
What do the entries in this log mean?

Posted: Mon Feb 05, 2001 11:43 pm
by Scum333
Here is a log my broadband router prints on a daily basis. Do the entries in this log mean someone accessed my system successfully? Or did the router prevent it and is just telling me of the attempt?

Here it is:

-05:33:04 Unexpected access from 0.0.0.0 to 64.193.16.5 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 64.182.227.236 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 64.180.0.141 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 63.93.160.185 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 63.89.97.83 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 63.83.108.251 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 63.65.123.143 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 63.236.85.236 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 63.214.252.76 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 62.254.183.13 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 4.33.96.73 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 38.196.70.224 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.88.152.198 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.71.147.147 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.6.218.253 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.5.62.103 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.5.157.226 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.28.231.173 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.25.124.230 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.24.1.171 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.216.105.109 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.185.203.48 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.178.117.111 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.166.160.221 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.128.169.141 (prot=11)
-05:33:04 Unexpected access from 0.0.0.0 to 24.115.159.231 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 65.33.170.225 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 65.27.152.222 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.81.42.135 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.81.148.137 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.81.114.214 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.58.25.12 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.42.49.70 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.36.22.108 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.32.209.112 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.26.65.133 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.249.122.169 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.23.80.18 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.217.230.155 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.21.68.26 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.193.16.5 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.182.227.236 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 64.180.0.141 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 63.93.160.185 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 63.89.97.83 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 63.83.108.251 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 63.65.123.143 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 63.236.85.236 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 63.214.252.76 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 62.254.183.13 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 4.33.96.73 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 38.196.70.224 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.88.152.198 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.71.147.147 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.6.218.253 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.5.62.103 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.5.157.226 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.28.231.173 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.25.124.230 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.24.1.171 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.216.105.109 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.185.203.48 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.178.117.111 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.166.160.221 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.128.169.141 (prot=11)
-05:33:02 Unexpected access from 0.0.0.0 to 24.115.159.231 (prot=11)
-05:05:01 Unrecognized access from 65.8.194.50:27960 to UDP port 27960
-03:57:48 Unrecognized access from 24.2.204.81:27960 to UDP port 27661
-03:30:19 Unexpected access from 0.0.0.0 to 24.91.0.66 (prot=11)
-03:30:18 Unexpected access from 0.0.0.0 to 24.91.0.66 (prot=11)
-03:30:17 Unexpected access from 0.0.0.0 to 24.128.232.6 (prot=11)
-03:30:16 Unexpected access from 0.0.0.0 to 24.128.1.80 (prot=11)
-03:30:13 Unexpected access from 0.0.0.0 to 24.91.0.66 (prot=11)
-03:30:13 Unexpected access from 0.0.0.0 to 24.128.232.6 (prot=11)
-03:30:13 Unexpected access from 0.0.0.0 to 24.128.1.80 (prot=11)
-02:51:17 Unrecognized access from 138.9.193.104:1103 to UDP port 27961
-02:21:04 Unrecognized access from 63.112.198.132:3528 to UDP port 27960
-02:14:40 Unrecognized access from 203.45.190.46:27960 to UDP port 27961
-02:03:58 Unrecognized access from 207.192.131.60:27960 to UDP port 27661
-02:02:02 Unrecognized access from 64.34.88.65:1025 to UDP port 27961
-01:55:05 Unrecognized access from 207.192.131.60:27960 to UDP port 27661
-01:47:30 Unrecognized access from 24.91.154.35:2843 to TCP port 1243
-01:47:27 Unrecognized access from 24.91.154.35:2843 to TCP port 1243
-01:32:12 Unrecognized access from 63.206.232.180:1243 to UDP port 27961
-01:27:51 Unrecognized access from 61.43.241.79:27960 to UDP port 27960
-01:10:33 Unrecognized access from 24.131.156.16:3145 to TCP port 27374
-00:52:26 Unrecognized access from 24.130.250.155:4870 to UDP port 7778
-00:49:08 Unrecognized access from 63.50.164.110:27960 to UDP port 27661
-00:29:33 Unrecognized access from 63.228.193.170:13329 to UDP port 27960

Posted: Tue Feb 06, 2001 12:52 am
by FunK
Well, I see a few entries that would definitely raise an eyebrow if they were my logs.
Look toward the bottom of the list.


This one looks suspicious, but I don't know what the ports are for. I have added the contact info for the IPs if you feel like sending an e-mail to the abuse folks.
I wouldn't send one on this first probe, but the other two are trojan ports.
====================================
24.130.250.155:4870 to UDP port 7778

ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-13)
13241 Woodland Park Road
Herndon, VA 20171
US

Netname: ROAD-RUNNER-13
Netblock: 24.130.0.0 - 24.130.255.255
Maintainer: SCRR

Coordinator:
ServiceCo LLC (ZS30-ARIN) abuse@rr.com
1-703-345-3416

Domain System inverse mapping provided by:
====================================

This next one is a NETBUS trojan trying to connect to you on the default port.
I hope you aren't infected, but you may be. While the router stopped the connection, the trojan(s) may be on your computer.
These two may have been random, but why would they choose you? If you are infected, there is a good chance that the person who gave you the trojan (if that's the case) configured it to alert them when you're online with your IP, port, and password (if used).
=-=-=-=-=-=-=-=-=-
-01:47:30 Unrecognized access from 24.91.154.35:2843 to TCP port 1243


Continental Cablevision (NETBLK-CVSN-CCNE-2BL)
Pilot House - Lewis Wharf
Boston, MA 02110
US

Netname: CVSN-CCNE-2BL
Netblock: 24.91.0.0 - 24.91.255.255
Maintainer: CVSN

Coordinator:
ServiceCo LLC (ZS30-ARIN) abuse@rr.com
1-703-345-3416
==============================


This was a connection attempt to the default SUB7 Trojan port.
This is the trojan that is most configurable.
I would watch both these IPs closely. If they continue the connections on the same ports, they are targeting you and trying to gain access to your computer.
=-=-=-=-=-=-=-=-=-

-01:10:33 Unrecognized access from 24.131.156.16:3145 to TCP port 27374


ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-14)
13241 Woodland Park Road
Herndon, VA 20171
US

Netname: ROAD-RUNNER-14
Netblock: 24.131.0.0 - 24.131.255.255
Maintainer: SCRR

Coordinator:
ServiceCo LLC (ZS30-ARIN) abuse@rr.com
1-703-345-3416
====================================
Lots of busy RR kiddies out there.

I see a lot of Q3 connections there (27960, 27961, etc.). Did you try to host a game?
Looks like folks were trying to join your server and flagged the logs.

Hope this helps you understand the logs a little better.

Peace,
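
The checks FunK walks through above (which destination ports the "Unrecognized access" lines hit, whether a port is a trojan default, and whether one source keeps coming back on the same port) can be run over the whole log instead of by eye. The following is an added example written for this thread, not code from the original posts or from any router vendor. The two line formats and the port labels (NetBus 1243, SubSeven 27374, Quake 3 on 27960/27961) are taken from the thread; the sample lines are copied from the log posted above plus one constructed junk line; the meaning of `prot=11` is left uninterpreted because the thread does not say how the router encodes it.

```python
import re
from collections import Counter, defaultdict

# Port labels as discussed in the thread (NetBus 1243, SubSeven 27374,
# Quake 3 game traffic on 27960/27961). Any other port is reported as "unlabelled".
PORT_LABELS = {
    ("TCP", 1243): "NetBus default port",
    ("TCP", 27374): "SubSeven default port",
    ("UDP", 27960): "Quake 3 game traffic",
    ("UDP", 27961): "Quake 3 game traffic",
}
TROJAN_DEFAULT_PORTS = {("TCP", 1243), ("TCP", 27374)}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "-01:47:30 Unrecognized access from 24.91.154.35:2843 to TCP port 1243"
UNRECOGNIZED = re.compile(
    rf"^-(?P<time>\d\d:\d\d:\d\d) Unrecognized access from "
    rf"(?P<src>{IP}):(?P<sport>\d+) to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)
# "-03:30:19 Unexpected access from 0.0.0.0 to 24.91.0.66 (prot=11)"
UNEXPECTED = re.compile(
    rf"^-(?P<time>\d\d:\d\d:\d\d) Unexpected access from "
    rf"(?P<src>{IP}) to (?P<dst>{IP}) \(prot=(?P<prot>[0-9A-Fa-f]+)\)$"
)


def parse_line(line):
    """Return a dict describing one router log line, or None if the line
    is not in either of the two formats seen in the thread."""
    line = line.strip()
    m = UNRECOGNIZED.match(line)
    if m:
        return {"kind": "unrecognized", "time": m["time"], "src": m["src"],
                "sport": int(m["sport"]), "proto": m["proto"],
                "dport": int(m["dport"])}
    m = UNEXPECTED.match(line)
    if m:
        # prot is kept as the raw string: the thread never says how the
        # router encodes it, so no protocol name is guessed here.
        return {"kind": "unexpected", "time": m["time"], "src": m["src"],
                "dst": m["dst"], "prot": m["prot"]}
    return None


def summarize(lines):
    """Count blocked connection attempts per destination port and flag
    sources that hit a trojan default port or repeat on the same port."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    by_port = Counter()
    hits = defaultdict(list)   # (src, proto, dport) -> list of times
    unexpected = 0
    for e in events:
        if e["kind"] == "unexpected":
            unexpected += 1
            continue
        by_port[(e["proto"], e["dport"])] += 1
        hits[(e["src"], e["proto"], e["dport"])].append(e["time"])

    flagged = []
    for (src, proto, dport), times in sorted(hits.items()):
        is_trojan_port = (proto, dport) in TROJAN_DEFAULT_PORTS
        repeated = len(times) > 1
        if is_trojan_port or repeated:
            flagged.append({
                "src": src, "proto": proto, "dport": dport,
                "label": PORT_LABELS.get((proto, dport), "unlabelled"),
                "count": len(times),
                "reason": "trojan default port" if is_trojan_port else "repeated on same port",
            })
    return {"parsed": len(events), "unexpected": unexpected,
            "by_port": dict(by_port), "flagged": flagged}


# Sample input: six lines copied from the log posted above plus one
# constructed junk line to show that unparseable input is skipped.
SAMPLE_LOG = [
    "-05:05:01 Unrecognized access from 65.8.194.50:27960 to UDP port 27960",
    "-03:30:19 Unexpected access from 0.0.0.0 to 24.91.0.66 (prot=11)",
    "-01:47:30 Unrecognized access from 24.91.154.35:2843 to TCP port 1243",
    "-01:47:27 Unrecognized access from 24.91.154.35:2843 to TCP port 1243",
    "-01:10:33 Unrecognized access from 24.131.156.16:3145 to TCP port 27374",
    "-00:52:26 Unrecognized access from 24.130.250.155:4870 to UDP port 7778",
    "not a router log line (constructed)",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['parsed']} lines parsed, {report['unexpected']} 'Unexpected access' entries")
    for (proto, port), n in sorted(report["by_port"].items()):
        print(f"  {proto} port {port}: {n} blocked attempt(s), {PORT_LABELS.get((proto, port), 'unlabelled')}")
    for f in report["flagged"]:
        print(f"  FLAG {f['src']} -> {f['proto']}/{f['dport']} x{f['count']}: {f['reason']} ({f['label']})")
```

Every line in this log is something the router refused, so the script counts blocked attempts rather than successful ones; the flagging rule mirrors FunK's advice: a trojan default port is worth a look on the first hit, and any source that returns to the same port is worth watching regardless of the port.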

Posted: Tue Feb 06, 2001 8:39 pm
by Scum333
Thanks, Funk.

You helped out a lot. I will take the info you gave me and go from there. Actually, I have quite a few enemies who would love to get their hands on my machines. I just hope that they have not installed a trojan on my machine. I owe you, buddy. If you ever need a favor, just holler.

Posted: Tue Feb 06, 2001 8:46 pm
by Scoot
This site will tell you all about ports:
It is not a complete list, but does list over 400 ports that are known to be used by various Trojans.
Then you might want to read:
Firewall Forensics (What am I seeing?)
Wish I could help more but I am still learning also.
Great job Funk!

[ 02-06-2001: Message edited by: Scoot ]

Posted: Wed Feb 07, 2001 12:30 am
by Scum333
I will do that. Thanks, guys. I'm not a bad person when I say I have a lot of enemies. But I have ticked off a lot of certain people on the net who are rather intelligent. I wouldn't put it past them to try and screw my hardware up.

Here is what Anti-trojan reported on a port and registry scan:

Start of search: 2/7/2001 12:33:16 AM
Port-Scan:
Port 135 open.
Port 445 open.
Port 1026 open.
Port 6699 open.

Registry-Scan:
End of search: 2/7/2001 12:34:16 AM

Search is terminated.
Congratulations! No Trojans found in your system.

[ 02-07-2001: Message edited by: Scum333 ]

Posted: Wed Mar 04, 2009 6:37 pm
by liverpoolfan
Hey guys, I'm trying to get to the bottom of someone possibly trying to use my info to do various things in my name. So I'm checking my firewall log to see if he is trying to access my computer too. Any help you guys could give would be greatly appreciated. I don't know what I'm looking at, but I was wondering what these things mean:
OPEN TCP CLOSE TCP
OPEN UDP CLOSE UDP
DROP TCP