Film-Tech Cinema Systems
Film-Tech Forum ARCHIVE


  

   
Author Topic: What do you make of these router log entries?
Brad Allen
Jedi Master Film Handler

Posts: 688
From: Evansville, IN, USA
Registered: May 2000


 - posted 03-23-2004 11:09 PM
Do I have a storm of some kind going out?
All out to port 445. Hmmm.
I had 6 pages of this in just a couple of minutes.

00:04:57 TCP from 192.168.2.100:3238 to 63.199.59.194:445
00:04:57 TCP from 192.168.2.100:3239 to 184.203.18.153:445
00:04:57 TCP from 192.168.2.100:3240 to 48.143.198.181:445
00:04:57 TCP from 192.168.2.100:3241 to 80.247.188.52:445
00:04:57 TCP from 192.168.2.100:3242 to 40.23.200.250:445
00:04:57 TCP from 192.168.2.100:3243 to 33.151.253.158:445
00:04:57 TCP from 192.168.2.100:3244 to 86.92.196.18:445
00:04:57 TCP from 192.168.2.100:3245 to 154.100.44.238:445
00:04:57 TCP from 192.168.2.100:3246 to 149.242.129.185:445
00:04:57 TCP from 192.168.2.100:3247 to 175.236.32.162:445
00:04:57 TCP from 192.168.2.100:3248 to 86.129.137.106:445
00:04:57 TCP from 192.168.2.100:3249 to 218.14.182.217:445
00:04:57 TCP from 192.168.2.100:3250 to 195.67.172.85:445
00:04:57 TCP from 192.168.2.100:3251 to 40.130.79.48:445
00:04:57 TCP from 192.168.2.100:3252 to 107.135.122.14:445
00:04:57 TCP from 192.168.2.100:3253 to 57.78.79.49:445
00:04:57 TCP from 192.168.2.100:3254 to 147.49.204.210:445
00:04:57 TCP from 192.168.2.100:3256 to 75.56.60.123:445
00:04:57 TCP from 192.168.2.100:3259 to 22.149.102.141:445
00:04:57 TCP from 192.168.2.100:3260 to 173.157.179.137:445
00:04:57 TCP from 192.168.2.100:3261 to 150.51.194.111:445
00:04:57 TCP from 192.168.2.100:3262 to 168.204.68.120:445
00:04:57 TCP from 192.168.2.100:3263 to 33.196.56.93:445
00:04:57 TCP from 192.168.2.100:3264 to 63.253.5.137:445
00:04:57 TCP from 192.168.2.100:3265 to 79.202.198.137:445
00:04:57 TCP from 192.168.2.100:3266 to 8.11.229.4:445
00:04:57 TCP from 192.168.2.100:3267 to 45.153.235.235:445
00:04:57 TCP from 192.168.2.100:3268 to 15.228.150.93:445
00:04:57 TCP from 192.168.2.100:3269 to 26.11.16.122:445
00:04:57 TCP from 192.168.2.100:3270 to 183.11.147.112:445
00:04:57 TCP from 192.168.2.100:3271 to 191.24.12.160:445
00:04:57 TCP from 192.168.2.100:3272 to 58.253.43.172:445
00:04:57 TCP from 192.168.2.100:3273 to 78.54.138.250:445
00:04:57 TCP from 192.168.2.100:3274 to 222.85.133.104:445
00:04:57 TCP from 192.168.2.100:3275 to 99.165.76.196:445
00:04:57 TCP from 192.168.2.100:3276 to 52.12.54.253:445
00:04:57 TCP from 192.168.2.100:3277 to 15.54.89.18:445
00:04:58 TCP from 192.168.2.100:3278 to 69.239.87.194:445
00:04:58 TCP from 192.168.2.100:3279 to 49.209.122.53:445
00:04:58 TCP from 192.168.2.100:3280 to 136.32.4.62:445
00:04:58 TCP from 192.168.2.100:3282 to 89.147.221.1:445
00:04:58 TCP from 192.168.2.100:3283 to 187.39.252.108:445
00:04:58 TCP from 192.168.2.100:3284 to 32.145.136.31:445
00:04:58 TCP from 192.168.2.100:3285 to 46.148.70.223:445
00:04:58 TCP from 192.168.2.100:3286 to 9.56.45.76:445
00:04:58 TCP from 192.168.2.100:3287 to 123.112.119.33:445
00:04:58 TCP from 192.168.2.100:3288 to 19.249.248.144:445
00:04:58 TCP from 192.168.2.100:3289 to 197.133.175.202:445
00:04:58 TCP from 192.168.2.100:3290 to 189.25.155.159:445
00:04:58 TCP from 192.168.2.100:3291 to 51.180.207.93:445
00:04:58 TCP from 192.168.2.100:3292 to 72.49.201.220:445
00:04:58 TCP from 192.168.2.100:3294 to 49.174.188.231:445
00:04:58 TCP from 192.168.2.100:3295 to 33.60.42.166:445
00:04:58 TCP from 192.168.2.100:3296 to 175.82.176.214:445
00:04:58 TCP from 192.168.2.100:3297 to 177.56.126.181:445
00:04:58 TCP from 192.168.2.100:3298 to 153.176.102.25:445
00:04:58 TCP from 192.168.2.100:3299 to 187.146.237.19:445
00:04:58 TCP from 192.168.2.100:3300 to 110.180.162.230:445
00:04:58 TCP from 192.168.2.100:3301 to 189.12.174.175:445
00:04:58 TCP from 192.168.2.100:3302 to 52.25.173.93:445
00:04:58 TCP from 192.168.2.100:3303 to 47.126.188.113:445
00:04:58 TCP from 192.168.2.100:3304 to 168.241.211.55:445
00:04:58 TCP from 192.168.2.100:3305 to 153.83.86.176:445
00:04:58 TCP from 192.168.2.100:3306 to 67.32.230.38:445
00:04:58 TCP from 192.168.2.100:3307 to 83.10.125.106:445
00:04:58 TCP from 192.168.2.100:3308 to 136.225.186.206:445
00:04:58 TCP from 192.168.2.100:3309 to 34.182.121.249:445
00:04:58 TCP from 192.168.2.100:3310 to 91.64.167.90:445
00:04:58 TCP from 192.168.2.100:3311 to 205.127.85.148:445
00:04:58 TCP from 192.168.2.100:3312 to 20.158.10.180:445
00:04:58 TCP from 192.168.2.100:3313 to 125.30.94.74:445
00:04:58 TCP from 192.168.2.100:3314 to 154.49.196.104:445
00:04:58 TCP from 192.168.2.100:3315 to 17.100.168.168:445
00:04:58 TCP from 192.168.2.100:3316 to 119.129.186.17:445
00:04:58 TCP from 192.168.2.100:3317 to 13.180.137.15:445
00:04:58 TCP from 192.168.2.100:3318 to 52.236.83.115:445
00:04:58 TCP from 192.168.2.100:3319 to 167.132.27.142:445
00:04:59 TCP from 192.168.2.100:3320 to 191.35.253.67:445
00:04:59 TCP from 192.168.2.100:3321 to 179.225.191.118:445
00:04:59 TCP from 192.168.2.100:3322 to 46.171.168.107:445
00:04:59 TCP from 192.168.2.100:3323 to 59.232.149.129:445
00:04:59 TCP from 192.168.2.100:3325 to 22.77.5.151:445
00:04:59 TCP from 192.168.2.100:3326 to 190.229.88.43:445
00:04:59 TCP from 192.168.2.100:3327 to 4.216.57.60:445
00:04:59 TCP from 192.168.2.100:3328 to 97.227.160.147:445
00:04:59 TCP from 192.168.2.100:3329 to 148.85.57.158:445
00:04:59 TCP from 192.168.2.100:3330 to 117.222.109.10:445
00:04:59 TCP from 192.168.2.100:3331 to 55.58.16.28:445
00:05:00 TCP from 192.168.2.100:3332 to 53.203.21.168:445
00:05:00 TCP from 192.168.2.100:3333 to 105.243.96.225:445
00:05:00 TCP from 192.168.2.100:3334 to 184.194.213.237:445
00:05:01 TCP from 192.168.2.100:3335 to 51.209.181.213:445
00:05:01 TCP from 192.168.2.100:3337 to 196.248.32.94:445
00:05:02 TCP from 192.168.2.100:3338 to 44.141.87.192:445
00:05:04 TCP from 192.168.2.100:3339 to 199.227.182.101:445
00:05:16 TCP from 192.168.2.100:3340 to 98.116.227.180:445
00:05:17 TCP from 192.168.2.100:3341 to 73.222.16.233:445
00:05:17 TCP from 192.168.2.100:3342 to 170.137.24.83:445
00:05:18 TCP from 192.168.2.100:3343 to 216.138.202.67:445
00:05:18 TCP from 192.168.2.100:3344 to 151.199.132.22:445


Daryl C. W. O'Shea
Film God

Posts: 3977
From: Midland Ontario Canada (where Panavision & IMAX lenses come from)
Registered: Jun 2002


 - posted 03-23-2004 11:47 PM
It's microsoft-ds. That's Samba over IP, or Windows file-sharing.

You want it blocked. It's weird that your computer is trying to access shares on a billion different machines. I'd look for something. [Smile]


Darryl Spicer
Film God

Posts: 3250
From: Lexington, KY, USA
Registered: Dec 2000


 - posted 03-24-2004 12:43 AM
Have you ever had a file sharing program like Kazaa P2P programs on your system, or downloaded any kind of program that could have spyware installed with it? Get an ad-aware program and run it. You may find a lot of ad programs and spyware programs on your system. This is just a thought of a possibility for what is going on, not a for sure thing.


William Hooper
Phenomenal Film Handler

Posts: 1879
From: Mobile, AL USA
Registered: Jun 99


 - posted 03-24-2004 06:47 AM
quote:
00:04:57 TCP from 192.168.2.100:3238 to 63.199.59.194:445
00:04:57 TCP from 192.168.2.100:3239 to 184.203.18.153:445
00:04:57 TCP from 192.168.2.100:3240 to 48.143.198.181:445
00:04:57 TCP from 192.168.2.100:3241 to 80.247.188.52:445
00:04:57 TCP from 192.168.2.100:3242 to 40.23.200.250:445
00:04:57 TCP from 192.168.2.100:3243 to 33.151.253.158:445
00:04:57 TCP from 192.168.2.100:3244 to 86.92.196.18:445
00:04:57 TCP from 192.168.2.100:3245 to 154.100.44.238:445
00:04:57 TCP from 192.168.2.100:3246 to 149.242.129.185:445
00:04:57 TCP from 192.168.2.100:3247 to 175.236.32.162:445
00:04:57 TCP from 192.168.2.100:3248 to 86.129.137.106:445

"Darius and Parysatis had two sons: the elder was named Artaxerxes, and the younger Cyrus. Now, as Darius lay sick and felt that the end of life drew near, he wished both his sons to be with him. The elder, as it chanced, was already there, but Cyrus he must needs send for from the province over which he had made him satrap, having appointed him general moreover of all the forces that muster in the plain of the Castolus. Thus Cyrus went up, taking with him Tissaphernes as his friend, and accompanied also by a body of Hellenes, three hundred heavy armed men, under the command of Xenias the Parrhasian."

quote:
00:04:57 TCP from 192.168.2.100:3249 to 218.14.182.217:445
00:04:57 TCP from 192.168.2.100:3250 to 195.67.172.85:445
00:04:57 TCP from 192.168.2.100:3251 to 40.130.79.48:445
00:04:57 TCP from 192.168.2.100:3252 to 107.135.122.14:445
00:04:57 TCP from 192.168.2.100:3253 to 57.78.79.49:445
00:04:57 TCP from 192.168.2.100:3254 to 147.49.204.210:445
00:04:57 TCP from 192.168.2.100:3256 to 75.56.60.123:445
00:04:57 TCP from 192.168.2.100:3259 to 22.149.102.141:445
00:04:57 TCP from 192.168.2.100:3260 to 173.157.179.137:445

"Now when Darius was dead, and Artaxerxes was established in the kingdom, Tissaphernes brought slanderous accusations against Cyrus before his brother, the king, of harbouring designs against him. And Artaxerxes, listening to the words of Tissaphernes, laid hands upon Cyrus, desiring to put him to death; but his mother made intercession for him, and sent him back again in safety to his province. He then, having so escaped through peril and dishonour, fell to considering, not only how he might avoid ever again being in his brother's power, but how, if possible, he might become king in his stead."

quote:
00:04:57 TCP from 192.168.2.100:3261 to 150.51.194.111:445
00:04:57 TCP from 192.168.2.100:3262 to 168.204.68.120:445
00:04:57 TCP from 192.168.2.100:3263 to 33.196.56.93:445
00:04:57 TCP from 192.168.2.100:3264 to 63.253.5.137:445
00:04:57 TCP from 192.168.2.100:3265 to 79.202.198.137:445
00:04:57 TCP from 192.168.2.100:3266 to 8.11.229.4:445
00:04:57 TCP from 192.168.2.100:3267 to 45.153.235.235:445
00:04:57 TCP from 192.168.2.100:3268 to 15.228.150.93:445
00:04:57 TCP from 192.168.2.100:3269 to 26.11.16.122:445
00:04:57 TCP from 192.168.2.100:3270 to 183.11.147.112:445
00:04:57 TCP from 192.168.2.100:3271 to 191.24.12.160:445
00:04:57 TCP from 192.168.2.100:3272 to 58.253.43.172:445
00:04:57 TCP from 192.168.2.100:3273 to 78.54.138.250:445
00:04:57 TCP from 192.168.2.100:3274 to 222.85.133.104:445
00:04:57 TCP from 192.168.2.100:3275 to 99.165.76.196:445

"Parysatis, his mother, was his first resource; for she had more love for Cyrus than for Artaxerxes upon his throne. Moreover Cyrus's behaviour towards all who came to him from the king's court was such that, when he sent them away again, they were better friends to himself than to the king his brother. Nor did he neglect the barbarians in his own service; but trained them, at once to be capable as warriors and devoted adherents of himself. Lastly, he began collecting his Hellenic armament, but with the utmost secrecy, so that he might take the king as far as might be at unawares."

quote:
00:04:57 TCP from 192.168.2.100:3276 to 52.12.54.253:445
00:04:57 TCP from 192.168.2.100:3277 to 15.54.89.18:445
00:04:58 TCP from 192.168.2.100:3278 to 69.239.87.194:445
00:04:58 TCP from 192.168.2.100:3279 to 49.209.122.53:445
00:04:58 TCP from 192.168.2.100:3280 to 136.32.4.62:445
00:04:58 TCP from 192.168.2.100:3282 to 89.147.221.1:445
00:04:58 TCP from 192.168.2.100:3283 to 187.39.252.108:445
00:04:58 TCP from 192.168.2.100:3284 to 32.145.136.31:445
00:04:58 TCP from 192.168.2.100:3285 to 46.148.70.223:445
00:04:58 TCP from 192.168.2.100:3286 to 9.56.45.76:445
00:04:58 TCP from 192.168.2.100:3287 to 123.112.119.33:445
00:04:58 TCP from 192.168.2.100:3288 to 19.249.248.144:445
00:04:58 TCP from 192.168.2.100:3289 to 197.133.175.202:445
00:04:58 TCP from 192.168.2.100:3290 to 189.25.155.159:445

"The manner in which he contrived the levying of the troops was as follows: First, he sent orders to the commandants of garrisons in the cities (so held by him), bidding them to get together as large a body of picked Peloponnesian troops as they severally were able, on the plea that Tissaphernes was plotting against their cities; and truly these cities of Ionia had originally belonged to Tissaphernes, being given to him by the king; but at this time, with the exception of Miletus, they had all revolted to Cyrus."

quote:
00:04:58 TCP from 192.168.2.100:3291 to 51.180.207.93:445
00:04:58 TCP from 192.168.2.100:3292 to 72.49.201.220:445
00:04:58 TCP from 192.168.2.100:3294 to 49.174.188.231:445
00:04:58 TCP from 192.168.2.100:3295 to 33.60.42.166:445
00:04:58 TCP from 192.168.2.100:3296 to 175.82.176.214:445
00:04:58 TCP from 192.168.2.100:3297 to 177.56.126.181:445
00:04:58 TCP from 192.168.2.100:3298 to 153.176.102.25:445
00:04:58 TCP from 192.168.2.100:3299 to 187.146.237.19:445
00:04:58 TCP from 192.168.2.100:3300 to 110.180.162.230:445
00:04:58 TCP from 192.168.2.100:3301 to 189.12.174.175:445
00:04:58 TCP from 192.168.2.100:3302 to 52.25.173.93:445
00:04:58 TCP from 192.168.2.100:3303 to 47.126.188.113:445
00:04:58 TCP from 192.168.2.100:3304 to 168.241.211.55:445
00:04:58 TCP from 192.168.2.100:3305 to 153.83.86.176:445

"In Miletus, Tissaphernes, having become aware of similar designs, had forestalled the conspirators by putting some to death and banishing the remainder. Cyrus, on his side, welcomed these fugitives, and having collected an army, laid siege to Miletus by sea and land, endeavouring to reinstate the exiles; and this gave him another pretext for collecting an armament."

quote:
00:04:58 TCP from 192.168.2.100:3306 to 67.32.230.38:445
00:04:58 TCP from 192.168.2.100:3307 to 83.10.125.106:445
00:04:58 TCP from 192.168.2.100:3308 to 136.225.186.206:445
00:04:58 TCP from 192.168.2.100:3309 to 34.182.121.249:445
00:04:58 TCP from 192.168.2.100:3310 to 91.64.167.90:445
00:04:58 TCP from 192.168.2.100:3311 to 205.127.85.148:445
00:04:58 TCP from 192.168.2.100:3312 to 20.158.10.180:445
00:04:58 TCP from 192.168.2.100:3313 to 125.30.94.74:445
00:04:58 TCP from 192.168.2.100:3314 to 154.49.196.104:445
00:04:58 TCP from 192.168.2.100:3315 to 17.100.168.168:445
00:04:58 TCP from 192.168.2.100:3316 to 119.129.186.17:445
00:04:58 TCP from 192.168.2.100:3317 to 13.180.137.15:445

"At the same time he sent to the king, and claimed, as being the king's brother, that these cities should be given to himself rather than that Tissaphernes should continue to govern them; and in furtherance of this end, the queen, his mother, co-operated with him, so that the king not only failed to see the design against himself, but concluded that Cyrus was spending his money on armaments in order to make war on Tissaphernes. Nor did it pain him greatly to see the two at war together, and the less so because Cyrus was careful to remit the tribute due to the king from the cities which belonged to Tissaphernes."


Jeremy Fuentes
Mmmm, Dr. Pepper!

Posts: 1168
From: Corpus Christi, TX United States
Registered: Jan 2004


 - posted 03-24-2004 07:08 AM
[Confused]


Gunnar Johansson
Expert Film Handler

Posts: 181
From: Gothenburg, Sweden
Registered: Mar 2003


 - posted 03-24-2004 07:17 AM
I think that maybe Mr. Hooper is reading something else into these logs than the computer people, hence the quotations from a Greek drama?

Our mind is quite good at fitting patterns, especially after the fact, so now I see that he might be right... It must be so, or maybe not.

Otherwise I agree with the previous post, I'd guess somebody/something in your computer, possibly out of your control, might be trying to do something wicked, or is configured wrong so it doesn't know what it's doing. Try the solutions suggested...


Ken Layton
Phenomenal Film Handler

Posts: 1452
From: Olympia, Wash. USA
Registered: Sep 1999


 - posted 03-24-2004 09:24 AM
Could it be a spammer trying to hijack your system to send bulk spams?


Sean Weitzel
Jedi Master Film Handler

Posts: 619
From: Vacaville, CA (1790 miles west of Rockwall)
Registered: Dec 1999


 - posted 03-24-2004 01:45 PM
Scan your computer for spyware and viruses. This looks like the mIRC trojan. Go to http://www.safer-networking.org and download/run Spybot Search and Destroy for the spyware. Then make sure whatever antivirus software you are using is up to date and do a full system scan.


Brad Allen
Jedi Master Film Handler

Posts: 688
From: Evansville, IN, USA
Registered: May 2000


 - posted 03-24-2004 01:46 PM
Nope, never had Kazaa or anything like that. There is practically nothing on this computer but XP Pro and RTS ticketing software. And it's locked down so "hopefully" no employee has been monkeying around.

Well today it has changed ports. Now it's sending on 135.

I just this wk went from dial up connection that was used for 30 seconds per day to send one email, to a DSL/router combo in prep of accepting credit cards.

Hence, my new discovery of the outgoing log entries.

Sean, Do you think that Spybot S&D is better than Adaware?

Doing some googling brings up some nasty info on port 445 mischief which Mr Bill G should be tarred and feathered for.

see this:

Cert article on port 445.

Thanks all.

[ 03-24-2004, 03:10 PM: Message edited by: Brad Allen ]


Jason Burroughs
Jedi Master Film Handler

Posts: 654
From: Allen, TX
Registered: Jun 99


 - posted 03-24-2004 02:33 PM
Port 135 is Windows RPC, definitely sounds virus related. Keep in mind that some viruses (worms) do not require user intervention to spread, so one infected computer could infect others.

Make sure that ALL your Windows updates are installed. RPC was addressed in Microsoft Security Bulletin 03-026.

 |  IP: Logged
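
The pattern the replies above point at (one internal host opening connections to many different outside addresses on port 445, and later 135, within seconds) can be checked mechanically over a log in this router's format. This is an added example, not code from any poster in the thread; the LAN range (inferred from 192.168.2.100), the 10-second window, the 20-host threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) TCP from ([\d.]+):\d+ to ([\d.]+):(\d+)$")
WATCHED = {135: "Windows RPC", 445: "microsoft-ds"}   # the ports named in the thread
LAN = ip_network("192.168.2.0/24")   # assumption: LAN inferred from 192.168.2.100


def parse(line):
    """Parse 'HH:MM:SS TCP from SRC:PORT to DST:PORT' -> (sec_of_day, src, dst, dport) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, dst, dport = m.groups()
    try:
        ip_address(src), ip_address(dst)       # reject malformed addresses
    except ValueError:
        return None
    return int(h) * 3600 + int(mi) * 60 + int(s), src, dst, int(dport)


def find_scanners(lines, window=10, min_targets=20):
    """Map (src, port) -> peak distinct outside hosts hit within `window` seconds."""
    recent = defaultdict(deque)          # (src, port) -> (time, dst) still in window
    peak, day, last = {}, 0, None
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        tod, src, dst, dport = rec
        if last is not None and tod < last:
            day += 86400                 # log carries no date: clock wrapped at midnight
        last = tod
        if dport not in WATCHED or ip_address(dst) in LAN:
            continue                     # ignore other ports and local file sharing
        t, q = day + tod, recent[(src, dport)]
        q.append((t, dst))
        while t - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_targets:      # only pairs reaching the threshold are reported
            peak[(src, dport)] = max(peak.get((src, dport), 0), distinct)
    return peak


def constructed_sample():
    """Constructed log lines; outside addresses are RFC 5737 documentation ranges."""
    out = [f"00:04:{57 + i // 10:02d} TCP from 192.168.2.100:{3238 + i} to 203.0.113.{i + 1}:445"
           for i in range(30)]                               # 30 targets in 3 s
    out += [f"08:30:{i:02d} TCP from 192.168.2.101:{5000 + i} to 198.51.100.7:445"
            for i in range(40)]                              # one server, contacted repeatedly
    out += [f"09:15:{i // 5:02d} TCP from 192.168.2.100:{4000 + i} to 198.51.100.{i + 1}:135"
            for i in range(25)]                              # 25 targets in 5 s
    return out


if __name__ == "__main__":
    print(find_scanners(constructed_sample()))
```

Counting distinct destinations rather than raw connections is what separates the burst from the second host, which talks to a single server 40 times and is not flagged.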

Sean Weitzel
Jedi Master Film Handler

Posts: 619
From: Vacaville, CA (1790 miles west of Rockwall)
Registered: Dec 1999


 - posted 03-25-2004 05:30 PM
I like a combination of Spybot S&D and adaware. I can de-spyware most of our users computers with these two tools. I say start with Spybot because it's totally free, and it seems to find a few more spyware than adaware does.




All times are Central (GMT -6:00)  