Hello,
Recently been getting router logs filled with:
[LAN access from remote] from <foreign address:non-std port> to <192.168..:2876> date
After doing some digging I found my router (Netgear WNDR3400 v1 - latest firmware) had UPnP enabled by default. Figuring that may be an issue I disabled it and that seemed to help. Now I am getting a steady but decreasing stream of:
[Service blocked: ICMP_echo_req] from source 67.16.146.26, Thursday, Jul 26,2012 03:21:34 - and others (the amount of messages is decreasing since I disabled UPnP)
However there is one pesky message I still get and it worries me a little. It is:
[LAN access from remote] from 8.7.94.65:35363 to 192.168.n.n:5001 Thursday, Jul 26,2012 03:27:49
Facts that may be related to this log entry:
1 - I live in Italy (Torino) and use a SlingBox (SB) back at my home in FL.
2 - The SB uses TCP ports 5000/5001 to service requests for streaming video to me
3 - I have Port Forwarding set for that service request and it is associated with those TCP Ports
4 - I do have Remote Management set on the router - Strong PW protected and only from my Italian WAN IP.
5 - 192.168.n.n in the log entry above is the IP of the SB on my LAN
6 - The IP "8.7.94.65" resolves to a company called Level 3 Communications in Broomfield CO. I have sent a message to the misuse email but no response yet. This may be spoofed anyway.
My feeling is that this one access request is getting through the disabled UPnP service because I still have requests to TCP port 5001 enabled and sent to the SB. There seem to be a couple of old Trojans (back Door Setup and "a french name") that used to exploit that port on win 95/98 boxes. I think the SB runs a variation of Linux although I can not be certain, but if it is then these old exploits won't work, right? Maybe there is another threat I am just not aware of? I have asked on the SB forums if it is possible to reassign the service port used for the SB service. No answer yet.
So, should I be worried? All the old messages that were removed due to UPnP being on were using a port that I read was related sometimes to bit torrent clients. I do have relatives living at the house in FL and maybe they were using the torrent but I never asked. Now because UPnP is off that may not work anyway.
Is there anything I am missing? Is there a way that I can block that IP? Is this a viable threat that would cause you concern?
Any of your inputs are greatly appreciated.
Thanks,
Gary
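
Added example, not part of the original post: a small Python triage of router log lines in the two formats quoted above, separating inbound connections that hit a manually forwarded port (5000/5001 for the SlingBox) from those that reach any other port, which would indicate a mapping opened some other way, such as UPnP. The LAN addresses 192.168.1.50 and 192.168.1.20 and the 203.0.113.x / 198.51.100.x sources are constructed placeholders, and the function name `triage` is hypothetical.

```python
import re
from collections import Counter

# Ports the owner deliberately forwards (the SlingBox ports named in the post).
FORWARDED_PORTS = {5000, 5001}

LAN_ACCESS = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)"
)
BLOCKED = re.compile(r"\[Service blocked: (?P<svc>\w+)\] from source (?P<src>[\d.]+)")

# Constructed sample lines in the format quoted in the post; addresses other
# than 8.7.94.65 and 67.16.146.26 are placeholders.
SAMPLE_LOG = """\
[LAN access from remote] from 8.7.94.65:35363 to 192.168.1.50:5001 Thursday, Jul 26,2012 03:27:49
[LAN access from remote] from 203.0.113.9:51413 to 192.168.1.20:2876 Thursday, Jul 26,2012 03:25:10
[LAN access from remote] from 198.51.100.7:40022 to 192.168.1.20:2876 Thursday, Jul 26,2012 03:24:02
[Service blocked: ICMP_echo_req] from source 67.16.146.26, Thursday, Jul 26,2012 03:21:34
[LAN access from remote] from 8.7.94.65:35370 to 192.168.1.50:5001 Thursday, Jul 26,2012 03:20:11
"""

def triage(log_text, forwarded_ports=FORWARDED_PORTS):
    """Split log entries into expected forwards, unexpected inbound, and blocked."""
    report = {"forwarded": Counter(), "unexpected": Counter(), "blocked": Counter()}
    for line in log_text.splitlines():
        m = LAN_ACCESS.search(line)
        if m:
            dport = int(m["dport"])
            bucket = "forwarded" if dport in forwarded_ports else "unexpected"
            report[bucket][(m["src"], m["dst"], dport)] += 1
            continue
        m = BLOCKED.search(line)
        if m:
            report["blocked"][(m["src"], m["svc"])] += 1
    return report

if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_LOG).items():
        for key, n in counts.most_common():
            print(f"{bucket:10} {n:3}  {key}")
```

Entries in the "forwarded" bucket are the exposure created by the port-forward rule itself; anything still landing in "unexpected" after UPnP is disabled is worth checking against the router's forwarding, triggering and DMZ settings.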