
Thread: Something odd in my security log.

  1. #1
    Senior Member AledJ's Avatar
    Join Date
    May 2008
    Posts
    1,899
    Thanks
    168
    Thanked
    25 times in 21 posts

    Something odd in my security log.

    In the security log for my router I have seen this:

    **TCP FIN Scan** 000.000.0.0, 54375->> 00.00.000.000, 80 (from WAN Outbound)

    I have replaced the IP address with 0 (my IP address would be the first lot of numbers)! At the time on the log I was watching the F1 racing from earlier in the day.

    Also I assume that the more devices on the wireless network the more the signal strength and speed can go down?
    Last edited by AledJ; 25-08-2009 at 12:32 AM.

  2. #2
    Senior Member AledJ's Avatar
    Join Date
    May 2008
    Posts
    1,899
    Thanks
    168
    Thanked
    25 times in 21 posts

    Re: Something odd in my security log.

    This all happened on the 08/19/2009 23:01:29 and there are 10 entries. But since then there has been no log again of this.

    Getting worried that it's something bad :|

    Looked at the IP address, it's only mine! But my PC was turned off at 22.33 that night. Double checked the router clock and it's correct. I have no idea what's going on!
    Last edited by AledJ; 25-08-2009 at 02:11 AM.

  3. #3
    Jay
    Jay is offline
    Gentlemen.. we're history Jay's Avatar
    Join Date
    Aug 2006
    Location
    Jita
    Posts
    8,365
    Thanks
    304
    Thanked
    568 times in 409 posts

    Re: Something odd in my security log.

    Maybe a spoofed IP address.
    □ΞVΞ□

  4. #4
    Senior Member AledJ's Avatar
    Join Date
    May 2008
    Posts
    1,899
    Thanks
    168
    Thanked
    25 times in 21 posts

    Re: Something odd in my security log.

    Also found this :

    08/19/2009 21:36:40 DHCP Client: [WAN]Receive Ack from 00.000.000.01,Lease time=424979
    08/19/2009 21:36:40 DHCP Client: [WAN]Send Request, Request IP=00.00.000.000
    08/19/2009 21:36:40 DHCP Client: [WAN]Receive Offer from 00.000.000.00
    08/19/2009 21:36:40 DHCP Client: [WAN]Send Discover
    08/19/2009 21:36:38 DHCP Client: [WAN]Send Release

    and:

    08/22/2009 08:30:13 DHCP Client: [WAN]Receive Ack from 00.000.000.00,Lease time=604800
    08/22/2009 08:30:13 DHCP Client: [WAN]Send Request, Request IP=00.00.000.000

    (have changed the IP address to 0 but none look like the one my router uses)

    Not seen that before and don't recognize it. In the log the other IP addresses are all the same apart from the last number.
    Last edited by AledJ; 25-08-2009 at 11:06 AM.

  5. #5
    Senior Member AledJ's Avatar
    Join Date
    May 2008
    Posts
    1,899
    Thanks
    168
    Thanked
    25 times in 21 posts

    Re: Something odd in my security log.

    Just noticed that the log in the first post happened on the day I contacted Belkin via the online chat thing (but that was mid afternoon). Had problems with only my connection upstairs sometimes dropping out. But that was fixed by removing the wireless mouse. It's still puzzling that the first log in my post happened when my PC was off.

  6. #6
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Join Date
    Aug 2005
    Location
    Looking down & checking on swearing
    Posts
    19,378
    Thanks
    2,892
    Thanked
    3,403 times in 2,693 posts

    Re: Something odd in my security log.

    Are the IP addresses you blanked out your public IP addresses? The last one looks like a DHCP request, if you are on dynamic IP allocation.

    As for the other, it's hard to tell - again are those addresses public?

    However IP addresses are scanned routinely by people looking to exploit security weaknesses. I have some ports open (particularly 22 for SSH inbound) and they are regularly attacked - one night there were over 50,000 (unsuccessful) attempts. Just part of being on the net! An automated IP and port scan is quite easy to set up. If you are behind NAT and don't have any inbound ports open, I wouldn't worry about it.

    There is a statistic that says it takes about 4 minutes for an unpatched Windows computer connected directly to the internet (without NAT or any firewall) to become infected with malware.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  7. #7
    Senior Member AledJ's Avatar
    Join Date
    May 2008
    Posts
    1,899
    Thanks
    168
    Thanked
    25 times in 21 posts

    Re: Something odd in my security log.

    **TCP FIN Scan** 000.000.0.0, 54375->> 00.00.000.000, 80 (from WAN Outbound)

    The first IP address is mine. As for the others blanked out, none are from the router. But what does this all mean:

    08/19/2009 21:36:40 DHCP Client: [WAN]Receive Ack from 00.000.000.01,Lease time=424979
    08/19/2009 21:36:40 DHCP Client: [WAN]Send Request, Request IP=00.00.000.000
    08/19/2009 21:36:40 DHCP Client: [WAN]Receive Offer from 00.000.000.00
    08/19/2009 21:36:40 DHCP Client: [WAN]Send Discover
    08/19/2009 21:36:38 DHCP Client: [WAN]Send Release

    Checked my speed and it's normal.

  8. #8
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Join Date
    Aug 2005
    Location
    Looking down & checking on swearing
    Posts
    19,378
    Thanks
    2,892
    Thanked
    3,403 times in 2,693 posts

    Re: Something odd in my security log.

    It looks as if your ISP dynamically allocates you a public IP address - this is the handshake sequence that gets (or renews) the 'lease' on that IP address. The lease time is usually in seconds, and is the time period that the allocated IP address is available to you. At the end of that period, the lease will be renewed if you are still connected, otherwise it will lapse and be available for another user. When you reconnect, you will be allocated a new IP address by your ISP's DHCP server.

    http://www.tcpipguide.com/free/t_DHC...locationRe.htm

    For more info.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute
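
The lease handshake described in the last reply can be read straight out of the router log. The following is an added example, not code from any poster in the thread: it parses the DHCP lines posted above, tells a full re-acquisition (Release/Discover/Offer/Request/Ack) from a plain renewal (Request/Ack), and converts the lease time to a duration and expiry. It assumes the log format shown in the thread, MM/DD/YYYY timestamps, and newest-first ordering; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# The two excerpts posted in the thread, joined newest first (addresses blanked by the poster).
SAMPLE_LOG = """\
08/22/2009 08:30:13 DHCP Client: [WAN]Receive Ack from 00.000.000.00,Lease time=604800
08/22/2009 08:30:13 DHCP Client: [WAN]Send Request, Request IP=00.00.000.000
08/19/2009 21:36:40 DHCP Client: [WAN]Receive Ack from 00.000.000.01,Lease time=424979
08/19/2009 21:36:40 DHCP Client: [WAN]Send Request, Request IP=00.00.000.000
08/19/2009 21:36:40 DHCP Client: [WAN]Receive Offer from 00.000.000.00
08/19/2009 21:36:40 DHCP Client: [WAN]Send Discover
08/19/2009 21:36:38 DHCP Client: [WAN]Send Release
"""

LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) DHCP Client: \[WAN\]"
    r"(?:Send|Receive) (Release|Discover|Offer|Request|Ack)\b(?:.*Lease time=(\d+))?"
)

def parse(log_text):
    """Return (timestamp, message, lease_seconds) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3)) if m.group(3) else None))
    events.reverse()  # assumption: the router lists newest entries first
    return events

def exchanges(events):
    """Split the messages into exchanges, one per Ack, and classify each."""
    out, current, prev = [], [], None
    for ts, msg, lease_s in events:
        current.append(msg)
        if msg != "Ack" or lease_s is None:
            continue
        lease = timedelta(seconds=lease_s)
        out.append({
            "kind": "new lease" if "Discover" in current else "renewal",
            "messages": current, "lease": lease, "expires": ts + lease,
            # share of the previous lease already used when this Ack arrived
            "elapsed": (ts - prev[0]) / prev[1] if prev else None,
        })
        current, prev = [], (ts, lease)
    return out

if __name__ == "__main__":
    print(exchanges(parse(SAMPLE_LOG)))
```

On the thread's lines, the 08/22 Request/Ack lands at about half of the first lease, which matches DHCP's default renewal timer (T1, 50% of the lease time in RFC 2131).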
