Standard User Croftie
(member) Tue 27-Mar-12 21:59:09
Alert in modem log

Just noticed this entry in the Huawei log, anything to worry about?

2012-3-13 16:18:6 Alert 10400 Intrusion -> IN=ptm1.301 OUT= MAC=bc:76:70:ae:d1:c7:00:14:f6:68:68:78:08:00:45:00:00:34 SRC=10.160.168.136 DST=30.117.147.202 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=60811 DF PROTO=TCP SPT=51043 DPT=161 WINDOW=5840 RES=0x00 SYN URGP=0
Standard User Moradin
(member) Wed 28-Mar-12 13:24:46
Re: Alert in modem log
[re: Croftie]

asbokid is probably the only person on here who would know.............

-----------------------------------------------
December PCP to postcode checker
https://www.google.com/fusiontables/DataSource?snapi...
My Broadband Speed Test
Standard User techguy
(committed) Wed 28-Mar-12 14:17:22
Re: Alert in modem log
[re: Moradin]

Hi, looks like a port scan; the source IP is from the range reserved for private networking (i.e. the LAN side of a NAT router).

If it's a modem/router you are using then it has probably got a firewall and would have either responded that the ports were closed or not responded at all.

Either way I wouldn't worry.

If you can advise the make/model of the modem or router I can advise a little further, or is this in the logs of the Huawei modem?

Virgin (ADSL) => Namesco => Newnet => O2 => Plusnet => Zen => Newnet => Zen Lite 8000
Note: I don't lay turf for anyone. astro or otherwise, all views and opinions expressed are my own based on experience.

Edited by techguy (Wed 28-Mar-12 14:18:17)


Standard User panda
(committed) Wed 28-Mar-12 14:21:05
Re: Alert in modem log
[re: Croftie]

IN=ptm1.301
The interface that the traffic hit.
OUT=
The traffic was not passed to another interface.
MAC=bc:76:70:ae:d1:c7:00:14:f6:68:68:78:08:00:45:00:00:34
MAC Address.
SRC=10.160.168.136
The source IP Address of the traffic
DST=30.117.147.202
The destination IP Address
LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=60811 DF
Length, Type of Service, Precedence, Time To Live, Packet number, Don't Fragment.
PROTO=TCP
Protocol
SPT=51043
The source port of the traffic
DPT=161
The destination port.
WINDOW=5840 RES=0x00 SYN URGP=0
Window size, Reserved field value, Synchronise flag is set and 'Urgent' flag status.

It's possible to spoof many of the fields to give false or nonsensical values, so the information is not necessarily accurate.


Eats shoots and leaves.
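
Added example, not part of any post in this thread: a short Python parser for the log line from the first post, splitting it into the fields listed above and checking the points raised in the replies (RFC 1918 source range, destination port, lone SYN flag). It assumes the line follows the Linux netfilter LOG layout, in which MAC= carries the destination MAC, source MAC and EtherType; the function names are illustrative.

```python
import ipaddress

# Log line copied from the first post in this thread.
SAMPLE = (
    "2012-3-13 16:18:6 Alert 10400 Intrusion -> IN=ptm1.301 OUT= "
    "MAC=bc:76:70:ae:d1:c7:00:14:f6:68:68:78:08:00:45:00:00:34 "
    "SRC=10.160.168.136 DST=30.117.147.202 LEN=52 TOS=0x00 PREC=0x00 "
    "TTL=61 ID=60811 DF PROTO=TCP SPT=51043 DPT=161 WINDOW=5840 "
    "RES=0x00 SYN URGP=0"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_log_line(line):
    """Split the part after '->' into KEY=value fields and bare flag words."""
    body = line.split("->", 1)[-1]
    fields, flags = {}, []
    for token in body.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value      # "OUT=" gives an empty string
        else:
            flags.append(token)      # DF, SYN, ...
    return fields, flags


def is_rfc1918(addr):
    """True if addr lies in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def summarise(line):
    fields, flags = parse_log_line(line)
    octets = fields.get("MAC", "").split(":")
    tcp = [f for f in flags if f in TCP_FLAGS]
    return {
        "in_if": fields["IN"],
        "forwarded": bool(fields["OUT"]),     # empty OUT= means not forwarded
        # Assumed netfilter layout: dst MAC, src MAC, then EtherType.
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "".join(octets[12:14]),  # "0800" is IPv4
        "src_private": is_rfc1918(fields["SRC"]),
        "dst_private": is_rfc1918(fields["DST"]),
        "dport": int(fields["DPT"]),
        "bare_syn": tcp == ["SYN"],           # connection attempt, no ACK
    }
```

Calling `summarise(SAMPLE)` returns a dictionary that can be compared against the field-by-field reading above and against a whois lookup of the DST address.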
Standard User panda
(committed) Wed 28-Mar-12 14:45:27
Re: Alert in modem log
[re: techguy]

Sub-interface 301 tends to be used for remote management, so this could be a packet from BT's management platform (hence the private address of the source).
[Further thoughts]
As the Destination port was 161 (which is used for SNMP) and it arrived on the management interface, I'm fairly sure this would be BT originated.


Eats shoots and leaves.

Edited by panda (Wed 28-Mar-12 14:56:13)

Standard User Croftie
(member) Wed 28-Mar-12 16:20:32
Re: Alert in modem log
[re: panda]

Moradin, I had asbokid in mind but there are also lots of other knowledgeable and clever chaps on this wonderful site.

techguy, indeed it is the Huawei modem HG612.

panda, thanks for the detailed reply. I hope it was BT, I wonder what they were up to, everything is as normal and stable atm fingers crossed.

Anyway, thanks all.
Standard User burakkucat
(experienced) Wed 18-Jul-12 20:04:11
Re: Alert in modem log
[re: Croftie]

In reply to a post by Croftie:
Just noticed this entry in the Huawei log, anything to worry about?
2012-3-13 16:18:6 Alert 10400 Intrusion -> IN=ptm1.301 OUT= MAC=bc:76:70:ae:d1:c7:00:14:f6:68:68:78:08:00:45:00:00:34 SRC=10.160.168.136 DST=30.117.147.202 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=60811 DF PROTO=TCP SPT=51043 DPT=161 WINDOW=5840 RES=0x00 SYN URGP=0
I realise this is from a few months ago but have you performed a whois (or the equivalent in BillyGatesWare) on the destination IP address logged?
OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
RegDate:
Updated: 2011-08-17
Ref: http://whois.arin.net/rest/org/DNIC
Eh ? . . . Uncle Sam's Department of Defence ??

Here is a link to an interesting blog [1]. Perhaps someone with a GEA service might like to investigate further?

[1] http://ukinfinity.wordpress.com/2012/06/05/welcome/

100% Linux and, previously, Unix.
Standard User jchamier
(knowledge is power) Wed 18-Jul-12 23:10:45
Re: Alert in modem log
[re: burakkucat]

In reply to a post by burakkucat:
Eh ? . . . Uncle Sam's Department of Defence ??


Guess - Some US Govt time server - wonder why DPT (Destination Port) is 161 (snmp) too !

James be* pro (16.8 / 1.2 sync) - BQM - FTTC cab installed 18-jun-2012 - not yet active - est 44.6 / 6.5

Edited by jchamier (Wed 18-Jul-12 23:11:23)

Standard User BatBoy
(legend) Wed 18-Jul-12 23:21:44
Re: Alert in modem log
[re: jchamier]

In reply to a post by jchamier:
wonder why DPT (Destination Port) is 161 (snmp) too !
The Huawei modem has a daemon called BTAgent listening on port 161.


_____________________________________________________________________________________________ this is not usenet __________________
Standard User jchamier
(knowledge is power) Thu 19-Jul-12 08:17:57
Re: Alert in modem log
[re: BatBoy]

In reply to a post by BatBoy:
In reply to a post by jchamier:
wonder why DPT (Destination Port) is 161 (snmp) too !
The Huawei modem has a daemon called BTAgent listening on port 161.


That'll do it :)

James be* pro (16.8 / 1.2 sync) - BQM - FTTC cab installed 18-jun-2012 - not yet active - est 44.6 / 6.5
Standard User Croftie
(member) Fri 24-Aug-12 08:14:05
Re: Alert in modem log
[re: burakkucat]

I had, yes, which is what made me post; as techguy points out, though, it's in a private range so nothing to worry about.

Still a bit miffed why it's flagged as an "alert" and "Intrusion", but it's disabled now so doesn't really matter.

Thanks for the link, it confirms private range and has some other interesting info that I don't quite understand. What exactly has he achieved in this post?
Standard User burakkucat
(experienced) Fri 24-Aug-12 14:36:52
Re: Alert in modem log
[re: Croftie]

In reply to a post by Croftie:
Thanks for the link, it confirms private range and has some other interesting info that I don't quite understand. What exactly has he achieved in this post?
Hi Croftie,

I am not absolutely sure and feel it is not sensible to speculate (especially on this forum, where things can rapidly go off at a tangent and then spiral out of control with the help of trolls). To gain a clear insight into what he reports, I would need to have access to an Openreach GEA service and then work through each step, carefully analysing the results that I obtain.

100% Linux and, previously, Unix.
Standard User Croftie
(member) Fri 24-Aug-12 19:41:37
Re: Alert in modem log
[re: burakkucat]

Hey, if you don't know, you don't know.
Standard User burakkucat
(experienced) Fri 24-Aug-12 19:46:52
Re: Alert in modem log
[re: Croftie]

;)

100% Linux and, previously, Unix.