
Re: [LUG] Help!

On 15/05/13 14:27, Viv Griffin wrote:
> The reason I think it is being hacked is that the opendns report files are
> showing web sites accessed that have not been accessed by the computers in
> this house, and activity at times when the internet was not in use at all.
>
> Additionally, here is an excerpt from my router log. I am not sure if these
> kernel intrusions may be someone trying to log into the network,
> unsuccessfully.
>
> This is an excerpt from the log.
>
> May 15 11:25:52 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=4.79.142.206 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=225 ID=61440 PROTO=TCP SPT=44471 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
> May 15 11:25:52 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=4.79.142.206 DST=**************** LEN=44 TOS=0x00 PREC=0x80 TTL=225 ID=61440 PROTO=TCP SPT=44471 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
> There are a lot of these at different times, night and day. However, the
> src addresses are not all the same - many different ones so, thinking about
> it, it doesn't sound like these are indicating one person trying to hack
> into the system.
>

Gordon's reply is spot on: regarding this little snippet of log, the
relevant bit is the "DPT=139". Random machines, in this case a
(presumably) compromised zombie box in the States, are port scanning you.
They are sending packets to your local destination TCP port 139 which is
used by the Microsoft NetBIOS protocol. This and port 445 are both very
common targets for botnets scanning for weak Microsoft machines to
exploit, and this is what you are seeing in your log files.
Encouragingly, despite the rather dramatic sounding warnings ("user
alert kernel: intrusion...") your router is obviously correctly flagging
them as malicious and dropping them. It's entirely likely that you'll
see many other addresses probing many other ports, including 22 (for
SSH), 80 (for a webserver), 53 (DNS server) and so on. It's nothing to
worry about. What you do need to worry about is traffic passing out from
your network to unusual hosts, but I am not seeing any evidence of that
from the short chunk of log you have posted here.

Regarding your ADSL router, a quick check on Amazon reveals it does
indeed have WPS so you need to ensure that this has been disabled from
within the administration panel, which it sounds like you are now pretty
familiar with.

I can't tell if you're implying that you have definite proof of others
being inside your network - with WPA2 and a 60 character password it
doesn't seem likely. Watch the connected machines section of your
administration panel closely, and record the MAC addresses of any
connected devices. You should compare them with your actual devices' MAC
addresses to see if you have any unwanted guests.

Feel free to post any more information supporting your conclusions, but
this is looking very much like you have a healthy dose of paranoia but
maybe not quite the sufficient technical skills to actually understand
that the scary looking log output of your networking equipment is
actually completely normal and not really scary at all. On the other
hand you should probably be commended for even noticing in the first
place and then venturing on to a Linux mailing list to find out from
experts... Well played.

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
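The reply above makes three practical points: inbound SYNs to port 139/445 (and 22, 80, 53) are routine scanning the router is already dropping, outbound connections from the LAN to unusual hosts are the thing worth checking, and the connected-devices table should be compared against the MACs you actually own. The script below is an added example written for this page, not code from the thread or from the router vendor. It assumes the router logs one netfilter-style KEY=VALUE entry per line as in the posted excerpt, that `pppoa0` is the WAN interface, and it uses constructed sample lines (only the first two mirror the post; the other addresses are RFC 5737 documentation ranges).

```python
"""Summarise router 'Intrusion' log lines like those quoted in the thread.

Added example, not part of the original mailing-list post. Assumes the
netfilter-style KEY=VALUE format shown in the post (IN=, OUT=, SRC=, DST=,
PROTO=, DPT=, ...) and that the WAN side is the PPPoA interface pppoa0.
"""
import re
from collections import Counter, defaultdict

# Destination ports named in the reply and what usually listens on them.
PORT_NAMES = {
    22: "SSH",
    53: "DNS",
    80: "HTTP web server",
    139: "NetBIOS session (Microsoft file sharing)",
    445: "SMB over TCP (Microsoft file sharing)",
}

WAN_INTERFACE = "pppoa0"  # the ADSL link in the posted log (assumption)

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TIMESTAMP_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")

# Constructed sample: lines 1-2 mirror the post, the rest are made up for
# the example (198.51.100.x / 203.0.113.x are documentation addresses).
SAMPLE_LOG = """\
May 15 11:25:52 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=4.79.142.206 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=225 ID=61440 PROTO=TCP SPT=44471 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
May 15 11:25:52 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=4.79.142.206 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=225 ID=61440 PROTO=TCP SPT=44471 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
May 15 13:02:10 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=198.51.100.23 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=50 ID=1 PROTO=TCP SPT=6000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
May 15 22:40:01 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=203.0.113.9 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=48 ID=2 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 15 22:41:30 user alert kernel: Intrusion -> IN= OUT=pppoa0 MAC= SRC=192.168.1.20 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=51234 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
May 15 22:42:00 user notice kernel: unrelated line with no fields
"""


def parse_entry(line):
    """Return the fields of one 'Intrusion' line as a dict, or None otherwise."""
    if "Intrusion" not in line:
        return None
    ts = TIMESTAMP_RE.match(line)
    _, _, body = line.partition("->")
    fields = dict(FIELD_RE.findall(body))
    for key in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if fields.get(key, "").isdigit():
            fields[key] = int(fields[key])
    fields["timestamp"] = ts.group(1) if ts else None
    # Packets arriving on the WAN interface are inbound probes; packets
    # leaving via it come from inside the house, which is what matters.
    if fields.get("IN") == WAN_INTERFACE:
        fields["direction"] = "inbound"
    elif fields.get("OUT") == WAN_INTERFACE:
        fields["direction"] = "outbound"
    else:
        fields["direction"] = "other"
    return fields


def summarise(lines):
    """Count inbound probes per destination port and collect outbound hits."""
    entries = [e for e in (parse_entry(l) for l in lines) if e]
    inbound_by_port = Counter()
    sources = defaultdict(set)
    outbound = []
    for e in entries:
        if e["direction"] == "inbound":
            inbound_by_port[e.get("DPT")] += 1
            sources[e.get("DPT")].add(e.get("SRC"))
        elif e["direction"] == "outbound":
            outbound.append(e)
    return {
        "inbound_by_port": dict(inbound_by_port),
        "sources": {p: sorted(s) for p, s in sources.items()},
        "outbound": outbound,
    }


def report(lines):
    """Human-readable lines: routine inbound scanning first, outbound flagged."""
    s = summarise(lines)
    out = []
    for port, n in sorted(s["inbound_by_port"].items(), key=lambda kv: -kv[1]):
        name = PORT_NAMES.get(port, "other/unregistered")
        out.append(f"inbound probes to port {port} ({name}): {n} packet(s) "
                   f"from {len(s['sources'][port])} source(s), dropped by router")
    for e in s["outbound"]:
        out.append(f"OUTBOUND {e['timestamp']}: {e.get('SRC')} -> "
                   f"{e.get('DST')}:{e.get('DPT')} (check this host)")
    return out


def unknown_devices(connected, known):
    """MACs from the router's connected-devices table that are not yours."""
    norm = lambda m: m.strip().lower().replace("-", ":")
    return sorted({norm(m) for m in connected} - {norm(m) for m in known})


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
    # Constructed MACs: one owned laptop plus one entry not in the known list.
    print(unknown_devices(["AA:BB:CC:DD:EE:01", "aa-bb-cc-dd-ee-02"],
                          ["aa:bb:cc:dd:ee:01"]))
```

Run against a real log, the inbound section should be long and boring (many sources, ports 139/445/22 dominating), exactly as the reply describes; any line in the OUTBOUND section is the kind of evidence the reply says would actually support the "hacked" conclusion and deserves a look at which LAN device (`SRC`) generated it.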