
Linksys router log


9 replies to this topic

#1 tos226


Posted 27 October 2004 - 08:25 PM

Grinler, thank you for answering my previous post about the Linksys logs. I will continue reading the materials you provided on this site, but a little bit of extra explanation would be nice when I can relate it to what I see.

I saved the router log after a few typical activities. I can see the websites I called. On the incoming side I understand Toshiba, but then next to it is tracking something or other, which Ad-Aware and Spybot normally detect.
The part I'd like to understand is how this all relates to what the firewall is doing beyond the router, as well as the (to me) rather confusing incoming side - from 151... to 151... I read someplace that this sort of log can detect holes, but I wouldn't know how to read this.

Regarding outgoing, what's this passport images about? I just went into the MS knowledge base, no MSN, nothing like that. Tracking range online media is not something I go to, neither is akamai, nor webtrendslive. Is Toshiba pushing this down? The rest of the outgoing I understand.

I see no way to attach files, so I'm pasting text, and hope this is ok. I also hope this log isn't opening up any serious holes.

INCOMING.LOG
Date Time Src Src_Port Dest Dest_Port
10/27/2004 20:21:31 TCP from 151.197.202.187:3653 to xxx.xxx.xxx.xxx:445
10/27/2004 20:21:50 TCP from 151.197.194.237:3273 to xxx.xxx.xxx.xxx:2745
10/27/2004 20:21:58 TCP from 68.162.107.135:3277 to xxx.xxx.xxx.xxx:445
10/27/2004 20:22:00 TCP from 151.197.194.237:3273 to xxx.xxx.xxx.xxx:2745
10/27/2004 20:22:01 TCP from 68.162.107.135:3277 to xxx.xxx.xxx.xxx:445
10/27/2004 20:22:14 TCP from 151.197.245.114:2906 to xxx.xxx.xxx.xxx:445
10/27/2004 20:22:16 TCP from 151.197.191.251:3857 to xxx.xxx.xxx.xxx:445
10/27/2004 20:22:17 TCP from 151.197.207.44:3083 to xxx.xxx.xxx.xxx:445
10/27/2004 20:22:19 TCP from 151.197.191.251:3857 to xxx.xxx.xxx.xxx:445
10/27/2004 20:22:20 TCP from 151.197.207.44:3083 to xxx.xxx.xxx.xxx:445
10/27/2004 20:22:58 TCP from 151.197.202.187:1942 to xxx.xxx.xxx.xxx:445
...
10/27/2004 20:34:32 TCP from 151.197.7.147:4084 to xxx.xxx.xx.xx:445
10/27/2004 20:35:21 TCP from 151.197.226.250:2692 to xxx.xxx.xx.xx:445
10/27/2004 20:35:57 TCP from 200.103.133.87:4129 to xxx.xxx.xx.xx:445
10/27/2004 20:36:17 TCP from 151.197.217.235:2543 to xxx.xxx.xx.xx:445
10/27/2004 20:36:47 TCP from 151.197.252.244:4639 to xxx.xxx.xx.xx:445
10/27/2004 20:37:18 TCP from 151.197.42.79:3218 to xxx.xxx.xx.xx:445
10/27/2004 20:38:39 TCP from 151.197.224.210:3618 to xxx.xxx.xx.xx:445
10/27/2004 20:39:28 TCP from 151.197.207.44:2485 to xxx.xxx.xx.xx:445
10/27/2004 20:40:01 TCP from 201.254.105.198:4236 to xxx.xxx.xx.xx:445
10/27/2004 20:41:27 TCP from 151.197.202.187:1541 to xxx.xxx.xx.xx:445
10/27/2004 20:42:09 TCP from 151.197.193.239:1797 to xxx.xxx.xx.xx:445
10/27/2004 20:42:36 TCP from 213.196.225.48:4569 to xxx.xxx.xx.xx:445
10/27/2004 20:43:45 TCP from 151.197.181.185:4273 to xxx.xxx.xx.xx:445
10/27/2004 20:44:19 TCP from 151.197.127.39:3793 to xxx.xxx.xx.xx:445
10/27/2004 20:44:27 TCP from 151.197.224.210:4581 to xxx.xxx.xx.xx:445


OUTGOING
Date Time Src Src_Port Dest Dest_Port
10/27/2004 20:19:21 TCP from 192.168.1.100:1030 to supportcenter.verizon.net(206.46.187.54):80
10/27/2004 20:20:18 TCP from 192.168.1.100:1037 to www.toshibapc.com(216.23.181.206):80
10/27/2004 20:23:52 TCP from 192.168.1.100:1040 to supportcenter.verizon.net(206.46.187.54):80
10/27/2004 20:23:52 TCP from 192.168.1.100:1041 to toshibadirect.com(216.23.181.216):80
10/27/2004 20:23:56 TCP from 192.168.1.100:1048 to crs.akamai.com(65.161.97.137):80
10/27/2004 20:23:56 TCP from 192.168.1.100:1049 to statse.webtrendslive.com(63.236.111.50):80
10/27/2004 20:23:56 TCP from 192.168.1.100:1051 to tracking.rangeonlinemedia.com(66.179.100.233):80
10/27/2004 20:23:56 TCP from 192.168.1.100:1052 to statse.webtrendslive.com(63.236.111.50):80
10/27/2004 20:24:05 TCP from 192.168.1.100:1056 to www.bleepingcomputer.com(216.213.19.27):80
10/27/2004 20:24:06 TCP from 192.168.1.100:1069 to 216.239.41.104:80
10/27/2004 20:24:06 TCP from 192.168.1.100:1070 to www.bleepingcomputer.com(216.213.19.27):80
...
10/27/2004 20:34:35 TCP from 192.168.1.100:1243 to www.nytimes.com(199.239.137.200):80
10/27/2004 20:34:35 TCP from 192.168.1.100:1244 to 65.161.97.136:80
10/27/2004 20:35:25 TCP from 192.168.1.100:1248 to incoming.verizon.net(206.46.170.10):110
10/27/2004 20:35:28 TCP from 192.168.1.100:1250 to toshibadirect.com(216.23.181.216):80
10/27/2004 20:35:31 TCP from 192.168.1.100:1257 to crs.akamai.com(65.161.97.137):80
10/27/2004 20:35:31 TCP from 192.168.1.100:1258 to statse.webtrendslive.com(63.236.111.50):80
10/27/2004 20:35:31 TCP from 192.168.1.100:1260 to tracking.rangeonlinemedia.com(66.179.100.233):80
10/27/2004 20:35:31 TCP from 192.168.1.100:1261 to statse.webtrendslive.com(63.236.111.50):80
10/27/2004 20:36:32 TCP from 192.168.1.100:1269 to support.microsoft.com(207.46.248.248):80
10/27/2004 20:36:34 TCP from 192.168.1.100:1272 to www.passportimages.com(65.54.131.192):80
10/27/2004 20:36:35 TCP from 192.168.1.100:1273 to c.microsoft.com(207.46.157.156):80
10/27/2004 20:42:18 TCP from 192.168.1.100:1278 to support.microsoft.com(207.46.248.248):80
10/27/2004 20:42:19 TCP from 192.168.1.100:1279 to search.microsoft.com(207.46.250.107):80
10/27/2004 20:42:20 TCP from 192.168.1.100:1282 to rad.microsoft.com(207.68.178.238):80
10/27/2004 20:42:20 TCP from 192.168.1.100:1283 to c.microsoft.com(207.46.157.156):80
10/27/2004 20:42:22 TCP from 192.168.1.100:1277 to support.microsoft.com(207.46.248.248):80
10/27/2004 20:42:37 TCP from 192.168.1.100:1287 to c.microsoft.com(207.46.157.156):80
10/27/2004 20:43:00 TCP from 192.168.1.100:1288 to www.google.com(216.239.41.104):80


Edited to retain privacy of user - Grinler

Edited by Grinler, 29 October 2004 - 11:32 PM.




#2 tos226


Posted 27 October 2004 - 09:54 PM

I thought I'd add this since it looks curious. This is INCOMING, while I'm minding my own business with no requests (that I know of) to the web. Is it correct to say that, from the materials here or Google, IP numbers such as 218... 70... 62 and other non-151 ones can be interpreted into specific web places?

10/27/2004 22:16:46 TCP from 151.197.118.41:2103 to xxx.xxx.xxx.xxx:445
10/27/2004 22:16:56 TCP from 218.168.48.161:3304 to xxx.xxx.xxx.xxx:445
10/27/2004 22:18:00 TCP from 141.151.76.139:3621 to xxx.xxx.xxx.xxx:445
10/27/2004 22:18:54 TCP from 70.57.224.197:3497 to xxx.xxx.xxx.xxx:445
10/27/2004 22:19:14 TCP from 208.60.252.1:3299 to xxx.xxx.xxx.xxx:445
10/27/2004 22:19:34 TCP from 151.197.206.105:3234 to xxx.xxx.xxx.xxx:445
10/27/2004 22:21:37 TCP from 62.57.122.72:3314 to xxx.xxx.xxx.xxx:445
10/27/2004 22:21:49 TCP from 151.197.49.19:3498 to xxx.xxx.xxx.xxx:445
10/27/2004 22:22:11 TCP from 82.64.88.47:1153 to xxx.xxx.xxx.xxx:445

The 151 number has to do with sending email. It's odd to see it here since Outlook is closed.
I just need a few clues to interpreting this stuff and, if anything looks fishy, what to do. I have a firewall besides the router and am not really sure what to fill in where, other than a few sites that went into the trusted zone.
Thanks in advance.

Removed ip address to retain users privacy - Grinler

Edited by Grinler, 29 October 2004 - 11:27 AM.


#3 Grinler

    Lawrence Abrams (Admin)

Posted 29 October 2004 - 10:34 AM

Well here is the bad news :thumbsup:

I am assuming that the IP address assigned to your router is xxx.xxx.xxx.xxx. The log shows that computers are trying to access your machine remotely from the following addresses, among others:

151.197.202.187
151.197.194.237
68.162.107.135
151.197.245.114

These computers are most likely infected with a worm that is trying to exploit a Windows vulnerability on your computer in order to spread itself.

The good news is your Linksys is blocking these attempts.


Let's take a look at the logs so I can explain what they mean.

INCOMING.LOG
Date Time Src Src_Port Dest Dest_Port
10/27/2004 20:21:31 TCP from 151.197.202.187:3653 to xxx.xxx.xxx.xxx:445


This entry means that on 10/27/04 at 8:21 pm a computer at IP address 151.197.202.187, using its port 3653, attempted to connect to your router (thinking it's a PC), which is IP address xxx.xxx.xxx.xxx, on port 445, which is Microsoft's Server Message Block port used for Windows networking and file sharing.



Now let's look at the outgoing log:

OUTGOING
Date Time Src Src_Port Dest Dest_Port
10/27/2004 20:19:21 TCP from 192.168.1.100:1030 to supportcenter.verizon.net(206.46.187.54):80


This shows that on 10/27/04 at 8:19 pm you used TCP to connect from your internal PC, using the IP address 192.168.1.100 on port 1030 (these ports are chosen randomly when making outgoing requests), to the server 206.46.187.54 on port 80. Port 80 is the port used by web servers, so we know that you were visiting the web site on that server.


The standard services you may use, and the ports those services use, are:

Web Port 80
Sending Mail Port 25
Receiving Mail Port 110
FTP Port 20,21
Telnet Port 23
SSH Port 22
Secure Web Port 443

10/27/2004 20:19:21 TCP from 192.168.1.100:1030 to supportcenter.verizon.net(206.46.187.54):25


That means you were probably sending mail.


10/27/2004 20:19:21 TCP from 192.168.1.100:1030 to supportcenter.verizon.net(206.46.187.54):443


Means you were visiting an HTTPS:// site.

I hope this all makes sense
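The way the two log formats are read above can be written down as code. The following is an added example, not code from the original post, from Linksys or from BleepingComputer: a small Python parser for lines in exactly the format shown in this thread, the port-to-service table from the post (plus 445 for SMB, from the explanation of the incoming entry), and a summary that groups inbound entries by destination port and counts how many different hosts hit each one, which is the pattern of many unrelated machines probing the same port that the post attributes to a worm. The sample log lines are constructed here in the thread's format with the router's address kept masked; the function and constant names are the example's own.

```python
import re
from collections import defaultdict

# Sample lines, constructed here in the format of the Linksys logs posted above
# (the router's public address stays masked as xxx.xxx.xxx.xxx, as in the post).
INCOMING = """\
10/27/2004 20:21:31 TCP from 151.197.202.187:3653 to xxx.xxx.xxx.xxx:445
10/27/2004 20:21:50 TCP from 151.197.194.237:3273 to xxx.xxx.xxx.xxx:2745
10/27/2004 20:21:58 TCP from 68.162.107.135:3277 to xxx.xxx.xxx.xxx:445
10/27/2004 20:22:00 TCP from 151.197.194.237:3273 to xxx.xxx.xxx.xxx:2745
10/27/2004 20:22:14 TCP from 151.197.245.114:2906 to xxx.xxx.xxx.xxx:445
"""

OUTGOING = """\
10/27/2004 20:19:21 TCP from 192.168.1.100:1030 to supportcenter.verizon.net(206.46.187.54):80
10/27/2004 20:24:06 TCP from 192.168.1.100:1069 to 216.239.41.104:80
10/27/2004 20:35:25 TCP from 192.168.1.100:1248 to incoming.verizon.net(206.46.170.10):110
"""

# Port-to-service table from the post, plus 445 (SMB) from the explanation above.
SERVICES = {
    20: "FTP (data)", 21: "FTP (control)", 22: "SSH", 23: "Telnet",
    25: "SMTP (sending mail)", 80: "HTTP (web)", 110: "POP3 (receiving mail)",
    443: "HTTPS (secure web)", 445: "SMB (Windows networking / file sharing)",
}

# One line of either log.  The destination is either "host(ip)" as in the
# outgoing log, or a bare (possibly masked) address as in the incoming log.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>TCP|UDP) from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to "
    r"(?:(?P<dhost>[^()\s]+)\((?P<dst_ip>[\dx.]+)\)|(?P<dst_bare>[\dx.]+))"
    r":(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "date": g["date"], "time": g["time"], "proto": g["proto"],
        "src": g["src"], "sport": int(g["sport"]),
        "dhost": g["dhost"],                      # None when the router logged no name
        "dst": g["dst_ip"] or g["dst_bare"],
        "dport": int(g["dport"]),
    }


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def service_name(port):
    return SERVICES.get(port, "unknown / other")


def describe(entry, inbound):
    """Plain-English reading of one entry, in the style of the explanation above."""
    svc = service_name(entry["dport"])
    when = f"{entry['date']} {entry['time']}"
    if inbound:
        # An inbound line is something the router dropped; it never reached a PC.
        return (f"{when}: {entry['src']} (its port {entry['sport']}) tried to reach "
                f"your router on port {entry['dport']} ({svc}); blocked")
    target = entry["dhost"] or entry["dst"]
    return (f"{when}: your PC {entry['src']} (ephemeral port {entry['sport']}) "
            f"connected to {target} on port {entry['dport']} ({svc})")


def sources_by_port(entries):
    """Map each destination port to the sorted list of distinct source addresses."""
    by_port = defaultdict(set)
    for e in entries:
        by_port[e["dport"]].add(e["src"])
    return {port: sorted(srcs) for port, srcs in by_port.items()}


def probed_ports(entries, min_sources=3):
    """Ports hit by at least min_sources different hosts: unrelated machines all
    knocking on one port is the worm-scanning pattern, not one curious visitor."""
    return sorted(p for p, s in sources_by_port(entries).items() if len(s) >= min_sources)


if __name__ == "__main__":
    inbound = parse_log(INCOMING)
    for e in inbound:
        print(describe(e, inbound=True))
    for e in parse_log(OUTGOING):
        print(describe(e, inbound=False))
    print("ports probed by several hosts:", probed_ports(inbound))
```

The threshold in probed_ports is a judgement call, not a rule: in the thread's full log, 445 is hit by well over a dozen different hosts in twenty minutes, which is far above any plausible "someone mistyped an address" explanation, while the two hits on 2745 both come from one source and say much less on their own.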

#4 JEservices


Posted 29 October 2004 - 11:37 AM

Thanks for the editing Grinler :thumbsup:
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#5 tos226


Posted 29 October 2004 - 07:59 PM

Thanks for the editing Grinler  :flowers:

ME TOO!
:thumbsup:
Many thanks to both of you. Your answers raised an important issue:
And thank you for the xxx. How much of a problem is it for me that I did not use xxx? Should I do anything on my end to close up the hole? Change my IP address or something like that? Had it really gone public before you made it xxx?

I still need to study your answers. I understand, I think, what you wrote, except - how do you know that the router blocked an address?

Less important: in the meantime, here are interesting sources I see in the log as it goes by:
64.157.250.185.62572
200.14.100.114:22892
215.149.50.191:22618
215.213.96.133:21014
I found on Google this site (for the last IP entered), which reports the above addresses as unknown or partly unknown.
http://www.senderbase.org/search?searchString=215.213.96.133
It is an interesting source. Do you know anything about it? If you do, how do you use the information you see?

BTW, this site reports the 151... and 68... addresses you interpret as worms as (possibly) legitimate Verizon domains. I use Verizon DSL, and I know that 151... is used for in/out mail. Can you comment on this, please?

#6 JEservices


Posted 29 October 2004 - 08:39 PM

And thank you for the xxx. How much of a problem is it for me that I did not use xxx? Should I do anything on my end to close up the hole? Change my IP address or something like that? Had it really gone public before you made it xxx?



It is likely that shortly after you sent the first message, you were pinged a lot. This is not necessarily a bad thing, because a router, by default, just ignores them anyway. If someone with enough knowledge knew exactly what router model number you have, along with the IP address, they could (again, only in theory) use a backdoor to gain access. These backdoors are usually left in there for administration purposes. It is very unlikely that someone would gain access to your system or data, but it is like telling everybody your physical address.

If you feel that the IP address is important to answering your question, and there are many of them, then try this method. When you paste your message over, have a piece of paper handy. When you have IP 123.123.123.123:4080, write it down and replace it with aaa.aaa.aaa.aaa:4080. The 4080 is the port number, and it is OK to send this in a message. On the paper write aaa.aaa.aaa.aaa=123.123.123.123. When you have a different IP, assign it a different letter so that someone knows you are referring to a different IP. 321.321.321.321:3010 could be changed to bbb.bbb.bbb.bbb:3010. When you finish with all of them, send Grinler a copy of what you wrote on paper. Like this:

The posted message could read: aaa.aaa.aaa.aaa:4080 has a log error of continuous pings. What can I do about it? Also, bbb.bbb.bbb.bbb:3080 is being denied.



Message sent to Grinler via PM (Private Message): aaa.aaa.aaa.aaa=123.123.123.123 and bbb.bbb.bbb.bbb=321.321.321.321


We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.
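The pen-and-paper substitution described above is easy to get wrong by hand once a log has dozens of addresses (the same host must get the same placeholder every time, and the port must survive). The following is an added example, not code from the original post or from BleepingComputer: a Python helper that masks every public address in a block of log text with aaa.aaa.aaa.aaa, bbb.bbb.bbb.bbb and so on, consistently across the whole text, leaves the ports untouched, and keeps the placeholder-to-real table to send by private message. Two design choices are the example's own, not the post's: private addresses such as 192.168.1.100 are passed through unchanged (the thread left them visible), and a malformed quad such as the 321.321.321.321 used in the post's illustration is still masked rather than crashing the script. The sample lines are constructed in the thread's log format.

```python
import ipaddress
import re
import string

# Dotted quads anywhere in the text; the port after ":" is deliberately not part
# of the match, so it survives the substitution unchanged.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _is_private(ip):
    """RFC 1918 / loopback addresses are not worth hiding (192.168.1.100 was left
    visible in the thread).  A malformed quad such as 321.321.321.321 is not a
    valid address, so ipaddress raises; treat it as public and mask it anyway."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


class IpMasker:
    """Replace public addresses with aaa.aaa.aaa.aaa, bbb.bbb.bbb.bbb, ... and keep
    the placeholder -> real-address table (the 'piece of paper') for the PM."""

    def __init__(self):
        self.mapping = {}   # placeholder -> real address, in order of first appearance

    def placeholder(self, ip):
        for ph, real in self.mapping.items():
            if real == ip:
                return ph   # the same host always gets the same placeholder
        i = len(self.mapping)
        letter = string.ascii_lowercase[i % 26]
        # After 26 hosts, append a round number so placeholders stay distinct (aa1, bb1, ...).
        octet = letter * 3 if i < 26 else letter * 2 + str(i // 26)
        ph = ".".join([octet] * 4)
        self.mapping[ph] = ip
        return ph

    def mask(self, text):
        """Mask every public address in text; private addresses pass through unchanged."""
        def replace(match):
            ip = match.group(1)
            return ip if _is_private(ip) else self.placeholder(ip)
        return IP_RE.sub(replace, text)

    def key(self):
        """The table to send privately, one 'placeholder=real' pair per line."""
        return "\n".join(f"{ph}={real}" for ph, real in self.mapping.items())


if __name__ == "__main__":
    # Constructed sample in the thread's log format (addresses chosen for the demo).
    sample = (
        "10/27/2004 22:16:46 TCP from 151.197.118.41:2103 to 70.57.224.197:445\n"
        "10/27/2004 22:19:34 TCP from 151.197.118.41:3234 to 70.57.224.197:445\n"
        "10/27/2004 20:19:21 TCP from 192.168.1.100:1030 to supportcenter.verizon.net(206.46.187.54):80"
    )
    masker = IpMasker()
    print(masker.mask(sample))      # this is what goes in the public post
    print("--- send by PM ---")
    print(masker.key())             # this stays private
```

One caveat: the regular expression matches any four dot-separated numbers, so a version string like 1.2.3.4 in the surrounding text would be masked too; for a router log that is harmless, but check the output before posting it.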

#7 Grinler

    Lawrence Abrams (Admin)

Posted 29 October 2004 - 11:52 PM

Whenever you see an entry in the incoming log, it is always because it's been stopped.

That IP address that is listed as unknown is actually this:

OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    7990 Science Applications Ct
Address:    M/S CV 50
City:      Vienna
StateProv:  VA
PostalCode: 22183-7000
Country:    US

NetRange:  215.0.0.0 - 215.255.255.255
CIDR:      215.0.0.0/8
NetName:    DDN-NIC16
NetHandle:  NET-215-0-0-0-1
Parent:
NetType:    Direct Allocation
NameServer: AAA-VIENNA.NIPR.MIL
NameServer: AAA-KELLY.NIPR.MIL
NameServer: AAA-WHEELER.NIPR.MIL
NameServer: AAA-VAIHINGEN.NIPR.MIL
Comment:    DoD Network Information Center
Comment:    7990 Boeing Court M/S CV-50
Comment:    Vienna, VA 22183 US
RegDate:    1998-06-05
Updated:    1998-06-09

TechHandle: MIL-HSTMST-ARIN
TechName:  Network DoD
TechPhone:  +1-703-676-1051
TechEmail:  HOSTMASTER@nic.mil

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName:  Network DoD
OrgTechPhone:  +1-703-676-1051
OrgTechEmail:  HOSTMASTER@nic.mil


Who the hell knows why it's connecting to you, but they get viruses too. The other IP addresses are definitely computers on the internet that are infected with a worm trying to infect other computers. Nothing you can do about it, and I would not worry about it.

#8 tos226


Posted 30 October 2004 - 02:38 PM

Whenever you see an entry in the incoming log, it is always because it's been stopped.

Good news. I was looking for a column saying it got blocked. Thank you. Now I get it.

Comment:    DoD Network Information Center

Thanks for the 215 IP. I am just trying to come to grips with what's what, and all the information you gave is super. Now, this DoD is an interesting hit. If it isn't a wormy Defense I don't know what it is! :thumbsup:

Incidentally, Jason suggested posting a PM should I need to post a log again. I actually tried that initially because I wasn't sure whether to really post the logs. But I got access denied to PM or something to that effect.

Anyway, many thanks, I'm on my way to begin to understand this!

#9 JEservices


Posted 30 October 2004 - 04:19 PM

Incidentally, Jason suggested posting a PM should I need to post a log again. I actually tried that initially because I wasn't sure whether to really post the logs. But I got access denied to PM or something to that effect.

Anyway, many thanks, I'm on my way to begin to understand this!



Does your system log you in to this site automatically? That type of error usually occurs when you try to PM someone and you are not logged in.
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#10 tos226


Posted 01 November 2004 - 04:04 PM

I must not have been logged in from the office. PM is working just fine. Thanks.



