cancel
Showing results for 
Search instead for 
Did you mean: 

Hub One Logs - Suspicious activity?

bales1983
Grafter
Posts: 29
Thanks: 1
Registered: ‎01-12-2015

Hub One Logs - Suspicious activity?

Hi Guys,
Have a new Plusnet Hub One and last night i saw some activity which i was wondering if anyone could interpret?
It seems to be incoming connections aimed at a device that was switched off at the time?
Can anyone make sense of what this may be? (replaced my external IP with ***.***.***.***) also i have no port forwarding set up so maybe UPNP?
Many thanks all Smiley
05:15:14, 11 Dec. IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [178.93.251.109]:6881 ppp3 NAPT)
05:13:14, 11 Dec. IN: ACCEPT [54] Connection opened (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [178.93.251.109]:6881 ppp3 NAPT)
05:09:26, 11 Dec. IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]]:6889 -​ -​ -​ [137.175.217.57]:9232 ppp3 NAPT)
05:07:26, 11 Dec. IN: ACCEPT [54] Connection opened (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [137.175.217.57]:9232 ppp3 NAPT)
05:00:48, 11 Dec. IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​>[***.***.***.***]:6889 -​ -​ -​ [110.142.118.100]:50321 ppp3 NAPT)
04:58:48, 11 Dec. IN: ACCEPT [54] Connection opened (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [110.142.118.100]:50321 ppp3 NAPT)
04:57:30, 11 Dec. IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [52.1.199.191]:8618 ppp3 NAPT)
04:57:10, 11 Dec. IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [61.150.43.122]:1727 ppp3 NAPT)
04:55:30, 11 Dec. IN: ACCEPT [54] Connection opened (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [52.1.199.191]:8618 ppp3 NAPT)
04:55:11, 11 Dec. IN: ACCEPT [54] Connection opened (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [61.150.43.122]:1727 ppp3 NAPT)
04:52:37, 11 Dec. IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [41.37.184.5]:6881 ppp3 NAPT)
04:50:38, 11 Dec. IN: ACCEPT [54] Connection opened (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [41.37.184.5]:6881 ppp3 NAPT)
04:50:12, 11 Dec. IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [121.216.47.78]:50348 ppp3 NAPT)
04:48:12, 11 Dec. IN: ACCEPT [54] Connection opened (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]]:6889 -​ -​ -​ [121.216.47.78]:50348 ppp3 NAPT)
04:38:01, 11 Dec. IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [95.56.67.130]:12767 ppp3 NAPT)
04:36:01, 11 Dec. IN: ACCEPT [54] Connection opened (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]]:6889 -​ -​ -​ [95.56.67.130]:12767 ppp3 NAPT)
04:20:17, 11 Dec. IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​> [***.***.***.***]:6889 -​ -​ -​ [202.169.225.52]:58050 ppp3 NAPT)
04:18:17, 11 Dec. IN: ACCEPT [54] Connection opened (Port Forwarding: UDP [192.168.1.99]:6889 <-​-​>[***.***.***.***]:6889 -​ -​ -​ [202.169.225.52]:58050 ppp3 NAPT)
3 REPLIES
minkey
Grafter
Posts: 386
Registered: ‎22-07-2007

Re: Hub One Logs - Suspicious activity?

UDP over port 6889 is quite often attributed to bittorrent connections.
Do you have any torrent software installed? It probably though, if you are on a non-static IP that someone who used to have your current IP was using torrent software and it's still being broadcast as a possible connection.
bales1983
Grafter
Posts: 29
Thanks: 1
Registered: ‎01-12-2015

Re: Hub One Logs - Suspicious activity?

To be honest I have used uTorrent on that system for downloading Linux images so maybe it was that? As i say though the pc was off at the time. I do have a static IP so I can understand how something may have been directing to me for bits of a file but what I dont quite follow is how with 3 separate pc's that have all used bittorrent, the router chose to direct the requests to that one? Smiley
Community Veteran
Posts: 5,228
Thanks: 495
Fixes: 22
Registered: ‎10-06-2010

Re: Hub One Logs - Suspicious activity?

Only one computer can use port 6889 on your external IP at any one time, so the router must have stored which computer used port 6889 last.