Not worried but anyone else being port scanned constantly ATM from a particular region?

[beastobadness]

I am not one to worry about port scanning because I believe in my routers security and it keeps me sane. Don't dwell on it because it's just an everyday thing, right?
So I have happened to look at my Skynet stats and checked the general log this morning and shhheeeet!, this is very unusual for me but for approx 2 days someone has/is knocking hard.

And yes, I did check the IPs against Alienvault and Abuseipdb. Think they have something to do with the 'stuff' happening in eastern europe? Any one else being hit like this?

(Sorry if I have dropped this in the wrong place Mods, please feel free to move it)

 

[ColinTaylor]

I don't normally look at my firewall's dropped packets. Those IP addresses are "the usual (Russian) suspects" but they do seem to be a bit more frequent than I remember (but still not of a volume that would cause a problem).

Given the current situation it's probably a timely reminder to make sure your router doesn't have any ports open to the internet and you're not responding to pings either. But of course the most important thing is that your client devices are secure and have up to date anti-virus software.

 

[cptnoblivious]

My drop numbers are no higher than normal. Nor are the destinations different than what I typically see.

YMMV of course.

 

[dosborne]

There is a concerted effort on behalf of one particular, already mentioned, country to perform cyber attacks at the moment. I've seen reports of up to at least a 10 fold increase particularly against other certain countries. I would expect this to continue for at least the short term.

 

[AndreiV]

HaaS Honeypot is showing massive increase in hacking attempts.

China is going crazy , the other lot are using (as usual) IP's from around the globe, seeing hundreds of insecure devices and servers being used .

Netherlands, Poland and Lithuania seem to have some very lax security , some IP's have been reported 25000 times in 4 days.

 

[RMerlin]

There has been an increase in NAS-targeted exploits over the last year. Asustor owners got hit by Deadbolt over the past two weeks. I suspect these new targets are partly responsible for an increase in port scans. Probably a lot of money to be made through ransomware attacks on vulnerable NASes.

Last week, I had a customer server that was getting many thousands of connection attempts per day on their SSH service (that's a legacy server that was in the process of getting migrated to a new infrastructure, hence its SSH port was currently open).

 

[Daniel Skupien]

Looks like I am a victim of this very thing (a picture discovered made me think it was Russian related), I just found out about my NAS getting hacked yesterday (3/6/22), but looks like it was accessed two other times previously. I didn't know about the previous two until the third recent one happened on 3/4/22.

On 1/23/22, someone put a zip file (titled info.zip) containing the Trojan:Win32/CoinMiner!rfn through out a few directories and sub directories of a back up I made to some of the folders of my HTPC. Then on 2/24/22, essentially every folder and sub folder on my NAS had that file uploaded to it. And then finally on 3/4/22, someone basically deleted the majority of what was on the NAS, and then created a folder titled "save ukraina", and uploaded an image to it that basically told me that it was done by someone who does not want to save Ukraine.

Sort of my fault in a way, I had my NAS easily accessible, had guest login (no credentials needed) on the FTP of my Asus RT-AX88U enabled. I had it setup like that for so long that complacency was set in and so I never thought anything of it, and also what happened to my not worried/carrying about it was the fact that the NAS contained essentially no sensitive information, there was nothing really valuable or anything that would be much of a consequence to myself if taken/copied. Ultimately, the virus never actually infected either of my 2 PC's, most likely because I never opened those zip files, I very rarely access my NAS, or even use my PC's much to begin with. Heck, the only reason I found out about the Trojan containing file on my NAS was because of a recent few days of sprucing up my PC, Windows Defender is was what alerted me to it's existence and subsequent quarantining of it, which also happened to have occurred on 3/3/22, the day before someone decided to really waste my time. I call it "waste of time" because I was able to recover everything that was deleted, and the some as the file recovery program I used found a ton of recoverable files I deleted a couple or more years ago! I suppose I owe that to the fact that I didn't write to the drive hardly ever, so many sectors didn't have the opportunity to be written over, maybe 10 really inconsequential files were listed as unrecoverable.

Anyway, let my incident be a warning and encouragement to everyone else to either not be so lax in their security, and to possibly make an effort to beef it up.

First pic was how I found out about the January incident, second shows the February incident, third is my recovered files (so basically how my drive looked before March 4th), fourth is after the recent delete and insertion of folder and picture, and fifth picture shows what the image is.

 

[ColinTaylor]

@Daniel Skupien It's not clear to me whether you're talking about a NAS (e.g. Synology) or just the FTP server on your Router. If it's a NAS could you say which one as it could be useful information for others with the same device.

P.S. You mention pictures but I don't see any.

 

[beastobadness]

@Daniel Skupien I remember opening my FTP to the internet on my previous NAS, I had credentials in place though, even so I was getting about 500 log hits a day trying to access the FTP server via login. In the end, I just switched it off because I figured it just wasn't worth the stress of that maybe someone will brute force me, even with a strong password. I wouldn't dare open it via my router especially without credentials, may as well boil the kettle and invite them in for a cup of coffee LOL

I am no expert myself but VPN tunnel will always be your friend, I currently use Tailscale on my Synology NAS, it's scary how simple it is, doesn't even require forwarding ports on the router and it just works.

 

[RMerlin]

Port scanning is only getting worse over the years. A few weeks ago I logged on a customer's server that we were in the process of migrating to a new AWS instance. That server had open SSH access due to the customer's needs. The login motd would report me thousands of failed connection attempts since my previous login... less than 24 hours earlier.

 

[dosborne]

, doesn't even require forwarding ports on the router and it just works.

If it doesn't use manual port forwarding, check to see if it uses UPnP. This is a suspected entry vector for a number of current NAS attacks across a number of vendors search QLocker and Deadbolt for examples).

I would strongly advise more research if indeed you have UPnP enabled on your NAS or on your router so that you are aware of the potential threats.

 

[Daniel Skupien]

@Daniel Skupien It's not clear to me whether you're talking about a NAS (e.g. Synology) or just the FTP server on your Router. If it's a NAS could you say which one as it could be useful information for others with the same device.

P.S. You mention pictures but I don't see any.

@Daniel Skupien It's not clear to me whether you're talking about a NAS (e.g. Synology) or just the FTP server on your Router. If it's a NAS could you say which one as it could be useful information for others with the same device.

P.S. You mention pictures but I don't see any.

When I originally posted it was awaiting approval, when I tried to edit and re-attach the photos it was saying it had to be approved again

 

[Daniel Skupien]

@Daniel Skupien It's not clear to me whether you're talking about a NAS (e.g. Synology) or just the FTP server on your Router. If it's a NAS could you say which one as it could be useful information for others with the same device.

P.S. You mention pictures but I don't see any.

0 new items by Daniel Skupien

photos.app.goo.gl

Not. In the order I explained unfortunately

 

[beastobadness]

If it doesn't use manual port forwarding, check to see if it uses UPnP. This is a suspected entry vector for a number of current NAS attacks across a number of vendors search QLocker and Deadbolt for examples).

I would strongly advise more research if indeed you have UPnP enabled on your NAS or on your router so that you are aware of the potential threats.

Yes I believe it does via NAT traversal. I am currently getting to grips with it so don't fully understand as of yet but here is a link, would love your opinion.

How Tailscale works

People often ask us for an overview of how Tailscale works. We’ve been putting off answering that, because we kept changing it! But now things have started to settle down.

tailscale.com

 

[Daniel Skupien]

@Daniel Skupien It's not clear to me whether you're talking about a NAS (e.g. Synology) or just the FTP server on your Router. If it's a NAS could you say which one as it could be useful information for others with the same device.

P.S. You mention pictures but I don't see any.

Sorry, I really haven't had much time past couple days to do anything besides work so really didn't read through everything, didn't notice the important question.

It was an older external WD Passport hard drive connected to the rear USB port of the router, and only that hard drive was FTP accessible. The router of course had credentials that were needed to be accessed, but the FTP did not.

 

[ColinTaylor]

Sorry, I really haven't had much time past couple days to do anything besides work so really didn't read through everything, didn't notice the important question.

It was an older external WD Passport hard drive connected to the rear USB port of the router, and only that hard drive was FTP accessible. The router of course had credentials that were needed to be accessed, but the FTP did not.

Thanks for the clarification. Not a "NAS" as such then, just a USB attached drive.

So in this case you weren't actually hacked. You had just left your FTP server open to everyone on the internet.

 

[Clark Griswald]

So in this case you weren't actually hacked. You had just left your FTP server open to everyone on the internet.

 

[Daniel Skupien]

Thanks for the clarification. Not a "NAS" as such then, just a USB attached drive.

So in this case you weren't actually hacked. You had just left your FTP server open to everyone on the internet.

To my own shame, yes, that's correct. And I say "to my own shame" because about 10-15 years ago I was a techy/computer guy and normally would have known better, it didn't even cross my mind, also, back 10+ years ago I don't recall random people using means to find and access the average Joe's ftp to cause some havoc as a common thing. I'm sure it happened but the security issues in the past were definitely not like they apparently are today.

I haven't kept up with most computer related stuff in about a decade, my desktop PCs (which I put together) components were bought back in September 2011. About a month ago when I was playing around with my PC, I ended up looking at different pc components for the heck of it, and I have to say that what's out there now, and for those prices are from perspective absurd, but in a good way. I frankly can't grasp why the average tech guy would need some several TB of storage space unless they were ripping and or downloading full bluray isos constantly lol.

Anyway, as an update to what happened, after re attaching my usb hardrive to my router and re-enableing my ftp and this time with credentials being required, within just 12 hours of enabling it, at least 2 individuals tried accessing my WAN. I only knew about it because Monday afternoon I went to my routers GUI through my DDNS and there was a lock out for too many failed attempts. When I got in and looked at the system logs, sure enough this showed up,

"Mar 28 13:05:21 wlceventd: wlceventd_proc_event(556): eth6: Assoc 34:6F:92:10:A8:02, status: Successful (0), rssi:-25
Mar 28 13:12:33 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 194.127.167.100 in login.
Mar 28 13:16:57 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 107.116.12.19 in login lock."

 

[ColinTaylor]

To my own shame, yes, that's correct. And I say "to my own shame" because about 10-15 years ago I was a techy/computer guy and normally would have known better, it didn't even cross my mind, also, back 10+ years ago I don't recall random people using means to find and access the average Joe's ftp to cause some havoc, I'm sure it happened but the security issues in the past were definitely not like they apparently are today.

I haven't kept up with most computer related stuff in about a decade, my desktop PCs (which I put together) components were bought back in September 2011. About a month ago when I was playing around with my PC, I ended up looking at different pc components for the heck of it, and I have to say that what's out there now, and for those prices are from perspective absurd, but in a good way. I frankly can't grasp why the average tech guy would need some several TB of storage space unless they were ripping and or downloading full bluray isos constantly lol.

Anyway, as an update to what happened, after re attaching my usb hardrive to my router and re-enableing my ftp and this time with credentials being required, within just 12 hours of enabling it, at least 2 individuals tried accessing my WAN. I only knew about it because Monday afternoon I went to my routers GUI through my DDNS and there was a lock out for too many failed attempts. When I got in and looked at the system logs, sure enough this showed up,

"Mar 28 13:05:21 wlceventd: wlceventd_proc_event(556): eth6: Assoc 34:6F:92:10:A8:02, status: Successful (0), rssi:-25
Mar 28 13:12:33 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 194.127.167.100 in login.
Mar 28 13:16:57 httpd login lock: Detect abnormal logins at 5 times. The newest one was from 107.116.12.19 in login lock."

So you've enabled remote access to the router's web interface which is arguably even worse than enabling the ftp server (with credentials).

This is the very thing that everybody on this forum keeps telling people not to do. And Asus have been issuing security warnings in the last couple of weeks recommending people turn off remote access.

News - Trend Micro: Cyclops Blink Sets Sights on Asus Routers

This report discusses the technical capabilities of this Cyclops Blink malware variant that targets ASUS routers and includes a list of more than 150 current and historical command-and-control (C&C) servers of the Cyclops Blink botnet...

www.snbforums.com

 

[Daniel Skupien]

So you've enabled remote access to the router's web interface which is arguably even worse than enabling the ftp server (with credentials).

This is the very thing that everybody on this forum keeps telling people not to do. And Asus have been issuing security warnings in the last couple of weeks recommending people turn off remote access.

News - Trend Micro: Cyclops Blink Sets Sights on Asus Routers

This report discusses the technical capabilities of this Cyclops Blink malware variant that targets ASUS routers and includes a list of more than 150 current and historical command-and-control (C&C) servers of the Cyclops Blink botnet...

www.snbforums.com

The curse of not staying up-to-date with this stuff really sucks lol.

So if you should be disabling it, is there a way to access your routers GUI when abroad? If one wishes to access their own router when not home?