Bounder12, posted April 1, 2025 (edited): I am new to server hosting Vintage Story and noticed this today. Looks to me like someone was pen testing my server, right? (Edited April 1, 2025 by Bounder12)
Broccoli Clock, posted April 2, 2025 (edited): So, I can't tell you if it's normal or not, but it looks like generic sniffing. For a start there are too many hits for it to be targeting a specific port number, while there aren't enough for it to be a mass port check. I could be wrong with that, but just from the initial log that would be my assumption (which, again, could be wrong). Now, an interesting rabbit hole to go down is geolocating the IPs, as the majority are registered to a company in England called "Driftnet Ltd", with a couple of exceptions. For example, the 185.236.x.x addresses are all Driftnet IPs, and if you go to the website for Driftnet then the fun begins. For a start it's an American company, not British, yet their registered office is an address in Oxford (England). What's more, a lot of its products are cyber-security related, which obviously gets the spidey senses tingling. What is interesting is the 87.236.137.213 address, as that is apparently registered to Neutel Communications, which is an Internet provider from Bahrain. You asked if this was someone testing your system? Yes, it looks that way: multiple similar IPs, all registered to the same company, hitting your server within a short period of time. However (and I should say that while I have studied cyber security as part of my qualifications, I'm no expert), on the surface it looks like someone using a third-party tool hosted by Driftnet to do some port sniffing, perhaps accidentally doing that sniffing from their own ISP-assigned IP (hence the Bahrain hit). While that could seem suspicious, perhaps they are just sniffing a range of IPs and yours happened to be within that block; they could be doing general "white hat" research. As to what to conclude? No idea without more info, but the info we have is a tantalising first step down a rabbit hole. It's really tough without more data, to be honest.
If it's just this limited number of hits, I'd forget it but keep an eye on the logs. (Edited April 2, 2025 by Broccoli Clock)
Hexalan, posted April 2, 2025: I run my own server and I also work in security. Yes, your server is being scanned. If it's on the Internet more than 5 minutes, it's being scanned. You would be well served by putting some sort of block list at the network layer on your server. I assume you're subscribing to IaaS somewhere. If you're on AWS, just put a security group on the instance and only allow the IP ranges of the people that are playing with you. It doesn't have to be extremely detailed to block most of the crap. You could allow entire address ranges of ISPs and still block almost all the crap. At the very least, turn on the built-in allow-listing in VS.
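The allow-list Hexalan describes (only the players' address ranges may reach the game port, everything else is dropped) can be done on a Windows host with the built-in firewall. The snippet below is an added example, not code from the thread or from the Vintage Story project; the port number and the two address ranges are placeholders (the ranges are RFC 5737 documentation prefixes), and it assumes the server listens on TCP. Run it from an elevated PowerShell.

```powershell
# Added example: restrict inbound access to the game port to known player ranges
# using Windows Defender Firewall. Not from the thread; values are placeholders.

$Port = 42420                          # ASSUMPTION: placeholder; use the port your server listens on
$AllowedRanges = @(
    '203.0.113.0/24',                  # constructed example range (documentation prefix)
    '198.51.100.0/24'                  # constructed example range (documentation prefix)
)

# 1. Inbound traffic that matches no allow rule must be blocked by default,
#    otherwise a scoped allow rule changes nothing. Check and enforce that.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Find any existing inbound rule that already opens the port to everyone
#    (e.g. one created when Windows prompted on first launch) and disable it.
#    Windows evaluates block rules before allow rules, so a second, broader
#    allow rule would silently widen access; remove it rather than out-rule it.
$BroadRules = Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$Port" }
foreach ($rule in $BroadRules) {
    Write-Host "Disabling pre-existing rule: $($rule.DisplayName)"
    Disable-NetFirewallRule -Name $rule.Name
}

# 3. Add one allow rule scoped to the player ranges only.
New-NetFirewallRule -DisplayName "VS server - allowed players only" `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $AllowedRanges -Action Allow -Profile Any

# 4. Verify: the rule exists and carries the expected remote-address scope.
Get-NetFirewallRule -DisplayName "VS server - allowed players only" |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Players whose ISP hands out addresses from a large block can be covered by allowing the whole block, as Hexalan notes; the scan traffic in the original logs, coming from unrelated ranges, would then be dropped before it reaches the game process. The router's port forward stays as it is; the filtering happens on the PC that actually listens.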
Bounder12 (author), posted April 2, 2025 (edited): I'm hosting this server on my personal PC at home. I have an ASUS RT-AX58U router. Is there any logging that could provide more details, or any service I can put on that port to capture the packets to inspect them? I'd be happy to do so, as I changed the port shortly after seeing that in the logs. Was half tempted to chalk it up to a server list scan or something, but the multiple different IPs made me think otherwise. @Hexalan, @Broccoli (Edited April 2, 2025 by Bounder12: typo)
Broccoli Clock, posted April 3, 2025 (edited): 14 hours ago, Hexalan said: "If it's on the Internet more than 5 minutes, it's being scanned." I think it's important to provide a little context here. You are absolutely right, but it's more the case that everything is being scanned; just connecting a device (any device) to the Internet will end up with it being scanned. I used to do this years ago when companies were stupid enough to mass-produce things like routers or webcams all with the same admin username/password, and war driving is 'still a thing'. 14 hours ago, Bounder12 said: "Was half tempted to chalk it up to a server list scan or something but the multiple different IPs made me think otherwise." It's multiple IPs but from just 2 sources; it's not some mass port hit in a DDoS. The fact that it happened at the same time suggests there is a link between those two sources, but I'd still be tempted to call it a general sniff rather than something more targeted. Unless you have more logs. The thing that does make me stop and show concern is the file size error log: trying to upload a ~900Kb file would definitely be called "sus". It'd be interesting to see what form those other invalid packets took. (Edited April 3, 2025 by Broccoli Clock)
Bounder12 (author), posted April 3, 2025: 12 hours ago, Broccoli Clock said: "It'd be interesting to see what form those other invalid packets took." If you have a way to capture 'em, I'm happy to put something up or turn on logging. I'm about as curious as you are at this point, but out of my depth.
Broccoli Clock, posted April 6, 2025: On 4/3/2025 at 8:47 PM, Bounder12 said: "If you have a way to capture 'em, I'm happy to put something up or turn on logging. I'm about as curious as you are at this point, but out of my depth." I guess it would need to be at the OS level, unless the game has a more detailed log file. There are numerous utils out there; it depends on the OS you are using, although that Windows UI suggests it's MS. If that is the case, the native pktmon may be all you need.
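A capture of just the game port with pktmon, as Broccoli Clock suggests, can be done from an elevated PowerShell; the resulting .etl file converts to pcapng so the invalid packets can be opened in Wireshark. This is an added example, not code from the thread; the port is a placeholder, the output path is an assumption, and the `--capture` and `etl2pcapng` forms assume a Windows 10 build from 2004 onward (older builds use `pktmon start --etw` and `pktmon pcapng` instead).

```powershell
# Added example: capture only packets to/from the game port with the built-in
# pktmon tool, then convert to pcapng for offline inspection. Not from the thread.

$Port = 42420                                   # ASSUMPTION: placeholder for your server's listen port
$Out  = "$env:USERPROFILE\Desktop\vs-port-capture"   # ASSUMPTION: output path

# Start from an empty filter list, then match this port in either direction.
# Without a filter pktmon records every packet on every adapter.
pktmon filter remove
pktmon filter add GamePort -p $Port
pktmon filter list

# Capture full packets (--pkt-size 0 disables truncation, so the payload of a
# malformed or oversized packet is kept) into the named .etl file.
pktmon start --capture --pkt-size 0 --file-name "$Out.etl"

# Leave this running while the server is exposed. When the next batch of odd
# connections shows up in the game log, stop the capture:
pktmon stop

# Per-component counters give a quick sanity check that anything matched at all.
pktmon counters

# Convert to pcapng; open the result in Wireshark and filter on tcp.port == <port>.
pktmon etl2pcapng "$Out.etl" -o "$Out.pcapng"
```

Because the filter keys on the port rather than on a source address, the capture stays useful after the server port is changed again (just update `$Port`), and it will also record legitimate player traffic on that port, which is the baseline to compare the malformed packets against.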
Bounder12 (author), posted April 11, 2025: On 4/6/2025 at 5:41 AM, Broccoli Clock said: "I guess it would need to be at the OS level, unless the game has a more detailed log file. There are numerous utils out there; it depends on the OS you are using, although that Windows UI suggests it's MS. If that is the case, the native pktmon may be all you need." Sadly they haven't hit again. So I guess our investigation is over.