Deciphering ADSL modem logs

dudleygb

Anyone know what this blurb means, from my ADSL router/modem log?

Jan 5 21:36:01 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=196.210.226.40 DST=196.210.136.154 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=65195 DF PROTO=TCP SPT=4060 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Jan 5 21:36:04 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=196.210.226.40 DST=196.210.136.154 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=65196 DF PROTO=TCP SPT=4060 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Jan 5 21:38:53 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=61.139.52.124 DST=196.210.136.154 LEN=52 TOS=0x00 PREC=0x00 TTL=34 ID=53525 DF PROTO=TCP SPT=52254 DPT=23 WINDOW=49640 RES=0x00 SYN URGP=0
Jan 5 21:38:56 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=61.139.52.124 DST=196.210.136.154 LEN=52 TOS=0x00 PREC=0x00 TTL=34 ID=53526 DF PROTO=TCP SPT=52254 DPT=23 WINDOW=49640 RES=0x00 SYN URGP=0
Jan 5 22:17:55 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=196.26.208.168 DST=196.210.136.154 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=19438 PROTO=TCP SPT=37319 DPT=25 WINDOW=2048 RES=0x00 SYN URGP=0
 
Those IP addresses are trying to telnet to your modem (port 23). The last one was trying to connect to an SMTP port on your modem.

I trust your modem is configured not to allow management connections from the WAN/PPPOE port and only from your internal LAN.
 
So it's like a DoS attack on my modem? Sheesh. WTF.
For no reason at all, my modem's been acting strange for like the past week or so, losing connections etc. Wonder if this is what's causing it...

Yeah, just double-checked, no WAN management connections are enabled.
 
More like they are scanning for open ports. Easy enough to fix: just cycle your modem and get a new IP address.
 
If you want you can find out the owners of those IP blocks and log an abuse with them. Use Fixed Orbit to find them http://www.fixedorbit.com/search.htm

Just make sure you send them the logs and explain our timezone to them, maybe convert those times to GMT format.
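
The log format above, parsed and summarised with UTC timestamps for the kind of abuse report suggested here (an added example, not part of any post in this thread). It assumes the modem clock is on South African Standard Time (UTC+2) and that the year, which the log does not record, is supplied by the caller; the sample lines and their addresses are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

SAST = timezone(timedelta(hours=2))      # assumption: modem clock is on SAST (UTC+2)
PORT_NAMES = {23: "telnet", 25: "smtp"}  # the two destination ports seen in the thread
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?Intrusion -> (?P<rest>.*)$")

# Constructed sample in the thread's log format; addresses are RFC 5737
# documentation ranges, and the year is passed in by the caller.
SAMPLE = """\
Jan 5 21:36:01 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=192.0.2.40 DST=198.51.100.154 LEN=60 TTL=57 ID=65195 DF PROTO=TCP SPT=4060 DPT=23 WINDOW=5808 SYN URGP=0
Jan 5 21:36:04 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=192.0.2.40 DST=198.51.100.154 LEN=60 TTL=57 ID=65196 DF PROTO=TCP SPT=4060 DPT=23 WINDOW=5808 SYN URGP=0
Jan 5 22:17:55 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=203.0.113.168 DST=198.51.100.154 LEN=44 TTL=31 ID=19438 PROTO=TCP SPT=37319 DPT=25 WINDOW=2048 SYN URGP=0
"""

def parse_line(line, year, tz=SAST):
    """Return one dropped packet as a dict, or None if the line is not usable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, []
    for tok in m["rest"].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val      # KEY=value pairs (value may be empty, e.g. OUT=)
        else:
            flags.append(tok)      # bare tokens are flags: DF, SYN, ...
    if not {"SRC", "SPT", "DPT"} <= fields.keys():
        return None                # e.g. ICMP entries carry no ports
    local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return {"utc": local.astimezone(timezone.utc), "src": fields["SRC"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]), "flags": flags}

def summarize(text, year):
    """Group SYNs by (SRC, SPT, DPT): a repeat from the same source port a few
    seconds later is a TCP retransmission, not a second connection attempt."""
    attempts = {}
    for ev in (parse_line(l, year) for l in text.splitlines()):
        if ev is None or "SYN" not in ev["flags"]:
            continue
        a = attempts.setdefault((ev["src"], ev["spt"], ev["dpt"]), {"first_utc": ev["utc"], "packets": 0})
        a["packets"] += 1
    return attempts

def report(attempts):
    """One line per attempt, oldest first, with UTC times for an abuse report."""
    rows = sorted(attempts.items(), key=lambda kv: kv[1]["first_utc"])
    return [f"{a['first_utc']:%Y-%m-%d %H:%M:%S} UTC  {src} -> port {dpt}/{PORT_NAMES.get(dpt, '?')}  ({a['packets']} SYN)"
            for (src, spt, dpt), a in rows]
```

Calling `report(summarize(log_text, year))` on a saved log gives one line per source and port, with the paired entries three seconds apart collapsed into a single attempt.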
 
Are you possibly using something like DDNS to point at your PC?
 
Going to need to write a small piece of code that cycles my modem every hour or so, cause this could be what's causing my modem to bomb out all the time.

Hi guys, thanks for the info, cool, will give that Orbit software a try.

Not using anything but my modem, no DDNS, never set anything up like that.

My router's pretty old but I still reckon it should be able to protect me from outside attacks.
 