help: doubt about router security (strange logs)


asghan
04-02-2015, 14:25
hi

looking at the system logs of an ADSL modem router,
some of them seemed very strange to me

and I started to wonder whether, because of some bug in the OS, it has been compromised and used by third parties

Info Feb 4 13:29:23 LOGIN User tried to log in on TELNET (41.253.143.41)
Info Feb 4 13:29:17 LOGIN User root tried to log in on TELNET (41.253.143.41)
Info Feb 4 13:29:08 LOGIN User root tried to log in on TELNET (41.253.143.41)
Info Feb 4 13:29:00 LOGIN User support tried to log in on TELNET (41.253.143.41)
Info Feb 4 13:28:51 LOGIN User admin tried to log in on TELNET (41.253.143.41)
Info Feb 4 13:28:45 LOGIN User admin tried to log in on TELNET (41.253.143.41)
Info Feb 4 13:28:36 LOGIN User root tried to log in on TELNET (41.253.143.41)
Info Feb 4 13:28:30 LOGIN User root tried to log in on TELNET (41.253.143.41)
Info Feb 4 13:28:28 CONFIGURATION saved by TR69
Info Feb 4 13:27:23 LOGIN User x logged in on [HTTP] (from x.x.x.x)
Info Feb 4 13:26:30 SNTP Synchronised to server: 134.170.185.211
Error Feb 4 13:26:30 SNTP Systemtime update: time setting 01:11:48 > new time setting: 13:26:30
Info Jan 1 01:11:28 CONFIGURATION saved by TR69
Warning Jan 1 01:11:27 PPP link up (Internet) [78.14.216.243]
Info Jan 1 01:11:27 FIREWALL event (1 of 2): deleted rules
Info Jan 1 01:11:26 PPP CHAP Receive success (Internet)
Info Jan 1 01:11:26 PPP CHAP Receive challenge from rhost c72g2.ca-atm3 (Internet)
Info Jan 1 01:11:20 FIREWALL event (1 of 1): modified rules
Info Jan 1 01:11:20 FIREWALL event (1 of 1): created rules
Warning Jan 1 01:11:20 PPP link down (Internet) [78.14.217.229]
Info Jan 1 01:09:40 FIREWALL event (1 of 1): modified rules
Info Jan 1 01:09:40 FIREWALL event (1 of 1): created rules
Warning Jan 1 01:09:40 PPP link up (Internet) [78.14.217.229]
Info Jan 1 01:09:40 FIREWALL event (1 of 2): deleted rules
Info Jan 1 01:09:40 PPP CHAP Receive success (Internet)
Info Jan 1 01:09:39 PPP CHAP Receive challenge from rhost c72g2.ca-atm3 (Internet)
Info Jan 1 01:09:32 xDSL linestate up (ITU-T G.992.5; downstream: 5553 kbit/s, upstream: 478 kbit/s; output Power Down: 20.9 dBm, Up: 12.0 dBm; line Attenuation Down: 26.0 dB, Up: 14.0 dB; snr Margin Down: 12.1 dB, Up: 22.7 dB)
Warning Jan 1 01:06:48 SNTP Unable to contact server: xxxxxxx
Warning Jan 1 01:06:21 PPP link down (Internet) [78.14.222.72]
Info Jan 1 01:05:56 FIREWALL event (1 of 1): modified rules
Info Jan 1 01:05:56 FIREWALL event (1 of 1): created rules
Info Jan 1 01:05:56 xDSL linestate down
Info Jan 1 01:03:31 FIREWALL event (1 of 22): modified rules
Info Jan 1 01:03:31 FIREWALL event (1 of 38): created rules
Warning Jan 1 01:03:31 PPP link up (Internet) [xxxxxxxxx]
Info Jan 1 01:03:31 FIREWALL event (1 of 7): deleted rules
Info Jan 1 01:03:30 PPP CHAP Receive success (Internet)
Info Jan 1 01:03:30 PPP CHAP Receive challenge from rhost c72g2.ca-atm3 (Internet)
Info Jan 1 01:03:26 xDSL linestate up (ITU-T G.992.5; downstream: 5432 kbit/s, upstream: 478 kbit/s; output Power Down: 20.8 dBm, Up: 12.0 dBm; line Attenuation Down: 26.0 dB, Up: 14.0 dB; snr Margin Down: 12.1 dB, Up: 22.8 dB)


especially these:
LOGIN User root tried to log in on TELNET
FIREWALL event (1 of 2): deleted rules

thanks for your opinion

pigi2pigi
04-02-2015, 14:48
tried = simple past of the verb "to try"; nowhere does it say they succeeded

as for the firewall changes, there are a lot of them and they are all from January 1, and maybe you made them yourself (the part before is missing)

asghan
04-02-2015, 15:53
hi

the initial date/time is January 1 because the router had just been switched on (a few minutes earlier);
it then updated itself via SNTP

the system logs get cleared when I switch it off

those logs were all the ones created in the few minutes since I switched it on, without changing any setting

given that I have a dynamic IP, all these attempts seem strange to me, coming a few moments after it connected to the internet and without my using the browser or anything else except accessing the router

thanks

asghan
04-02-2015, 16:11
PS

I had forgotten this one

Feb 4 01:28:17 LOGOUT User logged out on TELNET (211.177.208.200)

if I'm not misreading it,
if it logged out, presumably it was logged in before
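Added example, not code from the original post or from any router vendor: a small Python triage of log lines in the format quoted in the first post. It covers the two questions raised in this thread, whether the TELNET "tried to log in" burst is a brute-force pattern with no recorded success (the distinction pigi2pigi draws between "tried to log in" and "logged in"), and whether the LOGOUT from the PS has a matching login anywhere in the log; it also separates the entries logged before the SNTP clock update, whose Jan 1 timestamps are time since boot rather than wall-clock time. The thresholds (5 failed attempts within 2 minutes), the sample subset of the posted lines, the translated severity labels and the assumption that the web UI lists entries newest first are all assumptions of the example.

```python
"""Triage of router syslog lines in the format quoted in this thread.
Added example, not code from the original post or any router vendor; the
thresholds and sample lines are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (subset of the lines posted above, newest first, as the
# router's web UI lists them; severity labels translated).
SAMPLE_BOOT_LOG = [
    "Info Feb 4 13:29:23 LOGIN User tried to log in on TELNET (41.253.143.41)",
    "Info Feb 4 13:29:17 LOGIN User root tried to log in on TELNET (41.253.143.41)",
    "Info Feb 4 13:29:00 LOGIN User support tried to log in on TELNET (41.253.143.41)",
    "Info Feb 4 13:28:51 LOGIN User admin tried to log in on TELNET (41.253.143.41)",
    "Info Feb 4 13:28:36 LOGIN User root tried to log in on TELNET (41.253.143.41)",
    "Info Feb 4 13:28:30 LOGIN User root tried to log in on TELNET (41.253.143.41)",
    "Info Feb 4 13:28:28 CONFIGURATION saved by TR69",
    "Info Feb 4 13:27:23 LOGIN User x logged in on [HTTP] (from x.x.x.x)",
    "Info Feb 4 13:26:30 SNTP Synchronised to server: 134.170.185.211",
    "Error Feb 4 13:26:30 SNTP Systemtime update: time setting 01:11:48 > new time setting: 13:26:30",
    "Info Jan 1 01:11:28 CONFIGURATION saved by TR69",
    "Warning Jan 1 01:11:27 PPP link up (Internet) [78.14.216.243]",
    "Info Jan 1 01:11:27 FIREWALL event (1 of 2): deleted rules",
]
# The line from the follow-up post; its place in the boot log is unknown.
SAMPLE_EXTRA = ["Info Feb 4 01:28:17 LOGOUT User logged out on TELNET (211.177.208.200)"]

# "LEVEL Mon D HH:MM:SS SUBSYSTEM message" (the router omits the year)
LINE_RE = re.compile(r"^(?P<level>\S+)\s+(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
                     r"(?P<subsystem>\S+)\s+(?P<msg>.*)$")
# username may be absent ("User tried to log in"); HTTP wraps the service in []
LOGIN_RE = re.compile(r"User(?: (?P<user>\S+))? (?P<result>tried to log in|logged in) on "
                      r"\[?(?P<svc>[A-Z]+)\]? \((?:from )?(?P<ip>[^)]+)\)")
LOGOUT_RE = re.compile(r"User logged out on (?P<svc>[A-Z]+) \((?P<ip>[^)]+)\)")


def parse(lines):
    """Parse lines to dicts; with no year in the log only time deltas are meaningful."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(" ".join(e["ts"].split()), "%b %d %H:%M:%S")
            out.append(e)
    return out


def login_attempts(entries, svc="TELNET"):
    """Per source IP: timestamps of failed attempts, usernames tried, successes."""
    by_ip = defaultdict(lambda: {"tried": [], "users": set(), "logged_in": 0})
    for e in entries:
        m = LOGIN_RE.search(e["msg"]) if e["subsystem"] == "LOGIN" else None
        if not m or m.group("svc") != svc:
            continue
        rec = by_ip[m.group("ip")]
        if m.group("result") == "logged in":
            rec["logged_in"] += 1          # an actual session, not just an attempt
        else:
            rec["tried"].append(e["ts"])
            rec["users"].add(m.group("user") or "<empty>")
    return dict(by_ip)


def bruteforce_sources(attempts, min_attempts=5, window=timedelta(minutes=2)):
    """IPs with at least min_attempts failed logins inside any sliding window."""
    hits = []
    for ip, rec in attempts.items():
        t = sorted(rec["tried"])
        for i in range(len(t)):
            if sum(1 for x in t[i:] if x - t[i] <= window) >= min_attempts:
                hits.append(ip)
                break
    return hits


def orphan_logouts(entries):
    """LOGOUT events whose (service, ip) has no recorded 'logged in' anywhere."""
    logged_in = set()
    for e in entries:
        m = LOGIN_RE.search(e["msg"]) if e["subsystem"] == "LOGIN" else None
        if m and m.group("result") == "logged in":
            logged_in.add((m.group("svc"), m.group("ip")))
    orphans = []
    for e in entries:
        m = LOGOUT_RE.search(e["msg"]) if e["subsystem"] == "LOGOUT" else None
        if m and (m.group("svc"), m.group("ip")) not in logged_in:
            orphans.append((m.group("svc"), m.group("ip")))
    return orphans


def pre_sync_entries(newest_first):
    """Entries logged before the SNTP clock update: their timestamps are
    time since boot (the Jan 1 lines), not wall-clock time."""
    chrono = list(reversed(newest_first))
    for i, e in enumerate(chrono):
        if e["subsystem"] == "SNTP" and e["msg"].startswith("Systemtime update"):
            return chrono[:i]
    return []


if __name__ == "__main__":
    boot = parse(SAMPLE_BOOT_LOG)
    att = login_attempts(boot + parse(SAMPLE_EXTRA))
    print("telnet sources:", {ip: (len(r["tried"]), sorted(r["users"]), r["logged_in"])
                              for ip, r in att.items()})
    print("brute-force:", bruteforce_sources(att))
    print("logouts without a login:", orphan_logouts(boot + parse(SAMPLE_EXTRA)))
    print("entries before clock sync:", len(pre_sync_entries(boot)))
```

On the posted sample this reports one TELNET source with six failed attempts across four usernames and no "logged in" line, and one LOGOUT (211.177.208.200) with no matching login in the quoted log; that last result only says the login is not in the buffer, which is consistent both with a session that predates it and with a truncated log. Entries before the "Systemtime update" line carry uptime-based timestamps, so intervals that span that line must not be computed from the printed times.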