
Router reports "Security Alert"

JayG
Pro
Posts: 957
Thanks: 82
Fixes: 3
Registered: 30-10-2011

Router reports "Security Alert"

My PC has been "sleeping" for the last few hours but on waking it I have found a "security alert" email message from my Netgear DG834 from "TCP Packet - source:85.101.182.183,2777" (destination my current IP address.) The source IP appears to be allocated to "Turk Telekom" in Istanbul.
Not the first alert I've received from the router (it's set up to email the alerts and I probably get one every fortnight or so) but this one is different in that the router immediately started continuous high speed downloading activity at the same time the message was received.
After about 5 minutes of this continuous download activity (and a quick panic!) I started a new PPP session via the router interface to obtain a new IP address (previously 31.XXX now 84.93.XXX) and am currently doing a full security scan, which has found nothing untoward (so far).
The unrequested download activity has now ceased -  has this happened to anyone else or can anyone please shed any light on what is a unique event as far as I am concerned?
12 REPLIES
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: 31-08-2007

Re: Router reports "Security Alert"

Check your usage at the member centre to see what sort of amount was downloaded. You'll have to make some sort of guess as to what else you'd done that day. Also have a look at the usage breakdown to see if there's anything there that you don't do (P2P for example?).
Also, if you don't do gaming, P2P etc. might be worth having a look at https://portal.plus.net/my.html?action=firewall (login required) and make sure it's set to low, or at least not Off, or any specific settings are as you want.
I assume the firewall is available on all accounts, I don't know, never asked, there's a help page at http://www.plus.net/support/security/firewalls/broadbandfirewall.shtml .
Routefinder
Grafter
Posts: 382
Thanks: 1
Registered: 01-08-2007

Re: Router reports "Security Alert"

Interesting that like you I get the occasional Security alerts from my Netgear and this IP 88.253.212.232 is also Turkey
Also this one from China 221.192.199.49
Had a few since the 9th April and the 21st April... now the Netgear should block any irregular activity but as a safeguard I will check my Usage for any suspicious activity. And not sure what my PlusNet Firewall is set to but for the record I use Windows defender, ESET Security and the Router is locked down as far as new wireless devices wanting to connect is concerned.
Right PlusNet Firewall on Low and my Usage looks kind of normal as I never reach my max allowance ~ my figures are normally made up of Web and Streaming and Mail, though a small amount of "other" is shown and no Gaming, P2P or UseNet.
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: 31-08-2007

Re: Router reports "Security Alert"

That sounds ok Routefinder, and ESET has a good reputation. I don't know if you've come across a program called Malwarebytes Anti-Malware. I try and run that (the free version) once a week. Can take a while to run if you have a large drive, but it's a good program for hunting out the spyware and tracking stuff.
JayG
Pro
Posts: 957
Thanks: 82
Fixes: 3
Registered: 30-10-2011

Re: Router reports "Security Alert"

Firstly, thanks for the replies, especially Anotherone who clearly puts in a lot of effort to help other members.
As far as I am aware all router, PC and account security settings are in place and optimised.
Full MSE and Malwarebytes scans found nothing amiss - Turkey seems to have its share of cyber-baddies but I don't suppose it's worse than many other locations.
What is now baffling me is that my daily usage breakdown for yesterday (23rd April) shows 329MB overnight usage and 748MB daytime usage - although the mystery download activity (which could have been upload - can't tell) at around 2240 yesterday could account for some of it, I downloaded 1 1/2 hours of iPlayer content to the desktop player and am certain this completed before 0800 yesterday morning.
In that respect yesterday's breakdown figures don't make sense - is it possible for one of the DCT to look more closely at these figures please? (I'm not bashful but a PM or email would be fine if protocol or data protection laws don't allow it to be posted on here.)

Edit: I should add that other than the occasional "free" iPlayer download I only use the net for surfing, and my usual daily usage is around 100MB - yesterday should have been no different!
jojopillo
Grafter
Posts: 9,786
Registered: 16-06-2010

Re: Router reports "Security Alert"


Hour           Upload (MB)  Downloaded (MB)
0             0.0235             0.0039
1             0.0243             0.0044
2             0.0248             0.0040
3             0.0249             0.0040
4             0.0249             0.0039
5             0.0248             0.0040
6             0.0249             0.0040
7             5.0135           323.8261
8             1.6583             8.8681
9             1.4029             9.0266
10             1.0383             5.1886
11             0.8697             3.7952
12             1.0510             4.5599
13             2.2370           22.5399
14             0.8599             3.0858
15             2.2204           11.0891
16             1.1999             8.9502
17             0.5944             3.3161
18             1.4786             9.8885
19             0.9505             4.3617
20             0.3166             1.0219
21             0.0765             0.0908
22             11.3145           620.7017
23             0.7249             3.8812

iPlayer download definitely before 8am. Not sure what caused that usage between 10-11pm
Jojo
JayG
Pro
Posts: 957
Thanks: 82
Fixes: 3
Registered: 30-10-2011

Re: Router reports "Security Alert"

Thanks for that Jojo - that makes two of us, and this one of us is more baffled than ever!
The 323MB between 0700 and 0800 corresponds to "Have I got news for you" download size, and the 620MB between 2200 and 2300 more or less corresponds to "The Bridge", the problem being that I downloaded the latter before the former, and also checked the progress via Routerstats, and then that it was showing in the desktop iPlayer programme list before closing it down, and I certainly didn't request it again later.
I'll be watching that green router light like a hawk from now on (and probably checking my medication!)
Routefinder
Grafter
Posts: 382
Thanks: 1
Registered: 01-08-2007

Re: Router reports "Security Alert"

Quote from: Anotherone
That sounds ok Routefinder, and ESET has a good reputation. I don't know if you've come across a program called Malwarebytes Anti-Malware. I try and run that (the free version) once a week. Can take a while to run if you have a large drive, but it's a good program for hunting out the spyware and tracking stuff.

Yup, I use Malware Bytes & SuperAntiSpyware... updating and scanning about once a month. Maybe should do those more often but for the record it/they detect mostly tracking cookies and once in a blue moon a false positive Trojan they think is embedded in say a Java installer.
luvyapnut
Newbie
Posts: 6
Registered: 11-11-2012

Re: Router reports "Security Alert"

I get dozens of notification emails weekly from my router that I can trace back to any number of locations in Turkey.
Is this normal? Does Plusnet route through any of these locations? Should I worry about them? Should I change my router password?
I have the router configured so that ONLY the MAC addresses of my home computers are allowed access.
Superuser
Superuser
Posts: 9,666
Thanks: 1,070
Fixes: 59
Registered: 06-04-2007

Re: Router reports "Security Alert"

If the alerts you are referring to are like the following:
Error      Jan 24 15:25:01  FIREWALL icmp check (1 of 2):
                                      Protocol: ICMP Src ip: 142.4.38.49 Dst ip: xxx.xxx.xxx.xxx
                                      Type: Destination Unreachable Code: Port Unreacheable
Warning  Jan 24 14:34:31  IDS proto parser : tcp null port (1 of 1) : 119.10.114.192 xxx.xxx.xxx.xxx
                                      0060 TCP 0->0 [SFARU.] seq 3355065698 ack 0 win 443
they are normal and nothing to do with Plusnet.  The source IPs are probing your connection for vulnerabilities and the router firewall has blocked the attempts, as it should do. They could be from IPs in any country, not just Turkey; the two I've listed above are from USA and China. They are nothing to worry about.
David
luvyapnut
Newbie
Posts: 6
Registered: 11-11-2012

Re: Router reports "Security Alert"

They are like this:
Dear User
Your router has detected and protected you against an attempt to gain access to your network.  This may have been an attempted hacker intrusion, or perhaps just your Internet Service Provider doing routine network maintenance.
Most of these network probes are nothing to be worried about - these types of random probes should NOT be reported, but you may want to report repeated intrusions attempts.  Save this email for comparison with future alert messages.
Your router Alert Information
Time: 01/25/2013, 14:55:55
Message: LAND
Source: 85.106.158.224, 3990
Destination:87.115.XXX.XXX, 80 (from ATM1 Inbound)
--and the emboldened IP address is usually different but sometimes the same.
The majority of them, 9/10 are from Turkey. I have traced them with an IP Lookup program.
http://ip-address-lookup-v4.com/ip/85.106.158.224
adie:green removed users IP address.
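
The alert e-mails quoted above have a fixed layout, so saved copies can be tallied to separate one-off probes from repeated sources, which is what the router's own message suggests keeping them for. The following Python sketch is an added example, not part of any forum post or of Netgear's software; the sample alerts and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed alert bodies in the layout quoted above; the addresses are
# documentation ranges (RFC 5737), not real sources.
SAMPLE_ALERTS = """\
Time: 01/25/2013, 14:55:55
Message: LAND
Source: 198.51.100.24, 3990
Destination:203.0.113.7, 80 (from ATM1 Inbound)

Time: 01/25/2013, 19:02:10
Message: LAND
Source: 198.51.100.24, 4012
Destination:203.0.113.7, 80 (from ATM1 Inbound)

Time: 01/26/2013, 03:40:00
Message: TCP Packet
Source: 192.0.2.99, 2777
Destination:203.0.113.XXX, 23 (from ATM1 Inbound)
"""

ALERT_RE = re.compile(
    r"Time:\s*(?P<time>\d{2}/\d{2}/\d{4}, \d{2}:\d{2}:\d{2})\s*\n"
    r"Message:\s*(?P<msg>.+?)\s*\n"
    r"Source:\s*(?P<src>[\d.]+),\s*(?P<sport>\d+)\s*\n"
    r"Destination:\s*(?P<dst>[\dXx.]+),\s*(?P<dport>\d+)"
)

def parse_alerts(text):
    """Return one dict per alert; the time format is MM/DD/YYYY as in the post."""
    return [{
        "time": datetime.strptime(m["time"], "%m/%d/%Y, %H:%M:%S"),
        "message": m["msg"],
        "src": m["src"],
        "dst_port": int(m["dport"]),
    } for m in ALERT_RE.finditer(text)]

def repeated_sources(alerts, threshold=2):
    """Sources seen at least `threshold` times (the repeats worth keeping)."""
    counts = Counter(a["src"] for a in alerts)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def ports_probed(alerts):
    """Map each destination port to the sorted sources that probed it."""
    ports = defaultdict(set)
    for a in alerts:
        ports[a["dst_port"]].add(a["src"])
    return {port: sorted(srcs) for port, srcs in ports.items()}
```

The destination pattern accepts masked octets (XXX) so alerts that have been redacted before saving still parse.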
Superuser
Superuser
Posts: 9,666
Thanks: 1,070
Fixes: 59
Registered: 06-04-2007

Re: Router reports "Security Alert"

That looks to be the same sort of thing as I mentioned, random probing seeking vulnerabilities. This is the sort of thing that unfortunately occurs, but the router's firewall is doing its job and blocking access. So nothing to be concerned about.
David
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: 31-08-2007

Re: Router reports "Security Alert"

spraxyt has already advised that these result from "probes" from the source IP addresses looking for vulnerabilities. Other possibilities are they are looking for P2P connections etc.
The IP address you are currently on (which you shouldn't post in a public forum for your own protection) may have previously been used by someone who was using P2P or similar.
None of these things are as a result of any Plusnet routing or anything to do with Plusnet. They aren't uncommon (unfortunately). Last week I was getting repeated probes on port 23 and 14143 coming from Brazil and China, the latter port which I haven't discovered any particular significance of yet, these amongst a number of other ports that were being probed.
However, I wouldn't say it was nothing to be worried or concerned about (sorry spraxyt), but nothing to panic about, as your firewalls are doing their job. It is advisable that you make sure (& check) that you are as secure as you can be dependent on your usage and program requirements. Also run Anti-malware and Anti-virus programs to check your system is clean.
I mentioned about the Plusnet Firewall in my reply #1, make sure it is set on at least Low unless you need to allow access to any of those ports. Use a higher setting if appropriate to your needs.
There is also Plusnet's Safe Surf option. Set this to block those ports if you don't use any of those applications.
Both of those will block traffic on those ports from reaching your modem/router. If you make changes to the Firewall or Safe Surf options you will need to drop your PPP session and reconnect before they take effect (your IP address will change as a consequence as well, unless you are on a fixed IP).
Also visit http://www.grc.com/default.htm and make use of ShieldsUP!
There are also a number of other useful facilities on that site you may want to use.
HTH.