Random ISPs & hosting providers trying to access my webserver

  1. #1
    .Yoss. (HAARP), joined Dec 2006, location localhost.local, 784 posts

    Random ISPs & hosting providers trying to access my webserver

    So a few weeks ago I set up a webserver for personal development only, and a few days ago I found out that some hosts were trying to access my webserver.
    The first one I checked was from Verizon, which is very strange because I live in Europe and we don't have Verizon services where I live.

    So, well... I keep getting these harvesters finding and trying to access my webserver for some mysterious reason I don't know of.

    The last one that tried to connect to my webserver a few minutes ago comes from the following IP 83.247.63.172 : ISP Solcon.nl

    Well, here's a list of them


    Does anyone know what the Christ is going on? Maybe it's my own webserver sending them invites undercover or something?

    Maybe I'm part of a botnet? Highly unlikely though.


  2. #2
    jMerliNzz (Infraction Banned), joined Dec 2009, 9 posts

    Re: Random ISPs & hosting providers trying to access my webserver

    Quote Originally Posted by .Yoss. View Post
    So a few weeks ago I set up a webserver for personal development only, and a few days ago I found out that some hosts were trying to access my webserver.
    The first one I checked was from Verizon, which is very strange because I live in Europe and we don't have Verizon services where I live.
    At risk of having this account banned since my original one is still banned...

    What you're seeing is botnet spam. Nets will routinely search over consumer IP spaces looking for open ports hosting known services, hoping for an exploitable version of some software. They also then try scanning for common administrative tools (phpmyadmin, phpldapadmin, if they detect a forum, your admin or install scripts, etc.). And any e-mail web clients you have installed they may try to brute force.

    It's not uncommon, but there's not a whole lot you can do. My server (jmerlin.net) has thousands to tens of thousands of random scans and such per day (I can check the error logs and see tons of requests for files like /admin.php, /mail, etc.). I even had them trying to brute force my SSH when it was on the default port (that really hosed the system because they had roughly 500 bots hitting it with bruteforcers). I cleaned that up though, no problemo.

    You being hit with tons of spam like that doesn't mean you're part of a net; it likely means those machines are zombies in a net, however. The fact they're coming from random ISPs, and largely probably YOUR ISP, indicates they're mostly consumer-level machines (probably some teenage kid or parents or any other kind of computer-illiterate user). It's not to be worried about if you practice decent security policies. If the spamming gets really intense (like you have a sensitive protocol without spam protection, like SSH or something with root login allowed, you may end up finding you'll be the target of a 500-1000+ drone flood to brute force), mass block the IPs or download a better firewall solution (i.e. one that will detect and block flood/malicious attacks). A simple iptables command was sufficient to kill the attack on my server long enough to reconfigure ssh to use an off-port, ban after 3 failures, and deny root login. Haven't been hit since.
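The "ban after 3 failures" rule jMerliN describes, worked through as an added example that is not code from the thread or from any of its posters: it parses a handful of constructed sshd and Apache log lines, counts password failures and probes for the admin paths named above per source address, and renders iptables DROP rules for any source over a threshold. The sample log lines, the thresholds and the probe-path list are assumptions made for this illustration.

```python
"""
Added example (not from the forum thread): build a per-source block list from
sshd password failures and web probes for well-known admin paths, the way a
"ban after N failures" rule would. Log lines below are constructed samples;
thresholds and the probe-path list are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth-log and Apache combined-log format.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 54012 ssh2
Jan 10 03:12:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 54020 ssh2
Jan 10 03:12:05 host sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 54031 ssh2
Jan 10 03:12:06 host sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 54040 ssh2
Jan 10 03:15:44 host sshd[1300]: Accepted publickey for yoss from 198.51.100.20 port 41000 ssh2
Jan 10 03:16:10 host sshd[1310]: Failed password for yoss from 198.51.100.20 port 41002 ssh2
"""

SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [10/Jan/2010:03:20:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [10/Jan/2010:03:20:01 +0100] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [10/Jan/2010:03:20:02 +0100] "GET /admin.php HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [10/Jan/2010:03:20:02 +0100] "GET /mail/ HTTP/1.1" 404 209 "-" "-"
198.51.100.20 - - [10/Jan/2010:03:21:00 +0100] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2010:03:21:05 +0100] "GET /admin.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Paths bots probe for (assumed list, seeded with the ones named in the thread).
PROBE_PATHS = re.compile(
    r"^/(phpmyadmin|phpldapadmin|admin\.php|mail|install|setup|wp-login\.php)", re.I
)
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)
HTTP_REQ = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def ssh_failures(auth_log):
    """Count failed SSH password attempts per source IP."""
    counts = defaultdict(int)
    for line in auth_log.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def web_probes(access_log):
    """Count 404 responses to requests for well-known admin/webmail paths per source IP."""
    counts = defaultdict(int)
    for line in access_log.splitlines():
        m = HTTP_REQ.match(line)
        if not m:
            continue
        ip, path, status = m.group(1), m.group(3), m.group(4)
        if status == "404" and PROBE_PATHS.match(path):
            counts[ip] += 1
    return dict(counts)


def block_list(auth_log, access_log, ssh_limit=3, probe_limit=3):
    """Return the sorted IPs that crossed either threshold (ban-after-N style)."""
    bad = set()
    for ip, n in ssh_failures(auth_log).items():
        if n >= ssh_limit:
            bad.add(ip)
    for ip, n in web_probes(access_log).items():
        if n >= probe_limit:
            bad.add(ip)
    return sorted(bad)


def iptables_rules(ips):
    """Render DROP rules for the offending sources; rendered as text, not executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(block_list(SAMPLE_AUTH_LOG, SAMPLE_ACCESS_LOG)):
        print(rule)
```

A single failed login from a legitimate user (198.51.100.20 above) stays under the threshold, while the source that walked through root/admin/test and the one that probed four admin URLs both end up in the block list; in practice you would run this against the live logs on a timer and expire the rules, which is what tools like fail2ban automate.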

  3. #3
    Rishwin (Captain of the Universe), joined Oct 2004, location Perth, 15,097 posts

    Re: Random ISPs & hosting providers trying to access my webserver

    Quote Originally Posted by jMerliNzz View Post
    What you're seeing is botnet spam. Nets will routinely search over consumer IP spaces looking for open ports hosting known services, hoping for an exploitable version of some software. They also then try scanning for common administrative tools (phpmyadmin, phpldapadmin, if they detect a forum, your admin or install scripts, etc.). And any e-mail web clients you have installed they may try to brute force.
    Unlike many others, I actually don't have a problem with you. Additionally, I like the fact that you always know what you are talking about.

    You didn't spam and you weren't pasting ads everywhere, so I won't say anything if you manage to keep yourself out of trouble.

  4. #4
    Ytys Vynsan, joined Aug 2006, location England, 842 posts

    Re: Random ISPs & hosting providers trying to access my webserver

    Quote Originally Posted by jMerliNzz View Post
    What you're seeing is botnet spam. Nets will routinely search over consumer IP spaces looking for open ports hosting known services, hoping for an exploitable version of some software. They also then try scanning for common administrative tools (phpmyadmin, phpldapadmin, if they detect a forum, your admin or install scripts, etc.). And any e-mail web clients you have installed they may try to brute force.
    I would recommend you watch where you go. Some sites are purely designed to catch your IP, log it, then deal with it later (trust me, I've designed a few). Because site taps are the main way these people get your IP, and it's the easiest way for them to do so. If you wish to surf the net without worrying, hide behind a good proxy.

    As the quote stated, there isn't a lot you can do; increase your protection, but I would recommend ringing your ISP and requesting an IP change. They may charge you, but it shouldn't be too much and it's worth the peace of mind.


    Regards,
    Vynsan

  5. #5
    .Yoss. (HAARP), joined Dec 2006, location localhost.local, 784 posts

    Re: Random ISPs & hosting providers trying to access my webserver

    Quote Originally Posted by jMerliNzz View Post
    You being hit with tons of spam like that doesn't mean you're part of a net; it likely means those machines are zombies in a net, however. The fact they're coming from random ISPs, and largely probably YOUR ISP, indicates they're mostly consumer-level machines (probably some teenage kid or parents or any other kind of computer-illiterate user). It's not to be worried about if you practice decent security policies.
    Thanks for the info. I knew that there were compromised PCs out there that were used to do illegal stuff, but I didn't know what exactly. I'm glad I've always denied requests from unexpected connections.

    The firewall I'm currently using seems to have enough measures to protect my system against DoS attacks that may be attempted. It seems to take care of the TCP, UDP and ICMP protocols and protects them from being flooded. It also blocks hosts that try to do port scans for a certain amount of time, so it would take them a while to scan them all; however, I think they would automatically drop the attack if they don't manage to scan a certain number of ports in a given amount of time.

    Quote Originally Posted by Ytys Vynsan View Post
    I would recommend you watch where you go. Some sites are purely designed to catch your IP, log it, then deal with it later (trust me, I've designed a few). If you wish to surf the net without worrying, hide behind a good proxy.

    As the quote stated, there isn't a lot you can do; increase your protection, but I would recommend ringing your ISP and requesting an IP change.
    Thanks, I'm careful with what sites I visit, and I also use plugins like Adblock Plus (coupled with a web proxy aimed at just removing ads, e.g. Privoxy) to help block unwanted ads, and NoScript to prevent possible attacks that may be caused by the misuse of scripting languages.
    But these hosts tried to connect to my computer without me ever connecting to them before. As explained by jMerliN, they blindly search consumer IP ranges to find exploits on the machines in order to take control over them and/or attack them.

    I already have a dynamic IP; I forgot to mention it in the 1st post, sorry for that. But if I had a static IP and decided to change it to another static one, it would not completely solve the problem but only delay it. They probably scan those IP ranges several times, so it wouldn't be long until they found my new IP address.

    Thank you both for your answers.
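The port-scan rule .Yoss. describes his firewall applying (a source that touches many ports in a short time is blocked for a while, and a slow scanner that stays under the rate is not caught) can be modelled as follows. This is an added illustration, not code from the thread or from any firewall product; the connection records are constructed, and the window, the distinct-port threshold and the ban duration are assumptions.

```python
"""
Added example (not from the forum thread): a sliding-window port-scan detector
with a timed ban, of the kind .Yoss. describes. A source that hits at least
`distinct_ports` different destination ports within `window` seconds is
dropped for `ban_seconds`, after which it is released again. Records below
are constructed; all parameters are assumptions.
"""
from collections import defaultdict, deque


class ScanDetector:
    def __init__(self, window=10.0, distinct_ports=5, ban_seconds=600):
        self.window = window
        self.distinct_ports = distinct_ports
        self.ban_seconds = ban_seconds
        self.recent = defaultdict(deque)  # src -> deque of (timestamp, dport)
        self.banned_until = {}            # src -> timestamp when the ban expires

    def is_banned(self, src, now):
        """True while a ban is active; expired bans are removed on the way."""
        until = self.banned_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[src]
            return False
        return True

    def observe(self, ts, src, dport):
        """Feed one connection attempt; return 'drop' or 'accept'."""
        if self.is_banned(src, ts):
            return "drop"
        q = self.recent[src]
        q.append((ts, dport))
        # Forget attempts that fell out of the sliding window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len({port for _, port in q}) >= self.distinct_ports:
            self.banned_until[src] = ts + self.ban_seconds
            q.clear()
            return "drop"
        return "accept"


# Constructed traffic: a fast scanner, a legitimate web visitor, and a slow scanner.
SAMPLE_RECORDS = [
    (0.0, "203.0.113.50", 21),
    (0.0, "203.0.113.51", 21),
    (1.0, "203.0.113.50", 22),
    (1.5, "198.51.100.20", 80),
    (2.0, "203.0.113.50", 23),
    (3.0, "203.0.113.50", 25),
    (4.0, "203.0.113.50", 80),    # fifth distinct port inside 10 s: banned until t=604
    (5.0, "203.0.113.50", 110),   # dropped while the ban is active
    (6.0, "198.51.100.20", 80),
    (15.0, "203.0.113.51", 22),   # one port every 15 s never reaches 5 in a window
    (30.0, "203.0.113.51", 23),
    (45.0, "203.0.113.51", 25),
    (60.0, "203.0.113.51", 80),
    (700.0, "203.0.113.50", 443), # ban expired, accepted again
]


def replay(records, **params):
    """Run the detector over (ts, src, dport) records; return decisions and detector."""
    det = ScanDetector(**params)
    decisions = [(src, det.observe(ts, src, port)) for ts, src, port in records]
    return decisions, det


if __name__ == "__main__":
    for src, verdict in replay(SAMPLE_RECORDS)[0]:
        print(f"{src:15} {verdict}")
```

The slow scanner (203.0.113.51) is the case .Yoss. anticipates: it touches every port the fast scanner does, but never five within the window, so a rate rule alone never blocks it. Catching it needs a longer window or a count of distinct ports over the whole session, at the cost of more state per source.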


