelmurfy

meow
13240 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#465054 3-May-2011 22:43

Don't worry about it, it's normal..

Let's just take a look at the common server, mine for example:

user@sakura:~$ cat /etc/hosts.deny | tail
sshd: 208.43.127.84
sshd: 207.138.211.26
sshd: 69.175.77.158
sshd: 94.76.222.178
sshd: 123.212.43.5
sshd: 121.14.119.135
sshd: 46.45.147.25
sshd: 125.46.92.195
sshd: 123.234.81.45
sshd: 69.197.153.235

That is within a space of about 15mins, I am not worried since I do use a pubkey on my server, but anything on the internet is always being poked / prodded every now and then.

As a example again who these are coming from, 46.45.147.25 is:

person: Osman Emir CERRAHOGLU
address: Kosanbit Telekomunikasyon San. Ve Tic. Ltd. Sti
address: Cevizlik Mah. Beyaz Zambak Sok. 7/3 Bakirkoy / Istanbul
e-mail: emir@kosanbit.com
phone: +90 536 452 24 62
nic-hdl: OEC3-RIPE
mnt-by: KOSANBIT-MNT
remarks: ###################################
remarks: Abuse & intrusion reports should
remarks: be sent to: abuse@kosanbit.com
remarks: ###################################
source: RIPE # Filtered

As you can see, this is overseas, most likely a infected computer on the internet being controlled by a botnet looking for servers to exploit. From the logs too I can see this IP tried the username root + password root first, then root + password second, then got blacklisted.

This is how firewalls work, if you see a intrusion log that's a good thing, take off your tinfoil hat and continue on with life, it's easier that way :)

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

AviZ

214 posts

Master Geek
Inactive user

#465066 3-May-2011 23:21

yes in my hosts.deny via denyhosts i have

13749 lines

and thats my dedicated server in the states

AviZ

214 posts

Master Geek
Inactive user

#465078 4-May-2011 00:00

ok the news is and its just not my line

all these ips are scanning common ports such as netbios and ms-msql etc

however the data may seem small but over a period of time it all adds up.

what can anyone do about it?

nothing, unless snap block the ips

so at the end of the day many others are in the same boat as i am.

muppet

2567 posts

Uber Geek

Trusted

#465103 4-May-2011 06:55

Some ISP's filter the more prolific crap, some don't. I wouldn't worry about it.

The server I have online gets hits 24/7 with SSH requests, bogus web requests, ping scans etc etc.

It's tempting I know to think that somehow you're being targetted as an individiual, but you're not. What you're seeing is commonly called Internet Background Radiation.

A very clever bloke by the name of Dean Pemberton gave a talk about it at NZNOG a few years back, you can read the pdf here if you'd like though it's just the slides that went along with the presentation.

Some ranges get targetted more than others. It might depend on how long that Internet range has been in the global routing table, there's tons of reasons.

Basically: Don't worry about it. This is why everyone's always on about keeping your machine up to date etc.

Audiophiles are such twits! They buy such pointless stuff: Gold plated cables, $2000 power cords. Idiots.

OOOHHHH HYPERFIBRE!

Beccara

1469 posts

Uber Geek

ID Verified

#465118 4-May-2011 08:27

Welcome to the internet, This is completely normal and looks to be SYN packets trying to open a connection. If memory serves me well before my morning coffee you need about 20,000 of these packets to total 1 megabyte of traffic. It's not burning your cap or anything major.

Turn off the alerts and relax

Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

scottr

262 posts

Ultimate Geek

Trusted

#465182 4-May-2011 10:23

Trying to stop those would be like trying to stop road noise from the motorway, or filter dust particles out of the air when you're walking outside.

The data used will be so small it's not even funny, adobe flash player probably uses more just to check whether or not it's up to date.

Everyone's in the same boat, it's what happens when you're on the internet. As someone said, turn off the alerts, keep everything up to date and relax.

1080p

1332 posts

Uber Geek
Inactive user

#465186 4-May-2011 10:24

http://ip-db.com/72.20.40.51

Looks like an open proxy scanner for the IRC network at http://p2p-network.net/

There is a very good reason to stay away from anything hosted by Staminus Communications if at all possible; perhaps find a new IRC network?

AviZ

214 posts

Master Geek
Inactive user

#465190 4-May-2011 10:32

i dont goto p2p, i run my own dedicated server for irc, web hosting

1 | 2