Author Topic: Is someone trying to hack me? (Read 3090 times)

never_retreat · « **on:** June 26, 2012, 08:15:00 PM »

Here is a section of the log from panda, any ides what it is?
Is there something I need to tighten up on my router?

Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 7:48:16 PM Blocked Source IP address: 41.98.246.86
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 6:43:55 PM Blocked Source IP address: 41.98.246.86
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 3:14:07 PM Blocked Source IP address: 59.180.151.59
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 1:40:28 PM Blocked Source IP address: 201.86.109.248 Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 6:32:52 AM Blocked Source IP address: 120.59.10.114
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 5:47:24 AM Blocked Source IP address: 41.103.122.77
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 5:33:29 AM Blocked Source IP address: 59.177.3.35
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 4:43:12 AM Blocked Source IP address: 41.103.122.77
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 4:14:25 AM Blocked Source IP address: 93.86.158.11
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 3:21:17 AM Blocked Source IP address: 41.98.224.28
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 3:21:13 AM Blocked Source IP address: 41.103.122.77
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 2:14:36 AM Blocked Source IP address: 41.98.224.28
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 2:14:16 AM Blocked Source IP address: 41.103.122.77
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 2:01:37 AM Blocked Source IP address: 93.87.189.168
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 1:45:19 AM Blocked Source IP address: 41.98.224.49
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 1:42:36 AM Blocked Source IP address: 201.86.109.209
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 1:10:47 AM Blocked Source IP address: 41.103.122.77
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 12:59:39 AM Blocked Source IP address: 93.87.189.168
Packets with incorrect SYN, ACK and ... Firewall protection 6/26/2012 12:44:14 AM Blocked Source IP address: 41.98.224.49
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 11:55:09 PM Blocked Source IP address: 93.87.189.168
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 11:53:10 PM Blocked Source IP address: 41.103.122.77
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 11:43:42 PM Blocked Source IP address: 41.98.224.49
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 10:54:06 PM Blocked Source IP address: 93.87.189.168
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 10:48:47 PM Blocked Source IP address: 41.103.122.77
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 9:52:43 PM Blocked Source IP address: 93.87.189.168
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 6:26:30 AM Blocked Source IP address: 41.98.247.126
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 5:10:38 AM Blocked Source IP address: 41.98.247.126
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 4:52:03 AM Blocked Source IP address: 201.10.71.192
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 3:49:21 AM Blocked Source IP address: 201.10.71.192

Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 2:02:00 AM Blocked Source IP address: 201.10.71.192
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 12:38:49 AM Blocked Source IP address: 41.98.216.225
Packets with incorrect SYN, ACK and ... Firewall protection 6/25/2012 12:18:52 AM Blocked Source IP address: 201.10.71.192
Packets with incorrect SYN, ACK and ... Firewall protection 6/24/2012 11:16:44 PM Blocked Source IP address: 41.98.216.225
Packets with incorrect SYN, ACK and ... Firewall protection 6/24/2012 10:49:37 PM Blocked Source IP address: 120.56.142.93

mtnbkr · « **Reply #1 on:** June 26, 2012, 08:28:10 PM »

Spot checked a few at www.trustedsource.com. They're all dirty and scattered around the globe. It looks as if it were all blocked, but you should check your network in case something was passed and no log was written.

I wouldn't sweat it too much. I saw all sorts of garbage on my own personal servers. I also see all sorts of stuff at work. As long as your only symptom are blocks, you're ok.

Chris

Ben · « **Reply #2 on:** June 26, 2012, 09:13:28 PM »

I sometimes get the same kinda stuff too. As mtnbkr says, as long as they're blocked you should be okay.

It does go to show just how prevalent attempted attacks are. Thank goodness for hardware firewalls.

Lee · « **Reply #3 on:** June 26, 2012, 09:31:29 PM »

How do you look up the attempted attacks (as listed in OP)?

never_retreat · « **Reply #4 on:** June 26, 2012, 09:33:19 PM »

What scared me was it has been very frequent for the last 5 days, I started getting worried when it wasn't occasional.
What does this mean "Packets with incorrect SYN, ACK"?
Is this something I can block at the router so it is not even making it to a computer?

Quote from: Lee on June 26, 2012, 09:31:29 PM

How do you look up the attempted attacks (as listed in OP)?

It the log file from panda anti virus.

Phantom Warrior · « **Reply #5 on:** June 26, 2012, 09:57:27 PM »

Quote from: never_retreat on June 26, 2012, 09:33:19 PM

What scared me was it has been very frequent for the last 5 days, I started getting worried when it wasn't occasional.
What does this mean "Packets with incorrect SYN, ACK"?
Is this something I can block at the router so it is not even making it to a computer?
It the log file from panda anti virus.

CAVEAT: I'm not a security expert. Just an informed layman.

A hit every hour or two is probably nothing to worry about. If you were getting hit continuously in large number you might need to worry about a Denial Of Service (DoS) attack. DoS is the Internet equivalent of calling someone's phone over and over so no one else can call them. But if that was happening you'd notice because no one could connect to your resources (website or whatever you've got).

SYN/ACK is part of the TCP, a major protocol on the Internet, sets up a connection. A computer and a server exchange the responses in a certain order to set up a connection. Incorrect SYN/ACK is basically just like someone walking up to you and saying "Goodbye" instead of "Hello." TCP handshakes can be misused but the occasional incorrect SYN/ACK probably doesn't mean you are being specifically targeted.

Overall, I probably wouldn't worry.

rcnixon · « **Reply #6 on:** June 26, 2012, 11:01:03 PM »

Quote from: never_retreat on June 26, 2012, 09:33:19 PM

What scared me was it has been very frequent for the last 5 days, I started getting worried when it wasn't occasional.
What does this mean "Packets with incorrect SYN, ACK"?
Is this something I can block at the router so it is not even making it to a computer?
It the log file from panda anti virus.

Someone, somewhere is attempting to start an TCP (telnet or ftp are the most common) session on your network device. SYN, SYN-ACK and ACK is the so-called "three-way handshake" used to start a connection-type (as opposed to a connectionless) session using TCP/IP.

Yes, they are probably trying to hack you.

If you are interested in what is being attempted, the link points to a web page with an explanation of the three-way handshake.

http://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml

If the anti-virus is blocking it, no problem. There are ways to make the router block it but they are usually beyond the capability of most home routers.

Go here to test your firewall:

https://www.grc.com/x/ne.dll?bh0bkyd2

By the way, I'm not going to make any "three-way" jokes. No, I'm not, uh-uh, nope.

Russ, not a security guru but a network engineer none the less.

AJ Dual · « **Reply #7 on:** June 26, 2012, 11:03:02 PM »

Looks to me like scripts/spam-servers scanning IP ranges for unsecured systems they can forward mail through etc. looking for open SMTP services to forward spam around blacklists probably.

My 2Wire access point logs at home, and our Sonicwall at work is full of hits like that. It's like June bugs tapping against your window screens at night. Intrusive, but not exactly targeted or personal. (By "full" every hour or two from a couple of different IP's like that...)

never_retreat, do you have a home firewall/router?

Most of them just default out of the box to simply not reply to any unsolicited network traffic. Often called "stealth mode".

RevDisk · « **Reply #8 on:** June 27, 2012, 09:10:10 AM »

If it makes you feel better, it's 99.9% likely to be an automated attack from either a compromised PC or a worm. They're just doing scans to see if you have anything open. If you're paranoid, add a good firewall and Nessus scan yourself. If not, use a modern OS, patch regularly, keep a minimum number of stuff installed and use a top tier multifunctional AV.

"Doorknockers" don't want to compromise sophisticated folks. Because sophisticated folks have wireshark and other tools to compromise botnets. They want Joe Random User that installs malware looking for porn or whatnot.

Armed Polite Society

News:

Author Topic: Is someone trying to hack me? (Read 3090 times)

never_retreat

Is someone trying to hack me?

mtnbkr

Re: Is someone trying to hack me?

Ben

Re: Is someone trying to hack me?

Lee

Re: Is someone trying to hack me?

never_retreat

Re: Is someone trying to hack me?

Phantom Warrior

Re: Is someone trying to hack me?

rcnixon

Re: Is someone trying to hack me?

AJ Dual

Re: Is someone trying to hack me?

RevDisk

Re: Is someone trying to hack me?