Has my router been hacked?

Hello All

This morning, my ADSL wi-fi router's wired connection would not connect to
http or email services (nntp was OK though). My wi-fi connections through
the router were unaffected. Rebooting the router cured the problem but the
router log said the following (snipped for brevity):

09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:29 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:29 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:28 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:28 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:26 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:26 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:25 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:25 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:06 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:06 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:02 **Smurf** 212.159.XXX.0, 32768->> 212.159.13.50, 53
(from ATM Outbound)
09/19/2004 23:59:51 192.168.1.10 login success

This last line is interesting - my login port is supposed to be a different
address!

What do all these smurfs mean? There were hundreds and hundreds of them.

My Wi-Fi has got 128 bit WEP enabled with a hex password (i.e. not a
passphrase)and my router firewall is enabled.

I have antivirus protection which is up-to-date and I run Adaware and Spybot
S&D almost daily.

I recognise the 212.159.XXX. octets as part of my ISP (Plusnet) issued IP
range (thus the 212.159.XXX.0 used is the base address), and I recognise
the PN DNS addresses in this list too.


The questions I want to put to you are:

1) What else can I glean from this log? Port 53 is the DNS port, and port
32768 according to http://grc.com is "Filenet TMS"


2) What do I need to do to stop this happening again? If someone can confirm
my suspicions i.e. it is a "smurf" hack attempt, I can get on Google and
read up of course.

Thanks in advance for your advice


Cheers

RMC

 

"" wrote in message

Do I spot a 3Com router log? Looks very similar to mine.....

http://www.cert.org/advisories/CA-1998-01.html

In a smurf attack, hacker using IP address A sends pings to your IP address
B. Your server is supposed to respond back to A with a "I'm here". However,
the hacker forges the source address of the ping and instead of your machine
sending it back to A, you send it on to C - who, the hacker hopes, gets
overwhelmed by incoming traffic.

If it is a 3Com 754, Admin > Firewall > Advanced > WAN Ping Blocking - make
sure it's ticked.

You'll still see the smurf attempts in your log but you'll no longer respond
to external pings.

 

Grant

Spot on!

It is that model - I had already set it to ignore incoming ICMPs. I'll
double check it all tonight though. Thanks for the URL and advice.

 

Wow, why not get a decent OS?

 

More to the point, how is any of that (including a different OS) going to
prevent hacking attempts into/onto a router??

 

Never said it would, but if the OP feels the need to run the above
programmes daily then my advice stands - although changing email and web
browser maybe less disruptive.

 

belongs in alt.I.am.a.part-time.troll

 

Because like it or not, Microsoft OSes are easy to use - especially if
people are familiar with them. I personally still run MS OSes at home
because everytime I have tried a different flavour of Linux, something
has broken that would take more knowledge than I have to fix and leave me
without a computer for that time.

Now the server platform I just built for work, that is running OpenBSD.

As for Spybot, that sucks. We had loads of PCs brought back from clients
over the past few weeks riddled with spyware that Spybot didn't even
blink at. Adaware cleaned it all off without any troubles.

 

Winmodems being the main culprit - however, you can buy real modems
for less that the cost of licenses for windows and office apps etc - add
the additional hardware costs because your on-access virus scanner eats
CPU cycles.

But, as the OP feels the need to run these tools daily, however does that
compare to the one off hit of getting up and running? Linux these days is
pretty good at supporting devices and with mandrake installation can be a
breeze, you rarely get an installation that does not works, i.e. keyboard
screen, mouse and networking, compare that to installing windows and the
20 minute windows you have to install patches before you are hacked.

I have found that while MS systems mostly install okay (I still need to
download video and sound drivers separately), they tend to break; where as
linux, I sometime have to do some initial research it remains rock solid.

I agree people want to be up and running, which is why MS preinstalled is
of course easy (so would pre-installed linux), you just plug in and get
surfing, even if you have enabled automatic updates compare:


http://www.theregister.co.uk/2004/08/19/infected_in20_minutes/

With a bit so research trying to get up and running, who is better off
after an hour?

I looked at *bsd for my server but ruled it out because Java was so old.

Having had to clean up infected PCs, I have found spyware to find
things that adaware does not.

Anyway, I later said the OP should just change mail client and browser if
an new OS is beyond them, there is no reason to run a browser that gives
OS ownership because it duped the user into pressing yes to install some
ActiveX control or just viewing a JPEG.

As for trolling (not your accusation), just ask anyone that has lost data,
performance or receives spam if they are bothered about some peoples
sensitivities because I suggest using a cheaper, more secure and better
performant OS. Sure you spent money buying the latest "most secure, most
stable OS", then installed additional software like personal firewalls,
email filters and virus scanners - it does not necessarily mean better.

 

I have antivirus protection which is up-to-date and I run Adaware and

I *am* the original poster.

Firstly, I said that I run the programs almost daily, so please don't
exaggerate. To say that I "feel the need" is also a bit of an overstatement
(possibly my fault for giving that impression I agree) - it is something I
do as a matter of rote habit and in actuality I run them less frquently than
I alluded to.

Secondly, the point of my post is a different subject. I would rather you
had started a fresh post instead of hijacking this one.

Thirdly, thanks to the people who came up with *helpful* comments - I have
not seen any repeat of the behaviour that caused my initial concern.

Best wishes

RMC

 

As the saying goes - Linux is only free if your time is worthless. I have
been forced to use Linux in the past, and much prefer the simplicity of
Windows. Drag and drop, everything looking the same and working the same
(office suites, browsers etc), much easier for pretty much anyone to use.
I`ve got better things to do with my time than fanny about trying to figure
out which text file to edit, or how to re-compile my kernel, to get some
obscure piece of hardware working. I`d much rather just let Windows find
the driver from the supplied CD, which in my experience works almost every
time.

 

To be fair to the penguin,, Linux has come on a fair bit in the last
few years. Installation is no longer a job for a unix guru or serious
nethead as it was when I installed RedHat the first time (1995 for the
record). Nor is it quite so likely to be lacking driver support or to
damage nonstandard hardware (said linux distro literally fried my
Matrox card) tho its still trickier to find and use drivers for many
bits of kit. And consider MacOS, which is essentially another *nix
clone and which is definitely in the "do not touch this button again"
camp (ah, DA, we do miss him...).

That said tho, even the latest Linux distros are still a way behind
MS's offering when it comes to homogenous look and feel, installing
hardware etc.

 

I mostly had problems with sound, video and RAID controllors. The one
winmodem I had problems with was built into a laptop and not easy or
cheap to change.

Well to be honest if someone needs to run tools like that daily, I'd
suggest there's something wrong with the way they are keeping their PC. I
hardly ever bother running either of those programs because when I do
they never find anything.

20 minutes is lucky, but if you know enough to reinstall windows you
should know enough to make sure that you have a firewall ready before you
put it on the net to patch. If you had a firewall running, then you could
leave it on the net for hours and any intrusion attempts would be blocked
anyway.

Are you saying the bundled version of Java was out of date or they use
Java which is an antiquated technology? Different 'flavours' of BSD will
have different versions of software just as different distros of Linux
do. It wouldn't exactly take much to upgrade.

People have said that in the past however from my experience I have never
had Adaware miss anything. This compared to last week when we had 5 pcs
brought in during one morning. All were riddled with a variety of spyware
that spybot did not detect. Adaware cleaned them all with no problems.
Spybot seems to be lagging in updates lately (no update since the 15th)
whilst Adaware has updates listed on Thursday and yesterday.

You kinda have to be careful with statements like that, not all *nix are
secure out of the box and with some getting patches isn't as easy as
clicking Windows Update from the start menu.

I'm not getting into the which OS is better debate, just that when people
are used to something it is difficult for them to adapt to something
different.
I know that with a lot of the various Linux distros you still have to
shut off services and uninstall redundant stuff (my experience with
Mandrake and Redhat was they installed multiple copies of different
pieces of software that did exactly the same thing.)

Like it or not, I can pretty much fix most of the things that go wrong
with Windows OSes because I've spent so much time on it. I can easily get
a box running to a point where I can say it is locked down and safe
whilst all I can do so far with *nix is stop services running and then
portscan it to see what is still listening.

I'm waiting for the next version of Debian and then I'll give it a try.
By then I should have enough cash to put together a cheap machine so it
won't matter if I break things whilst my main PC is still running. Out of
all the distros I tried, Debian seemed to feel the nicest and have the
least amount of crap to it.

Linux is not for everyone though. If it comes preinstalled and with
support from the supplier then great - it would be no different to
supporting a windows pc. Lack of accessible support is a major problem
though.

Christ that was an essay...I'm off