This is infuriating that I continue to get this repeats of nine and more possible hack attempts from the same certain IP addresses blocked by Malwarebytes, which I get popups every time it happens. This is a snapshot from my logs after one has happened, and I also save text file logs of it.

From what I can tell, they appeared to be originating from Linode almost every time and when I tried to file complaints with them, they keep claiming it is a security researcher or something and end up doing nothing about it. I’m currently wondering what to do about this as I have a folder of so many save logs of it on my computer.

  • MangoPenguin@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    23
    ·
    10 months ago

    It’s normal to get scans/attempts on any public IP.

    That said, malwarebytes is usually run on personal computers, do you have ports forwarded to your PC from the internet?

      • i2ndshenanigans@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        ·
        10 months ago

        If they are making it past your firewall and hitting your computer then the firewall is open and it shouldn’t be. Or that’s an outbound connection triggering the alert.

        • Kid_Thunder@kbin.social
          link
          fedilink
          arrow-up
          6
          ·
          edit-2
          10 months ago

          Just clarification here, a NAT is NOT a firewall. It will drop packets originating from outside the network if the ports aren’t forwarded to an IP simply because the NAT has no idea which device on the network to send the packets to. A forwarded port is you telling the NAT to assume packets coming into a specific port should be forwarded to a specific device. It is acting as a security measure simply by coincidence but not by design. Unlike a firewall it will not inspect any packet payload or attempt to make a security decision on outbound packets. It only routes based on the packet headers.

          A firewall on the other hand actively will reject or drop packets because it is an Intrusion Prevention System (IPS). This is why if your router has a built-in firewall, your NAT will still drop the packets – because it isn’t a firewall nor is it what is being referred to if you disable it.

          • Weslee@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            10 months ago
            1. You are seeing the logs on your pc, if the connections are hitting your pc then your router is not doing its job correctly and you need to look into it.
            2. If you don’t have a static ip set up, try rebooting your router. Most ISPs will cycle you a new IP address.
            3. I don’t think this is really a hack attempt, for one, no one hacks people using their true ip, and you said you spoke to them so
            • Konala Koala@lemmy.worldOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              10 months ago

              Well, I just went through some online instructions to setup an inbound rule in Windows Defender Firewall that is a list of IPs to have it block, hoping that will solve this ongoing problem I was having.

        • Konala Koala@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          10 months ago

          Not that I can tell, this is what shows up in the logs of just one of the hack or scan attempts.

          Malwarebytes www.malwarebytes.com

          -Log Details- Protection Event Date: 1/2/24 Protection Event Time: 10:48 PM Log File: f150648e-a9ea-11ee-8d8b-04d4c458e8f6.json

          -Software Information- Version: 4.6.7.301 Components Version: 1.0.2222 Update Package Version: 1.0.79191 License: Premium

          -System Information- OS: Windows 10 (Build 19045.3803) CPU: x64 File System: NTFS User: System

          -Blocked Website Details- Malicious Website: 1

          -Website Data- Category: Compromised Domain: IP Address: 45.79.168.172 Port: 6667 Type: Inbound

          • Kid_Thunder@kbin.social
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            10 months ago

            Port 6667 is a typical IRC port. It is sometimes used by remote access backdoors for command and control via a channel (chat room basically) on an IRC server, however, if that port isn’t forward OR you don’t have your PC set as the DMZ Host (you should never do this), then you probably have malicious software on your system.

            If it isn’t forwarded, then your NAT would drop the packets and Malwarebytes would never see it because they wouldn’t be there. Malicious software can forward ports via uPNP and you should turn that off on your router or router/modem combo. It can also make it through if the connection is starting from inside of your network for TCP, which is the protocol that would be used for 6667 normally.

  • Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    English
    arrow-up
    16
    ·
    10 months ago

    Looks like it’s just a port scanner. If you’re going to report every port scanner or exploit bot, you’re going to have a full time job as a voluntary internet policeman.

    I’d just ignore it if I were you, these things happen. My servers gets hundreds, or sometimes even thousand of these a day.

    If it pops up in Malwarebytes that means you’ve either opened the port or disabled your router’s firewall somehow. If this was intentional: welcome to the internet. If it wasn’t, check your firewall settings, because there are much worse things than automatic exploit scanners.

    You can try to fight back (you could tarpit the scanners, or use a gzip bomb to maybe crash their scanner) but it’s probably not worth the effort.

  • cmnybo@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    6
    ·
    10 months ago

    If you don’t have any of those ports open, then just ignore it. There are lots of bots out there that are just scanning for easy targets.