
Attacks? Or not attacks? That is the question


vince_


This is constant every day, second by second, on a friend's machine (taken from the firewall logs on the router).

Is it an ongoing attack, as I believe, or something else? It has been going on for a long time and has slowly got more active, to the point of being constant, as you can see from this short snippet. (I have removed the IP and replaced it, as you can see, with little stars: **.**.**.**)

 

13:19:20, 07 Sep. IN: BLOCK [16] Remote administration (TCP 162.219.57.18:8937->**.**.**.** on ppp0)
13:09:17, 07 Sep. IN: BLOCK [9] Packet invalid in connection (TCP 208.64.202.69:80->**.**.**.**.179:61457 on ppp0)
13:09:03, 07 Sep. IN: BLOCK [9] Packet invalid in connection (TCP 208.64.202.69:80->**.**.**.**.179:64507 on ppp0)
13:01:41, 07 Sep. IN: BLOCK [16] Remote administration (TCP 71.6.151.167:65244->**.**.**.**.147:80 on ppp0)
12:55:03, 07 Sep. IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.69:7547 <-->**.**.**.**:1024 [222.186.34.23:6000] CLOSED/SYN_SENT ppp0 NAPT)
12:53:02, 07 Sep. IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.69:7547 <-->**.**.**.**:1024 [222.186.34.23:6000] CLOSED/SYN_SENT ppp0 NAPT)
12:48:28, 07 Sep. IN: BLOCK [9] Packet invalid in connection (TCP 149.20.54.15:80->**.**.**.**:59678 on ppp0)
12:07:21, 07 Sep. IN: BLOCK [16] Remote administration (TCP 188.241.179.171:8105->**.**.**.**:22 on ppp0)
12:04:50, 07 Sep. IN: BLOCK [16] Remote administration (TCP 173.192.55.2:32314->**.**.**.**:22 on ppp0)
11:55:49, 07 Sep. IN: BLOCK [16] Remote administration (TCP 202.162.221.220:64009->**.**.**.**:22 on ppp0)
11:42:21, 07 Sep. IN: BLOCK [16] Remote administration (TCP 219.235.126.174:45822->**.**.**.**:22 on ppp0)
10:44:28, 07 Sep. IN: BLOCK [12] Spoofing protection (IGMP **.**.**.**->224.0.0.22 on ppp0)
09:50:23, 07 Sep. IN: BLOCK [16] Remote administration (TCP 199.87.232.185:3291->**.**.**.**:8080 on ppp0)
09:30:23, 07 Sep. IN: BLOCK [9] Packet invalid in connection (TCP 216.218.228.119:80->**.**.**.**:60702 on ppp0)
09:30:23, 07 Sep. IN: BLOCK [9] Packet invalid in connection (TCP 216.218.228.119:80->**.**.**.**:60695 on ppp0)
09:30:19, 07 Sep. IN: BLOCK [9] Packet invalid in connection (TCP 216.218.228.119:80->**.**.**.**:60702 on ppp0)
09:30:19, 07 Sep. IN: BLOCK [9] Packet invalid in connection (TCP 216.218.228.119:80->**.**.**.**:60695 on ppp0)
09:30:19, 07 Sep. BLOCKED 1 more packets (because of Spoofing protection)
09:30:17, 07 Sep. IN: BLOCK [12] Spoofing protection (IGMP**.**.**.**->224.0.0.22 on ppp0)
09:30:17, 07 Sep. IN: BLOCK [9] Packet invalid in connection (TCP 216.218.228.119:80->**.**.**.**:60702 on ppp0)
09:30:17, 07 Sep. IN: BLOCK [9] Packet invalid in connection (TCP 216.218.228.119:80->**.**.**.**:60695 on ppp0)
09:22:43, 07 Sep. IN: BLOCK [15] Default policy (TCP 66.193.112.93:443->**.**.**.**:52367 on ppp0)
09:22:08, 07 Sep. IN: BLOCK [15] Default policy (TCP 66.193.112.93:443->**.**.**.**:54821 on ppp0)
02:20:28, 07 Sep. IN: BLOCK [16] Remote administration (TCP 61.164.126.91:6000->**.**.**.**:8080 on ppp0)
02:17:10, 07 Sep. IN: BLOCK [16] Remote administration (TCP 123.126.133.131:48755->**.**.**.**:22 on ppp0)
 
 
I looked some of the IPs up and most are from China. The spoofing is new this week, and I have also noticed some that the Comodo firewall stops; I think an attempt at ARP poisoning, as it just says "network attack stopped: ARP". She's old and I dunno what to do; any help here would be good.
Is ARP (Address Resolution Protocol) poisoning an internal thing, i.e. you have to be on the network, or not? This may explain the spoofing on the router firewall log too, but again I have no knowledge of networking or hacking or attacks or anything much really; that's why I'm coming to see you guys to help me clarify so I can take appropriate action. I almost forgot: her IP changed the other day too, to an IP beginning with 31, and that's abnormal for her IP range, as I have been monitoring it for over a year now.
Thanks ever so for any help provided.
 
Vince_
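To see what the snippet above actually contains, here is an added example (not from the poster or the router vendor) that parses lines in this router's log format, counts the blocks per reason, lists which external sources probed which port, and sets aside anything the router accepted inbound rather than dropped. The sample lines are copied from the post above; the regular expressions are written against that format only.

```python
import re
from collections import Counter, defaultdict
# Router log lines in the format shown in the post above (destination masked by the poster).
SAMPLE_LOG = """\
13:19:20, 07 Sep. IN: BLOCK [16] Remote administration (TCP 162.219.57.18:8937->**.**.**.** on ppp0)
12:53:02, 07 Sep. IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.69:7547 <-->**.**.**.**:1024 [222.186.34.23:6000] CLOSED/SYN_SENT ppp0 NAPT)
12:07:21, 07 Sep. IN: BLOCK [16] Remote administration (TCP 188.241.179.171:8105->**.**.**.**:22 on ppp0)
10:44:28, 07 Sep. IN: BLOCK [12] Spoofing protection (IGMP **.**.**.**->224.0.0.22 on ppp0)
09:50:23, 07 Sep. IN: BLOCK [16] Remote administration (TCP 199.87.232.185:3291->**.**.**.**:8080 on ppp0)
09:30:17, 07 Sep. IN: BLOCK [12] Spoofing protection (IGMP**.**.**.**->224.0.0.22 on ppp0)
02:17:10, 07 Sep. IN: BLOCK [16] Remote administration (TCP 123.126.133.131:48755->**.**.**.**:22 on ppp0)
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d), (?P<date>\d\d \w{3})\. IN: (?P<action>BLOCK|ACCEPT) "
    r"\[(?P<rule>\d+)\] (?P<reason>[^(]+?) \((?P<detail>.*)\)$"
)
# Flow part of a BLOCK line: "TCP 1.2.3.4:8937->**.**.**.**:22 on ppp0"; ports are optional (IGMP has
# none) and the router sometimes omits the space after "IGMP".
FLOW_RE = re.compile(
    r"^(?P<proto>[A-Z]+) ?(?P<src>\S+?)(?::(?P<sport>\d+))?->(?P<dst>\S+?)(?::(?P<dport>\d+))? on (?P<iface>\w+)$"
)

def parse_line(line):
    """One log line -> dict, or None for lines outside the format (e.g. "BLOCKED 1 more packets" roll-ups)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    flow = FLOW_RE.match(rec["detail"])
    if flow:
        rec.update(flow.groupdict())
    return rec

def triage(log_text):
    """Count blocks per reason, list distinct sources per probed port, and collect inbound ACCEPTs."""
    by_reason = Counter()
    probes = defaultdict(set)  # destination port -> external source IPs blocked by the admin rule
    accepted = []              # inbound traffic the router let through; review these, not the blocks
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "ACCEPT":
            accepted.append(rec["detail"])
            continue
        by_reason[rec["reason"]] += 1
        if rec["reason"] == "Remote administration" and rec.get("dport"):
            probes[int(rec["dport"])].add(rec["src"])
    return {"by_reason": dict(by_reason), "probes": {p: sorted(s) for p, s in sorted(probes.items())}, "accepted": accepted}
```

The blocked admin-port probes to 22 and 8080 from unrelated sources are the background scanning any public address receives, and the firewall is doing its job on them; the one line worth a closer look is the ACCEPTed port forward to 192.168.1.69:7547, which is traffic the router let in rather than dropped.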

Thanks for the reply, David, it's appreciated indeed. :)

I did notice also that some ARP spoofing attempts have been getting through to the machine itself but have been blocked by the Comodo firewall. Is that OK, or something to be concerned about?

Thanks for your time, David.


All I know is that Comodo flagged 2 network intrusions, both spoofing of the Address Resolution Protocol, and a while ago she had more than her fair share of cross-site scripting attempts, which I think her security stopped, as it flagged them every day while she browsed the net; they have since stopped. How can I be sure it is an attack? Is there a very simple way? As you can probably tell, I'm a very, very simple guy. I did type arp -d into cmd to delete the old ARP entries and reset it, if that's correct to do.


The thing is, ARP spoofing requires a node to be on the LAN side of the router. Therefore one has to look at the big picture of the total network setup. For example, if the un-named router provides WiFi and said WiFi is unsecured and is allowing third parties to gain access to the LAN.

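Since the answer above turns on whether anything on the LAN is actually answering ARP for the gateway, here is an added example (not from either poster or from Comodo) of the check a defender would run on the Windows machine in question: it parses the output of arp -a and reports the two indicators that distinguish a real ARP spoof from a false positive. The arp -a text, the MAC addresses, the gateway address 192.168.1.1 and the recorded baseline are all constructed for illustration; only 192.168.1.69 and 224.0.0.22 come from the router log in the thread.

```python
import re
from collections import defaultdict

# Constructed Windows "arp -a" output; MACs are made up. 192.168.1.1 is the assumed gateway,
# 192.168.1.69 is the LAN host from the router log above, 224.0.0.22 is the multicast group seen there.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.69          00-11-22-33-44-55     dynamic
  192.168.1.200         66-77-88-99-aa-bb     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# Baseline recorded on a known-good day (constructed): the gateway IP and its genuine MAC.
KNOWN_GATEWAY = ("192.168.1.1", "aa-bb-cc-dd-ee-ff")

ENTRY_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$", re.I)

def parse_arp(text):
    """Return {ip: mac} for dynamic entries only. Static multicast/broadcast entries (01-00-5e-..,
    ff-ff-..) legitimately repeat or share MACs and must not be counted as spoofing."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def arp_findings(table, known_gateway=KNOWN_GATEWAY):
    """Two indicators of a real ARP spoof on the LAN:
    1. the gateway IP resolving to a MAC other than its recorded baseline;
    2. one MAC claiming several IPs (a spoofer impersonating the gateway still owns its own IP)."""
    findings = []
    gw_ip, gw_mac = known_gateway
    if gw_ip in table and table[gw_ip] != gw_mac.lower():
        findings.append(f"gateway {gw_ip} now maps to {table[gw_ip]}, baseline was {gw_mac}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings
```

Flushing the cache with arp -d removes stale entries but gives no reference to compare against; the baseline MAC is what makes the first check possible. A router that holds several addresses can legitimately trigger the second indicator on its own, so a duplicate MAC is a prompt to look, not proof by itself.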

So it is probably a false positive then, as it's only her machines that run on the network.

Well, thanks for clearing that up, David, you have been very helpful. I will now see if I can tell what is causing the false reading on the network, which is easier said than done, as it has happened twice that I have seen myself, as I'm not always around.

 

Thanks David for your time and help, you're a star, a twinkly helpful one :)
