DSL Modem or Router Cracked?

From: Klepinger, Aaron (Aaron.Klepingerat_private)
Date: Wed Jun 12 2002 - 13:03:44 PDT


    I believe my router or DSL modem has been compromised.  I'm basically a
    newbie when it comes to security and setting up a server, but I set one up
    just to mess around with it.  I'm not really worried about someone getting
    info off my machine, but they are really slowing down my connection and
    it's annoying!  Here's my setup:
    
    Win2K Server running IIS5, Exchange 2000, ZoneAlarm 3.x (with several shady
    ports open:  113 and 25), Netshield w/latest defs, DNS2Go dns forwarding
    enabled (advertising...come crack me!!!  bad, I know)
    Mac OS X 10.1.5 with Brickhouse firewall
    Alcatel Speed Touch Home with 3.2.7 firmware
    Linksys BEFSR41 with 1.42.7 firmware (port 113 and 25 forwarded to LAN)
    
                    ->Win2K Server
    Alcatel->Linksys
                    ->MacOS X
    
    Anyone have any idea what happened?  Let me know if I missed anything.  I
    found that port 1900 was SSDP, but I'm not sure what that even does.  Also,
    my Win2K box has all the latest patches for Win2K, IIS, IE,
    Exchange, etc., long & difficult admin password, iislockdown run, etc.
    
    ZoneAlarm trusts the network (192.168.1.X...bad idea, I know) and doesn't
    prompt when a new app hits the network (also bad, I know).  That feature was
    crashing my ZoneAlarm.
    
    I tried restarting the router, but the traffic seemed to just continue.
    I'll try some of the Alcatel updates later:
    http://security.sdsc.edu/self-help/alcatel
    http://www.cert.org/advisories/CA-2001-08.html
    
    http://online.securityfocus.com/bid/3851
    http://online.securityfocus.com/bid/2566
    http://online.securityfocus.com/bid/2568
    
    Does anyone have any idea what could be causing this?
    
    Thanks in advance,
    Aaron
    
    
    06/12-00:45:01.774507 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:297
    Len: 277
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-00:45:01.776151 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:1 IpLen:20 DgmLen:353
    Len: 333
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-00:45:01.777463 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:2 IpLen:20 DgmLen:281
    Len: 261
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-00:45:01.778811 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:3 IpLen:20 DgmLen:273
    Len: 253
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-00:45:01.780324 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:4 IpLen:20 DgmLen:317
    Len: 297
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-00:45:01.781755 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:5 IpLen:20 DgmLen:293
    Len: 273
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-00:45:01.783435 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:6 IpLen:20 DgmLen:347
    Len: 327
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-00:45:01.785052 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:7 IpLen:20 DgmLen:345
    Len: 325
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-00:45:01.786698 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:8 IpLen:20 DgmLen:349
    Len: 329
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-00:45:01.788292 192.168.1.1:1901 -> 239.255.255.250:1900
    UDP TTL:150 TOS:0x0 ID:9 IpLen:20 DgmLen:341
    Len: 321
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    
    ANOTHER SAMPLE
    
    
    06/12-01:01:39.908498 192.168.1.1:5379 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:138
    Len: 118
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:40.079716 192.168.1.1:5380 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:142
    Len: 122
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:50.261005 192.168.1.1:5381 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:136
    Len: 116
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:50.887075 192.168.1.1:5382 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:138
    Len: 118
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:51.478953 192.168.1.1:5383 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:146
    Len: 126
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:51.507745 192.168.1.1:5384 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:138
    Len: 118
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:52.034929 192.168.1.1:5385 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:145
    Len: 125
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:52.314608 192.168.1.1:5386 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:138
    Len: 118
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:52.854714 192.168.1.1:5387 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:145
    Len: 125
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:52.890565 192.168.1.1:5388 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:138
    Len: 118
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:52.893106 192.168.1.1:5389 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:145
    Len: 125
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:01:53.212231 192.168.1.1:5390 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:138
    Len: 118
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:01.805711 192.168.1.1:5391 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:139
    Len: 119
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:02.769345 192.168.1.1:5392 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:146
    Len: 126
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:02.817137 192.168.1.1:5393 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:142
    Len: 122
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:21.062060 192.168.1.1:5394 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:139
    Len: 119
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:21.746554 192.168.1.1:5395 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:146
    Len: 126
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:22.019646 192.168.1.1:5396 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:142
    Len: 122
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:23.560202 192.168.1.1:5397 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:145
    Len: 125
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:23.593550 192.168.1.1:5398 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:142
    Len: 122
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:31.695081 192.168.1.1:5399 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:139
    Len: 119
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:32.283182 192.168.1.1:5400 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:146
    Len: 126
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:32.635583 192.168.1.1:5401 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:142
    Len: 122
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:36.634359 192.168.1.1:5402 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:139
    Len: 119
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:37.343330 192.168.1.1:5403 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:146
    Len: 126
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:38.080323 192.168.1.1:5404 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:142
    Len: 122
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:38.082884 192.168.1.1:5405 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:142
    Len: 122
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:44.490302 192.168.1.1:5406 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:139
    Len: 119
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:45.615498 192.168.1.1:5407 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:146
    Len: 126
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:02:46.054853 192.168.1.1:5408 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:142
    Len: 122
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    
    
    MORE PACKETS
    
    
    06/12-01:09:56.891021 192.168.1.1:1049 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:140
    Len: 120
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:09:59.628788 192.168.1.1:1050 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:159
    Len: 139
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:10:09.161243 192.168.1.2:20752 -> 205.152.37.254:53
    UDP TTL:128 TOS:0x0 ID:32269 IpLen:20 DgmLen:61
    Len: 41
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:10:09.178139 205.152.37.254:53 -> 192.168.1.2:20752
    UDP TTL:251 TOS:0x0 ID:8301 IpLen:20 DgmLen:155 DF
    Len: 135
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:10:09.182068 192.168.1.2:20753 -> 129.6.15.29:123
    UDP TTL:128 TOS:0x0 ID:32270 IpLen:20 DgmLen:76
    Len: 56
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/12-01:10:09.184166 192.168.1.1:1051 -> 192.168.1.255:162
    UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:144
    Len: 124
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
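Added example, not part of Aaron's post or of any reply on the list: a small Python triage script for the snort-style header log quoted above. It parses the three-line records (header, IP/UDP fields, payload length), labels each flow by well-known UDP port (SSDP on 1900 to the 239.255.255.250 multicast group, SNMP traps on 162 to the LAN broadcast address, DNS on 53, NTP on 123), and reports per flow the packet count, payload bytes and time span, so you can see whether the captured traffic is actually large enough to account for a slow link and which flows fall outside the expected set. The `KNOWN_UDP` table, the /24-LAN broadcast assumption and the last sample record (to a TEST-NET address on an unlisted port) are assumptions or constructed for the example; the other sample records are copied from the post.

```python
"""Triage of snort-style UDP header logs: parse the three-line records,
label each flow by well-known service, and summarise per flow how many
packets, how many payload bytes and over what time span. Added example;
the log format is the one quoted in the post, the service table and the
last sample record are assumptions/constructed."""
import re
from datetime import datetime
from ipaddress import ip_address

HEADER_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
PROTO_RE = re.compile(r"^(?P<proto>UDP|TCP|ICMP)\s+TTL:(?P<ttl>\d+)\b.*\bDgmLen:(?P<dgmlen>\d+)")
LEN_RE = re.compile(r"^Len:\s*(?P<plen>\d+)$")

# Well-known UDP ports that appear in the post's capture (assumed table, not exhaustive).
KNOWN_UDP = {53: "DNS", 123: "NTP", 162: "SNMP trap", 1900: "SSDP (UPnP)"}

def parse_capture(text):
    """Return one dict per record; separator lines and blank lines are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"ts": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d %H:%M:%S.%f"),
                   "src": m["src"], "sport": int(m["sport"]),
                   "dst": m["dst"], "dport": int(m["dport"]), "plen": 0}
            records.append(cur)
        elif cur is not None and (m := PROTO_RE.match(line)):
            cur.update(proto=m["proto"], ttl=int(m["ttl"]), dgmlen=int(m["dgmlen"]))
        elif cur is not None and (m := LEN_RE.match(line)):
            cur["plen"] = int(m["plen"])
    return records

def scope(dst):
    """multicast / broadcast / unicast; assumes a /24 LAN so x.y.z.255 is its broadcast."""
    if ip_address(dst).is_multicast:
        return "multicast"
    return "broadcast" if dst.endswith(".255") else "unicast"

def service(rec):
    """Label by destination port, else by source port (a reply), else 'unknown'."""
    if rec["dport"] in KNOWN_UDP:
        return KNOWN_UDP[rec["dport"]]
    if rec["sport"] in KNOWN_UDP:
        return KNOWN_UDP[rec["sport"]] + " reply"
    return "unknown"

def summarize(records):
    """Group by (src, dst, dport): packet count, payload bytes, first-to-last span in seconds."""
    flows = {}
    for r in records:
        key = (r["src"], r["dst"], r["dport"])
        f = flows.setdefault(key, {"service": service(r), "scope": scope(r["dst"]),
                                   "count": 0, "bytes": 0, "first": r["ts"], "last": r["ts"]})
        f["count"] += 1
        f["bytes"] += r["plen"]
        f["first"], f["last"] = min(f["first"], r["ts"]), max(f["last"], r["ts"])
    for f in flows.values():
        f["span_s"] = (f["last"] - f["first"]).total_seconds()
    return flows

def unknown_flows(flows):
    """Flows matching no known service: the ones whose payloads deserve a closer look."""
    return sorted(k for k, f in flows.items() if f["service"] == "unknown")

# Records copied from the post (SSDP multicast, SNMP trap broadcast, DNS, NTP) plus one
# constructed record to a TEST-NET address on an unlisted port to exercise the unknown branch.
SAMPLE = """
06/12-00:45:01.774507 192.168.1.1:1901 -> 239.255.255.250:1900
UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:297
Len: 277
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/12-00:45:01.776151 192.168.1.1:1901 -> 239.255.255.250:1900
UDP TTL:150 TOS:0x0 ID:1 IpLen:20 DgmLen:353
Len: 333
06/12-00:45:01.777463 192.168.1.1:1901 -> 239.255.255.250:1900
UDP TTL:150 TOS:0x0 ID:2 IpLen:20 DgmLen:281
Len: 261
06/12-01:01:39.908498 192.168.1.1:5379 -> 192.168.1.255:162
UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:138
Len: 118
06/12-01:01:40.079716 192.168.1.1:5380 -> 192.168.1.255:162
UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:142
Len: 122
06/12-01:10:09.161243 192.168.1.2:20752 -> 205.152.37.254:53
UDP TTL:128 TOS:0x0 ID:32269 IpLen:20 DgmLen:61
Len: 41
06/12-01:10:09.178139 205.152.37.254:53 -> 192.168.1.2:20752
UDP TTL:251 TOS:0x0 ID:8301 IpLen:20 DgmLen:155 DF
Len: 135
06/12-01:10:09.182068 192.168.1.2:20753 -> 129.6.15.29:123
UDP TTL:128 TOS:0x0 ID:32270 IpLen:20 DgmLen:76
Len: 56
06/12-01:15:00.000000 192.168.1.2:4000 -> 203.0.113.7:7000
UDP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:100
Len: 80
"""

if __name__ == "__main__":
    flows = summarize(parse_capture(SAMPLE))
    for (src, dst, dport), f in sorted(flows.items()):
        print(f"{src:>15} -> {dst:>15}:{dport:<5} {f['scope']:<9} {f['service']:<14} "
              f"pkts={f['count']} bytes={f['bytes']} span={f['span_s']:.3f}s")
    print("unknown:", unknown_flows(flows))
```

Run on the full capture in the post, the ten SSDP datagrams arrive within about 14 ms and total just under 3 KB of payload, and the SNMP traps are a few hundred bytes each; volumes like that do not slow a link by themselves, so the next check is a capture on the WAN side of the Linksys rather than on the LAN, and the `unknown` list is where to start reading payloads.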
    



    This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 18:07:49 PDT