LANDATTACKIN?


parry

Ok today I opened up my router and accidentally clicked the security log link. I was surprised to see loads of these 'LANDATTACKIN' things, is there anything I should be concerned about?

 

 

Firewall log:

Jun 23 10:29:23 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:29:26 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:29:32 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:29:44 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:31:59 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:32:02 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:32:08 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:32:20 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:33:03 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:33:06 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:33:12 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115
Jun 23 10:33:24 (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= attack detected from 83.149.98.25 115


Link to comment
Share on other sites

Looks like repeated attacks on port 115 from someone with the IP 83.149.98.25

 

Whois data:

 

 

 

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL
ReferralServer: whois://whois.ripe.net:43
NetRange:   83.0.0.0 - 83.255.255.255
CIDR:       83.0.0.0/8
NetName:    83-RIPE
NetHandle:  NET-83-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS3.NIC.FR
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
Comment:
RegDate:    2003-11-17
Updated:    2004-03-16

 

 

Port 115 is apparently used by the Simple File Transfer Protocol (not to be confused with SFTP, Secure File Transfer Protocol).

 

Assuming that it has stopped, and that the router is actually blocking it, I probably wouldn't be too alarmed. I get upwards of 250 Attacks/Miscellaneous Activity showing up on my server every day.

 

If you really wanted to, you could call RIPE Network Coordination Center http://www.ripe.net/ and report abuse -- which appears to be the person's ISP (of course if they were using a proxy, who knows).

Link to comment
Share on other sites

Thanks for the reply, I just emailed their abuse email now.

 

EDIT: Just looked in the log again...seems to be more attacks from the same ip today as well.

Edited by parry
Link to comment
Share on other sites

Do you by any chance play any GTA online multiplayer thing? SA-MP/VC-MP/MTA?

 

I know that that IP is of a server that hosts several different multiplayer servers. Your router could be thinking that some of the UDP packets it receives from the server are some sort of attack, while they are in fact legit packets. I highly doubt that the server is deliberately attacking you.

 

Oh and that whois is incomplete, it can be narrowed down to a smaller range.

Link to comment
Share on other sites

 


Hence the reason I said it's possibly an attack, but not necessarily.

 

But on another note, what game server (say it runs SA-MP) would be using Port 115 for a game? SA-MP uses TCP Port 7777, but it can be changed.

 

However, a server based on any *nix (Linux/Unix) requires Superuser or Root privileges to use any ports below 1024. And a game server application running under Root would likely be a big security risk, since Root can do anything: if the game server software was compromised, full control of the system could be gained if it was running under Root.

 

Not sure if that applies to a Windows box or not. Probably not.

 

EDIT: If he is currently not playing any multiplayer game with that server, then the server should not be contacting his connection anyway. If the times next to the attacks in the log are from a time when he is not playing any multiplayer games with that server, then something fishy is up.

Edited by riccbhard
Link to comment
Share on other sites

Actually, I think this is caused by our Proxy scanner on our GTANet IRC network, which runs on that server too.

Every client that connects to IRC is scanned for open proxies; this is a standard procedure to prevent proxied botnets etc. from connecting. 115 is one of the ports listed to be scanned. This is nothing to worry about (you actually get a notice on connect saying that it does that and that firewall notices can safely be ignored).

 

Someone named 'parry' has been on IRC today, and on many days before since April.

 

Mystery solved.

Link to comment
Share on other sites


The only IRC channel I have been on in the last few days is the #LVP.echo channel, this is part of irc.gtanet.com though.

Link to comment
Share on other sites
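A triage sketch for the log discussed in this thread, added here as an example and not posted by any participant: it parses the router's alert lines, groups them per source and port, and splits them into bursts so the timing can be read at a glance. Assumptions: the trailing number is the destination port (as the thread reads it), the text before `IN=` is the alert tag, a 30-second silence separates bursts, and doubling gaps indicate one retransmitted connection attempt.

```python
import re
from datetime import datetime
from itertools import groupby

# Timestamps of the twelve log entries quoted in the thread; the rest of
# each line is identical, so it is rebuilt here from a template.
TIMES = ["10:29:23", "10:29:26", "10:29:32", "10:29:44",
         "10:31:59", "10:32:02", "10:32:08", "10:32:20",
         "10:33:03", "10:33:06", "10:33:12", "10:33:24"]
SAMPLE_LOG = "\n".join(
    f"Jun 23 {t} (none) user.alert kernel: LANDATTACKIN=ppp_0_38_1 OUT= MAC= "
    "attack detected from 83.149.98.25 115" for t in TIMES)

# Assumption: the alert tag is whatever precedes "IN=" after "kernel:".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*?kernel:\s*(?P<tag>\w+?)IN=\S*\s.*?"
    r"attack detected from (?P<src>\d+(?:\.\d+){3})\s+(?P<port>\d+)\s*$")

def parse(log):
    """Yield (time, tag, source, port) for each line in the router's alert format."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are skipped
            # The log carries no year; a fixed leap year keeps parsing valid.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["tag"], m["src"], int(m["port"])

def describe(src, port, times):
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    # Doubling gaps (3, 6, 12 s) are read as one connection attempt being
    # retransmitted with exponential backoff (assumption of this example).
    backoff = len(gaps) >= 2 and all(abs(b - 2 * a) <= 1 for a, b in zip(gaps, gaps[1:]))
    return {"src": src, "port": port, "start": times[0].strftime("%H:%M:%S"),
            "alerts": len(times), "gaps": gaps, "backoff": backoff}

def bursts(log, max_gap=30):
    """Group alerts per (source, port), split where silence exceeds max_gap seconds."""
    events = sorted(parse(log), key=lambda e: (e[2], e[3], e[0]))
    out = []
    for (src, port), group in groupby(events, key=lambda e: (e[2], e[3])):
        times = [e[0] for e in group]
        current = [times[0]]
        for prev, cur in zip(times, times[1:]):
            if (cur - prev).total_seconds() > max_gap:
                out.append(describe(src, port, current))
                current = []
            current.append(cur)
        out.append(describe(src, port, current))
    return out

if __name__ == "__main__":
    for b in bursts(SAMPLE_LOG):
        print(b)
```

On the quoted log this yields three bursts of four alerts each from one source to one port, which is what a few separate connection attempts look like rather than a sweep across ports.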
