psad scans... how do I stop this?

rava

Member
Apr 24, 2002
OK, I get this scan detection 15-30 times a day.... anyone know how to stop it?

I know this has to do with cpanel/whm... the IP is coming from burst, and I have talked to several of the network admins at various times... they all agree it is because of whm/cpanel.

I was informed to email Nick, but haven't gotten a reply back from him yet. Hell, I don't even know if I had the right email.

It is just really annoying.....

Can anyone help?



=-=-=-=-=-=-=-=-=-=-=-=-=-= May 22 02:15:08 =-=-=-=-=-=-=-=-=-=-=-=-=-=
psad: portscan detected against xxxxxx.xxxxxxxx.com (xxx.xxx.xxx.xxx).

Source: 66.96.193.2
Destination: xxx.xxx.xxx.xxx
Newly scanned UDP ports: [48426-48450] (since: May 22 02:15:08)
Newly Blocked UDP packets: [2] (since: May 22 02:15:08)
Complete TCP/UDP port range: [32812-59960] (since: May 8 00:29:37)
Total blocked packets: 32
Start time: May 21 14:24:57
End time: May 22 02:15:08
Danger level: 1 out of 5
DNS info: 66.96.193.2 -> dns.burst.net


---- Whois Information: ----
Network Operations Center Inc. (NETBLK-HOSTNOC) HOSTNOC
66.96.192.0 - 66.96.255.255
BurstNET Technologies, Inc. (NETBLK-BURSTNET726) BURSTNET726
66.96.193.2 - 66.96.205.192

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

=-=-=-=-=-=-=-=-=-=-=-=-=-= May 22 02:15:08 =-=-=-=-=-=-=-=-=-=-=-=-=-=
 

jeffg

Registered
Oct 26, 2003
This is psad port scan active detection. Your danger level email notification is set to 1; you may want to increase it.
etc/psad/psad.conf

$DANGER_LEVELS{'1'} = 5;
$DANGER_LEVELS{'2'} = 50;    # <------
$DANGER_LEVELS{'3'} = 1000;
$DANGER_LEVELS{'4'} = 5000;
my $ENABLE_EMAIL_ALERTS = "Y";
my $EMAIL_ALERT_DANGER_LEVEL = 2;    # <- 50 from same source


Seeing the ports that are being scanned, it is likely someone (or a virus/worm) looking for Windows machines to exploit. Scans "might" be before an attempted crack, but by themselves they won't do you any harm.
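
The effect of the setting suggested in the reply above, as an added example that is not part of the thread or of psad itself: it parses the fields of the quoted alert and checks the packet count against the posted thresholds. It assumes a source reaches a danger level once its total blocked-packet count meets that level's threshold; the function names are hypothetical.

```python
import re

# Thresholds as posted in the reply (packets from one source per danger level).
DANGER_LEVELS = {1: 5, 2: 50, 3: 1000, 4: 5000}

# Constructed sample: the relevant fields of the alert quoted in the question.
SAMPLE_ALERT = """\
Source: 66.96.193.2
Destination: xxx.xxx.xxx.xxx
Newly Blocked UDP packets: [2] (since: May 22 02:15:08)
Total blocked packets: 32
Danger level: 1 out of 5
"""

def parse_alert(text):
    """Extract source, total packet count and reported danger level from an alert body."""
    fields = {}
    for key, pattern in (
        ("source", r"^Source:\s*(\S+)"),
        ("total", r"^Total blocked packets:\s*(\d+)"),
        ("reported_level", r"^Danger level:\s*(\d+) out of \d+"),
    ):
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError(f"alert is missing the {key} field")
        fields[key] = m.group(1)
    fields["total"] = int(fields["total"])
    fields["reported_level"] = int(fields["reported_level"])
    return fields

def danger_level(total_packets, levels=DANGER_LEVELS):
    """Highest level whose threshold the packet count has reached (0 if none)."""
    reached = [lvl for lvl, threshold in levels.items() if total_packets >= threshold]
    return max(reached, default=0)

def would_email(total_packets, email_alert_level, levels=DANGER_LEVELS):
    """True if a source at this packet count is at or above the e-mail alert level."""
    return danger_level(total_packets, levels) >= email_alert_level

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    for setting in (1, 2):
        print(f"EMAIL_ALERT_DANGER_LEVEL={setting}: "
              f"email for {alert['source']} ({alert['total']} packets)? "
              f"{would_email(alert['total'], setting)}")
```

With the alert level at 2, the 32-packet source in the quoted alert stays below the 50-packet threshold and no e-mail is sent; the same source would alert again once it passed 50 packets.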