
Router log files show I am under constant attack


2 replies to this topic

#1 Steve M 1978 (Members, 7 posts)

Posted 08 April 2016 - 08:08 AM

Hi. Here is a snippet from my Asus AC68U router logs. I am getting attacked on the RDP port every few seconds. The port is open on the internal device but I use a different port externally.

 

How can i block this IP at router level to stop the attacks?

 

Apr  8 12:47:53 kernel: ACCEPT IN=eth0 OUT=br0 SRC=70.89.117.249 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=20738 DF PROTO=TCP SPT=55475 DPT=3389 SEQ=2515410609 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Apr  8 12:47:55 kernel: ACCEPT IN=eth0 OUT=br0 SRC=70.89.117.249 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=21816 DF PROTO=TCP SPT=60263 DPT=3389 SEQ=1139366544 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Apr  8 12:47:58 kernel: ACCEPT IN=eth0 OUT=br0 SRC=70.89.117.249 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=23473 DF PROTO=TCP SPT=60263 DPT=3389 SEQ=1139366544 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Apr  8 12:48:00 kernel: ACCEPT IN=eth0 OUT=br0 SRC=70.89.117.249 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=24504 DF PROTO=TCP SPT=64633 DPT=3389 SEQ=1090588391 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Apr  8 12:48:03 kernel: ACCEPT IN=eth0 OUT=br0 SRC=70.89.117.249 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=26189 DF PROTO=TCP SPT=64633 DPT=3389 SEQ=1090588391 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)

I am going to try and force my external IP to change tonight which should help but i would love to be able to get to the bottom of this attack 
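A note on reading those log fields, and an added example that is not part of the original post. In netfilter LOG output a line with both IN= and OUT= set is a packet going through the FORWARD chain, so the router has already decided to pass it on to 192.168.1.167; because port forwarding (DNAT) is applied in PREROUTING before FORWARD, DPT=3389 is the destination port after translation, which fits a different external port being mapped onto 3389 internally. Also, the pairs at 12:47:55/12:47:58 and 12:48:00/12:48:03 carry identical SPT and SEQ values, so each pair is one SYN and its retransmission, not two separate attempts. The Python below parses this log format, counts forwarded SYNs per source, separates fresh attempts from retransmits, and prints an iptables rule for sources over a threshold. The sample input is constructed from the five lines in the post plus two invented lines (203.0.113.5 and 198.51.100.9, TEST-NET addresses). The iptables command is an assumption: it needs shell access to the router's netfilter and uses the WAN interface name eth0 seen in IN=; on firmware without shell access the same per-source deny has to be entered in the router's firewall UI. A per-source block only helps against this one scanner; the lasting fix is removing or restricting the forward that delivers these SYNs to the internal host.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the five ACCEPT lines from the post, plus two invented
# lines (TEST-NET addresses 203.0.113.5 and 198.51.100.9) so the filters have
# something to ignore. The DROP line has OUT= empty, i.e. it was addressed to the
# router itself (INPUT chain), not forwarded.
SAMPLE_LOG = """\
Apr  8 12:47:53 kernel: ACCEPT IN=eth0 OUT=br0 SRC=70.89.117.249 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=20738 DF PROTO=TCP SPT=55475 DPT=3389 SEQ=2515410609 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Apr  8 12:47:55 kernel: ACCEPT IN=eth0 OUT=br0 SRC=70.89.117.249 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=21816 DF PROTO=TCP SPT=60263 DPT=3389 SEQ=1139366544 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Apr  8 12:47:58 kernel: ACCEPT IN=eth0 OUT=br0 SRC=70.89.117.249 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=23473 DF PROTO=TCP SPT=60263 DPT=3389 SEQ=1139366544 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Apr  8 12:48:00 kernel: ACCEPT IN=eth0 OUT=br0 SRC=70.89.117.249 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=24504 DF PROTO=TCP SPT=64633 DPT=3389 SEQ=1090588391 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Apr  8 12:48:03 kernel: ACCEPT IN=eth0 OUT=br0 SRC=70.89.117.249 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=26189 DF PROTO=TCP SPT=64633 DPT=3389 SEQ=1090588391 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Apr  8 12:48:10 kernel: ACCEPT IN=eth0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.167 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=100 DF PROTO=TCP SPT=40000 DPT=3389 SEQ=1 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  8 12:48:11 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.77 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# "Apr  8 12:47:53 kernel: ACCEPT <key=value pairs and bare flag tokens>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) kernel: (?P<verdict>[A-Z]+) (?P<rest>.*)$"
)
KV_RE = re.compile(r"([A-Z]+)=(\S*)")
# netfilter prints TCP flags and IP fragment bits as bare words. "ACK=0" is the
# acknowledgement number; a bare "ACK" is the flag, so the two must not be confused.
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Parse one netfilter LOG line into a dict, or return None if it is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "verdict": m.group("verdict")}
    rec.update(dict(KV_RE.findall(rest)))
    rec["flags"] = {tok for tok in rest.split() if tok in FLAG_TOKENS}
    return rec


def is_forwarded_syn(rec, dport):
    """True for a new-connection TCP SYN (SYN set, ACK flag absent) that the router
    is forwarding (both IN= and OUT= non-empty) to the given destination port."""
    return (
        rec is not None
        and rec.get("PROTO") == "TCP"
        and rec.get("DPT") == str(dport)
        and "SYN" in rec["flags"]
        and "ACK" not in rec["flags"]
        and bool(rec.get("IN"))
        and bool(rec.get("OUT"))
    )


def syn_sources(log_text, dport=3389, threshold=3):
    """Count forwarded SYNs to dport per source address; return the sources at or
    above threshold as {src: count}."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_forwarded_syn(rec, dport):
            counts[rec["SRC"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def attempts_and_retransmits(log_text, dport=3389):
    """Group SYNs by (SRC, SPT, SEQ). A later line with the same tuple is the sender
    retransmitting the same SYN because no SYN-ACK came back in time, so this
    separates distinct connection attempts from retries."""
    seen = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_forwarded_syn(rec, dport):
            seen[(rec["SRC"], rec["SPT"], rec["SEQ"])] += 1
    attempts = len(seen)
    retransmits = sum(n - 1 for n in seen.values())
    return attempts, retransmits


def block_rules(srcs, wan_if="eth0"):
    """iptables commands that drop further forwarded traffic from each source.
    Assumption: shell access to the router's netfilter; wan_if is the WAN
    interface name taken from the IN= field of the log."""
    return [f"iptables -I FORWARD -i {wan_if} -s {src} -j DROP" for src in sorted(srcs)]


if __name__ == "__main__":
    noisy = syn_sources(SAMPLE_LOG)
    print("sources over threshold:", noisy)
    print("attempts/retransmits:", attempts_and_retransmits(SAMPLE_LOG))
    for rule in block_rules(noisy):
        print(rule)
```

Feed the router's real log to syn_sources and attempts_and_retransmits in place of SAMPLE_LOG; a high retransmit count relative to attempts means the forwarded-to host is not completing the handshake (or its replies are not making it back), while a low one means the scanner is getting SYN-ACKs and the RDP service itself is being touched.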





#2 Agouti (Members, 1,548 posts)

Posted 08 April 2016 - 02:46 PM

An IP lookup says Comcast is the ISP for 70.89.117.249.  Maybe get in contact with Comcast?



#3 Didier Stevens (BC Advisor, 2,719 posts)

Posted 09 April 2016 - 04:32 PM

Those are SYN packets sent to port 3389. Since you say port 3389 is not open on your router, these packets are effectively already "blocked". Do you know if your router is also acting as a firewall? i.e. is it just dropping those packets, or is it sending back RST packets?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
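The drop-versus-RST question above can be answered with a plain TCP connect probe; the Python below is an added example, not Didier's code and not from the post. It reports "open" when the handshake completes, "closed" when a RST (or an ICMP port-unreachable, which Linux also surfaces as a refused connection) comes back, and "filtered" when nothing comes back before the timeout, which is the silent-drop behaviour of a firewall. Run it from a host outside your own network against your WAN address and the external port; probing from inside the LAN does not exercise the WAN-side rules. The loopback demo is constructed so it runs offline: it listens on an ephemeral port, probes it, closes the listener and probes again so the kernel answers RST.

```python
import socket


def classify_tcp_port(host, port, timeout=2.0):
    """Probe host:port with a TCP connect and classify what came back.

    'open'        - the three-way handshake completed (a listener answered, or a
                    port forward delivered the SYN to a host that answered)
    'closed'      - the connection was refused: a RST came back (Linux reports an
                    ICMP port-unreachable reject the same way)
    'filtered'    - nothing came back within the timeout: the SYN is being dropped
                    silently, which is what the question above is about
    'unreachable' - some other socket error, typically ICMP host/net unreachable
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def demo_local():
    """Offline demonstration: listen on an ephemeral loopback port, probe it
    (open), close the listener, probe again (closed: the kernel answers RST)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_listening = classify_tcp_port("127.0.0.1", port)
    finally:
        srv.close()
    after_close = classify_tcp_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        # Usage from outside your network: probe.py <your WAN IP> <external port>
        print(classify_tcp_port(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo_local())
```

A "filtered" result for the external port from outside means the router is dropping, and the retransmitted SYNs in the log are the scanner timing out; "closed" means something is answering with RST or an ICMP reject, which tells the scanner the address is live; "open" means the forward is delivering SYNs to a host that completes the handshake.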
