TransWikia.com

Network intrusion security warning in router logs

Information Security Asked by helpme123 on January 15, 2021

I found this in the logs of my router

Intrusion -> SRC=198.20.70.114 DST=(here was my own ip) LEN=44 TOS=0x00 PREC=0x00 TTL=111 ID=43361 PROTO=TCP SPT=1940 DPT=49152 WINDOW=34917 RES=0x00 SYNURGP=0

I went to check IP geolocation to see if it’s just my own IP or something and here is the result https://gyazo.com/9edf54b3e052a43316c2f8bdaaa75b5b

What is this? I live in Finland and I got this warning of intrusion from Chicago? The weird thing is, as I noticed this when I was just exploring the logs and found this, it got removed like 5 mins after I saw it? Sometimes my ping went to 600-700 when I was not doing anything on my internet except playing a game that shows ping, and I was home alone, not downloading anything. Is someone using my internet?

Should I be worried about this?

Also there is something like this:

CWMP:Cwmp post inform success.

IPPing diagnostic is complete.

CWMP inform message: event: 8 DIAGNOSTICS COMPLETE.

CWMP:Cwmp post inform success.

User ACS(195.197.95.135) modify IPPingDiagnostics.Host,IPPingDiagnostics.NumberOfRepetitions,IPPingDiagnostics.Timeout,IPPingDiagnostics.DataBlockSize,IPPingDiagnostics.DiagnosticsState

Detect UDP port scan attack, scan packet from 192.168.100.14.

2 Answers

No, you should not be worried because everyone gets stuff like this all the time and it looks like your router handled the problem.

The log says SRC= which is where the traffic is coming from, and these events come from all over the world. That does not mean someone is using your Internet. It means someone is trying to connect to whatever might be listening on your IP. Nothing in your own home needs to be even turned on for people from the outside to try to connect to things. You do not need to be home for someone to knock on your front door.

The worry should start if you see this traffic coming inside your network, and that will take some tools to install and some technical knowledge to set up. But because your router is alerting on them, you can assume that it is blocking them, but confirm with the router manual or your router's vendor's support.

Answered by schroeder on January 15, 2021
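As an added illustration (not part of the question or of either answer), this Python example parses log entries in the format quoted in the question and labels each source address as internal or external, the distinction the answer above draws. The DST value 203.0.113.7 is a documentation placeholder for the redacted address, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample lines, copied from the format of the router log in the question.
# 203.0.113.7 is a documentation placeholder for the redacted DST address.
SAMPLE_LOG = [
    "Intrusion -> SRC=198.20.70.114 DST=203.0.113.7 LEN=44 TOS=0x00 PREC=0x00 "
    "TTL=111 ID=43361 PROTO=TCP SPT=1940 DPT=49152 WINDOW=34917 RES=0x00 SYNURGP=0",
    "Detect UDP port scan attack, scan packet from 192.168.100.14.",
    "CWMP:Cwmp post inform success.",
]

KV = re.compile(r"\b([A-Z]+)=(\S+)")  # KEY=VALUE tokens of the "Intrusion ->" line
SCAN_FROM = re.compile(r"scan packet from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Return the source details of an intrusion/scan entry, or None for other lines."""
    fields = dict(KV.findall(line))
    scan = SCAN_FROM.search(line)
    src = fields.get("SRC") or (scan.group(1) if scan else None)
    if src is None:
        return None
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None  # malformed address: not an entry we can classify
    return {
        "src": src,
        # Private (e.g. 192.168.x.x) means a device on the LAN side of the router;
        # anything else is unsolicited traffic arriving from the Internet side.
        "origin": "internal" if addr.is_private else "external",
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def triage(lines):
    """Keep only the entries that carry a source address."""
    return [entry for entry in map(parse_line, lines) if entry]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```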

This can be just something like a system inside your network doing auto-update. You already have the clue.

PROTO=TCP SPT=1940 DPT=49152

Searching the source port will give you the agent, which is the jetVision client.

http://www.adminsub.net/tcp-udp-port-finder/1940

If you still really feel that it is some form of intrusion, or it's not the jetVision client, then try to isolate this source agent to identify where it's from in your home network by doing the following.

  • Isolate your router: disconnect all devices from your router and see if this intrusion log is still appearing. If it is, then your router is the culprit; check the manuals for any references to this source port.
  • If the intrusion log is no longer appearing after you disconnect all devices from your router, then connect one device at a time and check for the intrusion log again.
  • At the end, congratulate yourself: you just did a forensic investigation.

Answered by Winnnn on January 15, 2021
