
Strange pings in router logs


10 replies to this topic

#1 SadCause


  • Members
  • 4 posts
  • Gender:Male
  • Location:Italy

Posted 26 May 2018 - 08:17 AM

Hello! Today I was just checking my ADSL status and I took some time to check the router's log files as I regularly do and I found out that 2 IPs pinged my computer once in the night and once in the morning.

[Screenshot of the router log]
As you can see, there are 2 IPs that pinged my PC: once when it was turned on (at 00:28) and once when it was turned off (at 08:31). I did some research and found out that the "access" from 216.218.206.68 is actually a ShadowServer IP (from a range of them; it appears that they also use 216.218.206.66 and probably more). Even if they seem to be "The good guys™", I still don't like them poking my devices without consent. Better safe than sorry I guess, but I'm actually much more worried about the first ping, which comes from the UK with hostname (from a reverse lookup) hostby.ups-gb.co.uk. A whois of the address doesn't show much info at all.

I'm by no means an expert, I'm just an enthusiast, that's why I'm asking if someone can help me understand if I'm just chasing shadows or actually something fishy is/was going on.

I would also like to point out that my router is a Netgear DGN2200v4, no remote login enabled.

Thanks for everything in advance and have a good day!




#2 britechguy


    Been there, done that, got the T-shirt


  • Moderator
  • 8,991 posts
  • Gender:Male
  • Location:Staunton, VA

Posted 26 May 2018 - 10:16 AM

Do you have your router settings set up such that it responds to external ping requests? If you're really concerned, I'd just turn that off (and most routers allow you to do this for ping requests originating outside the LAN).

 

Since ping requests can be "as common as dirt", I don't really get all that concerned by them in general. I do try to remember to configure the modem-routers I set up not to respond to external ping requests.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


#3 SadCause

  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Location:Italy

Posted 26 May 2018 - 10:43 AM

Nope, no mention of it in the firewall settings, nor in any other section. Guess I was just worried for nothing, as I thought.

I'll keep an eye out for some time, just to be sure. Thanks again.



#4 britechguy


    Been there, done that, got the T-shirt


  • Moderator
  • 8,991 posts
  • Gender:Male
  • Location:Staunton, VA

Posted 26 May 2018 - 11:45 AM

You can also run Steve Gibson's "Shields-Up!" utility to see what it finds. It's a great online resource that's been used to probe for vulnerabilities for a very long time now.



#5 britechguy


    Been there, done that, got the T-shirt


  • Moderator
  • 8,991 posts
  • Gender:Male
  • Location:Staunton, VA

Posted 26 May 2018 - 11:55 AM

This page may also be of interest: https://www.raymond.cc/blog/blocking-ping-response-in-windows-to-prevent-hackers-from-finding-you/

and/or this one: http://www.sysprobs.com/enable-ping-reply-and-ftp-traffic-in-windows-10-and-server


Edited by britechguy, 26 May 2018 - 11:56 AM.


#6 Didier Stevens


  • BC Advisor
  • 2,716 posts
  • Gender:Male

Posted 26 May 2018 - 12:53 PM

Technically speaking, the "access" entries you refer to are not pings. Ping uses the ICMP protocol, and this protocol has no ports.

 

In your logs you see port numbers for the "accesses" you refer to, so they are not ping requests. They indicate data transported via a protocol that uses ports, like TCP or UDP.

From the number of entries and the destination IP address(es), I would guess that those entries are for TCP or UDP connections that actually took place (i.e. were not blocked).

 

Take the example of the ShadowServer entry: that is for destination port 27017. TCP port 27017 is the default port for MongoDB, and I guess that's what ShadowServer tries to map.

https://docs.mongodb.com/manual/reference/default-mongodb-port/

 

However, that port is also used by many other applications, like Steam, a gaming framework.

Could it be that:

1) you or someone else on your premises is a gamer, e.g. using Steam?

2) this port is open on your router, maybe via UPNP?


Edited by Didier Stevens, 26 May 2018 - 12:55 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 SadCause

  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Location:Italy

Posted 26 May 2018 - 01:47 PM

Yes, I do play games and use Steam, but again the PC was turned off at the time, so it seems strange that it could transmit anything anyway (no WOL is active at the moment).

Maybe even if the port is forwarded it will still send the data to it but fail, and log it as "succeeded" anyway?



#8 Didier Stevens


  • BC Advisor
  • 2,716 posts
  • Gender:Male

Posted 26 May 2018 - 02:57 PM

Then it's likely that the port is forwarded; your game(s) could have used UPnP (your router supports it) to open ports on your router.

 

For a TCP connection, your router will forward the SYN packet to your PC. Your PC is off, so it can't reply with a SYN/ACK packet. So no TCP connection will be established (and no actual data is transmitted).

However, it is possible that your router logs an "access" entry each time it forwards a SYN packet, regardless of whether an actual TCP connection follows.

 

Wake-on-LAN is highly improbable, as it uses other network protocols and the packet has to contain the MAC address of the NIC of the PC it wants to power on.


Edited by Didier Stevens, 26 May 2018 - 03:00 PM.

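An added example (not code from anyone in this thread) that applies the two points made in posts #6 and #8: an entry carrying a destination port cannot be ICMP, and a forwarded SYN is logged whether or not the PC ever answered. It parses constructed log lines written in the style of a consumer router's event log; the LAN address, timestamps and the hypothetical forwarding table are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (not from the poster's router), written in the style
# of a consumer router's event log. IPs/ports echo the thread; LAN address is invented.
SAMPLE_LOG = """\
[LAN access from remote] from 216.218.206.68:45872 to 192.168.0.10:27017, Saturday, May 26, 2018 08:31:02
[LAN access from remote] from 203.0.113.77:51002 to 192.168.0.10:4950, Saturday, May 26, 2018 00:28:41
[DoS attack: ICMP Flood] from source: 198.51.100.9, Saturday, May 26, 2018 03:10:55
"""

# Hypothetical port-forward table, as a UPnP client might have populated it.
FORWARDS = {27017: "Steam (opened via UPnP)", 4950: "unknown application"}
WELL_KNOWN = {27017: "MongoDB default port, also used by Steam"}

LINE_RE = re.compile(
    r"\[(?P<kind>[^\]]+)\] from (?:source: )?(?P<src>[\d.]+)(?::\d+)?"
    r"(?: to (?P<dst>[\d.]+):(?P<dport>\d+))?, (?P<when>.+)$"
)

@dataclass
class Entry:
    kind: str
    src: str
    dport: Optional[int]   # None when the entry carries no port (ICMP)
    when: str

def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Entry(m["kind"], m["src"], int(m["dport"]) if m["dport"] else None, m["when"])

def classify(e: Entry) -> str:
    """Say what an entry can and cannot tell you."""
    if e.dport is None:
        # ICMP carries no port numbers, so only a port-less entry can be a ping.
        return "ICMP" if "ICMP" in e.kind else "unknown"
    app = FORWARDS.get(e.dport)
    if app is None:
        return f"port {e.dport}: not forwarded, dropped at the router"
    # The router logs the forwarded SYN even when the LAN host is off and never
    # answers with SYN/ACK; the entry does not prove a connection was established.
    return f"port {e.dport}: forwarded to {app} ({WELL_KNOWN.get(e.dport, 'no well-known service')})"

def triage(log: str) -> list:
    return [(e.src, classify(e)) for e in map(parse_line, log.strip().splitlines())]
```

Running `triage(SAMPLE_LOG)` yields one (source, verdict) pair per line; a port whose forward you did not intend is the one to investigate on the PC.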


#9 SadCause

  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Location:Italy

Posted 26 May 2018 - 03:08 PM

Yeah, it probably logs stuff this way. As I said earlier, I'm just getting worried over nothing. Thanks again then.



#10 Didier Stevens


  • BC Advisor
  • 2,716 posts
  • Gender:Male

Posted 26 May 2018 - 03:30 PM

The fact that your router receives a lot of unwanted packets: yes, that's nothing you should worry about.

The fact that your router forwards some of these packets to your PC: if you want those ports to be forwarded, then yes, you don't have to worry.

 

For port 4950, I can't find good information on what it's used for. Maybe best to check on your PC whether it's open and by which application.




#11 technonymous


  • Members
  • 2,516 posts
  • Gender:Male

Posted 05 June 2018 - 02:58 AM

If you play Steam games and ever host a game, then your IP will be hit often.





