Weird Router Log entries

  1. #1
    Senior Member | Join Date: Oct 2004 | Posts: 172

    Weird Router Log entries

    basically, i need help with my screwy router log and i want to know if i should be worried about these entries. i'm especially curious about the entry where the router tries to connect to itself on TCP 1145.

    -The router seems to think that the current date is Jan 04 2000, so the log entries are actually from today.
    -The log page is only showing entries for the current date, i don't know why. (i have a hard time believing that the log was totally empty yesterday).
    -If i hit the "refresh" button (it's an actual form button on the log page) it sometimes displays a new entry if it has one and sometimes it changes the time of the old entries. for example it will take an entry that is already in the log and change the seconds in the date and time, i don't know why.

    anyway, i'm getting all of these "unrecognized access" (what exactly does that mean?) entries from a few different places:

    this one is especially weird to me because it seems like the router tried to connect to itself on a weird port. anybody know what's up with this?
    Tuesday, January 04, 2000 13:26:08 Unrecognized access from 127.0.0.1:80 to TCP port 1145
    a bunch of them are from china, according to a whois lookup, and they want to connect to me on UDP 1026 and 1027 for some reason
    Tuesday, January 04, 2000 12:36:30 Unrecognized access from 222.189.38.34:32803 to UDP port 1026
    Tuesday, January 04, 2000 12:36:41 Unrecognized access from 196.22.26.238:8937 to UDP port 1026
    Tuesday, January 04, 2000 12:38:53 Unrecognized access from 218.92.11.43:33003 to UDP port 1026
    Tuesday, January 04, 2000 12:39:24 Unrecognized access from 218.92.11.40:32897 to UDP port 1026
    Tuesday, January 04, 2000 12:39:24 Unrecognized access from 218.92.11.40:32897 to UDP port 1027
    Tuesday, January 04, 2000 12:41:09 Unrecognized access from 221.208.208.195:33124 to UDP port 1026
    Tuesday, January 04, 2000 12:43:07 Unrecognized access from 218.92.11.44:33718 to UDP port 1026
    Tuesday, January 04, 2000 12:48:53 Unrecognized access from 61.138.137.9:54741 to UDP port 1026
    then there are some other random connections:

    this one also tried to connect to me on UDP 1026:
    Tuesday, January 04, 2000 13:30:17 Unrecognized access from 70.85.178.66:35469 to UDP port 1026
    this one tried to connect on port 80:
    Tuesday, January 04, 2000 13:41:40 Unrecognized access from 24.125.97.213:4148 to TCP port 80
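
A triage sketch for the log format shown in this post, added here as an example and not part of the original thread: it groups the "Unrecognized access" entries by destination protocol and port, and lists any entry whose source is a loopback or private address, which is not a public Internet source. The names `parse` and `summarize` are hypothetical; the sample lines are copied from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Entries copied from the post above (the router clock is wrong, hence year 2000).
LOG = """\
Tuesday, January 04, 2000 13:26:08 Unrecognized access from 127.0.0.1:80 to TCP port 1145
Tuesday, January 04, 2000 12:36:30 Unrecognized access from 222.189.38.34:32803 to UDP port 1026
Tuesday, January 04, 2000 12:39:24 Unrecognized access from 218.92.11.40:32897 to UDP port 1026
Tuesday, January 04, 2000 12:39:24 Unrecognized access from 218.92.11.40:32897 to UDP port 1027
Tuesday, January 04, 2000 13:30:17 Unrecognized access from 70.85.178.66:35469 to UDP port 1026
Tuesday, January 04, 2000 13:41:40 Unrecognized access from 24.125.97.213:4148 to TCP port 80
"""

ENTRY = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}) Unrecognized access from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to "
    r"(?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)

def parse(log):
    """Yield (src_ip, src_port, proto, dst_port) for each recognised line."""
    for line in log.splitlines():
        m = ENTRY.search(line.strip())
        if not m:
            continue  # some other log format; ignore it
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address, e.g. an octet above 255
        yield src, int(m["sport"]), m["proto"], int(m["dport"])

def summarize(log):
    """Return ({(proto, dst_port): {sources}}, [entries with a non-public source])."""
    by_service = defaultdict(set)
    flagged = []
    for src, sport, proto, dport in parse(log):
        by_service[(proto, dport)].add(str(src))
        if src.is_loopback or src.is_private:
            flagged.append((str(src), sport, proto, dport))
    return dict(by_service), flagged

if __name__ == "__main__":
    services, flagged = summarize(LOG)
    for (proto, port), sources in sorted(services.items()):
        print(f"{proto}/{port}: {len(sources)} distinct source(s)")
    for entry in flagged:
        print("non-public source address:", entry)
```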

  2. #2
    Senior Member | Join Date: Dec 2004 | Posts: 107
    Slinky,

    Take a gander at this:

    http://www.linklogger.com/UDP1026.htm

    Typically inbound traffic to this port is Messenger Spam which is more annoying than anything else, and hence not really worthy of a Link Logger alert, but still there is enough of this traffic that an explanation would be helpful.

    ...which led me to http://www.dslreports.com/forum/rema...9685~mode=flat

    Given the Spammer no longer has to hit a sequence of ports required for a Net Send delivery of Spam, but now only has to hit a single UDP port, they can dramatically increase their spamming rates. SQL Slammer for example hit one UDP port with a single packet and was the fastest propagating worm of all time (note UDP ports do not have any handshaking overhead like TCP ports), so now Spammers are using the same concept to rapidly distribute their spam, with single packet spam messages sent to a single UDP port. This increase in speed would explain the sudden increase in UDP port 1026 traffic. The best defense is to use a firewall to hide all ports from the internet, but at some time perhaps more will have to be done as spammers continue to increase their spamming rates and bandwidth usage to all time new highs.

    Hope this helps.

    -ik
    Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
    -- Homer S.

  3. #3
    Senior Member | Join Date: Oct 2004 | Posts: 172
    so i guess they're just spammers, thx. but what about this one?
    Tuesday, January 04, 2000 13:26:08 Unrecognized access from 127.0.0.1:80 to TCP port 1145
    and what's up with my router? the date is off, the log is screwy...

  4. #4
    Senior Member | Join Date: Dec 2004 | Posts: 107
    Slinky,

    Hits on port 1145 could be related to a number of things. Among others, it is related to the Backdoor.CHCP (google "port 1145").

    Judging from your router's log, I would advise you to run your Anti-Virus software and your Anti-Spyware software with the most current definitions.

    An incoming connection to port 80 means someone thinks you are a webserver and they're trying to either pull a page off your ip or possibly trying to do other mean things.

    As far as your router time, did you ever set the router's time? I'm not sure if your router automatically sets its date/time to some server on the internet or not. I would bet not. So you would probably need to manually set its date/time.

    Your log files might be getting purged daily. Check your router's settings.

    -ik
    Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
    -- Homer S.

  5. #5
    Senior Member | Join Date: Oct 2004 | Posts: 172
    well, the only thing as far as setting the time in my router configuration is a "refresh date/time" button, which refreshes the date to Jan 04 2000. the log settings don't have very many options either, nothing involving clearing/not clearing the log, etc.

    as far as this:
    Tuesday, January 04, 2000 13:26:08 Unrecognized access from 127.0.0.1:80 to TCP port 1145
    doesn't the loopback address indicate that the router was sending this hit to itself? if it was a computer on my network, wouldn't it show up as 192.168.x.x?

  6. #6
    Senior Member | Join Date: Dec 2004 | Posts: 107
    Whoops, I totally missed the 127.0.0.1 portion. You are correct sir. Honestly, I think I'd have to step down from this particular problem because clearly I'm really not sure why that would be happening... If anyone has any idea, please let slinky (and me!) know.. thanks

    I'm just curious, what router are you using?
    Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
    -- Homer S.
