Skynet Skynet - Router Firewall & Security Enhancements

[consorts]

For me, it blocked 23.227.38.64.

thanks dave, when i ip-whitelist 23.227.38.64 http://hirschstraps.com/ now resolves even while skynet is active. i don't understand why skynet wants to whitelist the wrong ip when i try to domain-whitelist, but whatever... at least now i can replace my watchband.

 

[Butterfly Bones]

thanks dave, when i ip-whitelist 23.227.38.64 http://hirschstraps.com/ now resolves even while skynet is active. i don't understand why skynet wants to whitelist the wrong ip when i try to domain-whitelist, but whatever... at least now i can replace my watchband.

Check this URL, you can see that hosted CDN that has 500 hosted site, some have used it for nefarious purposes.
https://otx.alienvault.com/indicator/ip/23.227.38.64

It belongs to Cloudflare in Canada, ironically, but has been misused extensively. Note you open yourself to all sites hosted under 23.227.38.64 with the Skynet whitelist. Are you sure you want to post payment info there? Good luck.

 

[Secret Squirrel Mission]

Long time lurker as I've been able to find most answers by searching others posts but I'm having trouble finding a definitive answer this time. As this is my first post I don't have a signature setup yet but I'm currently running the RT-AC88U w/ 384.12_beta1-g69e0eaefe1 firmware. I plan to update to 384.12_beta2-g7e33ba651a this weekend. Scripts being ran are amtm, diversion lite and skynet.

I've noticed some blocked outbound traffic from several devices but the most concerning are the two iPhones on the network. I've done a factory reset on one of the iPhones and started from scratch but after re-installing my apps it's still trying to send outbound requests. The other iPhone wasn't affected until yesterday but it's doing the same thing now. The information from Skynet is posted below it's the same two IP's each time and according to a quick search it's a bitly.com address. Yesterday the IP's weren't associated with the etsy.me it was a different domain.

Is this something I should be concerned about or am I being overly paranoid? If it is something to be concerned about my next step is to wipe every device in the house and start fresh. Any insight would be greatly appreciated.

Blocked Outbound Traffic
28x | 67.199.248.13 (US) | https://otx.alienvault.com/indicator/ip/67.199.248.13 | BanMalware: coinbl_hosts_browser.ipset | etsy.me
28x | 67.199.248.12 (US) | https://otx.alienvault.com/indicator/ip/67.199.248.12 | BanMalware: coinbl_hosts_browser.ipset | etsy.me

 

[bluepoint]

Long time lurker as I've been able to find most answers by searching others posts but I'm having trouble finding a definitive answer this time. As this is my first post I don't have a signature setup yet but I'm currently running the RT-AC88U w/ 384.12_beta1-g69e0eaefe1 firmware. I plan to update to 384.12_beta2-g7e33ba651a this weekend. Scripts being ran are amtm, diversion lite and skynet.

I've noticed some blocked outbound traffic from several devices but the most concerning are the two iPhones on the network. I've done a factory reset on one of the iPhones and started from scratch but after re-installing my apps it's still trying to send outbound requests. The other iPhone wasn't affected until yesterday but it's doing the same thing now. The information from Skynet is posted below it's the same two IP's each time and according to a quick search it's a bitly.com address. Yesterday the IP's weren't associated with the etsy.me it was a different domain.

Is this something I should be concerned about or am I being overly paranoid? If it is something to be concerned about my next step is to wipe every device in the house and start fresh. Any insight would be greatly appreciated.

Blocked Outbound Traffic
28x | 67.199.248.13 (US) | https://otx.alienvault.com/indicator/ip/67.199.248.13 | BanMalware: coinbl_hosts_browser.ipset | etsy.me
28x | 67.199.248.12 (US) | https://otx.alienvault.com/indicator/ip/67.199.248.12 | BanMalware: coinbl_hosts_browser.ipset | etsy.me

These outgoing blocks are preventive measures skynet provides to protect the clients from known bitcoin hosts. It does not mean the clients are infected but rather it's hitting those sites when browsing websites that have those embedded. That's at least my understanding, Adamm please correct me if I'm wrong. Use this command to have an idea of the website you're getting the block from replacing the correct IP.

sh /jffs/scripts/firewall stats search device 192.168.x.xxx

 

[martinr]

You say after reinstalling the apps (from iCloud backup?) it’s still trying to send outbound requests. Were any apps “open” in the background then? What happens if you swipe to close all background apps and reboot the iPhone and then don’t open any apps at all. Would you still see the blocked outbound requests? If not, perhaps open and then close the most likely offender and see what happens then?



Never heard of etsy.me but I see there’s an app; I assume you don’t have it installed. Do you remember the domain the IP address pointed to before etsy.me? (The name alone would be enough for me to blacklist it.)

 

[Secret Squirrel Mission]

These outgoing blocks are preventive measures skynet provides to protect the clients from known bitcoin hosts. It does not mean the clients are infected but rather it's hitting those sites when browsing websites that have those embedded. That's at least my understanding, Adamm please correct me if I'm wrong. Use this command to have an idea of the website you're getting the block from replacing the correct IP.

sh /jffs/scripts/firewall stats search device 192.168.x.xxx

It would definitely put my mind at ease if that's the case but wouldn't it also mean that my phone could still be making outbound attempts when I'm not covered by Skynet (using cell service for instance) thanks for the feedback!

 

[L&LD]

It would definitely put my mind at ease if that's the case but wouldn't it also mean that my phone could still be making outbound attempts when I'm not covered by Skynet (using cell service for instance) thanks for the feedback!

Using OpenVPN, as soon as the phone is out of range of the home/office router(s), I connect over VPN to my main router and then the cellular service is almost identical to when I'm connected over one of my routers over WiFi.

 

[Secret Squirrel Mission]

You say after reinstalling the apps (from iCloud backup?) it’s still trying to send outbound requests. Were any apps “open” in the background then? What happens if you swipe to close all background apps and reboot the iPhone and then don’t open any apps at all. Would you still see the blocked outbound requests? If not, perhaps open and then close the most likely offender and see what happens then?



Never heard of etsy.me but I see there’s an app; I assume you don’t have it installed. Do you remember the domain the IP address pointed to before etsy.me? (The name alone would be enough for me to blacklist it.)

It was a fresh install I didn't use an iCloud backup as I figured any malware would be loaded right back onto my phone. These outbound attempts are typically happening when I'm not using my phone so it could be something running in the background. I'll try a reboot as you suggested and see if any attempts are made without me opening any apps.

I definitely do not have etsy installed but the other domain associated was usaa.me and there was one other but I can't recall it right now.

 

[Secret Squirrel Mission]

Using OpenVPN, as soon as the phone is out of range of the home/office router(s), I connect over VPN to my main router and then the cellular service is almost identical to when I'm connected over one of my routers over WiFi.

Definitely an option to consider, thanks! I use the PIA app right now when I'm away from home but the curiosity of which app/site/whatever will eat me alive until I get to the bottom of this lol.

 

[martinr]

Using OpenVPN, as soon as the phone is out of range of the home/office router(s), I connect over VPN to my main router and then the cellular service is almost identical to when I'm connected over one of my routers over WiFi.

YES! Me too. I literally wouldn’t turn my phone on outside the house if I couldn’t connect back to OpenVPN Server on my router as soon as I leave home.

 

[dave14305]

It was a fresh install I didn't use an iCloud backup as I figured any malware would be loaded right back onto my phone. These outbound attempts are typically happening when I'm not using my phone so it could be something running in the background. I'll try a reboot as you suggested and see if any attempts are made without me opening any apps.

I definitely do not have etsy installed but the other domain associated was usaa.me and there was one other but I can't recall it right now.

I would turn on logging in Diversion and after you see another block from SkyNet, search the Diversion log to see what name was actually requested that returned the blocked IP. Your phone may not have requested Etsy.me, but something else.

 

[Secret Squirrel Mission]

I would turn on logging in Diversion and after you see another block from SkyNet, search the Diversion log to see what name was actually requested that returned the blocked IP. Your phone may not have requested Etsy.me, but something else.

Good Idea, I'll set that up tonight thanks

 

[martinr]

It was a fresh install I didn't use an iCloud backup as I figured any malware would be loaded right back onto my phone. These outbound attempts are typically happening when I'm not using my phone so it could be something running in the background. I'll try a reboot as you suggested and see if any attempts are made without me opening any apps.

I definitely do not have etsy installed but the other domain associated was usaa.me and there was one other but I can't recall it right now.

I wonder: is it worth looking through Location Services under Privacy and ensuring you only see Never or Whilst Using and that Always does not appear?

Worrying, especially as it’s an Apple device. You’re dead right to be concerned. Time I checked mine to see if anything’s being blocked when it’s nominally not in use.

 

[dave14305]

Good Idea, I'll set that up tonight thanks

Turns out I already had these in my /opt/var/log/dnsmasq.log yesterday from my wife's Win10 laptop, looking up "on.wsj.com", which was a CNAME for "cname.bitly.com". She reads WSJ.com.

 

[Secret Squirrel Mission]

I wonder: is it worth looking through Location Services under Privacy and ensuring you only see Never or Whilst Using and that Always does not appear?

Worrying, especially as it’s an Apple device. You’re dead right to be concerned. Time I checked mine to see if anything’s being blocked when it’s nominally not in use.

Glad I'm not being overly paranoid haha. Definitely let me know what you find out in regards to your devices.

 

[Secret Squirrel Mission]

Turns out I already had these in my /opt/var/log/dnsmasq.log yesterday from my wife's Win10 laptop, looking up "on.wsj.com", which was a CNAME for "cname.bitly.com". She reads WSJ.com.

Odd, I've had some outbound activity from my Win10 Laptop as well but nothing to do with the originally listed IP addresses above. Below is the blocked outbound connections from my Win10 Laptop if it helps anyone.
1x | 82.102.21.213 (IT) | https://otx.alienvault.com/indicator/ip/82.102.21.213 | BanMalware: normshield_high_attack.ipset
1x | 82.102.20.179 (DK) | https://otx.alienvault.com/indicator/ip/82.102.20.179 | BanMalware: alienvault_reputation.ipset
1x | 77.243.191.20 (BE) | https://otx.alienvault.com/indicator/ip/77.243.191.20 | BanMalware: bds_atif.ipset
1x | 46.246.123.33 (SE) | https://otx.alienvault.com/indicator/ip/46.246.123.33 | BanMalware: normshield_high_attack.ipset
1x | 185.230.125.50 (CH) | https://otx.alienvault.com/indicator/ip/185.230.125.50 | BanMalware: alienvault_reputation.ipset

 

[bluepoint]

It would definitely put my mind at ease if that's the case but wouldn't it also mean that my phone could still be making outbound attempts when I'm not covered by Skynet (using cell service for instance) thanks for the feedback!

Yes, the phone see the embedded bitcoin host when you're connected to the cell data but what it does I don't know but my guess is, it's not that bad. Just to be clear, your phone does not initiate the outbound connect, it happens when you go to a website where the bitcoin host resides. It's more likely a reply to the sites inquiry.
If you look at your first post, the filter that blocks the outgoing connection were browser something list, it indicates the block comes from browsing sites that has hosts blacklisted.

 

[roscoe211]

Is there a way to hide the IOT - BLOCKED events from showing in the syslog?

 

[L&LD]

Is there a way to hide the IOT - BLOCKED events from showing in the syslog?

scribe and uiScribe by @cmkelley and @Jack Yaz, respectively.

Of course, you'll need amtm and Entware installed too.

Please see my signature for the link to the amtm Step-by-Step guide for further information, if required.

 

[ttgapers]

I've pushed v6.4.0

Improving on yesterdays update, Skynet will display associated domains in various additional places in a much more efficient (and better looking!) way. This should make hunting down false positives for less tech savvy users significantly easier.

Hi @Adamm for some reason I never, ever, ever have seen the "associated domains" listed in my logs and wondering if I am missing a configuration item somewhere. I checked the code and it appears "extendedstats" is enabled when "/opt/var/log/dnsmasq.log" exists. On my rig, I have setup ""/var/log/dnsmasq.log" as the location but as expected the "extendedstats" variable shows as "disabled".

Can anyone let me know how I need to get this going? Hoping it doesn't involve installing Entware.

Thanks.