Dumbass knows nothing.
May 28, 2006 3:59 PM

Help this ignoramus understand his netgear admin log.

I can understand most of what's going on in the log. But then there's this jargon in the middle that I don't understand. Who are RIPE? Who are APNIC? Who's Len? Why is he 470? What are they doing in my netgear's log?


03:40:12 [DOS]IN=ppp0 OUT= MAC= SRC=221.208.208.104 DST=**.**.**.*** LEN=490 TOS=0x00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=32976 DPT=1027 LEN=470

05:42:52 [DOS]IN=ppp0 OUT= MAC= SRC=221.208.208.104 DST=**.**.**.*** LEN=490 TOS=0x00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=32988 DPT=1027 LEN=470

07:03:46 [DOS]IN=ppp0 OUT= MAC= SRC=61.180.228.244 DST=**.**.**.*** LEN=485 TOS=0x00 PREC=0x00 TTL=42 ID=0 DF PROTO=UDP SPT=38005 DPT=1027 LEN=465

08:25:14 [DOS]IN=ppp0 OUT= MAC= SRC=221.208.208.104 DST=**.**.**.*** LEN=490 TOS=0x00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=32988 DPT=1027 LEN=470

09:05:21 [DOS]IN=ppp0 OUT= MAC= SRC=221.208.208.104 DST=**.**.**.*** LEN=490 TOS=0x00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=32988 DPT=1027 LEN=470

11:07:32 [DOS]IN=ppp0 OUT= MAC= SRC=221.208.208.104 DST=**.**.**.*** LEN=490 TOS=0x00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=32990 DPT=1027 LEN=470

11:10:54 [DOS]IN=ppp0 OUT= MAC= SRC=62.56.99.198 DST=**.**.**.*** LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=8041 DF PROTO=TCP SPT=1141 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0

11:10:57 [DOS]IN=ppp0 OUT= MAC= SRC=62.56.99.198 DST=**.**.**.*** LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=8354 DF PROTO=TCP SPT=1135 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0

11:10:57 [DOS]IN=ppp0 OUT= MAC= SRC=62.56.99.198 DST=**.**.**.*** LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=8355 DF PROTO=TCP SPT=1136 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0

11:10:57 [DOS]IN=ppp0 OUT= MAC= SRC=62.56.99.198 DST=**.**.**.*** LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=8356 DF PROTO=TCP SPT=1138 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0

11:10:57 [DOS]IN=ppp0 OUT= MAC= SRC=62.56.99.198 DST=**.**.**.*** LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=8357 DF PROTO=TCP

Finally, am I such an ignoramus that I've posted anything that could compromise my computer's security?
posted by popcassady to Computers & Internet (9 answers total)
 
RIPE, APNIC, ARIN, LACNIC, JAPNIC, AFRINIC

RIPE is the regional internet registry for Europe, based in Amsterdam. APNIC is the regional internet registry for Asia Pacific, based in Australia.

ARIN is North America, LACNIC is Latin America, JAPNIC is Japan, AFRINIC is Africa.

They're the folks who are responsible for deciding who gets to use particular blocks of IPs, so as to make sure there are no duplicates anywhere in the world.
posted by Steven C. Den Beste at 4:08 PM on May 28, 2006


APNIC and RIPE assign IP addresses in the Asia-Pacific and Europe, respectively.

LEN doesn't make a whole lot of sense to me. best guess is that it's the length of the packet.

from the looks of the ports they were trying to connect to (DPT) someone was either trying to browse the network (are you on a cable modem? those 62.56 IPs are originating from Demon Internet in London) or looking for a hole somewhere. specifically, port
posted by mrg at 4:12 PM on May 28, 2006


Response by poster: I'm not on cable, I'm on broadband. Demon is my ISP.

mrg: Do you mean someone's trying to connect to my home network?
posted by popcassady at 4:19 PM on May 28, 2006


pop, cable is broadband. Anything faster than a 56K modem is broadband, essentially. So, for consumers this is typically DSL or cable.
posted by Dunwitty at 4:22 PM on May 28, 2006


what kind of broadband do you have? (I brought up cable because those kinds of scans are a bit infamous on cable networks - on most cable internet systems, you're pretty much on a LAN with everyone else in the general area, so if you're hooked straight into the modem and you've turned on file sharing, your neighbors may be able to get into your computer.)

yes, that's pretty much what's going on I think. doubtful it's malicious, though - probably someone just opening up My Network Places and browsing through there. since you're behind a router, they won't actually be able to get to anything, unless your router's borked.
posted by mrg at 4:24 PM on May 28, 2006


Response by poster: Sorry, showing my ignorance; my broadband is ADSL.

I access my router via wi-fi... could that help explain the log?
posted by popcassady at 4:30 PM on May 28, 2006


Two of those IPs are in China, and they're probably looking for open proxies and/or worm-infected PCs. Broadband zombies are much prized by spammers, scammers and internet bad guys in general.
posted by Steven C. Den Beste at 4:30 PM on May 28, 2006


nope; your router'll give you an IP on a private network (usually 192.168.x.x). also, the IN is marked as ppp0, which would be your DSL box. (if it were coming from the internal network, it'd probably look more like eth0 or so.)
posted by mrg at 4:34 PM on May 28, 2006


Best answer: The main things of interest in a log like this are usually the source IP, which may or may not tell you where these things are coming from, and the destination port, which might give you a hint about what they hope to find at your end.

You're seeing two different kinds of transmissions here:

In the first they're trying to make connections to port 1027 (DPT=1027); this is a port that the Windows messaging service (not the same as MSN Messenger) used to run on.
It's basically a direct form of spam: if you were running an unpatched version of Windows XP and had it connected directly to the internet then you would receive a Windows dialog box advertising some website on your screen. For this kind of spam the source IP could easily be spoofed.

The second kind is a connection to port 445 (DPT=445). This is a port used by Windows file sharing. If you had your system directly connected to the internet and you had file shares then they would be able to access them. The source IPs here have to be genuine, but they probably belong to systems infected by a worm which is trying to spread.

Executive summary: You're seeing spam and what is likely to be some form of worm. In both cases you are safe as your system is connected through the netgear router which will just drop the stuff they send you and log it.
posted by Olli at 4:58 PM on May 28, 2006
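To make Olli's answer concrete, here is a small parser for the Netgear log format quoted in the question. It is an added example, not code from the thread or from Netgear: it splits each line into its KEY=VAL fields and bare flag tokens (DF, SYN), explains the two LEN values (the first is the IP total length, the second the UDP length, header plus payload, which is why it is 20 bytes smaller), and labels each dropped packet by destination port using the two meanings given in the thread (1027 for Messenger-service pop-up spam, 445 for Windows file-sharing probes). The sample lines are constructed from the log in the question, and the port table, function names and the handling of the truncated last line are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample input: five lines in the format of the Netgear [DOS] log
# quoted in the thread (the masked DST=**.**.**.*** is kept as posted).
SAMPLE_LOG = """\
03:40:12 [DOS]IN=ppp0 OUT= MAC= SRC=221.208.208.104 DST=**.**.**.*** LEN=490 TOS=0x00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=32976 DPT=1027 LEN=470
07:03:46 [DOS]IN=ppp0 OUT= MAC= SRC=61.180.228.244 DST=**.**.**.*** LEN=485 TOS=0x00 PREC=0x00 TTL=42 ID=0 DF PROTO=UDP SPT=38005 DPT=1027 LEN=465
11:10:54 [DOS]IN=ppp0 OUT= MAC= SRC=62.56.99.198 DST=**.**.**.*** LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=8041 DF PROTO=TCP SPT=1141 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
11:10:57 [DOS]IN=ppp0 OUT= MAC= SRC=62.56.99.198 DST=**.**.**.*** LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=8354 DF PROTO=TCP SPT=1135 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
11:10:57 [DOS]IN=ppp0 OUT= MAC= SRC=62.56.99.198 DST=**.**.**.*** LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=8357 DF PROTO=TCP
"""

# Port meanings as given in the thread's answers (this table is the example's own).
PORT_NOTES = {
    1027: "Messenger-service pop-up spam (UDP; source IP may be spoofed)",
    445: "SMB/Windows file sharing probe (TCP SYN; likely worm scanning)",
}

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}) \[(?P<tag>[A-Z]+)\](?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict of KEY=VAL fields plus bare flag tokens.

    The first LEN is the IP total length; for UDP a second LEN follows that is
    the UDP length (8-byte header + payload), so it is 20 bytes (IP header) less.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": m.group("time"), "tag": m.group("tag"), "flags": []}
    len_count = 0
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            if key == "LEN":
                key = "ip_len" if len_count == 0 else "l4_len"
                len_count += 1
            rec[key] = val
        else:
            rec["flags"].append(tok)  # DF, SYN, ACK ... carry no '='
    return rec


def explain_lengths(rec):
    """Derive header and payload sizes from the two LEN fields of a UDP record."""
    if rec.get("PROTO") != "UDP" or "l4_len" not in rec:
        return None
    ip_len, udp_len = int(rec["ip_len"]), int(rec["l4_len"])
    return {
        "ip_total": ip_len,
        "ip_header": ip_len - udp_len,  # 20 bytes when the IP header has no options
        "udp_payload": udp_len - 8,     # UDP header is always 8 bytes
    }


def classify(rec):
    """Label a record by destination port, using the notes from the thread."""
    dpt = rec.get("DPT")
    if not dpt:
        # The last line in the question is cut off before SPT/DPT; flag it
        # rather than guessing what it was.
        return "incomplete record (no DPT; line truncated?)"
    return PORT_NOTES.get(int(dpt), "other port %s/%s" % (dpt, rec.get("PROTO")))


def summarize(log_text):
    """Count dropped packets per source address and per traffic class."""
    by_source, by_class = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_source[rec.get("SRC", "?")] += 1
        by_class[classify(rec)] += 1
    return {"by_source": dict(by_source), "by_class": dict(by_class)}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, n in summary["by_source"].items():
        print("%-16s %d packet(s) dropped" % (src, n))
    for cls, n in summary["by_class"].items():
        print("%3d  %s" % (n, cls))
```

Running it against the sample groups the five lines into three source addresses and two traffic classes plus the one truncated record; for the first UDP line it reports a 490-byte IP packet with a 20-byte IP header and 462 bytes of UDP payload. As Olli says, all of these entries are packets the router has already dropped; the parser only helps you see at a glance which ports are being probed and how often.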

