Router komprommitiert ? falsche NTP- und DNS -Server
 

Hi zusammen, heir mein Routerlog :

12/04/2012 17:44:10 192.168.2.100 login success

12/04/2012 17:36:38 sending ACK to 192.168.2.100

12/04/2012 17:36:35 sending ACK to 192.168.2.100

12/04/2012 17:35:28 Wireless xxxxxxxxxxxxx released

12/04/2012 17:30:29 sending ACK to 192.168.2.100

12/04/2012 17:30:26 sending ACK to 192.168.2.100

12/04/2012 17:07:11 NTP Date/Time updated.

12/04/2012 17:06:25 Get system time from NTP server:213.172.105.106.

12/04/2012 17:01:07 sending ACK to 192.168.2.100

12/04/2012 17:01:04 sending ACK to 192.168.2.100

12/04/2012 14:42:42 Wireless xxxxxxxxxxxx released

12/04/2012 14:42:13 sending ACK to 192.168.2.100

12/04/2012 14:42:09 sending ACK to 192.168.2.100

12/04/2012 08:42:42 Wireless xxxxxxxxxx released

12/04/2012 08:29:25 sending ACK to 192.168.2.100

12/04/2012 08:29:22 sending ACK to 192.168.2.100

12/04/2012 07:56:57 sending ACK to 192.168.2.100

12/04/2012 07:56:56 sending ACK to 192.168.2.100

12/04/2012 05:51:22 Wireless xxxxxxxxx released

12/04/2012 05:06:25 NTP Date/Time updated.

12/04/2012 05:05:39 Get system time from NTP server:89.238.75.57.

12/04/2012 03:16:12 sending ACK to 192.168.2.100

12/04/2012 03:16:07 sending ACK to 192.168.2.100

12/04/2012 03:15:16 Wireless xxxxxxxxxxxxxx released

12/03/2012 23:28:46 sending ACK to 192.168.2.100

12/03/2012 17:47:36 Wireless xxxxxxxxx released

12/03/2012 17:05:39 NTP Date/Time updated.

12/03/2012 17:04:53 Get system time from NTP server:5.9.55.149.

12/03/2012 12:47:29 sending ACK to 192.168.2.100

12/03/2012 12:47:26 sending ACK to 192.168.2.100

12/03/2012 08:52:30 Wireless xxxxxxxxxx released

12/03/2012 08:34:18 sending ACK to 192.168.2.100

12/03/2012 08:34:17 sending ACK to 192.168.2.100

12/03/2012 05:49:50 Wireless xxxxxxxxxx released

12/03/2012 05:49:34 sending ACK to 192.168.2.100

12/03/2012 05:04:53 NTP Date/Time updated.

12/03/2012 05:04:06 Get system time from NTP server:217.145.111.66.

12/02/2012 23:49:23 Wireless xxxxxxxxxxxx released

12/02/2012 23:42:20 sending ACK to 192.168.2.100

12/02/2012 23:33:43 Wireless xxxxxxxxxxxxxxxx released

12/02/2012 21:17:15 sending ACK to 192.168.2.100

12/02/2012 21:17:11 sending ACK to 192.168.2.100

12/02/2012 21:16:03 Wireless xxxxxxxxxxxxxxx released

12/02/2012 19:43:17 sending ACK to 192.168.2.100

12/02/2012 19:43:14 sending ACK to 192.168.2.100

12/02/2012 19:41:03 Wireless xxxxxxxxxxxx released

12/02/2012 19:20:42 sending ACK to 192.168.2.100

12/02/2012 19:20:42 sending OFFER to 192.168.2.100

12/02/2012 17:04:36 NTP Date/Time updated.

06/28/2012 09:23:57 Get system time from NTP server:89.238.76.77.

06/28/2012 09:23:53 If(PPPoE1) PPP connection ok !

06/28/2012 09:23:53 If(PPPoE2) PPP connection ok !

06/28/2012 09:23:52 If(PPPoE1) get secondary DNS IP:195.50.140.246

06/28/2012 09:23:52 If(PPPoE1) get primary DNS IP:195.50.140.248

06/28/2012 09:23:52 If(PPPoE1) get IP:88.78.103.166

06/28/2012 09:23:52 If(PPPoE2) get secondary DNS IP:10.64.17.6

06/28/2012 09:23:52 If(PPPoE2) get primary DNS IP:10.64.33.6

06/28/2012 09:23:52 If(PPPoE2) get IP:10.144.109.118

06/28/2012 09:23:52 If(PPPoE2) start PPP

06/28/2012 09:23:52 If(PPPoE2) receive PADS

06/28/2012 09:23:52 If(PPPoE1) start PPP

06/28/2012 09:23:52 If(PPPoE1) receive PADS

06/28/2012 09:23:52 If(PPPoE2) send PADR

06/28/2012 09:23:52 If(PPPoE2) receive PADO

06/28/2012 09:23:52 If(PPPoE1) send PADR

06/28/2012 09:23:52 If(PPPoE1) receive PADO

06/28/2012 09:23:51 If(PPPoE2) send PADI

06/28/2012 09:23:51 If(PPPoE1) send PADI

06/28/2012 09:23:46 If(PPPoE2) send PADI

06/28/2012 09:23:46 If(PPPoE1) send PADI

06/28/2012 09:23:46 ADSL Media Up !

Whois anfragen ergaben:
213.172.105.106 www.blazing.de verdächtig
89.238.75.57 hxxp://www.pool.ntp.org/de/ zeitserver
5.9.55.149 https://wiki.pageup.me/ zertifikat wird nicht vertraut
217.145.111.66 zeitserver??
89.238.76.77 verdächtig


06/28/2012 09:23:52 If(PPPoE1) get primary DNS IP:195.50.140.248 arcor
06/28/2012 09:23:52 If(PPPoE1) get IP:88.78.103.166 arcor
06/28/2012 09:23:52 If(PPPoE2) get secondary DNS IP:10.64.17.6 verdächtig
06/28/2012 09:23:52 If(PPPoE2) get primary DNS IP:10.64.33.6 verdächtig
06/28/2012 09:23:52 If(PPPoE2) get IP:10.144.109.118
10.144.109.118 verdächtig


Wie kann das sein, was kann ich dagegen machen ? Wenn ich die Firmware resete , bin ich auf der sicheren seite ?

Danke

Hallo und :hallo:

Warum bitte soll das verdächtig sein?!

Und? So ist das bei selbstunterschriebenen Zertifikaten immer
Du kennst wiki.pageup.me und blazing.de?

Vllt mal lesen was NTP bedeutet? => Network Time Protocol

Warum denn gleich so hysterisch?!
Nur weil man manche Sachen aus dem Log nicht sofort interpretieren kann, setzt man doch nciht gleich alles mit blindem Aktionismus zurück :wtf:

Hast du den Router so eingestellt, dass er nur aus deinem internen Netzwerk aus administiert werden kann? Unabhängig davon, wurde wurde Passwort vom Router geändert?! Wenn nein: unbedingt machen, bei Routern ist das immer wieder die Nachlässigkeit, die zu den meisten Sicherheitsproblemen geführt hat!