Exetel ACK Scans

Postby gondy on Thu Mar 20, 2014 10:33 pm

Hi - wondering if I can get any advice about ACK scans in my router log. I have quite a few of these (over the last few days):

[DOS Attack] : 2 [ACK Scan] packets detected in last 20 seconds, source ip [220.233.2.210]. Thursday, Mar 20,2014 16:59:23
[DOS Attack] : 1 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.1.6]. Thursday, Mar 20,2014 00:23:04

in my router log. The first appears to be coming from an Exetel internal server. Whois shows the owner as Exetel Hostmaster. The second is from who knows where!

Can anyone advise? Is this an external party trying to gain access to my home network? Or something not so sinister?

Thanks
Pete
That's my 2¢, which these days gets rounded to zero!
gondy
Posts: 49
Joined: Mon Apr 25, 2005 7:40 pm
Location: Sydney, Australia

Re: Exetel ACK Scans

Postby angelos on Fri Mar 21, 2014 1:33 am

Hi Pete,

[DOS Attack] : 2 [ACK Scan] packets detected in last 20 seconds, source ip [220.233.2.210]. Thursday, Mar 20,2014 16:59:23
[DOS Attack] : 1 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.1.6]. Thursday, Mar 20,2014 00:23:04


The logs do say DOS attack so we can't really say what is going on.

The first appears to be coming from an Exetel internal server. Whois shows the owner as Exetel Hostmaster. The second is from who knows where!

You are right, the first IP is an Exetel IP, but the second is most likely an internal IP in your LAN.

Do you have security on your access control for your modem? It would be recommended to tighten that up first.
angelos
Exetel Staff
Posts: 1068
Joined: Fri Nov 09, 2012 11:22 pm
Location: Australia

Re: Exetel ACK Scans

Postby angelos on Fri Mar 21, 2014 1:35 am

Adding to the above, you should check your internal devices for malware or bot activity.
angelos
Exetel Staff
Posts: 1068
Joined: Fri Nov 09, 2012 11:22 pm
Location: Australia

Re: Exetel ACK Scans

Postby LindaB on Fri Mar 21, 2014 1:43 am

It is nothing unusual unless they are hitting your router every few seconds. I just checked my logs to see if that IP 220.233.2.210 comes up, but the number that scans me is slightly different. It is normal for your router to log scans from external IPs, and your log shows those that were dropped/blocked. When we see logs with [DoS attack: ACK Scan] in them we instantly think "OMG, I am being hacked" when in fact it is quite common to be scanned, and your router blocked it.
You should use a strong password for your router instead of the default it was shipped with, make sure you also use something unusual for the wireless network key, and do the Windows updates when they are available to remove vulnerabilities in the OS. If you have done all that, along with decent AV installed on all machines using your network, then you should be safe. If you must store sensitive data such as tax, bank or credit card details on your computer it is advisable to use encryption just in case of theft. If it helps ease your concerns, there is probably more chance of your house being burgled than your computer being hacked. :)
LindaB
Posts: 73
Joined: Wed Feb 24, 2010 10:56 am
Location: Australia

Re: Exetel ACK Scans

Postby gondy on Fri Mar 21, 2014 2:20 am

Thanks all. Understand about the Exetel one; it happens once every 24 hrs. Router and wireless passwords are both "unusual" and non-default.

As for what look like internal IPs, they are very strange. I don't actually allocate IP addresses in the 192.168.1.6 range, so it's not an internal machine.

[DOS Attack] : 1 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.1.2]. Tuesday, Mar 18,2014 13:47:13 <-- again, not in my internal LAN IPs

I have had multiple echo requests and attempted LAN accesses in the logs too. The router provider gives no info on how to interpret them. Felt better when I had my old ADSL1 DrayTek!

[Service blocked: ICMP_echo_req] from source 138.25.78.25, Tuesday, Mar 18,2014 23:28:47
Firewall: packet drop. 138.25.78.25 -->220.233.x.x, Protocol ICMP, Message type 3. Tuesday, Mar 18,2014 23:28:47
[Service blocked: ICMP_echo_req] from source 138.25.78.25, Tuesday, Mar 18,2014 23:28:45
Firewall: packet drop. 138.25.78.25 -->220.233.x.x, Protocol ICMP, Message type 3. Tuesday, Mar 18,2014 23:28:45
[Service blocked: ICMP_echo_req] from source 173.58.72.115, Tuesday, Mar 18,2014 22:31:56
Firewall: packet drop. 173.58.72.115 -->220.233.x.x, Protocol ICMP, Message type 3. Tuesday, Mar 18,2014 22:31:56
[Service blocked: ICMP_echo_req] from source 85.233.67.8, Tuesday, Mar 18,2014 20:04:33
Firewall: packet drop. 85.233.67.8 -->220.233.x.x, Protocol ICMP, Message type 8. Tuesday, Mar 18,2014 20:04:33
[LAN access from remote] from 91.152.239.26:54936 to 192.168.x.x:34096 Tuesday, Mar 18,2014 15:49:01
[LAN access from remote] from 188.113.87.1:49506 to 192.168.x.x:34096 Tuesday, Mar 18,2014 15:48:56

I shut off UPnP yesterday (I know, I shouldn't have had it on...) which stopped the attempts at LAN access from remote. I checked those ports on the targeted machine. They seemed to be open, but there was nothing there. Firewalls on both my machines are denying incoming connection attempts. What's bizarre is that 138.25.78.25 is apnic.net. The 188. address seems to be from Norway. http://myip.ms/info/whois/188.113.87.1

Not sure what else to do. Just keep watching the log. Home machines are not windows machines.
That's my 2¢, which these days gets rounded to zero!
gondy
Posts: 49
Joined: Mon Apr 25, 2005 7:40 pm
Location: Sydney, Australia
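A small triage script for the Netgear-style log lines quoted in this thread, added here as an illustration (not from any poster or from Netgear): it parses the three message shapes shown above, totals ACK-scan packets per source, flags "IP Spoof" entries whose source is a private (RFC 1918) address arriving on the WAN side, and flags "LAN access from remote" entries that indicate an inbound connection was forwarded into the LAN (typically via UPnP or a port forward). The sample lines are constructed in the same format as the thread's log, not the poster's actual log.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the Netgear-style format quoted in the thread.
SAMPLE_LOG = """\
[DOS Attack] : 2 [ACK Scan] packets detected in last 20 seconds, source ip [220.233.2.210]. Thursday, Mar 20,2014 16:59:23
[DOS Attack] : 1 [IP Spoof] packets detected in last 20 seconds, source ip [192.168.1.6]. Thursday, Mar 20,2014 00:23:04
[Service blocked: ICMP_echo_req] from source 138.25.78.25, Tuesday, Mar 18,2014 23:28:47
[LAN access from remote] from 91.152.239.26:54936 to 192.168.x.x:34096 Tuesday, Mar 18,2014 15:49:01
[DOS Attack] : 3 [ACK Scan] packets detected in last 20 seconds, source ip [220.233.2.210]. Friday, Mar 21,2014 16:59:30
"""

DOS_RE = re.compile(r"\[DOS Attack\] : (\d+) \[(.+?)\] packets .* source ip \[([\d.]+)\]")
BLOCKED_RE = re.compile(r"\[Service blocked: (\S+)\] from source ([\d.]+)")
LAN_RE = re.compile(r"\[LAN access from remote\] from ([\d.]+):(\d+) to (\S+):(\d+)")

def parse_line(line):
    """Return (kind, detail, source_ip, packet_count), or None for unknown lines."""
    m = DOS_RE.search(line)
    if m:
        return ("dos", m.group(2), m.group(3), int(m.group(1)))
    m = BLOCKED_RE.search(line)
    if m:
        return ("blocked", m.group(1), m.group(2), 1)
    m = LAN_RE.search(line)
    if m:
        return ("lan_access", f"{m.group(3)}:{m.group(4)}", m.group(1), 1)
    return None

def triage(log_text):
    """Summarise a router log into a list of human-readable findings."""
    findings = []
    ack_by_src = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, detail, src, count = rec
        if kind == "dos" and detail == "ACK Scan":
            ack_by_src[src] += count          # dropped by the router; noteworthy only if frequent
        elif kind == "dos" and detail == "IP Spoof" and ipaddress.ip_address(src).is_private:
            findings.append(f"private source {src} on WAN: spoofed or misconfigured device")
        elif kind == "lan_access":
            findings.append(f"inbound connection from {src} forwarded to {detail}: check UPnP/port forwards")
    for src, n in ack_by_src.items():
        findings.append(f"{n} ACK-scan packets from {src}: dropped by the router, low priority unless frequent")
    return findings
```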

Re: Exetel ACK Scans

Postby Dazzled on Fri Mar 21, 2014 8:13 am

Is this from a Netgear? These routers may modify the default iptables logged messages, with a consequent reduction in information. Someone at Netgear mistakenly thought he was helpful.

You can read about various port scans at http://en.wikipedia.org/wiki/Port_scanner

It's normal to receive one about every ten or fifteen minutes, usually first looking for a hint of the presence of a Windows machine behind. Further probes may then follow to further test vulnerability. Other external probes may look for an accessible telnet port on the modem-router, which they hope has a default password. These are mainly criminal and are more likely to come from overseas than from Australia.

The one from within the LAN would have me checking the router DHCP table for connected devices and following up on that device.
Dazzled
Volunteer Site Admin
Posts: 6525
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney