High bandwidth + Netgear Logs (Long post, pls help)

bees (Well-Known Member, joined Oct 23, 2004, 490 messages, Cape Town)
Wonder if anyone can help me shed some light on this.

Background: I've got a client that, AT RANDOM TIMES, uses up to 1GB of internet per day. I have installed Netlimiter on the PCs, removed PCs from the network, changed router passwords, changed ISP passwords + DSL secure, disabled wireless on their NetGear DG834GUK, etc. Some days it's fine (100-150MB), other days not (500-1500MB).

This weekend I logged into their PrePaid WebAfrica account and saw they used 500MB on Saturday. They don't work on Saturdays, and only the server is on. What is strange, though, is that it's EXACTLY 250MB received, 250MB sent (i.e. equal upload and download).

This morning I got a brainwave and checked the firewall rules on the Netgear itself. It was set to allow ALL incoming traffic and direct it to the server. I removed that, and also copied the LOG. [EDIT: I see now it was sent to the server's secondary network card, but I changed the infrastructure around so that it's only on one network card now, so that forward should have done nothing. Ignore.]

* Note that I removed the client's last two IP digits.

Sun, 2002-09-08 12:02:46 - PAP authentication success
Sun, 2002-09-08 12:02:56 - Send out NTP request to time-g.netgear.com
Mon, 2009-11-02 06:23:54 - Receive NTP Reply from time-g.netgear.com
Mon, 2009-11-02 06:25:02 - TCP Packet - Source:190.42.42.1,2666 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 06:25:03 - <DDNS>Update OK: good
Mon, 2009-11-02 06:25:49 - TCP Packet - Source:83.4.43.244,3949 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 06:26:44 - TCP Packet - Source:41.242.145.109,13601 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Mon, 2009-11-02 06:20:57 - Router start up
Mon, 2009-11-02 06:42:11 - ICMP Packet - Source:41.185.86.62 Destination:41.243.xx.xx - [Any(ALL) rule match]
Mon, 2009-11-02 06:42:27 - TCP Packet - Source:41.185.86.62,2487 Destination:41.243.xx.xx,8080 - [Any(ALL) rule match]
Mon, 2009-11-02 06:42:28 - ICMP Packet - Source:41.185.86.62 Destination:41.243.xx.xx - [Any(ALL) rule match]
Mon, 2009-11-02 06:47:45 - ICMP Packet - Source:41.243.38.212 Destination:41.243.xx.xx - [Any(ALL) rule match]
Mon, 2009-11-02 06:48:32 - ICMP Packet - Source:193.86.3.39 Destination:41.243.xx.xx - [Any(ALL) rule match]
Mon, 2009-11-02 06:48:44 - ICMP Packet - Source:41.243.38.212 Destination:41.243.xx.xx - [Any(ALL) rule match]
Mon, 2009-11-02 06:53:33 - TCP Packet - Source:41.243.58.206,1302 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 06:53:33 - TCP Packet - Source:41.243.58.206,1303 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 06:59:16 - TCP Packet - Source:41.243.227.48,31448 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 07:04:57 - TCP Packet - Source:208.126.55.93,12006 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 07:12:32 - TCP Packet - Source:75.175.126.51,2668 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 07:13:34 - TCP Packet - Source:151.32.37.226,4831 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 07:13:46 - TCP Packet - Source:59.93.241.231,2276 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 07:41:41 - TCP Packet - Source:41.243.159.30,3287 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 07:47:47 - TCP Packet - Source:41.243.159.30,3533 Destination:41.243.xx.xx,2967 - [Any(ALL) rule match]
Mon, 2009-11-02 07:53:16 - ICMP Packet - Source:41.243.30.179 Destination:41.243.xx.xx - [Any(ALL) rule match]
Mon, 2009-11-02 07:57:07 - TCP Packet - Source:41.243.159.30,3710 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 07:57:10 - TCP Packet - Source:41.243.159.30,3172 Destination:41.243.xx.xx,139 - [Any(ALL) rule match]
Mon, 2009-11-02 07:59:27 - TCP Packet - Source:41.243.159.30,3090 Destination:41.243.xx.xx,2967 - [Any(ALL) rule match]
Mon, 2009-11-02 08:17:43 - TCP Packet - Source:85.20.132.189,4944 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 08:21:05 - TCP Packet - Source:201.230.50.193,3197 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 08:23:18 - TCP Packet - Source:196.20.164.180,4027 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 08:29:35 - TCP Packet - Source:41.243.142.206,4629 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 08:29:38 - TCP Packet - Source:41.243.142.206,3113 Destination:41.243.xx.xx,139 - [Any(ALL) rule match]
Mon, 2009-11-02 08:29:42 - TCP Packet - Source:41.243.234.71,28343 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 08:29:42 - TCP Packet - Source:41.243.234.71,28344 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 08:32:25 - TCP Packet - Source:196.205.169.242,2620 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 08:33:15 - TCP Packet - Source:66.222.115.227,2970 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 08:58:40 - TCP Packet - Source:41.243.234.71,23500 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 09:02:27 - TCP Packet - Source:41.243.220.252,4290 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 09:03:04 - TCP Packet - Source:190.40.120.204,3357 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 09:07:45 - TCP Packet - Source:41.243.142.206,3344 Destination:41.243.xx.xx,2967 - [Any(ALL) rule match]
Mon, 2009-11-02 09:08:37 - TCP Packet - Source:201.230.82.154,3506 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 09:11:54 - TCP Packet - Source:41.243.90.57,1919 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Mon, 2009-11-02 09:14:49 - TCP Packet - Source:41.243.142.206,3902 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 09:20:17 - TCP Packet - Source:41.196.92.230,4636 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 09:20:22 - Administrator login successful - IP:192.168.0.1
Mon, 2009-11-02 13:33:57 - Administrator login successful - IP:192.168.0.1
Mon, 2009-11-02 13:44:12 - Administrator login successful - IP:165.145.xxx.xxx(ME)

Question: Does any of that in the log look suspicious? I use LogMeIn to connect to their server, so that might explain some of the entries in the log? [EDIT: I cleared the log and logged in via LogMeIn; nothing was logged, so I assume it's not LogMeIn?]

Is it possible that someone / something used their router as a relay of some sort? And what do all these entries in the log mean? Can I check where these come from, and what the ports are used for?

Tx.
 
Why do you need to allow Windows traffic at all? (135 & 445) -- also, telnet (23) is highly unlikely to be necessary. Are you sure there's no spambot running on the LAN?
 
It might be that the router has been compromised.

If you want better logging, then you'll need to use a dedicated firewall, such as Smoothwall. This will enable you to block all outgoing traffic (and incoming as well) unless specified otherwise.

Check for proxy services on the other PCs - it might be that somebody has set up a nice proxy server for their own use.

And good luck.
 
> Why do you need to allow Windows traffic at all? (135 & 445) -- also, telnet (23) is highly unlikely to be necessary. Are you sure there's no spambot running on the LAN?

It's not! The only thing that is set up now is SNMP and SNMP traps, as I installed PRTG Traffic Grapher this morning to help with this whole debacle, and had to create inbound and outbound rules.

Is it possible that someone Telnets into the router and opens up those ports? If I changed the router password, can they still Telnet in!?

How would I check for spambots?
 
> It might be that the router has been compromised.
>
> If you want better logging, then you'll need to use a dedicated firewall, such as Smoothwall. This will enable you to block all outgoing traffic (and incoming as well) unless specified otherwise.
>
> Check for proxy services on the other PCs - it might be that somebody has set up a nice proxy server for their own use.
>
> And good luck.

I have tried Smoothwall before, without success. Should maybe give it a go again. I wanted it specifically for reporting purposes (User ABC at IP 192.168.0.123 used 10MB today, 50MB last week and 250MB last month - that type of thing), but couldn't get it working...
 
The fact that you reported identical usage on up/downloads gives me reason to believe that a proxy server has been installed on one of the PCs, which means you have to view all of them as compromised.

As for the Smoothwall installation, it's best to start with small steps. Get the basics working, then work your way up.

And do visit the forums if you're stuck, there's always somebody willing to help :)
 
Thanks for the responses TheLib.

Can't I disable Telnetting into the router from the WAN side? I've tried Telnetting into the router now, by going to cmd, telnet, and "o 41.243.xx.xx", but it says "Could not open connection to the host, on port 23: Connect failed". There's nothing in the log either? Even after enabling debug mode?

Smallaxe has me worried now that I see 135 and 443 are / were open, and that they became open just after port 23 (telnet) got logged.

Pls help!
 
bees, I know you said that you removed the Inbound rules, but you should ensure that your Inbound firewall is enabled and set to block all incoming traffic, not just ALL except HTTP.
Also disable UPnP.

The majority of your entries in the log were inbound Windows shares (135 & 445) to PCs inside your network and Telnet (23) connections to the router (probably hacking attempts).
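The two questions the thread keeps circling back to are what the log entries mean (which ports, which services) and whether anything stands out among the sources, for instance the ones inside the client's own ISP range. The script below is an added example written for this thread; it is not code from the original posts, from Netgear or from any of the tools mentioned. It parses the DG834G log format quoted above, counts hits per destination port with the usual service names, and flags sources inside an assumed ISP block (41.243.0.0/16 is an assumption taken from the poster's remark about 41.243.x.x, not a verified WebAfrica allocation). The sample lines are copied from the log posted earlier in the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Sample input: a handful of lines in the Netgear DG834G log format quoted in
# this thread (the owner's own address is masked as 41.243.xx.xx as in the post).
SAMPLE_LOG = """\
Mon, 2009-11-02 06:25:02 - TCP Packet - Source:190.42.42.1,2666 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Mon, 2009-11-02 06:25:03 - <DDNS>Update OK: good
Mon, 2009-11-02 06:26:44 - TCP Packet - Source:41.242.145.109,13601 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Mon, 2009-11-02 06:42:11 - ICMP Packet - Source:41.185.86.62 Destination:41.243.xx.xx - [Any(ALL) rule match]
Mon, 2009-11-02 06:53:33 - TCP Packet - Source:41.243.58.206,1302 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 06:53:33 - TCP Packet - Source:41.243.58.206,1303 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Mon, 2009-11-02 07:57:10 - TCP Packet - Source:41.243.159.30,3172 Destination:41.243.xx.xx,139 - [Any(ALL) rule match]
Mon, 2009-11-02 07:59:27 - TCP Packet - Source:41.243.159.30,3090 Destination:41.243.xx.xx,2967 - [Any(ALL) rule match]
Mon, 2009-11-02 09:20:22 - Administrator login successful - IP:192.168.0.1
"""

# Well-known service names for the destination ports that appear in the thread.
PORT_NAMES = {
    23: "telnet (router admin)",
    80: "http",
    135: "msrpc (Windows RPC endpoint mapper)",
    139: "netbios-ssn (Windows file sharing)",
    445: "microsoft-ds (SMB file sharing)",
    1433: "ms-sql-s (SQL Server)",
    2967: "symantec-av (Symantec AntiVirus agent)",
    3128: "squid-http (proxy)",
    8080: "http-alt (proxy / alternate web)",
}

# One "Packet" line: timestamp, protocol, source[,port], destination[,port], rule.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP|ICMP) Packet - "
    r"Source:(?P<src>[\d.]+)(?:,(?P<sport>\d+))? "
    r"Destination:(?P<dst>[\d.x]+)(?:,(?P<dport>\d+))? - "
    r"\[(?P<rule>[^\]]+)\]$"
)


def parse_packet_lines(text):
    """Yield one dict per 'Packet' line; NTP, DDNS and login lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        yield rec


def summarise(text, isp_net="41.243.0.0/16"):
    """Count logged inbound hits per destination port and per source address, and
    collect the sources that fall inside the client's own ISP block (assumed /16)."""
    isp = ip_network(isp_net)
    by_port = Counter()
    by_source = Counter()
    same_isp = set()
    for rec in parse_packet_lines(text):
        key = "icmp" if rec["proto"] == "ICMP" else rec["dport"]
        by_port[key] += 1
        by_source[rec["src"]] += 1
        if ip_address(rec["src"]) in isp:
            same_isp.add(rec["src"])
    return {"by_port": by_port, "by_source": by_source, "same_isp": sorted(same_isp)}


def describe_port(port):
    """Human-readable label for a destination port or the 'icmp' pseudo-port."""
    if port == "icmp":
        return "icmp (ping / probe)"
    return PORT_NAMES.get(port, "unregistered / unknown")


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("Hits per destination port (a rule match is the firewall logging the packet, not proof it got through):")
    for port, n in s["by_port"].most_common():
        print(f"  {str(port):>5}  {n:3d}  {describe_port(port)}")
    print("Repeat sources:", [src for src, n in s["by_source"].items() if n > 1])
    print("Sources inside the client's own ISP block:", s["same_isp"])
```

Run it against the full router log (paste the text into `SAMPLE_LOG` or read a file) and the port table answers "what are the ports used for": 23 is the router's own telnet admin, 135/139/445 are Windows RPC and file sharing, 2967 is the Symantec AntiVirus agent port, 3128 and 8080 are the usual proxy ports. Repeat sources that cycle through 445, 139 and 2967 within minutes are the typical pattern of an automated scanner, and grouping them by ISP block shows how many of them sit on the same provider as the client. With a block-all inbound rule in place, an "[Any(ALL) rule match]" entry records a packet that matched the block rule and was logged, so the list is a record of attempts, not of successful connections.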
 
Thanks Pada,

I have blocked everything, but it seems like it's still allowing stuff to come through?

Tue, 2009-11-03 06:55:37 - TCP Packet - Source:190.40.209.224,4870 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]

Where can I see where that IP comes from / who it belongs to?

Have disabled UPnP now as well.

The router is using DDNS so that I don't have to LogMeIn into their server to access the router - should I disable that?
 
Here's more! Quite a few entries come from within the WebAfrica network (41.243.x.x), including the Telnet sessions - WHAT THE HELL!? Can someone PLEASE help me explain this...

Also, I don't know how this Any(ALL) rule comes in there - I have blocked everything (with logs).

Tue, 2009-11-03 11:38:39 - TCP Packet - Source:41.243.115.84,18515 Destination:41.243.xx.xx,2967 - [Any(ALL) rule match]
Tue, 2009-11-03 11:50:06 - TCP Packet - Source:41.243.26.168,3687 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 11:54:50 - TCP Packet - Source:89.204.16.215,3741 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 11:57:24 - TCP Packet - Source:41.233.5.246,4624 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 11:57:56 - TCP Packet - Source:41.243.115.84,4408 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 12:23:34 - TCP Packet - Source:221.233.125.188,6000 Destination:41.243.xx.xx,1433 - [Any(ALL) rule match]
Tue, 2009-11-03 12:29:29 - TCP Packet - Source:41.242.234.68,23200 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Tue, 2009-11-03 12:30:43 - TCP Packet - Source:84.77.7.40,2930 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 12:30:53 - TCP Packet - Source:41.243.158.167,3296 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 12:30:56 - TCP Packet - Source:41.243.158.167,3604 Destination:41.243.xx.xx,139 - [Any(ALL) rule match]
Tue, 2009-11-03 12:35:27 - TCP Packet - Source:41.243.158.167,3775 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Tue, 2009-11-03 12:38:16 - TCP Packet - Source:79.3.251.148,3364 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 12:52:16 - TCP Packet - Source:41.243.123.45,52743 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Tue, 2009-11-03 12:54:08 - TCP Packet - Source:41.243.158.167,3289 Destination:41.243.xx.xx,2967 - [Any(ALL) rule match]
Tue, 2009-11-03 13:02:58 - TCP Packet - Source:41.243.158.167,3285 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 13:03:01 - TCP Packet - Source:41.243.158.167,3800 Destination:41.243.xx.xx,139 - [Any(ALL) rule match]
Tue, 2009-11-03 13:08:58 - TCP Packet - Source:41.243.158.167,3176 Destination:41.243.xx.xx,2967 - [Any(ALL) rule match]
Tue, 2009-11-03 13:14:20 - ICMP Packet - Source:41.243.10.176 Destination:41.243.xx.xx - [Any(ALL) rule match]
Tue, 2009-11-03 13:17:15 - TCP Packet - Source:118.161.246.110,2222 Destination:41.243.xx.xx,3128 - [Any(ALL) rule match]
Tue, 2009-11-03 13:20:22 - TCP Packet - Source:85.175.55.39,2268 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 13:20:26 - TCP Packet - Source:59.94.244.223,2443 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 13:20:28 - TCP Packet - Source:151.32.180.227,4560 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 13:35:09 - TCP Packet - Source:41.243.158.167,3973 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 13:35:12 - TCP Packet - Source:41.243.158.167,4085 Destination:41.243.xx.xx,139 - [Any(ALL) rule match]
Tue, 2009-11-03 13:44:19 - ICMP Packet - Source:41.243.54.86 Destination:41.243.xx.xx - [Any(ALL) rule match]
Tue, 2009-11-03 13:46:14 - TCP Packet - Source:41.243.212.164,28482 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 13:52:22 - TCP Packet - Source:41.243.218.197,8176 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 13:55:22 - TCP Packet - Source:41.243.218.197,16109 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 13:57:45 - TCP Packet - Source:41.243.218.197,22329 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:11:28 - TCP Packet - Source:41.243.228.48,29664 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:16:30 - TCP Packet - Source:41.243.228.48,40186 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:21:08 - TCP Packet - Source:41.243.218.197,20841 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:22:28 - TCP Packet - Source:41.243.123.45,29240 Destination:41.243.xx.xx,2967 - [Any(ALL) rule match]
Tue, 2009-11-03 14:24:16 - TCP Packet - Source:121.12.175.194,6000 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Tue, 2009-11-03 14:25:11 - TCP Packet - Source:190.232.42.160,3070 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 14:25:55 - TCP Packet - Source:41.243.26.168,4799 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 14:26:12 - TCP Packet - Source:41.243.218.197,2738 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Tue, 2009-11-03 14:27:06 - TCP Packet - Source:41.243.158.167,4537 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:27:37 - TCP Packet - Source:41.237.8.252,12956 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:32:32 - TCP Packet - Source:151.32.246.69,4802 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 14:33:22 - TCP Packet - Source:41.243.158.167,3235 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:33:23 - TCP Packet - Source:41.243.235.93,40211 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:33:35 - TCP Packet - Source:89.217.85.255,3808 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 14:34:55 - TCP Packet - Source:59.94.181.108,3911 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 14:36:43 - TCP Packet - Source:41.243.158.167,3801 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:38:46 - TCP Packet - Source:41.243.158.167,4458 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:38:49 - TCP Packet - Source:41.243.158.167,4179 Destination:41.243.xx.xx,139 - [Any(ALL) rule match]
Tue, 2009-11-03 14:41:22 - TCP Packet - Source:201.240.161.130,4057 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 14:42:42 - TCP Packet - Source:41.243.218.197,14839 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Tue, 2009-11-03 14:44:45 - TCP Packet - Source:118.161.246.110,2469 Destination:41.243.xx.xx,3128 - [Any(ALL) rule match]
Tue, 2009-11-03 14:48:23 - TCP Packet - Source:190.40.104.236,2882 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 14:54:38 - TCP Packet - Source:41.243.218.197,15068 Destination:41.243.xx.xx,2967 - [Any(ALL) rule match]
Tue, 2009-11-03 14:56:41 - TCP Packet - Source:41.243.53.85,9959 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:56:41 - TCP Packet - Source:41.243.53.85,9968 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 14:57:56 - TCP Packet - Source:41.243.53.85,14680 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 15:02:30 - TCP Packet - Source:41.243.123.45,4994 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 15:02:33 - TCP Packet - Source:41.243.123.45,4994 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 15:04:00 - TCP Packet - Source:41.243.228.48,16557 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 15:04:03 - TCP Packet - Source:41.243.228.48,16590 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 15:05:08 - TCP Packet - Source:201.240.174.88,2196 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 15:11:53 - TCP Packet - Source:41.243.158.167,3235 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 15:14:00 - TCP Packet - Source:201.230.105.81,4594 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 15:17:54 - TCP Packet - Source:151.56.190.85,3144 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 15:21:14 - TCP Packet - Source:41.243.158.167,4270 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 15:31:33 - TCP Packet - Source:41.236.235.38,1761 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 15:35:51 - TCP Packet - Source:61.160.212.242,23 Destination:41.243.xx.xx,80 - [Any(ALL) rule match]
Tue, 2009-11-03 15:37:01 - TCP Packet - Source:41.243.218.197,2236 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Tue, 2009-11-03 15:39:05 - TCP Packet - Source:41.202.9.102,39525 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Tue, 2009-11-03 15:42:46 - ICMP Packet - Source:41.243.28.205 Destination:41.243.xx.xx - [Any(ALL) rule match]
Tue, 2009-11-03 15:47:55 - TCP Packet - Source:41.243.158.167,4894 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 15:51:23 - TCP Packet - Source:41.243.218.197,9405 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 15:55:38 - TCP Packet - Source:201.240.124.32,2988 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 15:59:49 - TCP Packet - Source:41.243.218.197,32072 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 16:02:24 - TCP Packet - Source:41.243.218.197,7417 Destination:41.243.xx.xx,135 - [Any(ALL) rule match]
Tue, 2009-11-03 16:02:39 - TCP Packet - Source:41.243.225.225,20011 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 16:02:39 - TCP Packet - Source:41.243.225.225,20012 Destination:41.243.xx.xx,445 - [Any(ALL) rule match]
Tue, 2009-11-03 16:07:34 - TCP Packet - Source:189.58.61.87,4316 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 16:08:24 - TCP Packet - Source:80.32.49.99,3913 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
Tue, 2009-11-03 16:11:49 - TCP Packet - Source:41.243.123.45,57410 Destination:41.243.xx.xx,2967 - [Any(ALL) rule match]
Tue, 2009-11-03 16:14:24 - TCP Packet - Source:189.26.83.14,3184 Destination:41.243.xx.xx,23 - [Any(ALL) rule match]
 
Phoned WebAfrica now - not willing to help.

They can't see who 41.243.115.84, 41.243.26.168 or 41.243.158.167 are. They just keep telling me that there is only one connection to their line port on their client code.

:(
 
I have updated the logs with more entries. Can no one tell me what is going on? Would it help if I installed another router at the client? Which router would you recommend?
 
Make sure that you didn't enable DMZ.

Btw, can you edit the default Inbound Firewall rule? Or did you just add a new one which must block & log all the incoming connections?
 
> Make sure that you didn't enable DMZ.
>
> Btw, can you edit the default Inbound Firewall rule? Or did you just add a new one which must block & log all the incoming connections?


DMZ is disabled.

Nope, can't edit it. I have created a BLOCK ALL rule on Inbound Services with logging.

I only realise this now - those rule matches don't actually mean they got in, do they? Just that it matched the rule to block the connection and logged it?

Damnit - wish I knew more about these things....
 
My guess is that it logs it even if it blocks the connection.

Have you looked at your usage reports yet?
 
Usage seems normal again, but what bothers me is that it's fine for a while, then goes balls to the wall within a day.

They're on prepaid, so I'm just buying them 1GB at a time, so if they get compromised again, it's *only* 1GB down the drain...

Thanks for the help so far, Pada - will keep this thread updated if I find something.
 