cancel
Showing results for 
Search instead for 
Did you mean: 

Router log

xxandy77xx
Grafter
Posts: 126
Registered: 21-09-2013

Router log

Hi,
does anyone know what this means its in my router logs
IDS fragment parser : fragment sweep (1 of 1) : 212.159.13.50 xx.xx.xx.xx <- (my ip) 764 59 UDP 53->59090 frag 61871:744@0+

Thank you..
21 REPLIES
Community Veteran
Posts: 1,656
Registered: 13-06-2007

Re: Router log

Well the IP address is Plusnet DNS server, port 53 is the DNS port
it's most likely a late packet thats arrived out of time or just general internet noise
xxandy77xx
Grafter
Posts: 126
Registered: 21-09-2013

Re: Router log

getting loads of these never seen this one before
Info Mar 15 20:01:36 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:01:29 SNTP Synchronised again with server 212.159.13.49
Info Mar 15 20:01:23 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:01:10 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:00:56 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:00:33 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:00:14 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 20:00:01 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 19:59:48 LOGOUT session of user root killed (61.174.51.217)
Info Mar 15 19:01:29 SNTP Synchronised again with server 212.159.6.9
Info Mar 15 18:13:12 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:12:58 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:12:44 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:12:31 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:12:17 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:11:59 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:11:45 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:11:31 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:11:17 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:11:04 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:10:49 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:10:35 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:10:21 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:10:07 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:09:54 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:09:40 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:09:26 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:09:12 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:08:58 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:08:45 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:08:29 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:08:13 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:07:58 LOGOUT session of user root killed (116.10.191.190)
Info Mar 15 18:07:42 LOGOUT session of user root killed (116.10.191.190)

anyone know why  port 22 has opened  i havnt made any changes on pc and how do i get it stealthed . .
thank you
Community Veteran
Posts: 5,172
Thanks: 480
Fixes: 20
Registered: 10-06-2010

Re: Router log

It looks like something from Chinese IP addresses attempting to gain remote access to your router.
It might be a good idea to check your computer for malware, and perhaps unplug your router from the Internet, reset it to factory defaults, then power it up and change the default admin password before re-connecting it. The default password - the serial number - can easily be found by any computer on your local network or even just within wireless range.
xxandy77xx
Grafter
Posts: 126
Registered: 21-09-2013

Re: Router log

thank you ejs   yeah first thing i did  comp is clean , all password changed    had no more since last night.  still have port 22 open  no idea why,  customer support  cant help either  just said do factory reset   which i had already done made no difference  Sad

Edit  port issue now been solved Smiley
Marksfish
Rising Star
Posts: 349
Thanks: 9
Fixes: 1
Registered: 22-11-2014

Re: Router log

Resurrecting this thread, did you ever get a result from this? I have set up  a new TG589 today and am getting similar, from a very similar ip range. Seems to be a bit fishy, is it something inbuilt?
LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:34:36 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:34:31 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:34:28 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:34:22 LOGOUT session of user admin killed (61.174.51.216)
Info Dec 30 20:34:07 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:34:04 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:33:45 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:33:42 LOGOUT session of user admin killed (61.174.51.216)
Info Dec 30 20:33:36 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:33:18 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:33:14 LOGOUT session of user admin killed (61.174.51.216)
Info Dec 30 20:32:58 LOGOUT session of user root killed (61.174.51.216)
Info Dec 30 20:32:47 LOGOUT session of user admin killed (61.174.51.216)
I notice however that some of mine say user admin killed. I am more than a tad worried about this. I have the firewall on, I have password protected the admin panel, so not sure what else to do?
Mark
Community Veteran
Posts: 5,172
Thanks: 480
Fixes: 20
Registered: 10-06-2010

Re: Router log

Try using a website such as http://ping.eu/port-chk/ or http://canyouseeme.org/ to find out if the router's web interface (tcp port 80) or its telnet interface (tcp port 23) are open to the Internet. If those ports are open, then they will be found fairly quickly and common default username and password combinations tried. It must be possible to configure the TG589 so that those services are only accessible from the LAN, although I don't know the exact place or commands to do that.
There is also the Plusnet Broadband Firewall https://portal.plus.net/my.html?action=firewall which could be set to "Low" to block incoming connections to common low numbered ports.
Marksfish
Rising Star
Posts: 349
Thanks: 9
Fixes: 1
Registered: 22-11-2014

Re: Router log

Thanks for the reply. I have checked the common ports on canyousee me as as the op, port 22 is open. Not really sure what SSH is, I vaguely recall something about it from years ago when I played with a cgi server. I also have port 81 open for a webcam, but they are the only 2. I had port 81 open on the PN provided router and never had this issue and I haven't yet used the PN firewall, instead relying on the router and Comodo to to the job for me.
Mark
Community Veteran
Posts: 1,841
Thanks: 103
Fixes: 6
Registered: 21-01-2013

Re: Router log

You can check for open ports with shields up.
https://www.grc.com/x/ne.dll?bh0bkyd2
Is the problem due to the routers default setting of having ports open to the ftp server for usb file sharing. IIRC it opens more than just port 21.
If you don't use file sharing to the internet, you could try unassigning ftp in "game and application sharing".
Marksfish
Rising Star
Posts: 349
Thanks: 9
Fixes: 1
Registered: 22-11-2014

Re: Router log

Quote
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

So i'm alright there, but this Chinese ip address is racking up the "LOGOUT session of user root killed" like there's no tomorrow. Does this mean they have gained access to the router or have tried and failed? Or am I just being totally paranoid?
Thanks
Community Veteran
Posts: 5,472
Thanks: 292
Fixes: 4
Registered: 11-08-2007

Re: Router log

Your router is being subjected to a brute force attack, where the Chinese hackers are trying to repeatedly login using SSH, but each time trying a different password/passphrase/passkey (at a rate of 10000 permutations a day) until they gain control of your router.
You MUST stealth your router's SSH port,  once it is stealthed then the router will stop replying to every login attempt, so the hackers will be unable to determine whether your router is still connected - and will hopefully give up.
If they do eventually get in via SSH, then they could easily redirect all your internet traffic to wherever they wanted, steal your online passwords, redirect your emails, and anything you do online could potentially be compromised.
A few ideas to consider -

  • Have you checked your router manufacturers website for any firmware updates?- which may have fixed an SSH security hole !.

  • Have you got "UPnP" enabled in the router ? - if so disable it and restart the router.

  • Does the router's remote access configuration have a tick box for SSH ? - ensure that all remote access protocols are disabled.

  • Setup a firewall rule to silently drop any incoming traffic from that Chinese IP address.

  • Check all port forward settings, and remove any forwarding for SSH (TCP port 22).


After checking the above points, retest using Shields UP! - "All Service Ports" test, and ensure all ports are stealthed.
Marksfish
Rising Star
Posts: 349
Thanks: 9
Fixes: 1
Registered: 22-11-2014

Re: Router log

Thanks for the suggestions.

  • Nothing on the Technicolor website. No support, no nothing if an end user  Angry

  • UPNP switched off, a bit off really as it has always been on with my other routers and not had an effect

  • Remote access is not enabled

  • Not sure how to set up a firewall rule to drop traffic, will have to have a little Google

  • The only port forwarding is to my webcam, all others turned off that I can see


Shiels Up result again:
Quote
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

Hopefully that means I should be okay and the router is doing its bit. I notice the attacking ip has changed now to 103.41.124.44, so from China to Hong Kong!! Unfortunately, the log only shows the last 50 entries with no option to download it Sad
Thanks
Mark
Community Veteran
Posts: 5,472
Thanks: 292
Fixes: 4
Registered: 11-08-2007

Re: Router log

Quote from: Marksfish
port 22 is open. Not really sure what SSH is

SSH is used by system administrators to remotely login to a device, and take control using command line instructions.

Quote from: Marksfish
Shields Up result again:
Quote
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

That is the result from the big yellow button marked "GRC's Instant UPnP Exposure Test", which shows that ports cannot be opened on demand from an external attacker.  The problem you have is that the Chinese hackers have already found an open SSH port on your router.

Instead of doing the "UPnP Exposure Test", immediately below that button there is a grey button called "All Service Ports", click on that.
The result should look like mine -

While your SSH port is still visible, then the brute force attack will continue until either the hackers succeed or you hide the port.

Quote from: Marksfish
Hopefully that means I should be okay and the router is doing its bit.

While the SSH port is visible to the internet, the hackers know that there is a way into your system.
At the moment your router is receiving remote login attempts, and it is reporting back to them that the "password" failed, so the hackers will sit there with an automated passcode generator stepping though likely combinations until they hit on a valid combination and take control of your router.
So no your router is not "doing its bit" as it is responding to SSH requests, and you are currently only protected as the hackers have not yet guessed the SSH password.
Marksfish
Rising Star
Posts: 349
Thanks: 9
Fixes: 1
Registered: 22-11-2014

Re: Router log

I have run that and the ports 22 & 81 are open. 81 is my webcam and I opened that.
I then turned on the PN firewall and turned off uPNP. Ports 22 & 81 still show open, but there are a huge amount of blue squares now saying port closed. I think I am fighting a losing battle here with my lack of tech experience  Crazy
I don't want to restart the router again in case DLM comes into play.
Mark
Marksfish
Rising Star
Posts: 349
Thanks: 9
Fixes: 1
Registered: 22-11-2014

Re: Router log

I resorted to a factory reset and tested "out of the box". Port 22 is still open  Angry. I ran a User-Specified Custom Port Probe which returned the following:
Quote
Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.
Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
Ping Echo: PASSED — Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests) from our server.

There is very little info out there about Thomson/ Technicolor routers, especially when it comes to stealthing ports, it doesn't look like something that can be done from the front end.
Mark