What the **** is going on?!

Here’s my router’s log:

Friday May 30, 2008 13:29:41 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:29:49 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:29:50 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:29:58 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:29:59 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:30:01 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:30:02 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:30:04 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:30:05 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:30:07 Dos Attack type : Syn flood!!

I know it’s not uncommon to have a few of these entries in your logs, but ten in a row?!
Also, take a look at the log of CFP 3:

http://img98.imageshack.us/img98/8506/wtfdl0.png

I have around 200+ of the above entries.
I enter the IP address in my address bar, and what do I get? A login to ZyXEL Prestige 660HW-T1. Password is the default one, so I successfully log in.
Anyone have any idea of what’s going on?

Cheers,
Ragwing

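A small burst detector for this log format, as an added example and not code from the original thread: it parses the D-Link-style "Dos Attack" lines quoted above and flags runs of same-type entries that arrive closer together than a chosen gap, which is the "ten in a row" signal the post is asking about. The sample lines are constructed from the post; the gap and count thresholds are assumptions.

```python
"""Detect bursts of 'Dos Attack' entries in a D-Link style router log (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: the ten entries quoted in the post above.
SAMPLE_LOG = """\
Friday May 30, 2008 13:29:41 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:29:49 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:29:50 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:29:58 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:29:59 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:30:01 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:30:02 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:30:04 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:30:05 Dos Attack type : Syn flood!!
Friday May 30, 2008 13:30:07 Dos Attack type : Syn flood!!
"""

# "<weekday> <month> <day>, <year> <HH:MM:SS> Dos Attack type : <kind>!!"
LINE_RE = re.compile(
    r"^(?P<ts>\w+ \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}) Dos Attack type : (?P<kind>.+?)!*$"
)


def parse_entries(text):
    """Return a list of (timestamp, attack_kind) tuples; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%A %B %d, %Y %H:%M:%S")
            entries.append((ts, m.group("kind").strip()))
    return entries


def _emit(bursts, group, min_count):
    if len(group) >= min_count:
        bursts.append({"type": group[0][1], "count": len(group),
                       "start": group[0][0], "end": group[-1][0]})


def find_bursts(entries, max_gap_seconds=30, min_count=5):
    """Group consecutive same-type entries whose spacing is <= max_gap; report groups >= min_count."""
    gap = timedelta(seconds=max_gap_seconds)  # assumed threshold, tune per device
    bursts, group = [], []
    for ts, kind in sorted(entries):
        if group and (kind != group[-1][1] or ts - group[-1][0] > gap):
            _emit(bursts, group, min_count)
            group = []
        group.append((ts, kind))
    _emit(bursts, group, min_count)
    return bursts
```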

Based on CFP's log, the attached text file (what is this btw?) & the port numbers… it looks like torrents. What's port 1729… anything specific?

What do you mean by entering the IP address into your address bar… do you mean “190.143.121.167”, effectively “190.143.121.167:80”? ZyXEL? Your router?

Seems like I didn't explain it well enough, sorry for that.
The text file is the log for the ZyXEL router. It's not my router, I'm using a D-Link. I was using uTorrent to download something when this started to flood my Event Log. I don't know what port 1729 is.
This is what I get from GRC on port 1729:
Name: citynl
Purpose: CityNL License Management

And if I enter '190.43.121.167' in the address bar of Firefox, I get this:

http://img124.imageshack.us/img124/1589/wthoe3.png

190.43.121.167 is, as far as I can find out, an IP address from Lima in Peru.

whois query for 190.43.121.167…

Cheers,
Ragwing

Okay… Let me get this right: You’re running a P2P client & whilst you are either downloading/uploading with some chap in Peru, you hacked into his router & nicked his log? Sweet. 8) So, what’s the problem… specifically? ;D

On a serious note… I also looked up the port 1729 & instantly wrote that off as a bad lead. I also looked up, as you did, 190.143.121.167. But, did you discover that some WHOIS services report that IP as “unallocated”?

Are you really running a torrent/P2P-thingy? When did all this start? When you first connected perhaps?

I don’t know when it started. I downloaded some torrents and ran it. Then by mistake I clicked CFP instead of uTorrent, and saw some blocked intrusions, but before I closed it I saw that the number of intrusions grew, so I thought I should investigate it.
And yes, I’m really running a P2P-software (uTorrent). My port for incoming connections isn’t 1729…
From CFP's logs, we see that 190.43.121.167 is trying to connect to me on port 1729. Another mysterious thing is that there's some Comodo-related things in his/her log.

I know nothing about hacking, so I doubt I hacked him/her :stuck_out_tongue:

Cheers,
Ragwing

Was one of the trackers using port 1729?

I know, that chap in Peru is running CAVS!!

No tracker’s using port 1729… Now this is becoming even more mysterious…

Cheers,
Ragwing

According to the log (you “borrowed” 88) ) there are 2 users behind 190.143.121.167 & only one of them is using P2P (the sensible CAVS user is just browsing).

So we know it's a network with more than one person. The year is set to 2000, so they can't have too much technical knowledge… Maybe, somehow, we travelled back in time?

Cheers,
Ragwing

EDIT: No, seriously. Really, what is this? How can I log into a router in Peru?

Most routers have a web interface that is usually accessed via 127.0.0.1 & on some weird port number. Some can also be accessed via the Internet. But… on port 80 with the default password? That's nutty. Of course, the opposite might be true & they might have lots of knowledge… it could be a Honey Pot for instance.

What's it about? No idea, sorry. The source port numbers (CFP's log) for 190.143.121.167 look wrong for default Windows allocation of normal P2P action, I think.

Hi RagWing, ol’ mate,

I always told you not to dl sh***y things, but no one would ever listen…

Blah.

Cheers

The REBOL

LOL

I tried to log into this “router”, but I don’t have any default login username or password. This is what it looks like in Opera: SpeedTouch Server. WTF is that ??? Why does mine require a username as well while yours only requires a password?


Music’s not sh*t. Maybe he/she works for IFPI or something… I think they have hired some hackers to get me. But they’ll need to get thru CFP3 first…

Yes, most routers can be accessed via a reserved IP address like 192.168.x.x, but you can't really access someone else's router by writing the router's internal IP address if you're not connected to it. In this case, I used the external IP address to gain access.

It seems like the router was using default settings, so remote management should be disabled by default. And it was set to year 2000, so how can they be smart? :o

Because I’m a professional hacker :wink:
Seems like the person's IP address has changed, so I can no longer access it. But I changed his year to 2008 yesterday, so he/she should really say thanks to me. But maybe not for changing his/her login password. I think he/she most likely has reset the router. And I wanted to try my UDP-flooder on port 80 to see if I could crash it :frowning:
Still, the question why it would connect to me on port 1729 remains…

Cheers,
Ragwing

Ok, let’s see if you can hack my modem. I’ll even reveal its IP address. It’s 192.168.2.2

Good luck!

I can get your IP easy, I'll only have to do an ultra track reverse lookup (:WIN)