Kernel Intrusion

Some ****** in China is causing my Sky Sagem router to report the following:

Mar 1 12:54:53 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=97.81.165.234 DST=90.218.118.181 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=4856 DF PROTO=TCP SPT=4743 DPT=2926 WINDOW=16384 RES=0x00 SYN URGP=0

Mar 1 12:54:56 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=97.81.165.234 DST=90.218.118.181 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=5070 DF PROTO=TCP SPT=4743 DPT=2926 WINDOW=16384 RES=0x00 SYN URGP=0

Mar 1 12:54:59 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=97.81.165.234 DST=90.218.118.181 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=5197 DF PROTO=TCP SPT=4744 DPT=2926 WINDOW=16384 RES=0x00 SYN URGP=0

Mar 1 12:55:02 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=97.81.165.234 DST=90.218.118.181 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=5455 DF PROTO=TCP SPT=4744 DPT=2926 WINDOW=16384 RES=0x00 SYN URGP=0

Mar 1 12:55:08 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=97.81.165.234 DST=90.218.118.181 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=5949 DF PROTO=TCP SPT=4744 DPT=2926 WINDOW=16384 RES=0x00 SYN URGP=0

Mar 1 12:57:00 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=222.208.183.218 DST=90.218.118.181 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0

Mar 1 12:57:31 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=222.208.183.218 DST=90.218.118.181 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0

Mar 1 12:58:03 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=222.208.183.218 DST=90.218.118.181 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=256 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0


What do I do now? Could it be a general fault with my line that's why my broadband is running so badly, or are these idiots causing it by constantly bashing my router?

I'm not the only one to have suffered this; someone on skyuser also reported it...

How do I close any ports?
 
It is just reporting a connection attempt to a port that is already closed...

Don't know what ports 4743, 4733 are off the top of my head. But 8080 and 1080 are ports commonly associated with web proxy servers - and hence you're being tested for public proxies...

The reason it says "zomg ALERT ALERT CODE RED we're being intruded!" everywhere is to, frankly, scare you and to make sure you don't sue the manufacturer for having an "Intrusion Detection" tick box on the side of the shiny box when really it doesn't.
 
You've slightly misread that log - 4743 & 4733 were the source ports, not the destination ports. Still have no idea what port 2926 is.
 
Probably nothing more than some kiddie doing a port scan on an IP range, nothing to worry about :)
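As an added example (not code from the thread or from the router vendor), here is a small Python parser for lines in this netfilter LOG format. It groups hits by source address and reports which destination ports (DPT, not SPT) each source touched, which is exactly the distinction the correction above makes; the sample lines are copied from the log posted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the same netfilter LOG format as the router output above
# (addresses and ports copied from the thread; a subset of the posted lines).
SAMPLE_LOG = """\
Mar 1 12:54:53 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=97.81.165.234 DST=90.218.118.181 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=4856 DF PROTO=TCP SPT=4743 DPT=2926 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 1 12:54:59 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=97.81.165.234 DST=90.218.118.181 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=5197 DF PROTO=TCP SPT=4744 DPT=2926 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 1 12:57:00 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=222.208.183.218 DST=90.218.118.181 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 1 12:57:31 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=222.208.183.218 DST=90.218.118.181 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 1 12:58:03 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=222.208.183.218 DST=90.218.118.181 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=256 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split one netfilter LOG line into its KEY=VALUE fields plus bare TCP flag tokens."""
    if "->" not in line:
        return None
    tail = line.split("->", 1)[1]
    rec = dict(FIELD_RE.findall(tail))  # OUT= and MAC= are legitimately empty here
    rec["FLAGS"] = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return rec

def summarise(text):
    """Per source address: hit count, the *destination* ports probed, source ports used."""
    by_src = defaultdict(lambda: {"hits": 0, "dports": set(), "sports": set(), "to_router": True})
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        s = by_src[rec["SRC"]]
        s["hits"] += 1
        s["dports"].add(int(rec["DPT"]))
        s["sports"].add(int(rec["SPT"]))
        # An empty OUT= means the packet was addressed to the router itself, not forwarded on.
        s["to_router"] &= (rec.get("OUT", "") == "")
    return by_src

def classify(summary):
    """Label each source: a sweep across several ports, or repeated SYNs to one closed port."""
    labels = {}
    for src, s in summary.items():
        if len(s["dports"]) > 1:
            labels[src] = "port sweep: %d ports" % len(s["dports"])
        else:
            labels[src] = "repeated SYN to port %d (%d attempts)" % (next(iter(s["dports"])), s["hits"])
    return labels
```

Run `classify(summarise(open("/var/log/router.log").read()))` on a real dump to get one line per source instead of one alert per packet.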
 
Is it having an effect on Jay's performance though? He's told me it's like timing out sometimes. I've said to him to check for firmware for the router and give it a restart, check the filter and run adaware/virus check on his system.

He doesn't use wireless on his main PC just Ethernet.
 
I used to see hundreds of scans, SSH brute forces & web server vulnerability scans a minute on my 3.5Mb ADSL line and it barely touched my router, so I'm not sure the scans and his problems are related - he's seeing 1 or 2 probes every few minutes.
 
My router no longer bothers recording these types of events. Port scans are always going to happen; the only way to stop them is to not connect to the internet. The reason why I turned off this type of logging for my router is that if I use a torrent client, as soon as I close the client everyone else still tries to connect to me, not realising my client is now offline and so no connection can be established, which causes thousands of lines in my log file within a few min.
 
Well, to go in depth about my connection problem, Sky say my line has lots of errors, blaming the filters for it...failing that, the router is to blame :(
 
You on a long line? I used to get 3.5Mb with 56dB loss, but I was getting 16k FECs a second and that caused massive instability for me. When the FECs disappeared I was nice and stable.
 
ADSL Link          Downstream   Upstream
Connection Speed   6141 kbps    796 kbps
Line Attenuation   48.0 dB      25.8 dB
Noise Margin       6.6 dB       11.0 dB

I had my own actual line installed in the bedroom, so the cabling runs from one end of the house to the other, it being a bungalow...
 