  somebodeez Premium,MVM join:2001-09-24 here
·Verizon FIOS
1 edit | [northeast] Log From My Router - I'm Curious and Concerned
There are a lot of red "Blocked - Remote Administration" entries (a lot more than what is visible in my screen shot), 2 green "Accepted Remote Administration" entries and 1 "WBM unknown has changed security settings" .
I'm curious about what all of these entries may mean and concerned that there may be something going on that's not good and wondering if there are some security settings I should take care of?
Edit: I have that default open port closed now. |
|
  WileEC mindtaker, macky cat, etc.
join:2002-02-07 Yonkers, NY 4 edits | nevermind |
|
  somebodeez Premium,MVM join:2001-09-24 here
·Verizon FIOS
| This is a screen of my router's Remote Administration page. I don't have anything selected. This means that Remote Administration isn't activated, yes? (fingers crossed) |
|
 ProFiOSDude Premium join:2005-05-27 Chesapeake, VA
| reply to somebodeez First off, you are blocking traffic that has not yet occurred. It's May 25th throughout the FiOS footprint and the latest possible time as of my post is 14:40:05. Those entries are from tomorrow. Reset your router and get your clock straight first.
PFD |
|
 ProFiOSDude Premium join:2005-05-27 Chesapeake, VA | reply to somebodeez The majority of those attempts were from China, or have IPs that ARIN says are from China. The successful one (socket-designated) points to your ISP.
PFD |
|
  somebodeez Premium,MVM join:2001-09-24 here
·Verizon FIOS
| reply to ProFiOSDude
> said by ProFiOSDude: First off, you are blocking traffic that has not yet occurred. It's May 25th throughout the FiOS footprint and the latest possible time as of my post is 14:40:05. Those entries are from tomorrow. Reset your router and get your clock straight first. PFD
Whoa I didn't even notice that. I logged back in and took another look at the security log. Latest entry now dated May 25 13:46:48 2007 etc. The only thing I did after posting was to close that port that's open by default.
That's odd. |
|
 ProFiOSDude Premium join:2005-05-27 Chesapeake, VA | reply to somebodeez I'd email that to abuse@level3.com
PFD |
|
  somebodeez Premium,MVM join:2001-09-24 here
·Verizon FIOS
| > said by ProFiOSDude: I'd email that to abuse@level3.com PFD
Thank you for your help! I have sent them an email and attached the screenshot.
There's more entries today from other IPs - even Verizon.
What's going on? |
|
 ProFiOSDude Premium join:2005-05-27 Chesapeake, VA | Same thing that happens to all of us...general curiosity. People go fishing for all kinds of stuff. If most people looked at their logs they'd see their routers firewall doing what it's supposed to be doing...just like yours.
PFD |
|
  rtcy FACTS only please Premium join:1999-10-16 Beverly Hills, CA
·Verizon west (ex G..
| reply to ProFiOSDude
> said by ProFiOSDude: I'd email that to abuse@level3.com PFD
I'm glad you noticed that the 4.x block was sold to Level 3 and NOT a Chinese location |
|
  rtcy FACTS only please Premium join:1999-10-16 Beverly Hills, CA
·Verizon west (ex G..
| reply to ProFiOSDude
> said by ProFiOSDude: Same thing that happens to all of us...general curiosity. People go fishing for all kinds of stuff. If most people looked at their logs they'd see their routers firewall doing what it's supposed to be doing...just like yours. PFD
He did say there's an entry about new settings accepted. Does it show an address as who did the change? It should, and I hope it's within his house or else......something is open |
|
 ProFiOSDude Premium join:2005-05-27 Chesapeake, VA | That was before he reset the router...didn't see any followup regarding that...
PFD |
|
  somebodeez Premium,MVM join:2001-09-24 here
·Verizon FIOS
1 edit | reply to rtcy
> said by rtcy: He did say there's an entry about new settings accepted. Does it show an address as who did the change? It should, and I hope it's within his house or else......something is open
Yes, in the first screen shot you can see 2 green colored "Accepted Remote Administration" entries w/IP 166.68.134.174 using the 4567 port that's open by default.
I've got that port closed now and I don't see any more green "Accepted Remote Administration" entries.
However I do still see one (not colored green or red) that I'm curious about. It says:
"Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings". (doesn't list an IP)
When I log into the router, it says "WBM Login User authentication success Username: admin" and I know (hopefully!) that's me.
|
|
  somebodeez Premium,MVM join:2001-09-24 here
·Verizon FIOS
| reply to ProFiOSDude
> said by ProFiOSDude: That was before he reset the router...didn't see any followup regarding that... PFD
Sorry for taking so long to follow up. I reset the logs and wanted to wait a day or 2 and see what the entries would be like now.
The dates are still sometimes screwy I see. I don't know what's up with that.
In this screen shot, you can see that entry about the user unknown. No more green Remote Admin entries though. 
BTW, Level 3 responded to my email the same day saying "This message is to inform you that the information you have provided us is being used to investigate this matter and we will address the issue according to our Acceptable Use Policy."
I sure appreciate your time, analysis and advice! |
|
  cdru Go Colts Premium,MVM join:2003-05-14 Fort Wayne, IN
| > said by somebodeez: No more green Remote Admin entries though.
In case you didn't know, it looks like the majority of the blocked "remote admin" entries were just ping requests. Not exactly remote admin. -- Go Colts |
|
  somebodeez Premium,MVM join:2001-09-24 here
·Verizon FIOS
| > said by cdru:
> > said by somebodeez: No more green Remote Admin entries though.
> In case you didn't know, it looks like the majority of the blocked "remote admin" entries were just ping requests. Not exactly remote admin.
Thanks for your reply. Sorry for being a dense-head but what indicates that those are just ping requests? |
|
  cdru Go Colts Premium,MVM join:2003-05-14 Fort Wayne, IN
| > said by somebodeez: Thanks for your reply. Sorry for being a dense-head but what indicates that those are just ping requests?
You're not being dense. You just don't know. Where it says "ICMP Type 8". Type 8 indicates an ICMP echo request. This is some other computer saying "knock knock anyone home". If your computer was listening and wanted to reply, it would send a Type 0 response that would say "Yeah, I'm here". -- Go Colts |
|
  somebodeez Premium,MVM join:2001-09-24 here | Thanks, cdru 
Now can anyone tell me about this "Configuration change - WBM user unknown has changed security settings" entry? |
|
 cmthru
join:2005-03-19 Germantown, MD
| reply to somebodeez I'd also like to know about this mysterious WBM user unknown business. The log shows changes being made when I know that I'm not using the PC or anyone else is connected. A number of the entries are being recorded overnight.
I thought I had blocked all remote access yet I can still easily access the router from my wireless laptop. |
|
  somebodeez Premium,MVM join:2001-09-24 here
·Verizon FIOS
| > said by cmthru: I'd also like to know about this mysterious WBM user unknown business. The log shows changes being made when I know that I'm not using the PC or anyone else is connected. A number of the entries are being recorded overnight.
Well, at least I'm not the only one with this!
I did some searches but was only able to find this and it wasn't very helpful to me: »tinyurl.com/2vomwj Cisco says WBM stands for "Web-Based Management". I'm assuming that means how we access the router through a web browser. That doesn't help me understand about Unknown though and how is he able to change security settings.
I went all through my settings and couldn't detect anything different from what I have specified myself. I wonder if it could have anything to do with Verizon being able to push the router's firmware (as reported by some)? |
|
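The entry kinds discussed in this thread (blocked ICMP Type 8 pings, "Accepted" remote administration from outside the LAN, a settings change attributed to 0.0.0.0, and timestamps ahead of the real clock) can be sorted mechanically. The following is an added example, not part of any post and not the router's own tooling; the `timestamp | event | detail` line layout, the LAN range and the sample lines are constructed assumptions, since the thread shows the log only as screenshots.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in an assumed "<timestamp> | <event> | <detail>" layout.
SAMPLE_LOG = """\
May 26 02:11:09 2007 | Blocked - Remote Administration | ICMP Type 8 from 203.0.113.7
May 25 13:40:02 2007 | Accepted - Remote Administration | TCP 198.51.100.20:51812 -> port 4567
May 25 13:41:30 2007 | Configuration change | WBM user Unknown (0.0.0.0) has changed security settings
May 25 13:46:48 2007 | WBM Login | User authentication success Username: admin from 192.168.1.5
May 25 13:47:10 2007 | Blocked - Remote Administration | TCP 203.0.113.9:40022 -> port 8080
"""

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN range
ICMP_TYPES = {0: "echo reply", 8: "echo request (ping)"}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def triage(log_text, now):
    """Return {line_number: [tags]} for each non-empty log line."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        stamp, event, detail = (p.strip() for p in line.split("|", 2))
        tags = []
        # An entry dated after "now" means the router clock is wrong.
        if datetime.strptime(stamp, "%b %d %H:%M:%S %Y") > now:
            tags.append("future-timestamp")
        icmp = re.search(r"ICMP Type (\d+)", detail)
        if icmp:
            tags.append("icmp: " + ICMP_TYPES.get(int(icmp.group(1)), "other"))
        ips = [ipaddress.ip_address(a) for a in IP_RE.findall(detail)]
        # Accepted administration traffic whose source is not on the LAN.
        if event.startswith("Accepted") and any(
            ip not in LAN and not ip.is_unspecified for ip in ips
        ):
            tags.append("accepted-from-wan")
        # A settings change logged with no usable source address.
        if "changed security settings" in detail and any(
            ip.is_unspecified for ip in ips
        ):
            tags.append("unattributed-config-change")
        results[n] = tags
    return results
```

Calling `triage(SAMPLE_LOG, datetime(2007, 5, 25, 14, 40, 5))` uses the post time quoted in the thread as the reference clock.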