Unusual Traffic at 5 AM


Well, it didn't take long to come up with another "horror" story--at least, it scared me. I had expected this article to be about one of my experiences earlier in the year. Then, I had a scare this morning just before 5 AM when I noticed some significant, unusual traffic from the internet to my webserver. Yes, I was up before 5 AM and working on one of my websites. What can I say? I'm a morning person.

I was first tipped off to the activity when my text editor hesitated as I was typing. I checked what was happening using the "bmon" command and by looking at the "sys" and "auth" logs. They showed nothing unusual. So, I was forced to turn on access logging to see what lighttpd was doing. This is the first time I've had to resort to that, believe it or not, because I've never seen traffic before that I couldn't identify. As a result, I had to modify all my privacy policies on all my websites to tell visitors that I would briefly enable logging of IP addresses when absolutely necessary to thwart hacking attempts! The traffic turned out to be coming from port scanning, which showed up in the "access" log for misc-stuff as:

   "GET / HTTP/1.0" 200 10557 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"

This port scanner (https://github.com/robertdavidgraham/masscan) claims: "This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine." I didn't realize that was even possible.

None of my other websites logged this activity. This makes me suspect that perhaps the recent attention that misc-stuff received from my article last week, "I Miss the Old Internet", has put me on some hackers' lists for the first time. Well, I guess my website security honeymoon is over, and the security nightmare begins...
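
As an added example (not part of the original post), here is one way to pull self-identified scanners like the one above out of an access log with Python. It assumes the client address is the first field and that each line ends with the request, status, size, referer and user-agent fields seen in the logged line; the sample lines, addresses and host name are constructed, and the zgrab and Nmap tokens are additions.

```python
import re
from collections import defaultdict

# Assumed layout: client address first, and the line ends with the fields
# visible in the post: "request" status bytes "referer" "user-agent".
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)

# Lowercase substrings. "masscan" is from the post; the other two are
# additions for scanners that also announce themselves in the User-Agent.
SCANNER_TOKENS = ("masscan", "zgrab", "nmap scripting engine")

# Constructed sample lines (documentation-range addresses, made-up times).
SAMPLE_LOG = """\
192.0.2.10 misc-stuff.example - [01/Jan/2024:04:55:01 +0000] "GET / HTTP/1.0" 200 10557 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
198.51.100.7 misc-stuff.example - [01/Jan/2024:04:55:03 +0000] "GET /index.html HTTP/1.1" 200 10557 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 misc-stuff.example - [01/Jan/2024:04:55:09 +0000] "GET / HTTP/1.0" 200 10557 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
this line is truncated and should be counted, not crash the parser
"""

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None

def summarize_scanners(lines):
    """Group self-identified scanner requests by client address.

    Returns (per_client, unparsed): per_client maps address -> hits,
    requests and statuses; unparsed counts lines that did not match.
    """
    per_client = defaultdict(lambda: {"hits": 0, "requests": set(), "statuses": set()})
    unparsed = 0
    for line in filter(str.strip, lines):
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif any(tok in rec["agent"].lower() for tok in SCANNER_TOKENS):
            entry = per_client[rec["client"]]
            entry["hits"] += 1
            entry["requests"].add(rec["request"])
            entry["statuses"].add(int(rec["status"]))
    return dict(per_client), unparsed

if __name__ == "__main__":
    clients, bad = summarize_scanners(SAMPLE_LOG.splitlines())
    for addr, info in clients.items():
        print(addr, info["hits"], sorted(info["statuses"]), sorted(info["requests"]))
    print("unparsed lines:", bad)
```

The User-Agent header is chosen by the client, so this only catches scanners that announce themselves; a scan that sends a browser-like string will not appear in the summary.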

