I have a NetGear RangeMax Dual Band Wireless-N Gigabit Router, model number WNDR3700.
It's been working fine, but I recently logged into it by pointing my web browser towards 192.168.1.1 and typing in my username and password.
I took a look at the security logs, and noticed several entries like:
[LAN access from remote] from 58.218.199.147:12200 to 192.168.1.2:8085, Wednesday, September 14,2011 18:00:40
[LAN access from remote] from 221.194.46.176:12200 to 192.168.1.2:8085, Wednesday, September 14,2011 12:34:00
[LAN access from remote] from 31.7.59.152:12200 to 192.168.1.2:8085, Friday, September 09,2011 22:43:25
[LAN access from remote] from 68.4.59.247:46048 to 192.168.1.91:59850, Friday, September 09,2011 22:07:16
[LAN access from remote] from 72.152.89.147:52115 to 192.168.1.91:59850, Friday, September 09,2011 21:45:59
The log is full of other entries like this too.
Does this mean LAN access was attempted or that LAN access was successful?
Should I be concerned? If so, what do I do now?
15 Answers
Just to be safe, you should follow guides to ensure your router is secured to prevent possible future access, even if these turn out to be failed attempts, especially if you had a weak password.
One of the important ones is to disable remote administration and require a physical connection to administer it. Then follow more steps to ensure it's securely configured.
See:
As for your actual question if it's attempts or success, I believe that would be more difficult to diagnose for anyone not very familiar with how detailed Netgear logging is.
If you want to be paranoid I would further advise you reset the router to factory defaults, upgrade firmware and configure it as securely as possible.
According to the Netgear forum, if you have a torrent or a number of other valid applications, you may see traffic like this. See here
[LAN access from remote] is triggered anytime an external connection is routed into the internal network via a forwarded port. This can be either an explicit (i.e., a specific port or range of ports set with port forwarding/port triggering) or an automatic (i.e., UPnP) route. Most of the time, this message indicates success, but if you have invalid port forwarding rules, this message will still appear even though the connection was not successful.
Using a P2P application, such as BitTorrent or Skype, will result in many of these logs if you have UPnP enabled - this is normal.
If you have common ports forwarded, you will see logs from port scanners.
Try getting a tool like TCPView and check which program is using the local port in question (8085 and 59850 in your logs above).
In my case, whenever I've seen these remote connections, the local port was being used by Skype, which I suppose makes sense since Skype uses P2P connections to other Skype clients.
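To decide which local ports to look up in TCPView, the log entries can be grouped by internal host and port. This is an added example, not part of the original question or answers; the function names are hypothetical, the sample lines are the ones quoted in the question, and the date format is assumed from them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the question above. The last one keeps some trailing
# text to show that the parser tolerates it.
SAMPLE_LOG = """\
[LAN access from remote] from 58.218.199.147:12200 to 192.168.1.2:8085, Wednesday, September 14,2011 18:00:40
[LAN access from remote] from 221.194.46.176:12200 to 192.168.1.2:8085, Wednesday, September 14,2011 12:34:00
[LAN access from remote] from 31.7.59.152:12200 to 192.168.1.2:8085, Friday, September 09,2011 22:43:25
[LAN access from remote] from 68.4.59.247:46048 to 192.168.1.91:59850, Friday, September 09,2011 22:07:16
[LAN access from remote] from 72.152.89.147:52115 to 192.168.1.91:59850, Friday, September 09,2011 21:45:59The log
"""

ENTRY = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), \w+, "
    r"(?P<when>\w+ \d{1,2},\s*\d{4} \d{2}:\d{2}:\d{2})"
)

def parse_entries(text):
    """Yield (src_ip, dst_ip, dst_port, timestamp) for each forwarded-connection entry."""
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # other log event types are ignored
        # Normalise "September 14,2011" to "September 14, 2011" before parsing.
        when = re.sub(r",\s*", ", ", m["when"])
        ts = datetime.strptime(when, "%B %d, %Y %H:%M:%S")
        yield m["src"], m["dst"], int(m["dport"]), ts

def summarize(text):
    """Group entries by internal (host, port): hit count, remote sources, time span."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set(), "first": None, "last": None})
    for src, dst, dport, ts in parse_entries(text):
        g = groups[(dst, dport)]
        g["hits"] += 1
        g["sources"].add(src)
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    return dict(groups)

if __name__ == "__main__":
    for (host, port), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host}:{port}  hits={g['hits']}  remote_sources={len(g['sources'])}  "
              f"{g['first']} .. {g['last']}")
```

Each (host, port) pair in the output is a forwarded port worth matching to a local program and to an explicit or UPnP forwarding rule on the router.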
In my case too these logs were caused by Skype. From the Skype docs:
When you install Skype, a port above 1024 is chosen at random as the port for incoming connections.
This explains why I couldn't find anything about the port on Google!
Full Skype Article here: