Skip to main content

Unathorized scanning detected.

Comments

12 comments

  • Infopro
    I received an e-mail from AT&T telling me my cpanel has been sending out attempts to remote to other computers.
    Can you be more specific? Without the actual domain name or any other identifiable details, can you share that email itself here please?
    0
  • frigid
    ]Can you be more specific? Without the actual domain name or any other identifiable details, can you share that email itself here please?

    Sure. The problem is they won't give me a domain, just the IP of my server. But here is the e-mail: IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center -" Unauthorized access scanning detected". This message is being sent to notify you that we have received complaints of attempts to gain unauthorized access to a host, server, network, or private computer that originate from your AT&T Internet account. It is possible that your computer has been compromised and you should check for any programs or files on it that you do not recognize. To address this problem we ask that you immediately take the following steps to secure your network: 1. If your computer(s) are managed by an Information Technology (IT) group at your place of work, then contact them immediately. 2. AT&T offers a free online scan tool PC Health Check that will scan for virus/spyware activity. AT&T Computer consultants trained to clean infected machines might also be located in your area (you can search at yp.com). 5. In all cases, please respond by forwarding this email to: abuse@att.net with an acknowledgement of: "I am taking steps to address this infection." When we receive such an acknowledgment, we can maintain the high quality of service you expect from us. We welcome feedback on what removal tools or method were used. Although the activity is likely unintentional, it is still in violation of AT&T's Acceptable Use Policy. To review the AT&T Acceptable Use Policy, go to: [url=http://www.corp.att.com/aup/]AT&T Acceptable Use Policy| Acceptable Use Policy| AT&T Below are some additional sites you can visit for tools or information: AT&T PC Health Check - Online virus, malware and spyware scan. http://www.microsoft.com/security/scanner/en-us/default.aspx]Microsoft Safety Scanner - Free Virus Scan with the Microsoft Safety Scanner Apple Systems Anti-virus: [url=http://www.apple.com/downloads/macosx/networking_security/avastantivirusmacedition.html]Apple - Downloads We also recommend you run anti-spyware application, like Malwarebytes Anti-Malware or Spybot: [url=http://malwarebytes.org/mbam.php]Malwarebytes | Anti-Malware Premium - Malware Detect & Removal [url=http://www.safer-networking.org/en/index.html]Spybot " Regards, AT&T Internet Services Security Center abuse@att.net SAFETY NOTE: We have included links in this email as a convenience. Please note that it is always safer to copy and paste URLs included in email directly into your browser to reach the referenced site.
    0
  • quizknows
    Usually when I receive reports like this, the first thing I do is run 'ps faux' and look at all running processes. Often you'll find something running as an unprivileged user with a spoofed process name, i.e. crond, /usr/bin/host, something "out of place" that a normal user wouldn't be running. It's a lot harder to track down if the process isn't currently ongoing.
    0
  • frigid
    ]Usually when I receive reports like this, the first thing I do is run 'ps faux' and look at all running processes. Often you'll find something running as an unprivileged user with a spoofed process name, i.e. crond, /usr/bin/host, something "out of place" that a normal user wouldn't be running. It's a lot harder to track down if the process isn't currently ongoing.

    That's what I was afraid of. It seems to happen every other day and since they don't give me a time it's proving to be nearly impossible to track down. I'm going to see if I see anything strange in the connection logs (people connecting from out of the country and the like).
    0
  • quizknows
    That's really weak that they're not giving you logs; most abuse reports are considered worthless without time stamped logs of the allegedly abusive connections.
    0
  • Infopro
    ]That's what I was afraid of. It seems to happen every other day and since they don't give me a time it's proving to be nearly impossible to track down. I'm going to see if I see anything strange in the connection logs (people connecting from out of the country and the like).

    Who is your servers Hosting Provider, AT&T?
    0
  • frigid
    ]That's really weak that they're not giving you logs; most abuse reports are considered worthless without time stamped logs of the allegedly abusive connections.

    What I pasted was all they gave me.
    ]Who is your servers Hosting Provider, AT&T?

    Yes.
    0
  • Infopro
    ]... Yes.

    Can you link me to the AT&T web hosting portal where they offer cPanel please? I'm curious and want to take a peek at it.
    0
  • frigid
    ]Can you link me to the AT&T web hosting portal where they offer cPanel please? I'm curious and want to take a peek at it.

    Oh sorry I read that wrong. AT&T is providing me internet, we have our own CPanel server in house.
    0
  • quizknows
    You are definitely entitled to ask them for logs. I know I would.
    0
  • Infopro
    ]I received an e-mail from AT&T telling me my cpanel has been sending out attempts to remote to other computers. ...

    There is nothing in that email that mentions your cPanel server is doing anything incorrectly as far as I can tell. You're going to need to contact the abuse@ address mentioned in that email for more Info. I don't see how anyone here can help you with something you can't even be sure is happening other than this one email saying so.
    0
  • frigid
    ]There is nothing in that email that mentions your cPanel server is doing anything incorrectly as far as I can tell. You're going to need to contact the abuse@ address mentioned in that email for more Info. I don't see how anyone here can help you with something you can't even be sure is happening other than this one email saying so.

    I forwarded them the e-mail asking for more info. It had the IP of the server in the e-mail subject but that's the only spot that mentions it.
    0

Please sign in to leave a comment.