View Full Version : Firewall logs



dave859
12-10-2010, 07:15 PM
Since using my spider9000 with my Belkin router I've been getting very weird firewall logs building up inside the router, including port scans and also "Intrusion detected" from certain IP addresses. When I reset the router to get a new IP, all logs are clear for days using PCs, but within 10 minutes of the spiderbox connecting my security logs start filling up.

john.dat
12-10-2010, 07:59 PM
Since using my spider9000 with my Belkin router I've been getting very weird firewall logs building up inside the router, including port scans and also "Intrusion detected" from certain IP addresses. When I reset the router to get a new IP, all logs are clear for days using PCs, but within 10 minutes of the spiderbox connecting my security logs start filling up.

I think those logs were always there, or you have changed something on your PC (a program more likely) that's talking to home, maybe checking for updates or something.

Your router will log attempts for traffic to get in, but if it's a NAT-type router with firewall, nothing should get through - NOT even your SBox data, as it's NOT heading for your PC, it's heading for your SBox. The router is like a brick wall with your PC on the inside and your SBox on the outside; the same applies to the Internet, which is also on the outside of the wall. So check any recently installed programs for calling home and run a security program to check for trojans or a virus (or even a tracking cookie).

dave859
12-10-2010, 08:07 PM
Thanks, I will have a look.

Giga
13-10-2010, 09:06 AM
When you clear the router logs in the router and you have new router logs, check what home IP addresses are appearing in the logs. They should be in the same range as your router IP address: the first 3 sets should be the same: ###.###.###.
The last 3 digits would identify each device in your home network: ###.###.###.###
Example:
192.168.123.: home IP range
192.168.123.001 or 192.168.123.254: probably your router or gateway
192.168.123.002 to 192.168.123.253: computers, STB, ...
Compare each device's IP address against the log in your router and it should tell you which device has the mentioned in/out traffic.

dave859
13-10-2010, 10:43 AM
I reset the router and used all PCs in the house under a new IP address for 4 hours with a clear firewall log; at 11pm I added the spiderbox to the router and it now reads:

Oct 12 23:09:23 kernel: Intrusion detected from 92.115.140.137. Source port is 1119, and destination port is 445 which use the TCP protocol.

Oct 12 23:09:26 kernel: Intrusion detected from 92.115.140.137. Source port is 1119, and destination port is 445 which use the TCP protocol.

Oct 12 23:19:37 kernel: Intrusion detected from 92.25.77.140. Source port is 61759, and destination port is 445 which use the TCP protocol.

Oct 12 23:19:38 kernel: Intrusion detected from 92.25.77.140. Source port is 61760, and destination port is 135 which use the TCP protocol.

Oct 13 00:25:39 kernel: Intrusion detected from 77.36.97.76. Source port is 12650, and destination port is 445 which use the TCP protocol.

Oct 13 00:25:42 kernel: Intrusion detected from 77.36.97.76. Source port is 12650, and destination port is 445 which use the TCP protocol.

Oct 13 00:41:34 kernel: Intrusion detected from 88.74.85.32. Source port is 2302, and destination port is 445 which use the TCP protocol.

Oct 13 00:41:37 kernel: Intrusion detected from 88.74.85.32. Source port is 2302, and destination port is 445 which use the TCP protocol.

Oct 13 00:52:32 kernel: Intrusion detected from 200.148.120.43. Source port is 4509, and destination port is 445 which use the TCP protocol.

Oct 13 00:52:35 kernel: Intrusion detected from 200.148.120.43. Source port is 4509, and destination port is 445 which use the TCP protocol.

Oct 13 00:54:56 kernel: Intrusion detected from 59.180.146.7. Source port is 2948, and destination port is 23 which use the TCP protocol.

Oct 13 01:01:47 kernel: Intrusion detected from 189.59.153.173. Source port is 58784, and destination port is 445 which use the TCP protocol.

Oct 13 01:32:58 kernel: Intrusion detected from 200.158.41.141. Source port is 3604, and destination port is 445 which use the TCP protocol.

Oct 13 01:33:01 kernel: Intrusion detected from 200.158.41.141. Source port is 3604, and destination port is 445 which use the TCP protocol.

Oct 13 01:35:15 kernel: Intrusion detected from 182.1.203.105. Source port is 30716, and destination port is 445 which use the TCP protocol.

Oct 13 01:36:06 kernel: Intrusion detected from 109.170.8.29. Source port is 3458, and destination port is 445 which use the TCP protocol.

Oct 13 02:43:22 kernel: Intrusion detected from 82.56.10.213. Source port is 1502, and destination port is 445 which use the TCP protocol.

Oct 13 02:43:25 kernel: Intrusion detected from 82.56.10.213. Source port is 1502, and destination port is 445 which use the TCP protocol.

Oct 13 02:49:53 kernel: Intrusion detected from 112.201.153.142. Source port is 2577, and destination port is 445 which use the TCP protocol.

Oct 13 02:49:55 kernel: Intrusion detected from 112.201.153.142. Source port is 2577, and destination port is 445 which use the TCP protocol.

Oct 13 02:50:40 kernel: Intrusion detected from 118.167.184.205. Source port is 3200, and destination port is 445 which use the TCP protocol.

Oct 13 02:54:42 kernel: Intrusion detected from 189.127.110.88. Source port is 3331, and destination port is 445 which use the TCP protocol.

Oct 13 03:09:37 kernel: Intrusion detected from 61.150.91.89. Source port is 6000, and destination port is 4899 which use the TCP protocol.

Oct 13 03:17:40 kernel: Intrusion detected from 61.231.74.253. Source port is 1656, and destination port is 445 which use the TCP protocol.

Oct 13 03:48:44 kernel: Intrusion detected from 222.73.218.113. Source port is 6000, and destination port is 1433 which use the TCP protocol.

Oct 13 04:15:02 kernel: Intrusion detected from 222.73.218.113. Source port is 6000, and destination port is 1433 which use the TCP protocol.

Oct 13 04:46:19 kernel: Intrusion detected from 117.196.227.75. Source port is 3879, and destination port is 445 which use the TCP protocol.

Oct 13 04:46:22 kernel: Intrusion detected from 117.196.227.75. Source port is 3879, and destination port is 445 which use the TCP protocol.

Oct 13 04:58:12 kernel: Intrusion detected from 112.200.148.23. Source port is 1920, and destination port is 445 which use the TCP protocol.

Oct 13 04:58:15 kernel: Intrusion detected from 112.200.148.23. Source port is 1920, and destination port is 445 which use the TCP protocol.

Oct 13 05:07:47 kernel: Intrusion detected from 222.73.218.113. Source port is 6000, and destination port is 1433 which use the TCP protocol.

Oct 13 05:13:53 kernel: Intrusion detected from 119.93.12.140. Source port is 3485, and destination port is 445 which use the TCP protocol.

Oct 13 05:13:56 kernel: Intrusion detected from 119.93.12.140. Source port is 3485, and destination port is 445 which use the TCP protocol.

Oct 13 05:34:03 kernel: Intrusion detected from 95.26.71.20. Source port is 4797, and destination port is 445 which use the TCP protocol.

Oct 13 05:34:06 kernel: Intrusion detected from 95.26.71.20. Source port is 4797, and destination port is 445 which use the TCP protocol.

Oct 13 05:55:18 kernel: Intrusion detected from 213.34.193.106. Source port is 3807, and destination port is 445 which use the TCP protocol.

Oct 13 05:55:21 kernel: Intrusion detected from 213.34.193.106. Source port is 3807, and destination port is 445 which use the TCP protocol.

Oct 13 06:00:39 kernel: Intrusion detected from 217.12.112.177. Source port is 3388, and destination port is 445 which use the TCP protocol.

Oct 13 06:26:51 kernel: Intrusion detected from 64.65.93.45. Source port is 2991, and destination port is 445 which use the TCP protocol.

Oct 13 06:26:54 kernel: Intrusion detected from 64.65.93.45. Source port is 2991, and destination port is 445 which use the TCP protocol.

Oct 13 06:28:05 kernel: Intrusion detected from 187.13.19.200. Source port is 4780, and destination port is 445 which use the TCP protocol.

Oct 13 06:37:04 kernel: Intrusion detected from 190.42.217.209. Source port is 2992, and destination port is 23 which use the TCP protocol.

Oct 13 07:00:35 kernel: Intrusion detected from 190.125.214.187. Source port is 1767, and destination port is 445 which use the TCP protocol.

Oct 13 07:00:38 kernel: Intrusion detected from 190.125.214.187. Source port is 1767, and destination port is 445 which use the TCP protocol.

Oct 13 07:09:51 kernel: Intrusion detected from 186.10.96.135. Source port is 3454, and destination port is 445 which use the TCP protocol.

Oct 13 07:20:28 kernel: Intrusion detected from 125.27.228.163. Source port is 2988, and destination port is 445 which use the TCP protocol.

Oct 13 07:34:17 kernel: Intrusion detected from 96.24.25.30. Source port is 1127, and destination port is 445 which use the TCP protocol.

Oct 13 07:44:12 kernel: Intrusion detected from 190.50.151.67. Source port is 2928, and destination port is 445 which use the TCP protocol.

Oct 13 07:52:42 kernel: Intrusion detected from 147.64.125.73. Source port is 2594, and destination port is 445 which use the TCP protocol.

Oct 13 08:08:04 kernel: Intrusion detected from 124.237.121.52. Source port is 6000, and destination port is 3128 which use the TCP protocol.

Oct 13 08:16:07 kernel: Intrusion detected from 82.178.22.117. Source port is 1330, and destination port is 445 which use the TCP protocol.

Oct 13 08:25:21 kernel: Intrusion detected from 114.39.78.35. Source port is 4019, and destination port is 445 which use the TCP protocol.

Oct 13 08:39:59 kernel: Intrusion detected from 59.116.4.167. Source port is 1279, and destination port is 445 which use the TCP protocol.

Oct 13 08:40:02 kernel: Intrusion detected from 59.116.4.167. Source port is 1279, and destination port is 445 which use the TCP protocol.

Oct 13 08:46:34 kernel: Intrusion detected from 210.4.118.12. Source port is 27056, and destination port is 445 which use the TCP protocol.

Oct 13 09:01:09 kernel: Intrusion detected from 190.166.200.150. Source port is 53481, and destination port is 445 which use the TCP protocol.

Oct 13 09:08:58 kernel: Intrusion detected from 114.37.165.179. Source port is 3335, and destination port is 445 which use the TCP protocol.

Oct 13 09:17:52 kernel: Intrusion detected from 194.121.138.44. Source port is 2806, and destination port is 445 which use the TCP protocol.

Oct 13 09:31:17 kernel: Intrusion detected from 92.25.150.215. Source port is 59109, and destination port is 445 which use the TCP protocol.

Oct 13 09:37:57 kernel: Intrusion detected from 216.16.251.20. Source port is 2327, and destination port is 445 which use the TCP protocol.

Oct 13 09:48:36 kernel: Intrusion detected from 78.39.62.24. Source port is 4005, and destination port is 445 which use the TCP protocol.

Oct 13 09:58:53 kernel: Intrusion detected from 114.32.1.87. Source port is 4247, and destination port is 445 which use the TCP protocol.

Oct 13 10:06:57 kernel: Intrusion detected from 122.255.31.210. Source port is 43654, and destination port is 25 which use the TCP protocol.

Oct 13 10:24:46 kernel: Intrusion detected from 219.255.132.105. Source port is 45356, and destination port is 22 which use the TCP protocol.

Oct 13 10:26:23 kernel: Intrusion detected from 92.25.150.215. Source port is 50323, and destination port is 135 which use the TCP protocol.
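
As an added example (not code from anyone in this thread), here is a small Python triage script that applies Giga's home-range check to Belkin-style "Intrusion detected" lines and summarizes what is left by destination port. It assumes the home range from Giga's example (192.168.123.0/24, an assumption; dave859's actual range is not stated) and that two identical entries from the same source port a few seconds apart are one retried connection rather than two attempts (also an assumption about how the router logs). The sample lines are copied from the log above, plus one constructed LAN entry so the classification path is exercised.

```python
"""Triage helper for "Intrusion detected" router log lines.

Added example, not code from the thread. It separates sources that are inside
the home /24 (Giga's first-three-octets check) from Internet sources, merges
the close-together repeats that look like a retried TCP SYN (assumption), and
counts the remaining external attempts per destination port.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) kernel: Intrusion detected from "
    r"(?P<src>[\d.]+)\. Source port is (?P<sport>\d+), and destination port is "
    r"(?P<dport>\d+) which use the (?P<proto>\w+) protocol\.$"
)

# Well-known services behind the destination ports that appear in the thread.
PORT_NAMES = {
    22: "ssh", 23: "telnet", 25: "smtp", 135: "msrpc", 445: "microsoft-ds (SMB)",
    1433: "ms-sql", 3128: "http proxy", 4899: "radmin",
}

# First eight lines copied from the thread; the last one is CONSTRUCTED to show a
# source that falls inside the assumed home range.
SAMPLE_LINES = [
    "Oct 12 23:09:23 kernel: Intrusion detected from 92.115.140.137. Source port is 1119, and destination port is 445 which use the TCP protocol.",
    "Oct 12 23:09:26 kernel: Intrusion detected from 92.115.140.137. Source port is 1119, and destination port is 445 which use the TCP protocol.",
    "Oct 12 23:19:37 kernel: Intrusion detected from 92.25.77.140. Source port is 61759, and destination port is 445 which use the TCP protocol.",
    "Oct 12 23:19:38 kernel: Intrusion detected from 92.25.77.140. Source port is 61760, and destination port is 135 which use the TCP protocol.",
    "Oct 13 00:54:56 kernel: Intrusion detected from 59.180.146.7. Source port is 2948, and destination port is 23 which use the TCP protocol.",
    "Oct 13 03:48:44 kernel: Intrusion detected from 222.73.218.113. Source port is 6000, and destination port is 1433 which use the TCP protocol.",
    "Oct 13 04:15:02 kernel: Intrusion detected from 222.73.218.113. Source port is 6000, and destination port is 1433 which use the TCP protocol.",
    "Oct 13 10:24:46 kernel: Intrusion detected from 219.255.132.105. Source port is 45356, and destination port is 22 which use the TCP protocol.",
    "Oct 13 10:30:00 kernel: Intrusion detected from 192.168.123.7. Source port is 4444, and destination port is 445 which use the TCP protocol.",
]


def parse_line(line, year=2010):
    """Return a dict for one log line, or None if the line is not in this format.
    The log carries no year, so the caller supplies it (2010 from the thread)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dport": int(m["dport"]), "proto": m["proto"]}


def is_home_address(addr, home_prefix):
    """Giga's check: does the address share the router's first three octets (/24)?"""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(home_prefix)


def collapse_retries(events, window_seconds=5):
    """Merge entries with the same (src, sport, dport) that recur within a few
    seconds; a second identical hit 3 s after the first is consistent with a TCP
    SYN retransmission (assumption), so count it as one attempt with hits=2."""
    kept, last = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["sport"], e["dport"])
        idx = last.get(key)
        if idx is not None and (e["ts"] - kept[idx]["ts"]).total_seconds() <= window_seconds:
            kept[idx]["hits"] += 1
            continue
        kept.append({**e, "hits": 1})
        last[key] = len(kept) - 1
    return kept


def summarize(lines, home_prefix="192.168.123.0/24"):
    """Parse, collapse retries, split home vs Internet sources, count by port.
    home_prefix defaults to the range in Giga's example (assumption)."""
    events = [e for e in map(parse_line, lines) if e]
    attempts = collapse_retries(events)
    home = [a for a in attempts if is_home_address(a["src"], home_prefix)]
    external = [a for a in attempts if not is_home_address(a["src"], home_prefix)]
    by_port = Counter(a["dport"] for a in external)
    return {
        "raw_lines": len(events),
        "attempts": len(attempts),
        "home_sources": sorted({a["src"] for a in home}),
        "external_sources": len({a["src"] for a in external}),
        "by_port": {p: (PORT_NAMES.get(p, "?"), n) for p, n in by_port.most_common()},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(f"{report['raw_lines']} lines -> {report['attempts']} attempts")
    print("sources inside the home range:", report["home_sources"] or "none")
    print("distinct Internet sources:", report["external_sources"])
    for port, (name, count) in report["by_port"].items():
        print(f"  tcp/{port:<5} {name:<20} {count}")
```

Run against the full log in this thread, `home_sources` is what Giga asked for: any address there names a device on the LAN that the router logged. Every address in the posted log is an Internet address, and the ports it shows (445, 135, 23, 1433, 22, 25, 3128, 4899) are the ones that worms and scanners probe continuously, which is what john.dat means by "nothing unusual". The `hits` count on each merged attempt is what distinguishes a retried SYN from a second, separate connection attempt.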

john.dat
13-10-2010, 12:10 PM
OK, 2 things:

1. I didn't know you had other PCs sharing the router.

2. Those IP addresses are from all over the world, e.g. London, Brazil, Philippines, India etc. - maybe nothing unusual, depends on how your router firewall works, and doesn't mean to say they are getting past your firewall into your PC.

Are you using anything odd that's attached to your router?

Are you using 'Port Forwarding' or any special rules you set up in your router?

So I would:

1. Have your PC only connected for 1-2 hours and post the log without you using the PC

2. Then add the Spider and post the log

3. Every 1-2 hours, attach another device (PC)

This way we can possibly narrow down what's causing it, if anything.

john.dat
13-10-2010, 02:35 PM
Also check with 'Shields UP' here:

https://www.grc.com/x/ne.dll?bh0bkyd2

From this page, scroll down to the bottom and press Proceed.

The other tests you can select are shown after the above.

So see how secure your system really is - mine is 'Stealth'.