Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Router/BB Issue

Options
  • 25-01-2006 9:51pm
    #1
    Ziycon
    Registered Users Posts: 1,987 ✭✭✭


    This is a buffalo router, anyone know what the below means? Is it an attack or what?

    Jan 25 20:46:05 user alert klogd: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=213.202.35.36 DST=213.202.135.205 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=13280 DF PROTO=TCP SPT=2174 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0

    Jan 25 20:46:08 user alert klogd: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=213.202.35.36 DST=213.202.135.205 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=13379 DF PROTO=TCP SPT=2174 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0

    Jan 25 20:49:25 user alert klogd: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=69.208.238.210 DST=213.202.135.205 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=47719 DF PROTO=TCP SPT=33794 DPT=4000 WINDOW=5840 RES=0x00 SYN URGP=0


Comments

  • Options
    #2
    winegum
    Closed Accounts Posts: 12 winegum


    Ziycon wrote:
    This is a buffalo router, anyone know what the below means? Is it an attack or what?

    Jan 25 20:46:05 user alert klogd: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=213.202.35.36 DST=213.202.135.205 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=13280 DF PROTO=TCP SPT=2174 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0

    Jan 25 20:46:08 user alert klogd: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=213.202.35.36 DST=213.202.135.205 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=13379 DF PROTO=TCP SPT=2174 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0

    Jan 25 20:49:25 user alert klogd: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=69.208.238.210 DST=213.202.135.205 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=47719 DF PROTO=TCP SPT=33794 DPT=4000 WINDOW=5840 RES=0x00 SYN URGP=0


    SRC is the source
    DST is the destination (you)
    PROTO is the protocol
    SPT is the source port
    DPT is the detination port (you)

    Port 139 is used in windows networking , port 4000 is probably a worm/trojian or someone scanning for one. Probably not someone scanning you in particular, you'll see a lot more of that type of thing


  • Options
    #3
    azzeretti
    Registered Users Posts: 1,477 ✭✭✭azzeretti


    I wouldn't worry about this at all. In fact, it could be that you initiated these connections (can't be sure without looking at the logs more). Port 139 is a Netbios request, which your router should drop and TCP 4000 is commonly used with streaming audio and video services. Uptodate AV software and OS patches on your clients and you'll be grand ;)


Advertisement