Router Log Showing Security Problem?
15-06-2008 9:58 AM
A friend of mine runs a small business. I installed a Netgear router and set it to email me the log once a week. The router has been set to block sites on certain keywords, essentially porn sites and some social networks.
His business premises are closed at weekends, yet the router showed a lot of links made over the weekend to a host of different countries. He is running Kaspersky and is up to date so (should) be virus and malware free. Although the PC is probably left on at weekends, there isn’t any ‘messenger’ software installed or anything else that would obviously make these types of contacts.
I have posted the part of the log concerned and x’d out some of his IP address. Having looked at the log, do any of you have a good idea what is happening here?
Cheers...
Fri, 2008-06-13 17:57:57 - Initialize LCP.
Fri, 2008-06-13 17:57:57 - LCP is allowed to come up.
Fri, 2008-06-13 17:58:03 - CHAP authentication success
Fri, 2008-06-13 18:03:21 - TCP Packet - Source:85.197.216.15,22112 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 18:15:38 - TCP Packet - Source:67.86.215.253,50620 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 18:22:06 - TCP Packet - Source:91.177.136.156,56234 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 18:22:12 - TCP Packet - Source:91.177.136.156,56243 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 18:38:28 - TCP Packet - Source:82.80.131.103,56308 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 18:38:28 - TCP Packet - Source:77.101.224.113,3112 Destination:86.xxx.xx.xx,45682 - [DOS]
Fri, 2008-06-13 18:38:28 - TCP Packet - Source:81.224.116.93,61446 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 19:07:48 - TCP Packet - Source:124.100.144.125,50621 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 19:17:03 - TCP Packet - Source:86.136.234.236,6271 Destination:86.xxx.xx.xx,445 - [DOS]
Fri, 2008-06-13 19:17:03 - TCP Packet - Source:60.242.138.223,13067 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 19:19:44 - TCP Packet - Source:209.59.79.112,53656 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 21:45:02 - TCP Packet - Source:189.18.187.27,4395 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 21:45:02 - TCP Packet - Source:78.147.15.98,54277 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 22:11:38 - TCP Packet - Source:122.167.3.164,50038 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 23:40:34 - TCP Packet - Source:65.26.40.146,33641 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 23:40:37 - TCP Packet - Source:80.2.14.251,55910 Destination:86.xxx.xx.xx,41571 - [DOS]
Fri, 2008-06-13 23:40:37 - TCP Packet - Source:80.2.14.251,56313 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 00:12:28 - TCP Packet - Source:193.239.244.130,3521 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 02:09:49 - TCP Packet - Source:87.119.160.82,53888 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 10:57:16 - TCP Packet - Source:24.130.172.41,1849 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 10:57:19 - TCP Packet - Source:121.15.220.104,12200 Destination:86.xxx.xx.xx,8080 - [DOS]
Sat, 2008-06-14 10:57:19 - TCP Packet - Source:82.181.88.82,42498 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 10:57:24 - TCP Packet - Source:68.255.97.165,4495 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 15:02:17 - TCP Packet - Source:86.121.15.85,45891 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 15:02:20 - TCP Packet - Source:118.101.43.164,5448 Destination:86.xxx.xx.xx,45682 - [DOS]
Sat, 2008-06-14 15:02:20 - TCP Packet - Source:86.121.15.85,45891 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 15:02:23 - TCP Packet - Source:60.50.239.17,11319 Destination:86.xxx.xx.xx,45682 - [DOS]
Sat, 2008-06-14 15:02:24 - TCP Packet - Source:68.198.228.125,52593 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 15:02:27 - TCP Packet - Source:86.121.15.85,45891 Destination:86.xxx.xx.xx,41571 - [DOS]
Sat, 2008-06-14 18:25:12 - TCP Packet - Source:212.76.37.158,58874 Destination:86.xxx.xx.xx,41571 - [DOS]
Re: Router Log Showing Security Problem?
15-06-2008 10:30 AM
You can ignore those reports as they are false.
First, these are incoming connection attempts, not outgoing, and are normal 'internet noise' that everyone gets. The clue here is the source is external and the destination internal.
Second, DOS stands for Denial Of Service but you are not getting a DOS attack. The router is falsely reporting DOS after only seeing single packets whereas a DOS attack involves 1000s of packets every second to try and flood your connection to stop it working.
The Netgear router falsely reports single packets as DOS. Either ignore them or turn off the reporting of DOS in the router as it is meaningless and only causes confusion.
Re: Router Log Showing Security Problem?
15-06-2008 11:33 AM
Hi Peter
Thanks for a quick and thorough response, much appreciated.
Regards
Peter
Re: Router Log Showing Security Problem?
15-06-2008 12:04 PM
AAMOI is that a dynamic or fixed IP ?
Re: Router Log Showing Security Problem?
15-06-2008 12:29 PM
Just checked over the last few weeks' logs and it changes so must be dynamic.
Re: Router Log Showing Security Problem?
15-06-2008 4:35 PM
Hmm, wonder if it's P2P afterglow? (I noticed they were almost all to the same port)
Re: Router Log Showing Security Problem?
15-06-2008 4:42 PM
I wondered about that as well but AFAIAA there isn't any P2P software installed, unless the router picked up an IP that had just been used for a P2P session. I will check for P2P software next time I am there.
Re: Router Log Showing Security Problem?
15-06-2008 6:01 PM
I'm thinking of the latter -- picking up an IP -- rather than the user having p2p s/w.
I used to get this a lot in my ZA logs when I was using a regular ADSL modem and got a new IP at least daily.
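A way to check the two observations made in the replies above (isolated inbound packets rather than a flood, and nearly all hits landing on one port), as an added example that is not part of any post in this thread. It assumes the log format shown in the first post; the function names, the 60-second window and the sample entries are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# One "[DOS]" entry in the format posted in the thread. \s+ between fields lets
# it match text where entries are run together or wrapped mid-entry.
ENTRY = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+-\s+TCP Packet\s+-\s+"
    r"Source:([\d.]+),(\d+)\s+Destination:([\dx.]+),(\d+)\s+-\s+\[DOS\]"
)

# Constructed sample: documentation-range sources, masked destination as in the post.
SAMPLE = (
    "Fri, 2008-06-13 18:03:21 - TCP Packet - Source:192.0.2.15,22112 Destination:86.xxx.xx.xx,41571 - [DOS] "
    "Fri, 2008-06-13 18:15:38 - TCP Packet - Source:198.51.100.253,50620 Destination:86.xxx.xx.xx,41571 - [DOS] "
    "Fri, 2008-06-13 18:22:06 - TCP Packet - \nSource:203.0.113.156,56234 Destination:86.xxx.xx.xx,41571 - [DOS] "
    "Fri, 2008-06-13 18:22:12 - TCP Packet - Source:203.0.113.156,56243 Destination:86.xxx.xx.xx,41571 - [DOS] "
    "Fri, 2008-06-13 18:38:28 - TCP Packet - Source:192.0.2.113,3112 Destination:86.xxx.xx.xx,45682 - [DOS] "
    "Fri, 2008-06-13 19:17:03 - TCP Packet - Source:198.51.100.236,6271 Destination:86.xxx.xx.xx,445 - [DOS]"
)

def parse(text):
    """Return (timestamp, src_ip, src_port, dst_port) for every [DOS] entry."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, int(sp), int(dp))
            for ts, src, sp, _dst, dp in ENTRY.findall(text)]

def summarize(text, window_s=60):
    """Tally destination ports and sources, and find the busiest time window."""
    events = parse(text)
    ports = Counter(dp for _, _, _, dp in events)
    times = sorted(t for t, _, _, _ in events)
    peak, lo = 0, 0
    for hi, t in enumerate(times):
        # Slide the window start forward until it spans less than window_s.
        while (t - times[lo]).total_seconds() >= window_s:
            lo += 1
        peak = max(peak, hi - lo + 1)
    top = ports.most_common(1)
    return {"entries": len(events),
            "unique_sources": len({src for _, src, _, _ in events}),
            "ports": dict(ports),
            "top_port": top[0] if top else None,   # (port, hits)
            "peak_per_window": peak}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A peak of one or two logged packets per minute, spread across many sources, is the pattern the replies describe; a flood of the kind the first reply contrasts it with would show a peak in the thousands.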