Port scans originating from DO?

September 3, 2015 3.4k views
Security Debian Networking
leonmorlando
By:
leonmorlando

Greetings. First of all, I would like to say I’m not very knowledgeable about anything, and I’m currently learning about Linux, security, networking and even a little programming from creating and managing Droplets. I hope this question doesn’t sound too dumb to the more knowledgeable users.
I recently set up a Debian 8.1 Droplet and added an extra layer of security to it with PSAD. Ever since its installation, I have been getting “danger level 3” warnings on the same ports and from the same IP6 address. I do not have any ports open to the world, unless specifically requested by the services I run in a Droplet –and even then, if I can change their default ports, I will assign an (almost) completely random number to them. A log is attached below.
Just to make it short, is it safe to whitelist this IP6? PSAD doesn’t seem particularly worried about it (else it would’ve been banned by rules) but it makes me uneasy to have these warnings. Specially because they seem to come from DO (or another Droplet.)

=-=-=-=-=-=-=-=-=-=-=-= Wed Sep 2 13:03:21 2015 =-=-=-=-=-=-=-=-=-=-=-=

     Danger level: [3] (out of 5) Multi-Protocol

Scanned TCP ports: [11-62078: 193 packets]
        TCP flags: [SYN: 193 packets, Nmap: -sT or -sS]
   iptables chain: INPUT, 184 packets
   iptables chain: INPUT (prefix "[UFW BLOCK]"), 9 packets
Scanned UDP ports: [7-47808: 34 packets, Nmap: -sU]
   iptables chain: INPUT (prefix "[UFW BLOCK]"), 1 packets
   iptables chain: INPUT, 33 packets

           Source: 2604:a880:0800:0010:0000:0000:0089:c001
              DNS: [No reverse dns info available]

      Destination: 2604:a880:0400:00d0:0000:0000:000e:d001
              DNS: [No reverse dns info available]

Overall scan start: Wed Sep 2 13:03:21 2015
Total email alerts: 1
Complete TCP range: [11-62078]
Complete UDP range: [7-47808]
Syslog hostname: localhost

     Global stats:
                   chain:   interface:  protocol:  packets:
                   INPUT    eth0        tcp        193
                   INPUT    eth0        udp        34

[+] UDP scan signatures:

“PSAD-CUSTOM Slammer communication attempt”
dst port: 1434 (no server bound to local port)
psad_id: 100208
chain: INPUT
packets: 1
classtype: trojan-activity

“SCAN UPnP communication attempt”
dst port: 1900 (no server bound to local port)
psad_id: 100074 (derived from: 1917 1384 1388)
chain: INPUT
packets: 1
classtype: misc-attack

[+] TCP scan signatures:

“MISC VNC communication attempt”
dst port: 5900 (no server bound to local port)
flags: SYN
psad_id: 100202
chain: INPUT
packets: 1
classtype: attempted-admin

“MISC Microsoft PPTP communication attempt”
dst port: 1723 (no server bound to local port)
flags: SYN
psad_id: 100082 (derived from: 2126 2044)
chain: INPUT
packets: 1
classtype: attempted-admin

“BACKDOOR DoomJuice file upload attempt”
dst port: 3128 (no server bound to local port)
flags: SYN
sid: 2375
chain: INPUT
packets: 1
classtype: trojan-activity

“MISC MS Terminal Server communication attempt”
dst port: 3389 (no server bound to local port)
flags: SYN
psad_id: 100077 (derived from: 1447 1448 2418)
chain: INPUT
packets: 1
classtype: misc-activity

“MISC HP Web JetAdmin communication attempt”
dst port: 8000 (no server bound to local port)
flags: SYN
psad_id: 100084 (derived from: 2547 2548 2549 2655)
chain: INPUT
packets: 1
classtype: web-application-activity

“POLICY HP JetDirect LCD commnication attempt”
dst port: 9100 (no server bound to local port)
flags: SYN
sid: 568
chain: INPUT
packets: 1
classtype: misc-activity

“BACKDOOR SatansBackdoor.2.0.Beta, or BackConstruction 2.1 Connection Attempt”
dst port: 666 (no server bound to local port)
flags: SYN
psad_id: 100041 (derived from: 118 157 158)
chain: INPUT
packets: 1
classtype: misc-activity

“BACKDOOR netbus Connection Cttempt”
dst port: 12345 (no server bound to local port)
flags: SYN
psad_id: 100028 (derived from: 109 110)
chain: INPUT
packets: 1
classtype: misc-activity

“POLICY HP JetDirect LCD communication attempt”
dst port: 9002 (no server bound to local port)
flags: SYN
sid: 510
chain: INPUT
packets: 3
classtype: misc-activity

[+] Whois Information (source IP):

ARIN WHOIS data and services are subject to the Terms of Use

available at: https://www.arin.net/whois_tou.html

If you see inaccuracies in the results, please report at

http://www.arin.net/public/whoisinaccuracy/index.xhtml

The following results may also be obtained via:

http://whois.arin.net/rest/nets;q=2604:a880:0800:0010:0000:0000:0089:c001?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2

NetRange: 2604:A880:: - 2604:A880:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR: 2604:A880::/32
NetName: DIGITALOCEAN-V6-1
NetHandle: NET6-2604-A880-1
Parent: NET6-2600 (NET6-2600-1)
NetType: Direct Allocation
OriginAS: AS14061
Organization: Digital Ocean, Inc. (DO-13)
RegDate: 2013-04-11
Updated: 2013-04-11
Ref: http://whois.arin.net/rest/net/NET6-2604-A880-1

OrgName: Digital Ocean, Inc.
OrgId: DO-13
Address: 101 Ave of the Americas
Address: 10th Floor
City: New York
StateProv: NY
PostalCode: 10013
Country: US
RegDate: 2012-05-14
Updated: 2014-10-23
Comment: http://www.digitalocean.com

Comment: Simple Cloud Hosting
Ref: http://whois.arin.net/rest/org/DO-13

Sign In to Comment
2 Answers
gparent September 3, 2015

There’s no need to concern yourself with port scans. Tools like PSAD aren’t perfect, and they’ll cause more trouble than they are worth for you.

Report
Woet September 3, 2015 
Wouters-Air:~ Woet$ host 2604:a880:0800:0010:0000:0000:0089:c001
1.0.0.c.9.8.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.8.0.0.8.8.a.4.0.6.2.ip6.arpa domain name pointer rock.scan6.shodan.io.

http://www.shodanhq.com/help/faq

Report
Have another answer? Share your knowledge.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Related