Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

psad scans... how do i stop this?

Discussion in 'General Discussion' started by rava, May 22, 2002.

  1. rava

    rava Member

    Joined:
    Apr 24, 2002
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    301
    Ok i get this scan detection 15-30 times a day.... any one know how to stop it?

    I know this has to do with cpanel/whm... the ip is coming from burst, and i have talked to several of the network admins at various times... they all agree it is becuase of whm/cpanel.

    i was informed to email nick, but haven't gotten a reply back from him yet. hell i don't even know if i had the right email.

    it is just really annouying.....

    can anyone help?



    =-=-=-=-=-=-=-=-=-=-=-=-=-= May 22 02:15:08 =-=-=-=-=-=-=-=-=-=-=-=-=-=
    psad: portscan detected against xxxxxx.xxxxxxxx.com (xxx.xxx.xxx.xxx).

    Source: 66.96.193.2
    Destination: xxx.xxx.xxx.xxx
    Newly scanned UDP ports: [48426-48450] (since: May 22 02:15:08)
    Newly Blocked UDP packets: [2] (since: May 22 02:15:08)
    Complete TCP/UDP port range: [32812-59960] (since: May 8 00:29:37)
    Total blocked packets: 32
    Start time: May 21 14:24:57
    End time: May 22 02:15:08
    Danger level: 1 out of 5
    DNS info: 66.96.193.2 -& dns.burst.net


    ---- Whois Information: ----
    Network Operations Center Inc. (NETBLK-HOSTNOC) HOSTNOC
    66.96.192.0 - 66.96.255.255
    BurstNET Technologies, Inc. (NETBLK-BURSTNET726) BURSTNET726
    66.96.193.2 - 66.96.205.192

    To single out one record, look it up with &!xxx&, where xxx is the
    handle, shown in parenthesis following the name, which comes first.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    =-=-=-=-=-=-=-=-=-=-=-=-=-= May 22 02:15:08 =-=-=-=-=-=-=-=-=-=-=-=-=-=
     
  2. jeffg

    jeffg Registered

    Joined:
    Oct 26, 2003
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    151
    this is psad port scan active detection , your danger level email notification is set to 1 you may want to increase it.
    etc/psad/psad.conf

    $DANGER_LEVELS{'1'} = 5;
    $DANGER_LEVELS{'2'} = 50;<------
    $DANGER_LEVELS{'3'} = 1000;
    $DANGER_LEVELS{'4'} = 5000;
    my $ENABLE_EMAIL_ALERTS = "Y";
    my $EMAIL_ALERT_DANGER_LEVEL = 2;<-50 from same source


    Seeing the ports that are being scanned, it is likely someone (or a virus/worm) looking for Windows machines to exploit. Scans "might" be a before an attemped crack, but by themselves they won't do you any harm.
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice