My home broadband connection has been going up and down all day. I looked at the router log and saw the following:
Mar 27 12:22:30 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=92.48.122.218 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=64889 PROTO=TCP SPT=23431 DPT=3306 WINDOW=65535 RES=0x00 SYN U
Mar 27 12:36:57 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=78.101.248.169 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=13193 DF PROTO=TCP SPT=58734 DPT=51413 WINDOW=8192 RES=0x00 S
Mar 27 12:39:47 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=78.101.248.169 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=16952 DF PROTO=TCP SPT=59817 DPT=51413 WINDOW=8192 RES=0x00 S
Mar 27 12:51:23 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=69.50.194.41 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=14530 PROTO=TCP SPT=35855 DPT=22 WINDOW=65535 RES=0x00 SYN URGP
Mar 27 13:09:25 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=222.186.52.77 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=97 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=
Mar 27 13:32:24 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=203.156.207.196 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=96 ID=256 PROTO=TCP SPT=6000 DPT=1000 WINDOW=16384 RES=0x00 SYN URG
Mar 27 13:45:58 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=60.12.160.66 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=46684 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP
Mar 27 14:25:37 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=85.114.129.177 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=3057 PROTO=TCP SPT=8473 DPT=3389 WINDOW=65535 RES=0x00 SYN UR
Mar 27 15:04:52 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=60.173.14.89 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=99 ID=256 PROTO=TCP SPT=6000 DPT=8909 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 27 15:28:40 kernel: eth3 Link UP 100 mbps full duplex
Mar 27 15:28:50 kernel: eth3 Link DOWN.
Mar 27 15:28:51 kernel: eth3 Link UP 100 mbps full duplex
Mar 27 15:30:25 kernel: eth3 Link DOWN.
Mar 27 15:45:12 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=124.119.118.223 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=100 ID=47265 PROTO=TCP SPT=6000 DPT=3389 WINDOW=16384 RES=0x00 SYN
Mar 27 16:02:39 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=2.95.45.184 DST=x.x.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=42 ID=34542 DF PROTO=TCP SPT=1583 DPT=135 WINDOW=53760 RES=0x00 SYN URG
Mar 27 16:06:11 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=58.194.171.217 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=61983 DF PROTO=TCP SPT=52273 DPT=3389 WINDOW=5840 RES=0x00 SYN
Mar 27 16:09:45 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=2.192.224.130 DST=x.x.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=31 ID=14217 DF PROTO=TCP SPT=1052 DPT=445 WINDOW=65535 RES=0x00 SYN U
Mar 27 16:46:01 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=24.64.84.167 DST=x.x.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=29798 DF PROTO=TCP SPT=59723 DPT=51413 WINDOW=65535 RES=0x00 SYN
Mar 27 16:46:03 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=24.64.84.167 DST=x.x.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=2404 DF PROTO=TCP SPT=59723 DPT=51413 WINDOW=65535 RES=0x00 SYN
Mar 27 16:59:48 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=61.176.192.164 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URG
Mar 27 17:28:42 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=89.119.20.254 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=6972 DF PROTO=TCP SPT=3522 DPT=23 WINDOW=5840 RES=0x00 SYN URGP
Mar 27 17:29:28 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=122.176.158.232 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=2025 DF PROTO=TCP SPT=13851 DPT=443 WINDOW=65535 RES=0x00 SY
Mar 27 17:29:29 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=72.48.98.17 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=14331 DF PROTO=TCP SPT=52695 DPT=10261 WINDOW=8192 RES=0x00 SYN
Mar 27 17:29:31 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=122.176.158.232 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=2030 DF PROTO=TCP SPT=13851 DPT=443 WINDOW=65535 RES=0x00 SY
Mar 27 17:29:32 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=72.48.98.17 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=14805 DF PROTO=TCP SPT=52695 DPT=10261 WINDOW=8192 RES=0x00 SYN
Mar 27 17:29:34 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=110.23.234.109 DST=x.x.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=36150 DF PROTO=TCP SPT=53042 DPT=55802 WINDOW=65535 RES=0x00 S
Mar 27 17:35:36 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=86.68.142.70 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=11838 DF PROTO=TCP SPT=49527 DPT=55802 WINDOW=8192 RES=0x00 SYN
Mar 27 17:35:39 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=79.175.234.127 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=4333 DF PROTO=TCP SPT=49424 DPT=80 WINDOW=8192 RES=0x00 SYN U
Mar 27 17:47:42 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=68.83.96.247 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=9254 DF PROTO=TCP SPT=60863 DPT=55802 WINDOW=8192 RES=0x00 SYN
Mar 27 17:47:43 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=87.68.235.165 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=38465 DF PROTO=TCP SPT=64092 DPT=80 WINDOW=5840 RES=0x00 SYN UR
Mar 27 17:47:45 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=213.130.198.69 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=9364 DF PROTO=TCP SPT=3486 DPT=443 WINDOW=65535 RES=0x00 SYN U
The attacking IP address is different every time, but the MAC is not. Does that matter? From the above, all I can read is the IP address and the fact that this is a kernel intrusion event. Is there more information here that I am missing? If this is some kind of attack, what is my risk from it?
Posted on 2012-03-27 17:17:36
The logging facility doing the reporting is kernel. Note the following message:
Mar 27 15:28:40 kernel: eth3 Link UP 100 mbps full duplex
So the kernel is what is saying that eth3 is changing. The kernel is therefore reporting an "Intrusion"; it is not a "kernel intrusion" as you are reading it.
Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=213.130.198.69 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=9364 DF PROTO=TCP SPT=3486 DPT=443 WINDOW=65535 RES=0x00 SYN U
This is an iptables log message, probably generated by an iptables rule. The MAC address is always the same because it is the external address, so it always traverses the same layer-2 link; it is probably your cable modem or something similar. It does say that the inbound interface is ATM, so maybe you have a rather fancy home broadband connection?
You probably have an iptables rule at the end of the chain that logs all incoming traffic. My guess is something like:
iptables -A INPUT -j LOG --log-prefix 'Intrusion -> '
Take a look at iptables -L -v and see what you find. Most likely you do not want to log every packet that is not accepted on a public IP. There is a lot of random traffic out there.
Good reference link: http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
Posted on 2012-03-27 21:03:09
I'm guessing this is a router device.
The destination ports are all over the place and the source ports are all in one place (the high port range), so it looks like scanning activity.
The MAC does not change because it will be the upstream (ISP) router.
It just looks like the normal background noise of the internet. The "Intrusion" part looks scary, but it is a default message that does not
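Both answers above read the same thing out of these lines: the `Intrusion -> ` text is just an iptables LOG prefix, the MAC belongs to the upstream layer-2 hop and never changes, and the destination ports scattered across many one-off sources are background scanning noise. The script below is an added example (not code from either answer or from the router vendor) that parses kernel log lines of exactly this shape and produces the summary a defender would want when triaging such a log: destination ports hit, sources that come back more than once, whether the MAC and inbound interface ever vary, and the link up/down events that actually explain the flapping connection. The sample log is constructed from lines copied out of the question; the `Intrusion -> ` prefix, the key=value layout and the bare flag tokens (`DF`, `SYN`) are assumptions about the LOG output format taken from those lines, and `x.x.x.x` is the asker's own redaction, left as-is.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the router log in the question (plus the
# two eth3 link events) so the script runs offline. x.x.x.x is the asker's
# redacted public address and is kept verbatim.
SAMPLE_LOG = """\
Mar 27 12:22:30 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=92.48.122.218 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=64889 PROTO=TCP SPT=23431 DPT=3306 WINDOW=65535 RES=0x00 SYN U
Mar 27 12:36:57 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=78.101.248.169 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=13193 DF PROTO=TCP SPT=58734 DPT=51413 WINDOW=8192 RES=0x00 S
Mar 27 12:39:47 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=78.101.248.169 DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=16952 DF PROTO=TCP SPT=59817 DPT=51413 WINDOW=8192 RES=0x00 S
Mar 27 13:09:25 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=222.186.52.77 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=97 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=
Mar 27 15:28:40 kernel: eth3 Link UP 100 mbps full duplex
Mar 27 15:28:50 kernel: eth3 Link DOWN.
Mar 27 16:46:01 kernel: Intrusion -> IN=atm1 OUT= MAC=34:08:04:00:08:35:18:80:f5:97:9e:98:08:00 SRC=24.64.84.167 DST=x.x.x.x LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=29798 DF PROTO=TCP SPT=59723 DPT=51413 WINDOW=65535 RES=0x00 SYN
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) kernel: (.*)$")
LINK_RE = re.compile(r"^(\S+) Link (UP|DOWN)")
LOG_PREFIX = "Intrusion -> "  # assumed: the --log-prefix of the LOG rule guessed in the answer


def parse_line(line):
    """Turn one kernel log line into a dict.

    kind == "link": interface state change (iface, state), the likely cause of the flapping.
    kind == "fw":   iptables LOG record; each KEY=VALUE becomes a key and bare tokens
                    (DF, SYN, and the truncated trailing "U"/"S") land in the "flags" set.
    Returns None for anything else.
    """
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts, body = m.groups()
    lm = LINK_RE.match(body)
    if lm:
        return {"ts": ts, "kind": "link", "iface": lm.group(1), "state": lm.group(2)}
    if not body.startswith(LOG_PREFIX):
        return None
    rec = {"ts": ts, "kind": "fw", "flags": set()}
    for tok in body[len(LOG_PREFIX):].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val  # "OUT=" yields an empty string, as in the log
        else:
            rec["flags"].add(tok)
    return rec


def summarize(log_text):
    """Aggregate a log: which ports are probed, which sources repeat, whether the
    layer-2 MAC and inbound interface ever vary, and the link state changes."""
    by_dport, by_src = Counter(), Counter()
    macs, ifaces, link_events = set(), set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "link":
            link_events.append((rec["ts"], rec["iface"], rec["state"]))
            continue
        by_dport[rec["DPT"]] += 1
        by_src[rec["SRC"]] += 1
        macs.add(rec["MAC"])
        ifaces.add(rec["IN"])
    return {
        "by_dport": by_dport,
        "by_src": by_src,
        # a single source probing repeatedly stands out from one-off background noise
        "repeat_sources": {s: n for s, n in by_src.items() if n > 1},
        "macs": macs,          # expected: exactly one, the upstream hop
        "in_ifaces": ifaces,   # expected: exactly one, the WAN interface (atm1 here)
        "link_events": link_events,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("destination ports hit:", s["by_dport"].most_common())
    print("sources seen more than once:", s["repeat_sources"])
    print("distinct upstream MACs:", s["macs"], "inbound interfaces:", s["in_ifaces"])
    print("link state changes:", s["link_events"])
```

Run against the full log in the question, a single MAC and a single `IN=` interface confirm the answers' point that nothing about the layer-2 side is varying, the long tail of destination ports each hit once by a different source is the scanning noise the second answer describes, and the `link_events` list is where to look for the connection drops, which the `Intrusion` lines do not explain at all.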
https://security.stackexchange.com/questions/13136