Posted by Todd H. on June 5, 2006, 11:25 am
> Hi all,
>
> I got a USR router and I see some suspect log messages:
>
> Could someone help me to understand if someone or more are trying to
> find a bug in the router software to hack my network?
>
> May 28 18:14:35 user warning dnsprobe[505]: dns query failed
> May 28 18:10:13 user alert kernel: Intrusion -> IN=ppp_8_35_1
> OUT= MAC= SRC=87.10.216.156 DST=87.11.150.32 LEN=48 TOS=0x00 PREC=0x00
> TTL=58 ID=48499 DF PROTO=TCP SPT=2615 DPT=135 WINDOW=64800 RES=0x00
> SYN URGP=0
> May 28 18:09:55 user alert kernel: Intrusion -> IN=ppp_8_35_1
> OUT= MAC= SRC=87.11.97.13 DST=87.11.150.32 LEN=48 TOS=0x00 PREC=0x00
> TTL=121 ID=24803 DF PROTO=TCP SPT=2180 DPT=135 WINDOW=16384 RES=0x00
> SYN URGP=0
> May 28 18:09:52 user alert kernel: Intrusion -> IN=ppp_8_35_1
> OUT= MAC= SRC=87.11.97.13 DST=87.11.150.32 LEN=48 TOS=0x00 PREC=0x00
> TTL=121 ID=24484 DF PROTO=TCP SPT=2180 DPT=135 WINDOW=16384 RES=0x00
> SYN URGP=0
All probes for a Windows share on port 135. Script kiddie stuff the
world over. Not a big deal so long as you aren't running a Windows
share out to the internet.
> May 28 18:09:46 user alert kernel: Intrusion -> IN=ppp_8_35_1
> OUT= MAC= SRC=87.11.52.56 DST=87.11.150.32 LEN=64 TOS=0x00 PREC=0x00
> TTL=41 ID=25213 DF PROTO=TCP SPT=3716 DPT=445 WINDOW=53760 RES=0x00
> SYN URGP=0
> May 28 18:09:38 user alert kernel: Intrusion -> IN=ppp_8_35_1
> OUT= MAC= SRC=87.11.165.246 DST=87.11.150.32 LEN=48 TOS=0x00 PREC=0x00
> TTL=121 ID=31069 PROTO=TCP SPT=28824 DPT=445 WINDOW=64240 RES=0x00 SYN
> URGP=0
Similar probe on port 445, no worries.
> May 28 18:08:53 user warning dnsprobe[505]: dns query
Automated tool seeing if you have a DNS server running. Not a big
deal either assuming your router is blocking it, and you don't have
anything in your DMZ.
--
Todd H.
http://www.toddh.net/
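
Added example, not part of the original post: a small Python parser for the "Intrusion ->" kernel lines quoted above, grouping blocked packets by destination port and source so the port 135 and 445 probes stand out. It assumes the KEY=value layout visible in those entries; the names parse_entry and summarize are made up for this example.

```python
import re
from collections import defaultdict

# Entries copied from the post above, unwrapped to one per line.
SAMPLE_LOG = """\
May 28 18:14:35 user warning dnsprobe[505]: dns query failed
May 28 18:10:13 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=87.10.216.156 DST=87.11.150.32 LEN=48 TOS=0x00 PREC=0x00 TTL=58 ID=48499 DF PROTO=TCP SPT=2615 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
May 28 18:09:55 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=87.11.97.13 DST=87.11.150.32 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=24803 DF PROTO=TCP SPT=2180 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
May 28 18:09:52 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=87.11.97.13 DST=87.11.150.32 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=24484 DF PROTO=TCP SPT=2180 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
May 28 18:09:46 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=87.11.52.56 DST=87.11.150.32 LEN=64 TOS=0x00 PREC=0x00 TTL=41 ID=25213 DF PROTO=TCP SPT=3716 DPT=445 WINDOW=53760 RES=0x00 SYN URGP=0
May 28 18:09:38 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=87.11.165.246 DST=87.11.150.32 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=31069 PROTO=TCP SPT=28824 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
"""

ENTRY = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ \S+ kernel: Intrusion -> (?P<body>.*)$")

def parse_entry(line):
    """Return the packet fields of one firewall entry, or None for other lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "flags": set()}
    for token in m.group("body").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value          # KEY=value; value may be empty (OUT=, MAC=)
        else:
            fields["flags"].add(token)   # bare tokens such as DF and SYN
    return fields

def summarize(log_text):
    """Group blocked packets by (protocol, destination port)."""
    summary = defaultdict(lambda: {"packets": 0, "sources": set(), "syn_only": True})
    for line in log_text.splitlines():
        pkt = parse_entry(line)
        if pkt is None:
            continue  # dnsprobe and other non-firewall lines
        # DPT is missing for protocols without ports; record those under port 0.
        row = summary[(pkt.get("PROTO", "?"), int(pkt.get("DPT", 0)))]
        row["packets"] += 1
        row["sources"].add(pkt.get("SRC", "?"))
        row["syn_only"] &= "SYN" in pkt["flags"] and not pkt["flags"] & {"ACK", "RST", "FIN"}
    return dict(summary)

if __name__ == "__main__":
    for (proto, port), row in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {row['packets']} packets, sources {sorted(row['sources'])}, SYN only: {row['syn_only']}")
```
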