#1 Netgearcust, October 20th, 2008, 11:44 AM
Router Attacks

I bought a WPN-824-3 a couple months ago...I'm using it with a cable modem with Cox.net. Starting on Oct 9, I've gotten a number of DoS attacks and other funny stuff. Here's the log file. This is not the full file--it wouldn't fit in the forum rules. But I can e-mail it:

[admin login] from source 192.168.1.2, Sunday, October 19,2008 21:12:18
[email failed] , Sunday, October 19,2008 21:03:12
[email sent to: xxxxxx94@gmail.com] Sunday, October 19,2008 21:02:12
[email failed] , Sunday, October 19,2008 20:59:34
[email sent to: xxxxxx94@gmail.com] Sunday, October 19,2008 20:58:34
[Time synchronized with NTP server] Sunday, October 19,2008 20:57:57
[admin login] from source 192.168.1.2, Sunday, October 19,2008 20:57:47
[Time synchronized with NTP server] Sunday, October 19,2008 20:57:37
[DoS Attack: RST Scan] from source: 216.205.80.54, port 80, Sunday, October 19,2008 20:39:10
[DoS Attack: RST Scan] from source: 63.111.24.126, port 80, Sunday, October 19,2008 20:37:14
[admin login] from source 192.168.1.2, Sunday, October 19,2008 20:28:52
[admin login failure] from source 192.168.1.2, Sunday, October 19,2008 20:26:05
[Time synchronized with NTP server] Sunday, October 19,2008 20:23:06
[UPnP set event: add_nat_rule] from source 192.168.1.2, Sunday, October 19,2008 20:21:00
[DoS Attack: ACK Scan] from source: 38.99.76.164, port 80, Sunday, October 19,2008 20:17:20
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Sunday, October 19,2008 20:16:00
[DoS Attack: ACK Scan] from source: 38.99.76.164, port 80, Sunday, October 19,2008 20:14:11
[DHCP IP: 192.168.1.10] to MAC address 00:19:7e:5e:39:e2, Sunday, October 19,2008 20:02:25
[DHCP IP: 192.168.1.4] to MAC address 00:0c:41:24:ea:a8, Sunday, October 19,2008 19:39:04

[DoS Attack: ACK Scan] from source: 137.xxxxxxxxx, port 22, Friday, October 17,2008 13:28:01
[DoS Attack: RST Scan] from source: 75.249.253.16, port 1416, Friday, October 17,2008 13:02:06
[Internet connected] IP address: 68.xxxxxxxxxx, Friday, October 17,2008 12:46:58

[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Thursday, October 16,2008 12:22:27
[Internet connected] IP address: 68xxxxxxxxx, Thursday, October 16,2008 00:46:57
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Thursday, October 16,2008 00:22:27
[DoS Attack: RST Scan] from source: 208.117.236.73, port 80, Wednesday, October 15,2008 21:32:16
[DoS Attack: RST Scan] from source: 207.171.166.23, port 80, Wednesday, October 15,2008 21:31:06
[DoS Attack: RST Scan] from source: 65.207.183.126, port 80, Wednesday, October 15,2008 21:18:55
[DoS Attack: RST Scan] from source: 12.129.147.125, port 80, Wednesday, October 15,2008 21:12:16
[DoS Attack: RST Scan] from source: 17.250.236.65, port 443, Wednesday, October 15,2008 21:04:01
[Time synchronized with NTP server] Wednesday, October 15,2008 20:23:01
[DHCP IP: 192.168.1.4] to MAC address 00:0c:41:24:ea:a8, Wednesday, October 15,2008 20:04:56
[DoS Attack: ACK Scan] from source: 137.xxxxxxxxx, port 22, Wednesday, October 15,2008 18:34:58
[DoS Attack: RST Scan] from source: 69.48.237.54, port 80, Wednesday, October 15,2008 18:23:53
[DoS Attack: RST Scan] from source: 208.117.236.70, port 80, Wednesday, October 15,2008 18:23:32
[DoS Attack: RST Scan] from source: 88.40.122.100, port 30203, Wednesday, October 15,2008 17:29:48
[DoS Attack: RST Scan] from source: 208.117.236.70, port 80, Wednesday, October 15,2008 17:27:11
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Wednesday, October 15,2008 17:10:36
[DoS Attack: RST Scan] from source: 12.129.147.125, port 80, Wednesday, October 15,2008 16:19:35
[DoS Attack: RST Scan] from source: 17.149.160.45, port 80, Wednesday, October 15,2008 16:16:43
[DoS Attack: RST Scan] from source: 17.250.236.65, port 443, Wednesday, October 15,2008 16:15:48
[DHCP IP: 192.168.1.10] to MAC address 00:19:7e:5e:39:e2, Wednesday, October 15,2008 15:42:02
[DoS Attack: RST Scan] from source: 208.76.217.24, port 80, Wednesday, October 15,2008 15:08:58
[DoS Attack: RST Scan] from source: 207.171.166.72, port 80, Wednesday, October 15,2008 14:57:11
[DoS Attack: ACK Scan] from source: 67.228.60.143, port 443, Wednesday, October 15,2008 12:55:50
[Internet connected] IP address: 68.xxxxxxxx, Wednesday, October 15,2008 12:46:56
[DoS Attack: RST Scan] from source: 65.207.183.126, port 80, Wednesday, October 15,2008 11:23:07
[DHCP IP: 192.168.1.4] to MAC address 00:0c:41:24:ea:a8, Wednesday, October 15,2008 08:04:52
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Wednesday, October 15,2008 05:10:36
[Internet connected] IP address: 68.xxxxxxxx, Wednesday, October 15,2008 00:46:56
[Time synchronized with NTP server] Tuesday, October 14,2008 20:22:59
[DoS Attack: RST Scan] from source: 72.21.206.134, port 80, Tuesday, October 14,2008 19:14:36
[DoS Attack: RST Scan] from source: 64.154.82.173, port 80, Tuesday, October 14,2008 19:01:22
[DoS Attack: RST Scan] from source: 208.117.236.74, port 80, Tuesday, October 14,2008 18:50:31
[DoS Attack: RST Scan] from source: 216.205.81.51, port 80, Tuesday, October 14,2008 18:50:10
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Tuesday, October 14,2008 18:25:10

[DoS Attack: RST Scan] from source: 64.154.82.173, port 80, Monday, October 13,2008 07:44:52
[DoS Attack: RST Scan] from source: 65.212.121.26, port 80, Monday, October 13,2008 07:40:06
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Monday, October 13,2008 07:14:58
[DoS Attack: RST Scan] from source: 193.227.4.92, port 65237, Monday, October 13,2008 06:32:33
[Internet connected] IP address: 68.xxxxxxxxxx, Monday, October 13,2008 00:46:53
[Time synchronized with NTP server] Sunday, October 12,2008 20:22:57
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Sunday, October

[DoS Attack: RST Scan] from source: 12.129.147.125, port 80, Sunday, October 12,2008 10:44:15
[DoS Attack: RST Scan] from source: 64.154.82.173, port 80, Sunday, October 12,2008 10:34:51
[DoS Attack: RST Scan] from source: 208.117.236.69, port 80, Sunday, October 12,2008 10:20:54
[DoS Attack: RST Scan] from source: 64.154.82.173, port 80, Sunday, October 12,2008 10:09:25
[DoS Attack: RST Scan] from source: 208.117.236.70, port 80, Sunday, October 12,2008 09:44:34
[DoS Attack: RST Scan] from source: 64.154.82.173, port 80, Sunday, October 12,2008 09:19:50
[DoS Attack: RST Scan] from source: 64.191.203.30, port 80, Sunday, October 12,2008 07:45:58
[DoS Attack: RST Scan] from source: 63.241.84.101, port 80, Sunday, October 12,2008 07:36:26
[DoS Attack: RST Scan] from source: 64.191.203.30, port 80, Sunday, October 12,2008 07:31:52
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Sunday, October 12,2008 07:14:55
[Internet connected] IP address: 68.xxxxxxxxxx, Sunday, October 12,2008 00:46:52
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Saturday, October 11,2008 20:24:38
[Time synchronized with NTP server] Saturday, October 11,2008 20:22:55
[DoS Attack: ACK Scan] from source: 208.117.251.80, port 80, Saturday, October 11,2008 19:44:43
[DHCP IP: 192.168.1.10] to MAC address 00:19:7e:5e:39:e2, Saturday, October 11,2008 19:43:47
[DoS Attack: RST Scan] from source: 64.154.82.17, port 80, Saturday, October 11,2008 18:55:53
[DoS Attack: RST Scan] from source: 170.149.173.130, port 80, Saturday, October 11,2008 17:39:50
[DoS Attack: RST Scan] from source: 64.154.82.17, port 80, Saturday, October 11,2008 17:17:03

[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Thursday, October 09,2008 19:59:47
[DoS Attack: RST Scan] from source: 64.152.208.60, port 80, Thursday, October 09,2008 18:24:17
[DoS Attack: RST Scan] from source: 170.149.173.130, port 80, Thursday, October 09,2008 18:07:33
[DoS Attack: RST Scan] from source: 208.117.236.71, port 80, Thursday, October 09,2008 18:01:12
[DoS Attack: RST Scan] from source: 12.129.147.128, port 80, Thursday, October 09,2008 17:59:38
[DoS Attack: RST Scan] from source: 12.129.147.110, port 80, Thursday, October 09,2008 17:39:55
[DoS Attack: RST Scan] from source: 64.191.203.30, port 80, Thursday, October 09,2008 17:23:51
[DoS Attack: RST Scan] from source: 161.170.244.27, port 80, Thursday, October 09,2008 16:30:48
[DHCP IP: 192.168.1.10] to MAC address 00:19:7e:5e:39:e2, Thursday, October 09,2008 16:23:23
[DoS Attack: RST Scan] from source: 63.111.24.126, port 80, Thursday, October 09,2008 15:41:14

What I'm interested in is can anyone tell by this log whether or not these attacks were stopped by the Netgear router or did they get in. I xxxxx-ed out my IP address (and e-mail)...and the IP address (137...) of the person who might be behind this. The other IP addys are spoofed, but for this one the person used their real one, so I'm working on that.

To be honest, my CPU has been really slow over that period and my mouse was flaky a lot, so right now I'm assuming they got in. Big questions:

How do I reconfig the router to stop this from happening?

This entry:
[UPnP set event: add_nat_rule] from source 192.168.1.2, Sunday, October 19,2008 20:21:00

has me kind of worried. What is this? I didn't add this.

My cable isp--cox--won't/can't change the IP address. They say to wait 24 hours and the system will assign me a new one, but this hasn't worked in the past. Should I spoof the MAC address?

All of the admin logins are mine.

Thanks everybody for whatever help you can give.
#2 Mars Mug (Moderator), October 20th, 2008, 12:15 PM
Re: Router Attacks

I have not been through your log line by line but here are some points:

1. If you run P2P software expect to see these things in logs when you shut the P2P application down.
2. When I run Zone Alarm without a router I get hundreds or thousands of hits per week.
3. If it's in the log it was blocked.
4. You can still run a software firewall for extra cover, particularly useful with a mobile PC or laptop.
5. If you don't use UPnP turn the option off in the router settings, P2P software can use UPnP, I prefer to configure port forwarding myself. If you don't understand the risks of UPnP turn it off.
6. On many cable networks changing the MAC address the router reports will change your IP (there may be a delay during which time you lose the Internet). You can do this by alternating the router setting to use the router MAC or use the PC MAC.
7. Run a virus/spyware scan on your PC.
8. Much of the traffic you see in router logs or firewall logs is legitimate, only if you see the same IP address regularly should you take any real interest (if you want to).

Just my opinions
__________________
I don't work for Netgear.

My name is Andy.
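
An added example (not from either poster and not NETGEAR code): a small Python parser for the log format quoted in post #1, applying points 5 and 8 of the reply above. It lists sources that show up on more than one day and ties each UPnP `add_nat_rule` event to the requesting LAN host's MAC from the DHCP entries. The function names, the `min_days` threshold, and reading "regularly" as "on at least two distinct days" are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the log quoted in post #1 (the last one is cut off there too).
SAMPLE_LOG = """\
[UPnP set event: add_nat_rule] from source 192.168.1.2, Sunday, October 19,2008 20:21:00
[DoS Attack: ACK Scan] from source: 38.99.76.164, port 80, Sunday, October 19,2008 20:17:20
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Sunday, October 19,2008 20:16:00
[DoS Attack: ACK Scan] from source: 38.99.76.164, port 80, Sunday, October 19,2008 20:14:11
[DoS Attack: RST Scan] from source: 64.154.82.173, port 80, Tuesday, October 14,2008 19:01:22
[DoS Attack: RST Scan] from source: 64.154.82.173, port 80, Monday, October 13,2008 07:44:52
[DoS Attack: RST Scan] from source: 193.227.4.92, port 65237, Monday, October 13,2008 06:32:33
[DHCP IP: 192.168.1.2] to MAC address 00:0c:f1:56:98:ad, Sunday, October
"""

# "[event] detail, Weekday, Month DD,YYYY HH:MM:SS"; detail may be empty.
LINE = re.compile(r"^\[(?P<event>[^\]]+)\]\s*(?P<detail>.*?),?\s*"
                  r"\w+, (?P<ts>\w+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$")
SRC = re.compile(r"from source:? (?P<ip>[0-9.x]+)")  # x: octets redacted as posted
MAC = re.compile(r"to MAC address (?P<mac>[0-9a-f:]{17})")

def parse(text):
    """Return (events, unparsed_lines); truncated lines are set aside, not guessed at."""
    events, unparsed = [], []
    for raw in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(raw)
        if not m:
            unparsed.append(raw)
            continue
        when = datetime.strptime(m["ts"], "%B %d,%Y %H:%M:%S")
        events.append((m["event"], m["detail"], when))
    return events, unparsed

def triage(events, min_days=2):
    """Sources logged on >= min_days distinct days, plus UPnP requests with the host's MAC."""
    days, leases, upnp = defaultdict(set), {}, []
    for event, detail, when in events:
        src = SRC.search(detail)
        if event.startswith("DoS Attack") and src:
            days[src["ip"]].add(when.date())
        elif event.startswith("DHCP IP: "):
            mac = MAC.search(detail)
            leases[event[len("DHCP IP: "):]] = mac["mac"] if mac else None
        elif event.startswith("UPnP set event: ") and src:
            upnp.append((event.split(": ", 1)[1], src["ip"], when))
    recurring = sorted(ip for ip, seen in days.items() if len(seen) >= min_days)
    return recurring, [(rule, ip, leases.get(ip), when) for rule, ip, when in upnp]
```

Run `triage(parse(text)[0])` on the full saved log rather than the excerpt; a UPnP entry whose source has no matching DHCP lease comes back with `None` for the MAC and is the one to look at first.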