Why is emoncms.org server doing port scanning of my IP

Wasn't emoncms supposed to be one way only, for the client/NanodeRF to send, not to listen on any ports? And now I'm seeing several port scan (attempts) from the emoncms server coming towards my IP...

Address 213.138.101.177 -> emonvm.default.openenergymon.uk0.bigv.io

Feb 19 15:53:24 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to 89:3057
Feb 19 15:53:29 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to 89:2876
Feb 19 15:53:35 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to 89:2876
Feb 19 15:53:36 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to 89:3057
Feb 19 15:53:47 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to 89:2876
Feb 19 15:54:00 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to 89:3057

First three digits of my own IP address removed. I have not opened any ports back to the Nanode RF, so is there a virus on the emoncms server or what's going on here?

Petrik wrote:

Re: Why is emoncms.org server doing port scanning of my IP

Did some snooping around. The requests from the publicly hosted emoncms.org are not in sync with what my NanodeRF is sending, so either there is a bug in the emoncms code or alternatively there is a virus on the hosted public emoncms.org server.

The rows with HackAttack are unexpected replies from the public emoncms.org. The others are just normal replies returned in response to a request from the NanodeRF.

Feb 19 19:39:25 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:39:27 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:39:27 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:39:30 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:39:36 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:39:39 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:3037
Feb 19 19:39:43 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2881
Feb 19 19:39:48 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:39:53 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2837
Feb 19 19:40:00 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:40:12 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:40:24 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:40:36 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:40:48 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
Feb 19 19:41:00 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925
...
Feb 19 19:53:44 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2924
Feb 19 19:53:46 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2825
Feb 19 19:53:47 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2858
Feb 19 19:53:50 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2924
Feb 19 19:53:54 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:3014
Feb 19 19:53:57 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2986
Feb 19 19:53:58 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2825
Feb 19 19:53:59 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:3019
Feb 19 19:53:59 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2858

This happens often enough, almost every couple of seconds, to trigger the hack attack algorithm on my firewall.

Feb 19 19:57:01 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2845
Feb 19 19:57:07 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2879
Feb 19 19:57:13 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2879
Feb 19 19:57:15 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2889
Feb 19 19:57:21 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2889
Feb 19 19:57:25 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2879


Lloyd wrote:

Re: Why is emoncms.org server doing port scanning of my IP

I think you need to see what is in those packets. When I built my NanodeRF it was rubbish at closing connections down properly (the library may have moved on since then), and I found I was getting packets coming back from servers when they finally decided to time out a connection. It seemed random, but in fact was not.

Lloyd
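
The small analyser below is an added illustration written for this thread; it is not code from emoncms, the NanodeRF library or either poster. It parses the router log lines Petrik quoted above and turns Lloyd's explanation into a check: if every flagged packet comes from the same service port (80) that the accepted replies come from, and the flagged destination ports all sit inside the client's own ephemeral port range seen in the forwarded replies, the pattern is consistent with late packets on connections the client already tore down rather than with a port scan. A constructed contrasting sample (peer 198.51.100.7, a documentation address) shows what a scan-like pattern looks like to the same rule. The function names, the verdict labels and the range heuristic are my own assumptions, not anything the firewall itself reports.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Router firewall syslog format as quoted in the thread. PacketFilter lines have no
# bracketed tag; HackAttack lines carry one such as "[SPI:Illegal connection state attack]".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<module>\w+): "
    r"(?:\[(?P<tag>[^\]]+)\] )?(?:Forward )?TCP packet from \[(?P<iface>\w+)\] "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) to (?P<dst>[\w.]+):(?P<dst_port>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    module: str      # "PacketFilter" = forwarded, "HackAttack" = flagged and dropped
    src_ip: str
    src_port: int
    dst: str
    dst_port: int


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse the lines that match the format above; anything else (e.g. '...') is skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["module"], m["src_ip"], int(m["src_port"]),
                                m["dst"], int(m["dst_port"])))
    return events


def classify(events: List[Event], peer_ip: str) -> dict:
    """Decide whether flagged packets from peer_ip look like a port scan or like
    late replies on connections the client already closed (Lloyd's explanation)."""
    forwarded = [e for e in events if e.module == "PacketFilter" and e.src_ip == peer_ip]
    flagged = [e for e in events if e.module == "HackAttack" and e.src_ip == peer_ip]
    result = {"forwarded": len(forwarded), "flagged": len(flagged), "verdict": "no-flagged-traffic"}
    if not flagged:
        return result

    flagged_src_ports = {e.src_port for e in flagged}
    service_ports = {e.src_port for e in forwarded}    # ports the client legitimately talked to
    client_ports = [e.dst_port for e in forwarded]      # the client's own ephemeral ports
    lo, hi = (min(client_ports), max(client_ports)) if client_ports else (None, None)
    flagged_dst_ports = {e.dst_port for e in flagged}

    # Same service port as the accepted replies, and destinations confined to the
    # client's ephemeral range: consistent with stale replies, not with probing.
    same_service = bool(service_ports) and flagged_src_ports <= service_ports
    in_client_range = bool(client_ports) and all(lo <= p <= hi for p in flagged_dst_ports)

    result.update(
        flagged_src_ports=sorted(flagged_src_ports),
        flagged_dst_ports=sorted(flagged_dst_ports),
        client_port_range=(lo, hi),
        verdict="stale-replies" if same_service and in_client_range else "possible-scan",
    )
    return result


# Lines quoted from Petrik's post above (a subset, including the "..." elision).
THREAD_LOG = [
    "Feb 19 19:39:39 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:3037",
    "Feb 19 19:39:43 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2881",
    "Feb 19 19:39:48 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925",
    "Feb 19 19:39:53 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2837",
    "Feb 19 19:40:00 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2925",
    "...",
    "Feb 19 19:53:54 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:3014",
    "Feb 19 19:53:57 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2986",
    "Feb 19 19:53:58 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2825",
    "Feb 19 19:53:59 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:3019",
    "Feb 19 19:53:59 PacketFilter: Forward TCP packet from [brwan] 213.138.101.177:80 to 192.168.0.100:2858",
    "Feb 19 19:57:01 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2845",
    "Feb 19 19:57:07 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2879",
    "Feb 19 19:57:13 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 213.138.101.177:80 to xx.xx.xx.xx:2879",
]

# Constructed contrasting sample (not from the thread): varying source ports, low
# service ports as destinations, and no accepted flows from that peer at all.
SCAN_LOG = [
    "Feb 19 20:01:01 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 198.51.100.7:41022 to xx.xx.xx.xx:22",
    "Feb 19 20:01:01 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 198.51.100.7:41023 to xx.xx.xx.xx:23",
    "Feb 19 20:01:02 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 198.51.100.7:41024 to xx.xx.xx.xx:80",
    "Feb 19 20:01:02 HackAttack: [SPI:Illegal connection state attack] TCP packet from [brwan] 198.51.100.7:41025 to xx.xx.xx.xx:443",
]

if __name__ == "__main__":
    for name, log, peer in (("thread", THREAD_LOG, "213.138.101.177"),
                            ("constructed", SCAN_LOG, "198.51.100.7")):
        print(name, classify(parse(log), peer))
```

On the quoted lines the verdict is "stale-replies": one source port, all flagged destinations between 2825 and 3037, the same range the accepted replies use. The heuristic only says the traffic is consistent with Lloyd's explanation; confirming it still needs the packet capture he suggests, where the stale packets should show up as FIN/ACK or RST segments for connections the client no longer has.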

Petrik wrote:

Re: Why is emoncms.org server doing port scanning of my IP


Hmm, that could be a reason. Then it's partially an emoncms.org server configuration error if it holds a transactional server port open for more than a couple of seconds. Too long a timeout on the server side would explain the mismatch in numbers.

Unfortunately I don't have a packet sniffer at hand; any recommendations for a Windows workstation?

Lloyd wrote:

Re: Why is emoncms.org server doing port scanning of my IP

Wireshark is usually the packet sniffer of choice. And it is free.

Lloyd

Lloyd wrote:

Re: Why is emoncms.org server doing port scanning of my IP

But don't forget your firewall may not be letting the packets through, so you may have to disable it to capture anything.

Petrik wrote:

Re: Why is emoncms.org server doing port scanning of my IP


Of course the firewall will not let unauthorized return packets through. So for this experiment I can allow everything from emoncms.org to my NanodeRF. Will try when I have some time to look into Wireshark.

Read some time ago about NanodeRF hangups. Have not had any myself, so maybe the firewall can prevent this?

Also have a Raspberry Pi waiting, just need to figure out how to copy my user's emoncms.org contents to the version installed on the Raspberry Pi. Should be easy, but not for a first timer.

Petrik wrote:

Re: Why is emoncms.org server doing port scanning of my IP


Thanks to Lloyd's feedback I spent just a couple of hours with the Nanode RF, and it looks like it resets due to not receiving OK from emoncms.org. Changed the script to have small delays and added more wait time (20 transmits). Additionally changed the MAC code to that of a known unused device that I had.

Looks like the reduced amount of resets has reduced the unrecognized return packets, settling the firewall.

Also tried to hook up the NanodeRF to the public internet using a bridged port, but then it could not get an IP address. Any hints on how to get NanodeRF DHCP to work with the public internet and get an IP address? When hooked up in the LAN it gets the address just nicely...
