Has my router been hacked?

Discussion in 'Broadband' started by Guest, Sep 24, 2004.

  1. Guest

    Guest Guest

    Hello All

    This morning, my ADSL wi-fi router's wired connection would not connect to
    http or email services (nntp was OK though). My wi-fi connections through
    the router were unaffected. Rebooting the router cured the problem but the
    router log said the following (snipped for brevity):

    09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53 (from ATM Outbound)
    09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53 (from ATM Outbound)
    09/20/2004 00:01:29 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53 (from ATM Outbound)
    09/20/2004 00:01:29 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53 (from ATM Outbound)
    09/20/2004 00:01:28 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53 (from ATM Outbound)
    09/20/2004 00:01:28 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53 (from ATM Outbound)
    09/20/2004 00:01:26 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53 (from ATM Outbound)
    09/20/2004 00:01:26 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53 (from ATM Outbound)
    09/20/2004 00:01:25 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53 (from ATM Outbound)
    09/20/2004 00:01:25 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53 (from ATM Outbound)
    09/20/2004 00:01:06 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53 (from ATM Outbound)
    09/20/2004 00:01:06 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53 (from ATM Outbound)
    09/20/2004 00:01:02 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53 (from ATM Outbound)
    09/19/2004 23:59:51 192.168.1.10 login success

    This last line is interesting - my login port is supposed to be a different
    address!

    What do all these smurfs mean? There were hundreds and hundreds of them.

    My Wi-Fi has got 128 bit WEP enabled with a hex password (i.e. not a
    passphrase) and my router firewall is enabled.

    I have antivirus protection which is up-to-date and I run Adaware and Spybot
    S&D almost daily.

    I recognise the 212.159.XXX. octets as part of my ISP (Plusnet) issued IP
    range (thus the 212.159.XXX.0 used is the base address), and I recognise
    the PN DNS addresses in this list too.


    The questions I want to put to you are:

    1) What else can I glean from this log? Port 53 is the DNS port, and port
    32768 according to http://grc.com is "Filenet TMS".


    2) What do I need to do to stop this happening again? If someone can confirm
    my suspicions i.e. it is a "smurf" hack attempt, I can get on Google and
    read up of course.

    Thanks in advance for your advice


    Cheers

    RMC
     
    Guest, Sep 24, 2004
    #1

  2. Guest

    Grant Guest

    Do I spot a 3Com router log? Looks very similar to mine.....
    http://www.cert.org/advisories/CA-1998-01.html

    In a smurf attack, a hacker using IP address A sends pings to your IP address
    B. Your server is supposed to respond back to A with an "I'm here". However,
    the hacker forges the source address of the ping and, instead of your machine
    sending it back to A, you send it on to C - who, the hacker hopes, gets
    overwhelmed by incoming traffic.
    If it is a 3Com 754, Admin > Firewall > Advanced > WAN Ping Blocking - make
    sure it's ticked.

    You'll still see the smurf attempts in your log but you'll no longer respond
    to external pings.
     
    Grant, Sep 24, 2004
    #2
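    As an added example (not from this thread, and not 3Com's or Plusnet's code), a small Python triage script for router log excerpts in the format quoted above: it parses each **Smurf** line into its fields, counts alerts per source/destination/port flow, measures how tightly the burst is clustered in time, and flags any "login success" from a host other than the ones you expect to administer the router. The sample lines are constructed to mirror the post (the XXX octet is kept masked and the wrapped "(from ATM Outbound)" is rejoined onto one line), and the trusted admin host 192.168.1.1 is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the 3Com-style lines quoted in the post
# (the source octet is masked as XXX there, so it is kept masked here).
SAMPLE_LOG = """\
09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53 (from ATM Outbound)
09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53 (from ATM Outbound)
09/20/2004 00:01:29 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53 (from ATM Outbound)
09/19/2004 23:59:51 192.168.1.10 login success
"""

TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
ALERT_RE = re.compile(
    TS + r" \*\*(?P<kind>\w+)\*\* (?P<src>[^,\s]+), (?P<sport>\d+)->> "
    r"(?P<dst>[^,\s]+), (?P<dport>\d+) \(from (?P<iface>[^)]+)\)$"
)
LOGIN_RE = re.compile(TS + r" (?P<host>\S+) login success$")


def parse_line(line):
    """Return a dict for an alert or login line, or None for anything else."""
    for event, rx in (("alert", ALERT_RE), ("login", LOGIN_RE)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["event"] = event
            rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
            return rec
    return None


def summarize(text, trusted_admin_hosts):
    """Count alerts per (kind, src, dst, dport) flow, measure the burst window,
    and list admin logins from hosts outside the trusted set (an assumed set)."""
    flows, times, odd_logins = Counter(), [], []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["event"] == "alert":
            flows[(rec["kind"], rec["src"], rec["dst"], int(rec["dport"]))] += 1
            times.append(rec["ts"])
        elif rec["host"] not in trusted_admin_hosts:
            odd_logins.append((rec["ts"], rec["host"]))
    return {
        "alerts": sum(flows.values()),
        "by_flow": dict(flows),
        "burst_seconds": (max(times) - min(times)).total_seconds() if times else 0.0,
        "unexpected_logins": odd_logins,
    }
```

    Run it as `summarize(open("router.log").read(), {"192.168.1.1"})` against a full export; a flow count in the hundreds inside a window of a few seconds is the burst the original poster describes, and the login list is the part worth checking first.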

  3. Guest

    Guest Guest

    Grant
    Spot on!
    It is that model - I had already set it to ignore incoming ICMPs. I'll
    double check it all tonight though. Thanks for the URL and advice.
     
    Guest, Sep 24, 2004
    #3
  4. Guest

    Steve Guest

    Wow, why not get a decent OS?
     
    Steve, Sep 24, 2004
    #4
  5. Guest

    Kráftéé Guest

    More to the point, how is any of that (including a different OS) going to
    prevent hacking attempts into/onto a router??
     
    Kráftéé, Sep 25, 2004
    #5
  6. Guest

    Steve Guest

    Never said it would, but if the OP feels the need to run the above
    programmes daily then my advice stands - although changing email and web
    browser may be less disruptive.
     
    Steve, Sep 25, 2004
    #6
  7. Guest

    poster Guest

    belongs in alt.I.am.a.part-time.troll :)
     
    poster, Sep 25, 2004
    #7
  8. Guest

    cw Guest

    Because, like it or not, Microsoft OSes are easy to use - especially if
    people are familiar with them. I personally still run MS OSes at home
    because every time I have tried a different flavour of Linux, something
    has broken that would take more knowledge than I have to fix and leave me
    without a computer for that time.

    Now the server platform I just built for work, that is running OpenBSD.

    As for Spybot, that sucks. We had loads of PCs brought back from clients
    over the past few weeks riddled with spyware that Spybot didn't even
    blink at. Adaware cleaned it all off without any troubles.
     
    cw, Sep 25, 2004
    #8
  9. Guest

    Steve Guest

    Winmodems being the main culprit - however, you can buy real modems
    for less than the cost of licenses for Windows and Office apps etc - add
    the additional hardware costs because your on-access virus scanner eats
    CPU cycles.

    But, as the OP feels the need to run these tools daily, how does that
    compare to the one-off hit of getting up and running? Linux these days is
    pretty good at supporting devices, and with Mandrake installation can be a
    breeze; you rarely get an installation that does not work, i.e. keyboard,
    screen, mouse and networking. Compare that to installing Windows and the
    20 minute window you have to install patches before you are hacked.

    I have found that while MS systems mostly install okay (I still need to
    download video and sound drivers separately), they tend to break; whereas
    with Linux, although I sometimes have to do some initial research, it remains rock solid.

    I agree people want to be up and running, which is why MS preinstalled is
    of course easy (so would pre-installed linux), you just plug in and get
    surfing, even if you have enabled automatic updates compare:


    http://www.theregister.co.uk/2004/08/19/infected_in20_minutes/

    With a bit of research trying to get up and running, who is better off
    after an hour?
    I looked at *bsd for my server but ruled it out because Java was so old.

    Having had to clean up infected PCs, I have found spyware to find
    things that adaware does not.

    Anyway, I later said the OP should just change mail client and browser if
    a new OS is beyond them; there is no reason to run a browser that gives
    OS ownership because it duped the user into pressing yes to install some
    ActiveX control or just viewing a JPEG.

    As for trolling (not your accusation), just ask anyone that has lost data,
    performance or receives spam if they are bothered about some people's
    sensitivities because I suggest using a cheaper, more secure and better
    performing OS. Sure, you spent money buying the latest "most secure, most
    stable OS", then installed additional software like personal firewalls,
    email filters and virus scanners - it does not necessarily mean better.
     
    Steve, Sep 26, 2004
    #9
  10. Guest

    RMC Guest

    I have antivirus protection which is up-to-date and I run Adaware and

    I *am* the original poster.

    Firstly, I said that I run the programs almost daily, so please don't
    exaggerate. To say that I "feel the need" is also a bit of an overstatement
    (possibly my fault for giving that impression, I agree) - it is something I
    do as a matter of rote habit and in actuality I run them less frequently than
    I alluded to.

    Secondly, the point of my post is a different subject. I would rather you
    had started a fresh post instead of hijacking this one.

    Thirdly, thanks to the people who came up with *helpful* comments - I have
    not seen any repeat of the behaviour that caused my initial concern.

    Best wishes

    RMC
     
    RMC, Sep 26, 2004
    #10
  11. As the saying goes - Linux is only free if your time is worthless. I have
    been forced to use Linux in the past, and much prefer the simplicity of
    Windows. Drag and drop, everything looking the same and working the same
    (office suites, browsers etc), much easier for pretty much anyone to use.
    I've got better things to do with my time than fanny about trying to figure
    out which text file to edit, or how to re-compile my kernel, to get some
    obscure piece of hardware working. I'd much rather just let Windows find
    the driver from the supplied CD, which in my experience works almost every
    time.
     
    Simon Finnigan, Sep 26, 2004
    #11
  12. To be fair to the penguin, Linux has come on a fair bit in the last
    few years. Installation is no longer a job for a unix guru or serious
    nethead as it was when I installed RedHat the first time (1995 for the
    record). Nor is it quite so likely to be lacking driver support or to
    damage nonstandard hardware (said linux distro literally fried my
    Matrox card) tho it's still trickier to find and use drivers for many
    bits of kit. And consider MacOS, which is essentially another *nix
    clone and which is definitely in the "do not touch this button again"
    camp (ah, DA, we do miss him...).

    That said tho, even the latest Linux distros are still a way behind
    MS's offering when it comes to homogenous look and feel, installing
    hardware etc.
     
    Mark McIntyre, Sep 26, 2004
    #12
  13. Guest

    cw Guest

    I mostly had problems with sound, video and RAID controllers. The one
    winmodem I had problems with was built into a laptop and not easy or
    cheap to change.
    Well, to be honest, if someone needs to run tools like that daily, I'd
    suggest there's something wrong with the way they are keeping their PC. I
    hardly ever bother running either of those programs because when I do
    they never find anything.
    20 minutes is lucky, but if you know enough to reinstall windows you
    should know enough to make sure that you have a firewall ready before you
    put it on the net to patch. If you had a firewall running, then you could
    leave it on the net for hours and any intrusion attempts would be blocked
    anyway.
    Are you saying the bundled version of Java was out of date or they use
    Java which is an antiquated technology? Different 'flavours' of BSD will
    have different versions of software just as different distros of Linux
    do. It wouldn't exactly take much to upgrade.
    People have said that in the past; however, from my experience I have never
    had Adaware miss anything. This compared to last week when we had 5 PCs
    brought in during one morning. All were riddled with a variety of spyware
    that Spybot did not detect. Adaware cleaned them all with no problems.
    Spybot seems to be lagging in updates lately (no update since the 15th)
    whilst Adaware has updates listed on Thursday and yesterday.
    You kinda have to be careful with statements like that, not all *nix are
    secure out of the box and with some getting patches isn't as easy as
    clicking Windows Update from the start menu.

    I'm not getting into the which OS is better debate, just that when people
    are used to something it is difficult for them to adapt to something
    different.
    I know that with a lot of the various Linux distros you still have to
    shut off services and uninstall redundant stuff (my experience with
    Mandrake and Redhat was they installed multiple copies of different
    pieces of software that did exactly the same thing.)

    Like it or not, I can pretty much fix most of the things that go wrong
    with Windows OSes because I've spent so much time on it. I can easily get
    a box running to a point where I can say it is locked down and safe
    whilst all I can do so far with *nix is stop services running and then
    portscan it to see what is still listening.

    I'm waiting for the next version of Debian and then I'll give it a try.
    By then I should have enough cash to put together a cheap machine so it
    won't matter if I break things whilst my main PC is still running. Out of
    all the distros I tried, Debian seemed to feel the nicest and have the
    least amount of crap to it.

    Linux is not for everyone though. If it comes preinstalled and with
    support from the supplier then great - it would be no different to
    supporting a windows pc. Lack of accessible support is a major problem
    though.

    Christ that was an essay...I'm off
     
    cw, Sep 26, 2004
    #13