DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Rogue Vpn connection to draytek 2960

21 Feb 2017 18:58 #1 by the pit
Rogue Vpn connection to draytek 2960 was created by the pit
Just noticed in the logs that someone has been trying to connect to my router using VPN. Interestingly, the connection was accepted even though the profile was disabled. It looks like they failed to connect, although there was a spike of traffic at that time as well. I've since removed the profile and, out of interest, used my old connection on the phone, which of course failed, and this time nothing was logged in the files. So perhaps the profile wasn't quite disabled as I thought.

22 Feb 2017 18:09 #2 by the pit
Replied by the pit on topic Re: Rogue Vpn connection to draytek 2960
These were the vpn entries

135 2017-02-21 15:39:37 Feb 21 15:39:43 Vigor [REMOTE_IPSEC_ACCESS] PASS src ip 66.240.192.138 mac 00:00:70:11:1a:d9 dst ip 81.132.18.32 proto udp DPT=500, skbmark=2/0, ctma
135 2017-02-21 17:10:42 Feb 21 17:10:48 Vigor [REMOTE_PPTP_ACCESS] PASS src ip 59.111.32.13 mac 00:af:1f:1e:14:1a dst ip 81.98.148.186 proto tcp DPT=1723, skbmark=1/0, ctmar
135 2017-02-21 17:10:42 Feb 21 17:10:48 Vigor[ REMOTE_PPTP_ACCESS] PASS src ip 59.111.32.13 mac 00:af:1f:1e:14:1a dst ip 81.98.148.186 proto tcp DPT=1723, skbmark=1/0, ctmar
135 2017-02-21 17:10:43 Feb 21 17:10:49 Vigor [REMOTE_PPTP_ACCESS] PASS src ip 59.111.32.13 mac 00:af:1f:1e:14:1a dst ip 81.98.148.186 proto tcp DPT=1723, skbmark=1/0, ctmar
135 2017-02-21 17:10:43 Feb 21 17:10:49 Vigor [REMOTE_PPTP_ACCESS] PASS src ip 175.184.164.35 mac 00:af:1f:1e:14:1a dst ip 81.98.148.186 proto tcp DPT=1723, skbmark=1/0, ctm
135 2017-02-21 17:10:43 Feb 21 17:10:50 Vigor [REMOTE_PPTP_ACCESS] PASS src ip 59.111.32.13 mac 00:af:1f:1e:14:1a dst ip 81.98.148.186 proto tcp DPT=1723, skbmark=1/0, ctmar
135 2017-02-21 22:01:46 Feb 21 22:01:52 Vigor [REMOTE_IPSEC_ACCESS] PASS src ip 198.20.69.98 mac 00:af:1f:1e:14:1a dst ip 81.98.148.186 proto udp DPT=4500, skbmark=1/0, ctma
135 2017-02-22 02:29:47 Feb 22 02:29:54 Vigor [REMOTE_IPSEC_ACCESS] PASS src ip 216.218.206.102 mac 00:af:1f:1e:14:1a dst ip 81.98.148.186 proto udp DPT=500, skbmark=1/0, ct
135 2017-02-22 02:42:25 Feb 22 02:42:33 Vigor [REMOTE_IPSEC_ACCESS] PASS src ip 216.218.206.66 mac 40:00:35:11:1f:f2 dst ip 81.132.18.32 proto udp DPT=500, skbmark=2/0, ctma

The 81.98.148.186 is the Virgin cms

24 Feb 2017 18:43 #3 by the pit
Replied by the pit on topic Re: Rogue Vpn connection to draytek 2960
Seems to be a regular occurrence. I've also noticed that when the WAN goes down it's logged in the VPN logs for some unknown reason. I've checked some of the IP addresses relating to VPN and these seem to be from China.

141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: accept client 139.162.37.156, socket[7]...
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: MGR: check initial connection socket: 7 OK...
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: CTRL: inetaddr[0]: 81.132.17.151
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: CTRL: inetaddr[1]: 139.162.37.156
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: CTRL: Client 139.162.37.156 control connection started
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: CTRL: Made a START CTRL CONN RPLY packet
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: CTRL: EOF or bad error reading ctrl packet length.
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: CTRL: couldn't read packet header (exit)
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: CTRL: CTRL read failed
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: client 139.162.37.156 control connection finished
141 2017-02-24 17:36:30 Feb 24 17:36:41 Vigor pptpd[13189]: accept client 59.111.32.13, socket[7]...
141 2017-02-24 17:36:30 Feb 24 17:36:41 Vigor pptpd[13189]: MGR: check initial connection socket: 7 OK...
141 2017-02-24 17:36:30 Feb 24 17:36:41 Vigor pptpd[13189]: MGR: initial packet length 18245 outside (0 - 220)
141 2017-02-24 17:36:30 Feb 24 17:36:41 Vigor pptpd[13189]: client 139.162.37.156 control connection finished
141 2017-02-24 17:36:30 Feb 24 17:36:41 Vigor pptpd[13189]: accept client 59.111.32.13, socket[7]...
141 2017-02-24 17:36:30 Feb 24 17:36:41 Vigor pptpd[13189]: MGR: check initial connection socket: 7 OK...
141 2017-02-24 17:36:30 Feb 24 17:36:41 Vigor pptpd[13189]: wait...1487957801_59.111.32.13
141 2017-02-24 17:36:30 Feb 24 17:36:41 Vigor pptpd[13189]: client 139.162.37.156 control connection finished
141 2017-02-24 17:36:31 Feb 24 17:36:42 Vigor pptpd[13189]: accept client 59.111.32.13, socket[7]...
141 2017-02-24 17:36:31 Feb 24 17:36:42 Vigor pptpd[13189]: MGR: check initial connection socket: 7 OK...
141 2017-02-24 17:36:31 Feb 24 17:36:42 Vigor pptpd[13189]: wait...1487957801_59.111.32.13
141 2017-02-24 17:36:31 Feb 24 17:36:42 Vigor pptpd[13189]: client 139.162.37.156 control connection finished
141 2017-02-24 17:36:32 Feb 24 17:36:43 Vigor pptpd[13189]: accept client 59.111.32.13, socket[7]...
141 2017-02-24 17:36:32 Feb 24 17:36:43 Vigor pptpd[13189]: MGR: check initial connection socket: 7 OK...
141 2017-02-24 17:36:32 Feb 24 17:36:43 Vigor pptpd[13189]: wait...1487957801_59.111.32.13
141 2017-02-24 17:36:32 Feb 24 17:36:43 Vigor pptpd[13189]: client 139.162.37.156 control connection finished

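Added example (not part of the original posts and not DrayTek code): a small Python triage script for log lines in the two formats shown above. It groups the firewall `REMOTE_*_ACCESS` entries by source address and flags PPTP clients whose control connection was malformed. The sample lines are constructed with documentation addresses, and attributing a pptpd error line to the most recently accepted client is an assumption about the log ordering.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the posts (documentation IPs/MACs).
SAMPLE = """\
135 2017-02-21 17:10:42 Feb 21 17:10:48 Vigor [REMOTE_PPTP_ACCESS] PASS src ip 192.0.2.10 mac 00:00:5e:00:53:01 dst ip 203.0.113.5 proto tcp DPT=1723, skbmark=1/0
135 2017-02-21 17:10:43 Feb 21 17:10:49 Vigor [REMOTE_PPTP_ACCESS] PASS src ip 192.0.2.10 mac 00:00:5e:00:53:01 dst ip 203.0.113.5 proto tcp DPT=1723, skbmark=1/0
135 2017-02-21 22:01:46 Feb 21 22:01:52 Vigor [REMOTE_IPSEC_ACCESS] PASS src ip 198.51.100.7 mac 00:00:5e:00:53:01 dst ip 203.0.113.5 proto udp DPT=4500, skbmark=1/0
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: accept client 198.51.100.7, socket[7]...
141 2017-02-24 04:56:22 Feb 24 04:56:31 Vigor pptpd[13189]: CTRL: EOF or bad error reading ctrl packet length.
141 2017-02-24 17:36:30 Feb 24 17:36:41 Vigor pptpd[13189]: accept client 192.0.2.10, socket[7]...
141 2017-02-24 17:36:30 Feb 24 17:36:41 Vigor pptpd[13189]: MGR: initial packet length 18245 outside (0 - 220)
"""

STAMP = r"^\d+ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
# "\[\s*" also accepts the "Vigor[ REMOTE_..." spacing variant seen in the logs.
FW = re.compile(STAMP + r".*?\[\s*(REMOTE_\w+_ACCESS)\]\s+(\w+) src ip (\S+) "
                r".*?proto (\w+) DPT=(\d+)")
ACCEPT = re.compile(STAMP + r".*?pptpd\[\d+\]: accept client ([\d.]+)")
BAD = re.compile(r"pptpd\[\d+\]: (?:CTRL: EOF or bad error|MGR: initial packet length \d+ outside)")

def summarize(text):
    """Return (per-source firewall hits, PPTP clients with a malformed control session)."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "services": set()})
    malformed, current = set(), None
    for line in text.splitlines():
        m = FW.search(line)
        if m:
            ts, rule, action, src, proto, port = m.groups()
            h = hits[src]
            h["count"] += 1
            h["first"] = h["first"] or ts
            h["last"] = ts
            h["services"].add(f"{rule}/{proto}/{port}/{action}")
            continue
        m = ACCEPT.search(line)
        if m:
            current = m.group(2)      # assumption: later pptpd lines belong to this client
        elif current and BAD.search(line):
            malformed.add(current)    # no valid PPTP control handshake was completed
    return dict(hits), malformed

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A `PASS` on these rules only shows that the packet reached the VPN service port; the pptpd lines are what show whether a control session actually got anywhere.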