Are random packets normal?

Posted by TheLQ on Server Fault See other posts from Server Fault or by TheLQ
Published on 2011-01-11T01:10:44Z Indexed on 2011/01/11 1:55 UTC
Read the original article Hit count: 308

About a month ago on one of my servers I started receiving random packets from IPs all over the world. So I did the smart thing and stopped putting off installing an IDS. This IDS is a ClearOS Gateway which comes with Snort and SnortSam. I enabled it, checked

There is a total of 4 ports open, two of which forward to the server I'm talking about. These ports are 3724 and 8085, so they aren't going to be easily detected in a port scan.

However checking some logs of this server I found that the attack is resuming. I found this

...
Accepting connection from '75.166.155.122'
[Auth] got unknown packet from '75.166.155.122'
Accepting connection from '98.164.154.93'
[Auth] got unknown packet from '98.164.154.93'
Ping MySQL to keep connection alive
Accepting connection from '70.241.195.129'
[Auth] got unknown packet from '70.241.195.129'
Accepting connection from '67.182.229.169'
[Auth] got unknown packet from '67.182.229.169'
Accepting connection from '69.137.140.38'
[Auth] got unknown packet from '69.137.140.38'
Accepting connection from '76.31.72.55'
[Auth] got unknown packet from '76.31.72.55'
Accepting connection from '97.88.139.39'
[Auth] got unknown packet from '97.88.139.39'
Accepting connection from '173.35.62.112'
[Auth] got unknown packet from '173.35.62.112'
Accepting connection from '187.15.10.73'
[Auth] got unknown packet from '187.15.10.73'
Accepting connection from '66.66.94.124'
[Auth] got unknown packet from '66.66.94.124'
Accepting connection from '75.159.219.124'
[Auth] got unknown packet from '75.159.219.124'
Accepting connection from '99.102.100.82'
[Auth] got unknown packet from '99.102.100.82'
Accepting connection from '24.128.240.45'
[Auth] got unknown packet from '24.128.240.45'
Accepting connection from '99.231.7.39'
[Auth] got unknown packet from '99.231.7.39'
Accepting connection from '206.255.79.56'
[Auth] got unknown packet from '206.255.79.56'
Accepting connection from '68.97.106.235'
[Auth] got unknown packet from '68.97.106.235'
Accepting connection from '69.134.67.251'
[Auth] got unknown packet from '69.134.67.251'
Accepting connection from '63.228.138.186'
[Auth] got unknown packet from '63.228.138.186'
Accepting connection from '184.39.146.193'
[Auth] got unknown packet from '184.39.146.193'
Accepting connection from '69.171.161.102'
[Auth] got unknown packet from '69.171.161.102'
Accepting connection from '76.0.47.228'
[Auth] got unknown packet from '76.0.47.228'
Ping MySQL to keep connection alive
Accepting connection from '126.112.201.14'
[Auth] got unknown packet from '126.112.201.14'
Ping MySQL to keep connection alive

Now that scares me. Why isn't Snort detecting this? How were they able to find this specific port?

More importantly, what normally would these packets contain? Is this something I should be worried about? How can I stop this?

© Server Fault or respective owner

Related posts about port-forwarding

Related posts about snort