Weird traffic on server, last few days....

MrLoathsome
Inhuman
Posts: 958
Joined: Wed Mar 31, 2010 9:02 pm
Personal rank: I am quite rank.
Location: MrLoathsome fell out of the world!

Weird traffic on server, last few days....

Post by MrLoathsome »

Has anybody else who actually looks at their log files or server consoles been seeing a bunch of connections
from IP 185.130.5.228? They never actually connect to the server, and then time out. Not a flood or DDOS attack, but it seems
to retry every 6 to 8 hours or so. (Guess based on glancing at the consoles... Ain't got around to reading all my log files yet.)

Whoever that is, seems to be scanning everything everywhere last few days.
(At least according to the limited info that turned up on a quicky google search I just did.)

Not something I am too worried about as my stuff is locked up pretty tight, but just curious
if anybody else had seen this IP attempting connections to their servers. (UT and others....)
Those of you with hosted servers may not be affected if your host/isp has blacklisted that IP.

Note this traffic has been on both my main server and my test server.
Main server also runs HTTP and FTP services and has been up for years. Port scans are not uncommon.
The test server is on a different IP, and is invisible other than 1 UT server.
This scan/probe seems a bit odd compared to others I have seen over the years.

Noticed this was happening as I was getting ready to prep my main server for cloning of the HDD.
It is gonna be down for a day or 3 anyway.
It has been running 24/7 for over a decade on the same WD120GB HDD. Each year I am more amazed that it keeps running. :roll:
I have 2 identical drives sitting on a shelf here.
And pretty much every single part I need to clone the entire box. When I built it long ago, I got spare parts.
But nothing has ever broke on it other than 1 power supply 6 years ago, and a few fans.
These P3 Tualatin CPUs are bulletproof. They don't die or even have any issues if the CPU fan dies. They
just run a little bit hotter. And SuperMicro motherboards rule all. No discussion of that needed.

It is time to clone the whole goddamn thing now. And have a spare HDD ready to boot in either of them.
DD time baby. (i.e. dd if=/dev/sda of=/dev/sdb bs=512 conv=noerror,sync)

Anyhoo, I am rambling a bit. Been multi-tasking today, and one of the tasks was drinking beer.
Gonna play some Doom, then take a nap before I attempt the server HDD clone procedure.

But if anybody has seen any weird traffic from that IP, post it up, as I am curious.
Last edited by MrLoathsome on Wed Feb 03, 2016 4:10 am, edited 1 time in total.
blarg
Chamberly
Godlike
Posts: 1963
Joined: Sat Sep 17, 2011 4:32 pm
Personal rank: Dame. Vandora
Location: TN, USA

Re: Weird traffic on server, last few days....

Post by Chamberly »

@Nelsona China peeking around again?
Edit: Why does my sig not work anymore?
MrLoathsome
Inhuman
Posts: 958
Joined: Wed Mar 31, 2010 9:02 pm
Personal rank: I am quite rank.
Location: MrLoathsome fell out of the world!

Re: Weird traffic on server, last few days....

Post by MrLoathsome »

Wow. A quick reply.

Actually, the IP is either located in Dominica, or the Netherlands, or perhaps North Carolina.
Getting weird results from whois sites and other checks.

One of the whois thingies I checked showed a Google Maps location that seemed to be about
100 miles off the coast of Nigeria.

Those guys are up to something....

@DrFlay. Hey! Penetration testing is free if you just wait a few days. :loool:
blarg
Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Re: Weird traffic on server, last few days....

Post by Barbie »

grep 185.130.5.228 ucc.init.log* wrote:
ucc.init.log.3:Open MyLevel Sun Jan 31 15:09:33 2016 185.130.5.228:39721
ucc.init.log.3:Open MyLevel Sun Jan 31 15:31:01 2016 185.130.5.228:53273
ucc.init.log.3:Open MyLevel Sun Jan 31 15:56:01 2016 185.130.5.228:54912
ucc.init.log.3:Open MyLevel Sun Jan 31 16:23:57 2016 185.130.5.228:53797
ucc.init.log.3:Open MyLevel Sun Jan 31 16:39:39 2016 185.130.5.228:34302
ucc.init.log.3:Open MyLevel Sun Jan 31 17:06:34 2016 185.130.5.228:43335
ucc.init.log.3:Open MyLevel Sun Jan 31 17:21:37 2016 185.130.5.228:50141
ucc.init.log.3:Open MyLevel Sun Jan 31 17:27:57 2016 185.130.5.228:52587
ucc.init.log.3:Open MyLevel Sun Jan 31 18:26:12 2016 185.130.5.228:35423
ucc.init.log.3:Open MyLevel Sun Jan 31 18:33:34 2016 185.130.5.228:41219
ucc.init.log.3:Open MyLevel Mon Feb 1 14:03:30 2016 185.130.5.228:48122
ucc.init.log.3:Open MyLevel Mon Feb 1 17:32:12 2016 185.130.5.228:60078
ucc.init.log.3:Open MyLevel Mon Feb 1 17:35:06 2016 185.130.5.228:37856
ucc.init.log.3:Open MyLevel Mon Feb 1 17:37:09 2016 185.130.5.228:54412
ucc.init.log.3:Open MyLevel Mon Feb 1 18:41:30 2016 185.130.5.228:37863
ucc.init.log.3:Open MyLevel Mon Feb 1 18:41:30 2016 185.130.5.228:59215
ucc.init.log.3:Open MyLevel Mon Feb 1 18:41:30 2016 185.130.5.228:59714
ucc.init.log.3:Open MyLevel Mon Feb 1 18:41:31 2016 185.130.5.228:46437
ucc.init.log.3:Open MyLevel Mon Feb 1 18:41:47 2016 185.130.5.228:57132
ucc.init.log.3:Open MyLevel Mon Feb 1 18:45:28 2016 185.130.5.228:45254
ucc.init.log.3:Open MyLevel Mon Feb 1 18:45:28 2016 185.130.5.228:33478
ucc.init.log.3:Open MyLevel Mon Feb 1 18:45:28 2016 185.130.5.228:49588
ucc.init.log.3:Open MyLevel Mon Feb 1 18:45:28 2016 185.130.5.228:51136
ucc.init.log.3:Open MyLevel Mon Feb 1 18:46:31 2016 185.130.5.228:49368
ucc.init.log.3:Open MyLevel Mon Feb 1 18:46:31 2016 185.130.5.228:34668
ucc.init.log.3:Open MyLevel Mon Feb 1 18:50:02 2016 185.130.5.228:42037
ucc.init.log.3:Open MyLevel Mon Feb 1 18:50:02 2016 185.130.5.228:42163
ucc.init.log.3:Open MyLevel Mon Feb 1 18:51:18 2016 185.130.5.228:42527
ucc.init.log.3:Open MyLevel Mon Feb 1 18:51:18 2016 185.130.5.228:42064
ucc.init.log.3:Open MyLevel Tue Feb 2 16:36:21 2016 185.130.5.228:57787
ucc.init.log.3:Open MyLevel Tue Feb 2 16:36:28 2016 185.130.5.228:51887
ucc.init.log.3:Open MyLevel Tue Feb 2 16:37:54 2016 185.130.5.228:36241
ucc.init.log.3:Open MyLevel Tue Feb 2 16:38:00 2016 185.130.5.228:60103
ucc.init.log.3:Open MyLevel Tue Feb 2 17:46:14 2016 185.130.5.228:59342
ucc.init.log.3:Open MyLevel Tue Feb 2 17:46:14 2016 185.130.5.228:46861
ucc.init.log.3:Open MyLevel Wed Feb 3 00:24:34 2016 185.130.5.228:43003
ucc.init.log.3:Open MyLevel Wed Feb 3 00:24:34 2016 185.130.5.228:38784
ucc.init.log.3:Open MyLevel Wed Feb 3 00:24:46 2016 185.130.5.228:39553
ucc.init.log.3:Open MyLevel Wed Feb 3 00:24:46 2016 185.130.5.228:44687
ucc.init.log.5:Open MyLevel Fri Jan 29 01:19:51 2016 185.130.5.228:37974
EDIT: deleted Google search query - everyone reading here is able to do that
"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett
JackGriffin
Godlike
Posts: 3774
Joined: Fri Jan 14, 2011 1:53 pm
Personal rank: -Retired-

Re: Weird traffic on server, last few days....

Post by JackGriffin »

PeerBlock. Add to blacklist. Problem solved.
So long, and thanks for all the fish
Higor
Godlike
Posts: 1866
Joined: Sun Mar 04, 2012 6:47 pm

Re: Weird traffic on server, last few days....

Post by Higor »

If you were getting hit a tenth of what |uk| servers get hit, your server would go down faster than you think.
No, that's not scanning, that's an attack trying to crash the server through a malloc fail or to make it inaccessible by hogging the whole socket pipeline.

PS: Dat Linux server log, it gets worse on that because there are actually no good binaries to help patch that ATM.
sektor2111
Godlike
Posts: 6403
Joined: Sun May 09, 2010 6:15 pm
Location: On the roof.

Re: Weird traffic on server, last few days....

Post by sektor2111 »

Chamberly wrote:@Nelsona China peeking around again?
China will stop roaming when Earth will stop moving.
I gotta save this IP and I'll see who is this "smarty" genius.
Barbie wrote:EDIT: deleted Google search query - everyone reading here is able to do that
Why? Let G00gle spread his info until something knocks at the turd's door. Anyway I won't post everything here to show you who is trying hack attempts (failed at my primitive trash server) and what kind of attempts, because it might not be good.

One day I was popping into the Ecoop forum, suddenly some "ads" started to annoy me, and I clicked on such a window. Heh, the antivirus's web plugin warned me about an evil location called "Braside.ru" (which I later added to hosts + A d d B l o c k), hosted in the Netherlands. Something from the Netherlands seems to do links with sh!t with Ecoop. I don't get what's the deal with those ads and why they are there, because I never read them and I block all these things out of my interest.
Here is something, even reported:
(attachment: oopsyy.PNG)
Static IP? No worries, I go to see the entire class and I might go at a higher level as needed. The guy seems not to know that he will soon be in trouble accessing things... te he.
MrLoathsome
Inhuman
Posts: 958
Joined: Wed Mar 31, 2010 9:02 pm
Personal rank: I am quite rank.
Location: MrLoathsome fell out of the world!

Re: Weird traffic on server, last few days....

Post by MrLoathsome »

Very interesting. I knew it was a bit different, and suspected it wasn't just hitting me.

Barbie's log shows the attempts coming much more frequently than what I have been getting, but that could be
due to one of my firewall settings someplace or another.
I have seen many, many random connection attempts that time out on the UT servers over the years, but none have been as
systematic as this one. Most of the others are probably just random port scanners that give up when they get no result.

@Higor:
Why would somebody be trying to crash antique UT servers?

Their attempts so far are failing completely, if that is the goal.
Neither of my 2 machines has had any issues with normal operations.
(2 different OSes, 2 different versions of UT server....)

A simple DDOS attack would bring down my slow connection with much less effort
than whatever this is. If that is what they want to do....... :wtf: :pfff: :mad2:

@Jack:

Of course I could just block/blacklist that IP, but then as soon as the same sort of crap starts showing up from a different
IP I have to do it again. Screw that. Sounds like work. I dislike that approach.

If I can track down a pattern of some sort from the log files, I should be able to write a rule for my nifty IPTABLES stuff
that will block any IPs trying that crap dynamically. (Fail2Ban rocks. :rock: )

@sektor2111:

All the ads on my site do suck a lot. Don't click them. (Go ahead and click the Donate Button. That one is ok, and has never been used. :roll: )
I recommend using adblock and flashblock if/when you visit my site.

afCore set the website up when he was still working on the ecoop code, as the price was right.
The site is free, and also hosts my redirect. Free is a good price, so that is what I got.

If (sektor2111.IsA('Nelsona')) bTheseGuysAreInTrouble = True;

Will post back later and let you all know if the probes continue or if anything else changes.

*Edit: If (Nelsona(sektor2111) != None) bTheseGuysAreInTrouble = True;
That's better.
blarg
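The approach MrLoathsome describes above (find the pattern in the log, then let a rule ban matching IPs dynamically) needs two things: a parser for the `Open MyLevel ... ip:port` lines Barbie grepped out of `ucc.init.log`, and a per-IP rate check, since a single `Open` line is also what every legitimate player produces. The script below is an added example written for this thread, not code from the forum or from the UT server itself. The sample log text is constructed in the same format as the quoted lines (with two made-up documentation-range IPs mixed in), the 4-opens-in-5-minutes threshold is an assumed tuning value, and the `<HOST>` failregex it prints is the shape fail2ban expects for a filter; the date format fail2ban needs for these timestamps is not checked here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the ucc.init.log lines quoted in the thread:
# "<grep filename>:Open <level> <ctime timestamp> <source ip>:<source port>".
# 192.0.2.10 and 198.51.100.7 are documentation-range addresses standing in for normal players.
SAMPLE_LOG = """\
ucc.init.log.3:Open MyLevel Mon Feb 1 18:41:30 2016 185.130.5.228:37863
ucc.init.log.3:Open MyLevel Mon Feb 1 18:41:30 2016 185.130.5.228:59215
ucc.init.log.3:Open MyLevel Mon Feb 1 18:41:30 2016 185.130.5.228:59714
ucc.init.log.3:Open MyLevel Mon Feb 1 18:41:31 2016 185.130.5.228:46437
ucc.init.log.3:Open MyLevel Mon Feb 1 18:41:47 2016 185.130.5.228:57132
ucc.init.log.3:Open MyLevel Mon Feb 1 18:45:28 2016 185.130.5.228:45254
ucc.init.log.3:Open MyLevel Mon Feb 1 18:50:02 2016 192.0.2.10:51000
ucc.init.log.3:Open MyLevel Tue Feb 2 16:36:21 2016 185.130.5.228:57787
ucc.init.log.3:Open MyLevel Tue Feb 2 16:36:28 2016 185.130.5.228:51887
ucc.init.log.3:Open MyLevel Tue Feb 2 16:37:54 2016 185.130.5.228:36241
ucc.init.log.3:Open MyLevel Tue Feb 2 20:00:00 2016 198.51.100.7:40000
"""

# Optional "filename:" prefix left by grep, the level name, a ctime-style timestamp, then ip:port.
LINE_RE = re.compile(
    r"^(?:[^:\s]+:)?Open \S+ "
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)


def parse_line(line):
    """Return (timestamp, ip, port) for an 'Open' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # ctime pads single-digit days with a second space; collapse before strptime.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), int(m.group("port"))


def count_opens(lines):
    """Group 'Open' timestamps by source IP (the source port changes on every attempt, so ignore it)."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, _port = parsed
            by_ip[ip].append(ts)
    for times in by_ip.values():
        times.sort()
    return dict(by_ip)


def max_in_window(times, window_seconds):
    """Largest number of sorted timestamps inside any span of window_seconds (two-pointer sweep)."""
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bursts(lines, threshold=4, window_seconds=300):
    """Map each IP whose peak open rate reaches the threshold to that peak count.

    A lone 'Open' is what a real player looks like, so the decision is made on the
    burst rate, not on a single hit. threshold/window are assumed tuning values.
    """
    result = {}
    for ip, times in count_opens(lines).items():
        peak = max_in_window(times, window_seconds)
        if peak >= threshold:
            result[ip] = peak
    return result


def fail2ban_failregex():
    """The same line shape as LINE_RE, with fail2ban's <HOST> token in place of the IP group."""
    return r"^Open \S+ .* <HOST>:\d+$"


if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} opens within 5 minutes")
    print("failregex =", fail2ban_failregex())
```

Running the block flags only 185.130.5.228 (six opens inside one five-minute window on Feb 1); the two stand-in player addresses each have a single open and stay below the threshold. To feed real data, replace `SAMPLE_LOG.splitlines()` with the lines of `ucc.init.log*`; the parser accepts both the raw file and grep output with the filename prefix.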
JackGriffin
Godlike
Posts: 3774
Joined: Fri Jan 14, 2011 1:53 pm
Personal rank: -Retired-

Re: Weird traffic on server, last few days....

Post by JackGriffin »

Takes too long to even consider them. I run a simple home FTP server and I block several hundred unique IPs from China *a day*. This thing you are describing happens constantly and just doesn't warrant any of your effort other than to just hammer them. The consideration flowchart for this is really simple. If they aren't there to play and they are sniffing one of your game ports (server, webadmin, FTP) then they get blacklisted and you move on.
So long, and thanks for all the fish
sektor2111
Godlike
Posts: 6403
Joined: Sun May 09, 2010 6:15 pm
Location: On the roof.

Re: Weird traffic on server, last few days....

Post by sektor2111 »

MrLoathsome wrote: Of course I could just block/blacklist that IP, but then soon as the same sort of crap starts showing up from a different
IP then I have to do it again. Screw that. Sounds like work. I dislike that approach.
If you run Linux, there is some equivalent of PeerBlock as far as I know, and it works pretty much standalone (self-updating and the rest). As long as ALL known evils are listed and your lists are up to date you can breathe relaxed. Last time I was very relaxed from this point of view. Hosts also, I guess, has now 28MB of bad web locations.

What have I been doing since M$ stopped XP support? 3 months of outage, monitoring how the rest of the users are acting + getting info. In this way a kick in the butt for me was a step forward. Thank M$ for pushing me forward. Firewalls upgraded based on lists of evils are priceless and even free. They even give an example of using a list as a model... China. Why that model? Perhaps China sounds like a bot "WhatTodoNext('Roaming', 'Begin');". Even if you suspend them for 1 hour, they return soon "Camptime=2.000000;". So there is one deal: life-time restriction until someone from there asks politely to unblock him/her (which I doubt). Each time a PC is started and connected to the Internet, within a maximum of 30 minutes it receives a connection from there. If not, then the Internet there has problems or is "protected".
No worries, rules are perfect for the rest of the "roamers" as well, from places where you have never seen a UT player or you never read those languages.
That IP which you posted was driving me to some list 2015-2016 - looks like it is known; however I'm curious if the guy wants to be a popular restriction or is just dumb.
Also I found info about some server doing "team-work", giving a script able to upload logs in case of sh!t requested, and they go automatically onto lists with 0 effort and no time wasted on research. So to speak, a cute trap for fans of stunts. Or perhaps, living in the forest and suddenly discovering The Internet for 2 hours, he thinks that the rest of the world is still living in 1996 and nobody knows what he does. On my operating machine I was almost going to add restrictions in reverse: ban everything except ... your daily visits and updates fired from your machine.
I'm going to start my kinda server to see if something comes around - I'll bet it won't show up in Apache logs and neither in UT, since the firewall has already been updated recently.
Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Re: Weird traffic on server, last few days....

Post by Barbie »

MrLoathsome wrote:Why would somebody be trying to crash antique UT servers?
Either there is an unknown vulnerability in UT (from what I've seen in UScript stock code I can imagine that there are some). Or it is simply a scan of what program is listening on what port. If a vulnerable program is found, another script is started and will attack it with an exploit.
"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett
Gustavo6046
Godlike
Posts: 1462
Joined: Mon Jun 01, 2015 7:08 pm
Personal rank: Resident Wallaby
Location: Porto Alegre, Brazil
Contact:

Re: Weird traffic on server, last few days....

Post by Gustavo6046 »

Barbie wrote:
MrLoathsome wrote:Why would somebody be trying to crash antique UT servers?
Either there is an unknown vulnerability in UT (from what I've seen in UScript stock code I can imagine that there are some). Or it is simply a scan of what program is listening on what port. If a vulnerable program is found, another script is started and will attack it with an exploit.
I think he didn't mean the how, but the why, i.e. the gains, and reasons for attacking the server.

In my opinion, FUN. Everyone loves messing things up! But sometimes you must limit it to testing explosive water balloons at the backyard. ;)
"Everyone is an idea man. Everybody thinks they have a revolutionary new game concept that no one else has ever thought of. Having cool ideas will rarely get you anywhere in the games industry. You have to be able to implement your ideas or provide some useful skill. Never join a project whose idea man or leader has no obvious development skills. Never join a project that only has a web designer. You have your own ideas. Focus on them carefully and in small chunks and you will be able to develop cool projects."

Weapon of Destruction
Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Re: Weird traffic on server, last few days....

Post by Barbie »

Wasn't the WHY obvious? If I find a vulnerable application, the main goal is to get a login on that machine. And with other exploits perhaps I can gain administrative rights there. If that machine is part of a LAN I maybe can take over the whole network. And then I rent my bots to others who send spam, infect third parties' computers, spread viruses, drive DDOS attacks and all other dirty things, all in the sense of getting protection or unlocking money.

The days of opening a CD tray on remote computers are long gone.

EDIT: spell fix
"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett
MrLoathsome
Inhuman
Posts: 958
Joined: Wed Mar 31, 2010 9:02 pm
Personal rank: I am quite rank.
Location: MrLoathsome fell out of the world!

Re: Weird traffic on server, last few days....

Post by MrLoathsome »

Guess it no longer matters to me anyway.

Unplugged the broken CD drive that was on the secondary IDE channel and plugged in
one of the spare drives today.

Next step was to run the DD command and clone the disk.

Now the goddamn machine sees no HDD at all.

Unplugged secondary cable. Primary HDD still not found by the motherboard.

Tried a different ribbon cable on it. Still no HDD at all.

Guess I am done with this shit.

Fuck it all anyway.
blarg
Barbie
Godlike
Posts: 2792
Joined: Fri Sep 25, 2015 9:01 pm
Location: moved without proper hashing

Re: Weird traffic on server, last few days....

Post by Barbie »

MrLoathsome wrote:Guess I am done with this shit.
Just for you:
(image: Lemony-Lavender-Mint-Tea.jpg)
8)

If you want support with that issue, let us know.
"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett