D-Link Forums
D-Link DSL Modem/Routers => DSL-2740B => Topic started by: Marninger on January 16, 2012, 01:26:47 AM
-
In the log of my DSL-2740B (HW E1, SW EU_5.14) there are several records of intrusion in red; some of them are pasted below.
Does this indicate the device is hacked or something . . and what can I do about it?
Jan 15 22:50:23 user alert kernel: Intrusion -> IN=atm0 OUT= MAC=1c:af:f7:bc:3e:80:00:1a:e3:dc:3f:80:08:00 SRC=85.25.135.70 DST=90.229.234.142 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=6201 PROTO=TCP SPT=55458 DPT=443 WINDOW=65535 RES=0x00 SYN URG
Jan 15 23:51:29 user alert kernel: Intrusion -> IN=atm0 OUT= MAC=1c:af:f7:bc:3e:80:00:1a:e3:dc:3f:80:08:00 SRC=124.133.243.65 DST=90.229.234.142 LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=256 PROTO=TCP SPT=6000 DPT=3389 WINDOW=16384 RES=0x00 SYN UR
Jan 16 02:34:30 user alert kernel: Intrusion -> IN=atm0 OUT= MAC=1c:af:f7:bc:3e:80:00:1a:e3:dc:3f:80:08:00 SRC=62.61.152.19 DST=90.229.234.142 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=4801 PROTO=TCP SPT=54942 DPT=443 WINDOW=65535 RES=0x00 SYN URG
Jan 16 04:38:43 user alert kernel: Intrusion -> IN=atm0 OUT= MAC=1c:af:f7:bc:3e:80:00:1a:e3:dc:3f:80:08:00 SRC=46.24.87.145 DST=90.229.234.142 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=44177 DF PROTO=TCP SPT=2212 DPT=5900 WINDOW=16384 RES=0x00 SYN
Jan 16 06:55:37 user alert kernel: Intrusion -> IN=atm0 OUT= MAC=1c:af:f7:bc:3e:80:00:1a:e3:dc:3f:80:08:00 SRC=144.16.64.2 DST=90.229.234.142 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=25193 DF PROTO=TCP SPT=9469 DPT=22 WINDOW=5840 RES=0x00 SYN URGP
Jan 16 08:36:34 user alert kernel: Intrusion -> IN=atm0 OUT= MAC=1c:af:f7:bc:3e:80:00:1a:e3:dc:3f:80:08:00 SRC=60.190.222.143 DST=90.229.234.142 LEN=40 TOS=0x00 PREC=0x00 TTL=101 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN UR
-
You need to identify whether the MAC address is on your current LAN-side network and identify where the SRC IP addresses are coming from.
Is 90.229.234.142 your WAN-side address by chance?
Use Domaintools.com to look up the IP addresses and their domains.
-
Thanks for trying to help out, FurryNutz!
I am not very competent in this field, but when I try to follow your advice this is what I have found out . . . but it still does not make much sense to me, and if you can provide further advice I would be very grateful!
The WAN-side address is 90.229.234.142, as you supposed.
This is the list of MAC addresses of connected clients:
00:0d:c5:d5:45:92
00:04:20:1a:cb:79
00:12:f0:76:82:51
00:0d:c5:d5:21:2c
00:04:20:12:6a:82
00:04:20:16:ca:40
00:0f:fe:6b:3c:4e
00:0d:9d:9a:93:97
. . . and two more no longer connected (IP cams).
For the first intrusion:
MAC is 1c:af:f7:bc:3e:80:00:1a:e3:dc:3f:80:08:00 . . . too many groups to be just one client?
1c:af:f7:bc:3e:7e/f are the MACs of the LAN and WiFi interfaces . . ?
SRC IP is pointing towards serverforyou.de . . . and I have no business with this company.
For the second intrusion:
MAC is the same.
SRC IP is pointing towards China Jinan Jinan-jinanqixiangbinwangba . . . and again I do not know this company.
For the third intrusion:
MAC is the same.
SRC IP is pointing towards Denmark Copenhagen Arrowhead A/s . . a Danish company I don't know anything more about.
For the fourth intrusion:
MAC is the same.
SRC IP is for Spain Vodafone Espana S.a.u (I am in Sweden!??)
For the fifth intrusion:
MAC is the same.
SRC IP is for India Hyderabad Electrical Communication Engineering . . . ?
Then for the sixth and last intrusion:
MAC is the same.
SRC IP is for China Zhejiang Ninbo Lanzhong Network Ltd . . . ?
-
These are probably firewall detection entries made by the modem. I would call D-Link and ask about these entries and whether the modem's firewall is working to protect against them and just logging them as such. Most modems and routers have very good firewall programming, and it's the job of the modem and router to report attacks to the logs. Ask them what the kernel "Intrusion" means. You might also have to contact your ISP and ask them too.
I don't have this modem; however, we do see firewall log entries on D-Link routers that give the IP addresses of who is trying to come in, and such, who are trying to attack or gain access or send junk packets. We don't see kernel "Intrusions" on routers, so I would be curious what D-Link says about this particular word and the meaning of it. I would talk to a level 2 tech person if possible and ask.
Let us know what they say.