D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DGL-4100 => Topic started by: suprra_girl on March 31, 2009, 03:26:45 AM
-
I'm not sure if I should post my log as I'm not sure what information may be unsafe in it, I'm sure you'll let me know if it is or not :)
My log is full of random people around the world appearing in my logs with blocked packets. The same ip, over and over and over. Is this a sign of attempted hacking? I believe the router is doing a fantastic job and not letting them in but I'd like to make sure I'm educated in this information so I know for future and know what I need to do about it.
Thank you
(I'll post my log if it's perfectly safe)
-
What are you doing when this is going on?
Do you run bittorrent or and other P2P software?
-
No actually, I was just logged into the router homepage and surfing a couple of forums. I do have p2p software installed tho but my computer is fairly safe.
-
What p2p are you using?
-
uTorrent, but it only runs in the early hours of the morning. I am seeing this stuff in my logs throughout the day; even restarting the modem to get a new WAN IP is having no effect. I did another scan and no nasties showed up. I figure if anyone is going to know if Windows is out of whack, Microsoft will, so I used their scanner online.
Do you want me to post up the log? Will it matter if people see what IPs I'm using on the LAN and WAN?
-
Na, however torrent programs can cause things like this even if you believe that they're not running.
I have a friend that might be able to explain it better.
Eddie?
-
Always here :D
Please post the logs. And please indicate on which port your torrent is configured (if it is random this might be an easy exercise).
-
:)
-
Thanks a lot
-
uTorrent port 50353
Thanks. Please remove the link to the log file.
-
The protocols are TCP (6) and UDP (17).
By the looks of it you have some infection on your PC, possibly Conficker. Conficker seems to be a hoax, but it does communicate to servers. Try Google for an antiroot detector for Conficker to check.
-
Oh he's good.
-
Just a hunch. If the torrent port is static, this traffic should not be there. But looking at the IPs there seems to be a pattern. And one of them is doing a WHOAMI, which indicates deliberate targeting.
I am not a sys admin, those guys can probably tell you right away. ;)
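The check Eddie is describing (a static torrent port means blocked packets aimed at that port are probably stale swarm peers, while the same source hitting several other ports is a different pattern) can be done mechanically over the log. The script below is an added example, not code from the thread or from D-Link; the log lines are constructed in a generic "blocked packet" shape rather than the DGL-4100's real syslog format, so the regular expression would need adapting to the router's actual output. The port 50353 is the one the thread names; every IP address and the other port numbers are made up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. The line format is a generic "blocked packet" shape,
# not the DGL-4100's actual syslog format; adapt LINE_RE to the real one.
SAMPLE_LOG = """\
2009-03-31 03:01:12 Blocked incoming TCP packet from 203.0.113.7:4455 to port 50353
2009-03-31 03:01:15 Blocked incoming UDP packet from 203.0.113.7:4455 to port 50353
2009-03-31 03:02:40 Blocked incoming TCP packet from 198.51.100.23:52011 to port 445
2009-03-31 03:02:41 Blocked incoming TCP packet from 198.51.100.23:52012 to port 139
2009-03-31 03:02:42 Blocked incoming TCP packet from 198.51.100.23:52013 to port 135
2009-03-31 03:03:05 Blocked incoming UDP packet from 192.0.2.88:6881 to port 50353
2009-03-31 03:05:10 Blocked incoming TCP packet from 198.51.100.23:52014 to port 3389
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Blocked incoming (?P<proto>TCP|UDP) packet "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to port (?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Entry:
    ts: str
    proto: str
    src: str
    sport: int
    dport: int


def parse_log(text):
    """Parse blocked-packet lines; lines that don't match the pattern are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], m["proto"], m["src"],
                                 int(m["sport"]), int(m["dport"])))
    return entries


def classify(entries, torrent_port):
    """Per source IP: how many blocked packets hit the static torrent port
    ("swarm" leftovers) versus any other port ("other"), plus the distinct
    non-torrent ports that source touched."""
    summary = defaultdict(lambda: {"swarm": 0, "other": 0, "other_ports": set()})
    for e in entries:
        s = summary[e.src]
        if e.dport == torrent_port:
            s["swarm"] += 1
        else:
            s["other"] += 1
            s["other_ports"].add(e.dport)
    # freeze the sets into sorted lists for stable, comparable output
    return {src: {"swarm": s["swarm"], "other": s["other"],
                  "other_ports": sorted(s["other_ports"])}
            for src, s in summary.items()}


def suspicious_sources(summary, min_ports=2):
    """A source that touches several different non-torrent ports is not a stale
    swarm peer and is worth a closer look (the packets were blocked either way)."""
    return sorted(src for src, s in summary.items()
                  if len(s["other_ports"]) >= min_ports)


if __name__ == "__main__":
    summary = classify(parse_log(SAMPLE_LOG), torrent_port=50353)
    for src, s in summary.items():
        print(f"{src:16} swarm={s['swarm']} other={s['other']} ports={s['other_ports']}")
    print("worth a closer look:", suspicious_sources(summary))
```

On the constructed sample, the two sources that only ever hit port 50353 are classified as swarm leftovers, while the one source that touched four unrelated ports is the only one flagged; that split is the question Eddie's "if the torrent port is static" hunch is really asking.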
-
I didn't check the logs; was there more than one LAN address representing this behavior?
-
The logs only show one IP address and that's the WAN one; it doesn't specify the LAN address. I'm not quite sure how to find that info.
We are both using NOD32 antivirus and it is always updated.
I've run those port check scanners and they said they couldn't get through, but they were scanning for the usual ports. I guess hackers don't have a habit of being typical.
I will find a Conficker scan utility and scan with that, although I do find that particular virus unlikely, but I never know who feels like kicking me up the butt today heh
-
/. had a post today on a Conficker eye chart that I found amusing. It would be interesting to see what results you get on it from an infected host. The theory seems sound given what little I know of Conficker. As always it would be at your own risk.
-
I did a scan with McAfee's Conficker scanner and it searched IPs from 1 - 254 and found nothing. Is there another one you want me to try? Have a link? I couldn't really find info/scanners related to an antiroot detector for Conficker.
-
I was referring to a http://slashdot.org post this morning (April Fools' Day is a constant affair there) showing an eye chart to detect Conficker installations.
The link was
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
That said, while it appears sound based on what little I know of Conficker, I am not the person to run to for security advice, and I can't confirm that this is an effective test.
-
My computer appears fine so far... I did find the Obfuscated.A trojan on my mum's PC, which is now cleaned; it ended up in a file called torrent101.exe which neither of us recall downloading :/
My scanner is at 99% with nothing detected yet :)
My mum's PC however is finding a few little trojans; they appear to be related to games but I've deleted them anyway :)
-
Nonetheless, my guess is the firewall is simply doing its job: blocking unwanted traffic. It could be as simple as those IPs were part of the swarm you were a member of last and are simply not ACKing your disconnected status. Unless you see breaches, I wouldn't sweat it.
-
Yep, I can see that it's blocking it so that's great. I was just curious as to what these constant listings were, but am glad that the router is doing its job well.
Thank you all for your help, I appreciate it a lot :)
-
I think Lycan is right,
I saw your other post: http://forums.dlink.com/index.php?topic=2954.0
where you state you're using the DGL-4100 and 502T together. I'm gonna guess that the 502T is NATting the connections to the DGL-4100 and what you're seeing is a connection state the 502T has established that the DGL-4100 has already timed out.
Whenever you run two gateways in-line with each other you're going to see an uptick in blocked connections. This doesn't mean you're getting hacked, it just means the state tables aren't synced 100%, which is most likely due to the state timing out on the DGL-4100 before the 502T.
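The state-table mismatch described above can be shown with a small simulation. This is an added example, not code from the thread or from either device: each gateway is modelled as a table of flow -> last-seen time with an idle timeout, the timeouts (300 s for the outer gateway, 60 s for the inner one), the flow tuple and the packet timings are all constructed values, and the inner gateway only ever sees a packet the outer one has already forwarded.

```python
from dataclasses import dataclass, field


@dataclass
class StateTable:
    """A minimal stateful firewall table: flow -> time of the last packet seen."""
    name: str
    idle_timeout: float                            # seconds of inactivity before purge
    flows: dict = field(default_factory=dict)
    blocked: list = field(default_factory=list)    # (time, flow): what the log shows

    def outbound(self, flow, now):
        """LAN host starts (or continues) a connection; record or refresh state."""
        self.flows[flow] = now

    def inbound(self, flow, now):
        """Internet-side packet: passes only if matching state exists and is fresh."""
        last = self.flows.get(flow)
        if last is not None and now - last <= self.idle_timeout:
            self.flows[flow] = now
            return True
        self.flows.pop(flow, None)          # expired entries are purged lazily
        self.blocked.append((now, flow))    # this is the "blocked packet" log line
        return False


def simulate(inner_timeout=60, outer_timeout=300):
    """Two gateways in line: outer (modem side) with a long idle timeout, inner
    (LAN side) with a short one. Returns per-packet verdicts and block counts."""
    outer = StateTable("outer-gateway", outer_timeout)
    inner = StateTable("inner-gateway", inner_timeout)
    # Constructed flow: LAN host 192.168.0.10 talking to a peer 203.0.113.7
    flow = ("203.0.113.7", 6881, "192.168.0.10", 50353, "TCP")
    inner.outbound(flow, 0)
    outer.outbound(flow, 0)

    verdicts = []
    for t in (30, 150, 400):                # seconds after the connection opened
        passed_outer = outer.inbound(flow, t)
        # the inner gateway only sees packets the outer gateway forwarded
        passed_inner = inner.inbound(flow, t) if passed_outer else False
        verdicts.append((t, passed_outer, passed_inner))
    return {
        "verdicts": verdicts,
        "outer_blocked": len(outer.blocked),
        "inner_blocked": len(inner.blocked),
    }


if __name__ == "__main__":
    for t, o, i in simulate()["verdicts"]:
        print(f"t={t:4}s  outer={'pass' if o else 'BLOCK'}  inner={'pass' if i else 'BLOCK'}")
```

With the mismatched timeouts the peer's packet at t=150 s is still valid on the outer gateway (its entry was refreshed at t=30 s) but the inner gateway expired the flow after 60 s idle and logs a block; at t=400 s the same thing happens again, which is exactly the "same IP, over and over" pattern. With equal timeouts (simulate(inner_timeout=300)) the inner gateway logs nothing.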
-
Err, I appreciate the response but you should have read my last post
http://forums.dlink.com/index.php?PHPSESSID=ab4e031ed8bdf7803598305245cf07ab&topic=2954.msg15976#msg15976
The purpose of that thread was to get bridge mode working correctly. As posted in that thread I noted that the 502T with isp firmware is a pos. And that's all I can say about it LOL.
If you had read a little further you would have seen that I wrote up a solution for NZ users.
Thanks for your reply.
-
I did read the rest of your forum post; the most logical explanation lies in how a half-bridge setup works.
If you run a trace route from your system you'll see a hop in there, the IP address of the modem, because in half-bridge mode it's still working similar to a router.
Having said that, I stand by my answer: you're likely seeing connections that have expired on the DGL-4100 but have yet to expire on the modem itself.
Check out http://www.dslreports.com/forum/remark,14201975, it's quite insightful.
-
The modem (the Dynalink) is not using NAT at all; I turned it off so it's just a modem and nothing else.
I'll read your link
Cheers :)
-
Omg, they have some horrible tracert results!
40ms ping to their modems!!!! They need to sort the network out I think haha.
Thanks for the link, it was interesting seeing other people's connections. I like mine :)