Geekzone: technology news, blogs, forums


25 posts

Geek


Topic # 89547 4-Sep-2011 23:11

Hi there,

Recently our Internet has been up and down like a yoyo. We have been hacked in the past and recently I have noticed some dodgy things happening on other forums and our home network.

I decided to go to the router and see what the Intrusion Detection stats were like, as well as the .logs.
This is what I have found:

Intrusion Detection:

fragment_sweep 27
fragment_out-of-order 141398


and logs:

xxx.xxx.xxx.xxx = our IP Address.

Info     05:29:14 (since last boot)    UPnP action 'DeletePortMapping' from ip=192.168.1.xx (Success)


Info     05:29:15 (since last boot)    UPnP action 'DeletePortMapping' from ip=192.168.1.xx (Success)


Error     05:29:02 (since last boot)    FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 46.250.48.74 Dst ip: xxx.xxx.xxx.xxx Type: Destination Unreachable Code: Host Unreacheable


Info     05:28:26 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 7) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 7469:1432@0+


Info     05:24:56 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 9) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 29039:1432@0+


Info     05:20:40 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 6) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 14974:1432@0+


Info     05:19:22 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 5) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 11094:1432@0+


Info     05:15:22 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 150) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 31250:1432@0+


Info     05:14:07 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 4326) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 35924:1376@0+


Error     05:13:42 (since last boot)    IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 22854:34@1376


Info     05:13:06 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 5721) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 65083:1376@0+


Error     05:12:41 (since last boot)    IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 47033:34@1376


Info     05:12:05 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 5544) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 19596:1376@0+


Error     05:11:40 (since last boot)    IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 4379:34@1376


Info     05:11:04 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 4914) : 93.80.212.118 xxx.xxx.xxx.xxx 1396 UDP 59470->28532 frag 17521:1376@0+


Error     05:10:39 (since last boot)    IDS fragment parser : fragment sweep (1 of 1) : 93.80.212.118 xxx.xxx.xxx.xxx 1396 UDP 59470->28532 frag 60449:1376@0+


Info     05:10:03 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 4993) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 9723:1376@0+


Error     05:09:38 (since last boot)    IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 62317:34@1376


Info     05:09:02 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 3091) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 38752:1376@0+


Error     05:08:38 (since last boot)    IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 30300:34@1376


Info     05:08:01 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 1821) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 11827:1376@0+


Error     05:07:36 (since last boot)    IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 60150:34@1376


Warning     05:07:25 (since last boot)    PPP link up (Internet) [xxx.xxx.xxx.xxx]


Info     05:07:25 (since last boot)    PPP PAP Authenticate Ack received


Info     05:07:25 (since last boot)    PPP PAP Authenticate Request sent


Warning     05:07:14 (since last boot)    PPP link down (Internet) [xxx.xxx.xxx.xxx]


Info     05:07:00 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 10925) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 41488:1376@0+


Not liking this Telecom Dynamic plan, which is falsely advertised. In fact we are on a Static IP. Have requested numerous times for a Dynamic IP, which TBQH can't be done with Telecom.

Any ideas on what to do here would be appreciated.
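The IDS lines in the post above follow a fixed layout, so they can be tallied per source address and destination port to see where the fragment floods are actually aimed (here, all at UDP 28532, which is worth checking against the UPnP port mappings the same log shows being changed). The parser and aggregator below are an added example, not from the original post; the sample lines are a constructed subset of those quoted above, and reading the "(1 of N)" count as N events is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the TG585v7 log format quoted in the post (a subset of its lines).
SAMPLE_LOG = """\
Info     05:28:26 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 7) : 82.26.117.143 xxx.xxx.xxx.xxx 1452 UDP 30647->28532 frag 7469:1432@0+
Info     05:14:07 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 4326) : 2.93.10.32 xxx.xxx.xxx.xxx 1396 UDP 58261->28532 frag 35924:1376@0+
Error     05:13:42 (since last boot)    IDS fragment parser : fragment sweep (1 of 1) : 2.93.10.32 xxx.xxx.xxx.xxx 0054 UDP frag 22854:34@1376
Info     05:11:04 (since last boot)    IDS fragment parser : fragment out-of-order (1 of 4914) : 93.80.212.118 xxx.xxx.xxx.xxx 1396 UDP 59470->28532 frag 17521:1376@0+
Warning     05:07:25 (since last boot)    PPP link up (Internet) [xxx.xxx.xxx.xxx]
"""

# One IDS fragment-parser line. The port pair is absent on the "sweep" lines because
# only the first fragment of a datagram carries the UDP header.
IDS_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<time>\d\d:\d\d:\d\d) \(since last boot\)\s+"
    r"IDS fragment parser : fragment (?P<kind>out-of-order|sweep) "
    r"\((?P<n>\d+) of (?P<total>\d+)\) : (?P<src>\S+) (?P<dst>\S+) (?P<length>\d+) "
    r"(?P<proto>\w+)(?: (?P<sport>\d+)->(?P<dport>\d+))? "
    r"frag (?P<ipid>\d+):(?P<fraglen>\d+)@(?P<offset>\d+)(?P<more>\+?)$"
)

def parse_ids_line(line):
    """Return the fields of one IDS fragment line as a dict, or None for other lines."""
    m = IDS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("n", "total", "length", "sport", "dport", "ipid", "fraglen", "offset"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["more"] = d["more"] == "+"   # IP More-Fragments flag
    return d

def summarize(log_text):
    """Aggregate events per (src, proto, dport). 'total' is read as the number of
    events the line stands for (an assumption about the "(1 of N)" notation)."""
    events = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_ids_line(line)
        if rec is None:
            continue
        events[(rec["src"], rec["proto"], rec["dport"])] += rec["total"]
    # Most active source first
    return sorted(events.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (src, proto, dport), count in summarize(SAMPLE_LOG):
        print(f"{src:16} {proto} dport={dport}  events={count}")
```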






2436 posts

Uber Geek
+1 received by user: 832

Trusted
Lifetime subscriber

  Reply # 516617 4-Sep-2011 23:35

Switch your modem off at night; in the morning you should get a new IP if you're on dynamic and don't have a fixed IP. I think there is a few hours' lease time that the IP is held for if you restart your router.

Are you sure you're not infected with a virus / malware? Or running some BitTorrent or similar software on a machine?

You never know you could have been hit with the virus that hit MetService and went around a few weeks ago: http://www.geekzone.co.nz/freitasm/7776








25 posts

Geek


  Reply # 516620 4-Sep-2011 23:49

Hmm, regarding the modem reset thing: no, we've tried that. Spoken to Level 1-7 technicians who have confirmed that with the new Telecom plans (Total Home) all users are in fact on a fixed IP address and they are not willing to even change it - the IP address, that is.

Will look into the torrent thing as there are several users on the network + mobile devices.

Have built a Linux firewall rig which is sitting beside me atm. Have been delaying wiring it up between a separate router and this one as I have no faith in these 'free' modems' abilities to block anything.

But that requires time and energy which I don't have atm. And will it be effective enough to warrant doing so? I am not sure atm.

Thank you very much for your fast reply.

Shall do the MalwareBytes thing in the morning and see if it turns up any nasties.


Shall also do a sweep for rootkits using:
http://technet.microsoft.com/en-us/sysinternals/bb897445



Again thanks.





27066 posts

Uber Geek
+1 received by user: 6509

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 516638 5-Sep-2011 06:33

The IP type you're on is completely irrelevant; port scanners and bots out there on the internet will get you no matter what your IP address is.




25 posts

Geek


Reply # 516777 5-Sep-2011 12:13

Not exactly true. I was a part of a gaming community for several years, and in the last few years I have kept the same IP address (not because I wanted to). This was picked up by some server admins who were not well liked in the community and caused a lot of strife for us and our players. This is when these hacking games started.

Now, these guys were attacking players whilst they were in game through SYN floods / DDoS attacks and in some cases breaching their computers and effectively killing them, forcing players to re-install the OS etc. and lolling in the background.

The thing is, with a Dynamic IP you can re-anonymize yourself by simply resetting your modem. Then they need to find you again by scanning your subnet and looking for your computer/name, which in effect you change and make it that much harder for them to detect.

If however you are on a fixed IP address, then they can blast you with every new exploit available on the web and/or DDoS you via some botnet till all their proxies are exhausted. The kinds of people I am talking about here do this kind of thing constantly and have killed a lot of game servers out of spite and for reasons that no one really understands.




27066 posts

Uber Geek
+1 received by user: 6509

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 516794 5-Sep-2011 13:14

Annoying some other gamers is completely different from bots attacking you - this will occur no matter what the IP is.

With the new 3 strikes law and the assumption by the law that an IP address is a person, I suspect we'll see more ISPs defaulting to static IPs due to the complexities in some cases of having to store IP and user account information as required by law.




25 posts

Geek


  Reply # 516801 5-Sep-2011 13:25

Yes indeed. Perhaps they (Telecom) would like to re-phrase their plan descriptions from Dynamic IP to Static IP, at least for legal purposes.

Or should I say: false advertising.

Edit: just done a search for 'dynamic' on their website, to which nothing but a glossary of terms was returned. Perhaps they have already rectified this.

I see someone else is having the same (Static IP) problem here:
http://www.geekzone.co.nz/forums.asp?forumid=39&topicid=78926


Seems ironic how, just when the law changes regarding downloads and illegal content, all of a sudden we are given large boosts in GBs to be allowed to use, with this Catch-22 bundled in: be warned, we are watching what you download and you may expect a visit if you are not careful.

Not sure what to liken it to tbh.

An ex-alcoholic in a bar full of free piss & told that they can only drink water?










681 posts

Ultimate Geek
+1 received by user: 222

Trusted
Spark NZ

  Reply # 520481 13-Sep-2011 14:32

@yzeguy, I suggest you call Telecom and request a change of IP address.

Telecom never claims to give everyone a dynamic IP. If your IP address does not change when restarting your router and you have not specifically requested a static IP, then you will need to call if you have issues with your IP and they will run an order to change it.

 




My views are my own, and may not necessarily represent those of my employer.



25 posts

Geek


  Reply # 520490 13-Sep-2011 14:53

Have done so on many occasions; spoken to numerous technicians on several occasions in regards to these matters, all of whom have stated that we are NOT on a Static IP. However it is obvious that we are, since we have had the same IP for over 12 months, resets / no resets, still the same.

Have contacted them again today to see if they can change it once more. Last time I tried this there was 1 option: close and re-open the account. Kind of ironic I think, oh and there's a fee involved for doing this.

Thanks for your feedback, much appreciated.


78 posts

Master Geek

Trusted

  Reply # 520526 13-Sep-2011 16:01

Can you please PM me your phone number and I can look into this for you.

Cheers,

Joe



25 posts

Geek


  Reply # 521063 14-Sep-2011 16:58

PM sent, thanks.




25 posts

Geek


Reply # 521693 15-Sep-2011 21:31

Thank you all for the help; hopefully the problem has been resolved, and if not I have come closer to the source of it.

After talking to a technician 5 minutes ago (great guy btw) he suggested that I try a very simple procedure that you may want to pass on to your support team for future reference.

FACTORY RESET MODEM.

Apparently these modems (TG585v7s) can get a congested cache? Or something to this effect.

However, after doing the 'thing which stared me in the face' every time I went to the interface, yet 'blatantly overlooked', it may have been the remedy for cases such as mine.

Anyway, long story short... you guys have restored my faith in Telecom Services and your help has been outstanding!! (looks for the 'shout me a beer - via PayPal' button) :\

Thank you all that helped rectify this problem.

I shall monitor it for the next few days and report here on the outcome, good or bad, so that others who have similar issues may be able to benefit from this post.

Cheers.








78 posts

Master Geek

Trusted

  Reply # 521765 16-Sep-2011 08:07

yzeguy: Thank you all for the help; hopefully the problem has been resolved, and if not I have come closer to the source of it.

After talking to a technician 5 minutes ago (great guy btw) he suggested that I try a very simple procedure that you may want to pass on to your support team for future reference.

FACTORY RESET MODEM.

Apparently these modems (TG585v7s) can get a congested cache? Or something to this effect.

However, after doing the 'thing which stared me in the face' every time I went to the interface, yet 'blatantly overlooked', it may have been the remedy for cases such as mine.

Anyway, long story short... you guys have restored my faith in Telecom Services and your help has been outstanding!! (looks for the 'shout me a beer - via PayPal' button) :\

Thank you all that helped rectify this problem.

I shall monitor it for the next few days and report here on the outcome, good or bad, so that others who have similar issues may be able to benefit from this post.

Cheers.









No worries at all, it's what we're here for! :-)



25 posts

Geek


  Reply # 521767 16-Sep-2011 08:12

:D She's still humming along quite nicely now. Will see if it degrades over the next few days.

If it does, will look into getting a new router.

Cheers.
