Has my router been hacked?

Hello All

This morning, my ADSL wi-fi router's wired connection would not connect to
http or email services (nntp was OK though). My wi-fi connections through
the router were unaffected. Rebooting the router cured the problem but the
router log said the following (snipped for brevity):

09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:29 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:29 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:28 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:28 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:26 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:26 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:25 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:25 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:06 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:06 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:02 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/19/2004 23:59:51 192.168.1.10 login success

This last line is interesting - my login port is supposed to be a different
address!

What do all these smurfs mean? There were hundreds and hundreds of them.

My Wi-Fi has got 128 bit WEP enabled with a hex password (i.e. not a
passphrase)and my router firewall is enabled.

I have antivirus protection which is up-to-date and I run Adaware and Spybot
S&D almost daily.

I recognise the 212.159.XXX. octets as part of my ISP (Plusnet) issued IP
range (thus the 212.159.XXX.0 used is the base address), and I recognise
the PN DNS addresses in this list too.


The questions I want to put to you are:

1) What else can I glean from this log? Port 53 is the DNS port, and port
32768 according to http://grc.com is "Filenet TMS"


2) What do I need to do to stop this happening again? If someone can confirm
my suspicions i.e. it is a "smurf" hack attempt, I can get on Google and
read up of course.

Thanks in advance for your advice


Cheers

RMC

"(E-Mail Removed)" (E-Mail Removed) wrote in message
news:4153f543$0$747$(E-Mail Removed)
> Hello All
>
> This morning, my ADSL wi-fi router's wired connection would not
> connect to http or email services (nntp was OK though). My wi-fi
> connections through the router were unaffected. Rebooting the router
> cured the problem but the router log said the following (snipped for
> brevity):
>
> 09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768->>
> 212.159.13.50, 53 (from ATM Outbound)

Do I spot a 3Com router log? Looks very similar to mine.....

> What do all these smurfs mean? There were hundreds and hundreds of
> them.

http://www.cert.org/advisories/CA-1998-01.html

In a smurf attack, hacker using IP address A sends pings to your IP address
B. Your server is supposed to respond back to A with a "I'm here". However,
the hacker forges the source address of the ping and instead of your machine
sending it back to A, you send it on to C - who, the hacker hopes, gets
overwhelmed by incoming traffic.

> 2) What do I need to do to stop this happening again? If someone can
> confirm my suspicions i.e. it is a "smurf" hack attempt, I can get on
> Google and read up of course.

If it is a 3Com 754, Admin > Firewall > Advanced > WAN Ping Blocking - make
sure it's ticked.

You'll still see the smurf attempts in your log but you'll no longer respond
to external pings.

Grant

> Do I spot a 3Com router log? Looks very similar to mine.....

Spot on!
> If it is a 3Com 754, Admin > Firewall > Advanced > WAN Ping Blocking -
make
> sure it's ticked.

It is that model - I had already set it to ignore incoming ICMPs. I'll
double check it all tonight though. Thanks for the URL and advice.

On Fri, 24 Sep 2004 11:22:41 +0100, RMC wrote:

> Hello All
>
> I have antivirus protection which is up-to-date and I run Adaware and
> Spybot S&D almost daily.
>
Wow, why not get a decent OS?

Steve wrote:
> On Fri, 24 Sep 2004 11:22:41 +0100, RMC wrote:
>
>> Hello All
>>
>> I have antivirus protection which is up-to-date and I run Adaware
>> and Spybot S&D almost daily.
>>
> Wow, why not get a decent OS?

More to the point, how is any of that (including a different OS) going to
prevent hacking attempts into/onto a router??

On Sat, 25 Sep 2004 00:04:03 +0100, Kráftéé wrote:

> Steve wrote:
>> On Fri, 24 Sep 2004 11:22:41 +0100, RMC wrote:
>>
>>> Hello All
>>>
>>> I have antivirus protection which is up-to-date and I run Adaware and
>>> Spybot S&D almost daily.
>>>
>> Wow, why not get a decent OS?
>
> More to the point, how is any of that (including a different OS) going to
> prevent hacking attempts into/onto a router??

Never said it would, but if the OP feels the need to run the above
programmes daily then my advice stands - although changing email and web
browser maybe less disruptive.

On 24 Sep 2004 in uk.telecom.broadband, Steve wrote:

>Wow, why not get a decent OS?

belongs in alt.I.am.a.part-time.troll :-)

Steve <(E-Mail Removed)> wrote in newsan.2004.09.24.22.15.18.120988
@nospam.invalid:

>> I have antivirus protection which is up-to-date and I run Adaware and
>> Spybot S&D almost daily.
>>
> Wow, why not get a decent OS?

Because like it or not, Microsoft OSes are easy to use - especially if
people are familiar with them. I personally still run MS OSes at home
because everytime I have tried a different flavour of Linux, something
has broken that would take more knowledge than I have to fix and leave me
without a computer for that time.

Now the server platform I just built for work, that is running OpenBSD.

As for Spybot, that sucks. We had loads of PCs brought back from clients
over the past few weeks riddled with spyware that Spybot didn't even
blink at. Adaware cleaned it all off without any troubles.

--
Colin
*Drop DEAD from the email address to reply*

On Sat, 25 Sep 2004 22:37:07 +0000, cw wrote:

> Steve <(E-Mail Removed)> wrote in newsan.2004.09.24.22.15.18.120988
> @nospam.invalid:
>
>>> I have antivirus protection which is up-to-date and I run Adaware and
>>> Spybot S&D almost daily.
>>>
>> Wow, why not get a decent OS?
>
> Because like it or not, Microsoft OSes are easy to use - especially if
> people are familiar with them. I personally still run MS OSes at home
> because everytime I have tried a different flavour of Linux, something has
> broken that would take more knowledge than I have to fix and leave me
> without a computer for that time.

Winmodems being the main culprit - however, you can buy real modems
for less that the cost of licenses for windows and office apps etc - add
the additional hardware costs because your on-access virus scanner eats
CPU cycles.

But, as the OP feels the need to run these tools daily, however does that
compare to the one off hit of getting up and running? Linux these days is
pretty good at supporting devices and with mandrake installation can be a
breeze, you rarely get an installation that does not works, i.e. keyboard
screen, mouse and networking, compare that to installing windows and the
20 minute windows you have to install patches before you are hacked.

I have found that while MS systems mostly install okay (I still need to
download video and sound drivers separately), they tend to break; where as
linux, I sometime have to do some initial research it remains rock solid.

I agree people want to be up and running, which is why MS preinstalled is
of course easy (so would pre-installed linux), you just plug in and get
surfing, even if you have enabled automatic updates compare:


http://www.theregister.co.uk/2004/08..._in20_minutes/

With a bit so research trying to get up and running, who is better off
after an hour?

> Now the server platform I just built for work, that is running OpenBSD.

I looked at *bsd for my server but ruled it out because Java was so old.


> As for Spybot, that sucks. We had loads of PCs brought back from clients
> over the past few weeks riddled with spyware that Spybot didn't even
> blink at. Adaware cleaned it all off without any troubles.

Having had to clean up infected PCs, I have found spyware to find
things that adaware does not.

Anyway, I later said the OP should just change mail client and browser if
an new OS is beyond them, there is no reason to run a browser that gives
OS ownership because it duped the user into pressing yes to install some
ActiveX control or just viewing a JPEG.

As for trolling (not your accusation), just ask anyone that has lost data,
performance or receives spam if they are bothered about some peoples
sensitivities because I suggest using a cheaper, more secure and better
performant OS. Sure you spent money buying the latest "most secure, most
stable OS", then installed additional software like personal firewalls,
email filters and virus scanners - it does not necessarily mean better.

>>>> I have antivirus protection which is up-to-date and I run Adaware and
>>>> Spybot S&D almost daily.


I *am* the original poster.

Firstly, I said that I run the programs almost daily, so please don't
exaggerate. To say that I "feel the need" is also a bit of an overstatement
(possibly my fault for giving that impression I agree) - it is something I
do as a matter of rote habit and in actuality I run them less frquently than
I alluded to.

Secondly, the point of my post is a different subject. I would rather you
had started a fresh post instead of hijacking this one.

Thirdly, thanks to the people who came up with *helpful* comments - I have
not seen any repeat of the behaviour that caused my initial concern.

Best wishes

RMC