Review of my home broadband router logs (suspicious activity)

On Wed, 23 Dec 2015 18:19:36 -0500, Micky wrote:

I went out for a couple hours and when I tried it just now, the time
the log showed was 11 minutes later than the current time.

How do you know which one was right?

This is the current time...

http://www.time.gov/
 
On Wed, 23 Dec 2015 12:43:31 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Wed, 23 Dec 2015 11:19:48 -0500, Micky wrote:

Plus there are 20 pages of data, each requiring separate copying, so I
was hoping to get all 20 pages in one email.

Makes sense.

Let me know if you figure out the email because I didn't figure it
out myself on mine, and my firmware is fully up to date.

Well, I just googled and there is something called
SMTP Server / IP Address


How to Find My SMTP Server IP Address
http://www.ehow.com/how_5810894_smtp-server-ip-address.html
Click "Start," then "Run" and type "cmd" in the box that appears.

Press enter. A command window will appear.

Type "ping," a space and then the name of your SMTP Server. For
example, type "ping smtp.server.com" and press "Enter." The window
will then try to contact the SMTP server by the IP address. It will
say, "Pinging x.x.x.x with 32 bytes of data." The "x.x.x.x" will be
the SMTP server's IP address.


So I'm debating whether I should put [ ] around the number and then it
turns out, even without the [ ] there isn't enough room for the
entire number!! Even though it's the standard length 3,2,3,3 = 11
plus 3 dots. So I removed the smtp value and put only the IP
address, and sent it, and that didn't work either.
 
[snip]

> Encrypted packets will be scrabbled, so it is even more secure...

Scrabbled? You mean your router adds randomly-chosen letters to make new
words?

[snip]

--
2 days until the winter celebration (Friday December 25, 2015 12:00:00
AM for 1 day).

"[O]ld beliefs die hard even when demonstrably false." Edward O. Wilson,
Consilience: The Unity of Knowledge, (First edition, New York: Alfred A.
Knopf, 1998), p. 256.
 
On Wed, 23 Dec 2015 14:50:21 -0600, Sam E
<why.should.this@be.email.invalid> wrote:

Encrypted packets will be scrabbled, so it is even more secure...

Scrabbled? You mean your router adds randomly-chosen letters to make new
words?

My bad. I should have said gibberish that looks like Japanese
arithmetic.
 
On 12/23/2015 7:06 AM, Paul M. Cook wrote:
On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:

Playing on-line game? Kids do most of time.

Maybe. But is *that* what the error message says?

I guess I need to *experiment*, by asking the kid to play a few
games and then watch the router log file.

What is worrisome is that some of the entries don't come from
what I'd expect an online game to come from, e.g., Brazil,
Mexico, Japan, France, etc.

Turn OFF PING BACK.

In case it isn't already off. Then ask your IP for a new address - which
can be as simple as turning off your broadband router for five minutes.

John :-#)#

--
(Please post followups or tech inquiries to the USENET newsgroup)
John's Jukes Ltd. 2343 Main St., Vancouver, BC, Canada V5T 3C9
(604)872-5757 or Fax 872-2010 (Pinballs, Jukes, Video Games)
www.flippers.com
"Old pinballers never die, they just flip out."
 
John Robertson wrote:
On 12/23/2015 7:06 AM, Paul M. Cook wrote:
On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:

Playing on-line game? Kids do most of time.

Maybe. But is *that* what the error message says?

I guess I need to *experiment*, by asking the kid to play a few
games and then watch the router log file.

What is worrisome is that some of the entries don't come from
what I'd expect an online game to come from, e.g., Brazil,
Mexico, Japan, France, etc.



Turn OFF PING BACK.

In case it isn't already off. Then ask your IP for a new address - which
can be as simple as turning off your broadband router for five minutes.

John :-#)#

If you are worried, block the port and see what happens.
 
Paul M. Cook wrote:
Does this activity found accidentally in my home broadband wireless
router log seem suspicious to you?

Here is a screenshot of the suspicious log entries:
https://i.imgur.com/iZm1CCq.jpg

When "I" log into my router, I see a line like this: [Admin login]
from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15

But, I see the following (suspicious?) activity in my log file:

[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31

I don't know what this really means: "LAN access from remote".

Looking at the router wired & wireless list of devices, 192.168.1.5
seems to not be attached at the moment.

But, looking back, I can determine (from the MAC address) that it's
my child's Sony Playstation (which has "UPNP events" whatever they
are):

[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015 16:17:47
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
***************************************************************** Can
you advise me whether I should be worried that there are many LAN
accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************

You are seeing outside devices the "[LAN access from remote] from
93.38.179.187:9000" part, using port 9000 the ":9000 " part and trying
to connect to your child's sony playstation. Presumably he or she is
playing a game on-line and there is some sort of interactive content,
maybe voice or video message chat or something.

Since your router appears to support UPNP, it is probably automatically
opening connections on this port to allow network traffic like I
described above (some sort of online in-game chat or something).

I don't think it is something to be too concerned about, but if you are
concerned about this type of network traffic, you could either disable
UPNP on your router or maybe disable port 9000 in the firewall rules (if
the router supports this); of course this may disable the online gaming
capability of the Sony Playstation, much to your child's dismay.

Video games consoles that connect to the internet are likely sending all
sorts of traffic back and forth through your router. You might try
looking up what types of services typically use port 9000. I bet you
find that it is a typical port used by Sony Playstations for on-line
gaming. As everything from refrigerators to thermostats goes online there
will be much more unidentifiable traffic going through our routers.


Best of luck,

S Sinzig.
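The advice above amounts to a triage rule: an inbound "[LAN access from remote]" burst is less alarming when the same internal host has itself raised UPnP events (it asked for the port), and more worth checking when no such request exists. As an added example that is not part of the thread or of any Netgear software, the script below parses log lines in the shape quoted in the post, groups inbound events by internal host and port, notes whether that host appears in UPnP events, and flags ports with many distinct remote peers. The sample log is constructed from the values in the post, one event per line, and the `min_sources` threshold is an assumed tuning knob.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the same event shapes as the Netgear log quoted in the
# thread, one event per line (the post showed them run together).
SAMPLE_LOG = """\
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
"""

REMOTE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$"
)
UPNP_RE = re.compile(r"^\[UPnP set event: [^\]]+\] from source (?P<host>[\d.]+), (?P<when>.+)$")
TS_FMT = "%A, %b %d,%Y %H:%M:%S"   # matches "Saturday, Dec 19,2015 06:42:41"


def parse_remote_access(text):
    """Return the inbound 'LAN access from remote' events as dicts."""
    events = []
    for line in text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            events.append({
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "when": datetime.strptime(m["when"], TS_FMT),
            })
    return events


def upnp_hosts(text):
    """Internal hosts that asked the router, via UPnP, to open something."""
    hosts = set()
    for line in text.splitlines():
        m = UPNP_RE.match(line)
        if m:
            hosts.add(m["host"])
    return hosts


def summarize(events):
    """Per (internal host, internal port): distinct remote peers and the time span covered."""
    groups = defaultdict(lambda: {"sources": set(), "first": None, "last": None})
    for e in events:
        g = groups[(e["dst"], e["dport"])]
        g["sources"].add(e["src"])
        g["first"] = e["when"] if g["first"] is None else min(g["first"], e["when"])
        g["last"] = e["when"] if g["last"] is None else max(g["last"], e["when"])
    return groups


def classify(text, min_sources=5):
    """
    Label each (host, port) that received inbound traffic.  'upnp-opened' means the
    host itself raised UPnP events, consistent with the gaming explanation; an
    'unexplained-forward' means no UPnP request from that host appears in the log,
    so the router's port-forward / DMZ settings are the place to look next.
    '/many-peers' is appended when at least min_sources distinct remote IPs hit it.
    """
    openers = upnp_hosts(text)
    report = {}
    for (dst, dport), g in summarize(parse_remote_access(text)).items():
        peers = len(g["sources"])
        label = "upnp-opened" if dst in openers else "unexplained-forward"
        if peers >= min_sources:
            label += "/many-peers"
        span = int((g["last"] - g["first"]).total_seconds())
        report[(dst, dport)] = {"label": label, "peers": peers, "span_seconds": span}
    return report


if __name__ == "__main__":
    for (host, port), info in classify(SAMPLE_LOG).items():
        print(f"{host}:{port} -> {info}")
```

Run against a log saved from the router's Logs page, the report tells you whether each forwarded port lines up with a UPnP request from the same host; with UPnP disabled, as the poster did, any new "LAN access from remote" entries can only come from a static forward or DMZ rule, which makes the unexplained case easy to spot.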
 
On Wed, 23 Dec 2015 17:22:30 -0500, ssinzig wrote:

I don't think it is something to be too concerned about, but if you are
concerned about this type of network traffic, you could either disable
UPNP on your router or maybe disable port 9000 in the firewall rules

I disabled UPNP.
I'll tell the kid to watch out for stuff not working.
 
On Wed, 23 Dec 2015 11:24:16 -0500, Micky <NONONOmisc07@bigfoot.com>
wrote:

On Wed, 23 Dec 2015 11:02:44 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

So who is Dennis? 5 in the morning?
That's my time, right? or GMT?

I just logged into my Netgear WNDR3400v2 router, and went to the
advanced tab of Administration > Logs

It says on top of the window what time it "thinks" it is:
Current Time: Wednesday, Dec 23,2015 08:03:08

Mine doesn't show the time anywhere, but if yours shows the current
time, that's good enough for me.

I figured out a way to verify the time zone, and that's to watch the
log for a new event, or to create a new event, like by trying to send
an email (since I have all 5 kinds of events checked now).

So I did that a couple hours ago and the time that showed in the log
was 7 minutes later than the current time!

I went out for a couple hours and when I tried it just now, the time
the log showed was 11 minutes later than the current time.

Put that in your pipe and smoke it.

>>Looking at the clock, that's the local time in my time zone.
 
On Wed, 23 Dec 2015 23:50:41 -0000 (UTC), Oscar <oscar@notme.invalid>
wrote:

On Wed, 23 Dec 2015 18:19:36 -0500, Micky wrote:

I went out for a couple hours and when I tried it just now, the time
the log showed was 11 minutes later than the current time.

How do you know which one was right?

The current time was my computer which has maybe never been wrong, but
I checked it with my atomic clock, satellite clock whatever it is.

So, how was it 7 minutes later in the log than in reality? Later
meaning it had not yet reached that time.

And why did that change to 11 minutes?

This is the current time...

http://www.time.gov/
 
On 23/12/15 22:31, Paul M. Cook wrote:
On Wed, 23 Dec 2015 17:22:30 -0500, ssinzig wrote:

I don't think it is something to be too concerned about, but if you are
concerned about this type of network traffic, you could either disable
UPNP on your router or maybe disable port 9000 in the firewall rules

I disabled UPNP.
I'll tell the kid to watch out for stuff not working.

I suspect he'll tell you first ...

If you are that worried about it, why not put the Playstation in your
DMZ and firewall everything else reaching your LAN? Your kid would get
better gameplay that way.

--
Adrian C
 
Paul M. Cook wrote:
On Wed, 23 Dec 2015 17:22:30 -0500, ssinzig wrote:

I don't think it is something to be too concerned about, but if you are
concerned about this type of network traffic, you could either disable
UPNP on your router or maybe disable port 9000 in the firewall rules

I disabled UPNP.
I'll tell the kid to watch out for stuff not working.
Someone is connecting to one of your connected devices (192.168.1.5:
what is this in your family?) using port 9000. You can trace route the
other IP address to see what or who this belongs to. Trace route is a
DOS command.
 
On Thu, 24 Dec 2015 17:06:18 +0000, Adrian Caspersz wrote:

I suspect he'll tell you first ...

If you are that worried about it, why not put the Playstation in your
DMZ and firewall everything else reaching your LAN? Your kid would get
better gameplay that way.

I've heard the word "DMZ" for years, but I really don't know what it is.
So, AFAIK, I don't even *have* a DMZ.

My router is set up like most home routers, which is to say the only
thing that is not default is the SSID login/password and admin login/password.
 
On Thu, 24 Dec 2015 18:34:58 -0700, Tony Hwang wrote:

Someone is connecting to one of your connected devices (
what is this in your family?) using port 9000. You can trace route the
other IP address to see what or who this belongs to. Trace route is a
DOS command.

The 192.168.1.5 IP address belonged to the Sony Playstation.
So, for some reason, the port 9000 was being used.

What does this mean though?
Is this correct?

Assuming my static public IP address was 1.2.3.4, does this mean that someone,
on the Internet, was going to 1.2.3.4:9000, which, somehow (via magic of upnp?)
hit my router and then the router "port forwarded" it to the Sony Playstation at
192.168.1.5 at port 9000?
 
On Thu, 24 Dec 2015 14:56:48 -0600, Mark Lloyd wrote:

Yes, it will. The point of what I posted is that SSID blocking is NOT
useless. I didn't say anything about it being better than anything else.

Seems to me, that's a lousy tradeoff.

1. You turn off SSID broadcast at home, but that doesn't deter anyone
who knows what he's doing (since your laptop & phone has to broadcast
your hidden SSID to the router, since the router isn't broadcasting
the SSID to the laptop & phone).

2. And, since your laptop or phone doesn't know when it's at home or
at a local hotspot, your laptop and phone end up broadcasting your
SSID to the whole world when you're away from home.

Seems to me, that's a lousy tradeoff.

It's not privacy.
It's just stupidity.

Or ignorance.
 
Paul M. Cook wrote:
On Thu, 24 Dec 2015 17:06:18 +0000, Adrian Caspersz wrote:

I suspect he'll tell you first ...

If you are that worried about it, why not put the Playstation in your
DMZ and firewall everything else reaching your LAN? Your kid would get
better gameplay that way.

I've heard the word "DMZ" for years, but I really don't know what it is.
So, AFAIK, I don't even *have* a DMZ.

My router is set up like most home routers, which is to say the only
thing that is not default is the SSID login/password and admin login/password.
Lots of Googling. Practice makes perfection. A port can be open or closed.
When you close a port, something may not work because some ports are
used as default for certain things. An IP address is just like a unique
address; a port is like a gate. Even if you are knocking on the right
address, if the gate is not open, you can't get in (or communicate).
Sounds like you are just using the router with default settings.
Do you use an ad blocker, pop-up blocker, etc. on your browser or
router? You use W10?
 
On Thu, 24 Dec 2015 21:49:08 -0700, Don Y wrote:

An SSID that's not being broadcast will not disclose your AP when
you're not using it. But, it doesn't buy you much of anything.

I think we're sort of saying the same thing, but, I don't know if
we agree on the broadcast details.

We both agree that telling your ROUTER not to broadcast the SSID
is a false security measure.

But, fact is, you *must* broadcast your SSID somehow.

a. So, either the router broadcasts your SSID.
b. Or your mobile device broadcasts your SSID.

Here's how I understand it to work:

1. Let's assume your SSID is "DonY".
2. Let's assume you told your router *not* to broadcast your SSID.
3. Guess what happens when you boot your laptop?
a. Your laptop shouts out "Hey DonY, are you there?"
b. Your router answers "Yes. I am here. I was being quiet".
c. Your laptop connects to your router by that so-called hidden SSID.

Now, guess what your cellphone does?
HINT: Same thing.

So, guess what happens when you boot your laptop at a starbucks?
HINT: Your laptop shouts out "Hey DonY, are you here?"

So, in effect, an SSID that is not being broadcast *by your router*
at home, is broadcast *by your laptop* both at home, and at Starbucks.

If I'm wrong - someone will explain where - but that's how I understand it.

a. Either the router broadcasts the SSID,
b. Or the device does.
 
Paul M. Cook wrote:
On Thu, 24 Dec 2015 14:56:48 -0600, Mark Lloyd wrote:

Yes, it will. The point of what I posted is that SSID blocking is NOT
useless. I didn't say anything about it being better than anything else.

Seems to me, that's a lousy tradeoff.

1. You turn off SSID broadcast at home, but that doesn't deter anyone
who knows what he's doing (since your laptop & phone has to broadcast
your hidden SSID to the router, since the router isn't broadcasting
the SSID to the laptop & phone).

2. And, since your laptop or phone doesn't know when it's at home or
at a local hotspot, your laptop and phone end up broadcasting your
SSID to the whole world when you're away from home.

Seems to me, that's a lousy tradeoff.

It's not privacy.
It's just stupidity.

Or ignorance.
Hiding the SSID increases security? Wrong. Not much really.
A modem/router combo is always worse than a separate router.
Put the supplied modem in bridge mode and use your own router.
If you can't, or the ISP won't put it into bridge mode for you, there is
another way using DMZ in your modem. I have only a DOCSIS III cable modem;
my router at present is a Linksys EA8500 which has never gone down since
I first booted it in summer time. Very stable router.
 
On 25/12/15 04:36, Paul M. Cook wrote:
On Thu, 24 Dec 2015 17:06:18 +0000, Adrian Caspersz wrote:

I suspect he'll tell you first ...

If you are that worried about it, why not put the Playstation in your
DMZ and firewall everything else reaching your LAN? Your kid would get
better gameplay that way.

I've heard the word "DMZ" for years, but I really don't know what it is.
So, AFAIK, I don't even *have* a DMZ.

My router is set up like most home routers, which is to say the only
thing that is not default is the SSID login/password and admin login/password.

Well, out of the box is not going to do what you want.

However the WNDR3400v2 does support DMZ configuration. There are loads of
Netgear, web site and YouTube resources to help you do this.

But you must worry about other things. Are you sure letting a child play
some of these (mostly violent) video games is a sensible introduction to
becoming an adult?

--
Adrian C
 
On Thursday, December 24, 2015 at 8:35:57 PM UTC-8, Paul M. Cook wrote:
On Thu, 24 Dec 2015 18:34:58 -0700, Tony Hwang wrote:

Someone is connecting to one of your connected devices (
what is this in your family?) using port 9000.

The 192.168.1.5 IP address belonged to the Sony Playstation.
So, for some reason, the port 9000 was being used.

Right. The router is accepting back-traffic to one device (the Playstation)
on that one port.

Assuming my static public IP address was 1.2.3.4, does this mean that someone,
on the Internet, was going to 1.2.3.4:9000, which, somehow (via magic of upnp?)
hit my router and then the router "port forwarded" it to the Sony Playstation at
192.168.1.5 at port 9000?

Basically, yes. As long as it's ONLY talking to the Playstation, that probably means
that a game is soliciting the feedback (and not that anyone is
trying to attack your network). There's nothing special about '9000', it's
possible that other games use other ports.
 