Question

Port scans originating from DO?

Greetings. First of all, I would like to say I’m not very knowledgeable about anything, and I’m currently learning about Linux, security, networking and even a little programming from creating and managing Droplets. I hope this question doesn’t sound too dumb to the more knowledgeable users. I recently set up a Debian 8.1 Droplet and added an extra layer of security to it with PSAD. Ever since its installation, I have been getting “danger level 3” warnings on the same ports and from the same IP6 address. I do not have any ports open to the world, unless specifically requested by the services I run in a Droplet --and even then, if I can change their default ports, I will assign an (almost) completely random number to them. A log is attached below. Just to make it short, is it safe to whitelist this IP6? PSAD doesn’t seem particularly worried about it (else it would’ve been banned by rules) but it makes me uneasy to have these warnings. Specially because they seem to come from DO (or another Droplet.)

=-=-=-=-=-=-=-=-=-=-=-= Wed Sep 2 13:03:21 2015 =-=-=-=-=-=-=-=-=-=-=-=

     Danger level: [3] (out of 5) Multi-Protocol

Scanned TCP ports: [11-62078: 193 packets]
        TCP flags: [SYN: 193 packets, Nmap: -sT or -sS]
   iptables chain: INPUT, 184 packets
   iptables chain: INPUT (prefix "[UFW BLOCK]"), 9 packets
Scanned UDP ports: [7-47808: 34 packets, Nmap: -sU]
   iptables chain: INPUT (prefix "[UFW BLOCK]"), 1 packets
   iptables chain: INPUT, 33 packets

           Source: 2604:a880:0800:0010:0000:0000:0089:c001
              DNS: [No reverse dns info available]

      Destination: 2604:a880:0400:00d0:0000:0000:000e:d001
              DNS: [No reverse dns info available]

Overall scan start: Wed Sep 2 13:03:21 2015 Total email alerts: 1 Complete TCP range: [11-62078] Complete UDP range: [7-47808] Syslog hostname: localhost

     Global stats:
                   chain:   interface:  protocol:  packets:
                   INPUT    eth0        tcp        193
                   INPUT    eth0        udp        34

[+] UDP scan signatures:

“PSAD-CUSTOM Slammer communication attempt” dst port: 1434 (no server bound to local port) psad_id: 100208 chain: INPUT packets: 1 classtype: trojan-activity

“SCAN UPnP communication attempt” dst port: 1900 (no server bound to local port) psad_id: 100074 (derived from: 1917 1384 1388) chain: INPUT packets: 1 classtype: misc-attack

[+] TCP scan signatures:

“MISC VNC communication attempt” dst port: 5900 (no server bound to local port) flags: SYN psad_id: 100202 chain: INPUT packets: 1 classtype: attempted-admin

“MISC Microsoft PPTP communication attempt” dst port: 1723 (no server bound to local port) flags: SYN psad_id: 100082 (derived from: 2126 2044) chain: INPUT packets: 1 classtype: attempted-admin

“BACKDOOR DoomJuice file upload attempt” dst port: 3128 (no server bound to local port) flags: SYN sid: 2375 chain: INPUT packets: 1 classtype: trojan-activity

“MISC MS Terminal Server communication attempt” dst port: 3389 (no server bound to local port) flags: SYN psad_id: 100077 (derived from: 1447 1448 2418) chain: INPUT packets: 1 classtype: misc-activity

“MISC HP Web JetAdmin communication attempt” dst port: 8000 (no server bound to local port) flags: SYN psad_id: 100084 (derived from: 2547 2548 2549 2655) chain: INPUT packets: 1 classtype: web-application-activity

“POLICY HP JetDirect LCD commnication attempt” dst port: 9100 (no server bound to local port) flags: SYN sid: 568 chain: INPUT packets: 1 classtype: misc-activity

“BACKDOOR SatansBackdoor.2.0.Beta, or BackConstruction 2.1 Connection Attempt” dst port: 666 (no server bound to local port) flags: SYN psad_id: 100041 (derived from: 118 157 158) chain: INPUT packets: 1 classtype: misc-activity

“BACKDOOR netbus Connection Cttempt” dst port: 12345 (no server bound to local port) flags: SYN psad_id: 100028 (derived from: 109 110) chain: INPUT packets: 1 classtype: misc-activity

“POLICY HP JetDirect LCD communication attempt” dst port: 9002 (no server bound to local port) flags: SYN sid: 510 chain: INPUT packets: 3 classtype: misc-activity

[+] Whois Information (source IP):

ARIN WHOIS data and services are subject to the Terms of Use

available at: https://www.arin.net/whois_tou.html

If you see inaccuracies in the results, please report at

http://www.arin.net/public/whoisinaccuracy/index.xhtml

The following results may also be obtained via:

http://whois.arin.net/rest/nets;q=2604:a880:0800:0010:0000:0000:0089:c001?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2

NetRange: 2604:A880:: - 2604:A880:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF CIDR: 2604:A880::/32 NetName: DIGITALOCEAN-V6-1 NetHandle: NET6-2604-A880-1 Parent: NET6-2600 (NET6-2600-1) NetType: Direct Allocation OriginAS: AS14061 Organization: Digital Ocean, Inc. (DO-13) RegDate: 2013-04-11 Updated: 2013-04-11 Ref: http://whois.arin.net/rest/net/NET6-2604-A880-1

OrgName: Digital Ocean, Inc. OrgId: DO-13 Address: 101 Ave of the Americas Address: 10th Floor City: New York StateProv: NY PostalCode: 10013 Country: US RegDate: 2012-05-14 Updated: 2014-10-23 Comment: http://www.digitalocean.com

Comment: Simple Cloud Hosting Ref: http://whois.arin.net/rest/org/DO-13

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

WoetSeptember 3, 2015
Wouters-Air:~ Woet$ host 2604:a880:0800:0010:0000:0000:0089:c001
1.0.0.c.9.8.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.8.0.0.8.8.a.4.0.6.2.ip6.arpa domain name pointer rock.scan6.shodan.io.

http://www.shodanhq.com/help/faq

gparentSeptember 3, 2015

There’s no need to concern yourself with port scans. Tools like PSAD aren’t perfect, and they’ll cause more trouble than they are worth for you.