Novice user unsure of what to do about an issue, any advice welcomed.

[Skeptical.me]

I’m guessing one of those was using “../“ when doing navigation, which triggered that last line in the report. Could be benign.

Is Disroot a trusted provider?

Well, like all privacy focused services they claim to be and seem to have a decent reputation from what I've read and been told. But they are relatively new, I think. I'm only using them until I learn to setup my own instance of Nexcloud on the QNAP. Maybe I'll delete the Plex, Nextcloud, and Terminus. I'm not using them often, anyhow.

 

[kfp]

Well, like all privacy focused services they claim to be and seem to have a decent reputation from what I've read and been told. But they are relatively new, I think. I'm only using them until I learn to setup my own instance of Nexcloud on the QNAP. Maybe I'll delete the Plex, Nextcloud, and Terminus. I'm not using them often, anyhow.

Are these QNAP official packages? I’ve only had experience with Synology and their “App Store” has a mix of official and community packages, which comes with obvious security implications.

 

[Skeptical.me]

Are these QNAP official packages? I’ve only had experience with Synology and their “App Store” has a mix of official and community packages, which comes with obvious security implications.

Yup, definitely Offical Apps. But I have the QNAP Club repository installed on the NAS and use various Usenet .qpkgs


Sent from my iPhone using Tapatalk Pro

 

[Skeptical.me]

Are these QNAP official packages? I’ve only had experience with Synology and their “App Store” has a mix of official and community packages, which comes with obvious security implications.

I'm just going through all of my apps and deleting the ones I rarely use or are free and serve ads, I'll just try everything I can. I ran an app that checks to see if your iphone is jailbroken, and checks for known vulnerabilities, and flagged apps. The results were all clear.


Sent from my iPhone using Tapatalk Pro

 

[Skeptical.me]

Are these QNAP official packages? I’ve only had experience with Synology and their “App Store” has a mix of official and community packages, which comes with obvious security implications.

So I was thinking, all those blacked out lines in the first screenshot of the images above are my IP addresses. I have a dynamic IP, so how does the attacker (probably a bot, right?) know my new IP when it changes? Wouldn't that indicate malware present in one of my devices?



Sent from my iPhone using Tapatalk Pro

 

[kfp]

So I was thinking, all those blacked out lines in the first screenshot of the images above are my IP addresses. I have a dynamic IP, so how does the attacker (probably a bot, right?) know my new IP when it changes? Wouldn't that indicate malware present in one of my devices?



Sent from my iPhone using Tapatalk Pro

That was what I was trying to say, seems like there is something on your network that is attracting attention, either via opened ports (do you have IPv6? maybe you checked v4 but not v6?) or malicious software that’s phoning home retrieving a second stage payload.

 

[Skeptical.me]

That was what I was trying to say, seems like there is something on your network that is attracting attention, either via opened ports (do you have IPv6? maybe you checked v4 but not v6?) or malicious software that’s phoning home retrieving a second stage payload.

Yeah, I see you were trying to say that now. I'm going through everything on the network, unplugging 1 device at a time and waiting to see if the attacks stop.

I've scanned all the ports of different devices in my LAN and I'll post them when I get time, to see what everyone thinks.

I'm determined to find this thing. But even if someone accessed my NAS, PC, and iMac etc ... I use Veracrypt to encrypt everything (photos, medical records, financial documents etc), and the disks are encrypted anyway. So good luck to anyone looking for anything, they'd be wasting their time.


Sent from my iPhone using Tapatalk Pro

 

[Skeptical.me]

That was what I was trying to say, seems like there is something on your network that is attracting attention, either via opened ports (do you have IPv6? maybe you checked v4 but not v6?) or malicious software that’s phoning home retrieving a second stage payload.

If you would like to find what is the device for a given MAC address, just ssh into your router:

# arp -a | grep <MACADDR>

I'LL DO THIS ASAP. BUT TO EASILY FIND THE MAC ADDRESS OF THE ROUTER ITSELF IS (oops caps was on) to use the ASUS app and login from your android or ios app and the MAC Address for the router is easily found. Having written that I understand you were suggesting finding ANY devices mac address in your LAN.

 

[Balerion]

I'LL DO THIS ASAP. BUT TO EASILY FIND THE MAC ADDRESS OF THE ROUTER ITSELF IS (oops caps was on) to use the ASUS app and login from your android or ios app and the MAC Address for the router is easily found. Having written that I understand you were suggesting finding ANY devices mac address in your LAN.

Yep I meant any device other than the router itself

 

[Skeptical.me]

Are these QNAP official packages? I’ve only had experience with Synology and their “App Store” has a mix of official and community packages, which comes with obvious security implications.

So I updated to macOS Public Beta Mojave and the attacks stopped. That MAC address in the top clients is not found in my LAN scans, so maybe it is a component within the iMac???

Edit: Its interesting to note that I ran several Malwarebytes and ClamXav scans that found nothing in my iMac.

 

[kfp]

So I updated to macOS Public Beta Mojave and the attacks stopped. That MAC address in the top clients is not found in my LAN scans, so maybe it is a component within the iMac???

It looks like a Juniper Networks device MAC? Do you have one of their products at home? Perhaps a firewall or VPN of some sorts? If not, do you have some apps/software controlling such device?

 

[Skeptical.me]

It looks like a Juniper Networks device MAC? Do you have one of their products at home? Perhaps a firewall or VPN of some sorts? If not, do you have some apps/software controlling such device?

I've not heard of Juniper before.

All I have is my RT-AC87U (I use VPN clients only with policy routing - the iMac and NAS are not covered by the 87U VPN client I run ProtonVPN client on my iMac, and AirVPN in QVPN in the QNAP NAS), a Netgear GS108 switch, Little Snitch, Malwarebytes, ClamXav (on both the mac and nas), I also use WEMO devices (controlled by apps), and a security camera called Homeboy (controlled by an app).

Edit: And a Airport Time Machine from 2013 (but it's MAC address doesn't match)

 

[Skeptical.me]

It looks like a Juniper Networks device MAC? Do you have one of their products at home? Perhaps a firewall or VPN of some sorts? If not, do you have some apps/software controlling such device?

I just checked and I've been hit twice again today. and in that time the iMac was shut down. So I can rule the iMac out.

I'll do some research about the remaining apps on my iDevices.

I'll check if any of the apps on the NAS (and iOS devices) have anything to do with Juniper.

BTW thanks for your suggestions and insights. And for taking the time to reply.

 

[kfp]

I just checked and I've been hit twice again today. and in that time the iMac was shut down. So I can rule the iMac out.

I'll do some research about the remaining apps on my iDevices.

I'll check if any of the apps on the NAS (and iOS devices) have anything to do with Juniper.

BTW thanks for your suggestions and insights. And for taking the time to reply.

How are you getting internet from your ISP? As in what’s on the other end of your router? A modem or just an ethernet port on the wall?

 

[Skeptical.me]

I have a Telstra Smart modem and I have the ASUS cascaded via Ethernet from that into my bedroom.

https://www.telstra.com.au/broadband/extras/modem

I put it in bridge mode as I was planning on using the VPN server to access my LAN from the WAN at some stage.

 

[kfp]

I have a Telstra Smart modem and I have the ASUS cascaded via Ethernet from that into my bedroom.

https://www.telstra.com.au/broadband/extras/modem

I put it in bridge mode as I was planning on using the VPN server to access my LAN from the WAN at some stage.

Ah cool, that’s probably not it then, I was wondering if it’s connected to some smart Juniper switch on the other end.

Wait seems like Telstra does use Juniper
https://crowdsupport.telstra.com.au/t5/Modems-Hardware/Juniper-SRX110-Modem/td-p/710463

 

[kfp]

So iPhone problems are gone, Juniper mystery is solved, now we just got to figure out how you’re attracting those attacks.

 

[Skeptical.me]

So iPhone problems are gone, Juniper mystery is solved, now we just got to figure out how you’re attracting those attacks.

Yeah. I don't look at porn btw lol ... nor do I torrent often. I do once in awhile but haven't for a long time. I do, however, use usenet. But I have a daily Malware, and ClamXav scan setup on the NAS. The NAS does the search and downloading using Usenet clients. Its not once found any threats. But I understand that doesn't mean there isn't something there.


Sent from my iPhone using Tapatalk Pro

 

[kfp]

Yeah. I don't look at porn btw lol ... nor do I torrent often. I do once in awhile but haven't for a long time. I do, however, use usenet. But I have a daily Malware, and ClamXav scan setup on the NAS. The NAS does the search and downloading using Usenet clients. Its not once found any threats. But I understand that doesn't mean there isn't something there.

I don’t think it’s an infected device now, probably just some application that’s publishing/sharing your IPs with other people (or the service itself is malicious), using a torrent tracker could be one. I don’t think using usenet is it.

How often are the attacks? You could just google the IPs and see if they appear often on blocklists, if they do then it’s probably safe to ignore.

 

[Skeptical.me]

I don’t think it’s an infected device now, probably just some application that’s publishing/sharing your IPs with other people (or the service itself is malicious), using a torrent tracker could be one. I don’t think using usenet is it.

How often are the attacks? You could just google the IPs and see if they appear often on blocklists, if they do then it’s probably safe to ignore.

Ok, I'll do that.

Maybe it's a good idea to re-install my OS's and limit my applications too. I don't have any now but after this experience I'll never use a "hacked" apps ever again. I used to install some to fully try the app out before purchasing. I'd get them from Warez-BB but I stopped that sometime ago. I only purchase from reputable developers either closed source or FOSS from GitHub.

This has been a good learning experience.