Remote Administration, and other stuff in router event log.

thurrafork · ‎29-05-2019

Hello folks

Been getting dropouts several times a day for the last week. Reconnection happens within a few minutes, but it is still pretty infuriating.

I checked the Event Log in my Hub Manager (I have a Hub One) and I had lots going on there, very little of which I can understand!

Any thoughts on this? Am I in peril?

Thanks.

17:22:32, 22 Jan.	IN: BLOCK [16] Remote administration (ICMP type 8 code 0 128.9.29.131->91.125.96.177 on ppp3)
17:20:30, 22 Jan.	(181226.250000) Admin login successful by 192.168.1.64 on HTTP
17:20:10, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [156.96.156.172]:54838->[91.125.96.177]:80 on ppp3)
17:19:29, 22 Jan.	(181165.510000) New GUI session from IP 192.168.1.64
17:18:05, 22 Jan.	IN: BLOCK [16] Remote administration (ICMP type 8 code 0 128.9.63.139->91.125.96.177 on ppp3)
17:05:15, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [209.126.230.71]:53504->[91.125.96.177]:443 on ppp3)
17:00:28, 22 Jan.	BLOCKED 1 more packets (because of Remote administration)
17:00:27, 22 Jan.	IN: BLOCK [16] Remote administration (ICMP type 8 code 0 192.35.168.69->91.125.96.177 on ppp3)
16:58:03, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [192.241.219.82]:33380->[91.125.96.177]:8080 on ppp3)
16:53:30, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [209.141.58.148]:54346->[91.125.96.177]:443 on ppp3)
16:51:54, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [104.243.42.132]:42899->[91.125.96.177]:80 on ppp3)
16:51:18, 22 Jan.	(179474.480000) CWMP: session closed due to error: Timeout
16:50:48, 22 Jan.	(179444.450000) CWMP: HTTP authentication success from https://pbthdm.bt.mo
16:50:42, 22 Jan.	(179437.930000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
16:50:42, 22 Jan.	(179437.920000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
16:50:40, 22 Jan.	(179436.120000) WAN operating mode is VDSL
16:50:40, 22 Jan.	(179436.120000) Last WAN operating mode was VDSL
16:50:38, 22 Jan.	(179434.860000) PPP IPCP Receive Configuration ACK
16:50:38, 22 Jan.	(179434.850000) PPP IPCP Send Configuration Request
16:50:38, 22 Jan.	(179434.840000) PPP IPCP Receive Configuration NAK
16:50:38, 22 Jan.	(179434.840000) PPP IPCP Send Configuration ACK
16:50:38, 22 Jan.	(179434.840000) PPP IPCP Receive Configuration Request
16:50:38, 22 Jan.	(179434.840000) PPP IPCP Send Configuration Request
16:50:37, 22 Jan.	(179433.760000) PPPoE is up - Down Rate=79893Kbps, Up Rate=19139Kbps; SNR Margin Down=6.0dB, Up=9.5dB
16:50:37, 22 Jan.	(179433.740000) CHAP authentication successful
16:50:37, 22 Jan.	(179433.710000) CHAP Receive Challenge
16:50:37, 22 Jan.	(179433.710000) Starting CHAP authentication with peer
16:50:37, 22 Jan.	(179433.710000) PPP LCP Receive Configuration ACK
16:50:37, 22 Jan.	(179433.700000) PPP LCP Send Configuration Request
16:50:37, 22 Jan.	(179433.700000) PPP LCP Receive Configuration Reject
16:50:37, 22 Jan.	(179433.700000) PPP LCP Send Configuration ACK
16:50:37, 22 Jan.	(179433.690000) PPP LCP Receive Configuration Request
16:50:37, 22 Jan.	(179433.690000) PPP LCP Send Configuration Request
16:49:48, 22 Jan.	(179384.740000) PTM over DSL is up
16:49:47, 22 Jan.	(179382.910000) CWMP: session closed due to error: Could not resolve host
16:49:47, 22 Jan.	(179382.890000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
16:49:46, 22 Jan.	(179382.890000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
16:49:16, 22 Jan.	(179352.620000) CWMP: session closed due to error: Could not resolve host
16:49:16, 22 Jan.	(179352.600000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
16:49:16, 22 Jan.	(179352.600000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
16:49:16, 22 Jan.	(179352.310000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
16:49:13, 22 Jan.	(179349.670000) PTM over DSL is down after 1082 minutes uptime
16:49:13, 22 Jan.	(179349.670000) PPPoE is down after 1081 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 7 - Down)]
16:49:11, 22 Jan.	(179347.060000) PPP LCP Send Termination Request [User request]
16:40:17, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [162.142.125.28]:64228->[91.125.96.164]:443 on ppp3)
16:38:07, 22 Jan.	IN: BLOCK [16] Remote administration (ICMP type 8 code 0 183.232.65.85->91.125.96.164 on ppp3)
16:35:18, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [192.241.224.50]:44167->[91.125.96.164]:443 on ppp3)
16:34:00, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [156.96.46.226]:53213->[91.125.96.164]:443 on ppp3)
16:33:57, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [103.145.13.194]:52704->[91.125.96.164]:80 on ppp3)
16:24:58, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [47.114.160.221]:22452->[91.125.96.164]:80 on ppp3)
16:24:45, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [47.103.110.3]:38785->[91.125.96.164]:80 on ppp3)
16:22:16, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [158.101.108.255]:49276->[91.125.96.164]:22 on ppp3)
16:20:21, 22 Jan.	IN: BLOCK [16] Remote administration (ICMP type 8 code 0 192.172.226.141->91.125.96.164 on ppp3)
16:19:10, 22 Jan.	(177546.160000) Lease for IP 192.168.1.65 renewed by host Samsung-Galaxy-S7 (MAC 8c:f5:a3:bb:8e:be). Lease duration: 1440 min
16:19:10, 22 Jan.	(177546.160000) Device connected: Hostname: Samsung-Galaxy-S7 IP: 192.168.1.65 MAC: 8c:f5:a3:bb:8e:be Lease time: 1440 min. Link rate: 6.0 Mbps
16:19:10, 22 Jan.	(177546.090000) Lease requested
16:19:04, 22 Jan.	IN: BLOCK [16] Remote administration (ICMP type 8 code 0 185.108.129.120->91.125.96.164 on ppp3)
16:19:04, 22 Jan.	ath10: STA 8c:f5:a3:bb:8e:be IEEE 802.11: Client associated
16:06:16, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [192.241.218.109]:54701->[91.125.96.164]:80 on ppp3)
16:05:57, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [76.5.48.18]:34572->[91.125.96.164]:22 on ppp3)
16:04:11, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [222.186.136.150]:48137->[91.125.96.164]:443 on ppp3)
16:02:14, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [190.207.109.96]:50605->[91.125.96.164]:22 on ppp3)
15:59:45, 22 Jan.	IN: BLOCK [16] Remote administration (ICMP type 8 code 0 23.105.70.70->91.125.96.164 on ppp3)
15:56:35, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [117.196.48.167]:37724->[91.125.96.164]:80 on ppp3)
15:56:22, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [156.96.156.172]:50001->[91.125.96.164]:443 on ppp3)
15:52:43, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [156.96.156.172]:50001->[91.125.96.164]:80 on ppp3)
15:52:36, 22 Jan.	ath00: STA 8c:f5:a3:bb:8e:be IEEE 802.11: WiFi registration failed
15:52:36, 22 Jan.	ath10: STA 8c:f5:a3:bb:8e:be IEEE 802.11: WiFi registration failed
15:45:52, 22 Jan.	(175547.990000) Device disconnected: Hostname: Samsung-Galaxy-S7 IP: 192.168.1.65 MAC: 8c:f5:a3:bb:8e:be
15:45:46, 22 Jan.	(175542.890000) NTP synchronization success!
15:45:11, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [81.161.63.103]:17728->[91.125.96.164]:22 on ppp3)
15:44:42, 22 Jan.	ath00: STA 8c:f5:a3:bb:8e:be IEEE 802.11: Client associated
15:44:42, 22 Jan.	ath00: STA 8c:f5:a3:bb:8e:be IEEE 802.11: Client disassociated
15:44:42, 22 Jan.	ath00: STA 8c:f5:a3:bb:8e:be IEEE 802.11: Client associated
15:42:52, 22 Jan.	OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 91.125.96.164->88.221.0.95 on ppp3)
15:42:50, 22 Jan.	BLOCKED 1 more packets (because of ICMP replay)
15:42:49, 22 Jan.	OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 91.125.96.164->88.221.0.95 on ppp3)
15:42:42, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [192.241.204.120]:43354->[91.125.96.164]:8080 on ppp3)
15:42:36, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [89.248.174.3]:44498->[91.125.96.164]:22 on ppp3)
15:40:12, 22 Jan.	OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 91.125.96.164->34.252.142.55 on ppp3)
15:40:10, 22 Jan.	BLOCKED 2 more packets (because of ICMP replay)
15:40:09, 22 Jan.	OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 91.125.96.164->34.252.142.55 on ppp3)
15:34:31, 22 Jan.	(174867.990000) Device disconnected: Hostname: LGwebOSTV IP: 192.168.1.66 MAC: 7c:1c:4e:4f:80:78
15:34:29, 22 Jan.	ath10: STA 7c:1c:4e:4f:80:78 IEEE 802.11: Client disassociated
15:29:27, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [185.142.236.43]:20012->[91.125.96.164]:443 on ppp3)
15:28:21, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [103.159.182.2]:10389->[91.125.96.164]:8080 on ppp3)
15:25:36, 22 Jan.	IN: BLOCK [16] Remote administration (UDP [104.140.188.26]:52149->[91.125.96.164]:161 on ppp3)
15:23:40, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [83.253.28.253]:57725->[91.125.96.164]:22 on ppp3)
15:17:19, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [185.59.247.39]:53649->[91.125.96.164]:8080 on ppp3)
15:14:41, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [157.230.16.91]:5473->[91.125.96.164]:22 on ppp3)
15:14:22, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [128.14.209.254]:21118->[91.125.96.164]:443 on ppp3)
15:11:01, 22 Jan.	BLOCKED 9 more packets (because of ICMP replay)
15:11:00, 22 Jan.	IN: BLOCK [7] ICMP replay (ICMP type 3 code 3 114.45.206.223->91.125.96.164 on ppp3)
15:05:38, 22 Jan.	IN: BLOCK [16] Remote administration (UDP [36.27.214.242]:45663->[91.125.96.164]:161 on ppp3)
15:00:54, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [71.6.146.185]:29011->[91.125.96.164]:8080 on ppp3)
14:54:16, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [103.152.100.2]:49430->[91.125.96.164]:22 on ppp3)
14:53:15, 22 Jan.	IN: BLOCK [16] Remote administration (TCP [176.85.220.153]:59776->[91.125.96.164]:8080 on ppp3)
14:53:03, 22 Jan.	OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.65->49.218.8.124 on ppp3)
14:52:57, 22 Jan.	OUT: BLOCK [7] ICMP replay (ICMP type 3 code 3 192.168.1.65->31.13.87.54 on ppp3)
14:52:56, 22 Jan.	BLOCKED 1 more packets (because of ICMP replay)

jab1 · ‎24-02-2012

@thurrafork Don't worry about those IN BLOCK reports - that is just the router doing what it is supposed to do - blocking incoming requests from sites not allowed to access your local network.

As regards the drops, they would be of much more concern to me. Can you post the connection stats, obscuring any personally identifiable data?

John

thurrafork · ‎29-05-2019

Thanks for responding jab1

When you ask for Connection Stats, what exactly do you mean?

I imagined that all the connect/disconnect info was buried in that Event Log that I posted.

So there's no obvious connection between that splurge of Event Log info and disconnections?

Thanks

jab1 · ‎24-02-2012

@thurrafork Sorry, didn't explain my self very well there did I?

The 'connection stats' I was referring to are accessed from the 'Troubleshooting' tab on your router - IIRC they are the far right tab under that setting, but I'm not sure as I have never used that router.

There is no connection at all between those two events.

John

thurrafork · ‎29-05-2019

Hmmm... The far right tab under Troubleshooting is the Event Log I posted before.

There's only 1 'Connection' tab that I can find (under Advanced Settings>Broadband>Connection) but that doesn't seem to give any useful info...

Connection Information

Line state:	Connected
Connection time:	0 days, 01:46:18
Downstream:	79.89 Mbps
Upstream:	19.14 Mbps

Is what you're asking for info about DNS, Gateway, IP address - that kind of thing?

Browni · ‎02-03-2016

On a Hub 1 the router stats can be found in the Troubleshooting->Helpdesk tab.

Live router stats

jab1 · ‎24-02-2012

OK - I did say I wasn't sure about where the information was, but to use my routers data, just to show what yours should resemble:

John

thurrafork · ‎29-05-2019

Gotcha! Thank you!

And now a very naive question: What of the information there should I block out before posting on a public forum?

For example, is MAC address essential information that you need, or should I block it out?

Thanks

jab1 · ‎24-02-2012

Thanks @Browni - I'll try and remember that.😁

John

jab1 · ‎24-02-2012

I can't remember the line numbers offhand - but your IP, router name &c.

If you post, then keep your eyes open for my reply, we'll see if you post anything personal inside the edit window so you can edit it out.

John

thurrafork · ‎29-05-2019

OK... how about this?

1. Product name:	Plusnet Hub
2. Serial number:	****************************
3. Firmware version:	Software version 4.7.5.1.83.8.263 Last updated 29/05/19
4. Board version:	Plusnet Hub One
5. DSL uptime:	0 days, 01:56:41
6. Data rate:	19139 / 79893
7. Maximum data rate:	25796 / 79939
8. Noise margin:	9.2 / 5.9
9. Line attenuation:	7.7 / 8.4
10. Signal attenuation:	7.6 / 8.6
11. Data sent/received:	1.7 GB / 10.4 GB
12. Broadband username:	************************
13. 2.4 GHz Wireless network/SSID:	************************
14. 2.4 GHz Wireless connections:	Enabled (802.11 b/g/n (up to 144 Mb/s))
15. 2.4 GHz Wireless security:	WPA2
16. 2.4 GHz Wireless channel:	11
17. 5 GHz Wireless network/SSID:	***********************
18. 5 GHz Wireless connections:	Enabled (802.11 a/n/ac (up to 1300 Mb/s))
19. 5 GHz Wireless security:	WPA2
20. 5 GHz Wireless channel:	Automatic (Smart Wireless)
21. Firewall:	Default
22. MAC Address:	********************
23. Modulation:	G.993.2 Annex B
24. Software variant:	AA
25. Boot loader:	1.0.0

jab1 · ‎24-02-2012

Just for total security, edit out lines 13 +17.

Further comments to follow.

John

jab1 · ‎24-02-2012

Ooops - you did that in your edit.😁

John

jab1 · ‎24-02-2012

@thurrafork In your opening post you mentioned having dropouts 'several times a day', presumably like the ones recorded between 16.49.11 and 16.51.18 in your router log in the first screenshot?

This needs investigating, but should be posted on the 'Fibre' board, where people who have the experience can help - I'm afraid I can't, and the amount of personal troubleshooting you can do is somewhat more restricted than is possible on an ADSL connection.

John

thurrafork · ‎29-05-2019

Ok. Thanks for your help anyway!

The reason I posted here in the 'Router' forum was the because the crux of my concern at the time was the deluge of stuff in the Hub Manager Event Log.

I was worried that there was an unusual amount of... I don't know... attacks(?) going on.

I've looked at the Event Log in the past and there was never this much incident. After all, that great sprawl of log information I posted in my first post all occurred within two and a half hours. Is that normal?

I thought the disconnects may have occurred as a consequence of the router fighting of this barrage of attempts. Or something. I really don't know about this stuff!

But if you can assure me that this log does not communicate anything alarming, and also that it does not give a clue as to the reasons of the disconnection, then yes I will ask more simply about the disconnects in another forum.

Thanks