nyrrule27
join:2007-12-06
Howell, NJ

nyrrule27

Member

help with these logs

I was looking at the log files in my Netgear R7000 and see a lot of this. Can someone help me figure out what's going on?

I know a little about networking, so I know that 192.168.1.10:6881 is the port it's trying to access through. I do not have any port forwarding with that port. I'm guessing that it's just logging where it's trying to come in through, but I'm not sure.

I had looked at this in the past and seen the same thing. It's only logging stuff from today, but I'm guessing that's because it only logs so much.

[LAN access from remote] from 178.65.250.225:52011 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33
[LAN access from remote] from 95.222.26.185:45471 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33
[LAN access from remote] from 180.146.222.82:47068 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33
[LAN access from remote] from 77.122.254.7:46956 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33
[LAN access from remote] from 221.13.239.226:1265 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 178.222.11.92:18831 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 39.41.63.166:26301 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 181.168.136.36:25021 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 67.18.1.143:62490 to 192.168.1.30:3389, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 176.125.109.68:49001 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31
[LAN access from remote] from 46.35.235.119:6881 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31
[LAN access from remote] from 172.56.7.219:33666 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31
[LAN access from remote] from 142.217.139.38:6881 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31

Wily_One
Premium Member
join:2002-11-24
San Jose, CA

Wily_One

Premium Member

6881/tcp is the default port used by BitTorrent. Are you using that? What host is using 192.168.1.10?
nyrrule27
join:2007-12-06
Howell, NJ

nyrrule27

Member

No BitTorrent running on my PC. Haven't used that in like 5 years, and not even on this computer.

Wily_One
Premium Member
join:2002-11-24
San Jose, CA

Wily_One

Premium Member

Then you're probably just being probed. What would concern me is the traffic looks like it's getting inside, which is why I asked what device has 192.168.1.10.
LittleBill
join:2013-05-24

LittleBill to nyrrule27

Member

to nyrrule27
do you have a synology nas by chance?
nyrrule27
join:2007-12-06
Howell, NJ

nyrrule27

Member

No. I have a QNAP. And that's not the IP of my NAS. It's the IP of my computer. Hmmmm.

Wily_One
Premium Member
join:2002-11-24
San Jose, CA

Wily_One

Premium Member

said by nyrrule27:

It's the IP of my computer. Hmmmm.

If you're running Windows, open a Command Prompt window and type this: netstat -n

If you see :6881 in the output, then you are indeed running something using that port.
HELLFIRE
MVM
join:2009-11-25

1 recommendation

HELLFIRE to nyrrule27

MVM

to nyrrule27
2nd Wily_One ... 6881 TYPICALLY is BitTorrent, but if you're not running it, do a "netstat -abn > (filename here)" ASAP.

You may also want to check the config of your Netgear... maybe you had the port forward set up before? If you're not using it, good idea to turn it off.

My 00000010bits

Regards
nyrrule27
join:2007-12-06
Howell, NJ

1 recommendation

nyrrule27

Member

So I did netstat -n and I get a lot of stuff, but the stuff I'm getting is for my Ceton TV tuner card, 192.168.201.3.

The Netgear is only 3 months old. The only port forwarding I'm doing is for RDP and for the Ceton TV app to manage my recording, and it doesn't use that port listed in my first post.

Hellfire, you said netstat -abn and a file name. Which file name do I put in?

stormbow
Freedom isn't FREE
Premium Member
join:2002-07-31
Simi Valley, CA

1 recommendation

stormbow

Premium Member

It is a text file so anyname.txt, as long as you remember what you call it. You then open it and look through it for something LISTENING on 6881.
nyrrule27
join:2007-12-06
Howell, NJ

nyrrule27

Member

Ok so that command is gonna create the file? Ok I got it

Wily_One
Premium Member
join:2002-11-24
San Jose, CA

Wily_One to nyrrule27

Premium Member

to nyrrule27
said by nyrrule27:

So I did netstat -n and I get a lot of stuff...

And was anything using port 6881???
HarryH3
Premium Member
join:2005-02-21

1 recommendation

HarryH3 to nyrrule27

Premium Member

to nyrrule27
said by nyrrule27:

Hellfire, you said netstat -abn and a file name. Which file name do I put in?

The ">" in the string that Hellfire posted is a redirect. It tells the shell to "redirect" output from the screen to the filename that you provide. As stormbow hinted, the name can be whatever YOU want it to be. It is quite handy to use when the output dumps too much data to easily scroll through in the command window. The output also becomes searchable so opening the file and searching for 6881 will get you to the right place very quickly.
HELLFIRE
MVM
join:2009-11-25

1 recommendation

HELLFIRE to nyrrule27

MVM

to nyrrule27
3rd stormbow and HarryH3, the intent was to direct the output to a text file you could search later on, especially if the output from "netstat" was pretty long / verbose.

If you're sure about the netgear's config... it may be worthwhile to back up the netgear's config and reset it to default, just to be sure.

My 00000010bits

Regards
lawsoncl
join:2008-10-28
Spirit Lake, ID

lawsoncl to nyrrule27

Member

to nyrrule27
said by nyrrule27:

67.18.1.143:62490 to 192.168.1.30:3389

Do you have remote desktop port forwarded? 3389 is RDP. A good number of those IPs are Russian or Ukrainian.
nyrrule27
join:2007-12-06
Howell, NJ

nyrrule27

Member

Ok. So I did it and searched the doc and nothing came up on 6881. And yes, I am using RDP.
lawsoncl
join:2008-10-28
Spirit Lake, ID

lawsoncl

Member

said by nyrrule27:

And yes, I am using RDP.

From Houston (67.18.1.143)?
nyrrule27
join:2007-12-06
Howell, NJ

nyrrule27

Member

No, but I'm guessing these log files aren't actual breaches past the router, they are just attempts to. And that's why I'm not seeing 6881 in the netstat output.
HELLFIRE
MVM
join:2009-11-25

1 recommendation

HELLFIRE to nyrrule27

MVM

to nyrrule27
Any way to tell for sure from the Netgear whether they are permits or denies? You may call it paranoia, I call it covering your one and only backside.

Could also set up Wireshark to capture any traffic matching the 192.168.1.10 address and port 6881, just to be sure.

My 00000010bits

Regards
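
The cross-check the thread works through by hand (router log destinations against what netstat shows bound on the PC), as an added example that is not code from any poster. The function names and the netstat excerpt are constructed for illustration; the four log entries are copied from the first post.

```python
import re
from collections import defaultdict

# Entry format as it appears in the router log in the first post.
LOG_RE = re.compile(r"\[LAN access from remote\] from ([\d.]+):(\d+) to ([\d.]+):(\d+),")

def summarize_log(log_text):
    """Map each (LAN ip, port) destination to the set of remote source IPs."""
    hits = defaultdict(set)
    for src, _sport, dst, dport in LOG_RE.findall(log_text):
        hits[(dst, int(dport))].add(src)
    return dict(hits)

def bound_ports(netstat_text):
    """Local ports with a TCP LISTENING or bound UDP socket in netstat -an / -abn output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 3 and ((f[0] == "TCP" and f[-1] == "LISTENING") or f[0] == "UDP"):
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports

def triage(log_text, netstat_text, host_ip):
    """Rows of (dst_ip, port, n_sources, listening). listening is None for any
    host other than host_ip, since the netstat capture says nothing about it."""
    ports = bound_ports(netstat_text)
    rows = []
    for (dst, port), srcs in sorted(summarize_log(log_text).items()):
        listening = (port in ports) if dst == host_ip else None
        rows.append((dst, port, len(srcs), listening))
    return rows

# Four entries copied from the log in the first post.
SAMPLE_LOG = """\
[LAN access from remote] from 178.65.250.225:52011 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33
[LAN access from remote] from 95.222.26.185:45471 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:33
[LAN access from remote] from 67.18.1.143:62490 to 192.168.1.30:3389, Wednesday, Apr 01,2015 12:13:32
[LAN access from remote] from 46.35.235.119:6881 to 192.168.1.10:6881, Wednesday, Apr 01,2015 12:13:31
"""
# Constructed netstat excerpt (not from the thread), standing in for 192.168.1.10.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_NETSTAT, "192.168.1.10"):
        print(row)
```

A `None` in the last column means the netstat capture has to be repeated on that host (here 192.168.1.30) before anything can be said about it.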