10-20-2021 10:50 AM
I am receiving logs that look like this snippet multiple times a day...
MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=5407 DF PROTO=TCP SPT=25731 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0
<2>Dec 31 20:53:43 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=5611 DF PROTO=TCP SPT=35225 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0
<2>Dec 31 20:53:49 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=5802 DF PROTO=TCP SPT=43853 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0
<2>Dec 31 20:54:02 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=6222 DF PROTO=TCP SPT=21560 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0
<2>Dec 31 20:54:14 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=6628 DF PROTO=TCP SPT=51288 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0
<2>Dec 31 20:54:22 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=6893 DF PROTO=TCP SPT=28146 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0
<2>Dec 31 20:54:29 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7129 DF PROTO=TCP SPT=55913 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0
<2>Dec 31 20:54:48 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=7703 DF PROTO=TCP SPT=36177 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0
<2>Dec 31 20:54:57 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=7993 DF PROTO=TCP SPT=24589 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0
<2>Dec 31 20:55:09 WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=8372 DF PROTO=TCP SPT=50088 DPT=3391 WINDOW=0 RES=0x00 RST URGP=0
<2>Dec 31 20:55:19 WRP500 SPI IN=br0 OUT=
This looks to me like IP 5.188.206.230 is trying to connect using port 3391. Since this IP is based in Bulgaria and we have no contacts or employees there, I suspect that someone is trying to connect remotely without permission. Would this be a correct assessment?
Thanks in advance.
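As an added example (not part of the thread or the router's software), a small Python parser for SPI records in the format quoted above: it splits the run-together records on their syslog priority prefix, groups hits by source and destination port, and reports which TCP flags were seen, so a reader can tell SYNs (fresh connection attempts) from bare RSTs. The sample log, the record template and the helper names are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample built from three of the records quoted in the post (DST is masked there too).
RECORD = ("<2>Dec 31 {ts} WRP500 SPI IN=br0 OUT= MAC=c0:7b:bc:eb:25:28:00:00:5e:00:01:73:08:00 "
          "src=5.188.206.230 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID={id} DF "
          "PROTO=TCP SPT={spt} DPT=3391 WINDOW=0 RES=0x00 RST URGP=0")
SAMPLE_LOG = " ".join(RECORD.format(ts=t, id=i, spt=s) for t, i, s in
                      [("20:53:43", 5611, 35225), ("20:53:49", 5802, 43853), ("20:54:02", 6222, 21560)])

RECORD_SPLIT = re.compile(r"(?=<\d+>)")          # every record starts with a syslog <PRI>
HEADER = re.compile(r"^<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) SPI (.*)$")
FLAGS = {"DF", "SYN", "ACK", "RST", "FIN", "PSH", "URG"}  # bare tokens carrying no '='

def parse_record(text):
    # Return one record as a dict, or None if the chunk has no complete SPI header.
    m = HEADER.match(text.strip())
    if not m:
        return None
    pri, stamp, host, body = m.groups()
    rec = {"pri": int(pri), "host": host, "flags": set()}
    # Syslog stamps carry no year, and this router's clock is wrong anyway: only deltas matter.
    rec["time"] = datetime.strptime(stamp, "%b %d %H:%M:%S")
    for tok in body.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key.lower()] = val               # 'src=' is lowercase in the log, 'DST=' is not
        elif tok in FLAGS:
            rec["flags"].add(tok)
    return rec

def summarise(log_text, min_hits=3):
    # Group records by (src, proto, dpt) and report sources hitting one port repeatedly.
    buckets = defaultdict(list)
    for chunk in RECORD_SPLIT.split(log_text):
        rec = parse_record(chunk)
        if rec and "src" in rec and "dpt" in rec:
            buckets[(rec["src"], rec.get("proto"), rec["dpt"])].append(rec)
    findings = []
    for (src, proto, dpt), recs in buckets.items():
        if len(recs) < min_hits:
            continue
        times = sorted(r["time"] for r in recs)
        flags = set().union(*(r["flags"] for r in recs))
        findings.append({"src": src, "proto": proto, "dpt": dpt, "hits": len(recs),
                         "span_s": int((times[-1] - times[0]).total_seconds()),
                         "distinct_spt": len({r["spt"] for r in recs}),
                         # A SYN is a connection attempt; a bare RST with WINDOW=0 is a reset.
                         "syn_seen": "SYN" in flags, "rst_seen": "RST" in flags})
    return findings
```

Run `summarise(SAMPLE_LOG)` on the constructed sample to get one finding for 5.188.206.230 against TCP/3391 with three hits in 19 seconds, RST seen and no SYN; on a real export, paste the whole run-together line in place of SAMPLE_LOG.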
10-20-2021 12:59 PM
3391 is the RDS port. Is this router an edge to the internet? If so, you get to see these logs normally; as long as it is blocked, your router is doing its job.
As per the time, it's Dec 31? Are you looking at the right log or back logs?
10-21-2021 08:00 AM - edited 10-21-2021 10:04 AM
I have never, since we purchased this router, been able to have it display the correct time.
No, this port is not blocked, but the IP is from outside the country and not supposed to be connecting.
Thanks