Router problem: LAN access from remote

luismendez

Distinguished
Mar 1, 2010
3
0
18,510
Hi everyone

I am concerned with the following problem that I discovered in my log. I'm not sure if this is some kind of trojan attacking my computer or someone hacking into it.

This is what it says:

[LAN access from remote] from 88.134.49.80:63595 to 192.168.1.5:19623, Monday, March 01,2010 05:46:44
[LAN access from remote] from 93.103.233.187:57267 to 192.168.1.67:19625, Monday, March 01,2010 05:46:38
[LAN access from remote] from 174.7.59.211:3418 to 192.168.1.67:19625, Monday, March 01,2010 05:46:33
[LAN access from remote] from 89.143.165.185:2182 to 192.168.1.67:19625, Monday, March 01,2010 05:46:29
[LAN access from remote] from 76.228.40.111:2844 to 192.168.1.67:19625, Monday, March 01,2010 05:46:23
[UPnP set event: del_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:20
[UPnP set event: add_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:20
[UPnP set event: del_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:20
[UPnP set event: add_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:20
[UPnP set event: del_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:20
[UPnP set event: add_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:19
[LAN access from remote] from 89.212.41.23:6901 to 192.168.1.5:19623, Monday, March 01,2010 05:46:19
[LAN access from remote] from 195.210.243.121:2633 to 192.168.1.5:19623, Monday, March 01,2010 05:46:14
[admin login] from source 192.168.1.67, Monday, March 01,2010 05:46:13
[LAN access from remote] from 89.212.36.103:4212 to 192.168.1.67:19625, Monday, March 01,2010 05:46:09
[LAN access from remote] from 77.38.9.66:24818 to 192.168.1.67:19625, Monday, March 01,2010 05:46:04
[LAN access from remote] from 118.100.39.94:55209 to 192.168.1.5:19623, Monday, March 01,2010 05:45:58
[LAN access from remote] from 89.142.91.147:1236 to 192.168.1.67:19625, Monday, March 01,2010 05:45:56
[LAN access from remote] from 70.31.155.76:3960 to 192.168.1.67:19625, Monday, March 01,2010 05:45:48
[LAN access from remote] from 93.103.233.187:57191 to 192.168.1.67:19625, Monday, March 01,2010 05:45:43
[LAN access from remote] from 195.210.199.147:3930 to 192.168.1.67:19625, Monday, March 01,2010 05:45:40
[LAN access from remote] from 92.37.84.194:60610 to 192.168.1.67:19625, Monday, March 01,2010 05:45:37
[LAN access from remote] from 89.143.165.185:2139 to 192.168.1.67:19625, Monday, March 01,2010 05:45:31
[LAN access from remote] from 96.252.212.39:49333 to 192.168.1.67:19625, Monday, March 01,2010 05:45:24
[LAN access from remote] from 193.111.222.32:32946 to 192.168.1.5:19623, Monday, March 01,2010 05:45:20
[LAN access from remote] from 89.142.199.198:2126 to 192.168.1.67:19625, Monday, March 01,2010 05:45:13
[LAN access from remote] from 89.142.144.35:11189 to 192.168.1.67:19625, Monday, March 01,2010 05:45:08
[LAN access from remote] from 60.241.26.82:50389 to 192.168.1.67:19625, Monday, March 01,2010 05:45:03
[LAN access from remote] from 85.132.218.141:56609 to 192.168.1.5:19623, Monday, March 01,2010 05:44:58
[LAN access from remote] from 86.61.60.92:60436 to 192.168.1.67:19625, Monday, March 01,2010 05:44:56
[LAN access from remote] from 193.95.219.163:29209 to 192.168.1.67:19625, Monday, March 01,2010 05:44:50
[LAN access from remote] from 24.224.179.87:61443 to 192.168.1.5:19623, Monday, March 01,2010 05:44:44
[LAN access from remote] from 90.157.183.222:2103 to 192.168.1.67:19625, Monday, March 01,2010 05:44:40
[LAN access from remote] from 85.201.172.121:46544 to 192.168.1.67:19625, Monday, March 01,2010 05:44:33


Can anyone tell me if this is harmful and how do I fix it? Thanks for your time.
 
[UPnP set event: del_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:20
[UPnP set event: add_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:20
[UPnP set event: del_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:20
[UPnP set event: add_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:20
[UPnP set event: del_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:20
[UPnP set event: add_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:19

The above entries indicate that some device w/ IP address 192.168.1.67 is using UPnP (Universal Plug N Play) to open/close ports on the firewall. That could be completely legitimate (e.g., your PC or an XBOX is using an online game, perhaps torrents) or malware using UPnP for its own evil intent. It’s impossible to say which since I don't know anything about the device @ 192.168.1.67.

That’s why UPnP is considered a bit of a security risk. It’s wonderfully convenient when used by your applications for legitimate purposes, but if malware finds its way into your system, it too can manipulate the router’s firewall.

All but a couple of the other lines are remote access back to that same 192.168.1.67 (4-5 are to 192.168.1.5). So you have to identify these machines and determine if it makes sense. What are these machines, and does it make sense that they would need to open ports and have traffic coming inbound that you didn’t request (i.e., unsolicited) at that time? If you’re unsure, then disable UPnP on the router (which might not be a bad idea anyway) and see what breaks (if anything). IOW, add the security of having UPnP disabled until you can determine if there’s a legitimate reason it needs to be enabled.

As always, it doesn’t hurt to run your malware scans to see if something has found its way in.
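As an added illustration (not code from the thread or from any router vendor), here is a small Python script that parses a few of the router log entries quoted above and answers the questions the reply raises: which LAN hosts are being reached from outside, on which ports, how many distinct remote sources hit them, and which hosts opened those ports themselves via UPnP (or logged in to the router admin page). The sample lines are a constructed subset of the posted log; the message formats and the timestamp layout are taken from those entries.

```python
"""Summarise a consumer-router log: which LAN hosts receive unsolicited inbound
connections, and which of them opened the door themselves via UPnP.
Added example for this thread, not the router's own tooling."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: a handful of the entries quoted in the thread.
SAMPLE_LOG = """\
[LAN access from remote] from 88.134.49.80:63595 to 192.168.1.5:19623, Monday, March 01,2010 05:46:44
[LAN access from remote] from 93.103.233.187:57267 to 192.168.1.67:19625, Monday, March 01,2010 05:46:38
[UPnP set event: add_nat_rule] from source 192.168.1.67 Monday, March 01,2010 05:46:19
[LAN access from remote] from 89.212.41.23:6901 to 192.168.1.5:19623, Monday, March 01,2010 05:46:19
[admin login] from source 192.168.1.67, Monday, March 01,2010 05:46:13
[LAN access from remote] from 89.212.36.103:4212 to 192.168.1.67:19625, Monday, March 01,2010 05:46:09
[LAN access from remote] from 93.103.233.187:57191 to 192.168.1.67:19625, Monday, March 01,2010 05:45:43
"""

LAN_RE = re.compile(r"^\[LAN access from remote\] from (\S+):(\d+) to (\S+):(\d+), (.+)$")
UPNP_RE = re.compile(r"^\[UPnP set event: (\w+)\] from source (\S+) (.+)$")
ADMIN_RE = re.compile(r"^\[admin login\] from source (\S+), (.+)$")
TS_FMT = "%A, %B %d,%Y %H:%M:%S"  # e.g. "Monday, March 01,2010 05:46:44"


def parse_log(text):
    """Turn raw log lines into event dicts; lines in unknown formats are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := LAN_RE.match(line):
            events.append({"kind": "inbound", "src": m[1], "src_port": int(m[2]),
                           "dst": m[3], "dst_port": int(m[4]),
                           "ts": datetime.strptime(m[5], TS_FMT)})
        elif m := UPNP_RE.match(line):
            events.append({"kind": "upnp", "action": m[1], "host": m[2],
                           "ts": datetime.strptime(m[3], TS_FMT)})
        elif m := ADMIN_RE.match(line):
            events.append({"kind": "admin", "host": m[1],
                           "ts": datetime.strptime(m[2], TS_FMT)})
    return events


def inbound_by_target(events):
    """Map (LAN ip, port) -> set of distinct remote source IPs that reached it."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "inbound":
            targets[(e["dst"], e["dst_port"])].add(e["src"])
    return dict(targets)


def upnp_hosts(events):
    """LAN hosts that added a NAT rule (i.e. opened a port) through UPnP."""
    return {e["host"] for e in events
            if e["kind"] == "upnp" and e["action"] == "add_nat_rule"}


def admin_login_hosts(events):
    """LAN hosts that logged in to the router's admin interface."""
    return {e["host"] for e in events if e["kind"] == "admin"}


def hosts_to_investigate(events):
    """Hosts that both opened ports via UPnP and then received remote traffic.
    That pattern fits a game or torrent client, but also malware punching its
    own hole in the firewall; either way the device itself needs a look."""
    opened = upnp_hosts(events)
    hit = {dst for (dst, _port) in inbound_by_target(events)}
    return opened & hit


def report(text):
    """Human-readable summary lines for the whole log."""
    events = parse_log(text)
    lines = []
    for (dst, port), sources in sorted(inbound_by_target(events).items()):
        lines.append(f"{dst}:{port} reached by {len(sources)} distinct remote IPs")
    for host in sorted(upnp_hosts(events)):
        lines.append(f"{host} opened ports via UPnP")
    for host in sorted(admin_login_hosts(events)):
        lines.append(f"{host} logged in to the router admin interface")
    for host in sorted(hosts_to_investigate(events)):
        lines.append(f"INVESTIGATE {host}: self-opened ports and inbound hits")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a full export of the router log (paste the text into SAMPLE_LOG or read it from a file) and the last lines of the report tell you which devices to walk over to and check, which is exactly the identification step the reply asks for.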



 

luismendez

Distinguished
Mar 1, 2010
3
0
18,510
I've disabled UPnP, I don't get the warning anymore, or whatever I should call it.

What bothers me further is that the IPs below are being assigned to MAC addresses - I don't know much about routers and such but I think these are unique codes that every PC has? So does this mean someone is accessing my router or something? There are only 3 people on this router (me, and my two roommates) and nobody from our apartment has the MAC address xxxxxxxx:b5 which is weird.


[DHCP IP: 192.168.1.53] to MAC address 00:25:b3:51:f2:b5, Tuesday, March 02,2010 15:36:54
[DHCP IP: 192.168.1.85] to MAC address 00:25:56:9d:39:d2, Tuesday, March 02,2010 15:36:53
[DoS Attack: ACK Scan] from source: 72.14.221.100, port 80, Tuesday, March 02,2010 15:22:22
[DHCP IP: 192.168.1.84] to MAC address 00:25:56:9d:39:d2, Tuesday, March 02,2010 13:36:26
[DoS Attack: ACK Scan] from source: 93.151.225.136, port 49703, Tuesday, March 02,2010 12:30:06
[DHCP IP: 192.168.1.83] to MAC address 00:25:56:9d:39:d2, Tuesday, March 02,2010 11:36:02
[DHCP IP: 192.168.1.82] to MAC address 00:25:56:9d:39:d2, Tuesday, March 02,2010 10:33:56
[DHCP IP: 192.168.1.3] to MAC address 00:1b:fc:c2:95:c5, Tuesday, March 02,2010 07:21:43


Your thoughts?


Thanks for helping,

d
 
Let’s start fresh and make sure there’s no chance anything has been done to the router by someone who may have gained access to it without your knowledge.

1. Disconnect the router from the modem by removing the Internet cable between them. There should be only one PC connected on the LAN side, yours, and only by wire.

2. Hold the reset button on your router for 30 secs (while powered on, of course) and release. This will reset the router to factory defaults. Give it a couple minutes to reboot.

3. Immediately log in to the router’s administrative interface and change the username/password. Use something unlikely to be guessed. Ideally only you (or whoever is responsible) should be allowed to make changes.

4. Go to the wireless security section and specify WPA2 (or at least WPA) w/ a high quality key/password. It should be long, random, and use a larger character set ( see http://grc.com/password ). Nothing says you have to use the full length examples at that website, but use at least 14 chars. Keep a copy of that key/password stashed away on a file (on a USB flash drive is ideal).

5. Verify that UPnP is disabled.

6. Reconnect the router to the modem.

7. Reconnect your authorized wireless clients using the new network key.

8. OPTIONAL: Once all the permitted wired and wireless clients are connected, you could enable MAC filtering as a sort of secondary level of protection. Strictly speaking this shouldn’t be necessary, esp. if you have wireless security enabled using a high quality key/password. But even so, you can use it as sort of a whitelist where nothing is permitted, wired or wireless, unless you’ve specifically identified it and added it to MAC filtering. Again, this is a bit of overkill and maybe not worth doing if you’ve done everything else previously, but at least you’ll gain a little more control over who has access. Of course, make sure your PC’s MAC address is the first to be added so you don’t lock yourself out!

Now monitor the log and see what happens. If ppl complain about the lack of access from this or that device (maybe an XBOX or handheld device), deal w/ them individually and give them the network key (if applicable) and add them to the MAC filter.

If after a while things appear to return to normal (no strange devices appearing) and you find MAC filtering to be more of an annoyance (as I and many ppl do), then you could just disable it.

All we’re trying to do here is start w/ a clean slate, make sure everything is as safe as we can make it, and regain control.
 

luismendez

Distinguished
Mar 1, 2010
3
0
18,510
Thank you man, I will monitor the log through the night and see what happens. I've made a complete protection just like you described it, including number 8 - you can never be too sure :).

I'll get back to you to let you know what happens.


Thanks again,

d
 


lesley_62

Honorable
Nov 23, 2012
3
0
10,510
I have my PC upstairs but my Vision box downstairs, so I use two electrical wireless adapters joined to my hub via ethernet to take the signal downstairs. Each of the electric wireless mini adapters has the address 192.168.1.67, and the other is the same but with 68 at the end. The Vision itself has a different address. Because part of it is used wirelessly, the firewall rules change in the router/hub. I'm not sure if it is used via UPnP, which is why the firewall changes. Not a PC boff, but I have studied inside the hub/router and so know factually that the address above, 192.168.1.67, is linked to one of my mini adapters for my Vision box. Hope it helps.
 

lesley_62

Honorable
Nov 23, 2012
3
0
10,510
If you don't have, I'm not sure if it's able to pick up a neighbour's signal if they have any of the above electrical wireless adapters. Maybe depending on your living status, i.e. all in the same hse but renting rooms, so thus the same electrical circuits, hence why your hub could be picking up someone else's signal if in close proximity? Have no clue otherwise, sorry! <<3
 

sec_engineer

Honorable
May 23, 2013
1
0
10,510
The [LAN Access from remote] message occurs when a system from the WAN Side of the Router (out in the global Internet space) contacts a system that you have exposed to the Internet via the Port Forwarding/Port Triggering setting in the router. It's telling you that contact was made and the connection request (most likely TCP) was passed back to that system for action - hence "LAN Access from Remote". You need to look at the system on your LAN that was contacted and the log files on that system to see if a connection was actually completed. When you set up the Port Forwarding/Port Triggering you can select a predefined service like FTP, HTTP, Telnet, etc... or you can define your own custom range for your application.

In my situation, I had a Raspberry Pi running SSH as the only service that I had enabled in this manner (for port 22 in this case rather than a range of ports). Within 5 hours of enabling Internet access it was scanned and attacked. Logins were unsuccessful (verified via the lastlog -u <userid> command) as I had locked down the port and removed all banners that gave any clue as to what this device was - and the root account was disabled from network logins (console access only to root) ... But the fact was that the presence of this system was discovered pretty quickly and port 22 was an inviting target.

Personally, I highly recommend that if you use this feature, disable Remote Management and UPnP capabilities and make sure you have a strong admin password set. Also, only expose the specific ports you need to access and block everything else on the exposed system.

Kudos !!! on monitoring your logs - too many people install these devices right out of the box and never realize they are being scanned and attacked on a regular basis.

Applies to WNDR3400 V1 in my case.
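To follow the advice above about checking the exposed system's own logs rather than only the router's, here is an added Python example (not code from the post or from any project) that summarises sshd lines in the syslog format found in /var/log/auth.log on a Debian-based Raspberry Pi: failed attempts per source, which usernames were guessed, which sources look like brute force, and, the finding that matters most, whether any login was actually accepted from outside the LAN. The sample lines, hostnames and addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges), and the RFC 1918 ranges are listed explicitly rather than relying on the ipaddress module's is_private, whose definition has changed between Python versions.

```python
"""Host-side check for an exposed SSH server: did any of the inbound attempts
the router logged actually complete a login? Added example, not from the thread."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  1 05:44:33 pi sshd[2031]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  1 05:44:35 pi sshd[2031]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  1 05:44:39 pi sshd[2033]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  1 05:45:02 pi sshd[2040]: Failed password for pi from 198.51.100.7 port 40022 ssh2
Mar  1 06:10:11 pi sshd[2055]: Accepted publickey for pi from 192.168.1.5 port 50210 ssh2
Mar  1 06:30:45 pi sshd[2061]: Accepted password for pi from 198.51.100.7 port 40100 ssh2
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")

# RFC 1918 ranges listed explicitly so the LAN check does not depend on how a
# given Python version defines ipaddress' is_private.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sshd(text):
    """Extract result/method/user/source/port from sshd auth lines; others are skipped."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            events.append({"result": m[1], "method": m[2], "user": m[3],
                           "src": m[4], "port": int(m[5])})
    return events


def is_lan(ip):
    """True if the address is inside one of the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def failures_by_source(events):
    """How many failed attempts each source address made."""
    return dict(Counter(e["src"] for e in events if e["result"] == "Failed"))


def brute_force_sources(events, threshold=3):
    """Sources at or above the failure threshold, sorted for stable output."""
    return sorted(src for src, n in failures_by_source(events).items() if n >= threshold)


def users_tried(events):
    """Usernames that were guessed; 'admin' and 'root' are the usual ones."""
    return sorted({e["user"] for e in events if e["result"] == "Failed"})


def accepted_from_outside(events):
    """Completed logins from non-RFC1918 addresses: the thing to act on."""
    return [(e["src"], e["user"], e["method"]) for e in events
            if e["result"] == "Accepted" and not is_lan(e["src"])]


def report(text):
    """Human-readable summary of the auth log."""
    events = parse_sshd(text)
    lines = [f"{src}: {n} failed attempt(s)"
             for src, n in sorted(failures_by_source(events).items())]
    lines.append("usernames tried: " + ", ".join(users_tried(events)))
    for src in brute_force_sources(events):
        lines.append(f"likely brute force from {src}")
    for src, user, method in accepted_from_outside(events):
        lines.append(f"ALERT: login accepted for {user} from {src} via {method}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUTH_LOG)))
```

Read the real file with `open("/var/log/auth.log").read()` in place of the sample. The router's "LAN access from remote" line only says a packet was forwarded; an "Accepted" line from a non-LAN source on the host is the evidence that a connection was completed, and on the constructed sample that is the password login from 198.51.100.7, which is why the post recommends key-only access with banners removed and root locked out of network logins.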