Just Checked My Router Logs

Last · November 2003

I'm scared. I checked my router settings and saw this on the log:

2003/11/02 15:03:38 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1660 ->> 81.2.137.243:22
2003/11/02 15:03:38 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2453 ->> 81.2.137.243:22
2003/11/02 15:03:38 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3056 ->> 81.2.137.243:22
2003/11/02 15:03:38 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4065 ->> 81.2.137.243:22
2003/11/02 15:03:38 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1927 ->> 81.2.137.243:22
2003/11/02 15:03:39 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3332 ->> 81.2.137.243:22
2003/11/02 15:03:39 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3731 ->> 81.2.137.243:22
2003/11/02 15:03:39 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4542 ->> 81.2.137.243:22
2003/11/02 15:03:39 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1631 ->> 81.2.137.243:22
2003/11/02 15:03:39 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1894 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2893 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3286 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4160 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1920 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2322 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3126 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3929 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4881 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1268 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1869 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3043 ->> 81.2.137.243:22
2003/11/02 15:03:40 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3490 ->> 81.2.137.243:22
2003/11/02 15:03:42 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4289 ->> 81.2.137.243:22
2003/11/02 15:03:42 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1687 ->> 81.2.137.243:22
2003/11/02 15:03:42 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2490 ->> 81.2.137.243:22
2003/11/02 15:03:42 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3490 ->> 81.2.137.243:22
2003/11/02 15:03:42 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4093 ->> 81.2.137.243:22
2003/11/02 15:03:42 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1749 ->> 81.2.137.243:22
2003/11/02 15:03:42 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2296 ->> 81.2.137.243:22
2003/11/02 15:03:43 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3096 ->> 81.2.137.243:22
2003/11/02 15:03:43 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4292 ->> 81.2.137.243:22
2003/11/02 15:03:43 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1056 ->> 81.2.137.243:22
2003/11/02 15:03:43 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1882 ->> 81.2.137.243:22
2003/11/02 15:03:43 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2101 ->> 81.2.137.243:22
2003/11/02 15:03:43 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2952 ->> 81.2.137.243:22
2003/11/02 15:03:43 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3605 ->> 81.2.137.243:22
2003/11/02 15:03:44 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1305 ->> 81.2.137.243:22
2003/11/02 15:03:44 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2601 ->> 81.2.137.243:22
2003/11/02 15:03:45 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4285 ->> 81.2.137.243:22
2003/11/02 15:03:45 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1247 ->> 81.2.137.243:22
2003/11/02 15:03:45 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2477 ->> 81.2.137.243:22
2003/11/02 15:03:46 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3680 ->> 81.2.137.243:22
2003/11/02 15:03:46 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3879 ->> 81.2.137.243:22
2003/11/02 15:03:46 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4652 ->> 81.2.137.243:22
2003/11/02 15:03:46 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1284 ->> 81.2.137.243:22
2003/11/02 15:03:46 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2485 ->> 81.2.137.243:22
2003/11/02 15:03:46 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2884 ->> 81.2.137.243:22
2003/11/02 15:03:46 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3291 ->> 81.2.137.243:22
2003/11/02 15:03:46 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4224 ->> 81.2.137.243:22
2003/11/02 15:03:46 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1089 ->> 81.2.137.243:22
2003/11/02 15:03:47 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2085 ->> 81.2.137.243:22
2003/11/02 15:03:47 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2485 ->> 81.2.137.243:22
2003/11/02 15:03:47 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3007 ->> 81.2.137.243:22
2003/11/02 15:03:47 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3704 ->> 81.2.137.243:22
2003/11/02 15:03:47 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4059 ->> 81.2.137.243:22
2003/11/02 15:03:47 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1066 ->> 81.2.137.243:22
2003/11/02 15:03:47 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1497 ->> 81.2.137.243:22
2003/11/02 15:03:48 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1883 ->> 81.2.137.243:22
2003/11/02 15:03:48 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2778 ->> 81.2.137.243:22
2003/11/02 15:03:48 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2965 ->> 81.2.137.243:22
2003/11/02 15:03:48 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3374 ->> 81.2.137.243:22
2003/11/02 15:03:48 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4070 ->> 81.2.137.243:22
2003/11/02 15:03:48 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1072 ->> 81.2.137.243:22
2003/11/02 15:03:49 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1472 ->> 81.2.137.243:22
2003/11/02 15:03:49 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2395 ->> 81.2.137.243:22
2003/11/02 15:03:49 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3000 ->> 81.2.137.243:22
2003/11/02 15:03:49 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3612 ->> 81.2.137.243:22
2003/11/02 15:03:49 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3987 ->> 81.2.137.243:22
2003/11/02 15:03:50 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4482 ->> 81.2.137.243:22
2003/11/02 15:03:51 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1770 ->> 81.2.137.243:22
2003/11/02 15:03:51 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1876 ->> 81.2.137.243:22
2003/11/02 15:03:51 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2598 ->> 81.2.137.243:22
2003/11/02 15:03:51 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2887 ->> 81.2.137.243:22
2003/11/02 15:03:51 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3231 ->> 81.2.137.243:22
2003/11/02 15:03:52 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3487 ->> 81.2.137.243:22
2003/11/02 15:03:52 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4157 ->> 81.2.137.243:22
2003/11/02 15:03:52 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4618 ->> 81.2.137.243:22
2003/11/02 15:03:52 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1142 ->> 81.2.137.243:22
2003/11/02 15:03:52 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1701 ->> 81.2.137.243:22
2003/11/02 15:03:52 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1941 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2340 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2740 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2945 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3825 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4833 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1551 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1951 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2438 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2953 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3811 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4336 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4775 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1291 ->> 81.2.137.243:22
2003/11/02 15:03:53 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2049 ->> 81.2.137.243:22
2003/11/02 15:03:55 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2510 ->> 81.2.137.243:22
2003/11/02 15:03:55 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3066 ->> 81.2.137.243:22
2003/11/02 15:03:55 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3285 ->> 81.2.137.243:22
2003/11/02 15:03:55 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:3640 ->> 81.2.137.243:22
2003/11/02 15:03:55 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4068 ->> 81.2.137.243:22
2003/11/02 15:03:55 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:4441 ->> 81.2.137.243:22
2003/11/02 15:03:56 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:1460 ->> 81.2.137.243:22
2003/11/02 15:03:56 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2344 ->> 81.2.137.243:22
2003/11/02 15:03:56 ** TCP SYN Flooding ** <IP/TCP> 192.168.254.26:2661 ->> 81.2.137.243:22

Should I be scared? Has my computer been h4xor3d? Ack, someone tell me what this means!

Supra_Soldier · November 2003

Wow, I have no idea. How do you "check" router logs? maybe I should do this to. Do you run a firewall of any kind of anti-virus software?

Marik_Steele · November 2003

You think <i>that's</i> scary? Once my software firewall went nuts giving "serious warning" type messages. The logs said the "attacks" came from an address ending in ".gov". Approx. 1 week after I first mentioned it to a friend, showing a sceenshot via an instant-messaging program, the screenshot .bmp <i>disappeared entirely.</i>

Then I realized it was because I was trying to ping a .gov server with my atomic-clock synchronization software, and the screenshot was most likely deleted by myself during a routine system cleanup.

[edit]Anyway, on to a productive/helpful message: if you know how to do a "traceroute" or can find a website on Google that'll show you a traceroute-type output for a given IP address, you can try to find out where (as in what country or state, possibly even county/province) the flooding came from.

SkulkBait · November 2003

I'm no expert, but it looks as though your system is being used to help DDoS another one. In other words: You->Trojan'd. Sub7 veriants seem to be popular for this sort of thing. Check your logs for IRC connections you know you didn't make. ...Odd, I don't hear much of DDoSs attacking SSH... The address seems to be registered as www.futurebots.de.

Necrotic · November 2003

192.168.254.26 looks like the normal IP for your computer behind a router, 81.2.137.243:22 is the FTP connection for "www.futurebots.de - #futurebots @ Qnet - coming soon!" So have you tried connecting to that FTP at all? The cycling of the port your computer was attempting to use could be your FTP software trying to get past your router but its unlikely that it wouldn't just use the standard port 22 which is normally open. So my second guess would be the same as SkulkBait somebody is using your computer to attempt to be t3h l33tz0r h4x0r

Vulgar_Menace · November 2003

ooh, coming up on 666 there necro!

Infinitum · November 2003

127.0.0.1 for life

That_Annoying_Kid · November 2003

</span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Infinitum @ Nov 16 2003, 01:08 AM)</td></tr><tr><td id='QUOTE'> 127.0.0.1 for life  </td></tr></table><span class='postcolor'> 
yup, no place like 127.0.0.1

it's sad that I know what you mean...

ooh marik, dos can be used to tracert, check out how elite I am...

Last · November 2003

</span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (SkulkBait @ Nov 15 2003, 08:56 PM)</td></tr><tr><td id='QUOTE'> I'm no expert, but it looks as though your system is being used to help DDoS another one. In other words: You->Trojan'd. Sub7 veriants seem to be popular for this sort of thing. Check your logs for IRC connections you know you didn't make. ...Odd, I don't hear much of DDoSs attacking SSH... The address seems to be registered as www.futurebots.de.  </td></tr></table><span class='postcolor'> 
??!!??!! Sorry, in english please! <img src='http://www.unknownworlds.com/forums/html/emoticons/sad.gif' border='0' style='vertical-align:middle' alt='sad.gif'>

Let me get this right. I have a trojan on my computer -- and it's trying to DOS attack futurebots.de. Am I correct?

CForrester · November 2003

DDoS. Distributed Denial of Service. Basically, ping flooding.

SkulkBait · November 2003

</span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Last. @ Nov 16 2003, 10:38 PM)</td></tr><tr><td id='QUOTE'> </span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (SkulkBait @ Nov 15 2003, 08:56 PM)</td></tr><tr><td id='QUOTE'> I'm no expert, but it looks as though your system is being used to help DDoS another one. In other words: You->Trojan'd. Sub7 veriants seem to be popular for this sort of thing. Check your logs for IRC connections you know you didn't make. ...Odd, I don't hear much of DDoSs attacking SSH... The address seems to be registered as www.futurebots.de. </td></tr></table><span class='postcolor'>
??!!??!! Sorry, in english please! <img src='http://www.unknownworlds.com/forums/html/emoticons/sad.gif' border='0' style='vertical-align:middle' alt='sad.gif'>

Let me get this right. I have a trojan on my computer -- and it's trying to DOS attack futurebots.de. Am I correct? </td></tr></table><span class='postcolor'>
Yes, you were infected with a trojan and your computer is now a zombie responding to commands given to it through an IRC channel. At least, thats what I think is happening.

This <a href='http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=10566' target='_blank'>info</a> might help, though if you didn't understand my post it might be over your head. Try using some free virus scanning software (if you don't have any already) to find it.

</span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'> DDoS. Distributed Denial of Service. Basically, ping flooding.</td></tr></table><span class='postcolor'>

Yeah sort of. Its distributed flooding of TCP/SYN packets in this case (you don't have to know what that means, just know that its worse then regular ping flooding).

</span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'>The cycling of the port your computer was attempting to use could be your FTP software trying to get past your router but its unlikely that it wouldn't just use the standard port 22 which is normally open.</td></tr></table><span class='postcolor'>

Standard for port 22 is SSH (Secure SHell). Standard for port 20 is FTP Data, and 21 is FTP. Heres a handy list if you want: <a href='http://www.iana.org/assignments/port-numbers' target='_blank'>List</a>. The cyclling of ports is normal when trying to initiate more than one connection, which in this case the trojan is doing so it can flood faster.

You may want to take a look at www.grc.com. There are articles there dealing with DDoS attacks and Sub7 variants. Theres also a utility to kill Windows Messenger Service (which shouldn't exist inthe first place really) and test your system to see if the DCOM vulnerability was actually fixed by the MS patch. If you don't have a fully patched system, get that done. BTW, I'm assuming you are using WinXP, since its trivial to get raw sockets in XP and thus preform a TCP/SYN flood which is somewhat more dificult otherwise (if you didn't understand any of that, just ignore it).

Just Checked My Router Logs

Comments