Router Access & Security - Netgear N600

palmerg

Distinguished
Jan 27, 2005
403
0
18,780
Hello,

Recently been getting router logs filled with:

[LAN access from remote] from <foreign address:non-std port> to <192.168..:2876> date

After doing some digging I found my router (Netgear WNDR3400 v1 - latest firmware) had UPnP enabled by default. Figuring that may be an issue I disabled it and that seemed to help. Now I am getting a steady but decreasing stream of:

[Service blocked: ICMP_echo_req] from source 67.16.146.26, Thursday, Jul 26,2012 03:21:34 - and others ( the amount of messages is decreasing since I disabled UPnP)

However there is one pesky message I still get and it worries me a little. It is:

[LAN access from remote] from 8.7.94.65:35363 to 192.168.n.n:5001 Thursday, Jul 26,2012 03:27:49

Facts that may be related to this log entry:
1 - I live in Italy (Torino) and use a SlingBox (SB) back at my home in FL.
2 - The SB uses TCP ports 5000/5001 to service requests for streaming video to me
3 - I have Port Forwarding set for that service request and it is associated with those TCP Ports
4 - I do have Remote Management set on the router - Strong PW protected and only from my Italian WAN IP.
5 - 192.168.n.n in the log entry above is the IP of the SB on my LAN
6 - The IP "8.7.94.65" resolves to a company called Level 3 Communications in Broomfield CO. I have sent a message to the misuse email but no response yet. This may be spoofed anyway.

My feeling is that this one access request is getting through the disabled UPnP service because I still have requests to TCP port 5001 enabled and sent to the SB. There seem to be a couple of old Trojans (Back Door Setup and "a French name") that used to exploit that port on Win 95/98 boxes. I think the SB runs a variation of Linux although I cannot be certain, but if it is then these old exploits won't work, right? Maybe there is another threat I am just not aware of? I have asked on the SB forums if it is possible to reassign the service port used for the SB service. No answer yet.

So, should I be worried? All the old messages that were removed due to UPnP being on were using a port that I read was sometimes related to BitTorrent clients. I do have relatives living at the house in FL and maybe they were using the torrent but I never asked. Now because UPnP is off that may not work anyway.

Is there anything I am missing? Is there a way that I can block that IP? Is this a viable threat that would cause you concern?
Any of your inputs are greatly appreciated.

Thanks,
Gary
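One way to triage log lines like the ones quoted above, as an added example that is not part of the original post: a small Python script that parses the two Netgear message formats shown in the thread and sorts each "[LAN access from remote]" entry into access to an intentionally forwarded port from a trusted source, access to a forwarded port from anyone else, or a hit on a LAN host/port with no forwarding rule at all. The Slingbox LAN address (192.168.1.50), the trusted WAN address (203.0.113.7, a documentation-range stand-in for the poster's own IP, which the thread does not give) and the sample log lines are all constructed for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the Netgear WNDR3400 log format quoted in the thread.
# 192.168.1.50 stands in for the Slingbox (the post masks it as 192.168.n.n);
# 203.0.113.7 stands in for the owner's own WAN IP, which is not on the page.
SAMPLE_LOG = """\
[LAN access from remote] from 8.7.94.65:35363 to 192.168.1.50:5001 Thursday, Jul 26,2012 03:27:49
[LAN access from remote] from 203.0.113.7:51234 to 192.168.1.50:5001 Thursday, Jul 26,2012 03:30:02
[Service blocked: ICMP_echo_req] from source 67.16.146.26, Thursday, Jul 26,2012 03:21:34
[LAN access from remote] from 8.7.94.65:35364 to 192.168.1.50:5001 Friday, Jul 27,2012 00:30:11
[LAN access from remote] from 198.51.100.9:40000 to 192.168.1.50:2876 Friday, Jul 27,2012 00:31:40
"""

# The two message shapes seen in the thread.
LAN_ACCESS = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) (?P<when>.+)$"
)
BLOCKED = re.compile(
    r"^\[Service blocked: (?P<service>[^\]]+)\] from source (?P<src>[\d.]+), (?P<when>.+)$"
)


def parse_line(line):
    """Return a dict describing one log line, or None if the format is unknown."""
    m = LAN_ACCESS.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "lan_access"
        entry["sport"] = int(entry["sport"])
        entry["dport"] = int(entry["dport"])
        return entry
    m = BLOCKED.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "blocked"
        return entry
    return None


def classify(entry, forwarded, trusted_sources):
    """
    forwarded:       {(lan_ip, port): description} of the port-forward rules you set on purpose
    trusted_sources: list of ip_network objects allowed to reach those forwarded ports
    Returns 'blocked', 'expected', 'forwarded_untrusted' or 'unexpected'.
    """
    if entry["kind"] == "blocked":
        return "blocked"  # the router already dropped it; count it, nothing reached the LAN
    src = ip_address(entry["src"])
    if (entry["dst"], entry["dport"]) not in forwarded:
        return "unexpected"  # reached a LAN host/port with no forwarding rule (e.g. a UPnP leftover)
    if any(src in net for net in trusted_sources):
        return "expected"  # your own client reaching the service you exposed
    return "forwarded_untrusted"  # the exposed port works as designed, but for someone else


def summarize(log_text, forwarded, trusted_sources):
    """Count each class and record the source IPs behind every non-expected class."""
    counts = Counter()
    sources = {}
    for raw in log_text.splitlines():
        entry = parse_line(raw.strip())
        if entry is None:
            counts["unparsed"] += 1
            continue
        label = classify(entry, forwarded, trusted_sources)
        counts[label] += 1
        if label != "expected":
            sources.setdefault(label, Counter())[entry["src"]] += 1
    return counts, sources


# Constructed rule set: the Slingbox forward on TCP 5000/5001, reachable from the owner's WAN IP.
FORWARDED = {("192.168.1.50", 5000): "Slingbox", ("192.168.1.50", 5001): "Slingbox"}
TRUSTED = [ip_network("203.0.113.7/32")]

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG, FORWARDED, TRUSTED)
    for label, n in sorted(counts.items()):
        print(f"{label}: {n}")
    for label, per_ip in sources.items():
        for ip, n in per_ip.most_common():
            print(f"  {label}: {ip} x{n}")
```

Run daily over the exported router log, the "forwarded_untrusted" bucket is the one that matters for a forwarded service port: a port-forward rule admits any Internet source, so repeat connections from one unknown address to that port are exactly the pattern worth checking the Slingbox itself for, while the "unexpected" bucket should go to zero once UPnP mappings are gone.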
 

palmerg

Well I finally got a reply from the owner of the domain for the IP that seems to be successfully hitting the Slingbox. They basically said they would investigate.

I am still getting the log event every day although now the time of the "attack" has shifted from 0300 to 0030.

My SlingBox service does not seem to have been compromised although I do seem to get more pixelization but it's probably my imagination. If I was home where the SB resides I could do a deeper analysis with Wireshark and such but I am not so I can't.

Looks like no one here has any insight to offer but thanks for all the views. It's a pretty esoteric issue I know but it is troublesome to me when someone can get onto my home net because a well known service port cannot be reassigned. Maybe I am sweating the small stuff here but these days with the sophistication of attacks I don't think you can be too careful.

So, I will leave this "unanswered" for a little while longer and then close it out or delete it.

"So long and thanks for all the fish"

Ciao