Friday, September 27, 2013

Running a CMS on one of my VPSs...now seeing weird scans.

So, I decided to run one of my own CMSs (doesn't matter which for this particular post), instead of setting up another Blogger blog.  I implemented some hardening plugins and enabled a backup solution.  The backup solution is backing up the configuration periodically via SCP to wigglit.com, which is already allowed by the FW, but I noticed that the same day I stood up the CMS and enabled the backup, I began to see scans from a 1&1 host:

Sep 27 21:57:26 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=20101 DF PROTO=TCP SPT=53949 DPT=52300 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:39 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=9603 DF PROTO=TCP SPT=53185 DPT=59347 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:47 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=57673 DF PROTO=TCP SPT=63266 DPT=33952 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:50 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=64740 DF PROTO=TCP SPT=64200 DPT=56377 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:57 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=51825 DF PROTO=TCP SPT=65017 DPT=54342 WINDOW=5840 RES=0x00 SYN URGP=0

At first, I thought I'd forgotten to add an acceptance rule to the firewall, but everything works perfectly.  The traffic is bouncing off of the clean-up rule, 5 times a day, roughly around the same time.  I also initially thought that 74.208.16.118 was unixfool.com (the host that's running the CMS software), but that particular IP is 74.208.41.182.
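To triage lines like these quickly, here is an added example (my code, not part of the original post): a small Python script that parses iptables LOG output into its fields, groups hits by source address, and reports the features worth checking before guessing at intent: number of hits, how many distinct destination ports were touched, whether the only TCP flag set is SYN, the TTL and window values, and how long the burst lasted.  It uses the five log lines quoted above as input, plus one constructed line from a documentation-range address (198.51.100.7) so there is something to contrast against.  The "scan-like" / "probe" labels are a simple heuristic of mine, not anything iptables or 1&1 produces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the five iptables LOG lines quoted in the post (DST is redacted
# there already), plus one CONSTRUCTED line from a documentation-range address
# (198.51.100.7) so the per-source verdict has something to contrast against.
SAMPLE_LOG = """\
Sep 27 21:57:26 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=20101 DF PROTO=TCP SPT=53949 DPT=52300 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:39 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=9603 DF PROTO=TCP SPT=53185 DPT=59347 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:47 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=57673 DF PROTO=TCP SPT=63266 DPT=33952 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:50 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=64740 DF PROTO=TCP SPT=64200 DPT=56377 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:57 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=51825 DF PROTO=TCP SPT=65017 DPT=54342 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 22:10:03 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=198.51.100.7 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12345 DF PROTO=TCP SPT=44123 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", the --log-prefix text, then the IN=... body
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+'
    r'(?P<prefix>.*?):\s+(?P<body>IN=.*)$')
TCP_FLAGS = {'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG'}


def parse_line(line):
    """Parse one iptables LOG line into header, key=value fields and bare flags.
    Returns None for lines that are not iptables LOG output."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group('body').split():
        if '=' in tok:                      # e.g. SRC=1.2.3.4, or OUT= (empty)
            k, _, v = tok.partition('=')
            fields[k] = v
        else:                               # bare tokens: DF, SYN, ACK, ...
            flags.add(tok)
    return {'ts': datetime.strptime(m.group('ts'), '%b %d %H:%M:%S'),
            'host': m.group('host'), 'prefix': m.group('prefix'),
            'fields': fields, 'flags': flags}


def classify(f):
    """Heuristic of mine: several SYN-only hits spread over distinct ports in
    one burst look like a scan; a lone SYN looks like a single probe."""
    if f['syn_only'] and f['hits'] >= 3 and f['distinct_dports'] >= 3:
        return 'scan-like'
    if f['syn_only']:
        return 'single-probe' if f['hits'] == 1 else 'repeated-probe'
    return 'other'


def summarize(lines):
    """Group TCP records by SRC and compute the features a quick triage needs."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['fields'].get('PROTO') == 'TCP':
            per_src[rec['fields']['SRC']].append(rec)
    report = {}
    for src, recs in per_src.items():
        dports = [int(r['fields']['DPT']) for r in recs]
        times = sorted(r['ts'] for r in recs)
        tcp_flags = [r['flags'] & TCP_FLAGS for r in recs]
        feat = {
            'hits': len(recs),
            'distinct_dports': len(set(dports)),
            'dport_range': (min(dports), max(dports)),
            # 32768+ is the usual Linux ephemeral range; no service listens there
            'all_high_ports': all(p >= 32768 for p in dports),
            'syn_only': all(f == {'SYN'} for f in tcp_flags),
            'ttl_values': sorted({int(r['fields']['TTL']) for r in recs}),
            'window_values': sorted({int(r['fields']['WINDOW']) for r in recs}),
            'span_seconds': int((times[-1] - times[0]).total_seconds()),
        }
        feat['verdict'] = classify(feat)
        report[src] = feat
    return report


if __name__ == '__main__':
    for src, feat in summarize(SAMPLE_LOG.splitlines()).items():
        print(src, feat)
```

Run against the lines above, the 1&1 source comes out as five SYN-only packets in a 31-second burst, each to a different port, all of them above 32768 with a constant TTL of 55 and window of 5840.  None of those ports is one a service would listen on, which matches the observation that nothing is actually broken: this is not a probe against a port that was forgotten in the firewall, but unsolicited connection attempts to random high ports.  Feeding the script a day or two of `kern.log` instead of the sample string is enough to confirm the "5 times a day, same time" pattern from the timestamps.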

It makes me wonder if 1&1 is running some anti-malware software that scans what they think may be suspicious hosts.

I'll continue to investigate.