Billion Router 7800N Showing alarming things in firewall.
06-05-2014 10:44 PM
Hi all, it would seem the firewall is shouting out loud with something called Back Orifice Scan.
Now I have reported this issue and it seems to have fallen on deaf ears.
Now the firewall log is great for showing the SYN floods etc., which is normal for the internet, but when we get an attack from the name servers, no less, it's a bit worrying.
Apr 21 03:35:46 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
Apr 21 03:35:46 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 03:35:47 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 03:35:49 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
Apr 21 03:35:53 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 22:51:34 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 22:51:34 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
Apr 21 22:51:35 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 22:51:37 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
Apr 22 04:34:24 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
Apr 22 04:34:24 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
Apr 22 04:34:25 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
Apr 22 04:34:27 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
Apr 22 04:34:31 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
Apr 23 18:22:20 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
Apr 23 18:22:20 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
Apr 23 18:22:21 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
Apr 23 18:22:23 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
Apr 23 18:22:27 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
May 04 20:51:21 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
May 04 20:51:21 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
May 04 20:51:22 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
May 04 20:51:24 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 146.200.34.24:31337
May 04 20:51:28 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 146.200.34.24:31337
For now I am keeping the log on my cloud space with all Back Orifice Scan attacks, but for those that do not know what it is, here is a link: http://en.wikipedia.org/wiki/Back_Orifice .
Now all computers on the internal network have been scanned, that's the 2 laptops and 1 desktop. All mobile phones have been scanned, all clean. The scan is coming from the name servers, which means either the name server is infected or some clever script kid has managed to spoof the name server.
Whichever one it is, it's not good, considering this port being scanned is also used for other types of attacks.
Now that port luckily is not open on any computer and the router's SPI is doing its job. I have even netstat'd each computer to make sure of this.
So can the mods please pass this on; I so hope this doesn't fall on deaf ears again. I know the easy fix for myself is to change the DNS, but that would mean a disconnection and reconnection, to which then that evil monkey called DLM will punish me (keeps coming out of the closet with an evil grin!).
Thanks in advance.
Please note this has nothing to do with anything like torrents etc.
Re: Billion Router 7800N Showing alarming things in firewall.
06-05-2014 11:04 PM
Hi
212.159.13.49 and 212.159.13.50 are Plusnet's DNS servers.
Re: Billion Router 7800N Showing alarming things in firewall.
06-05-2014 11:10 PM
I know they are Plusnet DNS servers, hence why I have posted on the forum.
It's worrying that their DNS servers are doing such scans.
Re: Billion Router 7800N Showing alarming things in firewall.
07-05-2014 6:16 AM
I expect this is nothing more than DNS queries being sent from random port numbers, so occasionally the port number the DNS query is sent from will be 31337. So the reply gets sent to port 31337. And the security rule is just matching any packet to UDP port 31337.
You can set the source port for a test DNS query with the dig command:
dig -b "0.0.0.0#31337" @212.159.6.9 plus.net
Also, is this another case of DNS traffic doubling, where each query gets sent to both DNS servers?
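The point ejs makes is that the router's "Back Orifice Scan" rule matches nothing more than "UDP to port 31337", so the source address and port of the flagged packet carry the real information. The script below is an added example (not code from the thread, from Billion, or from Plusnet): it parses the log format quoted in message 1, marks each flagged packet as DNS-reply-shaped when it arrives from UDP port 53 of one of the two resolver addresses named in reply #2 (assumed to be the router's configured DNS servers), and groups the events into bursts so the timing is visible. The year is not logged, so 2014 is assumed; the sample input is the first two bursts copied from message 1 plus one constructed line from a documentation address that is not DNS-shaped.

```python
"""Triage the Billion 7800N 'HackAttack' lines quoted in this thread.

Added example, not code from the thread or from Billion: it parses the log
format shown in message 1, marks each flagged packet as DNS-reply-shaped when
it comes from UDP port 53 of a configured resolver (the two addresses named
in reply #2), and groups events into bursts so the repeated pattern is easy
to see. The year is not logged, so 2014 (the thread's date) is assumed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Resolvers named in reply #2; assumed to be the router's configured DNS servers.
KNOWN_RESOLVERS = {"212.159.13.49", "212.159.13.50"}
ASSUMED_YEAR = 2014

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ \S+ kernel: HackAttack: \[(?P<rule>[^\]]+)\] (?P<proto>\w+) packet "
    r"from \[(?P<iface>[^\]]+)\] (?P<sip>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Sample input: the first two bursts copied from message 1, plus one constructed
# line (source 198.51.100.7:4444, a documentation address) that is not DNS-shaped.
SAMPLE_LOG = """\
Apr 21 03:35:46 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
Apr 21 03:35:46 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 03:35:47 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 03:35:49 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
Apr 21 03:35:53 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 03:40:01 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 198.51.100.7:4444 to 87.112.141.247:31337
Apr 21 22:51:34 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 22:51:34 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
Apr 21 22:51:35 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.49:53 to 87.112.141.247:31337
Apr 21 22:51:37 home user.info kernel: HackAttack: [Back Orifice Scan] UDP packet from [ppp_0_0_38_1] 212.159.13.50:53 to 87.112.141.247:31337
"""


def parse_line(line):
    """Return a dict for one HackAttack line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {ASSUMED_YEAR}",
                           "%b %d %H:%M:%S %Y")
    return {"ts": ts, "rule": m["rule"], "proto": m["proto"], "iface": m["iface"],
            "sip": m["sip"], "sport": int(m["sport"]),
            "dip": m["dip"], "dport": int(m["dport"])}


def classify(ev):
    """The rule only matches 'UDP to 31337'; the source tells the real story."""
    if ev["proto"] == "UDP" and ev["sport"] == 53:
        if ev["sip"] in KNOWN_RESOLVERS:
            return "dns-reply-shaped from configured resolver"
        return "dns-reply-shaped from unknown resolver"
    return "unsolicited udp to 31337 (investigate)"


def group_bursts(events, window=timedelta(seconds=30)):
    """Group events whose timestamps fall within `window` of the burst start."""
    bursts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if bursts and ev["ts"] - bursts[-1][0]["ts"] <= window:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def triage(text):
    """Parse every HackAttack line in `text` and summarise verdicts and bursts."""
    events = [ev for ev in map(parse_line, text.splitlines()) if ev]
    return {"events": len(events),
            "verdicts": Counter(classify(ev) for ev in events),
            "bursts": group_bursts(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['events']} flagged packets")
    for verdict, n in report["verdicts"].items():
        print(f"  {n:3d}  {verdict}")
    for burst in report["bursts"]:
        span = (burst[-1]["ts"] - burst[0]["ts"]).total_seconds()
        sources = sorted({f"{e['sip']}:{e['sport']}" for e in burst})
        print(f"burst at {burst[0]['ts']:%b %d %H:%M:%S}: {len(burst)} packets "
              f"over {span:.0f}s from {', '.join(sources)}")
```

Run against the full log in message 1, every burst comes out as four or five packets over about seven seconds, all from port 53 of the two Plusnet resolvers and nothing else; that is the shape ejs's explanation predicts, and it is a quite different picture from an external host probing the port. Only a packet that falls into the "unsolicited" bucket, like the constructed 198.51.100.7 line, is worth chasing further.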
Re: Billion Router 7800N Showing alarming things in firewall.
07-05-2014 12:41 PM
@ejs is this on the router or the Windows computers?
Edit: also this issue is only recent; the reason I know this is because I check the logs often and the April 21st ones are the first ones to show.
Thanks for your help.
Also the command doesn't work on either the router or the Windows computers.
Edit2: I have changed the DNS over to Level 3 and also reconfigured the firewall rules to completely block that port; no other application or service uses it, so a total block on that port will not harm either.
Re: Billion Router 7800N Showing alarming things in firewall.
08-05-2014 6:21 AM
Sorry, the dig command is part of BIND, which you would need to download and unzip for Windows.
I still think the log messages are unlikely to be due to an actual attack. If my theory that the log entries were caused by replies to DNS queries sent from port 31337 is correct, then you might see the same thing regardless of which DNS servers you use, although part of the issue could also be that the DNS server took too long to reply, so that the stateful firewall had forgotten about the outgoing query by the time the response arrived.
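The mechanism ejs describes in this reply, a stateful firewall that has already dropped its record of the outgoing query by the time the reply arrives, can be shown with a small simulation. This is an added example and not the Billion 7800N firmware: a minimal UDP connection-tracking table with an idle timeout. An outbound DNS query that happens to use ephemeral source port 31337 creates a state entry; the resolver's reply is passed if it matches that entry in time, but a reply that arrives after the entry has expired, or one for which no query was ever seen, looks like an unsolicited UDP packet to port 31337 and trips the same rule as the log lines in message 1. The addresses come from the thread's log; the timeout value is an assumption.

```python
"""Simulate the stateful-firewall failure mode suggested in the thread.

Added example (not the Billion 7800N firmware): a minimal UDP connection
tracking table with an idle timeout. Addresses are taken from the thread's
log; the timeout value is an assumption.
"""
from dataclasses import dataclass

UDP_STATE_TIMEOUT = 30.0   # seconds of idle time before state is dropped (assumed)
SUSPECT_PORT = 31337       # the port the router's "Back Orifice Scan" rule watches

WAN_ADDR = "87.112.141.247"   # destination address shown in the thread's log
RESOLVER = "212.159.13.50"    # one of the two Plusnet resolvers named in reply #2


@dataclass(frozen=True)
class Packet:
    t: float          # arrival time in seconds
    sip: str
    sport: int
    dip: str
    dport: int
    inbound: bool     # True = arriving from the WAN side


class StatefulUdpFilter:
    """Tracks outbound UDP flows and only admits inbound packets that match one."""

    def __init__(self, timeout: float = UDP_STATE_TIMEOUT):
        self.timeout = timeout
        self.flows = {}   # (local ip, local port, remote ip, remote port) -> last seen
        self.alerts = []  # messages the router would write to its HackAttack log

    def _expire(self, now: float) -> None:
        for key, seen in list(self.flows.items()):
            if now - seen > self.timeout:
                del self.flows[key]

    def handle(self, p: Packet) -> str:
        self._expire(p.t)
        if not p.inbound:
            # Outbound packet: create or refresh the flow entry and let it through.
            self.flows[(p.sip, p.sport, p.dip, p.dport)] = p.t
            return "pass"
        key = (p.dip, p.dport, p.sip, p.sport)   # reverse tuple of the outbound flow
        if key in self.flows:
            self.flows[key] = p.t
            return "pass"                          # reply to a query we saw go out
        if p.dport == SUSPECT_PORT:
            # No state: the packet is unsolicited as far as the filter knows,
            # and the port-number rule fires regardless of where it came from.
            self.alerts.append(
                f"HackAttack: [Back Orifice Scan] UDP packet from {p.sip}:{p.sport} "
                f"to {p.dip}:{p.dport}")
            return "alert"
        return "drop"


def query_then_reply(reply_delay: float, timeout: float = UDP_STATE_TIMEOUT):
    """Send one DNS query from source port 31337, then deliver the resolver's
    reply after reply_delay seconds. Returns (verdict for the reply, alert count)."""
    fw = StatefulUdpFilter(timeout)
    fw.handle(Packet(0.0, WAN_ADDR, SUSPECT_PORT, RESOLVER, 53, inbound=False))
    verdict = fw.handle(Packet(reply_delay, RESOLVER, 53, WAN_ADDR, SUSPECT_PORT,
                               inbound=True))
    return verdict, len(fw.alerts)


def reply_without_query():
    """A DNS-shaped packet to port 31337 with no matching outbound query at all."""
    fw = StatefulUdpFilter()
    verdict = fw.handle(Packet(5.0, RESOLVER, 53, WAN_ADDR, SUSPECT_PORT, inbound=True))
    return verdict, fw.alerts


if __name__ == "__main__":
    print("reply after 0.5 s :", query_then_reply(0.5))
    print("reply after 45 s  :", query_then_reply(45.0))
    print("no query at all   :", reply_without_query())
```

The same packet from the same resolver is passed at 0.5 s and logged as a "Back Orifice Scan" at 45 s; the only difference is whether the filter still remembers the query. That is why the entries can appear for a perfectly ordinary resolver, and why changing resolvers only helps if the new ones answer before the state expires (or never happen to be queried from that port).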
Re: Billion Router 7800N Showing alarming things in firewall.
08-05-2014 2:25 PM
Thanks for the reply; since moving to another DNS, no issues.
Edit: Just checked the logs on the router, nothing coming through from port 31337, so the issue is with the Plusnet DNS servers, and apart from you, ejs, no one from Plusnet has responded; typical, falling on deaf ears.
Plus.net needs to act on the issue quickly.
The downside of having to change the DNS is losing the stable 15-day connection, which on the line we are on is very lucky to even get that far. So please, someone from Plusnet respond to this.