Thread: what do the entries in this log mean????

  1. #1
    Regular Member Scum333's Avatar
    Join Date
    Jan 2000
    Location
    Rhode Island
    Posts
    460

    what do the entries in this log mean????

    Here is a log my broadband router prints to on a daily basis. Do the entries in this log mean someone accessed my system successfully? Or did the router prevent it and is just telling me of the attempt?

    Here it is:

    -05:33:04 Unexpected access from 0.0.0.0 to 64.193.16.5 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 64.182.227.236 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 64.180.0.141 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 63.93.160.185 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 63.89.97.83 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 63.83.108.251 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 63.65.123.143 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 63.236.85.236 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 63.214.252.76 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 62.254.183.13 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 4.33.96.73 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 38.196.70.224 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.88.152.198 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.71.147.147 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.6.218.253 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.5.62.103 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.5.157.226 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.28.231.173 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.25.124.230 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.24.1.171 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.216.105.109 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.185.203.48 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.178.117.111 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.166.160.221 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.128.169.141 (prot=11)
    -05:33:04 Unexpected access from 0.0.0.0 to 24.115.159.231 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 65.33.170.225 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 65.27.152.222 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.81.42.135 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.81.148.137 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.81.114.214 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.58.25.12 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.42.49.70 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.36.22.108 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.32.209.112 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.26.65.133 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.249.122.169 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.23.80.18 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.217.230.155 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.21.68.26 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.193.16.5 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.182.227.236 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 64.180.0.141 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 63.93.160.185 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 63.89.97.83 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 63.83.108.251 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 63.65.123.143 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 63.236.85.236 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 63.214.252.76 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 62.254.183.13 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 4.33.96.73 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 38.196.70.224 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.88.152.198 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.71.147.147 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.6.218.253 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.5.62.103 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.5.157.226 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.28.231.173 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.25.124.230 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.24.1.171 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.216.105.109 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.185.203.48 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.178.117.111 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.166.160.221 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.128.169.141 (prot=11)
    -05:33:02 Unexpected access from 0.0.0.0 to 24.115.159.231 (prot=11)
    -05:05:01 Unrecognized access from 65.8.194.50:27960 to UDP port 27960
    -03:57:48 Unrecognized access from 24.2.204.81:27960 to UDP port 27661
    -03:30:19 Unexpected access from 0.0.0.0 to 24.91.0.66 (prot=11)
    -03:30:18 Unexpected access from 0.0.0.0 to 24.91.0.66 (prot=11)
    -03:30:17 Unexpected access from 0.0.0.0 to 24.128.232.6 (prot=11)
    -03:30:16 Unexpected access from 0.0.0.0 to 24.128.1.80 (prot=11)
    -03:30:13 Unexpected access from 0.0.0.0 to 24.91.0.66 (prot=11)
    -03:30:13 Unexpected access from 0.0.0.0 to 24.128.232.6 (prot=11)
    -03:30:13 Unexpected access from 0.0.0.0 to 24.128.1.80 (prot=11)
    -02:51:17 Unrecognized access from 138.9.193.104:1103 to UDP port 27961
    -02:21:04 Unrecognized access from 63.112.198.132:3528 to UDP port 27960
    -02:14:40 Unrecognized access from 203.45.190.46:27960 to UDP port 27961
    -02:03:58 Unrecognized access from 207.192.131.60:27960 to UDP port 27661
    -02:02:02 Unrecognized access from 64.34.88.65:1025 to UDP port 27961
    -01:55:05 Unrecognized access from 207.192.131.60:27960 to UDP port 27661
    -01:47:30 Unrecognized access from 24.91.154.35:2843 to TCP port 1243
    -01:47:27 Unrecognized access from 24.91.154.35:2843 to TCP port 1243
    -01:32:12 Unrecognized access from 63.206.232.180:1243 to UDP port 27961
    -01:27:51 Unrecognized access from 61.43.241.79:27960 to UDP port 27960
    -01:10:33 Unrecognized access from 24.131.156.16:3145 to TCP port 27374
    -00:52:26 Unrecognized access from 24.130.250.155:4870 to UDP port 7778
    -00:49:08 Unrecognized access from 63.50.164.110:27960 to UDP port 27661
    -00:29:33 Unrecognized access from 63.228.193.170:13329 to UDP port 27960

  2. #2
    SG Enthusiast FunK's Avatar
    Join Date
    Aug 2000
    Posts
    2,721

    Well, I see a few entries that would definitely raise an eyebrow if it were my logs.
    Look toward the bottom of the list.


    This one looks suspicious, but I don't know what the ports are for. I have added the contact info for the IPs if you feel like sending an e-mail to the abuse folks.
    I wouldn't send one on this first probe, but the other two are trojan ports.
    ====================================
    24.130.250.155:4870 to UDP port 7778

    ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-13)
    13241 Woodland Park Road
    Herndon, VA 20171
    US

    Netname: ROAD-RUNNER-13
    Netblock: 24.130.0.0 - 24.130.255.255
    Maintainer: SCRR

    Coordinator:
    ServiceCo LLC (ZS30-ARIN) abuse@rr.com
    1-703-345-3416

    Domain System inverse mapping provided by:
    ====================================

    This next one is a NETBUS Trojan trying to connect to you on the default port.
    I hope you aren't infected, but you may be. While the router stopped the connection, the trojan(s) may be on your computer.
    These two may have been random, but why would they choose you? If you are infected, there is a good chance that the person who gave you the trojan (if that's the case) configured it to alert them when you're online with your IP, port, and password (if used).
    =-=-=-=-=-=-=-=-=-
    -01:47:30 Unrecognized access from 24.91.154.35:2843 to TCP port 1243


    Continental Cablevision (NETBLK-CVSN-CCNE-2BL)
    Pilot House - Lewis Wharf
    Boston, MA 02110
    US

    Netname: CVSN-CCNE-2BL
    Netblock: 24.91.0.0 - 24.91.255.255
    Maintainer: CVSN

    Coordinator:
    ServiceCo LLC (ZS30-ARIN) abuse@rr.com
    1-703-345-3416
    ==============================


    This was a connection attempt to the default SUB7 Trojan port.
    This is the trojan that is most configurable.
    I would watch both these IPs closely. If they continue the connections on the same ports, they are targeting you and trying to gain access to your computer.
    =-=-=-=-=-=-=-=-=-

    -01:10:33 Unrecognized access from 24.131.156.16:3145 to TCP port 27374


    ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-14)
    13241 Woodland Park Road
    Herndon, VA 20171
    US

    Netname: ROAD-RUNNER-14
    Netblock: 24.131.0.0 - 24.131.255.255
    Maintainer: SCRR

    Coordinator:
    ServiceCo LLC (ZS30-ARIN) abuse@rr.com
    1-703-345-3416
    ====================================
    Lots of busy RR kiddies out there.

    I see a lot of Q3 connections there (27960, 27961, etc.). Did you try to host a game?
    Looks like folks were trying to join your server and flagged the logs.

    Hope this helps you understand the logs a little better.

    Peace,
    Simply run adaware, spybot, ZoneAlarm, HijackThis, AVG, update windows daily, have a router, don't open e-mail, turn off action scripting, don't use P2P networks, don't violate EULAs, and wear a condom to get Windows secured.

    People say Linux is a lot of work!
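As an added example (not code from the thread or from any router vendor), a small Python triage script that parses the two line formats in the router log above and labels entries the way the reply above reads them; the port labels and the Quake 3 port set are assumptions taken from that reply, and the log format is inferred from the pasted lines.

```python
import re
from collections import Counter

# Assumed port meanings, taken from the reply above (not an authoritative list).
TROJAN_PORTS = {1243: "remote-access trojan default port", 27374: "SUB7 default port"}
GAME_PORTS = {27960, 27961}  # Quake 3 ports named in the reply

# Two line shapes appear in the pasted log:
#   -HH:MM:SS Unrecognized access from SRC:SPORT to TCP|UDP port DPORT
#   -HH:MM:SS Unexpected access from SRC to DST (prot=N)
LINE_RE = re.compile(
    r"^-?(?P<time>\d\d:\d\d:\d\d) (?P<kind>Unrecognized|Unexpected) access from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? to "
    r"(?:(?P<proto>TCP|UDP) port (?P<dport>\d+)"
    r"|(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) \(prot=(?P<ipproto>\d+)\))$"
)

def parse_line(line):
    """Return a dict for one router log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "ipproto"):
        if d[key] is not None:
            d[key] = int(d[key])
    return d

def classify(entry):
    """Label a parsed entry using the assumed port sets above."""
    if entry["dport"] in TROJAN_PORTS:
        return "trojan-port"
    if entry["dport"] in GAME_PORTS:
        return "game-port"
    if entry["ipproto"] is not None:
        return "ip-protocol"  # the (prot=N) form carries no port at all
    return "other"

def triage(lines):
    """Count entries per label and list (src, proto, dport) seen more than once,
    since repeated hits from one host on one port are what the reply says to watch."""
    labels, pairs = Counter(), Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        labels[classify(e)] += 1
        if e["dport"] is not None:
            pairs[(e["src"], e["proto"], e["dport"])] += 1
    return {"labels": dict(labels), "repeats": {k: n for k, n in pairs.items() if n > 1}}

# Sample lines copied from the log pasted above.
SAMPLE = """\
-05:33:04 Unexpected access from 0.0.0.0 to 64.193.16.5 (prot=11)
-05:05:01 Unrecognized access from 65.8.194.50:27960 to UDP port 27960
-01:47:30 Unrecognized access from 24.91.154.35:2843 to TCP port 1243
-01:47:27 Unrecognized access from 24.91.154.35:2843 to TCP port 1243
-01:10:33 Unrecognized access from 24.131.156.16:3145 to TCP port 27374
-00:52:26 Unrecognized access from 24.130.250.155:4870 to UDP port 7778
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```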

  3. #3
    Regular Member Scum333's Avatar
    Join Date
    Jan 2000
    Location
    Rhode Island
    Posts
    460

    Thanks Funk.

    You helped out a lot. I will take the info you gave me and go from there. Actually, I have quite a few enemies who would love to get their hands on my machines. I just hope that they have not installed a trojan on my machine. I owe you, buddy. If you ever need a favor, just holler.

  4. #4
    Regular Member Scoot's Avatar
    Join Date
    Oct 2000
    Location
    Spokane WA. USA
    Posts
    449

    This site will tell you all about ports:
    It is not a complete list, but does list over 400 ports that are known to be used by various Trojans.
    Then you might want to read:
    Firewall Forensics (What am I seeing?)
    Wish I could help more but I am still learning also.
    Great job Funk!

    [ 02-06-2001: Message edited by: Scoot ]

  5. #5
    Regular Member Scum333's Avatar
    Join Date
    Jan 2000
    Location
    Rhode Island
    Posts
    460

    I will do that. Thanks guys. I'm not a bad person when I say I have a lot of enemies. But I have ticked off a lot of certain people on the net who are rather intelligent. I wouldn't put it past them to try and screw my hardware up.

    Here is what Anti-trojan reported on a port and registry scan:

    Start of search: 2/7/2001 12:33:16 AM
    Port-Scan:
    Port 135 open.
    Port 445 open.
    Port 1026 open.
    Port 6699 open.

    Registry-Scan:
    End of search: 2/7/2001 12:34:16 AM

    Search is terminated.
    Congratulations! No Trojans found in your system.

    [ 02-07-2001: Message edited by: Scum333 ]

  6. #6
    Hey guys, I'm trying to get to the bottom of someone possibly trying to use my info to do various things in my name. So I'm checking my firewall log to see if he is trying to access my computer too. Any help you guys could give would be greatly appreciated. I don't know what I'm looking at, but I was wondering what these things mean:
    OPEN TCP CLOSE TCP
    OPEN UDP CLOSE UDP
    DROP TCP
