need help reading router logs

Discussion in 'Computer Security' started by RadarG, Sep 11, 2004.

  1. RadarG

    RadarG Guest

    I have a D-Link router and I get entries like this. I was wondering how do I
    read this and find out who or what is causing this? Thanks Justin

    Sep/10/2004 15:26:07

    Ping of Death Detect src:69.107.67.197:6918 dst:68.230.162.xxx:63749 Packet
    Dropped

    Sep/10/2004 15:26:06

    TearDrop Attack Detect src:69.107.67.197:6918 dst:68.230.162.xxx:63748
    Packet Dropped

    Sep/10/2004 15:24:04

    SMTP: send mail succeed

    Sep/10/2004 15:24:01

    Ping of Death Detect src:69.107.67.197:6918 dst:68.230.162.xxx:60699 Packet
    Dropped

    Sep/10/2004 15:22:49

    Drop TCP packet from WAN src:63.135.13.209:17565 dst:68.230.162.xxx:63777
    Rule: Default deny

    Sep/10/2004 15:22:23

    Drop TCP packet from WAN src:63.135.13.209:17565 dst:68.230.162.xxx:63771
    Rule: Default deny

    Sep/10/2004 15:20:25

    Drop ICMP packet from WAN src:83.16.17.154:3 dst:68.230.162.xxx:1 Rule:
    Default deny

    Sep/10/2004 15:20:24

    Drop TCP packet from WAN src:81.86.80.203:6882 dst:68.230.162.xxx:63884
    Rule: Default deny

    Sep/10/2004 15:20:20
    RadarG, Sep 11, 2004
    #1

  2. In article <URs0d.39210$xu6.14863@okepread02>, on Fri, 10 Sep 2004 21:50:42 -0400, "RadarG"
    <> wrote:

    | I have a D-Link router and I get entries like this. I was wondering how do I
    | read this and find out who or what is causing this? Thanks Justin

    <snip />

    <http://www.robertgraham.com/pubs/firewall-seen.html>

    <davidp />

    --
    David Postill
    David Postill, Sep 11, 2004
    #2

  3. Moe Trin

    Moe Trin Guest

    In article <URs0d.39210$xu6.14863@okepread02>, RadarG wrote:
    >I have a D-Link router and I get entries like this. I was wondering how do I
    >read this and find out who or what is causing this? Thanks Justin


    Your router is blocking crap from the Internet. It's working fine, but
    you have enabled logging when you don't need it. If it were really
    important to you, a search at google.com would provide TONS of answers.

    >Ping of Death Detect src:69.107.67.197:6918 dst:68.230.162.xxx:63749
    >TearDrop Attack Detect src:69.107.67.197:6918 dst:68.230.162.xxx:63748
    >Ping of Death Detect src:69.107.67.197:6918 dst:68.230.162.xxx:60699


    Some 8 year old skript kiddie on pacbell.net found a 1337 h4x0r kit
    with exploits to crash a windoze95 box. Pathetic.

    >SMTP: send mail succeed


    COMMENT: You seem to have sent an e-mail. Many people are now blocking
    mail from home IPs like yours because 99.99999% of it is spam. You may
    want to check that your mail tool is using the Smarthosts at your ISP,
    rather than sending direct.

    >Drop TCP packet from WAN src:63.135.13.209:17565 dst:68.230.162.xxx:63777
    >Drop TCP packet from WAN src:63.135.13.209:17565 dst:68.230.162.xxx:63771


    Not enough detail - host looks like cable modem in Sudbury, Ontario, CA.

    >Drop ICMP packet from WAN src:83.16.17.154:3 dst:68.230.162.xxx:1 Rule:
    >Default deny


    ICMP is different - the source "port" is the "Type" number of the message,
    and the destination "port" is the "Code" number. A Type 3 Code 1 is

    3 Destination Unreachable (see below)
    0 Network unreachable
    1 Host unreachable
    2 Protocol unreachable
    3 Port unreachable
    4 Fragmentation needed, but don't fragment bit set

    so a host in Poland is refusing to allow you to connect. Why were you
    trying to do so? NOTE: You are blocking this by default. Some people
    feel that blocking ICMP type 3 codes 0 to 4 is not a good idea, but it's
    only inconveniencing you, not anyone on the Internet.

    >Drop TCP packet from WAN src:81.86.80.203:6882 dst:68.230.162.xxx:63884


    Not enough detail, Host looks like DSL in the UK.

    Old guy
    Moe Trin, Sep 12, 2004
    #3
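The decoding rule Moe Trin gives above (on a D-Link "Drop ICMP packet" line the number after the source address is the ICMP type and the number after the destination is the code, while on TCP lines those positions hold real ports) is easy to apply by hand to one line and tedious across a day of log. The following is an added example, not code from the thread or from D-Link: a small Python parser that applies that rule, tags the "Detect" signature hits and the plain default-deny drops separately, and counts entries per source address so a repeat sender such as 69.107.67.197 stands out. The sample lines are constructed from the entries in the original post, with the timestamp that precedes each entry folded onto the same line and the masked "xxx" octet kept as-is.

```python
"""D-Link firewall log triage (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# Constructed sample input: the entries from the original post, one per line,
# with the timestamp line that precedes each entry folded in front of it.
SAMPLE_LOG = """\
Sep/10/2004 15:26:07 Ping of Death Detect src:69.107.67.197:6918 dst:68.230.162.xxx:63749 Packet Dropped
Sep/10/2004 15:26:06 TearDrop Attack Detect src:69.107.67.197:6918 dst:68.230.162.xxx:63748 Packet Dropped
Sep/10/2004 15:24:04 SMTP: send mail succeed
Sep/10/2004 15:24:01 Ping of Death Detect src:69.107.67.197:6918 dst:68.230.162.xxx:60699 Packet Dropped
Sep/10/2004 15:22:49 Drop TCP packet from WAN src:63.135.13.209:17565 dst:68.230.162.xxx:63777 Rule: Default deny
Sep/10/2004 15:22:23 Drop TCP packet from WAN src:63.135.13.209:17565 dst:68.230.162.xxx:63771 Rule: Default deny
Sep/10/2004 15:20:25 Drop ICMP packet from WAN src:83.16.17.154:3 dst:68.230.162.xxx:1 Rule: Default deny
Sep/10/2004 15:20:24 Drop TCP packet from WAN src:81.86.80.203:6882 dst:68.230.162.xxx:63884 Rule: Default deny
"""

# ICMP type names from RFC 792; the code table is the one Moe Trin quotes.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              8: "Echo Request", 11: "Time Exceeded"}
UNREACH_CODES = {0: "Network unreachable", 1: "Host unreachable",
                 2: "Protocol unreachable", 3: "Port unreachable",
                 4: "Fragmentation needed, but don't fragment bit set"}

TS_RE = re.compile(r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<msg>.+)$")
ADDR_RE = re.compile(r"src:(?P<src>[\w.]+):(?P<sport>\d+) dst:(?P<dst>[\w.]+):(?P<dport>\d+)")


def describe_icmp(icmp_type, icmp_code):
    """Render the type/code pair the router logs in the two 'port' positions."""
    tname = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    if icmp_type == 3:
        return "%s / %s" % (tname, UNREACH_CODES.get(icmp_code, "code %d" % icmp_code))
    return "%s / code %d" % (tname, icmp_code)


def parse_line(line):
    """Return a dict for one log line, or None if it does not look like one."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    entry = {"ts": m.group("ts"), "msg": msg, "src": None, "dst": None, "kind": "info"}
    a = ADDR_RE.search(msg)
    if a:
        entry["src"], entry["dst"] = a["src"], a["dst"]
        entry["event"] = msg[:a.start()].strip()
        if msg.startswith("Drop ICMP"):
            entry["kind"] = "icmp"
            # D-Link logs the ICMP type as the source "port" and the code as the
            # destination "port"; neither is a transport port.
            entry["icmp_type"], entry["icmp_code"] = int(a["sport"]), int(a["dport"])
            entry["icmp"] = describe_icmp(entry["icmp_type"], entry["icmp_code"])
        elif "Detect" in msg:
            entry["kind"] = "signature"   # "Ping of Death", "TearDrop": signature hits
            entry["sport"], entry["dport"] = int(a["sport"]), int(a["dport"])
        else:
            entry["kind"] = "drop"        # plain default-deny drop; real ports
            entry["sport"], entry["dport"] = int(a["sport"]), int(a["dport"])
    return entry


def summarize(log_text):
    """Group entries by source address so repeat senders stand out."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_source = Counter(e["src"] for e in entries if e["src"])
    kinds = defaultdict(set)
    for e in entries:
        if e["src"]:
            kinds[e["src"]].add(e["kind"])
    return {"entries": entries, "by_source": by_source, "kinds": dict(kinds)}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, n in s["by_source"].most_common():
        print("%-16s %d entries  %s" % (src, n, ", ".join(sorted(s["kinds"][src]))))
    for e in s["entries"]:
        if e["kind"] == "icmp":
            print(e["ts"], e["src"], "->", e["icmp"])
```

Run against the sample, the summary shows one source responsible for three signature hits and one ICMP entry that decodes to "Destination Unreachable / Host unreachable", which is the point of Moe Trin's explanation: that line is a reply, not a probe.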
  4. RadarG

    RadarG Guest

    "Moe Trin" <> wrote in message
    news:...
    > In article <URs0d.39210$xu6.14863@okepread02>, RadarG wrote:
    >>I have a D-Link router and I get entries like this. I was wondering how do I
    >>read this and find out who or what is causing this? Thanks Justin

    <snip />

    > so a host in Poland is refusing to allow you to connect. Why were you
    > trying to do so? NOTE: You are blocking this by default. Some people
    > feel that blocking ICMP type 3 codes 0 to 4 is not a good idea, but it's
    > only inconveniencing you, not anyone on the Internet.

    <snip />

    > Old guy
    >

    I'm not trying to connect to Poland. I turned off all of my computers and
    I'm still getting crap in my logs.
    RadarG, Sep 13, 2004
    #4
  5. RadarG

    RadarG Guest

    "Moe Trin" <> wrote in message
    news:...
    > In article <URs0d.39210$xu6.14863@okepread02>, RadarG wrote:
    >>I have a D-Link router and I get entries like this. I was wondering how do I
    >>read this and find out who or what is causing this? Thanks Justin

    <snip />

    > Old guy

    Thanks for the info Old guy. RadarG
    RadarG, Sep 13, 2004
    #5
  6. Moe Trin

    Moe Trin Guest

    In article <3z41d.39752$xu6.38600@okepread02>, RadarG wrote:
    >I'm not trying to connect to Poland.


    OK, what might have happened is that some one some where sent a packet
    to a host in Poland... 83.16.17.154 is a DSL connection in a big block
    administered by the Polish Telecom authority, that _claimed_ to have
    come from your host. This is called IP Spoofing, and there really isn't
    that much you can do about it. The good news is that even if this
    error message had reached your computer, it would be ignored (because
    it's not related to something you are doing). If you _had_ been trying
    to connect to 'aar154.internetdsl.tpnet.pl' for some reason, your O/S
    would have given you an error saying you can't get there from here,
    and that would be the end of that.

    >I turned off all of my computers and i'm still getting crap on my logs


    Well, yeah... I said:

    >> Some 8 year old skript kiddie on pacbell.net found a 1337 h4x0r kit
    >> with exploits to crash a windoze95 box. Pathetic.


    >> Not enough detail - host looks like cable modem in Sudbury Onterio, CA.


    >> Not enough detail, Host looks like DSL in the UK.


    so the only way you're going to stop this is to get into a tank, drive
    to Pleasanton California (roughly the junction between I-580 and I-680,
    about 25 miles/40 KM East of San Francisco) find the house of the skript
    kiddie, then drive the tank through the house and make a "pivot" turn
    on top of his computer. Then drive to Sudbury, Ontario, Canada, and
    find _that_ klown. Getting to the guy in England may be a bit harder.
    Given the cost of fuel, the fact that tanks get really lousy gas mileage,
    _nevermind_ getting said vehicle (neither Hertz, Avis or National have
    that many, and the rental costs are extremely high), this may not be a
    viable solution.

    Honest and true - your firewall is protecting you from the crap, and
    that's about all you need to know. It's really not _practical_ for you
    to do anything else (pacbell.net, along with the rest of SBC, has a
    pretty poor reputation for doing _anything_ about abuse complaints, and
    I've not heard much good about in the UK - I can't
    speak about Cyber Beach Communications in Ontario). Your best bet
    might just be to turn off the _logging_ function on your router, as
    it's not really doing anything good for you.

    Old guy
    Moe Trin, Sep 13, 2004
    #6
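Moe Trin's explanation above turns on a detail of the protocol: RFC 792 requires a Destination Unreachable message to quote the IP header and first 8 bytes of the datagram that provoked it. That quoted fragment is what lets a host (or a stateful firewall) tell a reply to its own traffic from backscatter of a packet somebody else sent with a spoofed source address. The D-Link log does not record the quoted fragment, so the check cannot be done from the log alone; the following added example, which is not code from the thread, shows it on a constructed packet. The address 68.230.162.10 is a stand-in for the masked "xxx" host, the inner TCP flow (port 63900 to port 80) is invented, and `known_flows` is a constructed stand-in for whatever connection table the local host keeps.

```python
"""Decode an ICMP Destination Unreachable message and decide whether it
answers traffic we actually sent (added example, not from the thread)."""
import socket
import struct

# Constructed stand-in for the masked address in the post (68.230.162.xxx).
MY_IP = "68.230.162.10"


def ones_complement_checksum(data):
    """RFC 1071 checksum; over a packet whose checksum field is valid it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_unreachable(code, quoted_src, quoted_dst, proto, sport, dport):
    """Build what the remote host sends back: an ICMP type 3 header followed by
    the IPv4 header and first 8 bytes of the datagram it is complaining about
    (RFC 792). Used here only to construct test input."""
    inner_ip = struct.pack("!BBHHHBBH4s4s",
                           0x45, 0, 28, 0x1234, 0, 64, proto, 0,
                           socket.inet_aton(quoted_src), socket.inet_aton(quoted_dst))
    inner_l4 = struct.pack("!HHI", sport, dport, 0)   # TCP and UDP both begin with src/dst port
    msg = struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + inner_l4
    csum = ones_complement_checksum(msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_icmp_unreachable(pkt):
    """Pull the quoted inner packet out of a type 3 message; raise on junk."""
    if len(pkt) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    if ones_complement_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, icmp_code = pkt[0], pkt[1]
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp_type)
    ihl = (pkt[8] & 0x0F) * 4               # inner IPv4 header length in bytes
    inner = pkt[8:8 + ihl]
    l4 = pkt[8 + ihl:8 + ihl + 8]
    sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "code": icmp_code,
        "quoted_src": socket.inet_ntoa(inner[12:16]),
        "quoted_dst": socket.inet_ntoa(inner[16:20]),
        "proto": inner[9],
        "sport": sport,
        "dport": dport,
    }


def is_well_formed(pkt):
    try:
        parse_icmp_unreachable(pkt)
        return True
    except ValueError:
        return False


def classify(quoted, known_flows, my_ip=MY_IP):
    """Relate the unreachable message to traffic we sent.
    known_flows: set of (src, dst, proto, sport, dport) the local host opened."""
    flow = (quoted["quoted_src"], quoted["quoted_dst"], quoted["proto"],
            quoted["sport"], quoted["dport"])
    if quoted["quoted_src"] != my_ip:
        return "misdirected"       # quoted packet did not even claim our address
    if flow in known_flows:
        return "genuine"           # our own connection attempt really was refused
    return "backscatter"           # someone spoofed our address toward that host


if __name__ == "__main__":
    pkt = build_icmp_unreachable(1, MY_IP, "83.16.17.154", 6, 63900, 80)
    q = parse_icmp_unreachable(pkt)
    print(q, "->", classify(q, set()))
```

With an empty flow table the constructed message classifies as backscatter, which is the "spoofed packet, nothing you can do about it, and your host would have ignored it anyway" case Moe Trin describes; add the matching flow and the same message becomes a genuine "host unreachable" for a connection you opened.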
  7. RadarG

    RadarG Guest

    "RadarG" <> wrote in message news:<Ivc1d.39776$xu6.19315@okepread02>...
    > "Moe Trin" <> wrote in message
    > news:...

    <snip />

    > Thanks for the info Old guy. RadarG


    I have been running Ethereal and I don't see anything strange inside my
    network. RadarG
    RadarG, Sep 16, 2004
    #7
