# Can someone please tell me what this means?



## stizz (Jun 3, 2004)

```
Jun/03/2004 04:09:19 	Target IP(192.168.42.255), Target Port(138)			Packet Dropped
Jun/03/2004 04:09:19 	Spoof IP(192.168.42.101), Spoof Port(138)
Jun/03/2004 04:09:19 	Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect,
Jun/03/2004 04:09:19 	Target IP(192.168.42.255), Target Port(138)			Packet Dropped
Jun/03/2004 04:09:19 	Spoof IP(192.168.42.101), Spoof Port(138)
Jun/03/2004 04:09:19 	Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect,
Jun/03/2004 04:00:03 	Target IP(164.67.62.194), Target Port(123)			Packet Dropped
Jun/03/2004 04:00:03 	Spoof IP(192.168.42.101), Spoof Port(123)
Jun/03/2004 04:00:03 	Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect,
```





I assume this means someone attacked me early this morning... but I have no way to make a damage assessment.

1 D-Link wireless g router behind a dsl modem that feeds a pc and 2 macs via ethernet and lets me be wireless on my powerbook. I have no encryption, wanted to share my web connect. But if I was attacked... I don't know. From the above log, am I in danger?


----------



## brianleahy (Jun 3, 2004)

It looks to me (I could be wrong) like your firewall successfully thwarted the attack, dropping the incoming packets.


----------



## Zammy-Sam (Jun 3, 2004)

Is this your d-link log? 
192.168.x.x sounds very much like a lan-member..


----------



## scruffy (Jun 3, 2004)

Yes, that's the idea - it thinks someone is trying to spoof an internal IP address, when really they're on the outside.  So - is that ethernet address 00-0A-95-AF-6A-F4 legitimate on your LAN?  If so, then it's a false positive; if not then your firewall blocked it correctly...


----------



## stizz (Jun 3, 2004)

Zammy-Sam,

yes, it is part of my d-link log and IP(192.168.42.x) is my LAN


Scruffy,
MAC(00-0A-95-AF-6A-F4) is not my powerbook. What else might it be? It's not the router's MAC, and nothing else in the network is wireless. How do I check the MAC address on my wife's PC?


And so at least I'm relieved to hear that it looks like my firewall successfully thwarted the attacks. Here is more of the log for further analysis:

| Time | Message | Source | Destination | Note |
| --- | --- | --- | --- | --- |
| Jun/03/2004 18:47:33 | Target IP(164.67.62.194), Target Port(123) | | | Packet Dropped |
| Jun/03/2004 18:47:33 | Spoof IP(192.168.42.101), Spoof Port(123) | | | |
| Jun/03/2004 18:47:33 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 17:39:18 | Target IP(164.67.62.194), Target Port(123) | | | Packet Dropped |
| Jun/03/2004 17:39:18 | Spoof IP(192.168.42.101), Spoof Port(123) | | | |
| Jun/03/2004 17:39:18 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 16:31:03 | Target IP(164.67.62.194), Target Port(123) | | | Packet Dropped |
| Jun/03/2004 16:31:03 | Spoof IP(192.168.42.101), Spoof Port(123) | | | |
| Jun/03/2004 16:31:03 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 15:22:46 | Target IP(164.67.62.194), Target Port(123) | | | Packet Dropped |
| Jun/03/2004 15:22:46 | Spoof IP(192.168.42.101), Spoof Port(123) | | | |
| Jun/03/2004 15:22:46 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 14:14:31 | Target IP(164.67.62.194), Target Port(123) | | | Packet Dropped |
| Jun/03/2004 14:14:31 | Spoof IP(192.168.42.101), Spoof Port(123) | | | |
| Jun/03/2004 14:14:31 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 13:17:35 | Wireless PC connected | 00-0A-95-F2-5A-DA | | |
| Jun/03/2004 13:11:35 | Wireless PC connected | 00-0A-95-F2-5A-DA | | |
| Jun/03/2004 13:09:43 | Target IP(192.168.42.255), Target Port(138) | | | Packet Dropped |
| Jun/03/2004 13:09:43 | Spoof IP(192.168.42.101), Spoof Port(138) | | | |
| Jun/03/2004 13:09:43 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 13:09:43 | Target IP(192.168.42.255), Target Port(138) | | | Packet Dropped |
| Jun/03/2004 13:09:43 | Spoof IP(192.168.42.101), Spoof Port(138) | | | |
| Jun/03/2004 13:09:43 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 13:06:13 | Target IP(164.67.62.194), Target Port(123) | | | Packet Dropped |
| Jun/03/2004 13:06:13 | Spoof IP(192.168.42.101), Spoof Port(123) | | | |
| Jun/03/2004 13:06:13 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 13:03:35 | Wireless PC connected | 00-0A-95-F2-5A-DA | | |
| Jun/03/2004 12:57:36 | Target IP(192.168.42.255), Target Port(138) | | | Packet Dropped |
| Jun/03/2004 12:57:36 | Spoof IP(192.168.42.101), Spoof Port(138) | | | |
| Jun/03/2004 12:57:36 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 12:57:36 | Target IP(192.168.42.255), Target Port(138) | | | Packet Dropped |
| Jun/03/2004 12:57:36 | Spoof IP(192.168.42.101), Spoof Port(138) | | | |
| Jun/03/2004 12:57:36 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 12:57:35 | Wireless PC connected | 00-0A-95-F2-5A-DA | | |
| Jun/03/2004 12:51:35 | Wireless PC connected | 00-0A-95-F2-5A-DA | | |
| Jun/03/2004 12:45:36 | Target IP(192.168.42.255), Target Port(138) | | | Packet Dropped |
| Jun/03/2004 12:45:36 | Spoof IP(192.168.42.101), Spoof Port(138) | | | |
| Jun/03/2004 12:45:36 | Spoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect, | | | |
| Jun/03/2004 12:45:36 | Target IP(192.168.42.255), Target Port(138) | | | Packet Dropped |
| Jun/03/2004 12:45:36 | Spoof IP(192.168.42.101), Spoof Port(138) | | | |


----------



## stizz (Jun 3, 2004)

I apologize for the length, that is only 4 out of 20 pages of the log. I really don't know much about wireless, and appreciate any help in securing my network. From what I gather so far, attacks have been unsuccessful?


----------



## Zammy-Sam (Jun 4, 2004)

Here's an idea: check all MAC addresses from your computers that are connected to your d-link router. For Windows, open a DOS prompt and type 'winipcfg /all' to get the MAC.
Do you have MAC-filtering on? I would recommend this, even though the attack was successfully blocked (if it wasn't a false positive).


----------
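The check suggested in the replies above (is the flagged MAC one of your own machines?) can be run over the whole log instead of by eye. This is an added example, not part of the thread: it regroups the router's three-line entries into events and compares each flagged MAC with an inventory. The inventory contents and the cut-short 03:50:00 entry are constructed; the other lines follow the posted log's format.

```python
import re

# Constructed inventory (assumption): MACs the owner has read off their own machines.
KNOWN_MACS = {"00-0A-95-F2-5A-DA": "wireless laptop"}

# Lines in the router's format, newest first; the 03:50:00 group is constructed
# and deliberately lacks its MAC line, like the end of the posted log.
SAMPLE_LOG = """\
Jun/03/2004 13:17:35 \tWireless PC connected\t00-0A-95-F2-5A-DA
Jun/03/2004 04:09:19 \tTarget IP(192.168.42.255), Target Port(138)\t\t\tPacket Dropped
Jun/03/2004 04:09:19 \tSpoof IP(192.168.42.101), Spoof Port(138)
Jun/03/2004 04:09:19 \tSpoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect,
Jun/03/2004 04:00:03 \tTarget IP(164.67.62.194), Target Port(123)\t\t\tPacket Dropped
Jun/03/2004 04:00:03 \tSpoof IP(192.168.42.101), Spoof Port(123)
Jun/03/2004 04:00:03 \tSpoof Attack fromd MAC(00-0A-95-AF-6A-F4) Detect,
Jun/03/2004 03:50:00 \tTarget IP(192.168.42.255), Target Port(138)\t\t\tPacket Dropped
Jun/03/2004 03:50:00 \tSpoof IP(192.168.42.101), Spoof Port(138)"""

TARGET = re.compile(r"Target IP\(([\d.]+)\), Target Port\((\d+)\)")
SPOOF = re.compile(r"Spoof IP\(([\d.]+)\), Spoof Port\(\d+\)")
MAC = re.compile(r"MAC\(([0-9A-Fa-f-]{17})\)")
ASSOC = re.compile(r"Wireless PC connected\s+([0-9A-Fa-f-]{17})")

def parse_events(text):
    """Rebuild one event from each Target / Spoof IP / Spoof Attack line group."""
    events, cur = [], None
    for line in text.splitlines():
        if m := TARGET.search(line):
            cur = {"dst": m[1], "port": int(m[2]), "claimed_ip": None, "mac": None}
            events.append(cur)  # stored now, so a group missing its MAC line is kept
        elif cur and (m := SPOOF.search(line)):
            cur["claimed_ip"] = m[1]
        elif cur and (m := MAC.search(line)):
            cur["mac"] = m[1].upper()
            cur = None          # group complete
    return events

def triage(text, known=KNOWN_MACS):
    """Per flagged MAC: event count, ports, claimed IPs, inventory and wireless status."""
    associated = {m.upper() for m in ASSOC.findall(text)}
    report = {}
    for e in parse_events(text):
        mac = e["mac"] or "(MAC line missing)"
        row = report.setdefault(mac, {"events": 0, "ports": set(), "claimed_ips": set(),
            "in_inventory": mac in known, "seen_on_wireless": mac in associated})
        row["events"] += 1
        row["ports"].add(e["port"])
        row["claimed_ips"].add(e["claimed_ip"])
    return report
```

Call `triage()` on the full exported log; a flagged MAC that is absent from both the inventory and the "Wireless PC connected" entries is the one to trace to a physical machine.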



## scruffy (Jun 6, 2004)

Hmm.  I missed the wireless part.  It could be anyone connecting from the inside then; they could be in another apartment, across the street...  It could even be accidental - their laptop just happened to pick up your access point not theirs.


----------



## btoth (Jun 6, 2004)

Correct me if I'm wrong, but isn't port 138 a Windows file sharing port?


----------

