
psad scans... how do i stop this?

Discussion in 'General Discussion' started by rava, May 22, 2002.

  1. rava

    OK, I get this scan detection 15-30 times a day... anyone know how to stop it?

    I know this has to do with cPanel/WHM... the IP is coming from Burst, and I have talked to several of the network admins at various times... they all agree it is because of WHM/cPanel.

    I was informed to email Nick, but haven't gotten a reply back from him yet. Hell, I don't even know if I had the right email.

    It is just really annoying...

    Can anyone help?



    =-=-=-=-=-=-=-=-=-=-=-=-=-= May 22 02:15:08 =-=-=-=-=-=-=-=-=-=-=-=-=-=
    psad: portscan detected against xxxxxx.xxxxxxxx.com (xxx.xxx.xxx.xxx).

    Source: 66.96.193.2
    Destination: xxx.xxx.xxx.xxx
    Newly scanned UDP ports: [48426-48450] (since: May 22 02:15:08)
    Newly Blocked UDP packets: [2] (since: May 22 02:15:08)
    Complete TCP/UDP port range: [32812-59960] (since: May 8 00:29:37)
    Total blocked packets: 32
    Start time: May 21 14:24:57
    End time: May 22 02:15:08
    Danger level: 1 out of 5
    DNS info: 66.96.193.2 -> dns.burst.net


    ---- Whois Information: ----
    Network Operations Center Inc. (NETBLK-HOSTNOC) HOSTNOC
    66.96.192.0 - 66.96.255.255
    BurstNET Technologies, Inc. (NETBLK-BURSTNET726) BURSTNET726
    66.96.193.2 - 66.96.205.192

    To single out one record, look it up with "!xxx", where xxx is the
    handle, shown in parenthesis following the name, which comes first.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    =-=-=-=-=-=-=-=-=-=-=-=-=-= May 22 02:15:08 =-=-=-=-=-=-=-=-=-=-=-=-=-=
     
  2. jeffg

    This is psad port scan active detection. Your danger level email notification is set to 1; you may want to increase it.
    /etc/psad/psad.conf

    $DANGER_LEVELS{'1'} = 5;
    $DANGER_LEVELS{'2'} = 50;    # <------
    $DANGER_LEVELS{'3'} = 1000;
    $DANGER_LEVELS{'4'} = 5000;
    my $ENABLE_EMAIL_ALERTS = "Y";
    my $EMAIL_ALERT_DANGER_LEVEL = 2;    # <- 50 from same source


    Seeing the ports that are being scanned, it is likely someone (or a virus/worm) looking for Windows machines to exploit. Scans "might" come before an attempted crack, but by themselves they won't do you any harm.
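
An added example, not part of the reply above and not psad's own code: it parses the settings posted in the reply and the key fields of the alert from the first post, then shows why an alert with 32 blocked packets is mailed at an email threshold of 1 but not at 2. It assumes a danger level is the highest level whose packet count has been reached, which is how the reply's "50 from same source" note reads; the function names are hypothetical.

```python
import re

# Settings as posted in the reply above (Perl-style psad.conf of that era).
PSAD_CONF = """\
$DANGER_LEVELS{'1'} = 5;
$DANGER_LEVELS{'2'} = 50;
$DANGER_LEVELS{'3'} = 1000;
$DANGER_LEVELS{'4'} = 5000;
my $ENABLE_EMAIL_ALERTS = "Y";
my $EMAIL_ALERT_DANGER_LEVEL = 2;
"""

# Fields copied from the alert in the first post.
ALERT = """\
Source: 66.96.193.2
Total blocked packets: 32
Danger level: 1 out of 5
"""

def parse_conf(text):
    """Return ({level: packet_threshold}, email_level, email_enabled)."""
    levels = {int(l): int(n) for l, n in
              re.findall(r"\$DANGER_LEVELS\{'(\d+)'\}\s*=\s*(\d+)\s*;", text)}
    email_level = int(re.search(r"\$EMAIL_ALERT_DANGER_LEVEL\s*=\s*(\d+)", text).group(1))
    enabled = re.search(r'\$ENABLE_EMAIL_ALERTS\s*=\s*"([YN])"', text).group(1) == "Y"
    return levels, email_level, enabled

def parse_alert(text):
    """Pull the source, packet count and reported danger level from an alert body."""
    fields = dict(re.findall(r"^\s*([^:\n]+):\s*(.+)$", text, re.M))
    return (fields["Source"], int(fields["Total blocked packets"]),
            int(fields["Danger level"].split()[0]))

def danger_level(packets, levels):
    """Assumed mapping: highest level whose packet threshold has been reached."""
    return max((lvl for lvl, need in levels.items() if packets >= need), default=0)

def would_email(packets, levels, email_level, enabled=True):
    return enabled and danger_level(packets, levels) >= email_level

if __name__ == "__main__":
    levels, email_level, enabled = parse_conf(PSAD_CONF)
    src, packets, reported = parse_alert(ALERT)
    print(src, packets, "computed level", danger_level(packets, levels), "reported", reported)
    print("mailed with threshold 1:", would_email(packets, levels, 1, enabled))
    print("mailed with threshold", email_level, ":", would_email(packets, levels, email_level, enabled))
```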
     