Intrusion message in my ADSL router logs

Andrew van Zyl

New Member
Joined
Feb 29, 2016
Messages
3
Hi all
Newbie here...I saw a few of the below messages in my D-Link 2750U log.

What does it mean? Do I need to be alarmed? Do I need to do anything in the settings?

kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=121.165.68.9 DST=XXX.XXX.XXX.100 LEN=40 TOS=0x10 PREC=0x00 TTL=37 ID=26844 PROTO=TCP SPT=30816 DPT=23 WINDOW=27248 RES=0x00 SYN URGP=0 MARK=0x8000000

kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=122.170.25.136 DST=XXX.XXX.XXX.100 LEN=40 TOS=0x10 PREC=0x00 TTL=55 ID=535 PROTO=TCP SPT=36946 DPT=23 WINDOW=32832 RES=0x00 SYN URGP=0 MARK=0x8000000

kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC=14.223.94.117 DST=XXX.XXX.XXX.100 LEN=40 TOS=0x10 PREC=0x00 TTL=47 ID=14307 PROTO=TCP SPT=12275 DPT=23 WINDOW=57154 RES=0x00 SYN URGP=0 MARK=0x8000000

Thanks!
 

access

Honorary Master
Joined
Mar 17, 2009
Messages
13,703
It looks like something tried to connect to you on port 23 and was stopped.
 

Gnome

Executive Member
Joined
Sep 19, 2005
Messages
7,208
People will scan ports on your router all the time.

E.g., just looking at my logs:
Oct 30 20:37:01 , FTTH, FROM: 42.115.33.239:27807 -> 196.22.xxx.xx:23

So literally a few minutes ago someone already tried to access my router on 23.
My case may be slightly worse because I own a domain that points at my IP, but generally speaking the internet is a scary place.

As long as WAN router access is blocked (including Telnet, FTP, SSH, etc.) and you don't forward any ports into your network, it is safe to assume the only data travelling on your network is the kind that you initiate.
To gain access, someone would need to rely on you to open a port/initiate the connection. Which means malware or such would be needed.
 

ActivateD

Expert Member
Joined
Jun 7, 2004
Messages
1,720
I think the Mirai malware scans port 23. Just as long as you do not have telnet internet facing and with a default password you should be fine.
 

agentrfr

Executive Member
Joined
Jul 8, 2008
Messages
5,303
Prolly someone port scanning you in a long list of IPs. I wouldn't worry about it, not much you can do about it. You should disable WAN ping responses too, and don't mess with port forwarding unless you know what you are doing. And don't be that guy that DMZs everything to his/her main home PC.
 

Necropolis

Executive Member
Joined
Feb 26, 2007
Messages
8,401
Most likely someone's script was running to see if port 23 on your IP address is accessible (via NAT or whatever).

I'm sure your router's FW declines all incoming connections by default - so nothing to worry about.
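
Added example, not part of the thread: a Python sketch that parses log lines in the `kernel: Intrusion ->` format quoted in the first post and counts bare-SYN connection attempts per destination port, listing the distinct sources. The sample lines are constructed with documentation-range addresses, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the first post
# (documentation-range addresses, not real hosts).
_T = ("kernel: Intrusion -> IN=ppp0.1 OUT= MAC= SRC={src} DST=198.51.100.100 LEN=40 "
      "TOS=0x10 PREC=0x00 TTL=47 ID=535 PROTO=TCP SPT=36946 DPT={dpt} WINDOW=32832 "
      "RES=0x00 {flags} URGP=0 MARK=0x8000000")
SAMPLE_LOG = "\n".join([
    _T.format(src="203.0.113.9", dpt=23, flags="SYN"),
    _T.format(src="203.0.113.136", dpt=23, flags="SYN"),
    _T.format(src="192.0.2.117", dpt=23, flags="SYN"),
    _T.format(src="192.0.2.117", dpt=22, flags="SYN"),
    _T.format(src="192.0.2.50", dpt=443, flags="ACK FIN"),  # not a new connection
    "kernel: ppp0.1 link up",                               # unrelated log line
])

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

def parse_line(line):
    """Split one 'Intrusion ->' line into KEY=value fields plus bare TCP flags."""
    if "Intrusion ->" not in line:
        return None
    body = line.split("Intrusion ->", 1)[1]
    rec = dict(FIELD.findall(body))          # empty values (OUT=, MAC=) become ""
    rec["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return rec

def summarise(log_text):
    """Count bare-SYN attempts per destination port and collect their sources."""
    hits, sources, forwarded = Counter(), {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or rec["FLAGS"] != {"SYN"}:
            continue
        port = int(rec["DPT"])
        hits[port] += 1
        sources.setdefault(port, set()).add(rec["SRC"])
        if rec.get("OUT"):                   # an output interface was logged:
            forwarded.append(rec)            # worth checking port-forward/DMZ rules
    return hits, sources, forwarded

if __name__ == "__main__":
    hits, sources, forwarded = summarise(SAMPLE_LOG)
    for port, n in hits.most_common():
        print(f"port {port}: {n} SYN attempts from {len(sources[port])} sources")
    print(f"entries with a non-empty OUT= interface: {len(forwarded)}")
```

Many single attempts on port 23 from unrelated sources, all with an empty `OUT=`, match the scanning the replies describe.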
 