0

I am using dedicated server hosting for one of my projects. I got a mail from my server provider saying that their monitoring system noticed a network scan (or network attack) from an IP address. The Netscan output they sent me is something like this:

Sun Mar 16 09:57:21 2014 TCP my_server_ip 63624 => attacker_server_ip_1 5038
Sun Mar 16 09:57:21 2014 TCP my_server_ip 63624 => attacker_server_ip_2 5038
Sun Mar 16 09:57:21 2014 TCP my_server_ip 63624 => attacker_server_ip_3 5038 
Sun Mar 16 09:57:21 2014 TCP my_server_ip 63624 => attacker_server_ip_4 5038 

and so on .... The attacker has used multiple IPs, probably more than 200 IPs.
Please guide me on what this attack is all about and what I should do to avoid this attack.

Many many thanks in advance

Haider Ali

1 Answer

3

Unless you are running a service on port 63624, by my reading of this log, it was YOUR server which was doing the port scan (i.e. it may have been hacked). You have not advised what OS you are using - advising this might help us work out what's going on, but do you get any kind of response when you telnet to your server on port 63624?

The reason I say this is the traffic shows as going from your server to the attacker's server, when normally the reverse would be expected. Similarly, while not impossible, I think it would be unusual for an ISP to notify you of an incoming port scan, as they occur all the time and there is little that can be done about them.

Are you able to post a fuller version of the log?

davidgo
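The direction reading given in the answer above can be checked mechanically. This is an added example, not part of the original post: it parses lines in the report's format and flags any source that contacts many distinct hosts on one destination port. The addresses are constructed (documentation ranges), and the function names and the `min_targets` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Report line format: <timestamp> <proto> <src> <sport> => <dst> <dport>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<proto>TCP|UDP) (?P<src>\S+) (?P<sport>\d+) => "
    r"(?P<dst>\S+) (?P<dport>\d+)\s*$"
)

# Constructed sample in the report's format (not the poster's real data).
SAMPLE = """\
Sun Mar 16 09:57:21 2014 TCP 192.0.2.10 63624 => 198.51.100.1 5038
Sun Mar 16 09:57:21 2014 TCP 192.0.2.10 63624 => 198.51.100.2 5038
Sun Mar 16 09:57:21 2014 TCP 192.0.2.10 63624 => 198.51.100.3 5038
Sun Mar 16 09:57:21 2014 TCP 192.0.2.10 63624 => 198.51.100.4 5038
Sun Mar 16 09:58:02 2014 TCP 203.0.113.7 40112 => 192.0.2.10 22
and so on ....
""".splitlines()

def parse(line):
    """Return one record as a dict, or None for lines that are not records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(lines, my_ip, min_targets=3):
    """Flag (source, destination port) pairs that fan out to many hosts.

    Returns tuples (src, dport, distinct_targets, src_is_my_server).
    min_targets is an assumed threshold; tune it to the size of the report.
    """
    targets = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        targets[(rec["src"], rec["dport"])].add(rec["dst"])
    return [
        (src, dport, len(dsts), src == my_ip)
        for (src, dport), dsts in sorted(targets.items())
        if len(dsts) >= min_targets
    ]

if __name__ == "__main__":
    for src, dport, n, mine in summarize(SAMPLE, my_ip="192.0.2.10"):
        origin = "this server" if mine else "another host"
        print(f"{src} ({origin}) contacted {n} hosts on port {dport}")
```

A finding whose last field is `True` means the scan traffic originates from the server itself, which is the case the answer describes.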