D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-655 => Topic started by: krex on January 30, 2009, 02:22:56 PM

Title: Hundreds of blocked incoming TCP connection request
Post by: krex on January 30, 2009, 02:22:56 PM
Can anyone tell me why my router's log is full of this:

"Blocked incoming TCP connection request from xxx.xxx.xxx.xxx:yyyy to 85.66.51.76:xxxx"

..where xxx.xxx.xxx.xxx is an arbitrary IP address from outside and 85.66.51.76 is my ISP's host.
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: krex on January 30, 2009, 02:24:49 PM
and the same with "Blocked incoming UDP packet..."?  ???
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: EddieZ on January 30, 2009, 02:33:27 PM
What ports? If you use BT on the internal IP/port in the log, it means you're still announced as a file share (peer), but the router denies the data because you have already closed your BT client (which uses UPnP to open ports on the router).

Otherwise it just denied a request from the outside (http website) to a port on your PC that is not 'open'.

No worries, esp. when you set MAC filtering and security.  :)
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: krex on January 30, 2009, 03:05:01 PM
> What ports? If you use BT on the internal IP/port in the log, it means you're still announced as a file share (peer), but the router denies the data because you have already closed your BT client (which uses UPnP to open ports on the router).
>
> Otherwise it just denied a request from the outside (http website) to a port on your PC that is not 'open'.
>
> No worries, esp. when you set MAC filtering and security.  :)

Thanks for your response

These messages don't need a torrent client. They come during browsing. And yes, I use MAC filtering. But these messages mess up the log and fill it with unusable info. Does everyone have to live with this? Sad...  :(
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: EddieZ on January 30, 2009, 03:16:34 PM
> Thanks for your response
>
> These messages don't need a torrent client. They come during browsing. And yes, I use MAC filtering. But these messages mess up the log and fill it with unusable info. Does everyone have to live with this? Sad...  :(

If you had given it a good look you would have noticed that you can select/deselect the kind of info you want to record in the log. Use it...
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: krex on January 30, 2009, 03:34:53 PM
> If you had given it a good look you would have noticed that you can select/deselect the kind of info you want to record in the log. Use it...

Yes, I've noticed. But these are categorized under [INFO] priority. Should I deselect the [INFO] category? Since I bought this router I haven't noticed any log entry priority other than [INFO]...

And isn't it weird that the destination is my ISP's host? Why isn't it my router/computer?
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: EddieZ on January 30, 2009, 03:38:16 PM
Could be your PC is connecting to your ISP's DNS.... when you show the port numbers there's more to tell perhaps.

When deselecting [info] you'll lose all the [info] labeled lines, so you only get informed when really important stuff happens.
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: krex on January 30, 2009, 10:05:44 PM
> Could be your PC is connecting to your ISP's DNS.... when you show the port numbers there's more to tell perhaps.
>
> When deselecting [info] you'll lose all the [info] labeled lines, so you only get informed when really important stuff happens.

hello again...
Some examples from the log. What is interesting is that all the log entries I've copied in now were created last night while I was sleeping and the computer was switched off. So it isn't because I browsed the net...

Blocked incoming TCP connection request from 190.154.44.174:4154 to 85.66.51.76:4899
Blocked incoming TCP connection request from 210.47.224.6:4802 to 85.66.51.76:5906
Blocked incoming TCP connection request from 189.154.98.237:55321 to 85.66.51.76:5900
Blocked incoming TCP connection request from 61.164.112.200:6000 to 85.66.51.76:1433
Blocked incoming TCP connection request from 202.102.254.93:6000 to 85.66.51.76:2967
Blocked incoming TCP connection request from 99.243.230.206:52199 to 85.66.51.76:80
Blocked incoming TCP connection request from 99.243.230.206:52196 to 85.66.51.76:21
Blocked incoming TCP connection request from 221.176.4.19:111 to 85.66.51.76:111
Blocked incoming ICMP packet (ICMP type 8) from 85.66.15.235 to 85.66.51.76
Blocked incoming TCP packet from 60.28.2.79:80 to 85.66.51.76:2869 as RST:ACK received but there is no active connection
Blocked incoming TCP packet from 221.5.47.132:80 to 85.66.51.76:2869 as SYN:ACK received but there is no active connection
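Added example (not part of krex's post or of the router's firmware): a small Python parser that sorts the entries posted above into unsolicited connection probes, ICMP, and stray replies with no tracked connection, and names the service usually found on each probed port. The service labels are this example's own annotation, and UDP entries are left out because the thread shows no complete UDP line.

```python
import re
from collections import Counter
# Log entries copied from the post above.
LOG = """\
Blocked incoming TCP connection request from 190.154.44.174:4154 to 85.66.51.76:4899
Blocked incoming TCP connection request from 210.47.224.6:4802 to 85.66.51.76:5906
Blocked incoming TCP connection request from 189.154.98.237:55321 to 85.66.51.76:5900
Blocked incoming TCP connection request from 61.164.112.200:6000 to 85.66.51.76:1433
Blocked incoming TCP connection request from 202.102.254.93:6000 to 85.66.51.76:2967
Blocked incoming TCP connection request from 99.243.230.206:52199 to 85.66.51.76:80
Blocked incoming TCP connection request from 99.243.230.206:52196 to 85.66.51.76:21
Blocked incoming TCP connection request from 221.176.4.19:111 to 85.66.51.76:111
Blocked incoming ICMP packet (ICMP type 8) from 85.66.15.235 to 85.66.51.76
Blocked incoming TCP packet from 60.28.2.79:80 to 85.66.51.76:2869 as RST:ACK received but there is no active connection
Blocked incoming TCP packet from 221.5.47.132:80 to 85.66.51.76:2869 as SYN:ACK received but there is no active connection
"""

# Service labels are this example's own annotation, not router output.
SERVICES = {21: "FTP", 80: "HTTP", 111: "SunRPC portmapper", 1433: "MS SQL Server",
            2967: "Symantec AntiVirus", 4899: "Radmin"}

LINE = re.compile(
    r"Blocked incoming (?P<proto>TCP|ICMP) (?P<kind>connection request|packet)"
    r"(?: \(ICMP type (?P<icmp>\d+)\))? from (?P<src>[\d.]+)(?::\d+)?"
    r" to [\d.]+(?::(?P<dport>\d+))?(?: as (?P<flags>[A-Z:]+) received)?")

def service(port):
    if 5900 <= port <= 5999:          # VNC listens on 5900 + display number
        return "VNC"
    return SERVICES.get(port, f"unlisted port {port}")

def classify(line):
    """Return (category, detail, source_ip) for one log line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    if m["proto"] == "ICMP":          # type 8 is an echo request (ping)
        return ("icmp", f"type {m['icmp']}", m["src"])
    if m["flags"]:                    # reply to a connection the router no longer tracks
        return ("stray-reply", m["flags"], m["src"])
    return ("probe", service(int(m["dport"])), m["src"])

def summarize(log):
    # Count categories, and the services targeted by unsolicited probes.
    rows = [r for r in map(classify, log.splitlines()) if r]
    return (Counter(r[0] for r in rows),
            Counter(r[1] for r in rows if r[0] == "probe"))

if __name__ == "__main__":
    print(summarize(LOG))
```

Ports with no entry in the table, such as a torrent client's listening port, come back as "unlisted port N", so a log dominated by one such port stands out in the second counter.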
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: krex on January 31, 2009, 02:00:43 AM
Today most (99%) of the messages are Blocked incoming TCP connection request from [variable IP address] to 85.66.51.76:17241 (the port is the same, 17241, in every message)

I checked, this port is used by my torrent client...
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: EddieZ on January 31, 2009, 02:26:48 AM
So most questions answered I guess  :)

There are some strange ports trying to connect to your PC. Please do a thorough virus and malware scan.
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: krex on January 31, 2009, 09:05:13 AM
> So most questions answered I guess  :)
>
> There are some strange ports trying to connect to your PC. Please do a thorough virus and malware scan.

Ok, I've started a scan, but please explain to me where/how the virus runs when my computer was switched off at night?
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: EddieZ on January 31, 2009, 09:14:26 AM
A possible scenario is that you have some infection on your PC which has reported the IP it is on to a 'server'. This server will use that IP/location to send more infected data or newer versions of the infection. :-) Basically a zombie network.

Not saying it is, but this way your PC does not have to be turned on to receive connection attempts.
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: krex on January 31, 2009, 10:24:37 AM
Yes, it could be a possible scenario. I think I will renew my IP. Thanks.

[edit]

Isn't it possible that this is caused by a torrent tracker server?
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: EddieZ on January 31, 2009, 11:03:54 AM
Looking at the ports involved I don't think so. I guess you don't actually host (I don't mean acting as a temporary peer while downloading) torrents on your machine. This is a no-no for private home connections and will absolutely kill your connection.
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: yoder on February 01, 2009, 08:15:53 PM
I think this is pretty average...probably just random port scans from China. You can reverse lookup the IPs (http://whois.domaintools.com/) but if they resolve to anything it's probably just a slave machine anyway. Could be leftover traffic from a previous owner of your dynamically assigned IP as well.
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: EddieZ on February 02, 2009, 07:14:03 AM
Could be...the probed ports are kind of unexpected and there does not seem to be a clear pattern though.
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: EddieZ on February 02, 2009, 07:16:46 AM
Had a quick look: Ecuador and Mexico...the narcos are coming  :)
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: Lycan on February 02, 2009, 08:55:44 AM
Those regions are known for Zombie/Black Hat traffic. I had an FTP server have a dictionary hack attempt on it as well as a port scan from that region.
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: tentimes on February 10, 2009, 12:21:10 PM
I would advise you to run some additional tools other than your virus scanner:

- RUbotted, free from Trendmicro.com (install and keep running on all PCs, it will pick up very quickly any outgoing stuff that a virus scanner will sometimes NOT pick up). This might find something is running that is sending out information you are unaware of.

- Hijackthis (google it). Run it and look for any weird DLLs that are happening at startup - check the DLLs. I had a malware one in a startup DLL once that was never picked up by AVG or Spybot.

- A free rootkit checker (Sophos do one I think). Run it to check for stuff that, again, some virus scanners don't find.

- Spybot Search and Destroy (again free). Run at least once a week.

Also, if you are using Norton or McAfee, you may want to consider changing virus scanner.

In addition to known filesharing programs there are other downloaders that you may not realise are P2P. For example some MMORPG loaders (World of Warcraft, lottro), video download services running Kontiki which never shut down (Sky, BBC etc. video downloaders). All of these will have propagated your IP, and some other downloader might be running while you are asleep with cached IPs.

There is a lot more to security than your router ;)
Title: Re: Hundreds of blocked incoming TCP connection request
Post by: Lycan on February 10, 2009, 12:25:14 PM
Run a WAN-side packet capture. All you need is a PC and a hub. Then you'll know everything.