Solved Requesting log review of possible attack

[Sky]

Greetings. I have been seeing some strange listings in my General SysLog. I added line feeds & emphasis to make it clearer to read. I think what's happening is the actual user name (replaced by _USERNAME_ below) may be compromised. I can't tell from this if the password is also compromised or is under attack. The ip's come back to Russia & rotate. This has been going on since 20-Jan.

If I blacklist the entire apparent attacking network, 92.63.194., in Firewall>URL Filter (leaving off the last octet is supposed to block 1-255) the router refuses access to all clients on the LAN, including hardwire via the switch. The only access is by reset > direct hardwire to the router; client access is only restored by removing that block. I can't see any reason Asus or its partners would be using a network in Russia, so that's confusing.

Also, I saw this entry at WAN>NAT Passthrough: FTP_ALG Port 2021. This appears to be a default in the new FW. Is this normal?

RT-AC87R | FW is 3.0.0.4.382_51939-g3ecf3e2 & signature checks OK.

::: Last normal entry:::
Feb 17 03:04:36 hour monitor: ntp sync fail, will retry after 120 sec

<< START ATTACK? >>

Feb 17 08:56:33 pptp[6748]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:33 pptp[6748]: Connect: pptp0 <--> pptp (92.63.194.91)
Feb 17 08:56:33 pptp[6748]: appear to have received our own echo-reply!
Feb 17 08:56:33 pptp[6748]: No CHAP secret found for authenticating admin
Feb 17 08:56:33 pptp[6748]: Peer admin failed CHAP authentication
Feb 17 08:56:33 pptpd[6747]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:33 pptpd[6747]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:33 pptpd[6747]: CTRL: CTRL read failed

Feb 17 08:56:34 pptp[6758]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:34 pptp[6758]: Couldn't allocate PPP unit 10 as it is already in use
Feb 17 08:56:34 pptp[6758]: Connect: pptp1 <--> pptp (92.63.194.92)
Feb 17 08:56:34 pptp[6758]: appear to have received our own echo-reply!
Feb 17 08:56:34 pptp[6758]: No CHAP secret found for authenticating vpn
Feb 17 08:56:34 pptp[6758]: Peer vpn failed CHAP authentication
Feb 17 08:56:35 pptpd[6757]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:35 pptpd[6757]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:35 pptpd[6757]: CTRL: CTRL read failed

Feb 17 08:56:35 pptp[6770]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:35 pptp[6770]: Couldn't allocate PPP unit 10 as it is already in use
Feb 17 08:56:35 pptp[6770]: Couldn't allocate PPP unit 11 as it is already in use
Feb 17 08:56:35 pptp[6770]: Connect: pptp2 <--> pptp (92.63.194.93)
Feb 17 08:56:36 pptp[6770]: appear to have received our own echo-reply!
Feb 17 08:56:36 pptp[6770]: No CHAP secret found for authenticating test
Feb 17 08:56:36 pptp[6770]: Peer test failed CHAP authentication
Feb 17 08:56:36 pptpd[6769]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:36 pptpd[6769]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:36 pptpd[6769]: CTRL: CTRL read failed

Feb 17 08:56:36 pptp[6782]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:36 pptp[6782]: Couldn't allocate PPP unit 10 as it is already in use
Feb 17 08:56:36 pptp[6782]: Couldn't allocate PPP unit 11 as it is already in use
Feb 17 08:56:36 pptp[6782]: Couldn't allocate PPP unit 12 as it is already in use
Feb 17 08:56:36 pptp[6782]: Connect: pptp3 <--> pptp (92.63.194.94)
Feb 17 08:56:37 pptp[6782]: appear to have received our own echo-reply!
Feb 17 08:56:37 pptp[6782]: No CHAP secret found for authenticating 1
Feb 17 08:56:37 pptp[6782]: Peer 1 failed CHAP authentication
Feb 17 08:56:37 pptpd[6781]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:37 pptpd[6781]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:37 pptpd[6781]: CTRL: CTRL read failed

Feb 17 08:56:38 pptp[6794]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:38 pptp[6794]: Couldn't allocate PPP unit 10 as it is already in use
Feb 17 08:56:38 pptp[6794]: Couldn't allocate PPP unit 11 as it is already in use
Feb 17 08:56:38 pptp[6794]: Couldn't allocate PPP unit 12 as it is already in use
Feb 17 08:56:38 pptp[6794]: Couldn't allocate PPP unit 13 as it is already in use
Feb 17 08:56:38 pptp[6794]: Connect: pptp4 <--> pptp (92.63.194.95)
Feb 17 08:56:38 pptp[6794]: appear to have received our own echo-reply!
Feb 17 08:56:38 pptp[6794]: No CHAP secret found for authenticating 123
Feb 17 08:56:38 pptp[6794]: Peer 123 failed CHAP authentication
Feb 17 08:56:38 pptpd[6793]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:38 pptpd[6793]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:38 pptpd[6793]: CTRL: CTRL read failed

Feb 17 08:56:39 pptp[6806]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:39 pptp[6806]: Couldn't allocate PPP unit 10 as it is already in use
Feb 17 08:56:39 pptp[6806]: Couldn't allocate PPP unit 11 as it is already in use
Feb 17 08:56:39 pptp[6806]: Couldn't allocate PPP unit 12 as it is already in use
Feb 17 08:56:39 pptp[6806]: Couldn't allocate PPP unit 13 as it is already in use
Feb 17 08:56:39 pptp[6806]: Couldn't allocate PPP unit 14 as it is already in use
Feb 17 08:56:39 pptp[6806]: Connect: pptp5 <--> pptp (92.63.194.47)
Feb 17 08:56:39 pptp[6806]: appear to have received our own echo-reply!
Feb 17 08:56:39 pptp[6806]: No CHAP secret found for authenticating 111
Feb 17 08:56:39 pptp[6806]: Peer 111 failed CHAP authentication
Feb 17 08:56:39 pptp[6748]: Connection terminated.
Feb 17 08:56:39 pptp[6748]: Modem hangup

Feb 17 08:56:39 pptpd[6805]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:39 pptpd[6805]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:39 pptpd[6805]: CTRL: CTRL read failed

Feb 17 08:56:40 pptp[6823]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:40 pptp[6823]: Connect: pptp0 <--> pptp (92.63.194.91)
Feb 17 08:56:40 pptp[6823]: appear to have received our own echo-reply!
Feb 17 08:56:40 pptp[6823]: No CHAP secret found for authenticating user
Feb 17 08:56:40 pptp[6823]: Peer user failed CHAP authentication
Feb 17 08:56:40 pptp[6758]: Connection terminated.
Feb 17 08:56:41 pptp[6758]: Modem hangup

Feb 17 08:56:41 pptpd[6822]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:41 pptpd[6822]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:41 pptpd[6822]: CTRL: CTRL read failed

Feb 17 08:56:41 pptp[6838]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:41 pptp[6838]: Couldn't allocate PPP unit 10 as it is already in use
Feb 17 08:56:41 pptp[6838]: Connect: pptp1 <--> pptp (92.63.194.92)
Feb 17 08:56:42 pptp[6838]: appear to have received our own echo-reply!
Feb 17 08:56:42 pptp[6838]: No CHAP secret found for authenticating vpn
Feb 17 08:56:42 pptp[6838]: Peer vpn failed CHAP authentication
Feb 17 08:56:42 pptp[6770]: Connection terminated.

Feb 17 08:56:42 pptpd[6837]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:42 pptpd[6837]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:42 pptpd[6837]: CTRL: CTRL read failed
Feb 17 08:56:42 pptp[6770]: Modem hangup

(continued in next post -- character count a bit long)
​

 

[Sky]

(continued from above)

Feb 17 08:56:42 pptp[6855]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:42 pptp[6855]: Couldn't allocate PPP unit 10 as it is already in use
Feb 17 08:56:42 pptp[6855]: Couldn't allocate PPP unit 11 as it is already in use
Feb 17 08:56:42 pptp[6855]: Connect: pptp2 <--> pptp (92.63.194.93)
Feb 17 08:56:43 pptp[6855]: appear to have received our own echo-reply!
Feb 17 08:56:43 pptp[6855]: No CHAP secret found for authenticating Admin
Feb 17 08:56:43 pptp[6855]: Peer Admin failed CHAP authentication
Feb 17 08:56:43 pptp[6782]: Connection terminated.

Feb 17 08:56:43 pptpd[6854]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:43 pptpd[6854]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:43 pptpd[6854]: CTRL: CTRL read failed
Feb 17 08:56:43 pptp[6782]: Modem hangup

Feb 17 08:56:44 pptp[6870]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:44 pptp[6870]: Couldn't allocate PPP unit 10 as it is already in use
Feb 17 08:56:44 pptp[6870]: Couldn't allocate PPP unit 11 as it is already in use
Feb 17 08:56:44 pptp[6870]: Couldn't allocate PPP unit 12 as it is already in use
Feb 17 08:56:44 pptp[6870]: Connect: pptp3 <--> pptp (92.63.194.94)
Feb 17 08:56:44 pptp[6870]: appear to have received our own echo-reply!
Feb 17 08:56:44 pptp[6870]: No CHAP secret found for authenticating 11
Feb 17 08:56:44 pptp[6870]: Peer 11 failed CHAP authentication
Feb 17 08:56:44 pptp[6794]: Connection terminated.

Feb 17 08:56:44 pptpd[6869]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:44 pptpd[6869]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:44 pptpd[6869]: CTRL: CTRL read failed
Feb 17 08:56:44 pptp[6794]: Modem hangup

Feb 17 08:56:45 pptp[6885]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:45 pptp[6885]: Couldn't allocate PPP unit 10 as it is already in use
Feb 17 08:56:45 pptp[6885]: Couldn't allocate PPP unit 11 as it is already in use
Feb 17 08:56:45 pptp[6885]: Couldn't allocate PPP unit 12 as it is already in use
Feb 17 08:56:45 pptp[6885]: Couldn't allocate PPP unit 13 as it is already in use
Feb 17 08:56:45 pptp[6885]: Connect: pptp4 <--> pptp (92.63.194.95)
Feb 17 08:56:45 pptp[6885]: appear to have received our own echo-reply!
Feb 17 08:56:45 pptp[6885]: No CHAP secret found for authenticating 1111
Feb 17 08:56:45 pptp[6885]: Peer 1111 failed CHAP authentication
Feb 17 08:56:45 pptp[6806]: Connection terminated.

Feb 17 08:56:45 pptpd[6884]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:45 pptpd[6884]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:45 pptpd[6884]: CTRL: CTRL read failed
Feb 17 08:56:45 pptp[6806]: Modem hangup

Feb 17 08:56:46 pptp[6901]: pppd 2.4.7 started by _USERNAME_, uid 0
Feb 17 08:56:46 pptp[6901]: Couldn't allocate PPP unit 10 as it is already in use
Feb 17 08:56:46 pptp[6901]: Couldn't allocate PPP unit 11 as it is already in use
Feb 17 08:56:46 pptp[6901]: Couldn't allocate PPP unit 12 as it is already in use
Feb 17 08:56:46 pptp[6901]: Couldn't allocate PPP unit 13 as it is already in use
Feb 17 08:56:46 pptp[6901]: Couldn't allocate PPP unit 14 as it is already in use
Feb 17 08:56:46 pptp[6901]: Connect: pptp5 <--> pptp (92.63.194.47)
Feb 17 08:56:46 pptp[6901]: appear to have received our own echo-reply!
Feb 17 08:56:46 pptp[6901]: No CHAP secret found for authenticating 1234
Feb 17 08:56:46 pptp[6901]: Peer 1234 failed CHAP authentication
Feb 17 08:56:46 pptp[6823]: Connection terminated.

Feb 17 08:56:47 pptpd[6900]: CTRL: EOF or bad error reading ctrl packet length.
Feb 17 08:56:47 pptpd[6900]: CTRL: couldn't read packet header (exit)
Feb 17 08:56:47 pptpd[6900]: CTRL: CTRL read failed
Feb 17 08:56:47 pptp[6823]: Modem hangup

Feb 17 08:56:48 pptp[6838]: Connection terminated.
Feb 17 08:56:48 pptp[6838]: Modem hangup

Feb 17 08:56:49 pptp[6855]: Connection terminated.
Feb 17 08:56:49 pptp[6855]: Modem hangup

Feb 17 08:56:50 pptp[6870]: Connection terminated.
Feb 17 08:56:50 pptp[6870]: Modem hangup

Feb 17 08:56:51 pptp[6885]: Connection terminated.
Feb 17 08:56:51 pptp[6885]: Modem hangup

Feb 17 08:56:52 pptp[6901]: Connection terminated.
Feb 17 08:56:53 pptp[6901]: Modem hangup

<< ATTACK TERMINATED|FAIL(?) >>

::: Resumes normal entries :::
Feb 17 11:56:04 rc_service: httpds 265:notify_rc restart_wireless

 

[ColinTaylor]

You have the router's PPTP VPN server activated and you are being port scanned. Turn off the PPTP server.

 

[Sky]

VPN Server now off

1. How can an outsider "see" that?
   
2. Why does blocking access to that network from the LAN cause the router to lock out local WiFi and hardwired clients?
3. Am I correct that the user name has been compromised? -or-
   
4. Does that mean Asus' DDNS data has been compromised?
   
5. Is that FTP_ALG port 2021 entry "normal" and "ok"?
6. If a legitimate user needs to use the VPN, will/can this activity effect that?

 

[ColinTaylor]

1. They're bots. They are just scanning entire blocks of IP addresses and commonly used ports. PPTP servers use port 1723.
2. You're using the wrong tool. The URL filter blocks outgoing "URLs" not IP addresses. Putting an IP address in there probably broke the existing firewall rules.
3. No.
4. No.
5. Yes and yes.
6. PPTP VPN is insecure and obsolete. If you need remote access use OpenVPN instead.

EDIT: In addition to point 1 above, the bots were also trying to connect using common default user IDs and passwords. Fortunately you weren't using a default user ID and password (like admin/admin).

 

[Sky]

1. They're bots. They are just scanning entire blocks of IP addresses and commonly used ports. PPTP servers use port 1723.

That's weirdly nice to hear.

2. You're using the wrong tool. The URL filter blocks "URLs" not IP addresses. Putting an IP address in there probably broke the existing firewall rules.

Is there a right tool for blocking WAN IPs or groups of IPs?

6. PPTP VPN is insecure and obsolete. If you need remote access use OpenVPN instead.

EDIT: In addition to point 1 above, the bots were also trying to connect using common default user IDs and passwords. Fortunately you weren't using a default user ID and password (like admin/admin).

I realize PPTP is insecure and obsolete, but there are some reasons *for now* that I have to use it hence my question: "If a legitimate user needs to use the VPN, will/can this activity effect that?" And, is there any reasonable way to mitigate such effect (short of using a different protocol)?

 

[ColinTaylor]

Is there a right tool for blocking WAN IPs or groups of IPs?

Not explicitly. AiProtection should do that to certain extent. Otherwise, you'd either have write you own firewall-start script or use something like Skynet.

I realize PPTP is insecure and obsolete, but there are some reasons *for now* that I have to use it hence my question: "If a legitimate user needs to use the VPN, will/can this activity effect that?" And, is there any reasonable way to mitigate such effect (short of using a different protocol)?

It won't have much effect other than creating annoying messages in the log.

 

[Sky]

It won't have much effect other than creating annoying messages in the log.

Hooray!

Nothing like needless worry coupled with knowing 'just enough to get into trouble'.

Thanks, Collin!