D-Link Modem Log - kernel intrusion ???

howardb

Hey all,

Was checking my D-Link ADSL modem logs when I got home to get some detail for OpenWeb re the speed issues; however, I see some strange entries as follows, with similar values but different IPs in the "SRC=" section. Never noticed these before:

kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=115.69.210.200 DST=197.87.102.117 LEN=48 TOS=0x18 PREC=0x00 TTL=103 ID=17063 DF PROTO=TCP SPT=3695 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0

I have no idea what these values mean; however, the first IP address on all the logged entries points to some random suspect country, and the second IP address is Mweb JHB, so I assume this is my current connection to them using my backup Mweb account.

Thoughts, ideas, comments welcome.
 
Does your line drop? Check this out

Thanks Rickster. Saw that post, however my modem/line doesn't drop at all, except when IS is buggering around. I've plugged in my backup D-link (new) and will check the logs again tomorrow.

There are about 15 of these entries during today at different times, each with a different "SRC=" IP address: Ukraine, Pakistan, Russia, São Paulo, etc. Haven't gone through all of them yet.

Just really weird.
 
Franna's post is accurate. And there is nothing to worry about - routers tend to run *nix and don't have WAN facing SMB (if any SMB at all for that matter).
 
Sorry about hijacking..
Basically my thread http://mybroadband.co.za/vb/showthread.php/604220-The-Old-Dlink-2500u



Still looking for the cause of the problem. If you do find anything please let me know.
 
I've got exactly the same! :wtf:

Apr 1 21:52:02 user alert kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=58.218.232.154 DST=105.229.204.247 LEN=60 TOS=0x10 PREC=0x00 TTL=43 ID=64877 DF PROTO=TCP SPT=33210 DPT=23 WINDOW=4380 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr 1 22:02:45 user alert kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=198.20.99.130 DST=105.229.204.247 LEN=40 TOS=0x10 PREC=0x00 TTL=113 ID=42861 PROTO=TCP SPT=35500 DPT=1911 WINDOW=17344 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr 1 22:10:17 user alert kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=80.82.70.117 DST=105.229.204.247 LEN=40 TOS=0x10 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=37264 DPT=21320 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
 
It's an iptables (Linux firewall) dump of a packet.

As others have said, someone is probably doing a port scan on your router.

In this case, probing port 445.

Edit: each item in the list corresponds to a header field within the packet, if you'd like to know.
 
I'm not worried about that kind of thing as I'm running Smoothwall.

The hackers can prod and poke until they're blue in the face, but they won't find any open ports.
 
Interesting info, thanks all. Got a few more last night.
Going to recheck the historic logs to see if there were prior entries.
Port 445 is blocked on my router and firewall, but will check others later.
 
Hi there, new here, was hoping you might be able to shed some light? I've recently been getting a lot of "intrusion detected" entries on my D-Link 2750U provided by Telkom. I know my machines are safe, but my issue is that every time I get one of these, my wireless drops. Any way to avoid this from happening, as it is getting really tedious to watch something and then have the wireless drop for 5 minutes?

thanking you in advance.
 
Franna's post is accurate. And there is nothing to worry about - routers tend to run *nix and don't have WAN facing SMB (if any SMB at all for that matter).

Yes, there is reason to worry if they find vulnerabilities on your router, which is a given since no software/firmware is perfect.
There are cases where the TCP headers are extracted/intercepted in bytes and then compiled. What these headers include may or may not include a password to your favourite porn site or your bank account. Rather make yourself invisible to the best of your capabilities.

I've been getting these EVERY few minutes for quite some time, though I make sure that all my ports are closed to remote access.

But if you want to cut the head off the snake, you can turn off ping requests from remote locations in your router's access control settings.

The settings are enabled by default for Telnet (port 23) and ICMP (Internet Control Message Protocol).
Turn them off so that outside sources cannot ping your router. Hackers are constantly port scanning, looking for vulnerabilities that your ISP cannot always protect you from.

Services
Allows access to the router via FTP, HTTP, ICMP, SNMP, SSH, TELNET, and TFTP.
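Franna's point that each token in an "Intrusion ->" line is a packet header field, and the later point about ICMP pings, can be checked by parsing the lines yourself. The script below is an added example, not code from the thread or from D-Link: it parses the iptables log format into fields, reads each record in plain language (which port, SYN or not, ping or not), and counts probes and distinct sources per port so you can tell a wide scan from one host hammering a single port. The first four sample lines are quoted from this thread; the ICMP line is constructed (TEST-NET-1 source address) and the service-name table is an assumption limited to the two IANA ports named in the thread.

```python
from collections import Counter

# Tokens without '=' in an iptables log line are boolean flags (IP DF/MF, TCP SYN/ACK...).
FLAG_WORDS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Well-known destination ports mentioned in the thread (IANA assignments).
SERVICE_NAMES = {"23": "telnet", "445": "microsoft-ds (SMB)"}

# Sample input: lines 1-4 are quoted from the thread (the dnsmasq line is unrelated
# noise); the last line is constructed to show a non-TCP (ping) probe.
SAMPLE_LOG = """\
kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=115.69.210.200 DST=197.87.102.117 LEN=48 TOS=0x18 PREC=0x00 TTL=103 ID=17063 DF PROTO=TCP SPT=3695 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:52:02 user alert kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=58.218.232.154 DST=105.229.204.247 LEN=60 TOS=0x10 PREC=0x00 TTL=43 ID=64877 DF PROTO=TCP SPT=33210 DPT=23 WINDOW=4380 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr 1 22:02:45 user alert kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=198.20.99.130 DST=105.229.204.247 LEN=40 TOS=0x10 PREC=0x00 TTL=113 ID=42861 PROTO=TCP SPT=35500 DPT=1911 WINDOW=17344 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr 2 06:02:50 daemon err dnsmasq[18393]: failed to load names from /etc/hosts: No such file or directory
Apr 2 06:05:00 user alert kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=192.0.2.10 DST=105.229.204.247 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
"""

def parse_line(line):
    """Return {field: value} for one 'Intrusion ->' line, or None for any other log line."""
    marker = "Intrusion -> "
    pos = line.find(marker)
    if pos < 0:
        return None
    rec = {}
    for tok in line[pos + len(marker):].split():
        if "=" in tok:
            key, val = tok.split("=", 1)     # 'OUT=' and 'MAC=' yield empty strings
            rec[key] = val
        elif tok in FLAG_WORDS:
            rec[tok] = True
    return rec

def describe(rec):
    """Plain-language reading of one record: what was probed, and was it a connect attempt."""
    if rec.get("PROTO") == "TCP":
        what = f"TCP/{rec['DPT']} ({SERVICE_NAMES.get(rec['DPT'], 'unassigned/ephemeral')})"
        kind = "SYN, i.e. a connection attempt" if rec.get("SYN") else "non-SYN segment"
    else:  # ICMP type 8 is an echo request (ping); anything else is named by protocol/type
        what = f"{rec.get('PROTO')} type {rec.get('TYPE', '-')}"
        kind = "echo request (ping)" if rec.get("TYPE") == "8" else "packet"
    return f"{rec['SRC']} -> {rec['DST']} {what}: {kind}, logged on {rec['IN']}"

def summarise(log_text):
    """Count inbound probes per (proto, port/type) and collect distinct sources per key."""
    counts, sources = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("OUT"):   # OUT set => forwarded, not aimed at the router
            continue
        key = (rec.get("PROTO"), rec.get("DPT", rec.get("TYPE", "-")))
        counts[key] += 1
        sources.setdefault(key, set()).add(rec["SRC"])
    return counts, sources
```

Run `summarise(SAMPLE_LOG)` over a real day's log and a key with one source and many hits is a single host retrying, while many sources on one port is the background internet scanning the thread describes.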
 