
uk.telecom.broadband (UK broadband) (uk.telecom.broadband) Discussion of broadband services, technology and equipment as provided in the UK. Discussions of specific services based on ADSL, cable modems or other broadband technology are also on-topic. Advertising is not allowed.

Has my router been hacked?



 
 
  #1  
Old September 24th 04, 11:22 AM posted to uk.telecom.broadband
external usenet poster
 
Posts: n/a
Default Has my router been hacked?

Hello All

This morning, my ADSL wi-fi router's wired connection would not connect to
http or email services (nntp was OK though). My wi-fi connections through
the router were unaffected. Rebooting the router cured the problem but the
router log said the following (snipped for brevity):

09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768- 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768- 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:29 **Smurf** 212.159.XXX.0, 32768- 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:29 **Smurf** 212.159.XXX.0, 32768- 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:28 **Smurf** 212.159.XXX.0, 32768- 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:28 **Smurf** 212.159.XXX.0, 32768- 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:26 **Smurf** 212.159.XXX.0, 32768- 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:26 **Smurf** 212.159.XXX.0, 32768- 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:25 **Smurf** 212.159.XXX.0, 32768- 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:25 **Smurf** 212.159.XXX.0, 32768- 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:06 **Smurf** 212.159.XXX.0, 32768- 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:06 **Smurf** 212.159.XXX.0, 32768- 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:02 **Smurf** 212.159.XXX.0, 32768- 212.159.13.50, 53
(from ATM Outbound)
09/19/2004 23:59:51 192.168.1.10 login success

This last line is interesting - my login port is supposed to be a different
address!

What do all these smurfs mean? There were hundreds and hundreds of them.

My Wi-Fi has got 128 bit WEP enabled with a hex password (i.e. not a
passphrase) and my router firewall is enabled.

I have antivirus protection which is up-to-date and I run Adaware and Spybot
S&D almost daily.

I recognise the 212.159.XXX. octets as part of my ISP (Plusnet) issued IP
range (thus the 212.159.XXX.0 used is the base address), and I recognise
the PN DNS addresses in this list too.


The questions I want to put to you a

1) What else can I glean from this log? Port 53 is the DNS port, and port
32768 according to http://grc.com is "Filenet TMS"


2) What do I need to do to stop this happening again? If someone can confirm
my suspicions i.e. it is a "smurf" hack attempt, I can get on Google and
read up of course.

Thanks in advance for your advice


Cheers

RMC



  #2  
Old September 24th 04, 12:17 PM posted to uk.telecom.broadband
Grant
external usenet poster
 
Posts: 230
Default Has my router been hacked?

" wrote in message

Hello All

This morning, my ADSL wi-fi router's wired connection would not
connect to http or email services (nntp was OK though). My wi-fi
connections through the router were unaffected. Rebooting the router
cured the problem but the router log said the following (snipped for
brevity):

09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768-
212.159.13.50, 53 (from ATM Outbound)


Do I spot a 3Com router log? Looks very similar to mine.....

What do all these smurfs mean? There were hundreds and hundreds of
them.


http://www.cert.org/advisories/CA-1998-01.html

In a smurf attack, hacker using IP address A sends pings to your IP address
B. Your server is supposed to respond back to A with a "I'm here". However,
the hacker forges the source address of the ping and instead of your machine
sending it back to A, you send it on to C - who, the hacker hopes, gets
overwhelmed by incoming traffic.

2) What do I need to do to stop this happening again? If someone can
confirm my suspicions i.e. it is a "smurf" hack attempt, I can get on
Google and read up of course.


If it is a 3Com 754, Admin Firewall Advanced WAN Ping Blocking - make
sure it's ticked.

You'll still see the smurf attempts in your log but you'll no longer respond
to external pings.
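
An added example, not part of Grant's post or of the router's own tooling: a small parser for log entries in the format quoted at the top of the thread. It tallies each alert by source, destination, destination port and direction, so the logged fields can be compared with the ping-based description above. The sample lines are constructed from the quoted log, and the field names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the log quoted in the thread, including
# the usenet line wrap before "(from ATM Outbound)".
SAMPLE_LOG = """\
09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768- 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:33 **Smurf** 212.159.XXX.0, 32768- 212.159.13.49, 53
(from ATM Outbound)
09/20/2004 00:01:29 **Smurf** 212.159.XXX.0, 32768- 212.159.13.50, 53
(from ATM Outbound)
09/20/2004 00:01:02 **Smurf** 212.159.XXX.0, 32768- 212.159.13.50, 53
(from ATM Outbound)
09/19/2004 23:59:51 192.168.1.10 login success
"""

# Whitespace before "(from ...)" is optional, so wrapped entries still match.
ALERT_RE = re.compile(
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*(\w+)\*\* "
    r"([\w.]+), (\d+)-\s*([\w.]+), (\d+)\s*\(from (\w+) (\w+)\)"
)
LOGIN_RE = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ([\d.]+) login (\w+)")
TS_FMT = "%m/%d/%Y %H:%M:%S"  # the log uses month/day/year


def parse_alerts(text):
    """Return one dict per firewall alert entry found in the log text."""
    return [
        {"time": datetime.strptime(ts, TS_FMT), "label": label, "src": src,
         "sport": int(sport), "dst": dst, "dport": int(dport),
         "iface": iface, "direction": direction}
        for ts, label, src, sport, dst, dport, iface, direction
        in ALERT_RE.findall(text)
    ]


def summarise(text):
    """Group alerts into flows and list management logins with their source."""
    alerts = parse_alerts(text)
    times = [a["time"] for a in alerts]
    return {
        "flows": Counter((a["label"], a["src"], a["dst"], a["dport"],
                          a["direction"]) for a in alerts),
        "dest_ports": sorted({a["dport"] for a in alerts}),
        "span_seconds": (max(times) - min(times)).total_seconds() if times else 0,
        "logins": LOGIN_RE.findall(text),  # (timestamp, source IP, result)
    }
```

Calling `summarise()` on the full router log gives the count per flow and the time span it covers, plus every management login with the address it came from.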


  #3  
Old September 24th 04, 01:06 PM posted to uk.telecom.broadband
external usenet poster
 
Posts: n/a
Default Has my router been hacked?

Grant

Do I spot a 3Com router log? Looks very similar to mine.....


Spot on!
If it is a 3Com 754, Admin Firewall Advanced WAN Ping Blocking - make
sure it's ticked.


It is that model - I had already set it to ignore incoming ICMPs. I'll
double check it all tonight though. Thanks for the URL and advice.


  #4  
Old September 24th 04, 11:15 PM posted to uk.telecom.broadband
Steve
external usenet poster
 
Posts: 69
Default Has my router been hacked?

On Fri, 24 Sep 2004 11:22:41 +0100, RMC wrote:

Hello All

I have antivirus protection which is up-to-date and I run Adaware and
Spybot S&D almost daily.

Wow, why not get a decent OS?


  #5  
Old September 25th 04, 12:04 AM posted to uk.telecom.broadband
Kráftéé
external usenet poster
 
Posts: 126
Default Has my router been hacked?

Steve wrote:
On Fri, 24 Sep 2004 11:22:41 +0100, RMC wrote:

Hello All

I have antivirus protection which is up-to-date and I run Adaware
and Spybot S&D almost daily.

Wow, why not get a decent OS?


More to the point, how is any of that (including a different OS) going to
prevent hacking attempts into/onto a router??


  #6  
Old September 25th 04, 07:45 PM posted to uk.telecom.broadband
Steve
external usenet poster
 
Posts: 69
Default Has my router been hacked?

On Sat, 25 Sep 2004 00:04:03 +0100, Kráftéé wrote:

Steve wrote:
On Fri, 24 Sep 2004 11:22:41 +0100, RMC wrote:

Hello All

I have antivirus protection which is up-to-date and I run Adaware and
Spybot S&D almost daily.

Wow, why not get a decent OS?


More to the point, how is any of that (including a different OS) going to
prevent hacking attempts into/onto a router??


Never said it would, but if the OP feels the need to run the above
programmes daily then my advice stands - although changing email and web
browser may be less disruptive.
  #7  
Old September 25th 04, 08:56 PM posted to uk.telecom.broadband
poster
external usenet poster
 
Posts: 1,542
Default Has my router been hacked?

On 24 Sep 2004 in uk.telecom.broadband, Steve wrote:

Wow, why not get a decent OS?


belongs in alt.I.am.a.part-time.troll :-)
  #8  
Old September 25th 04, 11:37 PM posted to uk.telecom.broadband
cw
external usenet poster
 
Posts: 62
Default Has my router been hacked?

Steve wrote in newsan.2004.09.24.22.15.18.120988
@nospam.invalid:

I have antivirus protection which is up-to-date and I run Adaware and
Spybot S&D almost daily.

Wow, why not get a decent OS?


Because like it or not, Microsoft OSes are easy to use - especially if
people are familiar with them. I personally still run MS OSes at home
because every time I have tried a different flavour of Linux, something
has broken that would take more knowledge than I have to fix and leave me
without a computer for that time.

Now the server platform I just built for work, that is running OpenBSD.

As for Spybot, that sucks. We had loads of PCs brought back from clients
over the past few weeks riddled with spyware that Spybot didn't even
blink at. Adaware cleaned it all off without any troubles.

--
Colin
*Drop DEAD from the email address to reply*
  #9  
Old September 26th 04, 11:59 AM posted to uk.telecom.broadband
Steve
external usenet poster
 
Posts: 69
Default Has my router been hacked?

On Sat, 25 Sep 2004 22:37:07 +0000, cw wrote:

Steve wrote in newsan.2004.09.24.22.15.18.120988
@nospam.invalid:

I have antivirus protection which is up-to-date and I run Adaware and
Spybot S&D almost daily.

Wow, why not get a decent OS?


Because like it or not, Microsoft OSes are easy to use - especially if
people are familiar with them. I personally still run MS OSes at home
because every time I have tried a different flavour of Linux, something has
broken that would take more knowledge than I have to fix and leave me
without a computer for that time.


Winmodems being the main culprit - however, you can buy real modems
for less than the cost of licenses for windows and office apps etc - add
the additional hardware costs because your on-access virus scanner eats
CPU cycles.

But, as the OP feels the need to run these tools daily, however does that
compare to the one off hit of getting up and running? Linux these days is
pretty good at supporting devices and with mandrake installation can be a
breeze, you rarely get an installation that does not work, i.e. keyboard,
screen, mouse and networking, compare that to installing windows and the
20 minute window you have to install patches before you are hacked.

I have found that while MS systems mostly install okay (I still need to
download video and sound drivers separately), they tend to break; whereas
linux, I sometimes have to do some initial research, it remains rock solid.

I agree people want to be up and running, which is why MS preinstalled is
of course easy (so would pre-installed linux), you just plug in and get
surfing, even if you have enabled automatic updates compa


http://www.theregister.co.uk/2004/08..._in20_minutes/

With a bit of research trying to get up and running, who is better off
after an hour?

Now the server platform I just built for work, that is running OpenBSD.


I looked at *bsd for my server but ruled it out because Java was so old.


As for Spybot, that sucks. We had loads of PCs brought back from clients
over the past few weeks riddled with spyware that Spybot didn't even
blink at. Adaware cleaned it all off without any troubles.


Having had to clean up infected PCs, I have found spyware to find
things that adaware does not.

Anyway, I later said the OP should just change mail client and browser if
a new OS is beyond them, there is no reason to run a browser that gives
OS ownership because it duped the user into pressing yes to install some
ActiveX control or just viewing a JPEG.

As for trolling (not your accusation), just ask anyone that has lost data,
performance or receives spam if they are bothered about some people's
sensitivities because I suggest using a cheaper, more secure and better
performant OS. Sure you spent money buying the latest "most secure, most
stable OS", then installed additional software like personal firewalls,
email filters and virus scanners - it does not necessarily mean better.
  #10  
Old September 26th 04, 12:11 PM posted to uk.telecom.broadband
RMC
external usenet poster
 
Posts: 21
Default Has my router been hacked?

I have antivirus protection which is up-to-date and I run Adaware and
Spybot S&D almost daily.



I *am* the original poster.

Firstly, I said that I run the programs almost daily, so please don't
exaggerate. To say that I "feel the need" is also a bit of an overstatement
(possibly my fault for giving that impression I agree) - it is something I
do as a matter of rote habit and in actuality I run them less frequently than
I alluded to.

Secondly, the point of my post is a different subject. I would rather you
had started a fresh post instead of hijacking this one.

Thirdly, thanks to the people who came up with *helpful* comments - I have
not seen any repeat of the behaviour that caused my initial concern.

Best wishes

RMC


 



