Solved

Router log contains "LAN access from remote" - Network intrusion?

Posted on 2008-06-20
23
16,542 Views
Last Modified: 2013-11-16
This log on my newly installed Netgear Router (firewall enabled) connected to 3 XP Boxes (Firewall enabled) and Windows server 2003 SBS (Single NIC, NO Firewall).  I am concerned - have some of these connections from foreign countries [LAN Access from remote] actually succeeded?
192.168.1.6 is my server, these other IP's from which the LAN access were initiated (ie 118.165.72.203) certainly are NOT me.  I looked these IP's up on http://www.dshield.org/ - these IP's are from China and UAE, etc!  Please let me know what else I need to do to lock down my server.

[LAN access from remote] from 118.165.72.203:3821 to 192.168.1.6:25
Thursday, Jun 19,2008 11:28:47
[Service blocked: ICMP_echo_req] from source 71.103.203.182, Thursday,
Jun 19,2008 10:13:04
[Service blocked: ICMP_echo_req] from source 71.103.105.208, Thursday,
Jun 19,2008 08:32:36
[LAN access from remote] from 221.139.104.39:42780 to 192.168.1.6:21
Thursday, Jun 19,2008 08:28:12
[Service blocked: ICMP_echo_req] from source 71.101.195.99, Thursday,
Jun 19,2008 07:52:37
[LAN access from remote] from 83.111.63.226:12024 to 192.168.1.6:3389
Thursday, Jun 19,2008 07:24:46
[Service blocked: ICMP_echo_req] from source 71.102.223.193, Thursday,
Jun 19,2008 06:21:52
[Service blocked: ICMP_echo_req] from source 71.102.223.193, Thursday,
Jun 19,2008 05:12:25
[Service blocked: ICMP_echo_req] from source 71.105.24.141, Thursday,
Jun 19,2008 02:46:08
[Service blocked: ICMP_echo_req] from source 71.105.183.154, Thursday,
Jun 19,2008 00:46:38
[LAN access from remote] from 118.169.198.85:39293 to 192.168.1.6:25
Wednesday, Jun 18,2008 23:51:56
[Service blocked: ICMP_echo_req] from source 71.103.173.182, Wednesday,
Jun 18,2008 22:18:56
[Service blocked: ICMP_echo_req] from source 71.100.169.111, Wednesday,
Jun 18,2008 22:04:52
[LAN access from remote] from 61.225.15.213:1103 to 192.168.1.6:25
Wednesday, Jun 18,2008 19:55:15
[Service blocked: ICMP_echo_req] from source 71.102.223.193, Wednesday,
Jun 18,2008 19:16:05
[Service blocked: ICMP_echo_req] from source 71.105.183.154, Wednesday,
Jun 18,2008 18:43:30
[Service blocked: ICMP_echo_req] from source 71.105.24.141, Wednesday,
Jun 18,2008 18:24:57
[LAN access from remote] from 203.95.109.29:35737 to 192.168.1.6:21
Wednesday, Jun 18,2008 18:19:31
[Service blocked: ICMP_echo_req] from source 71.103.233.234, Wednesday,
Jun 18,2008 17:46:10
[Service blocked: ICMP_echo_req] from source 71.102.225.97, Wednesday,
Jun 18,2008 16:53:51
[LAN access from remote] from 83.111.63.226:24036 to 192.168.1.6:3389
Wednesday, Jun 18,2008 16:48:19
[Service blocked: ICMP_echo_req] from source 71.103.64.184, Wednesday,
Jun 18,2008 16:20:29
[LAN access from remote] from 118.169.196.60:59823 to 192.168.1.6:25
Wednesday, Jun 18,2008 15:01:10
[Service blocked: ICMP_echo_req] from source 71.103.212.189, Wednesday,
Jun 18,2008 14:39:56
[Service blocked: ICMP_echo_req] from source 71.105.183.154, Wednesday,
Jun 18,2008 14:22:32
[Service blocked: ICMP_echo_req] from source 71.105.24.141, Wednesday,
Jun 18,2008 14:12:51
[Service blocked: ICMP_echo_req] from source 71.101.129.82, Wednesday,
Jun 18,2008 12:43:47
[Service blocked: ICMP_echo_req] from source 71.103.212.189, Wednesday,
Jun 18,2008 12:05:19
[LAN access from remote] from 218.97.254.203:33690 to 192.168.1.6:21
Wednesday, Jun 18,2008 11:38:31
[Service blocked: ICMP_echo_req] from source 71.103.212.189, Wednesday,
Jun 18,2008 11:03:50
[Service blocked: ICMP_echo_req] from source 71.103.223.130, Wednesday,
Jun 18,2008 10:55:38
[Service blocked: ICMP_echo_req] from source 71.103.206.98, Wednesday,
Jun 18,2008 10:51:15
[Service blocked: ICMP_echo_req] from source 71.101.124.160, Wednesday,
Jun 18,2008 10:49:51
[UPnP set event: Public_UPNP_C5] from source 192.168.1.6, Wednesday, Jun
18,2008 10:11:22
[Service blocked: ICMP_echo_req] from source 71.105.24.141, Wednesday,
Jun 18,2008 10:00:08
[Service blocked: ICMP_echo_req] from source 71.103.82.66, Wednesday,
Jun 18,2008 08:34:34
[Service blocked: ICMP_echo_req] from source 71.105.24.141, Wednesday,
Jun 18,2008 05:50:58
[Service blocked: ICMP_echo_req] from source 71.100.228.109, Wednesday,
Jun 18,2008 02:50:36
[Service blocked: ICMP_echo_req] from source 71.105.24.141, Wednesday,
Jun 18,2008 01:42:08
[Service blocked: ICMP_echo_req] from source 71.103.9.190, Tuesday, Jun
17,2008 22:50:16
[Service blocked: ICMP_echo_req] from source 71.105.24.141, Tuesday, Jun
17,2008 21:32:51
[Service blocked: ICMP_echo_req] from source 71.105.191.224, Tuesday,
Jun 17,2008 21:19:16
[Service blocked: ICMP_echo_req] from source 71.105.87.184, Tuesday, Jun
17,2008 18:06:25
[Service blocked: ICMP_echo_req] from source 71.101.177.146, Tuesday,
Jun 17,2008 17:02:29
[Service blocked: ICMP_echo_req] from source 71.104.155.194, Tuesday,
Jun 17,2008 11:41:33
[Service blocked: ICMP_echo_req] from source 71.104.252.102, Tuesday,
Jun 17,2008 11:19:04
[Service blocked: ICMP_echo_req] from source 71.101.177.6, Tuesday, Jun
17,2008 11:07:08
[Service blocked: ICMP_echo_req] from source 71.105.191.224, Tuesday,
Jun 17,2008 10:00:12
[Service blocked: ICMP_echo_req] from source 71.106.187.76, Tuesday, Jun
17,2008 09:57:20
[Service blocked: ICMP_echo_req] from source 71.103.195.212, Tuesday,
Jun 17,2008 09:39:03
[Service blocked: ICMP_echo_req] from source 71.102.90.176, Tuesday, Jun
17,2008 09:01:43
[Service blocked: ICMP_echo_req] from source 71.105.24.141, Tuesday, Jun
17,2008 08:55:17
[Service blocked: ICMP_echo_req] from source 71.104.155.194, Tuesday,
Jun 17,2008 07:45:14
[Service blocked: ICMP_echo_req] from source 71.105.49.38, Tuesday, Jun
17,2008 06:58:41
[Service blocked: ICMP_echo_req] from source 71.105.24.141, Tuesday, Jun
17,2008 04:46:33
[Service blocked: ICMP_echo_req] from source 71.101.124.160, Tuesday,
Jun 17,2008 02:33:34
[Service blocked: ICMP_echo_req] from source 71.105.24.141, Tuesday, Jun
17,2008 00:43:15
[Service blocked: ICMP_echo_req] from source 71.104.155.115, Monday, Jun
16,2008 21:20:50
[Service blocked: ICMP_echo_req] from source 71.105.96.203, Monday, Jun
16,2008 20:12:23
[Service blocked: ICMP_echo_req] from source 4.79.142.206, Monday, Jun
16,2008 18:20:38
0
Comment
Question by:erkwong
  • 11
  • 10
  • 2
23 Comments
 
LVL 12

Expert Comment

by:alikaz3
Comment Utility
118.169.196.60 taiwan
218.97.254.203 china
203.95.109.29 china
83.111.63.226 UAE

>>>[UPnP set event: Public_UPNP_C5] from source 192.168.1.6, Wednesday, Jun
18,2008 10:11:22

Looks like your server is using uPNP, which is disabled by default....... So I would be under the assumption that somebody turned it on for your server, installed something that turned it on, or your server is compromised. Read through this:

http://www.updatexp.com/upnp_security.html
0
 
LVL 12

Expert Comment

by:alikaz3
Comment Utility
>>>>Looks like your server is using uPNP, which is disabled by default. (on server 2003)
0
 
LVL 10

Expert Comment

by:rynox
Comment Utility
By the way it reads it looks at thought he router is allowing connections to SMTP (port 25), Telnet (port 21) and RDP (port 3389) through the router to the server. Is this by design, meaning have you specifically alolowed these connections through the router?  If UPnP is on on the server and on the router, and these services are running on the server, that my be why they are being opened.
0
 

Author Comment

by:erkwong
Comment Utility
Yes, I did use uPNP to allow server to setup the router - this is what allowed the access to the server?
If I run CIEIW (sp? Internet) wizard again without Upnp, will this close the holes?  
What could be the damage here?
0
 

Author Comment

by:erkwong
Comment Utility
I do plan to use RDP in the future, so I had selected that option to be enabled, but to my knowledge, the port list on the netgear firewall was blank - as in no ports forwarded to server - I will check again.  My server is OFF right now.
So if someone is able to access my server, are they able to access it's HD contents or do they still need to log in with my credentials?
0
 
LVL 10

Expert Comment

by:rynox
Comment Utility
Turn off UPnP on the server and the router, I recommend never using it, and would rather poke holes in my own firewall, not let some protocal decide what I need.,

Your router has a web interface, just go through the setup there, if you don't need port forwarding, don't enable any.  Turn off servises on the server that you don't need.  If you don't need SMTP, telnet or RDP, disable those services.

The damage?  Well if someone managed to connect via telnet or RDP and figured out a valid username and password, your server could be compromised.  Check the logs to determine if they did.  An open SMTP server may or may not cause you issues, depending on how it is configured, spammers could potentially use your server as a relay, and your IP could potentially be blacklisted.
0
 
LVL 12

Expert Comment

by:alikaz3
Comment Utility
looks like rynox has the explanation covered there, disabling it on just the router should take care of it.
0
 
LVL 12

Expert Comment

by:alikaz3
Comment Utility
* take care of turning off uPNP. once you get that far we can determine if it is the source of the issue.
0
 

Author Comment

by:erkwong
Comment Utility
Since I initially set Windows Server to enable the UPNP, shouldn't I go in there are disable it?
Would your recommend a reformat of the server?  It is brand new - I just finished setting it up.  So I will be sad to do that, but this sounds sufficiently serious to warrant that?
0
 
LVL 12

Expert Comment

by:alikaz3
Comment Utility
Reformat as a last resort. I'm still not sure what kind of issue we are dealing with here, note the ports that have been accessed

21 - FTP
25 - email
3389 RDP - [LAN access from remote] from 83.111.63.226:12024 to 192.168.1.6:3389
Thursday, Jun 19,2008 07:24:46

check that time there, see if you have any security logs showing a successful/unsuccessful login via RDP. If someone successfully got in...... big trouble
0
 

Author Comment

by:erkwong
Comment Utility
Which log is that?  
i have noticed TONS of security logs and thought that was weird - 20MB+ of "success audit" login.
I thought those were windows processes doing that, but now I am very concerned.

The thing is, Scanning the server with virus / spy software might not tell me anything if the hacker is trying to use the server for spamming or something else right?  

I am not at the server now, so I'll have to do this tonite / this weekend.
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 12

Expert Comment

by:alikaz3
Comment Utility
I would say it's probably more likely that you were attacked by a bot or spyware, than actually a person. The internet is totally crawling with bots and malware that can mass infect whole networks, and create "botnets".

http://en.wikipedia.org/wiki/Botnet

I remember reading an article somewhere talking about a newer internet bot that took over 400,000 systems.
0
 
LVL 12

Expert Comment

by:alikaz3
Comment Utility
Just open the security logs, and sort by date. Cross reference the date of the :3389 connection, and see if you can find if it succeeds or fails. There are probably tons of more requests on that port as well.... Try to find more and look up the security logs
0
 

Author Comment

by:erkwong
Comment Utility
OK, thanks I will check.
but is 20MB+ of security logs in the space of 3-4 days outside the realm of normal?
0
 
LVL 12

Expert Comment

by:alikaz3
Comment Utility
Ya that's alot.... if you have a bot in your server, that would definitely explain it.
0
 

Author Comment

by:erkwong
Comment Utility
OK, that settles it...reformat time.  #$%^&*!!!!!!!  Thanks.
0
 
LVL 12

Expert Comment

by:alikaz3
Comment Utility
Now looking at my security logs, it appears that I am using 20MB for ALL of my security logs (server has been up for 3+ mo)
0
 

Author Comment

by:erkwong
Comment Utility
Thanks for looking.  I will take a closer look at those logs.  From memory, i remember they were titled "Security Audit Success" and some had (when double clicked) - mentions of sucessful login / logout and one that mentioned Kerberos.  It is curious, however how this bot / people got in - I used fairly complex passwords with letters and numbers.  Or is the whole point that once exploiting the uPNP flaw, they are able to circumvent passwords and such?
0
 
LVL 12

Expert Comment

by:alikaz3
Comment Utility
I am really not sure of the details of how they got in, I am just speculating from the observations we've made. I've read on many sites that uPNP is a major security issue, and many system admins make common practice of disabling it. It's great on home networks, makes P2P software really easy to set up.

It could be that your system caught some spyware/malware right after windows installation, and before windows updates. You don't recall accidentally typo'ing a URL and hitting a typosquatted site do you?

And I am still not convinced enough to warrant a reinstall. Could you get a better router that would give you some more information than "LAN access from remote"? It's about the vaguest internet related message I've ever seen lol. How could it be LAN if it is remote?? You don't happen to have VPN on that router do you?
0
 

Author Comment

by:erkwong
Comment Utility
Yes I am looking at some other routers now.  Are cisco 851 very difficult to config?

No, I don't think I went to any random sites after windowsupdate.  IE was pretty restrictive when I even tried to d/l and install acrobat.  I had to d/l acrobat off of another computer to install.

0
 
LVL 12

Accepted Solution

by:
alikaz3 earned 500 total points
Comment Utility
I have never set up a cisco so I'm not sure how difficult it is. I know they are the best, but looking at their site for configuration, it looks like most of it is config file based, like this:

!
interface BVI1
ip address 171.68.1.1 255.255.255.240
ip nat outside

!--- This is the inside global IP address.
!--- This is your public IP address and it is provided to you by your ISP.


So if you are comfortable with that, I'd say go for it. If you need help you can always ask on here.

If you want a sure-fire easy setup though, you might want to consider a simpler router. I like the Dlink DIR-655 http://www.dlink.com/products/?pid=530  about $115. Really easy to setup, and seems prett secure. Definitely a lot better than Netgear.

Did you have exchange running on the server? Have you set up any email accounts? I ask because you may have picked up malware through email. Did you have antivirus on the server? And if you are concerned about security, you should probably activate the server's software firewall. It is going to take some configuration to make sure all necessary ports are opened for lan/internet services. This will give you another layer of security, just in case your router's security is compromised.
0
 

Author Comment

by:erkwong
Comment Utility
Using one NIC - I cannot activate the SBS server windows firewall.  I was concerned about that.  
Now I am sitting here in front of the server - all I see is "Success Audit"
No explicit accesses via 3389 as you suggested I look for.

I am not running exchange yet.
But it is on my server.
0
 

Author Comment

by:erkwong
Comment Utility
I don't think anyone actually logged into the server - I didn't see any evidence of that in the logs.
However I did turn off UPnP on the router and disabled remote login / everything remote of the server until I can get a better hardware vpn and a better understanding of this setup.  Thanks.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now