|
help with these logs
I was looking at the log files in my Netgear R7000 and see a lot of this. Can someone help me figure out what's going on?
I know a little about networking, so I know that 192.168.1.10:6881 is the port it's trying to access through. I do not have any port forwarding with that port. I'm guessing that it's just logging where it's trying to come in through, but I'm not sure.
I had looked at this in the past and seen the same thing. It's only logging stuff from today, but I'm guessing that's because it only logs so much.
[LAN access from remote] from 178.65.250.225:52011 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33
[LAN access from remote] from 95.222.26.185:45471 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33
[LAN access from remote] from 180.146.222.82:47068 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33
[LAN access from remote] from 77.122.254.7:46956 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33
[LAN access from remote] from 221.13.239.226:1265 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 178.222.11.92:18831 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 39.41.63.166:26301 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 181.168.136.36:25021 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 67.18.1.143:62490 to 192.168.1.30:3389, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 176.125.109.68:49001 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31
[LAN access from remote] from 46.35.235.119:6881 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31
[LAN access from remote] from 172.56.7.219:33666 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31
[LAN access from remote] from 142.217.139.38:6881 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31
|
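Added example, not part of the original thread: a small Python parser that groups the router entries quoted in the post above by internal destination, so it is easy to see which LAN hosts and ports are being reached and from how many distinct remote addresses. The five sample entries are copied from the post; the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry layout taken from the R7000 log lines quoted in the first post.
ENTRY = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+):(?P<dport>\d+),"
    r" \w+, (?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)

# Five entries copied from the post, run together the way the log was pasted.
SAMPLE = (
    "[LAN access from remote] from 178.65.250.225:52011 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33 "
    "[LAN access from remote] from 221.13.239.226:1265 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:32 "
    "[LAN access from remote] from 67.18.1.143:62490 to 192.168.1.30:3389, Wednesday, Apr 01,2015 12:13:32 "
    "[LAN access from remote] from 46.35.235.119:6881 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31 "
    "[LAN access from remote] from 142.217.139.38:6881 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31"
)

def summarize(log_text):
    """Group entries by internal (ip, port); finditer copes with entries that share a line."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set(), "first": None, "last": None})
    for m in ENTRY.finditer(log_text):
        seen = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
        g = groups[(m["dst"], int(m["dport"]))]
        g["hits"] += 1
        g["sources"].add(m["src"])
        g["first"] = seen if g["first"] is None else min(g["first"], seen)
        g["last"] = seen if g["last"] is None else max(g["last"], seen)
    return dict(groups)

def report(log_text):
    """One line per internal destination, busiest first."""
    rows = sorted(summarize(log_text).items(), key=lambda kv: -kv[1]["hits"])
    return [
        f"{ip}:{port}  hits={g['hits']}  distinct_sources={len(g['sources'])}  "
        f"{g['first']:%H:%M:%S}-{g['last']:%H:%M:%S}"
        for (ip, port), g in rows
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```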
Wily_One Premium Member join:2002-11-24 San Jose, CA |
2015-Apr-1 4:45 pm
6881/tcp is the default port used by BitTorrent. Are you using that? What host is using 192.168.1.10? |
|
|
No BitTorrent running on my PC. Haven't used that in like 5 years, and not even on this computer. |
|
Wily_One Premium Member join:2002-11-24 San Jose, CA |
2015-Apr-1 4:54 pm
Then you're probably just being probed. What would concern me is the traffic looks like it's getting inside, which is why I asked what device has 192.168.1.10. |
|
|
to nyrrule27
Do you have a Synology NAS by chance? |
|
|
|
No. I have a QNAP. And that's not the IP of my NAS. It's the IP of my computer. Hmmmm. |
|
Wily_One Premium Member join:2002-11-24 San Jose, CA |
2015-Apr-1 5:45 pm
said by nyrrule27: It's the IP of my computer. Hmmmm.
If you're running Windows, open a Command Prompt window and type this:
netstat -n
If you see :6881 in the output, then you are indeed running something using that port. |
|
1 recommendation |
to nyrrule27
2nd Wily_One ... 6881 TYPICALLY is BitTorrent, but if you're not running it, do a "netstat -abn > (filename here)" ASAP. You may also want to check the config of your Netgear... maybe you had the port forward set up before? If you're not using it, good idea to turn it off.
My 00000010bits
Regards |
|
1 recommendation |
So I did netstat -n and I get a lot of stuff, but the stuff I'm getting is for my Ceton TV tuner card, 192.168.201.3.
The Netgear is only 3 months old. The only port forwarding I'm doing is for RDP and for the Ceton TV app to manage my recording, and it doesn't use that port listed in my first post.
Hellfire. You said netstat -abn and a file name. Which file name do I put in? |
|
stormbow Freedom isn't FREE Premium Member join:2002-07-31 Simi Valley, CA
1 recommendation |
2015-Apr-2 5:19 pm
It is a text file so anyname.txt, as long as you remember what you call it. You then open it and look through it for something LISTENING on 6881. |
|
|
OK, so that command is gonna create the file? OK, I got it. |
|
Wily_One Premium Member join:2002-11-24 San Jose, CA |
to nyrrule27
said by nyrrule27: So I did. Netstat -n and I get a lot of stuff...
And was anything using port 6881??? |
|
HarryH3 Premium Member join:2005-02-21
1 recommendation |
to nyrrule27
said by nyrrule27: Hellfire. You said netstat -abn and a file name. Which file name do I put in
The ">" in the string that Hellfire posted is a redirect. It tells the shell to "redirect" output from the screen to the filename that you provide. As stormbow hinted, the name can be whatever YOU want it to be. It is quite handy to use when the output dumps too much data to easily scroll through in the command window. The output also becomes searchable, so opening the file and searching for 6881 will get you to the right place very quickly. |
|
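Added example, not part of the original thread: a Python sketch that reads the text saved by `netstat -abn > file` and reports which executable owns any socket bound to a given local port. It covers two cases a manual search can misread: UDP sockets, which netstat prints with no LISTENING state, and rows where 6881 is only the remote port. The sample output is constructed and `example-client.exe` is a made-up name.

```python
import re

# "Proto  Local Address  Foreign Address  [State]"; UDP rows carry no State column.
SOCK = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")   # -b prints the executable as [name.exe]

# Constructed sample of `netstat -abn` output (not taken from the thread).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TermService
 [svchost.exe]
  TCP    [::]:6881              [::]:0                 LISTENING
 [example-client.exe]
  TCP    192.168.1.10:49152     203.0.113.5:6881       ESTABLISHED
 [example-client.exe]
  UDP    0.0.0.0:6881           *:*
 [example-client.exe]
"""

def bound_sockets(netstat_text, port):
    """Return sockets bound to local `port` (TCP LISTENING or any UDP) with their owner."""
    found, current = [], None
    for line in netstat_text.splitlines():
        m = SOCK.match(line)
        if m:
            proto, addr, lport, _foreign, state = m.groups()
            current = None   # owner lines that follow belong to this row only
            if int(lport) == port and (proto == "UDP" or state == "LISTENING"):
                current = {"proto": proto, "local": f"{addr}:{lport}", "owner": None}
                found.append(current)
            continue
        o = OWNER.match(line)
        if o and current is not None:
            current["owner"] = o.group(1)
    return found

if __name__ == "__main__":
    for s in bound_sockets(SAMPLE, 6881):
        print(s["proto"], s["local"], s["owner"] or "owner unknown")
```

`netstat -b` needs an elevated Command Prompt.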
1 recommendation |
to nyrrule27
3rd stormbow and HarryH3, the intent was to direct the output to a text file you could search later on, especially if the output from "netstat" was pretty long / verbose. If you're sure about the Netgear's config... it may be worthwhile to back up the Netgear's config and reset it to default, just to be sure.
My 00000010bits
Regards |
|
|
to nyrrule27
said by nyrrule27: 67.18.1.143:62490 to 192.168.1.30:3389
Do you have remote desktop port forwarded? 3389 is RDP. A good number of those IPs are Russian or Ukrainian. |
|
|
OK. So I did it and searched the doc, and nothing came up on 6881. And yes, I am using RDP. |
|
|
From Houston (67.18.1.143)? |
|
|
No, but I'm guessing these log files aren't actual breaches past the router; they are just attempts to. And that's why I'm not seeing 6881 in the netstat output. |
|
1 recommendation |
to nyrrule27
Any way to tell for sure from the Netgear whether they are permits or denies? You may call it paranoia, I call it covering your one and only backside.
Could also set up Wireshark to capture any traffic matching the 192.168.1.10 address and port 6881, just to be sure.
My 00000010bits
Regards |
|