Menu
What's new
By:
Filters Better Search

Looks like I got hacked ?! Client control connection started !!!!!!!

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

IAAI

IAAI

Very Senior Member
Nov 10 23:47:36 pptpd[851]: CTRL: Client 183.60.48.25 control connection started
Nov 10 23:47:36 pptpd[851]: CTRL: EOF or bad error reading ctrl packet length.
Nov 10 23:47:36 pptpd[851]: CTRL: couldn't read packet header (exit)
Nov 10 23:47:36 pptpd[851]: CTRL: CTRL read failed
Nov 10 23:47:36 pptpd[851]: CTRL: Client 183.60.48.25 control connection finished


SSH Is = disabled

Enable Web Access from WAN = disabled too

Enable Telnet is on

IP is from China
 
Turn Telnet off. Or was it off already before you were hacked?

If we can believe the time stamps, it doesn't seem they were logged on too long?
 
L&LD said:
Turn Telnet off. Or was it off already before you were hacked?

If we can believe the time stamps, it doesn't seem they were logged on too long?
Click to expand...

I will , it was on at that time

yeah it was not for long , may he wants to make sure that he has working client :D
 
This is coming from your PPTP VPN server. All it means is that someone connected to port 1723, the VPN server responded and they entered either a bad username or a bad password or, probably likely, both.

The timestamps are all within 1 second. The connection begins and ends in this time so you can be just about sure that nobody was connected to your network. This is what a successful connection looks like

Code: 
<29>nov 11 12:25:52 pptp[26995]: remote ip address 192.168.1.10
<29>nov 11 12:25:52 pptp[26995]: local  ip address 192.168.1.1
<30>nov 11 12:25:52 pptp[27071]: found interface br0 for proxy arp
<29>nov 11 12:25:49 pptp[27071]: mppe 128-bit stateless compression enabled
<29>nov 11 12:25:45 pptp[27071]: connect: ppp10 <--> pptp (*.*.*.*)
<30>nov 11 12:25:45 pptp[27071]: using interface ppp10
<29>nov 11 12:25:45 pptp[27071]: pppd 2.4.5 started by admin, uid 0
<30>nov 11 12:25:45 pptp[27071]: pptp plugin version 0.8.5 compiled for pppd-2.4.5, linux-2.6.22.19
<30>nov 11 12:25:45 pptp[27071]: plugin pptp.so loaded.
<30>nov 11 12:25:45 pptpd[27070]: ctrl: starting call (launching pppd, opening gre)
<30>nov 11 12:25:45 pptpd[27070]: ctrl: client 192.168.1.10 control connection started

And this is a disconnection:

Code: 
<30>nov 11 12:29:33 pptpd[27070]: ctrl: client 192.168.1.10 control connection finished
<30>nov 11 12:29:33 pptp[27071]: exit.
<29>nov 11 12:29:33 pptp[27071]: modem hangup
<29>nov 11 12:29:33 pptp[27071]: connection terminated.
<30>nov 11 12:29:30 pptp[27071]: terminating on signal 15
<30>nov 11 12:29:30 pptpd[27070]: ctrl: client pppd finish wait
<30>nov 11 12:29:30 pptpd[27070]: ctrl: client pppd term sending
<31>nov 11 12:29:30 pptpd[27070]: ctrl: reaping child ppp[27071]
<27>nov 11 12:29:30 pptpd[27070]: ctrl: ctrl read failed
<27>nov 11 12:29:30 pptpd[27070]: ctrl: couldn't read packet header (exit)
<27>nov 11 12:29:30 pptpd[27070]: ctrl: eof or bad error reading ctrl packet length.
<30>nov 11 12:29:30 pptp[27071]: sent 30799 bytes, received 41704 bytes.
<30>nov 11 12:29:30 pptp[27071]: connect time 3.7 minutes.
<30>nov 11 12:29:30 pptp[27071]: lcp terminated by peer (mppe disabled)
 
richardeid said:
This is coming from your PPTP VPN server. All it means is that someone connected to port 1723, the VPN server responded and they entered either a bad username or a bad password or, probably likely, both.

The timestamps are all within 1 second. The connection begins and ends in this time so you can be just about sure that nobody was connected to your network. This is what a successful connection looks like

Code: 
<29>nov 11 12:25:52 pptp[26995]: remote ip address 192.168.1.10
<29>nov 11 12:25:52 pptp[26995]: local  ip address 192.168.1.1
<30>nov 11 12:25:52 pptp[27071]: found interface br0 for proxy arp
<29>nov 11 12:25:49 pptp[27071]: mppe 128-bit stateless compression enabled
<29>nov 11 12:25:45 pptp[27071]: connect: ppp10 <--> pptp (*.*.*.*)
<30>nov 11 12:25:45 pptp[27071]: using interface ppp10
<29>nov 11 12:25:45 pptp[27071]: pppd 2.4.5 started by admin, uid 0
<30>nov 11 12:25:45 pptp[27071]: pptp plugin version 0.8.5 compiled for pppd-2.4.5, linux-2.6.22.19
<30>nov 11 12:25:45 pptp[27071]: plugin pptp.so loaded.
<30>nov 11 12:25:45 pptpd[27070]: ctrl: starting call (launching pppd, opening gre)
<30>nov 11 12:25:45 pptpd[27070]: ctrl: client 192.168.1.10 control connection started

And this is a disconnection:

Code: 
<30>nov 11 12:29:33 pptpd[27070]: ctrl: client 192.168.1.10 control connection finished
<30>nov 11 12:29:33 pptp[27071]: exit.
<29>nov 11 12:29:33 pptp[27071]: modem hangup
<29>nov 11 12:29:33 pptp[27071]: connection terminated.
<30>nov 11 12:29:30 pptp[27071]: terminating on signal 15
<30>nov 11 12:29:30 pptpd[27070]: ctrl: client pppd finish wait
<30>nov 11 12:29:30 pptpd[27070]: ctrl: client pppd term sending
<31>nov 11 12:29:30 pptpd[27070]: ctrl: reaping child ppp[27071]
<27>nov 11 12:29:30 pptpd[27070]: ctrl: ctrl read failed
<27>nov 11 12:29:30 pptpd[27070]: ctrl: couldn't read packet header (exit)
<27>nov 11 12:29:30 pptpd[27070]: ctrl: eof or bad error reading ctrl packet length.
<30>nov 11 12:29:30 pptp[27071]: sent 30799 bytes, received 41704 bytes.
<30>nov 11 12:29:30 pptp[27071]: connect time 3.7 minutes.
<30>nov 11 12:29:30 pptp[27071]: lcp terminated by peer (mppe disabled)
Click to expand...

so it's the VPN
 
Anzaia said:
same thing just happened again , today morning :mad:
Click to expand...

Get used to it. This is normal in 2014, and the random attempts at finding vulnerable services will only keep increasing over time.

This is not a problem, so long you use secure passwords.
 
RMerlin said:
Get used to it. This is normal in 2014, and the random attempts at finding vulnerable services will only keep increasing over time.

This is not a problem, so long you use secure passwords.
Click to expand...

is it possible to block certain IP address from connecting to VPN service through your firmware ?

yes :( , the thing is it looks like it not a bot because he uses the same IP address :D
 
Anzaia said:
is it possible to block certain IP address from connecting to VPN service through your firmware ?

yes :( , the thing is it looks like it not a bot because he uses the same IP address :D
Click to expand...

You can block him using a firewall script. Something like this:

firewall-start
Code: 
#!/bin/sh
iptables -I INPUT -s 183.60.48.25 -j DROP

However what I don't understand is, those recent log entries you posted show a private LAN IP (192.168.1.10), not a public IP. Are you sure they're not a PPTP client you configured?
 
RMerlin said:
You can block him using a firewall script. Something like this:

firewall-start
Code: 
#!/bin/sh
iptables -I INPUT -s 183.60.48.25 -j DROP

However what I don't understand is, those recent log entries you posted show a private LAN IP (192.168.1.10), not a public IP. Are you sure they're not a PPTP client you configured?
Click to expand...

no i didn't post the private one , it was someone else lol , the ip i posted was 183.60.48.25

could you please help me with this one :
where do i place the firewall script ? :)
 
Last edited:
You must log in or register to reply here.

Similar threads

J
Problems with PPTP connection on cellular
Replies
5
Views
2K
eibgrad
eibgrad
Sky
HELP: VPN client can't connect to RT-AC87R after FW update
Replies
0
Views
2K
Sky
Sky
Sky
Solved Requesting log review of possible attack
Replies
7
Views
3K
Sky
Sky
Nigel Jones
PPTP server on 384.13_4 (RT-AC3200)
Replies
1
Views
1K
Nigel Jones
Nigel Jones
R
  • Locked
Router hacked and pc accessed
Replies
8
Views
4K
dosborne
dosborne

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 850 (members: 17, guests: 833)
Top