Firewall query

Discussion in 'Computer Support' started by Andy Kelly, Sep 7, 2004.

  1. Andy Kelly

    Andy Kelly Guest

    I've just checked my firewall log for the first time.

    There are loads of entries like this:
    07 September 2004 18:20:12 Unrecognized access from 61.150.xx.y:zzzzz to TCP
    port 21
    07 September 2004 18:21:17 Unrecognized access from 82.120.xxx.yyy:zzzz to
    UDP port 1680
    07 September 2004 18:43:55 Unrecognized access from 222.138.xxx.yyy:zzzz to
    TCP port 9898
    07 September 2004 18:51:19 Unrecognized access from 12.188.xxx.yyy:zzzzz to
    UDP port 1028

    Are these hackers trying to look at my LAN? And if so, are they getting
    through?

    The firewall is part of my D-Link DI-604 broadband router.

    Andy
    Andy Kelly, Sep 7, 2004
    #1

  2. Andy Kelly

    why? Guest

    On Tue, 07 Sep 2004 20:18:09 GMT, Andy Kelly wrote:

    >I've just checked my firewall log for the first time.
    >
    >There are loads of entries like this:
    >07 September 2004 18:20:12 Unrecognized access from 61.150.xx.y:zzzzz to TCP
    >port 21


    Port 21 - FTP, can't tell about the source as you blanked the 3rd and
    4th octets.

    >07 September 2004 18:21:17 Unrecognized access from 82.120.xxx.yyy:zzzz to
    >UDP port 1680


    The other port numbers are generally for any purpose, from the
    registered port range.
    http://www.iana.org/assignments/port-numbers

    >07 September 2004 18:43:55 Unrecognized access from 222.138.xxx.yyy:zzzz to
    >TCP port 9898
    >07 September 2004 18:51:19 Unrecognized access from 12.188.xxx.yyy:zzzzz to
    >UDP port 1028


    With so few examples, different IPs, and no pattern of IPs / ports, it's
    hard to tell.


    >Are these hackers trying to look at my LAN? And if so, are they getting
    >through?


    Doesn't your router manual tell you what it does with unrecognised
    access connections?

    >The firewall is part of my D-Link DI-604 broadband router.


    You could try a whois / samspade (search 24HSHD past posts, Google
    Groups) search on the full IP addresses and report the connections to
    the appropriate carrier / service provider.

    I use filtering on the router and Outpost on the PC; it works quite well.

    Me
    why?, Sep 7, 2004
    #2

  3. Andy Kelly

    Andy Kelly Guest

    > Port 21 - FTP, can't tell about the source as you blanked the 3rd and
    > 4th octets.


    I thought it would be a good idea to blank out anything to identify someone.
    How about this (just rebooted the router so not too many at the moment):

    07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to
    UDP port 1026 07 September 2004 22:12:53 Unrecognized access from
    221.143.42.254:41755 to UDP port 1027 07 September 2004 22:12:53
    Unrecognized access from 221.143.42.254:41755 to UDP port 1028 07 September
    2004 22:20:44 Unrecognized access from 82.82.72.91:3108 to TCP port 2745
    07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3111 to TCP
    port 1025
    07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3114 to TCP
    port 3127
    07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3115 to TCP
    port 6129
    07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3117 to TCP
    port 80
    07 September 2004 22:23:49 Unrecognized access from 12.115.161.85:21960 to
    UDP port 1028

    > >Are these hackers trying to look at my LAN? And if so, are they getting
    > >through?

    >
    > Doesn't your router manual tell you what it does with unrecognised
    > access connections?
    >


    The manual is appalling. It tells you how to set the options but not what
    they actually do.
    Andy Kelly, Sep 7, 2004
    #3
  4. Andy Kelly

    why? Guest

    On Tue, 07 Sep 2004 21:27:52 GMT, Andy Kelly wrote:

    >> Port 21 - FTP, can't tell about the source as you blanked the 3rd and
    >> 4th octets.

    >
    >I thought it would be a good idea to blank out anything to identify someone.


    Expected that, it's sometimes a grey area.

    >How about this (just rebooted the router so not too many at the moment):
    >


    The line wraps make it difficult to read....

    >07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1026
    >07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1027
    >07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1028

    The above, at the same time, look like a scan with consecutive ports; the
    IP (using Visual Route) is

    inetnum: 221.138.0.0 - 221.143.255.255
    netname: HANANET
    descr: Hanaro Telecom, Inc.
    descr: 726, JangHang-2dong, ILSAN-Gu, Goyang-Si, Kyonggi-Do
    country: KR
    admin-c: IS37-AP
    tech-c: SH243-AP
    descr: ************************************************
    descr: Allocated to KRNIC Member.
    descr: If you would like to find assignment
    descr: information in detail please refer to
    descr: the KRNIC Whois Database at:
    descr: "http://whois.nic.or.kr/english/index.html"
    descr: ************************************************
    status: ALLOCATED PORTABLE
    mnt-by: MNT-KRNIC-AP




    >07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3108 to TCP port 2745

    >07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3111 to TCP
    >port 1025


    >07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3114 to TCP
    >port 3127


    >07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3115 to TCP
    >port 6129


    >07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3117 to TCP
    >port 80


    Above, again, timing and ports look like a scan.

    inetnum: 145.254.15.0 - 145.254.15.255
    netname: ARCOR-BACKBONE-KAR-NET1
    descr: Arcor AG & Co
    descr: Alfred-Herrhausen-Allee 1
    descr: D-65760 Eschborn
    descr: Germany
    country: DE


    >07 September 2004 22:23:49 Unrecognized access from 12.115.161.85:21960 to
    >UDP port 1028


    CustName: AT&T Worldnet Services
    Address: 412 Mount Kemble Ave.
    Address: P.O. Box 1995
    City: Morristown
    StateProv: NJ
    PostalCode: 07962
    Country: US
    RegDate: 2003-11-26
    Updated: 2003-11-26

    NetRange: 12.112.0.0 - 12.119.255.255
    CIDR: 12.112.0.0/13
    NetName: ATTSVI-12-112-0-0
    NetHandle: NET-12-112-0-0-1
    Parent: NET-12-0-0-0-1
    NetType: Reassigned



    >> >Are these hackers trying to look at my LAN? And if so, are they getting


    The Korea ones usually are.

    >> >through?


    They shouldn't be. One way to tell is running a software firewall / IDS
    (Intrusion Detection System) like BlackIce http://www.iss.net/ on the
    PC. It shouldn't see anything the router FW blocks.

    >> Doesn't your router manual tell you what it does with unrecognised
    >> access connections?
    >>

    >
    >The manual is appalling. It tells you how to set the options but not what
    >they actually do.
    >


    Generally if the router / firewall warns it should also be dropping the
    attempts.

    Me
    why?, Sep 7, 2004
    #4
  5. Andy Kelly

    Andy Kelly Guest

    Thanks for that. Very informative.

    Andy
    Andy Kelly, Sep 8, 2004
    #5
