LAN Access From Remote... what is this?

RiposoEterno

Hey guys,

What is this in my router logs???


[LAN access from remote] from 83.60.119.47:23395 to 192.168.1.23:23967 Thursday, Jan 07,2010 20:17:29
[LAN access from remote] from 88.2.213.139:1902 to 192.168.1.23:23967 Thursday, Jan 07,2010 20:17:25
[LAN access from remote] from 94.70.121.232:62390 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:17:04
[LAN access from remote] from 86.52.23.249:23142 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:16:54
[LAN access from remote] from 217.43.77.16:19927 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:16:15
[LAN access from remote] from 82.29.163.75:53481 to 192.168.1.23:23967 Thursday, Jan 07,2010 20:15:14
[LAN access from remote] from 82.98.144.176:1548 to 192.168.1.23:5946 Thursday, Jan 07,2010 20:15:08
[LAN access from remote] from 82.98.144.176:1547 to 192.168.1.23:549 Thursday, Jan 07,2010 20:15:08
[LAN access from remote] from 82.98.144.176:1545 to 192.168.1.23:130 Thursday, Jan 07,2010 20:15:08
[LAN access from remote] from 82.98.144.176:1542 to 192.168.1.23:1986 Thursday, Jan 07,2010 20:15:08
[LAN access from remote] from 82.29.163.75:53466 to 192.168.1.23:23967 Thursday, Jan 07,2010 20:14:44
[LAN access from remote] from 77.166.179.129:51619 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:12:35
[LAN access from remote] from 140.163.254.135:59694 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:11:36
[LAN access from remote] from 85.224.40.110:13859 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:11:09
[LAN access from remote] from 80.251.207.73:1787 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:10:37
[Admin login] from source 192.168.1.23, Thursday, Jan 07,2010 20:08:30
[LAN access from remote] from 82.74.103.98:37031 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:08:24
[LAN access from remote] from 90.231.15.175:63041 to 192.168.1.23:23967 Thursday, Jan 07,2010 20:07:52
[LAN access from remote] from 84.43.151.21:13811 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:07:17
[LAN access from remote] from 81.228.45.61:1832 to 192.168.1.23:23967 Thursday, Jan 07,2010 20:06:58
[LAN access from remote] from 94.70.121.232:62390 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:06:55
[LAN access from remote] from 86.52.23.249:23142 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:06:34
[LAN access from remote] from 217.43.77.16:19927 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:06:05
[LAN access from remote] from 212.214.179.192:2654 to 192.168.1.23:23967 Thursday, Jan 07,2010 20:04:21
[LAN access from remote] from 80.251.207.73:1787 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:03:37
[LAN access from remote] from 86.24.199.73:9859 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:02:20
[LAN access from remote] from 89.203.5.227:17064 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:01:54
[LAN access from remote] from 84.43.151.21:13811 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:00:33
[LAN access from remote] from 85.224.40.110:13859 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:59:38
[LAN access from remote] from 188.2.93.37:53848 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:59:05
[LAN access from remote] from 77.100.162.103:3076 to 192.168.1.23:23967 Thursday, Jan 07,2010 19:59:02
[LAN access from remote] from 86.52.23.249:23142 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:56:14
[LAN access from remote] from 82.74.103.98:37031 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:55:57
[LAN access from remote] from 140.163.254.135:45452 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:55:40
[LAN access from remote] from 94.70.121.232:62390 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:55:27
[LAN access from remote] from 94.194.45.180:64207 to 192.168.1.23:10633 Thursday, Jan 07,2010 19:53:14
[LAN access from remote] from 86.211.131.208:1694 to 192.168.1.23:23967 Thursday, Jan 07,2010 19:51:22
[LAN access from remote] from 217.43.77.16:19927 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:50:55
[LAN access from remote] from 84.43.151.21:13811 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:50:01
[LAN access from remote] from 89.203.5.227:17064 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:49:20
[LAN access from remote] from 80.251.207.73:1787 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:49:06
[LAN access from remote] from 85.224.40.110:13859 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:47:28
[LAN access from remote] from 84.55.74.130:1319 to 192.168.1.23:23967 Thursday, Jan 07,2010 19:46:06
[LAN access from remote] from 86.52.23.249:23142 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:45:55
[LAN access from remote] from 82.74.103.98:37031 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:45:43
[LAN access from remote] from 94.70.121.232:62390 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:45:20
[Time synchronized with NTP server] Thursday, Jan 07,2010 19:44:28
[LAN access from remote] from 140.163.254.135:37401 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:44:20
[LAN access from remote] from 84.55.74.130:1300 to 192.168.1.23:23967 Thursday, Jan 07,2010 19:42:31
[LAN access from remote] from 83.248.89.110:53182 to 192.168.1.23:23967 Thursday, Jan 07,2010 19:42:29
[LAN access from remote] from 86.24.199.73:9859 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:42:06
[LAN access from remote] from 77.166.179.129:50970 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:41:59
[LAN access from remote] from 80.251.207.73:1787 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:41:49
[LAN access from remote] from 217.43.77.16:19927 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:41:34
[LAN access from remote] from 84.55.74.130:1286 to 192.168.1.23:23967 Thursday, Jan 07,2010 19:39:53
[LAN access from remote] from 79.109.18.36:51148 to 192.168.1.23:23967 Thursday, Jan 07,2010 19:39:52
[LAN access from remote] from 83.248.89.110:53168 to 192.168.1.23:23967 Thursday, Jan 07,2010 19:39:08
[LAN access from remote] from 84.43.151.21:13811 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:38:58
[LAN access from remote] from 83.248.89.110:53162 to 192.168.1.23:23967 Thursday, Jan 07,2010 19:38:38
[LAN access from remote] from 88.182.142.194:50165 to 192.168.1.23:23967 Thursday, Jan 07,2010 19:38:00
[Admin login] from source 192.168.1.23, Thursday, Jan 07,2010 19:37:57
[LAN access from remote] from 85.224.40.110:13859 to 192.168.1.23:38849 Thursday, Jan 07,2010 19:37:57
[DHCP IP: (192.168.1.5)] to MAC address 00:25:00:70:F5:A2, Thursday, Jan 07,2010 19:37:46
[Internet connected] IP address: 81.106.147.91, Thursday, Jan 07,2010 19:37:40
[DHCP IP: (192.168.1.4)] to MAC address 00:16:CF:9C:05:FA, Thursday, Jan 07,2010 19:37:37
[DHCP IP: (192.168.1.3)] to MAC address 00:1C:BF:B3:30:81, Thursday, Jan 07,2010 19:37:37
[Internet connected] IP address: 81.106.147.91, Thursday, Jan 07,2010 19:37:36
[Internet disconnected] Thursday, Jan 07,2010 19:37:36
[Initialized, firmware version: V2.1.13_2.1.13] Thursday, Jan 07,2010 19:37:35
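A way to triage a log like the one above, shown as an added example that is not part of the original posts: it parses the `[LAN access from remote]` lines and separates one source touching many ports from one port reached by many sources. The sample lines are constructed, using documentation address ranges, and the threshold of 3 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the same line format as the router log quoted above.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.7:1548 to 192.168.1.23:5946 Thursday, Jan 07,2010 20:15:08
[LAN access from remote] from 203.0.113.7:1547 to 192.168.1.23:549 Thursday, Jan 07,2010 20:15:08
[LAN access from remote] from 203.0.113.7:1545 to 192.168.1.23:130 Thursday, Jan 07,2010 20:15:08
[LAN access from remote] from 198.51.100.20:23142 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:16:54
[LAN access from remote] from 198.51.100.31:19927 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:16:15
[LAN access from remote] from 198.51.100.44:51619 to 192.168.1.23:38849 Thursday, Jan 07,2010 20:12:35
[Admin login] from source 192.168.1.23, Thursday, Jan 07,2010 20:08:30
"""

LINE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) (?P<when>.+)$"
)

def parse(log_text):
    """Yield (src_ip, dst_ip, dst_port) for each inbound-connection entry."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # other entry types (Admin login, DHCP, NTP) are skipped
            yield m["src"], m["dst"], int(m["dport"])

def summarize(log_text, threshold=3):
    """Return (sweeps, busy_ports) for groups at or above the threshold."""
    ports_by_src = defaultdict(set)   # one source -> many ports
    srcs_by_port = defaultdict(set)   # one port  <- many sources
    for src, dst, dport in parse(log_text):
        ports_by_src[src].add((dst, dport))
        srcs_by_port[(dst, dport)].add(src)
    sweeps = {s: sorted(p for _, p in t)
              for s, t in ports_by_src.items() if len(t) >= threshold}
    busy_ports = {k: len(v) for k, v in srcs_by_port.items() if len(v) >= threshold}
    return sweeps, busy_ports

if __name__ == "__main__":
    sweeps, busy_ports = summarize(SAMPLE_LOG)
    for src, ports in sweeps.items():
        print(f"{src} touched ports {ports}")
    for (dst, port), n in busy_ports.items():
        print(f"{dst}:{port} reached by {n} distinct sources")
```

A port that many unrelated sources keep reaching is usually one the router forwards (or the DMZ host exposes), so the forwarding and DMZ settings are the first place to check for it.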

 
Guest
I'd say that these are all hack attempts and seeing as it's saying LAN Access, it's possible you may have an infection on whichever system has this IP address 192.168.1.23.

Hack Attempts happen all the time and it's nothing to worry about unless they get through to your system or to the Admin Control of your router.

These are just a few samples of the hits on your system.

Whois Lookup 85.224.40.110 = Scandinavia

Whois Lookup 88.182.142.194 = Paris, France

Whois Lookup 83.248.89.110 = Stockholm, Sweden

First off, log into your router and disable Remote Administration - this is for accessing the router administration from outside your network.

Then if you haven't already done this, make sure your router is secured with a strong password, Alpha, Numeric and over 16 characters or more. Do not use any personal information or anything which can be easily guessed or hacked using a dictionary attack. Write it down so you don't lose it.

Then I would recommend changing the Router DNS to the following:

208.67.220.220
208.67.222.222 then save and exit your router.

Next go to OpenDNS.com (http://www.opendns.com) and sign up for a free account, then use the settings from the following page for the OpenDNS settings. Block - list 25...

This will help block any BotNet activity if there should be any.

Next, use MalwareByte's Anti-Malware to scan your system and let it fix anything it finds. Be sure to save the log if it finds anything, just in case.

If MalwareByte's Does Not Find Anything, STOP HERE

NOW IF IT DOES find something (other than microsoft), you will need that log later on, and if you don't already have this on your system, download and install SpyBot-Search & Destroy.
Do not select the TeaTimer during the install setup as it is more trouble than it is worth.

Here is an updated SpyBot-S&D program executable which you can extract to the SpyBot-S&D program folder: SpybotSD.exe-1.6.3.51.zip

To show that it is legit, here is the page link where you can find the update:
http://forums.spybot.info/downloads.php?id=37

Once you have installed SpyBot-S&D and installed the update, start the program. You'll get a small pain in the butt dialog window which you will need to click through until you see the Start using program button. After that, maximize the program, then in the file menu select Mode > Advanced Mode. Next, on the bottom left select Settings > Settings. Scroll down to Web update and select Display available Beta versions.

Now close SpyBot-S&D so it'll remember the settings that were just set and wait a few seconds.

Open SpyBot-S&D again and select Search for Updates. A dialog window will pop up, select a site, click continue then select all available updates EXCEPT the TeaTimer update. This update you can right click on and select Hide Update. Click the Download button to download the updates. After it finishes downloading, click the exit button on the dialog window, then return to the main SpyBot program.

On the left panel, select Settings > Ignore Products > (main window) Cookies tab

So your page links on most sites will work correctly without being blocked, be sure to select these items:

BFast
Commission Junction
DoubleClick
LinkSynergy
Qksrv

These are most commonly used for redirects by the majority of websites you visit including Microsoft, Amazon, you name it, they probably use these ones. Block these ones and you will have trouble with a lot of links not working.

Now close the program again to save these settings and wait a few seconds, then reopen again.
In the left panel, select Immunize and as soon as it finishes loading in the main window, click the Immunize button that has the green plus.

Now in the Left panel, select Search & Destroy then select the Check for Problems button and when it finishes, let it fix anything it finds. Save the log file as you will need it.

Run an Anti-Virus scan such as Avast! or some other well recommended AV program and be sure to save the log file.

After you finish, be sure to head on over to the Spywareinfo Forums - Home of the Boot Camp and in the Malware Removal sub-forum, create a new post and include the contents of your logs.

After you finish your post, be sure to read the pinned topics in the Malware Removal forum as they contain some very important information.


If you need HiJackThis, you can find it here.

Good Luck
 

RiposoEterno

Renegade Warrior

Just a small piece of information


It is only attacking the DMZ server, even if there isn't a machine attached to that IP address.

And by the way I am running a completely fresh install of Windows 7 Ultimate with nothing installed except Firefox, Notepad++ and Adobe CS4.
 
Guest
Even if it's a fresh installation, it doesn't take too long for anything to get through, which is why firewalls and other protection are important.

But this is also why in my instructions I had bolded If MalwareByte's Does Not Find Anything, STOP HERE

Because I had wanted to be sure that nothing had gotten through. I deal with Spyware, Malware and other forms of parasites on a daily basis.

The Hack Attack was going after a specific address on your LAN which is why I was concerned about it.

I didn't inquire as to whether it was in DMZ or anything else which could have been implied.

My first concern was to explain what you were seeing in your logs, then to give you a little added protection in the form of OpenDNS, then to make sure that you actually had your router secured, as I have no idea how tech savvy you may be, and then to make sure nothing had gotten onto your system.