Security Issue AC87

Sky

Regular Contributor
I caught this bit of data in my log. The IPs trace to known bad actors, but this is a new twist tapping high ports, etc. I've seen the bot scans for PPTP, but this is different than normal, perhaps OpenVPN scans? I don't know, can someone take a look at this? I can send the log in full if needed.

Oct 29 07:59:49 vpnserver1[1095]: 192.241.201.221:34728 TLS: Initial packet from [AF_INET]192.241.201.221:34728 (via [AF_INET]98.36.240.130%eth0), sid=01000000 00000000
Oct 29 07:59:49 vpnserver1[1095]: 192.241.201.221:34728 TLS Error: reading acknowledgement record from packet
Oct 29 08:00:49 vpnserver1[1095]: 192.241.201.221:34728 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 29 08:00:49 vpnserver1[1095]: 192.241.201.221:34728 SIGUSR1[soft,ping-restart] received, client-instance restarting
Oct 29 13:43:28 vpnserver1[1095]: 185.200.118.71:45378 TLS: Initial packet from [AF_INET]185.200.118.71:45378 (via [AF_INET]98.36.240.130%eth0), sid=12121212 12121212
Oct 29 13:44:28 vpnserver1[1095]: 185.200.118.71:45378 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 29 13:44:28 vpnserver1[1095]: 185.200.118.71:45378 SIGUSR1[soft,ping-restart] received, client-instance restarting
Oct 29 14:39:48 vpnserver1[1095]: 167.94.138.22:30734 TLS: Initial packet from [AF_INET]167.94.138.22:30734 (via [AF_INET]98.36.240.130%eth0), sid=4d658221 07fcfd52
Oct 29 14:40:03 vpnserver1[1095]: 167.94.138.60:46245 TLS: Initial packet from [AF_INET]167.94.138.60:46245 (via [AF_INET]98.36.240.130%eth0), sid=f87caac7 6749fcd0
Oct 29 14:40:48 vpnserver1[1095]: 167.94.138.22:30734 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 29 14:40:48 vpnserver1[1095]: 167.94.138.22:30734 SIGUSR1[soft,ping-restart] received, client-instance restarting
Oct 29 14:41:03 vpnserver1[1095]: 167.94.138.60:46245 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 29 14:41:03 vpnserver1[1095]: 167.94.138.60:46245 SIGUSR1[soft,ping-restart] received, client-instance restarting

Thanks,
Sky
 
Looks like normal port scanners to me (although as you say they don't normally bother with high ports).

Interestingly the 167.94.x.y addresses are from censys.io. I noticed that since only a couple of days ago they've been aggressively scanning all ports on my router, even the high ports. That's new. I've now blocked them.
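
One way to pull such probes out of an OpenVPN server log, as an added example that is not part of either post: it pairs each "TLS: Initial packet" line with a later "[UNDEF] Inactivity timeout" for the same peer, meaning the session ended before any client certificate name was established. The sample log is constructed in the format of the excerpt above using documentation addresses, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the excerpt in the thread.
# All addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 29 07:59:49 vpnserver1[1095]: 192.0.2.10:34728 TLS: Initial packet from [AF_INET]192.0.2.10:34728 (via [AF_INET]203.0.113.5%eth0), sid=01000000 00000000
Oct 29 07:59:49 vpnserver1[1095]: 192.0.2.10:34728 TLS Error: reading acknowledgement record from packet
Oct 29 08:00:49 vpnserver1[1095]: 192.0.2.10:34728 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 29 09:10:00 vpnserver1[1095]: 198.51.100.7:50000 TLS: Initial packet from [AF_INET]198.51.100.7:50000 (via [AF_INET]203.0.113.5%eth0), sid=aabbccdd 11223344
Oct 29 09:10:02 vpnserver1[1095]: 198.51.100.7:50000 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:50000
Oct 29 13:43:28 vpnserver1[1095]: 192.0.2.77:45378 TLS: Initial packet from [AF_INET]192.0.2.77:45378 (via [AF_INET]203.0.113.5%eth0), sid=12121212 12121212
Oct 29 13:44:28 vpnserver1[1095]: 192.0.2.77:45378 [UNDEF] Inactivity timeout (--ping-restart), restarting
"""

# syslog timestamp, "process[pid]:", then OpenVPN's "ip:port message" prefix
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+\[\d+\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)$"
)

def find_unauthenticated_probes(log_text):
    """Return {source_ip: [session ids]} for sessions that opened with a TLS
    initial packet and timed out while the peer name was still [UNDEF]."""
    pending = {}                  # (ip, port) -> sid seen in the initial packet
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # not an OpenVPN per-peer line
        peer, msg = (m["ip"], m["port"]), m["msg"]
        if msg.startswith("TLS: Initial packet"):
            pending[peer] = msg.rsplit("sid=", 1)[-1] if "sid=" in msg else ""
        elif msg.startswith("[UNDEF] Inactivity timeout"):
            if peer in pending:   # opened, never authenticated, timed out
                probes[peer[0]].append(pending.pop(peer))
        elif "Peer Connection Initiated" in msg:
            pending.pop(peer, None)   # handshake completed: a real client
    return dict(probes)

if __name__ == "__main__":
    for ip, sids in find_unauthenticated_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(sids)} unauthenticated session(s), sid(s): {sids}")
```
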

 

Sorry to be so late — forgot to say "Thanks!"
 
