Linksys’ incoming log…do i have an intruder?

QUESTION :

My Linksys administration tab where logs are located shows a total of 12 incoming connection entries.
Some of these addresses say they’re in China when I Google them, which exponentially increased my concern; the ports they list mean they weren’t video games, I know that, so what do I do now?

setup:

  • gaming pc, Windows Server, wife’s laptop, x360, xbone
  • WAMP on gaming pc, IIS8 on Windows Server (changed default MySQL root pw)
  • WordPress install on both with plugins (plugins the culprit?)
  • all plugins installed via WordPress admin from WordPress.org on both WordPress installations
  • had a second WordPress on port 8080.
  • ddns via NO-IP forwarded to windows server from router

log:

  • 114.232.18.30 80 (www)
  • 117.86.122.5 8080 (webcache)
  • 218.77.79.43 80 (www)
  • 218.6.173.36 3306 (mysql)
  • 222.186.15.95 3306 (mysql)
  • 218.77.79.43 8080 (webcache)
  • 61.147.107.109 3306 (mysql)
  • 218.77.79.43 21 (ftp)
  • 198.20.70.114 3306 (mysql)
  • 60.173.11.151 8080 (webcache)
  • 65.55.158.119 3074 (xbox)

I ran netstat -abf 5 for 3 minutes and I’m looking at a printout of the results right now, and realized I should’ve closed every service/site/program I could think of before logging as it’s about 20+ pages printed out…I will edit and add any listing that I do not understand.

I want to see if it was a legitimate WordPress plugin or some other aspect of IIS and/or Apache and should not concern me. I’ll check Apache and IIS logs when I get home and paste anything that looks like information you could use to reach a decision. Any additional information on where/what I need to look at would be greatly appreciated.

ANSWER :

Don’t worry about it, it’s people doing a network scan, not intruding into your network. They are poking your network to see if anything is open or vulnerable, and if not, they move on. As long as you don’t have ports open and pointing to vulnerable services, there is no reason to be concerned.

Your home has a public IP, and anyone can reach out to it, but it doesn’t mean that they can get into your network. The ports they are listing are to see if there are any public-facing services, and if there are, they will try to attack them.

For example, they try to reach the MySQL standard port to see if you have a MySQL server running, and if you do, they will try to log in, but as long as you don’t have a MySQL server running with that port open, you are safe.

To check if any of your ports are open, check to see if any of your ports are forwarded on your router, and see where they are forwarded to. If they are forwarded, find out what service is running on that port, and determine if it is a security risk depending on what is running on that port.
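The triage the answer describes, as an added example that is not part of the answer above: it parses entries in the router's "source-ip port (service)" format and separates the ones that hit a port you actually forward (so the service's own logs are worth checking) from the ones the router simply dropped. The forwarding table and sample lines are constructed assumptions modelled on the setup in the question.

```python
import re

# Constructed sample lines in the format of the Linksys incoming log quoted above:
# "<source ip> <destination port> (<service name>)"
SAMPLE_LOG = """\
114.232.18.30 80 (www)
218.6.173.36 3306 (mysql)
218.77.79.43 8080 (webcache)
218.77.79.43 21 (ftp)
65.55.158.119 3074 (xbox)
"""

# Assumed port-forwarding table copied from the router's admin page (hypothetical):
# only these ports reach a host behind the router; everything else is dropped.
FORWARDED_PORTS = {80: "IIS/WordPress on Windows Server", 8080: "second WordPress"}

LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\s+\(([^)]*)\)$")

def parse_log(text):
    """Return (src_ip, dst_port, service) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries

def triage(entries, forwarded):
    """Split entries into those reaching a forwarded port (check that service's
    logs and patch level) and those blocked at the router (scan noise)."""
    reaches_service = [e for e in entries if e[1] in forwarded]
    blocked = [e for e in entries if e[1] not in forwarded]
    return reaches_service, blocked

def repeat_sources(entries, min_ports=2):
    """Sources that probed several ports: the signature of a scan, not a visitor."""
    ports_by_ip = {}
    for ip, port, _ in entries:
        ports_by_ip.setdefault(ip, set()).add(port)
    return {ip: sorted(p) for ip, p in ports_by_ip.items() if len(p) >= min_ports}

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    hits, noise = triage(entries, FORWARDED_PORTS)
    for ip, port, svc in hits:
        print(f"CHECK  {ip} -> {port} ({svc}): forwarded to {FORWARDED_PORTS[port]}")
    for ip, port, svc in noise:
        print(f"noise  {ip} -> {port} ({svc}): dropped at router")
    print("multi-port sources:", repeat_sources(entries))
```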
