[Dshield] Interesting log entries on Netgear FR114P

John Dalton dubuque1 at mchsi.com
Sat Mar 15 17:12:20 GMT 2003


In looking through last night's log entries (trying to make sure that the new
CVTWIN is parsing right) I found the following:

Sat, 2003-03-15 05:40:58 - TCP packet - Source:61.187.156.252,4083,WAN - Destination:192.168.0.2,8080,LAN [Forward] - [Inbound Rule(1) match]
Sat, 2003-03-15 05:40:58 - Administrator login fail, Access deny - IP:61.187.156.252
Sat, 2003-03-15 05:40:58 - TCP connection - Source:61.187.156.252,4083,WAN - Destination:10.219.102.11,8080,LAN [Drop] - [Inbound Default rule match]
Sat, 2003-03-15 05:40:58 - TCP packet - Source:61.187.156.252,4084,WAN - Destination:10.219.102.11,80,[HTTP],LAN [Drop] - [Inbound Default rule match]
Sat, 2003-03-15 05:40:58 - TCP packet - Source:61.187.156.252,4085,WAN - Destination:10.219.102.11,8000,LAN [Drop] - [Inbound Default rule match]
Sat, 2003-03-15 05:40:58 - TCP packet - Source:61.187.156.252,4086,WAN - Destination:10.219.102.11,3128,LAN [Drop] - [Inbound Default rule match]
Sat, 2003-03-15 05:41:01 - Administrator login fail, Access deny - IP:61.187.156.252

The 192.168.0.2 is my local machine where syslog dumps its data, and is the
only one running right now, running all the time. The 10.219.102.11 is my
address changed to 10.*.*.*. The Netgear Router/Firewall has the ability to
be remotely administered, but that is shut off. I just thought the ports the
subject tried to come in through might be of interest, as well as the fact that
I am showing a failed administrator login attempt at a time I would be asleep,
and how they would get that far with remote administration shut off. Logs
are submitted to Dshield nightly at 1:00 A.M., and I am going to start
submitting at about 1 P.M. daily also.

Sam Spade traceroute shows:
03/15/03 11:08:53 Fast traceroute 61.187.156.252
Trace 61.187.156.252 ...
 1 10.19.96.1       20ms   20ms   40ms  TTL:  0  (No rDNS)
 2 12.215.9.33      20ms   90ms   30ms  TTL:  0  (12-215-9-33.client.mchsi.com ok)
 3 12.215.0.146     50ms   20ms   30ms  TTL:  0  (12-215-0-146.client.mchsi.com ok)
 4 12.123.216.34    30ms   30ms   30ms  TTL:  0  (gbr5-p57.cgcil.ip.att.net bogus rDNS: host not found [authoritative])
 5 12.122.11.57     60ms   60ms   50ms  TTL:  0  (tbr2-p013501.cgcil.ip.att.net bogus rDNS: host not found [authoritative])
 6 12.122.10.10     61ms   50ms   30ms  TTL:  0  (tbr2-p012501.sl9mo.ip.att.net bogus rDNS: host not found [authoritative])
 7 12.122.10.14     70ms 1553ms  130ms  TTL:  0  (tbr2-p013701.la2ca.ip.att.net bogus rDNS: host not found [authoritative])
 8 12.123.199.242   90ms   80ms   91ms  TTL:  0  (gar1-p370.lsrca.ip.att.net bogus rDNS: host not found [authoritative])
 9 12.119.9.42      70ms   90ms   70ms  TTL:  0  (No rDNS)
10 202.97.51.197  2654ms 2554ms 2454ms  TTL:  0  (No rDNS)
11 219.158.3.25   2684ms 2604ms 2624ms  TTL:  0  (No rDNS)
12 202.97.37.10   1802ms 1832ms 1883ms  TTL:  0  (p-6-0-r4-c-bjbj-1.cn.net bogus rDNS: host not found [authoritative])
13 202.97.34.162  1833ms 1802ms 1813ms  TTL:  0  (p-2-0-r1-c-hbwh-1.cn.net bogus rDNS: host not found [authoritative])
14 202.97.42.154  1793ms 1792ms 1842ms  TTL:  0  (p-0-0-r1-a-hnhy-1.cn.net bogus rDNS: host not found [authoritative])
15 61.187.255.97  1853ms 1843ms 1842ms  TTL:  0  (No rDNS)
16 61.187.255.190 1803ms 1803ms 1923ms  TTL:  0  (No rDNS)
17 61.187.171.241 1842ms 1863ms 1833ms  TTL:  0  (No rDNS)
18 61.187.171.74  1763ms 1812ms 1793ms  TTL:  0  (No rDNS)
19 61.187.156.252 1762ms 1802ms 1783ms  TTL: 47  (No rDNS)


Any comments?

I will probably see if there is a place at Netgear where I can inform them
of this type of activity as well, and see if it is something to be concerned
about.

John Dalton
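Added example, not part of John Dalton's post: a small Python parser for the Netgear FR114P log format shown in the message, followed by a correlation pass that groups events by source address, lists the destination ports each address probed, counts drops, and flags when an "Administrator login fail" from an address falls within a short window of a packet from that same address that matched a forwarding rule. The sample lines are the ones from the post, re-joined one event per line and labelled as constructed input; the 60-second window and the treatment of 80/3128/8000/8080 as the usual HTTP-proxy port set are assumptions of the example, not something the router or the post states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the FR114P lines from the post, one event per line.
SAMPLE_LOG = """\
Sat, 2003-03-15 05:40:58 - TCP packet - Source:61.187.156.252,4083,WAN - Destination:192.168.0.2,8080,LAN [Forward] - [Inbound Rule(1) match]
Sat, 2003-03-15 05:40:58 - Administrator login fail, Access deny - IP:61.187.156.252
Sat, 2003-03-15 05:40:58 - TCP connection - Source:61.187.156.252,4083,WAN - Destination:10.219.102.11,8080,LAN [Drop] - [Inbound Default rule match]
Sat, 2003-03-15 05:40:58 - TCP packet - Source:61.187.156.252,4084,WAN - Destination:10.219.102.11,80,[HTTP],LAN [Drop] - [Inbound Default rule match]
Sat, 2003-03-15 05:40:58 - TCP packet - Source:61.187.156.252,4085,WAN - Destination:10.219.102.11,8000,LAN [Drop] - [Inbound Default rule match]
Sat, 2003-03-15 05:40:58 - TCP packet - Source:61.187.156.252,4086,WAN - Destination:10.219.102.11,3128,LAN [Drop] - [Inbound Default rule match]
Sat, 2003-03-15 05:41:01 - Administrator login fail, Access deny - IP:61.187.156.252
"""

# Assumption: these four ports together are the classic HTTP-proxy sweep set.
PROXY_PORTS = {80, 3128, 8000, 8080}

TS_RE = r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
# "TCP packet"/"TCP connection" lines; the optional "[HTTP]," tag sits between
# the destination port and "LAN" on well-known ports.
PACKET_RE = re.compile(
    TS_RE
    + r"TCP (?:packet|connection) - Source:(?P<src>[\d.]+),(?P<sport>\d+),WAN - "
    + r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+),(?:\[[^\]]+\],)?LAN "
    + r"\[(?P<action>Forward|Drop)\] - \[(?P<rule>[^\]]+)\]$"
)
ADMIN_RE = re.compile(TS_RE + r"Administrator login fail, Access deny - IP:(?P<src>[\d.]+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_log(text):
    """Return a list of event dicts; lines in neither format are skipped."""
    events = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            events.append({"kind": "packet", "ts": _ts(m["ts"]),
                           "src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"]),
                           "action": m["action"], "rule": m["rule"]})
            continue
        m = ADMIN_RE.match(line)
        if m:
            events.append({"kind": "admin_fail", "ts": _ts(m["ts"]), "src": m["src"]})
    return events


def summarize(events, window=timedelta(seconds=60)):
    """Per source address: ports probed, drop count, admin failures, and flags.

    A flag is raised when the probed ports cover PROXY_PORTS, and when an
    admin login failure lies within `window` of a forwarded packet from the
    same address (the pairing the post asks about).
    """
    per_src = defaultdict(lambda: {"ports": set(), "forwarded": [],
                                   "dropped": 0, "admin_fail": []})
    for e in events:
        s = per_src[e["src"]]
        if e["kind"] == "packet":
            s["ports"].add(e["dport"])
            if e["action"] == "Forward":
                s["forwarded"].append(e)
            else:
                s["dropped"] += 1
        else:
            s["admin_fail"].append(e["ts"])

    findings = {}
    for src, s in per_src.items():
        flags = []
        if PROXY_PORTS <= s["ports"]:
            flags.append("proxy-port sweep")
        for fwd in s["forwarded"]:
            if any(abs(t - fwd["ts"]) <= window for t in s["admin_fail"]):
                flags.append("admin login failure within %ds of forwarded hit on port %d (%s)"
                             % (window.total_seconds(), fwd["dport"], fwd["rule"]))
                break
        findings[src] = {"ports": sorted(s["ports"]), "dropped": s["dropped"],
                         "admin_failures": len(s["admin_fail"]), "flags": flags}
    return findings


if __name__ == "__main__":
    for src, f in summarize(parse_log(SAMPLE_LOG)).items():
        print(src, f)
```

Feed it a real FR114P syslog capture instead of SAMPLE_LOG and the "forwarded hit near admin failure" flag is the line to look at first: it ties a packet that the router let through a port-forwarding rule to a login failure on the router itself from the same address, which is exactly the pairing worth raising with the vendor.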


