Internet port scanning and security attempts.

PsyBorg

Wake up! Time to fly!
As many know over a year ago I got my phone hacked from someone who managed to get my password for the forums here. I didn't know much about phones and security then. Since then I have been REAL conscious of security. I have my firewall let me know when anything not normal happens.

In the last month I have been hit with 274 port scanning and security vulnerability intrusion attacks. 99% of them are out of St Petersburg Russia according to whois lookup. 99% of these attack warnings occur when I am logged on the forums here or immediately after I log off.

What I would like to know is if any of you guys monitor intrusions this closely or just let your firewalls manage them and not bother you with warnings. I am really curious if I am being singled out or this is pretty much the case for everyone and there are just that many :poop:birds in the world. Would some of you more savvy guys look at your intrusion detection log and let me know if you see the same thing or if I should be worried and need to dig further or even get authorities involved.

I don't remember this many attempts in the past when I was on other systems or prior to the phone hack.
 

JasonK

Participation Award Recipient
a good while back, I remember that if you turned up a windows machine, you had to do it on a private network that was firewalled off, because the general flow of 'remote hacking' attempts scanning IP addresses was so significant that it would likely be infected before you finished the install setup and started installing patches. Yes this speaks to the bad default security of windows... but also to the amount of 'looking for vulnerabilities' that are generally out there.

A quick google doesn't show any 'standard' process associated with port 274, so if I was to guess, this might be scanning for some sort of infection or some software that uses that port but isn't very standard. Or could even be scanning for software running 'off port' (sometimes done as a security through obscurity situation).
 

LitterBug

Techno Nut
Moderator
I have a dedicated firewall which everything is behind. I will never trust the AIO router/wifi/print/storage cluster #-#_ devices which are under patched, full of vulnerabilities, and have holes built in by design. Port scans are very common. They are looking for ANYTHING that may be open to attack. Any server or IOT device belongs on a different network (subnet) so if it is compromised, it does not offer up a path to the rest of your network.

LB
 

PsyBorg

Wake up! Time to fly!
Yeah I started learning networking back in the late 80's and 90's but got away from it all after I got hurt. I'm not up on all I should be security wise. I have been lazy and used products like Norton 360 before. I now have a better corporate level security software in place. It blocks all ports automatically and I set up my programs in a learning mode to let it set up all the things I use as I add them.

It's been very reliable and stable and I trust it for the most part. It's just the step up in warnings that has me asking questions. Obviously it's doing its thing or else I would not have all these alerts. It has even blocked Amazon AWS port scans as well as US Army port scans (unless those IPs were somehow spoofed and renamed).

So bottom line this is all the new hotness of the interwebz and I am just reading into things too much.
 

LitterBug

Techno Nut
Moderator
Funny thing is, I was blocking a lot of the "HOT" problems back in '95 before they became an issue. I had an AIO vendor tell me that I was paranoid when I wanted things patched in their firmware, and lo and behold, that same vendor is now on the CERT list for the exact vulnerabilities I told them about many many moons ago. They End-of-Lifed a bunch of those products when a simple patch would have done too.... >sigh<
 

PsyBorg

Wake up! Time to fly!
Yeah, I need to learn how to block the most common problem children before my firewall has to detect them. Maybe I'll poke you with a stick at some point and get some more in depth things to do with block lists n such. It's so hard to know what sites are safe to get that info from and what sites are the hackers just phishing for old dummies like myself.
 

JasonK

Participation Award Recipient
Well, the best defense is defense in layers where you assume that any one or two layers _will_ be compromised. Minimal permissions needed to function at each layer, etc, etc. (yah, for software security training on the company dime ;) ).
 

makattack

Winter is coming
Moderator
Mentor
Hey PsyBorg, sorry to hear about your ordeal. As you can see with the SolarWinds APT incident, this is sadly not unusual. An anecdotal example I can provide is a recent incident I encountered. I've been taking cybersecurity classes for my work, and one of my homework assignments required setting up a CentOS system on AWS, and locking it down from defaults, then running some pentests on it. Well, it was interesting to note that as soon as I fired it up, I noticed the logs were showing that I was getting login attempts with "root" before I could even disable that from remote SSH login... it was seconds. So, yeah, it doesn't take long before you get probed.

My advice for individual users is the following (and it fits with JasonK's defense in layers principle):
  • Don't use the same password for different services. Use a long password if not using MFA (see next point)
  • If possible, enable multi-factor authentication, but try to stay away from SMS only systems. Using an app like Google Authenticator, Authy, Microsoft Authenticator, et al would be more secure (as your phone hijacking shows)
  • Verify sites you're accessing / links you're clicking. Make sure it's over HTTPS or you're connected to a VPN (encrypted link) you trust. Double-check the SSL/TLS certificate of that site (that padlock symbol on your browser)
 

PsyBorg

Wake up! Time to fly!
Are you guys using phones or PCs?

I used to be PC only.. Never owned a smart phone until 2018.. which got hit with an iframe attack from someone doing nasty things here checking people's setups. I have since gone back to just a computer for internet but I do have a different phone for calls and text only.
 

flyingkelpie

Elite member
Is McAfee alright cos I've got it and I have no problems? Or is it just like all the others?
 


jtuttle11

Junior Member
I know that it says 'Password' but you should NEVER use an actual word, birthday, anniversary or combination of any of these. Always use a random series of characters, upper case and lower case and, if allowed by the website, special characters like punctuation marks.
 

flyingkelpie

Elite member
Wise advice.
 

JasonK

Participation Award Recipient
correct horse battery stapler.... what sucks is when websites force passwords like Tr0ub4dor&3 and don't let passwords like that work...

(image: password_strength.png)
 

JasonK

Participation Award Recipient
or even better, use something like that for a password safe, then use 32 character randomly generated passwords of all 4 types, unique for each website. which gets you something like (6-7)^32 bits [~8e24 to ~1e27] of entropy for each password. an 'easy' to remember/hard to crack key to the vault.
 
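Added example (not from any poster in the thread): how the entropy of a uniformly random password is computed from alphabet size and length, alongside a generator for the 32-character, four-class vault passwords discussed above. The alphabet sizes (94 printable ASCII characters, a 7776-word passphrase list) are assumptions for illustration.

```python
import math
import secrets
import string

# The four character classes a password safe would typically draw from.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
ALPHABET = "".join(CLASSES.values())   # 94 characters in total


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def classes_present(pw):
    """Which of the four classes actually occur in a password."""
    return {name for name, cls in CLASSES.items() if any(c in cls for c in pw)}


def generate_password(length=32):
    """Draw each character uniformly with a CSPRNG; retry until every class is present.

    The retry only rejects the rare draws missing a class, so the loss of
    entropy versus a plain uniform draw is negligible at this length."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if classes_present(pw) == set(CLASSES):
            return pw


if __name__ == "__main__":
    # 32 random characters from 94 symbols versus a 4-word diceware-style passphrase.
    print(f"32-char/94-symbol: {entropy_bits(len(ALPHABET), 32):.1f} bits")   # about 209.7
    print(f"4 words of 7776:   {entropy_bits(7776, 4):.1f} bits")            # about 51.7
    print(generate_password())
```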

AndrewLIK

New member
As I know firewalls can also be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. However, hackers can get around this protection by conducting a port scan in strobe or stealth mode. In general, I advise you to discuss this with someone who is more competent in such matters. For any questions related to security, I contact Hereford security company. These guys have been providing me with services for years, so I always turn only to them.
 
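Added example (not from any poster or product in the thread) of the alerting rule described above: flag a source that touches many distinct destination ports on one host within a short window. The log lines are constructed in an iptables-style format, and the second host shows why a slow scan spread over many minutes slips past a short window unless the window is widened and the threshold lowered.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
2024-03-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:03 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389
2024-03-01T10:00:04 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=8080
2024-03-01T10:00:30 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
2024-03-01T10:05:30 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
2024-03-01T10:20:00 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(r"^(\S+) DROP SRC=(\S+) DST=\S+ PROTO=\S+ DPT=(\d+)$")


def parse(lines):
    """Yield (timestamp, source, destination_port) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def detect_scans(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {source: ports} for sources hitting >= min_ports distinct ports inside `window`."""
    per_src = defaultdict(list)
    for ts, src, port in sorted(parse(log_text.splitlines())):
        per_src[src].append((ts, port))
    alerts = {}
    for src, hits in per_src.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until all retained hits fit inside it.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = alerts.get(src, set()) | ports
    return alerts


if __name__ == "__main__":
    print("fast rule :", detect_scans(SAMPLE_LOG))
    print("slow rule :", detect_scans(SAMPLE_LOG, min_ports=2, window=timedelta(hours=1)))
```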

JasonK

Participation Award Recipient
seems like this might be useful
The Tor Project.
completely anonymous browser(apparently)
not completely, but fairly close.. there are still some limitations in how it works that someone with enough intention could pin it down. (by controlling edges, using traffic analysis, etc.. it is hard to do, but there are at least theoretical attacks).