Review of my home broadband router logs (suspicious activity?)

Does this activity found accidentally in my home broadband
wireless router logs seem suspicious to you?

Here is a screenshot of the suspicious log entries:
https://i.imgur.com/iZm1CCq.jpg

When "I" log into my router, I see a line like this:
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15

But, I see the following (suspicious?) activity in my log file:
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31

I don't know what this really means: "LAN access from remote".

Looking at the router wired & wireless list of devices, 192.168.1.5
seems to not be attached at the moment.  

But, looking back, I can determine (from the MAC address) that it's  
my child's Sony Playstation (which has "UPNP events" whatever they are):
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015 16:17:47
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
*****************************************************************
Can you advise me whether I should be worried that there are many
LAN accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************
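A small parser for the log format quoted in this post, added here as an example (not code from the thread): it reads the router's "[LAN access from remote]", "[UPnP set event]", "[DHCP IP]", "[Admin login]" and "[DoS attack]" lines and checks each remote hit against the UPnP forwarding table the poster lists further down the thread, so that a hit on a LAN host:port with no forwarding entry stands out. The sample lines are constructed from entries quoted in the thread; the exact layout of other message types the router may emit is an assumption.

```python
"""Parse Netgear-style router log lines and correlate remote hits with the UPnP port map."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, built from lines quoted in this thread (same format, same addresses).
SAMPLE_LOG = """\
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
[DoS attack: Smurf] attack packets in last 20 sec from ip [114.254.105.255], Sunday, Dec 20,2015 04:02:28
"""

# The UPnP forwarding table the poster found on the router: (protocol, external port) -> LAN host.
UPNP_MAP = {
    ("UDP", 9000): "192.168.1.5",
    ("UDP", 2550): "192.168.1.12",
    ("TCP", 2550): "192.168.1.12",
    ("UDP", 64941): "192.168.1.15",
}

# "[kind] body, Weekday, Mon DD,YYYY HH:MM:SS" (layout assumed from the quoted lines)
ENTRY_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s*(?P<body>.*?),\s*\w+day,\s*"
    r"(?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)
REMOTE_RE = re.compile(r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)")
SOURCE_RE = re.compile(r"from source (?P<src>[\d.]+)")


def parse_log(text):
    """Return one dict per parseable line: kind, time, and whatever addresses the body carries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # unknown layout: skip rather than crash on a message type we have not seen
        e = {"kind": m["kind"], "time": datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")}
        r = REMOTE_RE.search(m["body"]) or SOURCE_RE.search(m["body"])
        if r:
            e.update({k: (int(v) if k.endswith("port") else v) for k, v in r.groupdict().items()})
        entries.append(e)
    return entries


def remote_access_summary(entries, upnp_map):
    """Group remote hits by LAN target and note whether a forwarding entry explains them."""
    summary = defaultdict(lambda: {"sources": set(), "first": None, "last": None, "upnp": False})
    for e in entries:
        if e["kind"] != "LAN access from remote":
            continue
        s = summary[(e["dst"], e["dport"])]
        s["sources"].add(e["src"])
        s["first"] = e["time"] if s["first"] is None else min(s["first"], e["time"])
        s["last"] = e["time"] if s["last"] is None else max(s["last"], e["time"])
        # The log does not show the protocol, so a TCP or UDP mapping for that port counts.
        s["upnp"] = any(upnp_map.get((p, e["dport"])) == e["dst"] for p in ("TCP", "UDP"))
    return dict(summary)


def unexplained_targets(summary):
    """LAN host:port pairs hit from the Internet with no forwarding entry: look at these first."""
    return sorted(k for k, v in summary.items() if not v["upnp"])


if __name__ == "__main__":
    s = remote_access_summary(parse_log(SAMPLE_LOG), UPNP_MAP)
    for (host, port), v in sorted(s.items()):
        print(f"{host}:{port} <- {len(v['sources'])} distinct sources, "
              f"{v['first']:%b %d %H:%M:%S}..{v['last']:%b %d %H:%M:%S}, "
              f"explained by UPnP mapping: {v['upnp']}")
    print("unexplained targets:", unexplained_targets(s))
```

With the poster's table loaded, the port 9000 hits are accounted for by the PlayStation's own UPnP mapping; the same script run with an empty table shows what an unexplained target looks like.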

Re: Review of my home broadband router logs (suspicious activity?)
On Tue, 22 Dec 2015 22:53:30 -0500, Paul M. Cook wrote:


The IP addresses seem to belong to the following (from a whois):
--------------------------------------------------
inetnum:        93.38.176.0 - 93.38.183.255
netname:        FASTWEB-DPPU
descr:          Infrastructure for Fastwebs main location
descr:          NAT POOL 7 for residential customer POP 4106,
country:        IT
--------------------------------------------------
inetnum:     177.204/14
aut-num:     AS18881
abuse-c:     GOI
owner:       Global Village Telecom
country:     BR
--------------------------------------------------
inetnum:        101.160.0.0 - 101.191.255.255
netname:        TELSTRAINTERNET50-AU
descr:          Telstra
descr:          Level 12, 242 Exhibition St
descr:          Melbourne
descr:          VIC  3000
country:        AU
--------------------------------------------------
inetnum:     181.164/14
status:      allocated
aut-num:     N/A
owner:       CABLEVISION S.A.
ownerid:     AR-CASA10-LACNIC
responsible: Esteban Poggio
address:     Aguero, 3440,  
address:     1605 - Munro - BA
country:     AR
--------------------------------------------------
inetnum:        2.133.64.0 - 2.133.71.255
netname:        TALDYKMETRO
descr:          JSC Kazakhtelecom, Taldykorgan
descr:          Metro Ethernet Network
country:        KZ
--------------------------------------------------
inetnum:     186.204/14
aut-num:     AS28573
abuse-c:     GRSVI
owner:       CLARO S.A.
ownerid:     040.432.544/0835-06
responsible: CLARO S.A.
country:     BR
--------------------------------------------------
inetnum:     148.246/16
status:      allocated
aut-num:     N/A
owner:       Mexico Red de Telecomunicaciones, S. de R.L. de C.V.
ownerid:     MX-MRTS1-LACNIC

address:     Bosque de Duraznos, 55, PB, Bosques de las Lomas
address:     11700 - Miguel Hidalgo - DF
country:     MX
--------------------------------------------------
inetnum:        195.67.224.0 - 195.67.255.255
netname:        TELIANET
descr:          TeliaSonera AB Networks
descr:          ISP
country:        SE
--------------------------------------------------
inetnum:        1.72.0.0 - 1.79.255.255
netname:        NTTDoCoMo
descr:          NTT DOCOMO,INC.
descr:          Sannno Park Tower Bldg.11-1 Nagatacho 2-chome
descr:          hiyoda-ku,Tokyo Japan
country:        JP
--------------------------------------------------
inetnum:        1.72.0.0 - 1.79.255.255
netname:        MAPS
descr:          NTT DoCoMo, Inc.
country:        JP
--------------------------------------------------
inetnum:        178.116.0.0 - 178.116.255.255
netname:        TELENET
descr:          Telenet N.V. Residentials
remarks:        INFRA-AW
country:        BE
--------------------------------------------------
inetnum:        82.237.140.0 - 82.237.143.255
netname:        FR-PROXAD-ADSL
descr:          Proxad / Free SAS
descr:          Static pool (Freebox)
descr:          deu95-3 (mours)
descr:          NCC#2005090519
country:        FR
--------------------------------------------------
NetRange:       107.192.0.0 - 107.223.255.255
NetName:        SIS-80-4-2012
NetHandle:      NET-107-192-0-0-1
Parent:         NET107 (NET-107-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS7132
Organization:   AT&T Internet Services (SIS-80)
City:           Richardson
StateProv:      TX
--------------------------------------------------
NetRange:       216.98.48.0 - 216.98.63.255
CIDR:           216.98.48.0/20
NetName:        UBICOM
NetHandle:      NET-216-98-48-0-1
Parent:         NET216 (NET-216-0-0-0-0)
NetType:        Direct Assignment
OriginAS:        
Organization:   Ubisoft Entertainment (UBISOF-2)
--------------------------------------------------


Re: Review of my home broadband router logs (suspicious activity?)


I'm not a gamer, never even seen a Playstation, let alone used or
configured one.  

But, don't many of the games have multi-user, across the Internet, modes
of play?  

If you're concerned, and if your router has the capability, you could
block inbound UPnP traffic from outside your home LAN.  

Why is alt.os.linux included in this discussion?

--  
bert@iphouse.com    St. Paul, MN

Re: Review of my home broadband router logs (suspicious activity?)
On Wed, 23 Dec 2015 15:14:46 +0000, Bert wrote:


They know more about security than anyone, and, the machine
that could be connected is Linux (as is a Windows, iOS, and
Android - but Linux people are often smarter than the others).

Besides, there is no router group that I can find.


Re: Review of my home broadband router logs (suspicious activity?)
wrote:


Perhaps you might explain why you also posted the same question to:
alt.home.repair and sci.electronics.repair?


--  
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: Review of my home broadband router logs (suspicious activity?)
On Wed, 23 Dec 2015 10:11:56 -0800, Jeff Liebermann wrote:


The news server doesn't allow certain newsgroups to be xposted.


Re: Review of my home broadband router logs (suspicious activity?)
wrote:


That's something new.  Usually the usenet news server software limits
the number of newsgroups that can be crossposted.  Anything posted to
over about 5 groups is usually considered spam.  Unless someone has
rewritten INN (again), I don't know of any way to limit cross posting
by specific newsgroups.  

This may also explain why you're being restricted:
<http://blueworldhosting.com>
   "I am recovering from a major server failure. Please  
   contact me at jesse.rehmer@gmail.com until things are  
   back online."

Good luck.

--  
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: Review of my home broadband router logs (suspicious activity?)



http://www.gnucitizen.org/blog/hacking-the-interwebs/

The upnp "feature" is broken by design. It should be turned off
in all routers.

Regards, Dave Hodgins

--  
Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
email replies.

Re: Review of my home broadband router logs (suspicious activity?)
On Wed, 23 Dec 2015 11:38:12 -0500, David W. Hodgins wrote:


I have always been very confused by UPNP.

If it's not useful, then why do all routers default to having it on?

Does anything *need* it?

Specifically does a playstation or Ooma or Skype or whatever need upnp?


Re: Review of my home broadband router logs (suspicious activity?)


It would be useful if it didn't open up security holes.


It makes things easier, as otherwise you have to learn how to manually
open needed ports, and configure security within the router and the lan.
It's enabled as a marketing feature. The designers of upnp either
didn't understand the security implications, or didn't care, and it
became a standard feature of most routers, with consumers expecting
it.

There are multiple ways upnp opens up security attacks. Some only affect
certain routers, while others affect any router that has upnp enabled.

For some of the attacks, run a search on "upnp soap attack", without
the quotes.

The basic concept of most of the attacks is going to a web site
that's been hacked, or is intentionally sending html code to your
browser, causing the browser to send a soap attack back to the
router (without any intervention by you), so it's being attacked from
inside the lan, as far as the router can tell. Both the router and
the browser are working as designed, but the concept is bad. Changing
the router admin password will block some of the attacks, but not all
of them.

Regards, Dave Hodgins

--  
Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
email replies.

Re: Review of my home broadband router logs (suspicious activity?)
On Wed, 23 Dec 2015 18:52:54 -0500, David W. Hodgins wrote:


I googled this UPNP thing and I found out that it's absolutely evil.

Apparently "corporate" routers have it turned off, by default; but
home broadband routers have it turned on by default. Go figure.

Anyway, I couldn't understand UPNP until I looked up port forwarding.

Correct me if I'm wrong, but, let's say your external IP address is  
1.2.3.4 but that you have a Playstation on 192.168.1.2 behind your
router. And say that you want port 12345 on your playstation to  
"do something" (I'm not sure what).

From what I can gather, port forwarding is the act of you purposefully
going into your router and setting the router up so that if anyone on  
the Internet goes to your IP address (1.2.3.4) and that port (12345),  
I guess by typing "1.2.3.4:12345", then your router will connect  
that person on the Internet to your playstation at 192.168.1.2:12345
as far as I can tell (even if you have a dozen other machines on your
local LAN).

That is, port forwarding seems to be the act of opening up a specific
*hole* in your router firewall to a specific machine inside your
local network.

The port forwarding action somehow allows someone from the Internet  
to specify a certain machine and port on your local LAN simply by
specifying your external IP address and a particular port:
 1.2.3.4:12345 ---> is forwarded to ---> 192.168.1.2:12345

If that's correct, then UPNP is merely the act of doing all that
totally automatically (as far as I can tell).

I'm not sure *how* that's done, but, that's what I understood from
reading about port forwarding and UPNP.  

So, I just turned *off* UPNP on my router.

I have no idea what that will do to whatever was being port forwarded
before, which is this list below:

Active  Protocol  Int. Port  Ext. Port  IP Address
YES     UDP       9000       9000       192.168.1.5  (Sony Playstation)
YES     UDP       2550       2550       192.168.1.12 (Android cellphone)
YES     TCP       2550       2550       192.168.1.12 (Android cellphone)
YES     UDP       64941      64941      192.168.1.15 (Windows PC)

Did I get the description of Port Forwarding & UPNP correct yet?


Re: Review of my home broadband router logs (suspicious activity?)

Well, no. If it is restricted to your home network, then it allows your
computer to find the network printer without you having to go through a
bunch of setup (or for your computer to find your refrigerator, so when
it needs a snack it can get one without it having to be explicitly set
up). If it automatically opens ports to the outside world, that is a bit
dangerous.



More likely it would go, for example, to 1.2.3.4:25 (the standard email port), and it
would be forwarded to 192.168.1.2:25, or similarly for ssh.


Usually only specific ports.  


Re: Review of my home broadband router logs (suspicious activity?)


If you mean ensuring that router does not have access to the internet,
that would work, keeping in mind the computer would have to use a
second nic and router, for its internet access, with upnp disabled,
assuming internet access is wanted for it.

Regards, Dave Hodgins

--  
Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
email replies.

Re: Review of my home broadband router logs (suspicious activity?)


That's "zeroconf" or "avahi"  


"upnp" is about messing with the router.  it's used by peer-to-peer
services including "windows update" and (historically) "skype", to  
turn your pc into a server.

--  
  \_(?)_

Re: Review of my home broadband router logs (suspicious activity?)


Yes. It is useful to open a port and forward it to a specific computer
within the lan, for example to allow skype to receive incoming calls.
That should be decided and manually configured by the system admin.

The main problem with upnp is that, while it makes it easier for
people who don't understand how a router works to get things like
skype working, it opens the hole where a malicious website can get
a browser to send the request to the router, to open whatever port
the malicious site wants. For example, ftp. People within a lan may
want to have an ftp server running, with no password required, as
it's only intended to be used by people within the lan. By having
upnp turned on, the malicious site would be able to get access.
There are a lot of other ports that should not be opened to the
general internet, without proper security configurations.

If you have one computer running ftp, sure go ahead and open port
22, and forward it to the appropriate computer, if that's what
you want to do. With upnp, you no longer have complete control
of what's open.

Regards, Dave Hodgins

--  
Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
email replies.

Re: Review of my home broadband router logs (suspicious activity?)
On Tuesday, December 22nd, 2015, at 22:53:30h -0500, Paul M. Cook reported:


Is your child playing any of the following games with other players
out on the Internet?

   From <http://www.speedguide.NET/port.php?port=9000>

QUOTE

        Games that use this port:
        Port 9000 is used by the EverQuest World server.
        Dungeons & Dragons Online uses ports 9000-9010 (TCP/UDP)
        Lord of the Rings Online uses ports 9000-9010

UNQUOTE


Only if your child is NOT authorized (preferably in writing) to not
play games in Internet mode.

Do you really want your child to be potentially radicalized by
foreigners in foreign countries who have not been vetted by dedicated
patriots?

--  

   "dedicated patriots working around the clock all around
    the country to protect us all."  
    -- President Obama on Thursday, December 17th, 2015

Re: Review of my home broadband router logs (suspicious activity?)
On Wed, 23 Dec 2015 16:53:20 +0000, J G Miller wrote:


Not those, but one of the "attackers" was "Ubisoft Entertainment"
which does make the "Assassin's Creed" game he plays a lot.

I told him to play games (which he's doing now, without much more
prompting from me) where I just noticed an older "Smurf" attack:
  https://i.imgur.com/0WHiS9A.jpg
Which shows up as this error:
  [DoS attack: Smurf] attack packets in last 20 sec from ip [114.254.105.255], Sunday, Dec 20,2015 04:02:28

But, I don't see any more of those original attacks into port  
9000. But I'll keep watching the log.


Re: Review of my home broadband router logs (suspicious activity?)
On Wednesday, December 23rd, 2015, at 12:33:13h -0500,
Paul M. Cook wrote:


Well if you looked further down the page at the link I provided,
you would have seen quite a few more games, although I do not
see "Assassin's Creed".

You will also see on that page that there are quite a few
exploits/trojans being used for this port.

If the port needs to be opened for this game and for Internet
playing, it would be wise to ensure that your router only forwards
traffic on this port to the IP address assigned to the Playstation.

If somebody has come up with a crack to gain access via 9000 to the
Playstation then you will need to update to the latest firmware with
a fix for the crack.

Having uPnP enabled on your router is rather dangerous unless you
have secured all the hosts, which includes devices, not just computers,
eg your ethernet connected refrigerator, your WiFi connected coffee
machine, on your LAN.

Crackers have easily been able, thanks to lax security by people
who just buy and connect these things, to monitor conversations
and/or view household rooms, by accessing baby-monitoring-web-cams.

The first rule of Internet security is deny access to all, and only
open up specific ports as necessary, preferably (but not always
possible) limited to specific incoming IP ranges, and always forwarded
towards specific single local host IPs.

Re: Review of my home broadband router logs (suspicious activity?)
On Wed, 23 Dec 2015 18:39:50 +0000, J G Miller wrote:


I looked at my router UPNP settings, and it looks like there are a few
ports that are reporting something. But what are they reporting here?
    https://i.imgur.com/YDR7kWO.jpg

Active  Protocol  Int. Port  Ext. Port  IP Address
YES     UDP       9000       9000       192.168.1.5
YES     UDP       2550       2550       192.168.1.12
YES     TCP       2550       2550       192.168.1.12
YES     UDP       64941      64941      192.168.1.15

192.168.1.5 is the Sony Playstation.
192.168.1.12 is an Android cellphone  
192.168.1.15 is a Windows PC

What is this UPNP report page actually trying to tell me?
If I turn off UPNP from the router, what bad things happen?


Re: Review of my home broadband router logs (suspicious activity?)
On Wednesday, December 23rd, 2015, at 15:24:47h -0500,
Paul M. Cook wrote:


It is telling you that uPnP is active on your router and that
your router has used the uPnP method of automatically connecting
your playstation port 9000 (just UDP) to the router's incoming/outgoing
port 9000, and similarly for your Android cellphone for
2550 (both TCP and UDP), and your PC for 64941 (just UDP).

Port 2550 may be related to Active Directory Authentication.


Without manually setting up the appropriate port forwarding, the
services which use these ports may have problems talking to
whoever on the Internet.

The usual way port opening on a router is set up, is that if a local
host, on the LAN side of the router, initiates a connection to an
external site on a particular port, then that port stays open in order
to get the remote response.

If a remote site, on the WAN side of the router, initiates a connection
on a port which the router has not opened due to a host trying
to talk outbound, then that port stays closed and the incoming
message is not received.

The two most important things with respect to your router are these:

(1) Always set a strong password for Admin and unless it is absolutely
    needed, turn off external administrative access, which has been
    the most common way that routers have been compromised.

(2) Regularly check that you have the latest firmware installed to
    ensure that bugs and security holes (which the manufacturer of
    the router cares to do something about) get fixed.

With regard to enabling uPnP, have a read of this article to see
why uPnP enabled is risky, and check to see if your router is affected
(certain Netgear models did have a real vulnerability in the past).

<https://threatpost.COM/upnp-trouble-puts-devices-behind-firewall-at-risk/114493/>

Also take a look at

<http://www.tomsguide.com/us/home-router-security,news-19245.html>

And if you want to run an external test, you can use the GRC uPnP test at

<https://www.grc.com/su/upnp-rejected.htm>

Be sure to click on the red "do real test" though.
