cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Am I being hacked?

FIXED
joew60
Newbie
Posts: 2
Registered: ‎19-03-2018

Am I being hacked?

‎19-03-2018 11:29 PM

Hi,

 

the last sat couple of evenings my broadband speed has dropped to the point I can’t get a connection. The router log shows a series of remote administration records.

 

 

23:21:32, 19 Mar. ( 6108.820000) Admin login successful by 192.168.1.64 on HTTP *** my login ***
23:20:48, 19 Mar. ( 6064.030000) New GUI session from IP 192.168.1.64. *** my session ***
23:13:43, 19 Mar. IN: BLOCK [16] Remote administration (TCP [210.100.234.162]:48169-​>[46.208.10.94]:22 on ppp3)
23:09:17, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33464 on ppp3)
23:09:08, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33463 on ppp3)
23:08:58, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33462 on ppp3)
23:08:49, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33461 on ppp3)
23:08:39, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33460 on ppp3)
23:08:29, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33459 on ppp3)
23:08:20, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33458 on ppp3)
23:08:10, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33457 on ppp3)
23:08:01, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33456 on ppp3)
23:07:51, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33455 on ppp3)
23:07:41, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33454 on ppp3)
23:07:32, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33453 on ppp3)
23:07:22, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33452 on ppp3)
23:07:13, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33451 on ppp3)
23:07:03, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33450 on ppp3)
23:06:54, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33449 on ppp3)
23:06:44, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33448 on ppp3)
23:06:34, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33447 on ppp3)
23:06:25, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33446 on ppp3)
23:06:15, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33445 on ppp3)
23:06:06, 19 Mar. IN: BLOCK [16] Remote administration (UDP [91.240.224.50]:44486-​>[46.208.10.94]:33444 on ppp3)
22:55:22, 19 Mar. IN: BLOCK [16] Remote administration (TCP [198.98.53.73]:53221-​>[46.208.10.94]:22 on ppp3)
22:54:31, 19 Mar. IN: BLOCK [16] Remote administration (TCP [212.92.127.26]:45854-​>[46.208.10.94]:8080 on ppp3)
22:48:56, 19 Mar. IN: BLOCK [16] Remote administration (TCP [103.89.91.193]:50494-​>[46.208.10.94]:22 on ppp3)
22:40:38, 19 Mar. IN: BLOCK [16] Remote administration (TCP [186.62.37.76]:24126-​>[46.208.10.94]:22 on ppp3)
22:22:40, 19 Mar. IN: BLOCK [16] Remote administration (TCP [39.135.17.43]:161-​>[46.208.10.94]:161 on ppp3)
22:21:56, 19 Mar. IN: BLOCK [16] Remote administration (TCP [39.135.17.39]:161-​>[46.208.10.94]:161 on ppp3)
22:21:45, 19 Mar. BLOCKED 1 more packets (because of Remote administration)
22:21:44, 19 Mar. IN: BLOCK [16] Remote administration (TCP [122.2.223.242]:63803-​>[46.208.10.94]:22 on ppp3)
22:13:21, 19 Mar. IN: BLOCK [16] Remote administration (TCP [115.231.219.29]:6000-​>[46.208.10.94]:80 on ppp3)
22:09:11, 19 Mar. IN: BLOCK [16] Remote administration (TCP [212.92.127.26]:42322-​>[46.208.10.94]:8080 on ppp3)
22:08:09, 19 Mar. IN: BLOCK [16] Remote administration (TCP [27.191.235.90]:6910-​>[46.208.10.94]:22 on ppp3)
22:00:38, 19 Mar. IN: BLOCK [16] Remote administration (TCP [89.178.17.188]:3363-​>[46.208.10.94]:22 on ppp3)
21:57:34, 19 Mar. OUT: BLOCK [65] First packet is Invalid (Packet not in tcp window: TCP [192.168.1.66]:51677-​>[17.252.60.25]:5223 on ppp3)
21:54:32, 19 Mar. IN: BLOCK [16] Remote administration (TCP [212.92.127.26]:54611-​>[46.208.10.94]:8080 on ppp3)
21:53:22, 19 Mar. OUT: BLOCK [65] First packet is Invalid (Invalid tcp flags for current tcp state: TCP [192.168.1.64]:64213-​>[23.56.3.183]:443 on ppp3)
21:46:43, 19 Mar. IN: BLOCK [16] Remote administration (TCP [103.89.91.193]:60423-​>[46.208.10.94]:22 on ppp3)
21:44:17, 19 Mar. IN: BLOCK [15] Default policy (TCP [17.252.59.246]:443-​>[46.208.10.94]:64110 on ppp3)
21:44:09, 19 Mar. IN: BLOCK [15] Default policy (TCP [217.146.190.234]:993-​>[46.208.10.94]:64035 on ppp3)
21:44:07, 19 Mar. IN: BLOCK [15] Default policy (TCP [111.56.16.93]:59665-​>[46.208.10.94]:1433 on ppp3)
21:43:57, 19 Mar. IN: BLOCK [15] Default policy (TCP [77.72.82.103]:40047-​>[46.208.10.94]:9292 on ppp3)
21:43:53, 19 Mar. IN: BLOCK [15] Default policy (TCP [114.143.24.36]:48806-​>[46.208.10.94]:1433 on ppp3)
21:43:52, 19 Mar. IN: BLOCK [15] Default policy (TCP [217.146.190.234]:993-​>[46.208.10.94]:64035 on ppp3)
21:43:45, 19 Mar. IN: BLOCK [15] Default policy (TCP [46.161.55.106]:54161-​>[46.208.10.94]:5038 on ppp3)
21:43:43, 19 Mar. IN: BLOCK [15] Default policy (TCP [217.146.190.234]:993-​>[46.208.10.94]:64035 on ppp3)
21:43:40, 19 Mar. BLOCKED 1 more packets (because of Default policy)
21:43:36, 19 Mar. IN: BLOCK [15] Default policy (TCP [217.146.190.234]:993-​>[46.208.10.94]:64035 on ppp3)
21:43:36, 19 Mar. BLOCKED 4 more packets (because of Default policy)
21:43:35, 19 Mar. IN: BLOCK [15] Default policy (TCP [217.146.190.234]:993-​>[46.208.10.94]:64035 on ppp3)
21:43:34, 19 Mar. IN: BLOCK [15] Default policy (TCP [79.170.44.129]:993-​>[46.208.10.94]:63801 on ppp3)
21:43:24, 19 Mar. IN: BLOCK [15] Default policy (TCP [79.170.44.129]:993-​>[46.208.10.94]:63800 on ppp3)
21:43:09, 19 Mar. ( 205.830000) Admin login successful by 192.168.1.64 on HTTP
21:43:09, 19 Mar. IN: BLOCK [15] Default policy (TCP [201.42.42.228]:28480-​>[46.208.10.94]:23 on ppp3)
21:43:03, 19 Mar. IN: BLOCK [15] Default policy (TCP [17.252.60.24]:443-​>[46.208.10.94]:63987 on ppp3)
21:43:03, 19 Mar. BLOCKED 3 more packets (because of Default policy)
21:43:03, 19 Mar. IN: BLOCK [15] Default policy (TCP [17.252.60.24]:443-​>[46.208.10.94]:63987 on ppp3)
21:42:56, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63977 on ppp3)
21:42:51, 19 Mar. BLOCKED 2 more packets (because of Default policy)
21:42:49, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63979 on ppp3)
21:42:45, 19 Mar. BLOCKED 1 more packets (because of Default policy)
21:42:44, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63974 on ppp3)
21:42:43, 19 Mar. IN: BLOCK [15] Default policy (TCP [185.143.223.214]:43096-​>[46.208.10.94]:5106 on ppp3)
21:42:40, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63979 on ppp3)
21:42:39, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63971 on ppp3)
21:42:38, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63978 on ppp3)
21:42:37, 19 Mar. BLOCKED 1 more packets (because of Default policy)
21:42:36, 19 Mar. BLOCKED 2 more packets (because of Default policy)
21:42:34, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63977 on ppp3)
21:42:34, 19 Mar. BLOCKED 3 more packets (because of Default policy)
21:42:33, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63977 on ppp3)
21:42:33, 19 Mar. BLOCKED 6 more packets (because of Default policy)
21:42:32, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63978 on ppp3)
21:42:32, 19 Mar. BLOCKED 12 more packets (because of Default policy)
21:42:32, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63979 on ppp3)
21:42:32, 19 Mar. BLOCKED 14 more packets (because of Default policy)
21:42:30, 19 Mar. IN: BLOCK [15] Default policy (TCP [80.239.244.95]:443-​>[46.208.10.94]:63978 on ppp3)
21:42:20, 19 Mar. OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.64]:64098-​>[79.170.44.129]:993 on ppp3)
21:42:02, 19 Mar. ( 138.330000) CWMP: session completed successfully
21:42:02, 19 Mar. ( 138.150000) CWMP: HTTP authentication success from https://dbtpnhdm.bt.mo
21:42:02, 19 Mar. IN: BLOCK [15] Default policy (TCP [199.117.180.13]:443-​>[46.208.10.94]:44818 on ppp3)
21:41:59, 19 Mar. ( 134.970000) NTP synchronization success!
21:41:56, 19 Mar. ( 131.250000) CWMP: Server URL: https://dbtpnhdm.bt.mo; Connecting as user: ACS username
21:41:56, 19 Mar. ( 131.240000) CWMP: Session start now. Event code(s): '1 BOOT,4 VALUE CHANGE'
21:41:55, 19 Mar. ( 130.650000) NTP synchronization start
21:41:54, 19 Mar. ( 129.770000) WAN operating mode is VDSL
21:41:54, 19 Mar. ( 129.770000) Last WAN operating mode was VDSL
21:41:53, 19 Mar. ( 128.720000) PPP IPCP Receive Configuration ACK
21:41:53, 19 Mar. ( 128.710000) PPP IPCP Send Configuration Request
21:41:53, 19 Mar. ( 128.700000) PPP IPCP Receive Configuration NAK
21:41:53, 19 Mar. ( 128.690000) PPP IPCP Send Configuration ACK
21:41:53, 19 Mar. ( 128.690000) PPP IPCP Receive Configuration Request
21:41:53, 19 Mar. ( 128.690000) PPP IPCP Send Configuration Request
21:41:52, 19 Mar. ( 127.820000) PPPoE is up -​ Down Rate=56647Kbps, Up Rate=11141Kbps; SNR Margin Down=6.1dB, Up=6.1dB
21:41:52, 19 Mar. ( 127.800000) CHAP authentication successful
21:41:52, 19 Mar. ( 127.740000) CHAP Receive Challenge
21:41:52, 19 Mar. ( 127.740000) Starting CHAP authentication with peer
21:41:52, 19 Mar. ( 127.740000) PPP LCP Receive Configuration ACK

 

Any suggestions would be appreciated.

 

Many thanks 

Message 1 of 4
(5,557 Views)
0 Thanks
3 REPLIES 3
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: Am I being hacked?

Fix

‎20-03-2018 7:26 AM

Looks like a port scan to see if you've any open services running on your network. Do you have anything intentionally exposed to the Internet? If not, the good news is that things are being blocked.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 2 of 4
(5,513 Views)
0 Thanks
joew60
Newbie
Posts: 2
Registered: ‎19-03-2018

Re: Am I being hacked?

‎20-03-2018 11:38 AM

Thanks,

 

No internet exposed ports, most of my settings are standard, only put static IPs on some devices. Shields-up shows green across all service ports.

 

Guessing I can just ignore it apart from nuisance value.

 

 

Message 3 of 4
(5,463 Views)
0 Thanks
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: Am I being hacked?

‎20-03-2018 2:24 PM - edited ‎20-03-2018 2:24 PM

Yep, I wouldn't be too concerned, especially if Shields-up comes back clear.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 4 of 4
(5,436 Views)
0 Thanks