
Help with firewall/router logs..


danksy

Guys,

Should I be worried? Looks like my firewall has been working overtime the last few days!

2005.02.13 15:25:05 192.168.1.2 login success

2005.02.13 14:55:15 ATM get IP:84.9.68.97

2005.02.13 14:55:09 ATM start PPP

2005.02.13 14:55:09 Dial On Demand(ATM)

2005.02.13 14:54:55 sending ACK to 192.168.1.2

2005.02.13 12:12:16 ATM stop PPP

2005.02.13 11:50:25 ATM get IP:84.9.70.163

2005.02.13 11:50:21 ATM start PPP

2005.02.13 11:50:21 Dial On Demand(ATM)

2005.02.13 11:49:24 sending ACK to 192.168.1.2

2005.02.13 11:49:16 sending ACK to 192.168.1.2

2005.02.13 11:49:11 sending ACK to 192.168.1.2

2005.02.13 11:40:51 ATM stop PPP

2005.02.13 11:30:59 ATM get IP:84.9.79.40

2005.02.13 11:30:58 sending ACK to 192.168.1.2

2005.02.13 11:30:57 ATM start PPP

2005.02.13 11:30:57 Dial On Demand(ATM)

2005.02.13 11:07:53 ATM stop PPP

2005.02.13 10:54:34 sending ACK to 192.168.1.2

2005.02.13 10:54:31 ATM get IP:84.9.80.82

2005.02.13 10:54:29 ATM start PPP

2005.02.13 10:54:29 Dial On Demand(ATM)

2005.02.13 10:38:48 ATM stop PPP

2005.02.13 10:11:48 sending ACK to 192.168.1.3

2005.02.13 09:57:07 sending ACK to 192.168.1.2

2005.02.13 09:06:33 ATM get IP:84.9.80.238

2005.02.13 09:06:31 ATM start PPP

2005.02.13 09:06:31 Dial On Demand(ATM)

2005.02.13 09:06:01 sending ACK to 192.168.1.2

2005.02.13 09:05:54 sending ACK to 192.168.1.2

2005.02.13 09:05:49 sending ACK to 192.168.1.2

2005.02.13 00:19:56 ATM stop PPP

2005.02.13 00:14:51 ATM get IP:84.9.83.141

2005.02.13 00:14:46 ATM start PPP

2005.02.13 00:14:46 Dial On Demand(ATM)

2005.02.12 22:16:26 ATM stop PPP

2005.02.12 21:29:16 ATM get IP:84.9.81.147

2005.02.12 21:29:11 ATM start PPP

2005.02.12 21:29:11 Dial On Demand(ATM)

2005.02.12 21:28:42 sending ACK to 192.168.1.2

2005.02.12 21:28:33 sending ACK to 192.168.1.2

2005.02.12 21:28:29 sending ACK to 192.168.1.2

2005.02.12 21:22:11 ATM stop PPP

2005.02.12 21:16:16 **Ping of Death/Tear Drop** 213.37.87.212, 59238->> 192.168.1.3, 10973 (from ATM Inbound)

2005.02.12 21:12:56 **Smurf** 201.7.57.0, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.12 21:12:50 **Smurf** 201.7.57.0, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.12 21:12:44 **Smurf** 201.7.57.0, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.12 21:12:38 **Smurf** 201.7.57.0, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.12 21:12:31 **Smurf** 201.7.57.0, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.12 21:05:59 **UDP Flood to Host** 65.11.63.117, 50418->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.12 21:05:59 **UDP Flood to Host** 81.156.218.40, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.12 20:40:03 NTP Date/Time updated.

2005.02.12 20:47:40 ATM get IP:84.9.91.149

2005.02.12 20:47:36 ATM start PPP

2005.02.12 20:47:36 Dial On Demand(ATM)

2005.02.12 20:47:34 sending ACK to 192.168.1.3

2005.02.10 22:48:08 ATM stop PPP

2005.02.10 21:34:47 sending ACK to 192.168.1.2

2005.02.10 21:24:13 sending ACK to 192.168.1.2

2005.02.10 21:24:05 sending ACK to 192.168.1.2

2005.02.10 21:24:02 sending ACK to 192.168.1.2

2005.02.10 19:17:54 **ICMP Redirect** 80.142.242.144->> 84.9.70.53, Type:5, Code:1 (from ATM Inbound)

2005.02.10 19:17:48 **ICMP Redirect** 80.142.242.144->> 84.9.70.53, Type:5, Code:1 (from ATM Inbound)

2005.02.10 19:17:42 **ICMP Redirect** 80.142.242.144->> 84.9.70.53, Type:5, Code:1 (from ATM Inbound)

2005.02.10 19:17:35 **ICMP Redirect** 80.142.242.144->> 84.9.70.53, Type:5, Code:1 (from ATM Inbound)

2005.02.10 19:17:30 **ICMP Redirect** 80.142.242.144->> 84.9.70.53, Type:5, Code:1 (from ATM Inbound)

2005.02.10 18:58:49 sending ACK to 192.168.1.2

2005.02.10 18:58:40 sending ACK to 192.168.1.2

2005.02.10 18:58:35 sending ACK to 192.168.1.2

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 24.8.6.142, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 80.213.124.54, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 80.137.72.108, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 61.50.169.82, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 82.75.68.163, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 84.27.47.203, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 68.147.173.70, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 162.40.219.157, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 83.173.242.124, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 81.244.176.80, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 84.82.236.247, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 203.130.226.203, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 81.205.222.212, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 68.221.238.249, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 83.32.157.24, 6346 (from ATM Outbound)

2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 205.250.119.28, 6346 (from ATM Outbound)

2005.02.10 17:58:25 sending ACK to 192.168.1.2

2005.02.10 17:58:17 sending ACK to 192.168.1.2

2005.02.10 17:58:13 sending ACK to 192.168.1.2

2005.02.10 17:16:38 **UDP Flood to Host** 192.168.1.3, 6346->> 82.65.170.56, 16523 (from ATM Outbound)

2005.02.10 16:46:15 **UDP Flood to Host** 192.168.1.3, 6346->> 81.58.115.243, 6346 (from ATM Outbound)

2005.02.10 16:46:15 **UDP Flood to Host** 192.168.1.3, 6346->> 83.118.233.132, 6346 (from ATM Outbound)

2005.02.10 16:46:15 **UDP Flood to Host** 192.168.1.3, 6346->> 82.65.176.146, 6346 (from ATM Outbound)

2005.02.10 16:01:51 **UDP Flood to Host** 84.28.61.233, 12748->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:51 **UDP Flood to Host** 81.53.179.138, 3108->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:51 **UDP Flood to Host** 24.86.163.67, 6572->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:51 **UDP Flood to Host** 201.12.131.215, 19304->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:51 **UDP Flood to Host** 82.7.228.94, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 217.132.68.15, 25657->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 83.82.74.83, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 69.195.144.167, 63938->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 81.211.218.231, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 82.227.36.30, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 67.168.96.241, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 154.20.191.148, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 84.25.38.71, 33687->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 82.0.183.177, 10974->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 69.210.248.157, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 24.220.151.197, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 80.223.73.128, 6837->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 200.93.97.192, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 201.1.37.31, 36644->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 24.43.155.51, 62774->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 81.192.199.132, 42123->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 82.34.19.137, 9856->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 172.176.228.9, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 151.41.76.35, 18973->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 210.24.124.98, 24789->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 200.163.192.22, 52672->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 68.234.90.24, 20->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 80.109.209.136, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 141.154.50.246, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 64.230.182.58, 61644->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 62.57.13.78, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 217.43.63.103, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 24.164.106.135, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 65.93.199.114, 6885->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 84.101.53.164, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 80.108.253.73, 35010->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 213.60.249.9, 1155->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 83.157.29.16, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 68.194.33.234, 1025->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 69.106.190.160, 17476->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 70.66.103.190, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 216.162.144.18, 40933->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 24.132.53.186, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 24.104.5.24, 47756->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 69.198.121.55, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 68.113.238.210, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 172.206.130.192, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 83.115.188.197, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:01:50 **UDP Flood to Host** 83.113.177.145, 6346->> 192.168.1.3, 6346 (from ATM Inbound)

2005.02.10 16:00:28 NTP Date/Time updated.

2004.10.01 00:00:56 ATM get IP:84.9.70.53

2004.10.01 00:00:51 ATM start PPP

2004.10.01 00:00:51 Dial On Demand(ATM)

2004.10.01 00:00:06 sending ACK to 192.168.1.3

2004.10.01 00:00:00 ATM start PPP

2004.10.01 00:00:00 Dial On Demand(ATM)


Doesn't look healthy to me but you need someone like Phil-To to cast his expert eye over.

Are you running Gnutella or another P2P download program? Something is accessing port 6346, which is the common port for these programs. Is your firewall configured to forward all requests on this port to an internal machine or something? If so, and you're not running any of these download programs, then stop access to this port on the firewall.

Is there a machine at IP address 192.168.1.3 inside your network?

Run all the tests at https://grc.com/x/ne.dll?bh0bkyd2 to find any holes.


Looks like someone from Brazil is trying to connect to your PC for a Gnutella P2P connection. If you have a software firewall like Norton then you can block the port here also and that would make sense. If you are using DHCP, make a note of your IP address and then disconnect for a while. When you connect again you should have a different address and the connections may very well stop.

I had this a while ago with someone trying to access my PC every 10 mins.

Use the following links to check out your security

Symantec

http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

Also grc.com

https://grc.com/x/ne.dll?bh0bkyd2

You can also see who is "hacking" you by using an IP lookup that tells you who the IP address is registered to.

http://psacake.com/web/eg.asp
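
An added example, not part of the original thread: a short Python triage of the alert lines in the log above, checking the point the replies raise about port 6346 and the machine at 192.168.1.3. The sample lines are copied from the first post; the function names, the regular expression and the "both directions" heuristic are this example's own, and the log format is assumed from the lines shown.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# A few lines copied from the log in the first post (not the full log).
SAMPLE_LOG = """\
2005.02.13 14:55:15 ATM get IP:84.9.68.97
2005.02.12 21:16:16 **Ping of Death/Tear Drop** 213.37.87.212, 59238->> 192.168.1.3, 10973 (from ATM Inbound)
2005.02.12 21:12:56 **Smurf** 201.7.57.0, 6346->> 192.168.1.3, 6346 (from ATM Inbound)
2005.02.12 21:05:59 **UDP Flood to Host** 65.11.63.117, 50418->> 192.168.1.3, 6346 (from ATM Inbound)
2005.02.10 19:17:54 **ICMP Redirect** 80.142.242.144->> 84.9.70.53, Type:5, Code:1 (from ATM Inbound)
2005.02.10 18:04:59 **UDP Flood to Host** 192.168.1.3, 6346->> 24.8.6.142, 6346 (from ATM Outbound)
2005.02.10 17:16:38 **UDP Flood to Host** 192.168.1.3, 6346->> 82.65.170.56, 16523 (from ATM Outbound)
2005.02.10 16:01:51 **UDP Flood to Host** 84.28.61.233, 12748->> 192.168.1.3, 6346 (from ATM Inbound)
"""

# Alert format assumed from the lines above; ports are absent on ICMP lines.
ALERT = re.compile(
    r"^(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) \*\*(?P<kind>[^*]+)\*\*\s+"
    r"(?P<src>[\d.]+)(?:, (?P<sport>\d+))?->> (?P<dst>[\d.]+)(?:, (?P<dport>\d+))?"
    r".*\(from ATM (?P<dir>Inbound|Outbound)\)$"
)

def parse(log):
    """Return one dict per alert line; status lines (PPP, ACK, NTP) are skipped."""
    return [m.groupdict() for m in map(ALERT.match, log.splitlines()) if m]

def triage(alerts):
    """Per LAN host, count the local port seen on alerts in each direction."""
    ports = defaultdict(lambda: {"Inbound": Counter(), "Outbound": Counter()})
    for a in alerts:
        # The local side is the destination inbound and the source outbound.
        inbound = a["dir"] == "Inbound"
        host, port = (a["dst"], a["dport"]) if inbound else (a["src"], a["sport"])
        if port and ipaddress.ip_address(host).is_private:
            ports[host][a["dir"]][int(port)] += 1
    return ports

def listening_suspects(ports):
    """Heuristic: (host, port) pairs with alerts in both directions, i.e. a
    program on that host is using the port rather than only being probed."""
    return sorted((h, p) for h, d in ports.items()
                  for p in d["Inbound"] if p in d["Outbound"])

if __name__ == "__main__":
    for host, port in listening_suspects(triage(parse(SAMPLE_LOG))):
        print(f"{host} sends and receives on port {port}: check what runs there")
```

A hit from `listening_suspects` answers the second reply's question from the log itself: the machine to inspect is the one named, and the port to close or stop forwarding is the one listed.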
