Old 08-23-2012, 07:44 PM   #4
Choofers
FFR Player
FFR Music Producer
 
Join Date: Dec 2008
Age: 33
Posts: 6,205
Default Re: Belkin router showing UDP Flood, loop, TCP FIN Scans

Quote:
Originally Posted by PsYcHoZeRoSk8eR
Based on the little information that you have given, it could be the result of a DDoS Trojan. I'd honestly need to see more logs and know more about your current network topology. Is there any chance that you could run a packet capture while this is going on? It would provide a lot more information, specifically after disconnecting and then reconnecting to your network. Also, is there any way that you could turn up the logging? From what you've posted there is barely enough for very detailed analysis.
All the home network is, is a wireless router hooked up directly to the modem. It's password protected.

I actually have wireshark downloaded for packet capturing, but I haven't used it. Lemme boot that up and get it working.

Unfortunately, there's no way to increase logging. I saved the log to a text file; this is what it contains (not much more than what I already posted). It only shows the most recent stuff, it seems.
Code:
08/23/2012  17:27:23 sending OFFER to 192.168.2.3
08/23/2012  17:25:53 sending ACK to 192.168.2.60
08/23/2012  17:25:52 sending ACK to 192.168.2.18
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56675->> 208.81.191.110, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56523->> 208.81.191.113, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56645->> 64.212.100.99, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56673->> 64.212.100.102, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56669->> 68.142.93.133, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56686->> 208.81.191.111, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56657->> 173.194.69.102, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56661->> 93.184.220.39, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56247->> 31.13.77.58, 443 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56277->> 31.13.77.42, 443 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56624->> 208.81.191.110, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56594->> 173.194.69.95, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56583->> 173.194.69.139, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56588->> 81.31.99.13, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56596->> 192.221.106.126, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56226->> 69.171.247.37, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56600->> 204.9.163.163, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56562->> 96.30.8.143, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56603->> 199.93.52.126, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56607->> 204.160.107.126, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56617->> 93.184.220.79, 80 (from WAN Outbound)
08/23/2012  17:01:43 **TCP FIN Scan** 192.168.2.60, 56569->> 93.184.221.133, 80 (from WAN Outbound)
08/23/2012  17:01:43 **TCP FIN Scan** 192.168.2.60, 56573->> 69.63.189.70, 80 (from WAN Outbound)
08/23/2012  17:01:43 **TCP FIN Scan** 192.168.2.60, 56586->> 207.171.163.162, 80 (from WAN Outbound)
08/23/2012  16:55:37 DHCP Client: [WAN]Receive Ack from 172.19.41.16,Lease time=86400
08/23/2012  16:55:37 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012  16:55:37 DHCP Client: [WAN]Send Request, Request IP=68.224.31.31
08/23/2012  16:55:37 DHCP Client: [WAN]Receive Offer from 172.19.41.16
08/23/2012  16:55:37 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012  16:55:36 DHCP Client: [WAN]Send Discover
08/23/2012  16:55:34 DHCP Client: [WAN]Send Release
08/23/2012  16:53:53 **TCP FIN Scan** 192.168.2.60, 55956->> 173.194.69.18, 80 (from WAN Outbound)
08/23/2012  16:53:53 **TCP FIN Scan** 192.168.2.60, 55963->> 173.194.69.138, 80 (from WAN Outbound)
08/23/2012  16:53:53 **TCP FIN Scan** 192.168.2.60, 55965->> 173.194.69.100, 80 (from WAN Outbound)
08/23/2012  16:52:08 192.168.2.60 login success
08/23/2012  16:52:03 User from 192.168.2.60 timed out
08/23/2012  16:51:54 sending ACK to 192.168.2.60
08/23/2012  16:25:15 192.168.2.60 login success
08/23/2012  16:19:33 sending ACK to 192.168.2.2
08/23/2012  16:17:48 NTP Date/Time updated.
08/23/2012  16:17:25 sending ACK to 192.168.2.60
08/23/2012  16:17:23 DHCP Client: [WAN]Receive Ack from 172.19.41.16,Lease time=86400
08/23/2012  16:17:23 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012  16:17:23 DHCP Client: [WAN]Send Request, Request IP=68.224.31.31
08/23/2012  16:17:23 DHCP Client: [WAN]Receive Offer from 172.19.41.16
08/23/2012  16:17:23 DHCP Client: [WAN]Domain name = lv.cox.net
08/23/2012  16:17:23 DHCP Client: [WAN]Send Discover
08/23/2012  16:17:21 DHCP Client: [WAN]Send Discover
08/23/2012  16:17:19 DHCP Client: [WAN]Send Discover
08/23/2012  16:17:17 DHCP Client: [WAN]Send Discover
Quote:
Also, is this activity currently ongoing, or does it occur at seemingly random times? If it's consistently ongoing, then there is most certainly a problem. This might sound stupid, but have you tried turning everything (entire network) off for a little while to see if the problem persists? Not something that I would normally prescribe, but in a small enough home network it might be useful to see where/when this activity is occurring. I would also run a rootkit/malware scanner to see if that pulls anything on your device.
It happens at seemingly random times; the last time it occurred was at 17:02:04. I'll keep checking for when it starts again. I've tried powering down both the router and modem, which didn't do anything.


@prefx: Alright, I'll send you a pm in a bit.
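As an added triage helper (not code from this thread, from Belkin, or from either poster), the following parses the router's `**TCP FIN Scan**` lines in the exact format posted above and groups them into per-second bursts per LAN host, reporting how many distinct destinations and which destination ports each burst touched. The embedded sample log is a subset of the lines from the post; DHCP and ACK lines are included to show they are skipped.

```python
import re
from collections import defaultdict

# One Belkin "**TCP FIN Scan**" alert line, as it appears in the posted log:
# DATE  TIME **TCP FIN Scan** SRC, SPORT->> DST, DPORT (from IFACE DIRECTION)
FIN_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}:\d{2})\s+\*\*TCP FIN Scan\*\*\s+"
    r"([\d.]+),\s*(\d+)->>\s*([\d.]+),\s*(\d+)\s+\(from (\w+) (\w+)\)$"
)

# Sample input: lines copied from the posted router log (not a full capture).
SAMPLE_LOG = """\
08/23/2012  17:27:23 sending OFFER to 192.168.2.3
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56675->> 208.81.191.110, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56523->> 208.81.191.113, 80 (from WAN Outbound)
08/23/2012  17:02:04 **TCP FIN Scan** 192.168.2.60, 56645->> 64.212.100.99, 80 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56247->> 31.13.77.58, 443 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56277->> 31.13.77.42, 443 (from WAN Outbound)
08/23/2012  17:01:44 **TCP FIN Scan** 192.168.2.60, 56624->> 208.81.191.110, 80 (from WAN Outbound)
08/23/2012  16:55:37 DHCP Client: [WAN]Receive Ack from 172.19.41.16,Lease time=86400
08/23/2012  16:53:53 **TCP FIN Scan** 192.168.2.60, 55956->> 173.194.69.18, 80 (from WAN Outbound)
"""


def parse_fin_alerts(text):
    """Return one dict per FIN-scan alert line; every other line type is skipped."""
    alerts = []
    for line in text.splitlines():
        m = FIN_RE.match(line.strip())
        if not m:
            continue
        date, time, src, sport, dst, dport, iface, direction = m.groups()
        alerts.append({"ts": f"{date} {time}", "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport), "iface": iface,
                       "direction": direction})
    return alerts


def summarize_bursts(alerts):
    """Group alerts by (source host, timestamp second) and, per burst, count the
    alerts, the distinct destination hosts and the destination ports used.  One LAN
    host touching many public hosts on 80/443 inside a single second is the pattern
    to line up against the packet capture the thread recommends taking."""
    bursts = defaultdict(lambda: {"count": 0, "dsts": set(), "dports": set()})
    for a in alerts:
        b = bursts[(a["src"], a["ts"])]
        b["count"] += 1
        b["dsts"].add(a["dst"])
        b["dports"].add(a["dport"])
    return {k: {"count": v["count"], "distinct_dsts": len(v["dsts"]),
                "dports": sorted(v["dports"])} for k, v in bursts.items()}
```

Feed it the whole saved log file instead of `SAMPLE_LOG` to get the burst table for every LAN host the router flagged, which also makes it easy to see whether any host other than 192.168.2.60 ever appears.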