Routers

Discussion in 'other firewalls' started by maze152, May 29, 2005.

Thread Status:
Not open for further replies.
  1. maze152

    maze152 Guest

    Hi

    Can anyone tell me if it is possible to bypass a NAT-enabled router? I'm asking because someone keeps trying to hack me - same constant IP address.

    Thanks for any replies
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    What makes you say that someone is trying to hack you? Are you looking at the log from your router and you happen to see events from that same IP address? If so, post several samples of the log here for review - simply block out your own public IP address. Until the log is reviewed, it's not really possible to give any specific advice.
     
  3. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Do you have a software firewall?
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Unless it is through an allowed connection, it shouldn't be able to be bypassed, I don't believe.
     
  5. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Right, but a 'hacker' might also try to exploit a vulnerability in the router (I don't believe this is the case, otherwise the hack would probably have occurred already).
    The only allowed connections could come through port forwarding. If you configured this kind of function (like opening an incoming communication for BitTorrent or something like that), someone could try to hack that function.

    Best way: show the log.

    BTW: DNS from your ISP could be the legal source of incoming packets!
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I will agree with that, I am just mainly going by my own experience. I have been using a router for several years now and nothing bad has gotten through yet. And I hope it stays that way.
     
  7. Maze152

    Maze152 Guest

    Evening all,

    I was on the net this morning and while I was using the router I was getting lots of hack attempts and denial of service attempts showing in the router log file. Also when I checked my software file some of the attempts had got through, but been blocked by my software firewall. The hack attempts were done by using the EDM MGR Cntrl program!! - This carried on right throughout the day until about 6.00pm.

    Any ideas,

    Mazey
     
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    As noted above by LowWaterMark, post samples from the log here for review - block out your own public IP address. Until that happens, there's really no useful information in front of us.

    Blue
     
  9. Maze

    Maze Guest

    Do you want software or hardware firewall logs?
     
  10. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Both if possible ^_^
     
  11. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Try running Shields Up. One or more of your ports may be showing closed but not stealthed. In which case you are protected but visible on the net. There are other tests you can run but this should give you a quick indication of how your router is performing.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Unsolicited UDP gets by NAT?

    -rich
     
  13. Maze

    Maze Guest

    Hi guys,

    This is a log from my router:
    System Log

    2005-05-30 00:39:37 1498/TCP from 66.102.9.104:80 to :1498 3-Invalid TCP packet received, dropping packet

    The strange thing is all my router ports are closing and I'm not forwarding any, but this hacker keeps trying.

    So worried about this, pls help!
    Maze

    edited ip address==bigc
     
    Last edited by a moderator: May 29, 2005
  14. Maze

    Maze Guest

    Damn, I shouldn't have given my IP address, should I?
     
  15. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Here is what I get on the first ip
     

    Attached Files:

  16. Maze

    Maze Guest

    what was that?
     
  17. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    That is the IP that is trying to connect with your comp. --- Google.
     
  18. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Closed or stealthed?
     
  19. sinbad370

    sinbad370 Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    68
    Location:
    Georgia
    Bigc did a whois on 66.102.9.104:80 from the log you gave him. Look at where it is coming from.
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It means that the "attack" was actually data received from a web server owned by Google, almost surely due to you visiting it and doing a search. For some reason your router took a dislike to the data sent back and dropped it. "3-Invalid TCP packet received" doesn't really offer much information so perhaps your router documentation has more details on this.
     
  21. Maze

    Maze Guest

    The source ip address of the attacker is:

    216:239:59:147 - event information - 'firefox'

    216:239:59:147 - event information - 'nsjtp-ctrl'

    216:239:59:147 - event information - 'ncpm-hip'

    This is the current info from my software firewall

    Thanks

    maze
     
  22. maze

    maze Guest

    ''can't access my home page Google!!''
     
  23. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    It just might not be in the whois database, but here is what I get on that one.
     
  24. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Maze, that's just more Google traffic. The IP address 216.239.59.147 is also a Google owned address. (The ":" characters are incorrect, those should be ".")

    The reason I always ask for log entries first, before speculating about hackers getting through firewalls or routers, is because the terminology used by firewalls and many logging packages often calls things "attacks" when in fact they are just unexpected or delayed traffic. These aren't attacks.
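
Added example, not part of the original thread: a small Python triage of router log lines in the format posted above, separating entries shaped like replies to the user's own outbound traffic (server port to high client port) from unsolicited probes of service ports. The line format is inferred from the single entry on the page; the port list, the verdict strings, and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Format inferred from the single log line posted in the thread; the
# destination IP is empty because the poster masked it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<dport>\d+)/(?P<proto>TCP|UDP) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]*):\d+ (?P<msg>.*)$"
)

# Assumption: services a home user's own outbound traffic usually talks to.
SERVER_PORTS = {53: "DNS", 80: "HTTP", 443: "HTTPS"}


def classify(line):
    """Return (src_ip, verdict) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if sport in SERVER_PORTS and dport >= 1024:
        # Server port -> high client port: the shape of a (late) reply.
        return m["src"], f"likely {SERVER_PORTS[sport]} reply traffic"
    if dport < 1024:
        return m["src"], "unsolicited probe of a service port"
    return m["src"], "unclassified"


def triage(lines):
    """Count verdicts per source IP so a 'repeat attacker' can be read at a glance."""
    return Counter(r for r in map(classify, lines) if r)


# First line is the entry posted in the thread; the rest are constructed
# (documentation-range IPs, placeholder message text).
SAMPLE_LOG = [
    "2005-05-30 00:39:37 1498/TCP from 66.102.9.104:80 to :1498 3-Invalid TCP packet received, dropping packet",
    "2005-05-30 00:39:41 1498/TCP from 66.102.9.104:80 to :1498 3-Invalid TCP packet received, dropping packet",
    "2005-05-30 00:41:02 1033/UDP from 192.0.2.53:53 to :1033 constructed message",
    "2005-05-30 00:45:12 23/TCP from 203.0.113.7:40211 to :23 constructed message",
]

if __name__ == "__main__":
    for (src, verdict), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:16} {n:3}  {verdict}")
```

A source port can be forged, so the "reply" verdict describes the shape of the traffic only; a whois lookup on the source address, as done in the thread, is the follow-up check.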
     
  25. maze

    maze Guest

    LowWaterMark - what does all this mean, I'm not getting hacked? Why is my home page not working, and I keep getting the same IP address showing up with event information?

    Can you explain?

    By the way, thanks guys/girls for helping me out here.

    Maze
     