 manda1
join:2003-01-23 New Lebanon, OH
Router Logs - Is someone trying to hack me?
log.zip (1,991 bytes) - Here's the log file (log.txt)
I am using a DI-524 behind a T-1 line for local browsing machines. I set the router to email me logs when they get full, and about every 30 minutes I get an email with logs like this one attached (I changed MY IP to 12.34.567.8 to protect myself a bit more).
I have noticed a big spike in my T-1 usage (mostly outgoing, though) lately. Is this someone trying to hack me, or...? Is this affecting my traffic? It looks like the router is doing the proper thing by dropping the packets, so I guess it's doing its job, but could this be causing the outgoing traffic spikes on my T-1?
Thanks for any input/help in advance.
Mike Rogers
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
Really wild guess: employees doing a bit of file sharing or listening to online radio stations? I'd start by checking the spike times as one wanders the office to see what's going on, followed by an audit of the workstations to see what's installed.
This assumes you have AV/AT in place and no botnet infections.
 manda1
join:2003-01-23 New Lebanon, OH
This is a very small office out of my home; there are only a total of 5 PCs behind the router, 2 of which are really not even used.
So I know what's installed on them, and there are no file sharing programs running. I was streaming a radio station yesterday for a bit, but that's it. I'm going to shut them all off for about 30 minutes and see what happens. I'll let you know.
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
Be sure to monitor the logs for a while while it's down to differentiate between normal unsolicited traffic and that which might be triggered by systems inside your net. Also, bring up the systems one at a time and check the logs to see which systems (if any) trigger activity.
If you have ZA or another application firewall on the PCs, you might set them to display a popup or log entry for every program request to see what may be initiating connections.
 manda1
join:2003-01-23 New Lebanon, OH
I definitely believe it's an outside source. I had all the PCs shut down from 03:10 to 03:50, and here's a small sample of the log:
Jan/15/2005 03:36:21 Drop TCP packet from WAN src:69.73.168.222:80 dst:12.34.567.8:61044 Rule: Default deny
Jan/15/2005 03:36:21 Drop TCP packet from WAN src:68.22.73.145:80 dst:12.34.567.8:60461 Rule: Default deny
Jan/15/2005 03:36:10 Drop TCP packet from WAN src:67.15.35.16:80 dst:12.34.567.8:60403 Rule: Default deny
Jan/15/2005 03:36:06 Drop TCP packet from WAN src:64.69.68.158:80 dst:12.34.567.8:60367 Rule: Default deny
Jan/15/2005 03:36:05 Drop TCP packet from WAN src:64.69.68.158:80 dst:12.34.567.8:60353 Rule: Default deny
Jan/15/2005 03:35:54 Drop TCP packet from WAN src:66.98.212.2:80 dst:12.34.567.8:60222 Rule: Default deny
Jan/15/2005 03:35:51 Drop TCP packet from WAN src:12.29.165.68:80 dst:12.34.567.8:60567 Rule: Default deny
Jan/15/2005 03:35:48 Drop TCP packet from WAN src:66.132.238.197:80 dst:12.34.567.8:60267 Rule: Default deny
Jan/15/2005 03:35:46 Drop TCP packet from WAN src:216.234.186.14:80 dst:12.34.567.8:60232 Rule: Default deny
Jan/15/2005 03:35:46 Drop TCP packet from WAN src:66.132.238.197:80 dst:12.34.567.8:60240 Rule: Default deny
Jan/15/2005 03:35:28 Drop TCP packet from WAN src:12.29.165.68:80 dst:12.34.567.8:60567 Rule: Default deny
Jan/15/2005 03:35:24 Drop UDP packet from WAN src:12.22.179.156:10488 dst:12.34.567.8:33436 Rule: Default deny
Jan/15/2005 03:35:20 Drop UDP packet from WAN src:12.22.179.156:10488 dst:12.34.567.8:33436 Rule: Default deny
Jan/15/2005 03:35:18 Drop TCP packet from WAN src:84.97.19.133:1173 dst:12.34.567.8:445 Rule: Default deny
Jan/15/2005 03:35:16 Drop TCP packet from WAN src:12.29.165.68:80 dst:12.34.567.8:60567 Rule: Default deny
Jan/15/2005 03:35:16 Drop UDP packet from WAN src:12.22.179.156:10488 dst:12.34.567.8:33436 Rule: Default deny
Jan/15/2005 03:35:11 Drop UDP packet from WAN src:12.22.179.156:10488 dst:12.34.567.8:33436 Rule: Default deny
Jan/15/2005 03:35:09 Drop UDP packet from WAN src:69.7.175.21:10436 dst:12.34.567.8:33435 Rule: Default deny
Jan/15/2005 03:35:09 Drop TCP packet from WAN src:12.29.165.68:80 dst:12.34.567.8:60567 Rule: Default deny
Jan/15/2005 03:35:08 Drop UDP packet from WAN src:12.22.179.156:10488 dst:12.34.567.8:33436 Rule: Default deny
Jan/15/2005 03:35:05 Drop TCP packet from WAN src:66.132.238.197:80 dst:12.34.567.8:60267 Rule: Default deny
  TerryMiller Premium join:2003-10-23
reply to manda1: The funny thing is that a lot of these are web sites. Tetra Corporation is 12.29.165.68, and arbitrage software is on 66.132.238.197.
Your router is blocking, and your traffic, while heavy, isn't unheard of. The 12.x network is home to a lot of AT&T dial-up users, so I'd expect the unsolicited traffic to be heavier there than in other places. -- My family site
 manda1
join:2003-01-23 New Lebanon, OH
That is really weird. The thing is, these logs are coming to me every 10-30 minutes or so when the router's log gets full, which I think is like 220 log entries, so maybe that's not a TON of traffic, but it still makes no sense to me...
BTW, I changed the DEST IP in my logs for further protection; my IP really isn't 12.34.567.8, so the reference to the 12.x network in your above post really doesn't apply. My network is a full T-1 / full Class C IP block that I've owned for almost 1 year.
Maybe that many entries are normal from constant scans; maybe I'm not being targeted?
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
One set of possibilities I'd explore is that these aren't scans.
That they might be timed-out connections.
That possibly distro-hackers have hidden some variety of file server on one of your machines.
Microsoft Baseline Security Analyzer and Belarc Advisor are two tools that might reveal hacker activity on your machines.
There is more on pustro forensics here: »www.mynetwatchman.com/kb/securit···ndex.htm -- (Virus&Hijacking FAQ + Submit suspected malware + Backups FAQ + Security FAQ TOC)
  TerryMiller Premium join:2003-10-23
reply to manda1: 440 hits per hour isn't the worst I've ever had, but if it's sustained like that for weeks then it's pretty bad.
I'd follow the instructions here just to be certain that one of your computers is not causing the problem.
Traffic from file sharing programs can take a long time to go away. Being on a dynamic IP, I inherited an eMule user's address and started with several hundred connection attempts per hour. After a day it was just cut in half.
-- My family site |
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
reply to manda1: The UDP packets are most likely UDP traceroutes. In a UDP traceroute the default starting destination port number is 33434.
As TerryMiller said, the TCP packets with a source port of 80 indicate that they may be from a web site. 66.132.238.197 is RiskFreeProfit. As keith2468 said, it is possible that these are late-arriving packets from web sites you are surfing. -- Dog and Butterfly
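The triage keith2468 and TheWiseGuy sketch above (UDP to destination ports counting up from 33434 is traceroute, TCP from source port 80 to a high ephemeral port is a late reply from a web server, and the same flow being dropped over and over is a timed-out connection rather than a scan) is simple enough to script against the DI-524 log format exactly as manda1 posted it. The following is an added example, not code from anyone in the thread. It parses each "Drop ... packet from WAN" line, classifies it by those port heuristics, and flags flows whose drops recur with growing gaps, which is what TCP retransmission of a dead connection looks like. Two labels are my own additions and were not stated in the thread: treating source port 443 like port 80, and labelling TCP to destination port 445 (Microsoft-DS/SMB) as a probe. The sample input is the 21 entries posted above, embedded inline; the obfuscated address 12.34.567.8 is kept verbatim even though it is not a valid IPv4 address.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: the 21 DI-524 entries manda1 posted, one per line.
# 12.34.567.8 is the poster's own obfuscation of the real address.
SAMPLE_LOG = """\
Jan/15/2005 03:36:21 Drop TCP packet from WAN src:69.73.168.222:80 dst:12.34.567.8:61044 Rule: Default deny
Jan/15/2005 03:36:21 Drop TCP packet from WAN src:68.22.73.145:80 dst:12.34.567.8:60461 Rule: Default deny
Jan/15/2005 03:36:10 Drop TCP packet from WAN src:67.15.35.16:80 dst:12.34.567.8:60403 Rule: Default deny
Jan/15/2005 03:36:06 Drop TCP packet from WAN src:64.69.68.158:80 dst:12.34.567.8:60367 Rule: Default deny
Jan/15/2005 03:36:05 Drop TCP packet from WAN src:64.69.68.158:80 dst:12.34.567.8:60353 Rule: Default deny
Jan/15/2005 03:35:54 Drop TCP packet from WAN src:66.98.212.2:80 dst:12.34.567.8:60222 Rule: Default deny
Jan/15/2005 03:35:51 Drop TCP packet from WAN src:12.29.165.68:80 dst:12.34.567.8:60567 Rule: Default deny
Jan/15/2005 03:35:48 Drop TCP packet from WAN src:66.132.238.197:80 dst:12.34.567.8:60267 Rule: Default deny
Jan/15/2005 03:35:46 Drop TCP packet from WAN src:216.234.186.14:80 dst:12.34.567.8:60232 Rule: Default deny
Jan/15/2005 03:35:46 Drop TCP packet from WAN src:66.132.238.197:80 dst:12.34.567.8:60240 Rule: Default deny
Jan/15/2005 03:35:28 Drop TCP packet from WAN src:12.29.165.68:80 dst:12.34.567.8:60567 Rule: Default deny
Jan/15/2005 03:35:24 Drop UDP packet from WAN src:12.22.179.156:10488 dst:12.34.567.8:33436 Rule: Default deny
Jan/15/2005 03:35:20 Drop UDP packet from WAN src:12.22.179.156:10488 dst:12.34.567.8:33436 Rule: Default deny
Jan/15/2005 03:35:18 Drop TCP packet from WAN src:84.97.19.133:1173 dst:12.34.567.8:445 Rule: Default deny
Jan/15/2005 03:35:16 Drop TCP packet from WAN src:12.29.165.68:80 dst:12.34.567.8:60567 Rule: Default deny
Jan/15/2005 03:35:16 Drop UDP packet from WAN src:12.22.179.156:10488 dst:12.34.567.8:33436 Rule: Default deny
Jan/15/2005 03:35:11 Drop UDP packet from WAN src:12.22.179.156:10488 dst:12.34.567.8:33436 Rule: Default deny
Jan/15/2005 03:35:09 Drop UDP packet from WAN src:69.7.175.21:10436 dst:12.34.567.8:33435 Rule: Default deny
Jan/15/2005 03:35:09 Drop TCP packet from WAN src:12.29.165.68:80 dst:12.34.567.8:60567 Rule: Default deny
Jan/15/2005 03:35:08 Drop UDP packet from WAN src:12.22.179.156:10488 dst:12.34.567.8:33436 Rule: Default deny
Jan/15/2005 03:35:05 Drop TCP packet from WAN src:66.132.238.197:80 dst:12.34.567.8:60267 Rule: Default deny
"""

# One DI-524 drop line; the address pattern is deliberately loose so the
# obfuscated 12.34.567.8 still parses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Drop (?P<proto>TCP|UDP) packet from WAN "
    r"src:(?P<src>[\d.]+):(?P<sport>\d+) dst:(?P<dst>[\d.]+):(?P<dport>\d+) Rule: (?P<rule>.+)$"
)

# Classic UDP traceroute starts at 33434 and bumps the port once per probe,
# so a short range above the base covers a full 30-hop trace.
TRACEROUTE_PORTS = range(33434, 33535)


def parse(line):
    """Return a dict for one drop line, or None if the line is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%b/%d/%Y %H:%M:%S")
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e


def classify(e):
    """Port-based heuristics from the thread (plus the 443 and 445 labels, my additions)."""
    if e["proto"] == "UDP" and e["dport"] in TRACEROUTE_PORTS:
        return "udp_traceroute_probe"
    if e["proto"] == "TCP" and e["sport"] in (80, 443) and e["dport"] >= 1024:
        return "late_web_reply"          # server talking to an ephemeral port we no longer hold
    if e["proto"] == "TCP" and e["dport"] == 445:
        return "smb_probe"               # unsolicited connection attempt to Microsoft-DS/SMB
    return "other"


def triage(text):
    """Classify every line and flag flows dropped three or more times (likely retransmits)."""
    entries = [e for e in (parse(l) for l in text.splitlines()) if e]
    by_class = Counter(classify(e) for e in entries)
    flows = defaultdict(list)
    for e in entries:
        flows[(e["proto"], e["src"], e["sport"], e["dport"])].append(e["ts"])
    repeated = {}
    for key, times in flows.items():
        if len(times) >= 3:
            times.sort()
            # Gaps between successive drops; growing gaps match TCP retransmission back-off.
            repeated[key] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return {"parsed": len(entries), "by_class": dict(by_class), "repeated_flows": repeated}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['parsed']} entries parsed")
    for label, n in sorted(result["by_class"].items()):
        print(f"  {label:22s} {n}")
    for (proto, src, sport, dport), gaps in result["repeated_flows"].items():
        print(f"  repeated {proto} {src}:{sport} -> :{dport}  gaps(s)={gaps}")
```

On the posted sample the script finds 14 late web replies, 6 traceroute probes and one SMB probe, and it singles out 12.29.165.68:80 -> :60567, dropped at gaps of 7, 12 and 23 seconds, which is the retransmission curve of a server still trying to deliver to a connection the inside host has already forgotten. That pattern, not the raw count, is the check worth running before concluding a burst of drops is a scan; the script is equally applicable to a full log.txt export, since parse() ignores any line that is not a WAN drop.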