Someone's trying to break into my router

wikus

Senior Member
Joined
Feb 24, 2008
Messages
822
I am seeing the following logs in my router:

Jan 1 00:11:03 user alert kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=85.159.233.111 DST=41.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=60370 DF PROTO=TCP SPT=46773 DPT=48983 WINDOW=5840 RES=0x00 SYN URGP=0

Jan 1 00:11:03 user alert kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=85.159.233.111 DST=41.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=60371 DF PROTO=TCP SPT=46773 DPT=48983 WINDOW=5840 RES=0x00 SYN URGP=0

Jan 1 00:11:03 user alert kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=85.159.233.111 DST=41.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=60372 DF PROTO=TCP SPT=46773 DPT=48983 WINDOW=5840 RES=0x00 SYN URGP=0

Jan 1 00:11:03 user alert kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=85.159.233.111 DST=41.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=60373 DF PROTO=TCP SPT=46773 DPT=48983 WINDOW=5840 RES=0x00 SYN URGP=0

Jan 1 00:11:03 user alert kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=98.225.114.212 DST=41.*.*.* LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=32330 DF PROTO=TCP SPT=4095 DPT=48983 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 1 00:12:03 user alert kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=71.252.208.230 DST=41.*.*.* LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=53315 DF PROTO=TCP SPT=51816 DPT=48983 WINDOW=65535 RES=0x00 SYN URGP=0

Is someone or something trying to break into my router or PC?

Every so often my router kind of freezes for exactly 15 seconds and no traffic goes in or out, e.g. it starts at 20:06:00 and ends at 20:06:15.
 

Tsimo

Well-Known Member
Joined
Jan 20, 2006
Messages
353
Could be bounced packets if you are using torrent apps.
 

Tsimo

Well-Known Member
Joined
Jan 20, 2006
Messages
353
Compare the source IPs to hosts that you are currently connected to via uTorrent.
 

Tsimo

Well-Known Member
Joined
Jan 20, 2006
Messages
353
Could be that your router is getting flooded with data. As it has to filter all the traffic, it may not be able to keep up. I can be wrong but it seems likely.
If you stop uTorrent, does the router still freeze?
 

wikus

Senior Member
Joined
Feb 24, 2008
Messages
822
> Could be that your router is getting flooded with data. As it has to filter all the traffic, it may not be able to keep up. I can be wrong but it seems likely.
> If you stop uTorrent, does the router still freeze?

I will have to check.

But I suspect it could be the cause, as there were nearly 40 peers on the one last torrent my PC's busy with.
Now that there are only 14 peers it's not freezing anymore.
 

nakedpeanut

Expert Member
Joined
Dec 18, 2009
Messages
3,522
> I will have to check.
>
> But I suspect it could be the cause, as there were nearly 40 peers on the one last torrent my PC's busy with.
> Now that there are only 14 peers it's not freezing anymore.

Out of curiosity, are you using either PeerBlocker or PeerGuardian?
And are your uTorrent connection settings correct?
Maybe allowing more connections than your connection can handle?
 

quovadis

Honorary Master
Joined
Sep 10, 2004
Messages
11,029
It's inbound requests for files for which your IP appears in a torrent tracker somewhere. It'll happen regardless of whether your Torrent Application is open or closed until such a time as your issued IP is removed from the tracker.
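
The torrent explanation given in the replies above can be checked against the log itself. The following is an added example, not part of any post in this thread: it parses the router's `Intrusion ->` lines and separates drops aimed at the torrent client's listening port from everything else. `listen_port` and `known_peers` are assumed inputs (the port configured in the client and the addresses from its peer list), and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the router's log format (documentation-range addresses).
SAMPLE = """\
Jan 1 00:11:03 user alert kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TTL=51 ID=60370 DF PROTO=TCP SPT=46773 DPT=48983 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 1 00:11:03 user alert kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TTL=51 ID=60371 DF PROTO=TCP SPT=46773 DPT=48983 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 1 00:11:04 user alert kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.1 LEN=48 TTL=114 ID=32330 DF PROTO=TCP SPT=4095 DPT=48983 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 1 00:12:10 user alert kernel: Intrusion -> IN=ppp_0_8_35_1 OUT= MAC= SRC=203.0.113.50 DST=192.0.2.1 LEN=60 TTL=49 ID=1201 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

PREFIX = re.compile(r"kernel: Intrusion -> (.*)$")

def parse_line(line):
    """Split one firewall log line into KEY=VALUE fields plus bare flags (DF, SYN)."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group(1).split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val      # empty values such as OUT= are kept as ""
        else:
            flags.add(tok)         # tokens without "=" are header/TCP flags
    fields["FLAGS"] = flags
    return fields

def triage(lines, listen_port, known_peers):
    """Separate drops aimed at the torrent listen port from all other drops."""
    to_listen, other = Counter(), []
    for line in lines:
        f = parse_line(line)
        if f is None or "SRC" not in f:
            continue
        if f.get("DPT") == str(listen_port):
            to_listen[f["SRC"]] += 1
        else:
            # Anything not aimed at the listen port deserves a separate look.
            other.append((f["SRC"], f.get("PROTO"), f.get("DPT")))
    return {
        "listen_port_hits": dict(to_listen),
        "known_peers": sorted(set(to_listen) & set(known_peers)),
        "other": other,
    }
```

Entries left in `other` are the ones the torrent explanation does not account for.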
 

nakedpeanut

Expert Member
Joined
Dec 18, 2009
Messages
3,522
Ya, I've seen it often. After a torrent I turn my PC off. Nothing connected to the router!
And the internet light keeps flashing (showing traffic) to the router... Goes on for a while.
 

wikus

Senior Member
Joined
Feb 24, 2008
Messages
822
> Out of curiosity, are you using either PeerBlocker or PeerGuardian?
> And are your uTorrent connection settings correct?
> Maybe allowing more connections than your connection can handle?

No, I don't use either of these.
I checked my settings and it was set to 2mbps, whereas my line is 384kb.

I corrected the settings, will see what it does now.
 

dabbler

Expert Member
Joined
Apr 15, 2006
Messages
3,512
This stuff goes on all day long. Bugs me.
Code:
Apr  4 07:00:01 kubuntu1004 sshd[11563]: Failed password for invalid user kinder from 71.232.57.194 port 59142 ssh2
Apr  4 07:00:05 kubuntu1004 sshd[11566]: Failed password for invalid user kinder from 71.232.57.194 port 59377 ssh2
Apr  4 07:00:11 kubuntu1004 sshd[11569]: Failed password for invalid user abilenki from 71.232.57.194 port 59633 ssh2
Apr  4 07:00:15 kubuntu1004 sshd[11572]: Failed password for invalid user abilenki from 71.232.57.194 port 59922 ssh2
Apr  4 07:00:20 kubuntu1004 sshd[11575]: Failed password for invalid user abilenki from 71.232.57.194 port 60182 ssh2
Apr  4 07:00:24 kubuntu1004 sshd[11577]: Failed password for invalid user bcampion from 71.232.57.194 port 60456 ssh2
Apr  4 07:00:28 kubuntu1004 sshd[11580]: Failed password for invalid user bcampion from 71.232.57.194 port 60698 ssh2
Apr  4 07:00:33 kubuntu1004 sshd[11583]: Failed password for invalid user bcampion from 71.232.57.194 port 60984 ssh2
Apr  4 07:00:38 kubuntu1004 sshd[11586]: Failed password for invalid user burrelli from 71.232.57.194 port 33035 ssh2
Apr  4 07:00:42 kubuntu1004 sshd[11589]: Failed password for invalid user burrelli from 71.232.57.194 port 33291 ssh2
Apr  4 07:00:47 kubuntu1004 sshd[11592]: Failed password for invalid user burrelli from 71.232.57.194 port 33544 ssh2
Apr  4 07:00:52 kubuntu1004 sshd[11595]: Failed password for invalid user cheryl from 71.232.57.194 port 33849 ssh2
Apr  4 07:00:57 kubuntu1004 sshd[11598]: Failed password for invalid user cheryl from 71.232.57.194 port 34129 ssh2
Apr  4 07:01:01 kubuntu1004 sshd[11601]: Failed password for invalid user cheryl from 71.232.57.194 port 34399 ssh2
Apr  4 07:01:07 kubuntu1004 sshd[11604]: Failed password for invalid user crichard from 71.232.57.194 port 34652 ssh2
Apr  4 07:01:12 kubuntu1004 sshd[11607]: Failed password for invalid user crichard from 71.232.57.194 port 34979 ssh2
Apr  4 07:01:16 kubuntu1004 sshd[11610]: Failed password for invalid user crichard from 71.232.57.194 port 35270 ssh2
Apr  4 07:01:21 kubuntu1004 sshd[11613]: Failed password for invalid user dkauffman from 71.232.57.194 port 35524 ssh2
Apr  4 07:01:25 kubuntu1004 sshd[11616]: Failed password for invalid user dkauffman from 71.232.57.194 port 35798 ssh2
Apr  4 07:01:30 kubuntu1004 sshd[11618]: Failed password for invalid user dkauffman from 71.232.57.194 port 36025 ssh2
Apr  4 07:01:35 kubuntu1004 sshd[11622]: Failed password for invalid user jmartin from 71.232.57.194 port 36335 ssh2
Apr  4 07:01:39 kubuntu1004 sshd[11625]: Failed password for invalid user jmartin from 71.232.57.194 port 36637 ssh2
Apr  4 07:01:44 kubuntu1004 sshd[11627]: Failed password for invalid user jmartin from 71.232.57.194 port 36892 ssh2
Apr  4 07:01:48 kubuntu1004 sshd[11630]: Failed password for invalid user linda from 71.232.57.194 port 37147 ssh2
Apr  4 07:01:54 kubuntu1004 sshd[11633]: Failed password for invalid user linda from 71.232.57.194 port 37432 ssh2
Apr  4 07:01:59 kubuntu1004 sshd[11636]: Failed password for invalid user linda from 71.232.57.194 port 37737 ssh2
Apr  4 07:02:03 kubuntu1004 sshd[11639]: Failed password for invalid user atir from 71.232.57.194 port 38020 ssh2
Apr  4 07:02:07 kubuntu1004 sshd[11642]: Failed password for invalid user atir from 71.232.57.194 port 38245 ssh2
Apr  4 07:02:12 kubuntu1004 sshd[11645]: Failed password for invalid user atir from 71.232.57.194 port 38536 ssh2
Apr  4 07:02:17 kubuntu1004 sshd[11648]: Failed password for invalid user tir from 71.232.57.194 port 38819 ssh2
Apr  4 07:02:22 kubuntu1004 sshd[11651]: Failed password for invalid user tir from 71.232.57.194 port 39124 ssh2
Apr  4 07:02:25 kubuntu1004 sshd[11654]: Failed password for invalid user tir from 71.232.57.194 port 39376 ssh2
Apr  4 07:02:30 kubuntu1004 sshd[11657]: Failed password for invalid user bayonne from 71.232.57.194 port 39602 ssh2
Apr  4 07:02:35 kubuntu1004 sshd[11660]: Failed password for invalid user bayonne from 71.232.57.194 port 39886 ssh2
Apr  4 07:02:40 kubuntu1004 sshd[11663]: Failed password for invalid user bayonne from 71.232.57.194 port 40162 ssh2
Apr  4 07:02:44 kubuntu1004 sshd[11666]: Failed password for invalid user press from 71.232.57.194 port 40461 ssh2
Apr  4 07:02:48 kubuntu1004 sshd[11668]: Failed password for invalid user press from 71.232.57.194 port 40690 ssh2
Apr  4 07:02:53 kubuntu1004 sshd[11671]: Failed password for invalid user press from 71.232.57.194 port 40928 ssh2
Apr  4 07:02:57 kubuntu1004 sshd[11674]: Failed password for invalid user nishiyama from 71.232.57.194 port 41204 ssh2
Apr  4 07:03:01 kubuntu1004 sshd[11677]: Failed password for invalid user nishiyama from 71.232.57.194 port 41429 ssh2
Apr  4 07:03:06 kubuntu1004 sshd[11680]: Failed password for invalid user nishiyama from 71.232.57.194 port 41685 ssh2
Apr  4 07:03:11 kubuntu1004 sshd[11683]: Failed password for invalid user fluffy from 71.232.57.194 port 41968 ssh2
Apr  4 07:03:16 kubuntu1004 sshd[11686]: Failed password for invalid user fluffy from 71.232.57.194 port 42247 ssh2
Apr  4 07:03:20 kubuntu1004 sshd[11689]: Failed password for invalid user fluffy from 71.232.57.194 port 42530 ssh2
Apr  4 07:03:24 kubuntu1004 sshd[11692]: Failed password for invalid user library from 71.232.57.194 port 42795 ssh2
Apr  4 07:03:29 kubuntu1004 sshd[11694]: Failed password for invalid user library from 71.232.57.194 port 43043 ssh2
Apr  4 07:03:33 kubuntu1004 sshd[11697]: Failed password for invalid user library from 71.232.57.194 port 43323 ssh2
Apr  4 07:03:38 kubuntu1004 sshd[11700]: Failed password for invalid user linux from 71.232.57.194 port 43583 ssh2
Apr  4 07:03:42 kubuntu1004 sshd[11703]: Failed password for invalid user linux from 71.232.57.194 port 43830 ssh2
Apr  4 07:03:47 kubuntu1004 sshd[11706]: Failed password for invalid user linux from 71.232.57.194 port 44093 ssh2
Apr  4 07:03:51 kubuntu1004 sshd[11709]: Failed password for invalid user unix from 71.232.57.194 port 44347 ssh2
Apr  4 07:03:55 kubuntu1004 sshd[11712]: Failed password for invalid user unix from 71.232.57.194 port 44589 ssh2
Apr  4 07:03:59 kubuntu1004 sshd[11715]: Failed password for invalid user unix from 71.232.57.194 port 44359 ssh2
Apr  4 07:04:04 kubuntu1004 sshd[11717]: Failed password for invalid user word from 71.232.57.194 port 44599 ssh2
Apr  4 07:04:08 kubuntu1004 sshd[11720]: Failed password for invalid user word from 71.232.57.194 port 44875 ssh2
Apr  4 07:04:12 kubuntu1004 sshd[11723]: Failed password for invalid user word from 71.232.57.194 port 45132 ssh2
Apr  4 07:04:17 kubuntu1004 sshd[11726]: Failed password for invalid user username from 71.232.57.194 port 45374 ssh2
Apr  4 07:04:21 kubuntu1004 sshd[11729]: Failed password for invalid user username from 71.232.57.194 port 45627 ssh2
Apr  4 07:04:25 kubuntu1004 sshd[11732]: Failed password for invalid user username from 71.232.57.194 port 45871 ssh2
Apr  4 07:04:29 kubuntu1004 sshd[11735]: Failed password for invalid user sharon from 71.232.57.194 port 46122 ssh2
Apr  4 07:04:34 kubuntu1004 sshd[11737]: Failed password for invalid user sharon from 71.232.57.194 port 46363 ssh2
Apr  4 07:04:38 kubuntu1004 sshd[11740]: Failed password for invalid user sharon from 71.232.57.194 port 46620 ssh2
Apr  4 07:04:42 kubuntu1004 sshd[11743]: Failed password for invalid user httpd from 71.232.57.194 port 46884 ssh2
Apr  4 07:04:47 kubuntu1004 sshd[11746]: Failed password for invalid user httpd from 71.232.57.194 port 47131 ssh2
Apr  4 07:04:51 kubuntu1004 sshd[11749]: Failed password for invalid user httpd from 71.232.57.194 port 47414 ssh2
Apr  4 07:04:56 kubuntu1004 sshd[11752]: Failed password for invalid user mikael from 71.232.57.194 port 47656 ssh2

And that's a small bit of it!!!
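
A log like the one quoted above can be summarised per source address instead of being read line by line. The following is an added example, not part of the original post: it flags any source with at least `max_fail` failed SSH passwords inside a sliding time window and reports which usernames were tried. The thresholds, the `year` parameter (syslog timestamps carry no year) and the sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd "Failed password" lines for both valid and invalid users.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (invalid user )?(\S+) from (\S+) port \d+")

# Constructed sample in the same auth-log format (documentation-range addresses).
SAMPLE = """\
Apr  4 07:00:01 host1 sshd[101]: Failed password for invalid user alice from 198.51.100.23 port 59142 ssh2
Apr  4 07:00:05 host1 sshd[102]: Failed password for invalid user alice from 198.51.100.23 port 59377 ssh2
Apr  4 07:00:11 host1 sshd[103]: Failed password for invalid user bob from 198.51.100.23 port 59633 ssh2
Apr  4 07:00:15 host1 sshd[104]: Failed password for root from 198.51.100.23 port 59922 ssh2
Apr  4 07:03:00 host1 sshd[105]: Failed password for carol from 203.0.113.8 port 40100 ssh2
Apr  4 09:30:00 host1 sshd[106]: Accepted password for carol from 203.0.113.8 port 40222 ssh2
"""

def guessing_sources(lines, year=2024, max_fail=3, window=timedelta(minutes=1)):
    """Return {ip: stats} for sources with >= max_fail failures inside `window`."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "flagged": False})
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other messages are skipped
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(4)
        s, q = stats[ip], recent[ip]
        s["failures"] += 1
        s["users"].add(m.group(3))
        q.append(ts)
        while ts - q[0] > window: # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= max_fail:
            s["flagged"] = True
    return {ip: s for ip, s in stats.items() if s["flagged"]}
```

A single mistyped password, like the constructed `carol` entry, stays below the threshold and is not reported.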
 

Tsimo

Well-Known Member
Joined
Jan 20, 2006
Messages
353
I would block that IP on your router. It's def trying to log in to your PC.
 

wikus

Senior Member
Joined
Feb 24, 2008
Messages
822
When I download an FTP file now, there are no more disconnects and no such entries in the log.

Could it be the tracker that has some sort of timeout or could it be the tracker that is updating?
 

Tsimo

Well-Known Member
Joined
Jan 20, 2006
Messages
353
Yeah. Most likely it's a torrent tracker that is trying to update its seeders/peers. I would just ignore those when you are using uTorrent.
 

syntax

Executive Member
Joined
May 16, 2008
Messages
8,655
> I would block that IP on your router. It's def trying to log in to your PC.

Blocking a single IP is kind of useless; just block SSH access from external in. In fact, block all access from external in, including management access on the router.
 