
I have these lines in my router's activity log:

Intrusion _> IN=ppp0.1 OUT= SRC=94.139.999.999 DST= Masked.xxx.xxx.xx9 PROTO=TCP SPT=49454 DPT=85

There is a new log every second. The numbers change a bit each time.

What is going on?

  • For the future, if you again post logs from your system, make sure to always mask IP addresses. They may be static or still valid when you post your question and might in theory expose vulnerabilities in your system, just like a "here, look, at Example Street No. 5 we have a broken window and are on vacation". :)
    – Mario
    Commented Jul 20, 2018 at 6:12

2 Answers


You shouldn't worry much about that message.

It just says that somebody with the specified source IP tried to get into your router, if that is the full message. If the message also includes ports, then the source IP most probably just scanned your network for your open ports.

The message is quite common in any firewall, there are whole botnets that are dedicated to just scanning your ports and trying to get into your router by using the default username/password. That does not mean that somebody actually got into your router.

Make sure you've changed your password and just to make sure, you can restart your router afterwards. If you should not have downtime, then it's fine.

Similar posts about this:
@superuser.com - What is a kernel intrusion on my router?
Kernel intrusion on my router

Generally, it's the "big bad internet knocking on your door". And unless you open that door, all is fine.


Without knowing the specific vendor/model of your router, I'd say your router detected an intrusion attempt and logged that. Nothing to worry about.

Just in case you're interested, the entries in the line reveal some more details:

  • IN: The interface used, ppp0.1 here probably refers to the WAN port towards your ISP.
  • OUT: The outgoing interface, since there's nothing to be passed/sent, it's not set.
  • SRC: The source IP of the offending connection.
  • DST: The destination IP of the offending connection (should be your router's WAN IP).
  • PROTO: The protocol used, TCP/IP here.
  • SPT: The source port of the offending connection (usually means nothing, since it's automatically assigned by the system based on unused ports).
  • DPT: The destination port, i.e. what was tried to connect to on your end.

Port 85 is typically used by "ML MIT Device" (no idea what that is, actually :)), but it's also used by trojans.

So what happened here? Nothing uncommon, really. In combination with the other log entries (which should typically include different entries for DPT, potentially different SRC as well), this is usually really just a so-called port scan. Some other computer (or network of computers) is looking for open ports, i.e. ports accepting connections. These may indicate potential attack surface for exploits etc.

Should you be worried? No, clearly not. Your router identified the attempted port scan (which is considered a potential intrusion attempt; therefore the log entries), so it probably automatically denied all further incoming connections from those ports, even if they'd be open. Double check to see whether you have any ports forwarded (you shouldn't, unless you provide specific servers/services to the public). It's important to mention that too many game support websites and departments tell their players to "forward ports", even if they're only used in the outgoing direction and the forward only adds attack surface without any gains.
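Both answers make the same point: read the log as a whole rather than one line at a time, since one source hitting many different DPT values is a port scan, while a source hammering a single port is a repeated probe, and either is only a concern if that port is actually forwarded. The following script is an added example, not code from the original question or answers; it parses the router's KEY=VALUE line format described above, groups entries by SRC, and checks probed ports against a forwarding list. The log lines, the addresses (RFC 5737 documentation ranges), the forwarded-port list and the scan threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the router's "Intrusion" format (not from the
# original post). 203.0.113.7 hits five different ports (looks like a scan);
# 203.0.113.42 hits port 85 three times (looks like a repeated probe).
SAMPLE_LOG = """\
Intrusion _> IN=ppp0.1 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=49454 DPT=85
Intrusion _> IN=ppp0.1 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=49455 DPT=23
Intrusion _> IN=ppp0.1 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=49456 DPT=8080
Intrusion _> IN=ppp0.1 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=49457 DPT=22
Intrusion _> IN=ppp0.1 OUT= SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=49458 DPT=443
Intrusion _> IN=ppp0.1 OUT= SRC=203.0.113.42 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=85
Intrusion _> IN=ppp0.1 OUT= SRC=203.0.113.42 DST=198.51.100.9 PROTO=TCP SPT=51001 DPT=85
Intrusion _> IN=ppp0.1 OUT= SRC=203.0.113.42 DST=198.51.100.9 PROTO=UDP SPT=51002 DPT=85
"""

# One KEY=VALUE token; VALUE may be empty, as in "OUT=" when nothing is forwarded.
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_line(line):
    """Turn one log line into a dict of its KEY=VALUE fields.

    Empty values (OUT=, or a masked DST=) stay as empty strings; SPT/DPT
    become integers so they compare and sort properly."""
    fields = {m.group("key"): m.group("value") for m in FIELD_RE.finditer(line)}
    for port_key in ("SPT", "DPT"):
        if fields.get(port_key, "").isdigit():
            fields[port_key] = int(fields[port_key])
    return fields


def summarize_by_source(text, scan_threshold=3):
    """Group entries by SRC and classify each source.

    scan_threshold (an assumed value) is the number of distinct destination
    ports from one source above which the activity is called a port scan."""
    by_src = defaultdict(lambda: {"hits": 0, "dports": set(), "protos": set()})
    for raw in text.splitlines():
        if "SRC=" not in raw:
            continue  # skip lines that are not in the firewall log format
        f = parse_line(raw)
        entry = by_src[f["SRC"]]
        entry["hits"] += 1
        entry["dports"].add(f.get("DPT", "?"))
        entry["protos"].add(f.get("PROTO", "?"))
    report = {}
    for src, entry in by_src.items():
        distinct = len(entry["dports"])
        report[src] = {
            "hits": entry["hits"],
            "distinct_dports": distinct,
            "dports": sorted(entry["dports"]),
            "protos": sorted(entry["protos"]),
            "verdict": ("likely port scan" if distinct >= scan_threshold
                        else "repeated probe of one or few ports"),
        }
    return report


def exposed_ports(report, forwarded_ports):
    """Return the probed destination ports that are actually forwarded.

    Only those reach something behind the router; every other probe was
    dropped at the WAN interface and is just noise in the log."""
    probed = set()
    for entry in report.values():
        probed.update(entry["dports"])
    return sorted(probed & set(forwarded_ports))


if __name__ == "__main__":
    rep = summarize_by_source(SAMPLE_LOG)
    for src, entry in rep.items():
        print(f"{src}: {entry['hits']} hits, ports {entry['dports']} -> {entry['verdict']}")
    # Assumed forwarding table for the example: only 8080 is forwarded inward.
    print("probed ports that are forwarded:", exposed_ports(rep, forwarded_ports=[8080]))
```

Run against a real log, the interesting output is the last line: an empty list means every probe was dropped and the entries are the "internet knocking on your door" noise the answers describe; a non-empty list names the forwarded ports worth reviewing.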
