Billion Router 7800N Showing alarming things in firewall.

kenneth50
Grafter
Posts: 50
Registered: 13-01-2014

Hi all, it would seem the firewall is shouting out loud about something called Back Orifice Scan.
Now I have reported this issue and it seems to have fallen on deaf ears.
Now the firewall log is great for showing the SYN floods etc., which is normal for the internet, but when we get an attack from the name servers, no less, it's a bit worrying.

  Apr 21 03:35:46  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
  Apr 21 03:35:46  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
  Apr 21 03:35:47  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
  Apr 21 03:35:49  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
  Apr 21 03:35:53  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
  Apr 21 22:51:34  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
  Apr 21 22:51:34  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
  Apr 21 22:51:35  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
  Apr 21 22:51:37  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
  Apr 22 04:34:24  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
  Apr 22 04:34:24  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
  Apr 22 04:34:25  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
  Apr 22 04:34:27  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
  Apr 22 04:34:31  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
  Apr 23 18:22:20  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
  Apr 23 18:22:20  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
  Apr 23 18:22:21  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
  Apr 23 18:22:23  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
  Apr 23 18:22:27  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
  May 04 20:51:21  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
  May 04 20:51:21  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
  May 04 20:51:22  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
  May 04 20:51:24  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
  May 04 20:51:28  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337

For now I am keeping the log on my cloud space with all Back Orifice Scan attacks, but for those who do not know what it is, here is a link: http://en.wikipedia.org/wiki/Back_Orifice .
Now all computers on the internal network have been scanned, that's the 2 laptops and 1 desktop. All mobile phones have been scanned, all clean. The scan is coming from the name servers, which means either the name server is infected or some clever script kid has managed to spoof the name server.
Whichever one it is, it's not good, considering the port being scanned is also used for other types of attacks.
Now that port luckily is not open on any computer and the router's SPI is doing its job. I have even netstat'd each computer to make sure of this.
So can the mods please pass this on? I so hope this doesn't fall on deaf ears again. I know the easy fix for myself is to change the DNS, but that would mean a disconnection and reconnection, for which that evil monkey called DLM will punish me (keeps coming out of the closet with an evil grin!).
Thanks in advance.

Please note this has nothing to do with anything like torrents etc.
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: 27-10-2012

Re: Billion Router 7800N Showing alarming things in firewall.

Hi
212.159.13.49 and 212.159.13.50 are Plusnet's DNS servers.
kenneth50
Grafter
Posts: 50
Registered: 13-01-2014

Re: Billion Router 7800N Showing alarming things in firewall.

I know they are Plusnet DNS servers, hence why I have posted on the forum.
It's worrying that their DNS servers are doing such scans.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: 10-06-2010

Re: Billion Router 7800N Showing alarming things in firewall.

I expect this is nothing more than DNS queries being sent from random port numbers, so occasionally the port number the DNS query is sent from will be 31337. So the reply gets sent to port 31337. And the security rule is just matching any packet to UDP port 31337.
You can set the source port for a test DNS query with the dig command:
dig -b "0.0.0.0#31337" @212.159.6.9 plus.net
Also, is this another case of DNS traffic doubling, where each query gets sent to both DNS servers?
kenneth50
Grafter
Posts: 50
Registered: 13-01-2014

Re: Billion Router 7800N Showing alarming things in firewall.

@ejs, is this on the router or the Windows computers?
Edit: also, this issue is only recent as well; the reason I know this is because I check the logs often and the April 21st ones are the first ones to show.
Thanks for your help.
Also, the command doesn't work on either the router or the Windows computers.

Edit2: I have changed the DNS over to Level 3 and also reconfigured the firewall rules to completely block that port. No other application or service uses it, so a total block on that port will not harm anything either.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: 10-06-2010

Re: Billion Router 7800N Showing alarming things in firewall.

Sorry, the dig command is part of BIND, which you would need to download and unzip for Windows.
I still think the log messages are unlikely to be due to an actual attack. If my theory is right that the log entries were caused by replies to DNS queries sent from port 31337, then you might see the same thing regardless of which DNS servers you use, although part of the issue could also be that the DNS server took too long to reply, so that the stateful firewall had forgotten about the outgoing query by the time the response arrived.
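As an added example (not from the thread, Plusnet or Billion), here is a Python triage script that parses the 7800N log lines quoted above and applies ejs's reasoning from both replies: a UDP packet from port 53 of a known resolver to a high port is a DNS answer that the rule matched on destination port alone, and a burst containing both resolvers is the "query sent to both DNS servers" pattern. It assumes the year 2014 for the yearless syslog timestamps and adds one constructed non-resolver line for contrast.

```python
import re
from datetime import datetime
# Constructed sample: three 7800N lines as quoted in the thread, plus one made-up line
# from 198.51.100.7 (a documentation address) that is NOT a resolver reply.
SAMPLE_LOG = """\
Apr 21 03:35:46  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
Apr 21 03:35:46  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 03:35:47  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 09:00:00  home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 198.51.100.7:4444 to 87.112.141.247:31337
"""
KNOWN_RESOLVERS = {"212.159.13.49", "212.159.13.50"}  # Plusnet DNS servers named in the thread

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\s+\S+ \S+ kernel: HackAttack: "
    r"\[(?P<rule>[^\]]+)\] (?P<proto>\w+) packet from \[(?P<iface>[^\]]+)\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line, year=2014):
    """Parse one HackAttack line into a dict; syslog has no year, so the caller supplies it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def classify(ev):
    """UDP from port 53 of a known resolver to an ephemeral port is a DNS answer, not a scan."""
    if ev["proto"] == "UDP" and ev["sport"] == 53 and ev["src"] in KNOWN_RESOLVERS and ev["dport"] >= 1024:
        return "dns-reply"
    return "investigate"

def triage(log_text, window_s=10):
    """Classify every event and group dns-reply events into bursts keyed by (dst, dport)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    verdicts = [classify(e) for e in events]
    bursts = []
    for ev, verdict in zip(events, verdicts):
        if verdict != "dns-reply":
            continue
        key = (ev["dst"], ev["dport"])
        last = bursts[-1] if bursts else None
        if last and last["key"] == key and (ev["ts"] - last["start"]).total_seconds() <= window_s:
            last["count"] += 1
            last["resolvers"].add(ev["src"])  # both resolvers in one burst = doubled query
        else:
            bursts.append({"key": key, "start": ev["ts"], "count": 1, "resolvers": {ev["src"]}})
    return verdicts, bursts
```

A burst whose resolvers set holds both addresses, with repeats a second or two apart, matches retransmitted queries answered by both servers rather than a scan; anything classified "investigate" is what actually deserves a look.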
kenneth50
Grafter
Posts: 50
Registered: 13-01-2014

Re: Billion Router 7800N Showing alarming things in firewall.

Thanks for the reply; since moving to another DNS, no issues.
Edit: Just checked the logs on the router, nothing coming through from port 31337, so the issue is with the Plusnet DNS servers, and apart from you, ejs, no one from Plusnet has responded. Typical, falling on deaf ears.
Plus.net needs to act on the issue quickly.
The downside of having to change the DNS is losing the stable 15 day connection, which on the line we are on is very lucky to even get that far. So please, someone from Plusnet respond to this.