Router log
13-03-2014 8:09 PM
Does anyone know what this means? It's in my router logs:
IDS fragment parser : fragment sweep (1 of 1) : 212.159.13.50 xx.xx.xx.xx <- (my ip) 764 59 UDP 53->59090 frag 61871:744@0+
Thank you..
Re: Router log
13-03-2014 8:26 PM
It's most likely a late packet that's arrived out of time, or just general internet noise.
Re: Router log
15-03-2014 11:38 PM
Info Mar 15 20:01:36 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:01:29 SNTP Synchronised again with server 212.159.13.49
Info Mar 15 20:01:23 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:01:10 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:00:56 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:00:33 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:00:14 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:00:01 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 19:59:48 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 19:01:29 SNTP Synchronised again with server 212.159.6.9
Info Mar 15 18:13:12 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:12:58 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:12:44 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:12:31 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:12:17 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:11:59 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:11:45 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:11:31 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:11:17 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:11:04 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:10:49 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:10:35 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:10:21 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:10:07 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:09:54 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:09:40 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:09:26 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:09:12 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:08:58 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:08:45 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:08:29 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:08:13 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:07:58 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:07:42 LOGOUT session of user root killed (116.10.191.190)
Anyone know why port 22 has opened? I haven't made any changes on the PC, and how do I get it stealthed?
Thank you
Re: Router log
16-03-2014 6:59 AM
It might be a good idea to check your computer for malware, and perhaps unplug your router from the Internet, reset it to factory defaults, then power it up and change the default admin password before re-connecting it. The default password - the serial number - can easily be found by any computer on your local network or even just within wireless range.
Re: Router log
16-03-2014 10:09 AM
Edit: port issue has now been solved.
Re: Router log
30-12-2014 8:53 PM
LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:34:36 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:34:31 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:34:28 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:34:22 LOGOUT session of user admin killed (61.174.51.216)
Info Dec 30 20:34:07 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:34:04 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:33:45 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:33:42 LOGOUT session of user admin killed (61.174.51.216)
Info Dec 30 20:33:36 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:33:18 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:33:14 LOGOUT session of user admin killed (61.174.51.216)
Info Dec 30 20:32:58 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:32:47 LOGOUT session of user admin killed (61.174.51.216)
I notice however that some of mine say user admin killed. I am more than a tad worried about this. I have the firewall on, I have password protected the admin panel, so not sure what else to do?
Mark
Re: Router log
30-12-2014 9:10 PM
There is also the Plusnet Broadband Firewall https://portal.plus.net/my.html?action=firewall which could be set to "Low" to block incoming connections to common low numbered ports.
Re: Router log
30-12-2014 9:28 PM
Mark
Re: Router log
30-12-2014 10:06 PM
https://www.grc.com/x/ne.dll?bh0bkyd2
Is the problem due to the router's default setting of having ports open to the FTP server for USB file sharing? IIRC it opens more than just port 21.
If you don't use file sharing to the internet, you could try unassigning ftp in "game and application sharing".
Re: Router log
30-12-2014 10:35 PM
Quote THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
So I'm alright there, but this Chinese IP address is racking up the "LOGOUT session of user root killed" like there's no tomorrow. Does this mean they have gained access to the router or have tried and failed? Or am I just being totally paranoid?
Thanks
Re: Router log
31-12-2014 12:23 AM
You MUST stealth your router's SSH port. Once it is stealthed, the router will stop replying to every login attempt, so the hackers will be unable to determine whether your router is still connected - and will hopefully give up.
If they do eventually get in via SSH, then they could easily redirect all your internet traffic to wherever they wanted, steal your online passwords, redirect your emails, and anything you do online could potentially be compromised.
A few ideas to consider -
- Have you checked your router manufacturer's website for any firmware updates? - which may have fixed an SSH security hole!
- Have you got "UPnP" enabled in the router? - if so, disable it and restart the router.
- Does the router's remote access configuration have a tick box for SSH? - ensure that all remote access protocols are disabled.
- Setup a firewall rule to silently drop any incoming traffic from that Chinese IP address.
- Check all port forward settings, and remove any forwarding for SSH (TCP port 22).
After checking the above points, retest using Shields UP! - "All Service Ports" test, and ensure all ports are stealthed.
Re: Router log
31-12-2014 7:42 AM
- Nothing on the Technicolor website. No support, no nothing if an end user
- UPNP switched off, a bit off really as it has always been on with my other routers and not had an effect
- Remote access is not enabled
- Not sure how to set up a firewall rule to drop traffic, will have to have a little Google
- The only port forwarding is to my webcam, all others turned off that I can see
Shields Up result again:
Quote THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
Hopefully that means I should be okay and the router is doing its bit. I notice the attacking IP has changed now to 103.41.124.44, so from China to Hong Kong!! Unfortunately, the log only shows the last 50 entries with no option to download it.
Thanks
Mark
Re: Router log
31-12-2014 8:29 AM
Quote from: Marksfish port 22 is open. Not really sure what SSH is
SSH is used by system administrators to remotely log in to a device, and take control using command line instructions.
Quote from: Marksfish Shields Up result again:
Quote THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
That is the result from the big yellow button marked "GRC's Instant UPnP Exposure Test", which shows that ports cannot be opened on demand from an external attacker. The problem you have is that the Chinese hackers have already found an open SSH port on your router.
Instead of doing the "UPnP Exposure Test", immediately below that button there is a grey button called "All Service Ports", click on that.
The result should look like mine -
While your SSH port is still visible, then the brute force attack will continue until either the hackers succeed or you hide the port.
Quote from: Marksfish Hopefully that means I should be okay and the router is doing its bit.
While the SSH port is visible to the internet, the hackers know that there is a way into your system.
At the moment your router is receiving remote login attempts, and it is reporting back to them that the "password" failed, so the hackers will sit there with an automated passcode generator stepping through likely combinations until they hit on a valid combination and take control of your router.
So no, your router is not "doing its bit" as it is responding to SSH requests, and you are currently only protected as the hackers have not yet guessed the SSH password.
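Added example, not written by any poster in this thread: Python that groups log lines in the format posted above by source address and flags many root/admin sessions from one address inside a short window, the pattern the thread reads as automated password guessing. The sample lines are constructed, the year and the five-sessions-in-five-minutes threshold are assumptions, and the meaning of "session killed" follows the thread's reading rather than vendor documentation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape taken from the logs posted in this thread; the log carries no year.
LINE = re.compile(r"^Info (\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) LOGOUT session of user "
                  r"(\S+) killed \((\d{1,3}(?:\.\d{1,3}){3})\)$")

def parse(lines, year=2014):
    """Yield (timestamp, user, source_ip) for each 'session killed' line."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # SNTP syncs, truncated entries, anything else
        mon, day, clock, user, ip = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield ts, user, ip

def find_bursts(lines, min_events=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for sources with >= min_events sessions inside window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # the router lists newest first
        times = [t for t, _ in events]
        peak = start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_events:
            flagged[ip] = {"events": len(events), "peak_in_window": peak, "first": times[0],
                           "last": times[-1], "users": sorted({u for _, u in events})}
    return flagged

# Constructed sample in the router's format, using documentation-range addresses.
SAMPLE = """\
Info Mar 15 20:01:36 LOGOUT session of user root killed (203.0.113.7)
Info Mar 15 20:01:29 SNTP Synchronised again with server 192.0.2.1
Info Mar 15 20:01:23 LOGOUT session of user root killed (203.0.113.7)
Info Mar 15 20:01:10 LOGOUT session of user admin killed (203.0.113.7)
Info Mar 15 20:00:56 LOGOUT session of user root killed (203.0.113.7)
Info Mar 15 20:00:33 LOGOUT session of user root killed (203.0.113.7)
Info Mar 15 09:12:00 LOGOUT session of user admin killed (198.51.100.20)
LOGOUT session of user root killed (203.0.113.7)
""".splitlines()
print(find_bursts(SAMPLE))
```

Since the router keeps only the last 50 entries, a summary like this is most useful on copies of the log saved at intervals.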
Re: Router log
31-12-2014 9:16 AM
I then turned on the PN firewall and turned off UPnP. Ports 22 & 81 still show open, but there are a huge amount of blue squares now saying port closed. I think I am fighting a losing battle here with my lack of tech experience.
I don't want to restart the router again in case DLM comes into play.
Mark
Re: Router log
31-12-2014 10:22 AM
Quote Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.
Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
Ping Echo: PASSED — Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests) from our server.
There is very little info out there about Thomson/Technicolor routers, especially when it comes to stealthing ports. It doesn't look like something that can be done from the front end.
Mark