|
Just noticed this entry in the Huawei log, anything to worry about?
2012-3-13 16:18:6 Alert 10400 Intrusion -> IN=ptm1.301 OUT= MAC=bc:76:70:ae:d1:c7:00:14:f6:68:68:78:08:00:45:00:00:34 SRC=10.160.168.136 DST=30.117.147.202 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=60811 DF PROTO=TCP SPT=51043 DPT=161 WINDOW=5840 RES=0x00 SYN URGP=0
|
|
asbokid is probably the only person on here who would know.............
|
|
Hi, looks like a port scan; the source IP is from the range reserved for private networking (i.e. the LAN side of a NAT router).
If it's a modem/router you are using then it has probably got a firewall and would have either responded the ports were closed or did not respond at all.
Either way I wouldn't worry.
If you can advise of the make/model of Modem or router I can advise a little further or is this in the logs of the Huawei modem?
Virgin (ADSL) => Namesco => Newnet => O2 => Plusnet => Zen => Newnet => Zen Lite 8000
Note: I don't lay turf for anyone. astro or otherwise, all views and opinions expressed are my own based on experience.
Edited by techguy (Wed 28-Mar-12 14:18:17)
|
|
|
IN=ptm1.301 - The interface that the traffic hit.
OUT= - The traffic was not passed to another interface.
MAC=bc:76:70:ae:d1:c7:00:14:f6:68:68:78:08:00:45:00:00:34 - MAC Address.
SRC=10.160.168.136 - The source IP Address of the traffic.
DST=30.117.147.202 - The destination IP Address.
LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=60811 DF - Length, Type of Service, Precedence, Time To Live, Packet number, Don't Fragment.
PROTO=TCP - Protocol.
SPT=51043 - The source port of the traffic.
DPT=161 - The destination port.
WINDOW=5840 RES=0x00 SYN URGP=0 - Window size, Reserved field value, Synchronise flag is set and 'Urgent' flag status.
It's possible to spoof many of the fields to give false or nonsensical values, so the information is not necessarily accurate.
Eats shoots and leaves.
|
|
Sub-interface 301 tends to be used for remote management, so this could be a packet from BT's management platform (hence the private address of the source).
[Further thoughts]
As the Destination port was 161 (which is used for SNMP) and it arrived on the management interface, I'm fairly sure this would be BT originated.
Eats shoots and leaves.
Edited by panda (Wed 28-Mar-12 14:56:13)
|
|
Moradin, I had asbokid in mind but there are also lots of other knowledgeable and clever chaps on this wonderful site.
techguy, indeed it is the Huawei modem HG612.
panda, thanks for the detailed reply. I hope it was BT, I wonder what they were up to, everything is as normal and stable atm fingers crossed.
Anyway, thanks all.
|
|
Just noticed this entry in the Huawei log, anything to worry about?
2012-3-13 16:18:6 Alert 10400 Intrusion -> IN=ptm1.301 OUT= MAC=bc:76:70:ae:d1:c7:00:14:f6:68:68:78:08:00:45:00:00:34 SRC=10.160.168.136 DST=30.117.147.202 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=60811 DF PROTO=TCP SPT=51043 DPT=161 WINDOW=5840 RES=0x00 SYN URGP=0
I realise this is from a few months ago but have you performed a whois (or the equivalent in BillyGatesWare) on the destination IP address logged?
OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
RegDate:
Updated: 2011-08-17
Ref: http://whois.arin.net/rest/org/DNIC
Eh ? . . . Uncle Sam's Department of Defence ??
Here is a link to an interesting blog [1]. Perhaps someone with a GEA service might like to investigate further?
[1] http://ukinfinity.wordpress.com/2012/06/05/welcome/
100% Linux and, previously, Unix.
|
|
Eh ? . . . Uncle Sam's Department of Defence ??
Guess - Some US Govt time server - wonder why DPT (Destination Port) is 161 (snmp) too !
James be* pro (16.8 / 1.2 sync) - BQM - FTTC cab installed 18-jun-2012 - not yet active - est 44.6 / 6.5
Edited by jchamier (Wed 18-Jul-12 23:11:23)
|
|
wonder why DPT (Destination Port) is 161 (snmp) too !
The Huawei modem has a daemon called BTAgent listening on port 161.
_____________________________________________________________________________________________ this is not usenet __________________
|
|
wonder why DPT (Destination Port) is 161 (snmp) too ! The Huawei modem has a daemon called BTAgent listening on port 161.
That'll do it
James be* pro (16.8 / 1.2 sync) - BQM - FTTC cab installed 18-jun-2012 - not yet active - est 44.6 / 6.5
|
|
I had yes which is what made me post, as techguy points out though it's in a private range so nothing to worry about.
Still a bit miffed why it's flagged as an "alert" and "Intrusion", but it's disabled now so doesn't really matter.
Thanks for the link, it confirms private range and has some other interesting info that I don't quite understand. What exactly has he achieved in this post?
|
|
Thanks for the link, it confirms private range and has some other interesting info that I don't quite understand. What exactly has he achieved in this post?
Hi Croftie,
I am not absolutely sure and feel it is not sensible to speculate (especially on this forum, where things can rapidly go off at a tangent and then spiral out of control with the help of trolls). To gain a clear insight into what he reports, I would need to have access to an Openreach GEA service and then work through each step, carefully analysing the results that I obtain.
100% Linux and, previously, Unix.
|
|
Hey, if you don't know, you don't know.
|
|
100% Linux and, previously, Unix.
|