Solved: Port scaning?!

Marius5 · ‎18-12-2021

Hi. I am new at this so i do apologise in advance if i posted in the wrong place. I recently bought a bt device(smart hub 2)and when i logged in in admin page i notice some strange activity in there. Can someone explain what it means? Should i change something at settings?! Thank you

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=31573 DF PROTO=TCP SPT=56442 DPT=89 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=55574 DF PROTO=TCP SPT=59266 DPT=8030 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=58969 DF PROTO=TCP SPT=36794 DPT=8091 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=48078 DF PROTO=TCP SPT=37476 DPT=1024 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=58236 DF PROTO=TCP SPT=48022 DPT=8096 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=7910 DF PROTO=TCP SPT=48358 DPT=8070 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=61181 DF PROTO=TCP SPT=58066 DPT=8005 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=53823 DF PROTO=TCP SPT=38266 DPT=8009 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=31518 DF PROTO=TCP SPT=55066 DPT=7777 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=36243 DF PROTO=TCP SPT=34470 DPT=8032 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=34824 DF PROTO=TCP SPT=43242 DPT=10443 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=141 DF PROTO=TCP SPT=48864 DPT=8091 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=55434 DF PROTO=TCP SPT=49828 DPT=1024 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

01:00:02, 18 Dec.DoS(Port Scanning): IN=ppp1 OUT= MAC= src=89.248.165.38 DST=31.54.207.215 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=719 DF PROTO=TCP SPT=60506 DPT=8096 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

And there are 3 or 4 more pages of this.

13:45:11, 17 Dec.DoS(UDP Loopback): IN=ppp1 OUT= MAC= src=185.94.111.1 DST=31.54.207.215 LEN=28 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=UDP SPT=36395 DPT=19 LEN=8 MARK=0x8000000

13:14:39, 17 Dec.DoS(UDP Loopback): IN=ppp1 OUT= MAC= src=167.94.138.72 DST=31.54.207.215 LEN=29 TOS=0x00 PREC=0x00 TTL=41 ID=14984 PROTO=UDP SPT=46359 DPT=19 LEN=9 MARK=0x8000000

13:02:12, 17 Dec.CWMP: HDM socket closed successfully.

13:02:12, 17 Dec.CWMP: HTTP authentication success from pbthdm.x.x.x

13:02:12, 17 Dec.CWMP: HDM socket opened successfully.

13:02:12, 17 Dec.CWMP: HDM socket closed successfully.

13:02:12, 17 Dec.CWMP: HTTP authentication success from pbthdm.x.x.x

Keith_Beddoe · ‎18-12-2021

@Marius5

That is quite normal, its just the firewall blocking incoming connection attempts. There are thousands of port scanners on the Internet, looking for open ports.

The CWMP connections are genuine, and originate from BT, and are used to manage the home hub.

Marius5 · ‎18-12-2021

Thank you for your answer. I thought i have to change the hub settings or something.

What about this, any ideea what means?

13:45:11, 17 Dec.DoS(UDP Loopback): IN=ppp1 OUT= MAC= src=185.94.111.1 DST=31.54.207.215 LEN=28 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=UDP SPT=36395 DPT=19 LEN=8 MARK=0x8000000

licquorice · ‎18-12-2021

Again, it is just your firewall preventing a denial of service attack (dos) just ignore it. Unless you have a problem with your service, I would suggest not looking at the logs, they will just be full of entries of the firewall doing its job

Marius5 · ‎18-12-2021

Ok. Thank you for your answer.

Port scaning?!

Re: Port scaning?!

Re: Port scaning?!

Re: Port scaning?!

Re: Port scaning?!