    Odd router logs


    1. #31
      Isitme is offline Sky User Moderator
      Exchange: Bannockburn
      Broadband ISP: Sky Fibre Unlimited
      Router: Sky Hub SR102
      Sky TV: Sky+ HD
      Join Date
      Dec 2006
      Location
      Central Scotland
      Posts
      34,131
      Thanks
      64
      Thanked 1,641 Times in 1,602 Posts

      Re: Odd router logs

      UPnP in the router can be found by opening the router settings, click the Advanced tab then UPnP. I doubt if this will help as the call is coming from your PC. UPnP in Vista is handled by Network Discovery. I suppose this could be corrupt, so it might be worthwhile turning it off and see if the calls to the router stop. You will find it in the Network and Sharing Centre.

      Putting your log into an analyser only brings up a red cross against this -
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sky.com - your home for the latest news, sport and entertainment

      Why I don't know

      TomD


      Please note the views and recommendations in my posts are my own and in no way reflect the views of SkyUser.


      Useful Utilities

      http://www.nirsoft.net/utils/wifi_information_view.html/ TCPOptimiser /Test Socket

      Note - When downloading always select the Custom install or you will end up with stuff you don't want.






    3. #32
      Digger is offline Sky User Member
      Exchange:
      Broadband ISP: Sky Base
      Router: Netgear V2 DG934G
      Sky TV: Sky Basic
      Join Date
      Sep 2010
      Posts
      23
      Thanks
      0
      Thanked 0 Times in 0 Posts

      Re: Odd router logs

      That's odd indeed, I have had that entry for the same length of time. I presume anyone that uses Sky as a provider will too :O
      What site did you use?
      I will try the UPnP thanks.

    4. #33
      Isitme is offline Sky User Moderator

      Re: Odd router logs

      If you are referring to the Sky entry, I think you will only have it if you used the Sky CD to set up your broadband, or if you use Sky as your Home page.

      I use HijackThis Logfileauswertung mostly and check the results against HiJackThis! Log auto analyzer V2

      TomD







    5. #34
      Digger is offline Sky User Member

      Re: Odd router logs

      I tried the UPnP and I still get the same results.

    6. #35
      Cartroo is offline Sky User Member
      Exchange:
      Broadband ISP: Sky Connect
      Router: Netgear V2 DG934G
      Sky TV: Sky+
      Join Date
      Sep 2010
      Posts
      5
      Thanks
      0
      Thanked 0 Times in 0 Posts

      Re: Odd router logs

      EDIT: Since posting this message, I've spotted something that looks suspiciously likely in the tcpdump. I'll detail it in a following post in a few minutes when I've had a chance to look it over properly...

      I've been seeing these messages recently too - indeed, I found this forum by googling for information about them.

      Mine appear to be coming from a DHCP address which is currently assigned to a mac machine, and not my Windows machine at all. So, that more or less rules out any windows-specific features causing the problem. As an aside, my mac is on 192.168.0.4.

      The problem occurring on the mac also rather undermines any theory that malware is to blame - while there's no technical reason which makes macs totally immune to malware, the reality is still that it's at most very rare. I'm also pretty careful with my Internet usage.

      Curious as to what was causing the issue, I tried logging all traffic in and out of the machine for a few hours.

      I saw a number of DNS requests and responses, which isn't surprising as I assume the router acts as a DNS proxy. I also saw a lot of IGMP traffic being sent by the router, which is to do with multicast support - I can't imagine that would be causing a problem. I also saw a single DHCP lease renewal, and a single NetBIOS request from the router to my mac (which responded with a "port unreachable" ICMP message).

      The only other thing I saw were sprays of SSDP packets which always occur in groups of 7 and exactly every 30 minutes. This was the closest I came to a correlation with the timing of the log messages, but being 30 rather than 25 minutes isn't really close enough. Also, I've no idea why sending SSDP packets (the protocol on which UPnP is built) should cause odd messages about failing to log into the admin interface. The packets being sent in batches of 7 vaguely rings a bell with me from when I worked on UPnP support in a router years ago - I think the standard specifies that to make UDP "reliable", you send your announcements multiple times. Microsoft has rather odd ideas about what "reliable" means...

      Anyway, no particularly satisfying explanation, I'm afraid, but there's also very good evidence that these messages do not indicate any malicious activity, at least from your LAN side. I guess it's possible that someone out there is trying to get admin access from the WAN side, and some bug in the firmware of the router mangles the log messages so they appear to be caused by LAN-side access, but it's a bit of a stretch.

      My current working theory is just a plain bug in the firmware which is causing these phantom log messages to occur.

      Hope that helps a little.

    7. #36
      Cartroo is offline Sky User Member

      Re: Odd router logs

      Since posting the above message I've had another look through the traffic dump, and this time I've looked for traffic which isn't going directly to the router.

      What I can see is a periodic HTTP request exactly every 25 minutes from the Mac's IP address to the router's WAN IP address. The TCP conversation is shown below:

      GET / HTTP/1.1
      Host: <<< my WAN IP here >>>
      User-Agent: Mozilla/5.0 (ABE, hackademix.net ABE Patrols the Routes to Your Routers)
      Pragma: no-cache
      Cache-Control: no-cache

      HTTP/1.1 401 Unauthorized
      Server:
      Date: Fri, 24 Sep 2010 09:36:26 GMT
      Content-Type: text/html
      Connection: close

      <HTML>
      <HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
      <BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
      <H4>401 Unauthorized</H4>
      Another Administrator online.

      It looks to me like the NoScript extension in Firefox is performing an HTTP request to the router's WAN IP every 25 minutes, for reasons which I don't quite understand - something to do with ABE support in NoScript? I'll do some more research when I can, but poking through my NoScript config I did find my WAN IP listed in the configuration (presumably it's been filled in automatically during installation).

      So, Digger, do you have NoScript installed in Firefox, and do the messages only occur while Firefox is running?

    8. #37
      Isitme is offline Sky User Moderator

      Re: Odd router logs

      I think you may have cracked it. Although I use Firefox, I don't use NoScript, I found it to be more bother than it was worth. I don't get these messages, so just as an experiment I will Enable it and see what happens. If it is the cause, it must be a recent update which is causing it as when I did run it, I did not notice this behaviour.

      TomD







    9. #38
      Cartroo is offline Sky User Member

      Re: Odd router logs

      Well, I'm still not 100% sure what's going on, but I'm pretty sure it's NoScript. I read the blog post mentioned in the user agent above, which discusses guarding against attacks which allow web pages to steal your router's config:

      hackademix.net ABE Patrols the Routes to Your Routers

      This presumably only works if they can guess your admin password, of course, but how many people leave their admin password set to the default? Probably quite a few.

      Incidentally, I just tried this myself (i.e. making an HTTP request to the WAN IP from the physical LAN interface) and indeed, the router allows you to log into the admin pages that way, despite remote access being disabled. So, it's certainly a legitimate thing to guard against.

      So, the only remaining question in my mind is why on earth it needs to make requests of that address every 25 minutes. It's certainly not trying to do anything nasty, since it doesn't actually include a password in the request.

      I might email the author and ask.

    10. #39
      Isitme is offline Sky User Moderator

      Re: Odd router logs

      I can confirm that I have provoked the same response, a failed Admin login every 25 mins. So it is definitely NoScript which is causing it.

      Fri, 2010-09-24 15:22:18 - Administrator login failure - IP:192.168.0.5
      Fri, 2010-09-24 15:47:14 - Administrator login failure - IP:192.168.0.5
      Fri, 2010-09-24 16:12:13 - Administrator login failure - IP:192.168.0.5

      Let us know if you get a response to your email.

      I am sure Digger is going to be greatly relieved.

      TomD







    11. #40
      Cartroo is offline Sky User Member

      Re: Odd router logs

      OK, mystery solved - it's definitely NoScript. It seems that it makes a periodic request to the WAN address and caches the response - if this response changes, it's taken as an indication that the WAN IP has changed and that NoScript presumably needs to make an external request to see what the new IP is, but doing this every time would presumably overload the external server.

      For reference, here's the reply I got back:

      yes, it's hackademix.net ABE Patrols the Routes to Your Routers

      A request is sent to your router via its WAN interface every 5 minutes, in order to compare it with previous responses and guess whether your assigned IP (if dynamic) has changed in the meanwhile.

      Best,
      -- G
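
An added example, not part of the thread or any poster's code: a Python triage of router log lines in the format quoted in post #39, separating timer-driven failures such as the 25-minute probe traced above from closely spaced bursts. The 192.168.0.9 lines and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: the 192.168.0.5 lines are those quoted in post #39;
# the 192.168.0.9 lines are invented here to show a contrasting burst.
SAMPLE_LOG = """\
Fri, 2010-09-24 15:22:18 - Administrator login failure - IP:192.168.0.5
Fri, 2010-09-24 15:47:14 - Administrator login failure - IP:192.168.0.5
Fri, 2010-09-24 16:01:02 - Administrator login failure - IP:192.168.0.9
Fri, 2010-09-24 16:01:05 - Administrator login failure - IP:192.168.0.9
Fri, 2010-09-24 16:01:09 - Administrator login failure - IP:192.168.0.9
Fri, 2010-09-24 16:12:13 - Administrator login failure - IP:192.168.0.5
"""

LINE_RE = re.compile(
    r"^\w{3}, (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"Administrator login failure - IP:(\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_failures(text):
    """Return {source_ip: sorted timestamps} for login-failure lines."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            by_ip[m.group(2)].append(stamp)
    return {ip: sorted(ts) for ip, ts in by_ip.items()}

def classify(times, max_jitter_s=60, burst_gap_s=120):
    """Label one source; both thresholds are assumed values, tune per network."""
    if len(times) < 3:
        return {"label": "insufficient", "count": len(times)}
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg, jitter = mean(gaps), pstdev(gaps)
    if avg <= burst_gap_s:
        label = "burst"        # attempts seconds apart: check this host first
    elif jitter <= max_jitter_s:
        label = "periodic"     # steady timer, typical of an automated client
    else:
        label = "irregular"
    return {"label": label, "count": len(times),
            "mean_gap_min": round(avg / 60, 1), "jitter_s": round(jitter, 1)}

def triage(text):
    """Classify every source IP seen in the log text."""
    return {ip: classify(ts) for ip, ts in parse_failures(text).items()}
```

A "periodic" result only says the source behaves like a scheduled client; identifying which program it is still takes a capture on that host, as was done in this thread.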

     

     