Review of my home broadband router logs (suspicious activity?)

Does this activity found accidentally in my home broadband wireless router logs seem suspicious to you?

Here is a screenshot of the suspicious log entries:


When "I" log into my router, I see a line like this:

  [Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15

But, I see the following (suspicious?) activity in my log file:

  [LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
  [LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
  [LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
  [LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
  [LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
  [LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
  [LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
  [LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
  [LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
  [LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
  [LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
  [LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
  [LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31

I don't know what this really means: "LAN access from remote".

Looking at the router wired & wireless list of devices, 192.168.1.5 seems to not be attached at the moment.

But, looking back, I can determine (from the MAC address) that it's my child's Sony Playstation (which has "UPNP events" whatever they are):

  [UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
  [DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
  [DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015 16:17:47
  [UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15

*****************************************************************
Can you advise me whether I should be worried that there are many LAN accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************
Reply to
Paul M. Cook
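The question above is easier to answer once the log is parsed rather than eyeballed: how many distinct remote sources reached which inside host and port, and over what span. The script below is an added example (not from the original post or the router vendor); it embeds the entries quoted above as its sample input, groups the "LAN access from remote" lines by inside destination, and also checks the "Admin login" lines for a source outside the LAN, which is the case the thread later singles out as the usual way routers get compromised. The log format, thresholds and the LAN range 192.168.1.0/24 are assumptions taken from the post.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the entries quoted in the post above (same router log format),
# embedded here so the script runs offline.
SAMPLE_LOG = """\
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
"""

# Assumed line shape: "[event] detail, Weekday, Mon DD,YYYY HH:MM:SS"
ENTRY_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\]\s+(?P<detail>.*?),\s+"
    r"(?P<ts>[A-Z][a-z]+, [A-Z][a-z]{2} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)
REMOTE_RE = re.compile(r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)")
ADMIN_RE = re.compile(r"from source (?P<src>[\d.]+)")


def parse_entry(line):
    """Parse one log line into a dict, or return None for a line in another format."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {
        "event": m["event"],
        "detail": m["detail"],
        "time": datetime.strptime(m["ts"], "%A, %b %d,%Y %H:%M:%S"),
    }
    r = REMOTE_RE.search(m["detail"])
    if r:
        entry.update(src=r["src"], sport=int(r["sport"]),
                     dst=r["dst"], dport=int(r["dport"]))
    a = ADMIN_RE.search(m["detail"])
    if a:
        entry["src"] = a["src"]
    return entry


def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]


def summarize_remote_access(entries):
    """Group 'LAN access from remote' hits by the inside (ip, port) they reached."""
    groups = defaultdict(list)
    for e in entries:
        if e["event"] == "LAN access from remote":
            groups[(e["dst"], e["dport"])].append(e)
    summary = {}
    for key, hits in groups.items():
        times = sorted(h["time"] for h in hits)
        summary[key] = {
            "hits": len(hits),
            "distinct_sources": len({h["src"] for h in hits}),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return summary


def busy_targets(summary, min_sources=5, max_span_seconds=900):
    """Inside host:port reached by many unrelated sources within a short span.
    That pattern means the port is reachable from the whole Internet, whether
    the visitors are game peers or a scan; the thresholds are arbitrary."""
    return sorted(k for k, s in summary.items()
                  if s["distinct_sources"] >= min_sources
                  and s["span_seconds"] <= max_span_seconds)


def admin_logins_from_outside(entries, lan="192.168.1.0/24"):
    """Admin logins whose source is not on the LAN: the case worth acting on."""
    lan_net = ipaddress.ip_network(lan)
    return [e for e in entries if e["event"] == "Admin login"
            and ipaddress.ip_address(e["src"]) not in lan_net]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for key, s in summarize_remote_access(log).items():
        print(key, s)
    print("busy:", busy_targets(summarize_remote_access(log)))
    print("outside admin logins:", admin_logins_from_outside(log))
```

On the quoted entries this reports one inside target, 192.168.1.5:9000, reached by 13 different sources in 610 seconds, and no admin login from outside the LAN. Thirteen unrelated addresses in ten minutes all landing on the same port is what an Internet-reachable port looks like; what it does not tell you is whether the port was opened on purpose, which is the question the rest of the thread turns on.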

The IP addresses seem to belong to the following (from a whois):

--------------------------------------------------
inetnum:     93.38.176.0 - 93.38.183.255
netname:     FASTWEB-DPPU
descr:       Infrastructure for Fastwebs main location
descr:       NAT POOL 7 for residential customer POP 4106,
country:     IT

--------------------------------------------------
inetnum:     177.204/14
aut-num:     AS18881
abuse-c:     GOI
owner:       Global Village Telecom
country:     BR

--------------------------------------------------
inetnum:     101.160.0.0 - 101.191.255.255
netname:     TELSTRAINTERNET50-AU
descr:       Telstra
descr:       Level 12, 242 Exhibition St
descr:       Melbourne
descr:       VIC 3000
country:     AU

--------------------------------------------------
inetnum:     181.164/14
status:      allocated
aut-num:     N/A
owner:       CABLEVISION S.A.
ownerid:     AR-CASA10-LACNIC
responsible: Esteban Poggio
address:     Aguero, 3440,
address:     1605 - Munro - BA
country:     AR

--------------------------------------------------
inetnum:     2.133.64.0 - 2.133.71.255
netname:     TALDYKMETRO
descr:       JSC Kazakhtelecom, Taldykorgan
descr:       Metro Ethernet Network
country:     KZ

--------------------------------------------------
inetnum:     186.204/14
aut-num:     AS28573
abuse-c:     GRSVI
owner:       CLARO S.A.
ownerid:     040.432.544/0835-06
responsible: CLARO S.A.
country:     BR

--------------------------------------------------
inetnum:     148.246/16
status:      allocated
aut-num:     N/A
owner:       Mexico Red de Telecomunicaciones, S. de R.L. de C.V.
ownerid:     MX-MRTS1-LACNIC
address:     Bosque de Duraznos, 55, PB, Bosques de las Lomas
address:     11700 - Miguel Hidalgo - DF
country:     MX

--------------------------------------------------
inetnum:     195.67.224.0 - 195.67.255.255
netname:     TELIANET
descr:       TeliaSonera AB Networks
descr:       ISP
country:     SE

--------------------------------------------------
inetnum:     1.72.0.0 - 1.79.255.255
netname:     NTTDoCoMo
descr:       NTT DOCOMO,INC.
descr:       Sannno Park Tower Bldg.11-1 Nagatacho 2-chome
descr:       hiyoda-ku,Tokyo Japan
country:     JP

--------------------------------------------------
inetnum:     1.72.0.0 - 1.79.255.255
netname:     MAPS
descr:       NTT DoCoMo, Inc.
country:     JP

--------------------------------------------------
inetnum:     178.116.0.0 - 178.116.255.255
netname:     TELENET
descr:       Telenet N.V. Residentials
remarks:     INFRA-AW
country:     BE

--------------------------------------------------
inetnum:     82.237.140.0 - 82.237.143.255
netname:     FR-PROXAD-ADSL
descr:       Proxad / Free SAS
descr:       Static pool (Freebox)
descr:       deu95-3 (mours)
descr:       NCC#2005090519
country:     FR

--------------------------------------------------
NetRange:    107.192.0.0 - 107.223.255.255
NetName:     SIS-80-4-2012
NetHandle:   NET-107-192-0-0-1
Parent:      NET107 (NET-107-0-0-0-0)
NetType:     Direct Allocation
OriginAS:    AS7132
Organization: AT&T Internet Services (SIS-80)
City:        Richardson
StateProv:   TX

--------------------------------------------------
NetRange:    216.98.48.0 - 216.98.63.255
CIDR:        216.98.48.0/20
NetName:     UBICOM
NetHandle:   NET-216-98-48-0-1
Parent:      NET216 (NET-216-0-0-0-0)
NetType:     Direct Assignment
OriginAS:
Organization: Ubisoft Entertainment (UBISOF-2)

--------------------------------------------------

Reply to
Paul M. Cook
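The whois output above comes in three range notations (RIPE/APNIC "start - end", LACNIC shorthand such as "177.204/14", and ARIN NetRange/CIDR), and matching a list of log addresses against them by hand is error-prone. The example below is added here and is not part of the thread; it parses those range fields into networks with the standard library's ipaddress module and attributes each source address to the registry record that covers it. The owner labels are ours, condensed from the records above; the records themselves are copied from the post. What this kind of lookup tells a defender is which ISP pool a source belongs to (residential NAT pools in many countries here, plus one game publisher's block), not who is behind it.

```python
import ipaddress
import re

# Constructed table: a short owner label of our own next to the range field
# exactly as the registry printed it in the whois output quoted above.
WHOIS_RECORDS = [
    ("FASTWEB-DPPU, IT",                     "inetnum: 93.38.176.0 - 93.38.183.255"),
    ("Global Village Telecom, BR",           "inetnum: 177.204/14"),
    ("CABLEVISION S.A., AR",                 "inetnum: 181.164/14"),
    ("CLARO S.A., BR",                       "inetnum: 186.204/14"),
    ("TELENET, BE",                          "inetnum: 178.116.0.0 - 178.116.255.255"),
    ("AT&T Internet Services, Richardson TX", "NetRange: 107.192.0.0 - 107.223.255.255"),
    ("Ubisoft Entertainment",                "CIDR: 216.98.48.0/20"),
]

# One regex for all three notations: "a - b", "a.b/len" shorthand, and "a.b.c.d/len".
RANGE_RE = re.compile(
    r"^\s*(?:inetnum|NetRange|CIDR)\s*:\s*"
    r"(?P<start>\d+(?:\.\d+){0,3})"            # dotted address, possibly abbreviated
    r"(?:\s*-\s*(?P<end>\d+(?:\.\d+){3}))?"    # optional "- end"
    r"(?:/(?P<plen>\d{1,2}))?\s*$",            # optional "/prefix"
    re.IGNORECASE,
)


def _pad(dotted):
    """Expand LACNIC-style shorthand: '177.204' -> '177.204.0.0'."""
    octets = dotted.split(".")
    return ".".join(octets + ["0"] * (4 - len(octets)))


def parse_range(field):
    """Return the list of networks a whois range field covers."""
    m = RANGE_RE.match(field)
    if not m:
        raise ValueError(f"unrecognised range field: {field!r}")
    if m["end"]:
        # An arbitrary start-end span may need several CIDR blocks.
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(m["start"]), ipaddress.ip_address(m["end"])))
    plen = int(m["plen"]) if m["plen"] else 32
    return [ipaddress.ip_network(f"{_pad(m['start'])}/{plen}", strict=False)]


def build_table(records):
    return [(net, owner) for owner, field in records for net in parse_range(field)]


def attribute(ip, table):
    """Owner label of the most specific range containing ip, or None if no record covers it."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, owner) for net, owner in table if addr in net]
    return max(hits)[1] if hits else None


def attribute_all(ips, table):
    return {ip: attribute(ip, table) for ip in ips}


if __name__ == "__main__":
    table = build_table(WHOIS_RECORDS)
    # Source addresses from the log quoted in the first post, plus one the table does not cover.
    sources = ["93.38.179.187", "177.206.146.201", "181.164.218.29", "186.206.138.72",
               "178.116.59.223", "107.223.217.54", "216.98.48.95", "192.0.2.1"]
    for ip, owner in attribute_all(sources, table).items():
        print(f"{ip:16} {owner}")
```

The "most specific range" rule matters when records nest (the NTT DoCoMo block above appears twice with the same bounds, and registries routinely publish a /14 allocation alongside /21 assignments inside it); taking the longest prefix mirrors what a whois client shows by default. Addresses not in the table come back as None rather than as a guess.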

I'm not a gamer, never even seen a Playstation, let alone used or configured one.

But, don't many of the games have multi-user, across the Internet, modes of play?

If you're concerned, and if your router has the capability, you could block inbound UPnP traffic from outside your home LAN.

Why is alt.os.linux included in this discussion?

Reply to
Bert

They know more about security than anyone, and, the machine that could be connected is Linux (as is a Windows, iOS, and Android - but Linux people are often smarter than the others).

Besides, there is no router group that I can find.

Reply to
Paul M. Cook


The upnp "feature" is broken by design. It should be turned off in all routers.

Regards, Dave Hodgins

Reply to
David W. Hodgins

On Tuesday, December 22nd, 2015, at 22:53:30h -0500, Paul M. Cook reported:

Is your child playing any of the following games with other players out on the Internet?

From

QUOTE

Games that use this port: Port 9000 is used by the EverQuest World server. Dungeons & Dragons Online uses ports 9000-9010 (TCP/UDP) Lord of the Rings Online uses ports 9000-9010

UNQUOTE

Only if your child is NOT authorized (preferably in writing) to not play games in Internet mode.

Do you really want your child to be potentially radicalized by foreigners in foreign countries who have not been vetted by dedicated patriots?

Reply to
J G Miller

Not those, but one of the "attackers" was "Ubisoft Entertainment" which does make the "Assassin's Creed" game he plays a lot.

I told him to play games (which he's doing now, without much more prompting from me) where I just noticed an older "Smurf" attack:

Which shows up as this error:

  [DoS attack: Smurf] attack packets in last 20 sec from ip [114.254.105.255], Sunday, Dec 20,2015 04:02:28

But, I don't see any more of those original attacks into port 9000. But I'll keep watching the log.

Reply to
Paul M. Cook

Perhaps you might explain why you also posted the same question to: alt.home.repair and sci.electronics.repair?

Reply to
Jeff Liebermann

Well if you looked further down the page at the link I provided, you would have seen quite a few more games, although I do not see "Assassin's Creed".

You will also see on that page that there are quite a few exploits/trojans being used for this port.

If the port is needed to be opened for this game and for Internet playing, it would be wise to ensure that your router only forwards traffic on this port to the IP address assigned to the Playstation.

If somebody has come up with a crack to gain access via 9000 to the Playstation then you will need to update the latest firmware with a fix for the crack.

Having uPnP enabled on your router is rather dangerous unless you have secured all the hosts, which includes devices, not just computers, eg your ethernet connected refrigerator, your WiFi connected coffee machine, on your LAN.

Crackers have easily been able, thanks to lax security by people who just buy and connect these things, to monitor conversations and/or view household rooms, by accessing baby-monitoring-web-cams.

The first rule of Internet security is deny access to all, and only open up specific ports as necessary, preferably (but not always possible) limited to specific incoming IP ranges, and always forwarded towards specific single local host IPs.

Reply to
J G Miller

I have always been very confused by UPNP.

If it's not useful, then why do all routers default to having it on?

Does anything *need* it?

Specifically does a playstation or Ooma or Skype or whatever need upnp?

Reply to
Paul M. Cook

The news server doesn't allow certain newsgroups to be xposted.

Reply to
Paul M. Cook

I looked at my router UPNP settings, and it looks like there are a few ports that are reporting something. But what are they reporting here?


  Active  Protocol  Int. Port  Ext. Port  IP Address
  YES     UDP       9000       9000       192.168.1.5
  YES     UDP       2550       2550       192.168.1.12
  YES     TCP       2550       2550       192.168.1.12
  YES     UDP       64941      64941      192.168.1.15

192.168.1.5 is the Sony Playstation.
192.168.1.12 is an Android cellphone.
192.168.1.15 is a Windows PC.

What is this UPNP report page actually trying to tell me? If I turn off UPNP from the router, what bad things happen?

Reply to
Paul M. Cook

It is telling you that uPnP is active on your router and that your router has used the uPnP method of automatically connecting your playstation port 9000 (just UDP) to the router's incoming/outgoing port 9000, and similarly for your Android cellphone for 2550 (both TCP and UDP), and your PC for 64941 (just UDP).

Port 2550 may be related to Active Directory Authentication.

Without manually setting up the appropriate port forwarding, the services which use these ports may have problems talking to whoever on the Internet.

The usual way port opening on a router is set up, is that if a local host, on the LAN side of the router, initiates a connection to an external site on a particular port, then that port stays open in order to get the remote response.

If a remote site, on the WAN side of the router, initiates a connection on a port which the router has not opened due to a host trying to talk outbound, then that port stays closed and the incoming message is not received.

The two most important things with respect to your router are these:

(1) Always set a strong password for Admin and unless it is absolutely needed, turn off external administrative access, which has been the most common way that routers have been compromised.

(2) Regularly check that you have the latest firmware installed to ensure that bugs and security holes (which the manufacturer of the router cares to do something about) get fixed.

With regard to enabling uPnP, have a read of this article to see why uPnP enabled is risky, and check to see if your router is affected (certain Netgear models did have a real vulnerability in the past).

Also take a look at

And if you want to run an external test, you can use the GRC uPnP test at

Be sure to click on the red "do real test" though.

Reply to
J G Miller

It would be useful if it didn't open up security holes.

It makes things easier, as you have to learn how to manually open needed ports, and configure security within the router and the lan. It's enabled as a marketing feature. The designers of upnp either didn't understand the security implications, or didn't care, and it became a standard feature of most routers, with consumers expecting it.

There are multiple ways upnp opens up security attacks. Some only affect certain routers, while others affect any router that has upnp enabled.

For some of the attacks, run a search on "upnp soap attack", without the quotes.

The basic concept of most of the attacks, is going to a web site that's been hacked, or is intentionally sending html code to your browser causing the browser to send a soap attack back to the router (without any intervention by you), so it's being attacked from inside the lan, as far as the router can tell. Both the router, and the browser are working as designed, but the concept is bad. Changing the router admin password will block some of the attacks, but not all of them.

Regards, Dave Hodgins

Reply to
David W. Hodgins

You'll have to manually go into the router configuration screen, (have to anyway, to turn off upnp), and open up those ports.

Having those ports open isn't necessarily a bad thing, but it should be something you control, not websites you visit. I'd check to see what is listening to udp port 64941. It's not a standard port, though it may be used for skype incoming calls, or other applications that do need an open incoming port.

Regards, Dave Hodgins

Reply to
David W. Hodgins

That's something new. Usually the usenet news server software limits the number of newsgroups that can be crossposted. Anything posted to over about 5 groups is usually considered spam. Unless someone has rewritten INN (again), I don't know of any way to limit cross posting by specific newsgroups.

This may also explain why you're being restricted: "I am recovering from a major server failure. Please contact me at snipped-for-privacy@gmail.com until things are back online."

Good luck.

Reply to
Jeff Liebermann

I googled what upnp was, but understanding upnp requires already understanding port forwarding, so I googled that. Please correct where I err - but here is my summary of what I understood from googling both port forwarding and UPNP.

Apparently port forwarding is a way that the Internet can get to a device on your system by typing your external ip address and then a port number (e.g., 123.123.123.123:64941).

Somehow, that *knows* to go to a particular device on your LAN.

In order for *that* to work, you need to do something that they call *port forwarding* on your router, which points to the internal IP address of the device on your network that you want connected to the Internet.

So, once you "open" that port by "forwarding" it, when someone on the Internet goes to your IP address and that port, your router forwards the connection to a particular local 192.168.1.x IP address on your system that you had set up in the router.

Having said that, port forwarding is basically opening up a *hole* in your router, that allows someone from the Internet to get to a specific device on your system just by typing your IP address and that port that you had forwarded in your router setup.

Now if that's all correct, then UPNP is simply *automatically* opening up *that hole*.

I'm not sure *what* causes that automatic opening of the hole, but, if you don't turn off UPNP, then something from the Internet can somehow open up that hole to a device on your local LAN that has a 192.168.1.x address via whatever port it wants.

If that understanding above is correct, then UPNP is absolutely evil.

So I have it turned off now. I don't know what will break though.

Reply to
Paul M. Cook

I googled this UPNP thing and I found out that it's absolutely evil.

Apparently "corporate" routers have it turned off, by default; but home broadband routers have it turned on by default. Go figure.

Anyway, I couldn't understand UPNP until I looked up port forwarding.

Correct me if I'm wrong, but, let's say your external IP address is 1.2.3.4 but that you have a Playstation on 192.168.1.2 behind your router. And say that you want port 12345 on your playstation to "do something" (I'm not sure what).

From what I can gather, port forwarding is the act of you purposefully going into your router and setting the router up so that if anyone on the Internet goes to your IP address (1.2.3.4) and that port (12345), I guess by typing "1.2.3.4:12345", then your router will connect that person on the Internet to your playstation at 192.168.1.2:12345 as far as I can tell (even if you have a dozen other machines on your local LAN).

That is, port forwarding seems to be the act of opening up a specific *hole* in your router firewall to a specific machine inside your local network.

The port forwarding action somehow allows someone from the Internet to specify a certain machine and port on your local LAN simply by specifying your external IP address and a particular port:

  1.2.3.4:12345 ---> is forwarded to ---> 192.168.1.2:12345

If that's correct, then UPNP is merely the act of doing all that totally automatically (as far as I can tell).

I'm not sure *how* that's done, but, that's what I understood from reading about port forwarding and UPNP.

So, I just turned *off* UPNP on my router.

I have no idea what that will do to whatever was being port forwarded before, which is this list below:

  Active  Protocol  Int. Port  Ext. Port  IP Address
  YES     UDP       9000       9000       192.168.1.5   (Sony Playstation)
  YES     UDP       2550       2550       192.168.1.12  (Android cellphone)
  YES     TCP       2550       2550       192.168.1.12  (Android cellphone)
  YES     UDP       64941      64941      192.168.1.15  (Windows PC)

Did I get the description of Port Forwarding & UPNP correct yet?

Reply to
Paul M. Cook

Well, no. If it is restricted to your home network, then it allows your computer to find the network printer without you having to go through a bunch of setup. (or for your computer to find your refrigerator, so when it needs a snack it can get one without it having to be explicitly set up). If it automatically opens ports to the outside world that is a bit dangerous.

More likely it would go, for example, to 1.2.3.4:25 (the standard email port) and be forwarded to 192.168.1.2:25, or similarly for ssh.

Usually only specific ports.

Reply to
William Unruh

Yes. It is useful to open a port and forward it to a specific computer within the lan, for example to allow skype to receive incoming calls. That should be decided and manually configured by the system admin.

The main problem with upnp, is that, while it makes it easier for people who don't understand how a router works to get things like skype working, it opens the hole where a malicious website can get a browser to send the request to the router, to open whatever port the malicious site wants. For example, ftp. People within a lan may want to have an ftp server running, with no password required, as it's only intended to be used by people within the lan. By having upnp turned on, the malicious site would be able to get access. There are a lot of other ports that should not be opened to the general internet, without proper security configurations.

If you have one computer running ftp, sure go ahead and open port 22, and forward it to the appropriate computer, if that's what you want to do. With upnp, you no longer have complete control of what's open.

Regards, Dave Hodgins

Reply to
David W. Hodgins
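Three passages in this thread describe the same mechanism from different angles: J G Miller's explanation that a port "stays open" only for a connection a LAN host started and stays closed to anything a remote site initiates, Paul's summary that a forward sends 1.2.3.4:12345 to 192.168.1.2:12345 for anyone who asks, and Dave's point that such a forward should be the admin's decision rather than something UPnP adds on a device's request. The toy router below is an added example, not code from the thread or from any router vendor, that makes those three cases concrete: an unsolicited packet is dropped, a reply to a LAN-initiated flow is let back in (only from that peer, a simplification of how real consumer NATs behave), and once a UPnP-style mapping for UDP 9000 exists, any Internet host reaches 192.168.1.5:9000 and the router records a "LAN access from remote" line like the ones in the first post. The WAN address 1.2.3.4 and inside addresses come from the thread; the peers 203.0.113.7 and 198.51.100.9 are constructed documentation addresses.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    """Toy NAT/firewall: a WAN address, a connection-tracking table for flows
    started from the LAN, and a port-forwarding table (admin-set or UPnP-added)."""
    wan_ip: str
    conntrack: set = field(default_factory=set)   # (proto, lan_ip, lan_port, remote_ip, remote_port)
    forwards: dict = field(default_factory=dict)  # (proto, ext_port) -> (lan_ip, lan_port)
    log: list = field(default_factory=list)

    def add_forward(self, proto, ext_port, lan_ip, lan_port, who="admin"):
        """A static forward. 'who' records whether the admin or a UPnP request created it."""
        self.forwards[(proto, ext_port)] = (lan_ip, lan_port)
        self.log.append(f"[{who}] forward {proto}/{ext_port} -> {lan_ip}:{lan_port}")

    def outbound(self, pkt):
        """A LAN host starts a flow: remember it so the answer from that peer gets back in.
        Simplification: the external port is the same as the internal one."""
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return Packet(pkt.proto, self.wan_ip, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """A packet arrives on the WAN side. Returns the packet as delivered to the
        LAN, or None if the router drops it."""
        # 1. Reply to a flow a LAN host started? Only that peer, on that port, gets in.
        for proto, lan_ip, lan_port, rip, rport in self.conntrack:
            if (proto, rip, rport, lan_port) == (pkt.proto, pkt.src, pkt.sport, pkt.dport):
                return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        # 2. A forwarded port? Anyone on the Internet gets in, and the router logs it.
        if (pkt.proto, pkt.dport) in self.forwards:
            lan_ip, lan_port = self.forwards[(pkt.proto, pkt.dport)]
            self.log.append(f"[LAN access from remote] from {pkt.src}:{pkt.sport} "
                            f"to {lan_ip}:{lan_port}")
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        # 3. Otherwise unsolicited: dropped. This is the "deny all" default.
        self.log.append(f"[dropped] unsolicited {pkt.proto} from {pkt.src}:{pkt.sport} "
                        f"to port {pkt.dport}")
        return None


def demo():
    """Walk through the three cases; returns what was delivered plus the router log."""
    r = Router("1.2.3.4")
    # Unsolicited packet to UDP 9000 before any mapping exists: dropped.
    before = r.inbound(Packet("udp", "93.38.179.187", 9000, "1.2.3.4", 9000))
    # The PC starts a UDP flow; the reply from that peer is let back in,
    # but a different host aiming at the same port is not.
    r.outbound(Packet("udp", "192.168.1.15", 64941, "203.0.113.7", 3478))
    reply = r.inbound(Packet("udp", "203.0.113.7", 3478, "1.2.3.4", 64941))
    stranger = r.inbound(Packet("udp", "198.51.100.9", 5555, "1.2.3.4", 64941))
    # The console asks the router, via UPnP, to forward UDP 9000 to itself.
    r.add_forward("udp", 9000, "192.168.1.5", 9000, who="UPnP set event")
    after = r.inbound(Packet("udp", "93.38.179.187", 9000, "1.2.3.4", 9000))
    return {"before": before, "reply": reply, "stranger": stranger,
            "after": after, "log": r.log}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Turning UPnP off in this model removes only the path that calls add_forward on a device's behalf; a forward the admin enters by hand behaves identically and is just as reachable from the whole Internet. Case 1 is what a stateful firewall gives you for free and is why the outbound-only services on the LAN keep working with UPnP disabled; case 2 is what a forward, however it was created, gives away.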
