Review of my home broadband router logs (suspicious activity?)

Does this activity found accidentally in my home broadband wireless router log seem suspicious to you?
Here is a screenshot of the suspicious log entries:
https://i.imgur.com/iZm1CCq.jpg
When "I" log into my router, I see a line like this: [Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
But, I see the following (suspicious?) activity in my log file:
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
I don't know what this really means: "LAN access from remote".
Looking at the router wired & wireless list of devices, 192.168.1.5 seems to not be attached at the moment.
But, looking back, I can determine (from the MAC address) that it's my child's Sony Playstation (which has "UPNP events" whatever they are):
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015 16:17:47
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
*****************************************************************
Can you advise me whether I should be worried that there are many LAN accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************
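To make the two kinds of line in the log above easier to reason about, here is an added Python example (not something from the post or from the router vendor) that parses them and reports, per internal host:port, how many hits arrived from how many distinct outside addresses, how tightly they cluster in time, and how long after the host's last "UPnP set event" the first inbound hit came. The log lines are the ones quoted above, embedded as constructed input; the 60-second window and the UPnP-lead check are this example's own heuristics, not anything the router documents.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input for this example: the entries quoted in the post, in the
# order the router printed them (newest first).
ROUTER_LOG = """\
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
"""

REMOTE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$")
UPNP_RE = re.compile(
    r"\[UPnP set event: (?P<event>\S+)\] from source (?P<src>[\d.]+), (?P<when>.+)$")
TIME_FMT = "%A, %b %d,%Y %H:%M:%S"  # e.g. "Saturday, Dec 19,2015 06:32:28"


def parse_log(text):
    """Return the recognised events as dicts, oldest first; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            events.append({"kind": "remote", "src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"]),
                           "t": datetime.strptime(m["when"], TIME_FMT)})
            continue
        m = UPNP_RE.match(line)
        if m:
            events.append({"kind": "upnp", "src": m["src"], "event": m["event"],
                           "t": datetime.strptime(m["when"], TIME_FMT)})
    return sorted(events, key=lambda e: e["t"])


def summarise_targets(events):
    """Per internal host:port -> hit count, distinct outside sources, first/last time."""
    by_target = defaultdict(list)
    for e in events:
        if e["kind"] == "remote":
            by_target[f"{e['dst']}:{e['dport']}"].append(e)
    return {target: {"hits": len(hits),
                     "sources": sorted({h["src"] for h in hits}),
                     "first": hits[0]["t"], "last": hits[-1]["t"]}
            for target, hits in by_target.items()}


def max_sources_in_window(events, target, window_s=60):
    """Largest number of distinct outside sources that hit `target` inside any
    window_s-second window (two-pointer sweep over the time-sorted hits)."""
    hits = [(e["t"], e["src"]) for e in events
            if e["kind"] == "remote" and f"{e['dst']}:{e['dport']}" == target]
    best, j = 0, 0
    for i in range(len(hits)):
        while j < len(hits) and (hits[j][0] - hits[i][0]).total_seconds() <= window_s:
            j += 1
        best = max(best, len({src for _, src in hits[i:j]}))
    return best


def upnp_lead_seconds(events, host):
    """Seconds from the host's last UPnP set event to the first inbound hit on it,
    or None if either is missing. A small positive number means the inbound
    traffic began right after the host asked the router for something."""
    first_hit = next((e["t"] for e in events
                      if e["kind"] == "remote" and e["dst"] == host), None)
    if first_hit is None:
        return None
    prior = [e["t"] for e in events
             if e["kind"] == "upnp" and e["src"] == host and e["t"] <= first_hit]
    return (first_hit - max(prior)).total_seconds() if prior else None


if __name__ == "__main__":
    ev = parse_log(ROUTER_LOG)
    for target, s in summarise_targets(ev).items():
        host = target.split(":")[0]
        print(f"{target}: {s['hits']} hits from {len(s['sources'])} sources, "
              f"{s['first']:%H:%M:%S} to {s['last']:%H:%M:%S}, "
              f"peak {max_sources_in_window(ev, target)} distinct sources per minute, "
              f"UPnP set event {upnp_lead_seconds(ev, host)} s before the first hit")
```

On this input it reports 13 hits from 13 distinct sources on 192.168.1.5:9000 over 610 seconds, ten of them within 8 seconds, and a UPnP set event from 192.168.1.5 three seconds before the first one. Many unrelated sources reaching one port right after the console's UPnP set event (typically a port-mapping request) is what a peer-to-peer game session, or a scan of a freshly opened port, looks like from the router side; the log alone cannot say which.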

Are you afraid of, what, exactly?
On Tue, 22 Dec 2015 23:11:38 -0500, ng_reader wrote:

To answer why I ask about these activities, it's that I did not elicit these transactions, nor do I understand them.
The IP addresses seem to belong to the following (from a whois):
--------------------------------------------------
inetnum: 93.38.176.0 - 93.38.183.255
netname: FASTWEB-DPPU
descr: Infrastructure for Fastwebs main location
descr: NAT POOL 7 for residential customer POP 4106,
country: IT
--------------------------------------------------
inetnum: 177.204/14
aut-num: AS18881
abuse-c: GOI
owner: Global Village Telecom
country: BR
--------------------------------------------------
inetnum: 101.160.0.0 - 101.191.255.255
netname: TELSTRAINTERNET50-AU
descr: Telstra
descr: Level 12, 242 Exhibition St
descr: Melbourne
descr: VIC 3000
country: AU
--------------------------------------------------
inetnum: 181.164/14
status: allocated
aut-num: N/A
owner: CABLEVISION S.A.
ownerid: AR-CASA10-LACNIC
responsible: Esteban Poggio
address: Aguero, 3440,
address: 1605 - Munro - BA
country: AR
--------------------------------------------------
inetnum: 2.133.64.0 - 2.133.71.255
netname: TALDYKMETRO
descr: JSC Kazakhtelecom, Taldykorgan
descr: Metro Ethernet Network
country: KZ
--------------------------------------------------
inetnum: 186.204/14
aut-num: AS28573
abuse-c: GRSVI
owner: CLARO S.A.
ownerid: 040.432.544/0835-06
responsible: CLARO S.A.
country: BR
--------------------------------------------------
inetnum: 148.246/16
status: allocated
aut-num: N/A
owner: Mexico Red de Telecomunicaciones, S. de R.L. de C.V.
ownerid: MX-MRTS1-LACNIC
responsible: Ana María Solorzano Luna Parra
address: Bosque de Duraznos, 55, PB, Bosques de las Lomas
address: 11700 - Miguel Hidalgo - DF
country: MX
--------------------------------------------------
inetnum: 195.67.224.0 - 195.67.255.255
netname: TELIANET
descr: TeliaSonera AB Networks
descr: ISP
country: SE
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: NTTDoCoMo
descr: NTT DOCOMO,INC.
descr: Sanno Park Tower Bldg.11-1 Nagatacho 2-chome
descr: Chiyoda-ku,Tokyo Japan
country: JP
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: MAPS
descr: NTT DoCoMo, Inc.
country: JP
--------------------------------------------------
inetnum: 178.116.0.0 - 178.116.255.255
netname: TELENET
descr: Telenet N.V. Residentials
remarks: INFRA-AW
country: BE
--------------------------------------------------
inetnum: 82.237.140.0 - 82.237.143.255
netname: FR-PROXAD-ADSL
descr: Proxad / Free SAS
descr: Static pool (Freebox)
descr: deu95-3 (mours)
descr: NCC#2005090519
country: FR
--------------------------------------------------
NetRange: 107.192.0.0 - 107.223.255.255
NetName: SIS-80-4-2012
NetHandle: NET-107-192-0-0-1
Parent: NET107 (NET-107-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS7132
Organization: AT&T Internet Services (SIS-80)
City: Richardson
StateProv: TX
--------------------------------------------------
NetRange: 216.98.48.0 - 216.98.63.255
CIDR: 216.98.48.0/20
NetName: UBICOM
NetHandle: NET-216-98-48-0-1
Parent: NET216 (NET-216-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Ubisoft Entertainment (UBISOF-2)
--------------------------------------------------
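Doing the attribution above by hand for thirteen addresses is error-prone, and the records come back in three different range notations (RIPE/APNIC "a.b.c.d - e.f.g.h", LACNIC's abbreviated "177.204/14", ARIN's NetRange plus CIDR). Below is an added Python example, not code from the post, that parses records in that layout and maps each logged source to the most specific block holder and country. Only an excerpt of the records above is embedded (constructed input chosen to cover the three notations), so addresses outside the excerpt correctly come back as unattributed.

```python
import ipaddress
import re

# Constructed input for this example: an excerpt of the whois records quoted
# above, covering the three range notations they use.
WHOIS_EXCERPT = """\
inetnum: 93.38.176.0 - 93.38.183.255
netname: FASTWEB-DPPU
descr: NAT POOL 7 for residential customer POP 4106,
country: IT
--------------------------------------------------
inetnum: 177.204/14
aut-num: AS18881
owner: Global Village Telecom
country: BR
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: NTTDoCoMo
country: JP
--------------------------------------------------
NetRange: 216.98.48.0 - 216.98.63.255
CIDR: 216.98.48.0/20
NetName: UBICOM
Organization: Ubisoft Entertainment (UBISOF-2)
"""

# A subset of the outside addresses from the router log in the first post.
SOURCES = ["93.38.179.187", "177.206.146.201", "1.78.16.174",
           "216.98.48.95", "101.176.44.21"]


def parse_range(text):
    """'a.b.c.d - e.f.g.h', 'a.b/14' or 'a.b.c.d/20' -> list of ip_network."""
    text = text.strip()
    if " - " in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split(" - ", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    prefix, length = text.split("/")
    octets = prefix.split(".")
    prefix = ".".join(octets + ["0"] * (4 - len(octets)))  # "177.204/14" -> "177.204.0.0/14"
    return [ipaddress.ip_network(f"{prefix}/{length}", strict=False)]


def parse_whois(text):
    """Split on the dashed separators; keys are lower-cased so RIPE/LACNIC
    'inetnum' and ARIN 'NetRange' records are handled by the same code."""
    records = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.strip().splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields.setdefault(key.strip().lower(), value.strip())  # first value wins
        range_text = fields.get("inetnum") or fields.get("netrange")
        if range_text:
            records.append({"nets": parse_range(range_text), "fields": fields})
    return records


def lookup(ip, records):
    """Record with the most specific range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for rec in records:
        for net in rec["nets"]:
            if addr in net and net.prefixlen > best_len:
                best, best_len = rec, net.prefixlen
    return best


def attribute(ips, records):
    """ip -> (holder name, country) or None when no record covers it."""
    out = {}
    for ip in ips:
        rec = lookup(ip, records)
        if rec is None:
            out[ip] = None
            continue
        f = rec["fields"]
        out[ip] = (f.get("netname") or f.get("organization") or f.get("owner"),
                   f.get("country"))
    return out


if __name__ == "__main__":
    for ip, who in attribute(SOURCES, parse_whois(WHOIS_EXCERPT)).items():
        print(ip, "->", who)
```

Whois only tells you who holds the block, and most of these are residential ISP pools (the Fastweb record even says "NAT POOL ... for residential customer"), which is equally consistent with other home users' consoles and with compromised home machines; it says nothing about intent.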
ng_reader wrote:

Ask the kid if he is playing an on-line game.
On Tue, 22 Dec 2015 22:00:40 -0700, Tony Hwang wrote:

He does play online, but I don't know if *those* are activities *he* initiated, or if they are attempts to attack us.
On 12/22/2015 10:11 PM, Paul M. Cook wrote:

They are attempted connections from the outside (remote) *to* your (his) machine. Whether they have effectively been prompted by his actions is another issue.
On 12/23/2015 2:24 AM, Don Y wrote:

I confess. I was parking in your driveway, and playing video games. It's all my fault.
--
.
Christopher A. Young
learn more about Jesus
wrote:

Maybe you could ask him and you could also have him play a game at a recorded time and then check your log to see if the entries are similar.
AIUI, the average desktop gets thousands of pings a day. When I had that famous software firewall whose name escapes me, it would record and count them.
But that doesn't mean the outside IP is targeting your kid specifically. Maybe it just goes through IP numbers consecutively, looking for those that are unprotected.
And it doesn't mean that it can do anything to your kid's device. Isn't the software in a game or insertable game hard-coded?
And it doesn't mean the pinger wants to. A lot of my pings were from my own ISP, IIRC. I don't know why it was doing this when I was already connected.
What could an outside force do to your kid? Can the game display messages on it, like "Come to Syria and kill the infidels. Call 1-800-KIL-L-INF". Frankly I think the people who say that 12 or 10 is not too young to talk to their children about sex, drugs, etc. are missing the mark. What parents should do is talk during dinner to each other about how stupid drug users are and how stupid and selfish those who get someone pregnant when they're not married, and they can do this when the kid is 4 and up and kids will listen to everything their parents say. But if they are 12 and the parent is telling them what to do, it will be for some kids a challenge to do the opposite, because they don't like being lectured. That's why parents should talk to each other in front of the kids. There are adequate conversation starters in the news.
On Wednesday, December 23, 2015 at 3:39:07 AM UTC-5, Micky wrote:

Targeting the home network for use by a hacker is an important consideration. It's not just about the people, it's also about the equipment.

It's not a question of what could be done to the device, it's whether or not that device is allowing access to the home's network. Once inside the network it may be possible to gain access to other computers. I'm not saying it's possible, I'm just pointing out that the access issue may not be related only to the device used for the access.

One of the known "access" points to the kiddies is via the chat feature of on-line games. In many cases it is impossible to track these conversations or monitor them for keywords like in an email, phone call, etc.
On Wed, 23 Dec 2015 04:19:59 -0800, DerbyDad03 wrote:

Exactly. I'm not worried about the kid being attacked.
I'm worried about the attacker coming in through the port 9000 of the IP address 192.168.1.5 which, at least today, is the Sony Playstation (but it could have been any computer on the day of the attack since I have DHCP).
Once the attacker is on the router, they can potentially get to any computer or monitor anything or watch or whatever the reason they got in for.
That there were *many* similar attacks at roughly the same time is what worries me also.
But, mostly, I am just wanting to know *what* happened, which, from the log files, I can't tell - but that's why I asked. I don't know how to correctly *interpret* this particular set of errors.
We're all just guessing. And that's bad.
Paul M. Cook wrote:

Playing an on-line game? Kids do most of the time.
On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:

Maybe. But is *that* what the error message says?
I guess I need to *experiment*, by asking the kid to play a few games and then watch the router log file.
What is worrisome is that some of the entries don't come from what I'd expect an online game to come from, e.g., Brazil, Mexico, Japan, France, etc.
wrote:

Good idea.

When I went to France in 1974, I thought I could impress girls with Hershey bars and nylon stockings, but instead I couldn't afford to eat in a real restaurant.
(though I did eat in an expensive restaurant in Amsterdam before the flight home, rijsttafel, and it was the only meal I shared with a girl I met the previous day, and we were on the same plane the day after the meal and we were both sick. From the expensive meal)
IOW, despite the impression we're often given, they have civilization in those places, and even infra-civilization like games. I'm sure there are gamers in all those countries, but there may also be hackers.
On Wed, 23 Dec 2015 08:22:08 -0800, Oren wrote:

I have never not used DHCP.
How do we assign permanent IP addresses when devices come on and off the network all the time?
Do we attach the IP address to the MAC address of the device?
For example, if the Android phone is MAC address DE:AD:BE:EF:CA:FE, do we attach the IP address 192.168.1.10 to *that* MAC address from the router?
Or, is there some other way of doing it from the device itself?
On 12/23/2015 10:39 AM, Paul M. Cook wrote:

IP addresses are assigned to the devices and "told" to the outside world whenever a device tries to communicate. Each message essentially says, "Hi, I am A.B.C.D trying to contact E.F.G.H on port X". The network "fabric" (routers, etc.) arranges for the message to be delivered to the *expected* home of E.F.G.H (the fabric is SMART!). When E.F.G.H receives the message, it creates a reply that essentially says, "Hi, A.B.C.D, this is E.F.G.H responding to your request..."
DHCP is a hack that allows addresses to be DYNAMICALLY (the D in DHCP) assigned *from* an external agency (the DHCP server inside your router, in this case). This allows the client machines to be ignorant of their actual IP addresses and makes address management a bit easier.
[Imagine if you wanted to rearrange the addresses that you'd assigned to machines. You wouldn't want to walk up to each individual machine and invoke its "setup" program, type in a new FIXED address/netmask (gateway, name server, etc. -- lots of things involved besides just IP address!) and then record all of this on a tattered scrap of paper (to ensure you don't screw up and assign the same address to two different machines!!).]
DHCP lets you create "pools" of addresses (your pool is probably something like 192.168.1.1 through 192.168.1.100 -- or some other arbitrary upper limit) and have "something" (the DHCP service) keep track of which ones are currently in use along with which machines are using each of them. It does this by accepting a DHCP *request* from each machine/client and, if "unused" addresses remain in the pool, it picks one of those and assigns it to that client -- informing the client of this assignment in its reply *to* the client: "Your IP address will currently be A.B.C.D. Please make a note of it!"
Each assignment is accompanied by a "lease time" -- i.e., this is yours for, AT MOST, X hours (typically 24). If you intend to keep it beyond that time, you'd best RENEW your lease or I am liable to give it out to some other client who comes along tomorrow!
This greatly simplifies network management. Connect a client to the network, tell it to use DHCP and then walk away!
It also lets you connect more devices to your network than you have addresses available -- by allowing addresses to be REUSED. (but, the maximum number of machines AT ANY INSTANT is still determined by the number of available IP's)
The alternative is to go to each individual machine (PC, game console, printer, VoIP phone, etc.) on the network and manually specify these parameters (IP address, netmask, gateway, name server(s), etc.). And, in doing so, making sure you don't create any conflicts (two machines with the same IP address, incompatible netmasks, DNS servers that are unreachable, etc.).
OTOH, by doing so, you *know* where each machine is "located" on the network! A.B.C.D is the PC. A.B.C.E is the Smart TV. A.B.C.F is the game console. So, you don't have to ask <something> (the DHCP server) "where is the game console, today?" before trying to talk to it.
Taken a step further, you can then assign names to each of these predefined IP addresses. For example, my printers are named Curly, Larry, Moe, Shemp and Joe. Each has a label affixed to the front in case I forget which is which. And, my *name* server (DNS) knows that Curly is 10.0.1.101, Larry is 10.0.1.102, etc. If I want to send something to the Phaser 8200DP (Shemp), I can just refer to it by name -- instead of having to remember an IP address *or* "lookup" its CURRENT IP address.
But, when I bring a new printer (for example) into the house, I have to find a spot for it in the IP addresses (and come up with a name that I'll be able to remember -- I've run out of Stooges! :> )
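The question a few posts up (how to attach a fixed address to a device's MAC when everything else is on DHCP) and the lease/pool mechanics described here are the same bookkeeping. Home routers expose it as a "DHCP reservation" or "static lease" entry keyed by MAC. The following is an added Python example, not code from the post or from any router, of that bookkeeping: a pool of dynamic addresses with lease expiry and renewal, plus reservations that pin an address to a MAC. Times are plain seconds so it runs deterministically offline; the MACs and addresses are the ones used in the thread.

```python
import ipaddress


class LeaseTable:
    """Toy DHCP server state: dynamic pool + per-MAC reservations."""

    def __init__(self, pool_start, pool_end, lease_seconds=86400, reservations=None):
        lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        self.pool = [str(lo + i) for i in range(int(hi) - int(lo) + 1)]
        self.lease_seconds = lease_seconds
        # Reservation keys are normalised so the client's MAC case does not matter.
        self.reservations = {m.lower(): ip for m, ip in (reservations or {}).items()}
        self.leases = {}  # ip -> (mac, expires_at)

    def _expire(self, now):
        for ip, (_, expires) in list(self.leases.items()):
            if expires <= now:
                del self.leases[ip]  # lease ran out: the address returns to the pool

    def request(self, mac, now):
        """Address the server offers this MAC at time `now`, or None if the pool
        is exhausted. A client still holding a lease is renewed on the same
        address; a reserved MAC always gets its reserved address."""
        mac = mac.lower()
        self._expire(now)
        if mac in self.reservations:
            ip = self.reservations[mac]
        else:
            ip = next((ip for ip, (m, _) in self.leases.items() if m == mac), None)
            if ip is None:
                # Reserved addresses are never handed to other clients.
                taken = set(self.leases) | set(self.reservations.values())
                ip = next((ip for ip in self.pool if ip not in taken), None)
                if ip is None:
                    return None
        self.leases[ip] = (mac, now + self.lease_seconds)
        return ip

    def holder(self, ip, now):
        """Which MAC holds `ip` right now (what the router's device list shows)."""
        self._expire(now)
        return self.leases.get(ip, (None, None))[0]


if __name__ == "__main__":
    table = LeaseTable("192.168.1.2", "192.168.1.20", lease_seconds=3600,
                       reservations={"F8:D0:AC:B1:D4:A3": "192.168.1.5",
                                     "DE:AD:BE:EF:CA:FE": "192.168.1.10"})
    print("console ->", table.request("f8:d0:ac:b1:d4:a3", now=0))
    print("phone   ->", table.request("DE:AD:BE:EF:CA:FE", now=0))
    print("laptop  ->", table.request("00:11:22:33:44:55", now=0))
    print("192.168.1.5 held by", table.holder("192.168.1.5", now=100))
```

One caveat worth keeping in mind when reading router logs this way: a reservation identifies a device by a MAC the device itself announces, so it is a convenience for bookkeeping, not authentication. Any client on the LAN can claim that MAC and receive the console's "fixed" address, so "192.168.1.5 was the PlayStation on that day" is only as reliable as the DHCP lines in the log (which, here, do show the same MAC each time).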
On 12/23/2015 7:06 AM, Paul M. Cook wrote:

Turn OFF PING BACK.
In case it isn't already off. Then ask your IP for a new address - which can be as simple as turning off your broadband router for five minutes.
John :-#)#
--
(Please post followups or tech inquiries to the USENET newsgroup)
John's Jukes Ltd. 2343 Main St., Vancouver, BC, Canada V5T 3C9
John Robertson wrote:

If you are worried, block the port and see what happens.
On Wed, 23 Dec 2015 09:07:46 -0800, Oren wrote:

I have run wifi-radar, kismet, and iwscanner, but the output is horrendously cryptic.
I hear there is Wireshark, AirShark, netstumbler, & netcrumbler, so, maybe one of those has easier to read output?
On 12/23/2015 7:54 AM, Paul M. Cook wrote:

Your attack surface is *anything* that can be exposed and/or infiltrated from the outside.
There may be an exploit *on* the PlayStation that is being probed (or, actively being USED!). If <something> can get a foothold, anywhere, then it can advance from there further into your internet.
Your son's -- along with your own -- activities OUTSIDE your personal internet make your "public" IP address (the one on the upstream side of your router) visible to external entities.
[unless you are double NAT'ed by your upstream provider]
Anything that your "house" (network) talks to now knows where you are. Likewise for anything you talk *through* (e.g., any of your provider's equipment, any other routers on The Internet, etc.). You've in effect, said, "Here We Are!"
This is just common sense: if you wanted something *from* something (else) on The Internet, you had to contact that <something> and, in doing so, provide a means by which it could deliver a REPLY to *you* (and not your neighbor, the guy down the block, etc.)

They may not be "attacks". They may be *probes* -- machines trying to connect to the machine in question to determine if an exploit is "available", there ("Hmmm... let me see if I can infiltrate this particular machine at this particular IP address by taking advantage of a BUG that exists in its software; a bug that I can tickle by doing THIS!...")
It may also be "normal operation" for some application that is running on that machine. Or, that *was* running, there.
You'd actually have to use a packet sniffer to examine the actual messages being sent to the machine/port in question and hope to recognize them as hostile or benign.
Of course, if the messages originate at HackersRUs.com, that could give you a heads up! :>

Some possible scenarios (without examining the IP's in detail) without trying to be exhaustive nor in any particular order:
- Someone (your son?) is participating in an online, multiagent activity (e.g., game) and the nature of the activity requires others to share information about each participant's actions, etc.
This can be done with a large, single-server that handles every player currently engaged in that activity. Each person (player) connects to that server and learns what is happening in the activity, interacts with that server which, in turn, informs the other players of his activities while informing *him* of their activities.
This would manifest (in your logs) as lots of traffic to a single IP; the IP of the "server" for that activity (game).
But, this sort of approach doesn't "scale well". It requires a single server to handle all of the activities of EVERYONE participating in that shared event! As more folks want to participate, things can get sluggish -- more work for the server in the same amount of time!
This can be alleviated, to some extent, by hiding a BUNCH of servers behind a single address (a "cluster") and *internally* splitting out the work to different physical machines. This is how google can appear to be so fast -- there are literally thousands of machines handling all those requests yet giving the illusion of a single one!
But, it still funnels all network traffic to a single point. So, makes the "shared activity" more vulnerable to network congestion. A bottleneck at any point is reflected back to the participants as a "pause"/hiccup in normal operation. For an INTERACTIVE activity, this is highly undesirable. You don't want the activity to appear to progress in fits and spurts!
And, it's not very reliable: the server crashes (or, it's single external contact point) and the world ends!
So, you *distribute* the activity to other servers -- potentially in physically distant locations! They talk with each other (directly or indirectly) to coordinate their knowledge of The Activity and also communicate with the participants to inform them of the current state of the activity as well as get input regarding their desired actions.
This could explain why several different IP's are connecting to your machine -- each trying to update some information about your actions *or* update the software in your machine regarding their "models" of the current state of the activity, from their individual points of view.
They may simply be trying to determine if you're "still playing".
- Something has made some *other* thing aware of your presence and that other thing has informed still others of your location. E.g., you connected to an application's server and it has told other entities about your whereabouts -- for whatever purpose. They are then attempting to connect to an application in your machine (one that is expected to be listening on port 9000) to offer their services. E.g., they may be "advertising" shared activities (see above) that are currently happening on their servers so you can opt to join in.
- Something is aware of your presence and is trying to probe a potential weakness/exploit on your system by connecting to some buggy software that is currently listening on port 9000. Based on how/if you respond to its probes, it may refine its probes to more specifically target your particular version of said software ("Ah, he's running version XYZ! That one has patched this old bug but hasn't, yet, patched this *new* bug! Let me try to get in using this OTHER trick...")
- Something is just hammering away at everything it finds in the hope that it encounters something that it can use (abuse). This, for example, is how spam works: send it to EVERYONE and hope *someone* is foolish enough to reply!
- Something in your machine (malware?) is reaching out and INVITING others to connect to it -- for whatever purpose. It may be part of a distributed command and control cluster that is delivering SPAM to folks. Or, actively targeting a defense contractor. Or...

That's why network security is hard! Most folks don't have the tools *or* the expertise to understand what is happening. Nor the vigilance to catch it *as* it is happening!
Next time you grumble about some highly publicized "breach", imagine what it's like for the security folks at some of these "ripe targets" trying to sort through millions of contacts each hour and determine which are malicious vs. benign!
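Every scenario above turns on something at 192.168.1.5 being reachable on port 9000 from the outside, and the "UPnP set event" lines in the first post are the console using the router's UPnP Internet Gateway Device interface, which is the usual way a console gets an inbound port opened for itself. The direct check, short of a packet capture, is to ask the router which port mappings it currently holds. Below is an added Python example, not code from the thread or from any router vendor, that builds the standard IGD GetGenericPortMappingEntry SOAP call, parses one reply, and walks a live router's table. Assumptions: the control URL is whatever the router's device description lists for its WANIPConnection:1 service (SSDP discovery is not shown); the sample reply and fault are constructed, and the protocol and description in the sample are invented, since the thread never says whether port 9000 is TCP or UDP.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")

# Constructed sample replies for offline use; protocol and description are invented.
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>9000</NewExternalPort><NewProtocol>UDP</NewProtocol>
<NewInternalPort>9000</NewInternalPort><NewInternalClient>192.168.1.5</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>example console mapping</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_FAULT = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>
</s:Fault></s:Body></s:Envelope>"""


def build_request(index):
    """SOAP body for GetGenericPortMappingEntry(index) on the WANIPConnection service."""
    return (f'<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')


def parse_response(xml_text):
    """One mapping as a dict, or None if the reply is not a
    GetGenericPortMappingEntryResponse (e.g. the fault past the last index)."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None
    entry = {f: (resp.findtext(f) or "") for f in FIELDS}  # out-args are unqualified
    for f in ("NewExternalPort", "NewInternalPort", "NewLeaseDuration"):
        entry[f] = int(entry[f] or 0)
    return entry


def fault_code(xml_text):
    """UPnP errorCode from a SOAP fault (713 = index past the end), else None."""
    code = ET.fromstring(xml_text).findtext(".//{urn:schemas-upnp-org:control-1-0}errorCode")
    return int(code) if code else None


def mappings_for_host(entries, internal_ip):
    """The mappings that point at one LAN host, e.g. the console at 192.168.1.5."""
    return [e for e in entries if e["NewInternalClient"] == internal_ip]


def list_mappings(control_url, max_entries=64):
    """Walk a live router's table (needs network; control_url is an assumption
    taken from the router's device description, not from anything in the thread)."""
    entries = []
    for i in range(max_entries):
        req = urllib.request.Request(
            control_url, data=build_request(i).encode(),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                body = r.read().decode()
        except urllib.error.HTTPError as e:
            body = e.read().decode()  # end of table arrives as HTTP 500 + UPnPError 713
        entry = parse_response(body)
        if entry is None:
            break
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in mappings_for_host([parse_response(SAMPLE_RESPONSE)], "192.168.1.5"):
        print(f"{e['NewProtocol']} {e['NewExternalPort']} -> "
              f"{e['NewInternalClient']}:{e['NewInternalPort']} ({e['NewPortMappingDescription']})")
```

Any entry whose NewInternalClient is 192.168.1.5 is a hole the console asked for, and it answers the "what is listening on 9000" question without a sniffer. Turning UPnP off on the router stops the console from adding such entries (it may then report a stricter NAT type for online play), which is the least invasive version of "block the port and see what happens".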
On 12/23/2015 3:39 AM, Micky wrote:

You have a good point. When my son was in his late teens my wife was cleaning in his bedroom and found condoms. She said I should have a talk with our son. I replied, "I did and evidently he listened".
