# kernel: Intrusion. Is this a network attack? Help? lol!!



## Cor3 (Mar 29, 2012)

I'm hoping this is in the right section.

Here's the down-low!!

Sent 12,00,00ish, received 98,00,00ish :/

This is a wireless connection that I have secured with a router (Sky provided a modem router), but the persistent packets received are ridiculous. Is this an attack? Here's the log file from the router itself.

After a log file save and reset, today the same thing is happening. Would anyone with much more extensive knowledge know if it is an attack and, if it is, what I can do?

```
Mar 28 20:41:58 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=47763 DF PROTO=TCP SPT=3830 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 20:57:58 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=48382 DF PROTO=TCP SPT=3910 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 21:13:58 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=48968 DF PROTO=TCP SPT=4000 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 21:29:38 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=200.162.65.40 DST=90.207.196.145 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=53375 DF PROTO=TCP SPT=54794 DPT=80 WINDOW=5840 RES=0x00 SYN U
Mar 28 21:45:59 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=50102 DF PROTO=TCP SPT=4166 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 22:01:59 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=50679 DF PROTO=TCP SPT=4258 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 22:18:01 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=51297 DF PROTO=TCP SPT=4347 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 22:33:58 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=52004 DF PROTO=TCP SPT=4443 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 22:50:01 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=52615 DF PROTO=TCP SPT=4527 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 23:06:00 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53204 DF PROTO=TCP SPT=4601 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 23:22:03 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53707 DF PROTO=TCP SPT=4686 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 23:29:25 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=90.146.93.25 DST=90.207.196.145 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=59165 DF PROTO=TCP SPT=2562 DPT=23 WINDOW=5840 RES=0x00 SYN URG
Mar 28 23:54:09 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=54937 DF PROTO=TCP SPT=4862 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 00:09:59 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=55487 DF PROTO=TCP SPT=4969 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 00:25:59 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=56232 DF PROTO=TCP SPT=1094 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 00:37:17 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=222.186.24.13 DST=90.207.196.145 LEN=40 TOS=0x00 PREC=0x00 TTL=100 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URG
Mar 29 00:49:22 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=58.211.160.130 DST=90.207.196.145 LEN=40 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=34377 DPT=3389 WINDOW=16384 RES=0x00 SYN U
Mar 29 00:58:01 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=57483 DF PROTO=TCP SPT=1273 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 01:30:00 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=58667 DF PROTO=TCP SPT=1438 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 01:45:59 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=59309 DF PROTO=TCP SPT=1522 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 02:01:59 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=59875 DF PROTO=TCP SPT=1612 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 02:17:59 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=60398 DF PROTO=TCP SPT=1695 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 02:18:08 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=60416 DF PROTO=TCP SPT=1695 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 02:33:59 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=61046 DF PROTO=TCP SPT=1795 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 02:48:45 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=184.22.162.72 DST=90.207.196.145 LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URG
Mar 29 03:05:59 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=62136 DF PROTO=TCP SPT=1966 DPT=22292 WINDOW=65535 RES=0x00
Mar 29 03:06:08 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=62158 DF PROTO=TCP SPT=1966 DPT=22292 WINDOW=65535 RES=0x00
```

Many, many thanks.

Cor3


----------



## epshatto (Dec 23, 2010)

The destination IP address 90.207.196.145 has a "high risk" classification judging by McAfee's online threat center and is located in the UK, associated with a hosting company called Easynet LTD in London. All the port traffic in this log is directed to port 22292 which is associated with the ZeroAccess rootkit though this particular IP address is not.

http://www.techsupportforum.com/for...-posting-for-malware-removal-help-305963.html

I suggest posting in the Malware Removal forum to make sure you're not infected. My quick and dirty review leads me to think you probably are and the IP address is just the web hosting company where the malware is stored.


----------



## Cor3 (Mar 29, 2012)

Thank you for a quick reply!! How do you check IP addresses with McAfee? That would be useful stuff, other than Google or just an IP tracer program, which can be a false positive, grr!

Anyway, I did an incredibly deep scan and ended up with 1 piece of malware found after a few hours of manual scanning. I really hope that and setting a few extra security settings will cure this!!

Cor3

Thanks massively! Would an IDS help for future security?


----------



## epshatto (Dec 23, 2010)

McAfee Threat Intelligence | McAfee, Inc.

This will only work for malware and attacks known to McAfee, so it's only a partial resource.

I selected IP Address and entered the IP. This displayed the registrar, which I then Googled to find out who they were and exactly where they were after I saw the security rating for the IP.

The port number used in the logs is an odd one and I found it noteworthy that it was the same IP address connecting to the same unusual port number, so I researched malware behavior associated with that port.

An IDS can always help with future security. They can however be very system intensive and can cause problems for home users, so I'm not always sure I would recommend them. I focus more on the best practices:

1. Run antivirus, scan regularly, and keep the definitions up to date
2. Use appropriate file permissions
3. Disable unnecessary services and startup programs
4. Use at least one firewall - two is better, both software and hardware. If using one, go with the hardware firewall
5. Educate yourself about threats and the behaviors that can expose you to them, then avoid those behaviors
6. Keep all software patched and up to date, the sooner and more frequently this is done the better (preferably automatic)

To me, following those practices will greatly reduce your exposure to threats, but not eliminate it. Nothing you do will eliminate your exposure to threats, so your risk after putting those steps into practice is what I would call acceptable.

I should note that I still recommend you post for malware/virus removal because if it was a rootkit you almost certainly still have it. You should go over there to make sure (I can't help you remove malware, it's against forum rules).
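The check epshatto describes above (the same source IP hitting the same unusual destination port over and over) can be done mechanically over the router log. The following Python script is an added example, not something from this thread or any tool the posters used; it parses the `kernel: Intrusion` line format shown in the first post and counts entries per (source IP, destination port) pair. The sample lines are copied from Cor3's log.

```python
import re
from collections import Counter

# Constructed sample input: five lines copied from the router log posted in this thread.
SAMPLE_LOG = """\
Mar 28 20:41:58 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=47763 DF PROTO=TCP SPT=3830 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 20:57:58 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=48382 DF PROTO=TCP SPT=3910 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 21:13:58 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=168.184.248.139 DST=90.207.196.145 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=48968 DF PROTO=TCP SPT=4000 DPT=22292 WINDOW=65535 RES=0x00
Mar 28 23:29:25 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=90.146.93.25 DST=90.207.196.145 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=59165 DF PROTO=TCP SPT=2562 DPT=23 WINDOW=5840 RES=0x00 SYN URG
Mar 29 00:37:17 kernel: Intrusion -> IN=atm1 OUT= MAC=5c:d9:98:c5:84:0f:18:80:f5:66:2c:30:08:00 SRC=222.186.24.13 DST=90.207.196.145 LEN=40 TOS=0x00 PREC=0x00 TTL=100 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URG
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) kernel: Intrusion -> (?P<body>.*)$")

def parse_line(line):
    """Parse one 'kernel: Intrusion' line into a dict, or return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "flags": set()}
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, val = tok.partition("=")  # 'OUT=' yields an empty value
            rec[key] = val
        else:
            rec["flags"].add(tok)  # bare tokens are IP/TCP flags: DF, SYN, URG, ...
    return rec

def talker_counts(log_text):
    """Count logged TCP packets per (source IP, destination port) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP":
            counts[(rec["SRC"], int(rec["DPT"]))] += 1
    return counts

def repeat_offenders(log_text, min_hits=3):
    """Return (src, dpt, hits) for pairs seen at least min_hits times, busiest first.
    One source knocking on the same unusual port again and again is the pattern worth a
    closer look; single probes to well-known ports such as 23 or 1433 are commonplace noise."""
    hits = [(src, dpt, n) for (src, dpt), n in talker_counts(log_text).items() if n >= min_hits]
    return sorted(hits, key=lambda t: -t[2])

if __name__ == "__main__":
    for src, dpt, n in repeat_offenders(SAMPLE_LOG):
        print(f"{src} -> port {dpt}: {n} entries")
```

Run it over a full saved router log (`repeat_offenders(open("router.log").read())`) to get the pairs that deserve a look-up in a reputation service, rather than eyeballing hundreds of lines.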


----------



## Cor3 (Mar 29, 2012)

> I should note that I still recommend you post for malware/virus removal because if it was a rootkit you almost certainly still have it. You should go over there to make sure (I can't help you remove malware, it's against forum rules).

epshatto,

Great idea, I'm going to post on the malware forums. I've tried a rootkit scan and it's picked up 2 malware files, scanned, quarantined, but I don't think it's fixed it, so I'm going to post on the forums as it has had a few more of these "attacks".
Thanks for everything.

Cor3


----------

