Review of my home broadband router logs (suspicious activity?)

Does this activity found accidentally in my home broadband wireless router log seem suspicious to you?

Here is a screenshot of the suspicious log entries:


When "I" log into my router, I see a line like this:

[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15

But, I see the following (suspicious?) activity in my log file:

[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31

I don't know what this really means: "LAN access from remote".

Looking at the router wired & wireless list of devices, 192.168.1.5 seems to not be attached at the moment.

But, looking back, I can determine (from the MAC address) that it's my child's Sony Playstation (which has "UPNP events" whatever they are):

[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015 16:17:47
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15

Can you advise me whether I should be worried that there are many LAN accesses from a remote IP address to a kid's Sony Playstation?

Reply to
Paul M. Cook

Are you afraid of, what, exactly?

Reply to
ng_reader

To answer why I ask about these activities, it's that I did not elicit these transactions, nor do I understand them.

The IP addresses seem to belong to the following (from a whois):

-------------------------------------------------- inetnum: 93.38.176.0 - 93.38.183.255 netname: FASTWEB-DPPU descr: Infrastructure for Fastwebs main location descr: NAT POOL 7 for residential customer POP 4106, country: IT

-------------------------------------------------- inetnum: 177.204/14 aut-num: AS18881 abuse-c: GOI owner: Global Village Telecom country: BR

-------------------------------------------------- inetnum: 101.160.0.0 - 101.191.255.255 netname: TELSTRAINTERNET50-AU descr: Telstra descr: Level 12, 242 Exhibition St descr: Melbourne descr: VIC 3000 country: AU

-------------------------------------------------- inetnum: 181.164/14 status: allocated aut-num: N/A owner: CABLEVISION S.A. ownerid: AR-CASA10-LACNIC responsible: Esteban Poggio address: Aguero, 3440, address: 1605 - Munro - BA country: AR

-------------------------------------------------- inetnum: 2.133.64.0 - 2.133.71.255 netname: TALDYKMETRO descr: JSC Kazakhtelecom, Taldykorgan descr: Metro Ethernet Network country: KZ

-------------------------------------------------- inetnum: 186.204/14 aut-num: AS28573 abuse-c: GRSVI owner: CLARO S.A. ownerid: 040.432.544/0835-06 responsible: CLARO S.A. country: BR

-------------------------------------------------- inetnum: 148.246/16 status: allocated aut-num: N/A owner: Mexico Red de Telecomunicaciones, S. de R.L. de C.V. ownerid: MX-MRTS1-LACNIC responsible: Ana María Solorzano Luna Parra address: Bosque de Duraznos, 55, PB, Bosques de las Lomas address: 11700 - Miguel Hidalgo - DF country: MX

-------------------------------------------------- inetnum: 195.67.224.0 - 195.67.255.255 netname: TELIANET descr: TeliaSonera AB Networks descr: ISP country: SE

-------------------------------------------------- inetnum: 1.72.0.0 - 1.79.255.255 netname: NTTDoCoMo descr: NTT DOCOMO,INC. descr: Sannno Park Tower Bldg.11-1 Nagatacho 2-chome descr: hiyoda-ku,Tokyo Japan country: JP

-------------------------------------------------- inetnum: 1.72.0.0 - 1.79.255.255 netname: MAPS descr: NTT DoCoMo, Inc. country: JP

-------------------------------------------------- inetnum: 178.116.0.0 - 178.116.255.255 netname: TELENET descr: Telenet N.V. Residentials remarks: INFRA-AW country: BE

-------------------------------------------------- inetnum: 82.237.140.0 - 82.237.143.255 netname: FR-PROXAD-ADSL descr: Proxad / Free SAS descr: Static pool (Freebox) descr: deu95-3 (mours) descr: NCC#2005090519 country: FR

-------------------------------------------------- NetRange: 107.192.0.0 - 107.223.255.255 NetName: SIS-80-4-2012 NetHandle: NET-107-192-0-0-1 Parent: NET107 (NET-107-0-0-0-0) NetType: Direct Allocation OriginAS: AS7132 Organization: AT&T Internet Services (SIS-80) City: Richardson StateProv: TX

-------------------------------------------------- NetRange: 216.98.48.0 - 216.98.63.255 CIDR: 216.98.48.0/20 NetName: UBICOM NetHandle: NET-216-98-48-0-1 Parent: NET216 (NET-216-0-0-0-0) NetType: Direct Assignment OriginAS: Organization: Ubisoft Entertainment (UBISOF-2)

--------------------------------------------------

Reply to
Paul M. Cook

Ask the kid if he is playing an online game.

Reply to
Tony Hwang

He does play online, but I don't know if *those* are activities *he* initiated, or if they are attempts to attack us.

Reply to
Paul M. Cook

Have you edited your log, here? Are there other activities not shown? Do you see just these sporadic accesses?

(your) LAN (is being) access(ed) from a remote device. The first address listed in each of these lines (the one that is NOT 192.168.1.5) represents the "remote" device. The device on *your* LAN is the second address listed (192.168.1.5).

Chances are, it's a DHCP assigned IP address. If it doesn't reconnect to the router within the lease time, the IP address may get reallocated to some other device. 192.168/16 (i.e., 192.168.xxx.yyy) is a private network address -- damn near everyone here is using the same address (but *behind* a router/NAT of some sort). So, the IP addresses of all of your "computers" will be in that same general range.

Most routers will provide a (DHCP?) page that shows where the current IP addresses that *it* has doled out are being used. (I suspect "Attached Devices" in your router).

This is the DHCP request *from* the F8:D0:AC:B1:D4:A3 device being satisfied by the router with the issuance/renewal of a lease (usually good for 24 hours; longer if the device renews the request) on the IP address 192.168.1.5.

You want to look at the IPs in question. As 9000 is not a privileged port, it's possible any application can be using it, friend or foe:

If you feel ambitious, you can install a rule to block inbound/outbound connections to/from that port and see if something that you WANT suddenly stops working. Probably under "Security"?

Reply to
Don Y

They are attempted connections from the outside (remote) *to* your (his) machine. Whether they have effectively been prompted by his actions is another issue.

Reply to
Don Y

Maybe you could ask him and you could also have him play a game at a recorded time and then check your log to see if the entries are similar.

AIUI, the average desktop gets thousands of pings a day. When I had that famous software firewall whose name escapes me, it would record and count them.

But that doesn't mean the outside IP is targeting your kid specifically. Maybe it just goes through IP numbers consecutively, looking for those that are unprotected.

And it doesn't mean that it can do anything to your kid's device. Isn't the software in a game or insertable game hard-coded?

And it doesn't mean the pinger wants to. A lot of my pings were from my own ISP, IIRC. I don't know why it was doing this when I was already connected.

What could an outside force do to your kid? Can the game display messages on it, like "Come to Syria and kill the infidels. Call 1-800-KIL-L-INF"? Frankly I think the people who say that 12 or 10 is not too young to talk to their children about sex, drugs, etc. are missing the mark. What parents should do is talk during dinner to each other about how stupid drug users are and how stupid and selfish those who get someone pregnant when they're not married are, and they can do this when the kid is 4 and up, and kids will listen to everything their parents say. But if they are 12 and the parent is telling them what to do, it will be for some kids a challenge to do the opposite, because they don't like being lectured. That's why parents should talk to each other in front of the kids. There are adequate conversation starters in the news.

Reply to
Micky

Targeting the home network for use by a hacker is an important consideration. It's not just about the people, it's also about the equipment.

It's not a question of what could be done to the device, it's whether or not that device is allowing access to the home's network. Once inside the network it may be possible to gain access to other computers. I'm not saying it's possible, I'm just pointing out that the access issue may not be related only to the device used for the access.

One of the known "access" points to the kiddies is via the chat feature of on-line games. In many cases it is impossible to track these conversations or monitor them for keywords like in an email, phone call, etc.

Reply to
DerbyDad03

I confess. I was parking in your driveway, and playing video games. It's all my fault.

Reply to
Stormin Mormon

Exactly. I'm not worried about the kid being attacked.

I'm worried about the attacker coming in through the port 9000 of the IP address 192.168.1.5 which, at least today, is the Sony Playstation (but it could have been any computer on the day of the attack since I have DHCP).

Once the attacker is on the router, they can potentially get to any computer or monitor anything or watch or whatever the reason they got in for.

That there were *many* similar attacks at roughly the same time is what worries me also.

But, mostly, I am just wanting to know *what* happened, which, from the log files, I can't tell - but that's why I asked. I don't know how to correctly *interpret* this particular set of errors.

We're all just guessing. And that's bad.

Reply to
Paul M. Cook

Playing an on-line game? Kids do, most of the time.

Reply to
Tony Hwang

That's an excerpt only but those were the only messages listed with the prefix of "[LAN access from remote]".

At the moment, there are no "attached devices" with the DHCP IP address of 192.168.1.5, and the log file doesn't say which device in the house was 192.168.1.5 on that day.

But, looking at the log file, at some point thereafter, the IP address of 192.168.1.5 was the MAC address which is the Sony Playstation.

I can't tell, from the log, what device had the DHCP given address of 192.168.1.5 on the day of the attack.

The router shows "attached devices" but it doesn't show a history.

Reply to
Paul M. Cook
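As an added example (not code from the thread, and nothing the router itself provides), here is a small Python script that parses the three Netgear entry types quoted above ([LAN access from remote], [DHCP IP: ...] and [UPnP set event ...]), attaches to each remote access the last DHCP lease the log shows for the target IP before that time (for the posted lines that is none for the Dec 19 events, which is exactly the gap described above), notes whether the target host issued a UPnP set event shortly before, and counts distinct remote peers per LAN port. The 10-minute UPnP window, and the reading of a UPnP set event as a port mapping that could explain why inbound port 9000 reaches a LAN host, are assumptions of mine, not something the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the Netgear log lines quoted in the thread.
SAMPLE_LOG = """\
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
"""

TS = r"(?P<ts>\w+, \w+ \d{1,2},\d{4} \d\d:\d\d:\d\d)$"  # e.g. "Saturday, Dec 19,2015 06:32:31"
PATTERNS = {
    "remote": re.compile(r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+)"
                         r" to (?P<dst>[\d.]+):(?P<dport>\d+), " + TS),
    "dhcp": re.compile(r"^\[DHCP IP: \((?P<ip>[\d.]+)\)\] to MAC address (?P<mac>[0-9A-Fa-f:]+), " + TS),
    "upnp": re.compile(r"^\[UPnP set event: (?P<name>\S+)\] from source (?P<ip>[\d.]+), " + TS),
}

def parse_log(text):
    """Return the recognised events as dicts with a parsed datetime; other lines are ignored."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                ev["ts"] = datetime.strptime(ev["ts"], "%A, %b %d,%Y %H:%M:%S")
                events.append(ev)
                break
    return events

def correlate(events, upnp_window=timedelta(minutes=10)):
    """For each remote access, attach the last DHCP lease logged for the target IP before the
    event (None when the log shows no earlier lease, the thread's situation) and whether the
    same host issued a UPnP set event within upnp_window (assumed window) before it."""
    leases = sorted((e for e in events if e["kind"] == "dhcp"), key=lambda e: e["ts"])
    upnp = [e for e in events if e["kind"] == "upnp"]
    findings = []
    for e in (x for x in events if x["kind"] == "remote"):
        prior = [l for l in leases if l["ip"] == e["dst"] and l["ts"] <= e["ts"]]
        recent_upnp = any(u["ip"] == e["dst"] and timedelta(0) <= e["ts"] - u["ts"] <= upnp_window
                          for u in upnp)
        findings.append({"ts": e["ts"], "src": e["src"], "dst": e["dst"], "dport": int(e["dport"]),
                         "mac": prior[-1]["mac"] if prior else None, "upnp_recent": recent_upnp})
    return findings

def summarize(findings):
    """Count distinct remote sources per LAN ip:port, to show how many peers hit one port."""
    peers = defaultdict(set)
    for f in findings:
        peers[(f["dst"], f["dport"])].add(f["src"])
    return {k: len(v) for k, v in peers.items()}

if __name__ == "__main__":
    found = correlate(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} mac={f['mac']} upnp_recent={f['upnp_recent']}")
    print(summarize(found))
```

Paste the full router log into SAMPLE_LOG (or read it from the text file made with Control-A/Control-C) and a "mac" of None on an event means the log holds no lease for that IP before the event, so the router log alone cannot say which device it was.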

Maybe. But is *that* what the error message says?

I guess I need to *experiment*, by asking the kid to play a few games and then watch the router log file.

What is worrisome is that some of the entries don't come from what I'd expect an online game to come from, e.g., Brazil, Mexico, Japan, France, etc.

Reply to
Paul M. Cook

You have a good point. When my son was in his late teens my wife was cleaning in his bedroom and found condoms. She said I should have a talk with our son. I replied, "I did and evidently he listened".

Reply to
Ed Pawlowski

Good idea.

When I went to France in 1974, I thought I could impress girls with Hershey bars and nylon stockings, but instead I couldn't afford to eat in a real restaurant.

(though I did eat in an expensive restaurant in Amsterdam before the flight home, rijsttafel, and it was the only meal I shared with a girl I met the previous day, and we were on the same plane the day after the meal and we were both sick. From the expensive meal)

IOW, despite the impression we're often given, they have civilization in those places, and even infra-civilization like games. I'm sure there are gamers in all those countries, but there may also be hackers.

Reply to
Micky

That's interesting. I didn't know routers kept logs. Did you find that by logging in to the "control panel"?

I used to get a lot of attempts to get into my computer when I had dialup. That mostly stopped with cable, though I have caught my cable company, RCN, trying to get in. I have no idea why. Apparently they just go around snooping on customers, perhaps tracking how many machines are at each address, or some such.

First, do you have a good, long password for your router? You should. Maybe 20 characters.

You didn't mention what computers you have. Assuming Windows...

It's important to understand that most Windows computers are full of holes. The default configuration has numerous unsafe services running. Many people now also enable remote Desktop functionality for tech support. You should have a firewall that blocks all incoming and asks permission for all outgoing processes. (In many cases it's also possible to block svchost from going out, which takes care of most or all Microsoft spyware.)

Some may remember there was a problem with XP in the early days. A service called Messenger (not Windows Messenger) was running by default. It was intended for sys admin people in corporations to be able to pop up notices to employees on the network. (Like "Don't forget: Company picnic on Saturday.") It was being used to show people ads. The problem is that Windows NT (2000/XP/Vista/7/8/10) is designed to be a corporate workstation. It's a sieve, set up with the assumption that the network is safe while the users can't be trusted. If you want to set up reasonable security see here:


You can use that site to adjust services. And get a firewall.

I don't know much about Playstation, but that's a good example of increasing intrusion online. Online services and spyware operating systems are changing the norm. Most software is now designed to call home without asking. A few years ago that was known as spyware. Windows 10 is a new level of spyware. It now has a privacy policy and TOS that claim Microsoft has a legal right to spy on virtually everything you do. (I suspect Playstation is probably worse in that regard.)

At the same time, more people want more of those services. Without selling out to Apple you can't get all those nifty apps. Without selling out to Adobe you can no longer use Photoshop without it spying on you. The latest version is still installed on your computer, but it's officially marketed as an online service. The difference is not so much in the software but in the fact that you have to accept it as spyware. MS Office and many other programs are going the same way. They want to steal your car and rent you a taxi.

So there may be different, conflicting concerns for you. One concern is preventing malware/spyware intrusion by strengthening your security. But then there's also the issue of whether you're actually willing and able to do that in the context of how you want to use your connected devices. If you want to accept and use online services then you must accept that you're now in a shopping mall. The mall cameras, marketing data collectors and security guards will be watching. You're on their property, not your own.

Reply to
Mayayana

I thought I'd look at my log, for the first time in 8 years. The only wireless device I use is a printer.

Dec/21/2015 18:59:18 DHCP lease IP 192.168.0.106 to android-fce7fa4f93da6881 64-89-9A-6E-9C-85
Dec/21/2015 18:59:09 DHCP lease IP 192.168.0.106 to android-fce7fa4f93da6881 64-89-9A-6E-9C-85
Dec/21/2015 18:59:04 DHCP lease IP 192.168.0.106 to android-fce7fa4f93da6881 64-89-9A-6E-9C-85

Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94

So who is Dennis? 5 in the morning? That's my time, right? or GMT?

Dec/20/2015 05:20:05 Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 23:51:38 Wireless PC connected A4-EE-57-E3-09-E4

Whose is this wireless PC? I have one, but haven't used it in weeks.

Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
Dec/19/2015 21:48:06 DHCP Request 192.168.1.46
Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4 A4-EE-57-E3-09-E4
Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
Dec/19/2015 10:13:02 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94

The Epson is my printer. I was probably printing the crossword puzzle. But more Dennis!

Dec/19/2015 10:13:02 Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 07:51:01 DHCP lease IP 192.168.0.105 to android_a1d17253796b3c9c 14-7D-C5-A7-E9-5C

I have a cell phone that runs android, but I don't think I've had it on in the house on the 19th. I haven't tried to connect to wifi with it for a year or more.

Could something like this cause interruptions in my internet, which I get sometimes? The router light for the jack I use flickers all the time, but sometimes no data gets dl'd. I have DSL.

Dec/16/2015 15:12:23 DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2 20-A2-E4-E7-81-36

Dec/16/2015 08:49:25 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 06:25:38 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 05:27:09 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 05:26:17 Wireless PC connected A4-EE-57-E3-09-E4

Dec/13/2015 20:22:09 Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 20:21:49 Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 12:27:17 DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2 20-A2-E4-E7-81-36
Dec/13/2015 12:27:16 Wireless PC connected 20-A2-E4-E7-81-36

Dec/09/2015 08:06:17 DHCP lease IP 192.168.0.106 to Sharlenes-iPad 34-C0-59-19-F9-46

Hmmm..

To send myself the log it asks for SMTP Server / IP Address.

Does that mean the smtp server is enough, or do I need its IP address too, which I don't know?

Help says "SMTP Server - The address of the SMTP (Simple Mail Transfer Protocol) server that will be used to send the logs." but I haven't gotten the email I sent yet, and I should have by now.

Reply to
Micky

I saw the send-log command, but I just copy-and-pasted my router log into a text file on the computer.

  1. While looking at the router log file from within your browser: Control-A to select all, Control-C to copy
  2. Then paste that into any open text file: Control-V to paste

Reply to
Paul M. Cook

I just logged into my Netgear WNDR3400v2 router, and went to the advanced tab of Administration > Logs

It says on top of the window what time it "thinks" it is: Current Time: Wednesday, Dec 23,2015 08:03:08

Looking at the clock, that's the local time in my time zone.

Reply to
Paul M. Cook
