Author Topic: how to detect botnet activity in the log  (Read 4065 times)

flipsetien

how to detect botnet activity in the log
« on: July 28, 2013, 05:01:16 AM »

My internet has been blocked by our provider because they have detected botnet activity in their routine check. I am now trying to find out which device in our network causes this, because all devices are scanned and found clean.

I'm using a DIR-655 with the latest firmware (2012).

I would think that something must be visible in the log of the botnet activity. But it all looks fairly normal. The parts in the log that I don't understand are:

Jul 28 00:06:46     info     UDHCPD sending OFFER of 192.168.0.111
Jul 28 00:06:46     debug     UDHCPD sendOffer : client is in lease/offered table
Jul 28 00:06:46     info     UDHCPD sendOffer : device_lan_ip=192.168.0.1 , device_lan_subnet_mask=255.255.255.0


The part below names IP addresses from our provider, so I think this is their check session:
Jul 27 19:17:30     info     using nameserver 62.238.255.69#53   
Jul 27 19:17:30     info     using nameserver 212.115.192.100#53   
Jul 27 19:17:30     info     reading /etc/resolv.conf      
Jul 27 19:17:29     debug     No DHCP ACK with option DHCP_STATIC_ROUTE
Jul 27 19:17:29     info     Lease of 213.34.238.239 obtained, lease time 86400




FurryNutz

Re: how to detect botnet activity in the log
« Reply #1 on: July 29, 2013, 08:45:09 AM »

Welcome!
  • What region are you located in?

UDHCP sending offer is a status message for when a device connects; it sends out an IP address to the connecting device.
Using nameserver is just status messages for DNS on what it found from your ISP.

All these are not bots or anything suspicious; they are log entries being reported by the router. These routers don't report bot-specific activity or like access, attack and network behavior.
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.
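
A small triage of the log format quoted in this thread, added here as an example (not part of any post and not D-Link code): it groups the quoted lines into LAN DHCP server, WAN DHCP client and DNS configuration messages, lists the LAN addresses handed out, and returns anything outside those groups for manual review. The category names and matching rules are assumptions based only on the lines shown above.

```python
import re
from collections import Counter

# Log lines copied from the question above (DIR-655 system log format).
SAMPLE_LOG = """\
Jul 28 00:06:46     info     UDHCPD sending OFFER of 192.168.0.111
Jul 28 00:06:46     debug     UDHCPD sendOffer : client is in lease/offered table
Jul 28 00:06:46     info     UDHCPD sendOffer : device_lan_ip=192.168.0.1 , device_lan_subnet_mask=255.255.255.0
Jul 27 19:17:30     info     using nameserver 62.238.255.69#53
Jul 27 19:17:30     info     using nameserver 212.115.192.100#53
Jul 27 19:17:30     info     reading /etc/resolv.conf
Jul 27 19:17:29     debug     No DHCP ACK with option DHCP_STATIC_ROUTE
Jul 27 19:17:29     info     Lease of 213.34.238.239 obtained, lease time 86400
"""

# timestamp, severity, message (columns are separated by runs of spaces)
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\w+)\s+(.*\S)\s*$")

# Assumed grouping of the message texts seen in this thread; extend as needed.
RULES = [
    ("lan-dhcp-server", re.compile(r"^UDHCPD\b")),
    ("wan-dhcp-client", re.compile(r"^(Lease of \S+ obtained|No DHCP ACK)")),
    ("dns-config", re.compile(r"^(using nameserver|reading /etc/resolv\.conf)")),
]
OFFER_RE = re.compile(r"^UDHCPD sending OFFER of (\d+\.\d+\.\d+\.\d+)$")


def triage(log_text):
    """Return (per-category counts, LAN IPs offered, lines needing review)."""
    counts, lan_clients, unclassified = Counter(), set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        message = m.group(3) if m else ""
        category = next((n for n, rx in RULES if rx.search(message)), None)
        if category is None:
            unclassified.append(line)  # malformed or unknown: keep for a human
            continue
        counts[category] += 1
        offer = OFFER_RE.match(message)
        if offer:
            lan_clients.add(offer.group(1))
    return counts, sorted(lan_clients), unclassified


if __name__ == "__main__":
    counts, clients, rest = triage(SAMPLE_LOG)
    print(dict(counts), clients, rest)
```

On the quoted lines every entry falls into one of the three routine groups and nothing is left for review, which matches the reply above: this log records address assignment and DNS setup, not per-device traffic.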

FurryNutz

Re: how to detect botnet activity in the log
« Reply #2 on: September 19, 2013, 12:03:35 PM »

Any status on this?  ???