TWO WAY IPS AIPROTECTION

peace25

New Around Here
Hi,
I'm new to the forum and I'm really seeking help in the same matter as above. My router is an Asus DSL-AC68U, and since the latest firmware update from Asus and the implementation of the new AIProtection interface from Trend Micro, which lets us see the attackers and assures us lol that they are blocked, I still feel that I'm not secure and there are too many attacks on my router from different IPs!

All those hits (external attacks) are directed at one device or piece of equipment, none of mine; I checked every MAC address and none matches the one they are attacking!

When I tried to find out the vendor of the MAC address it came up as Juniper Networks 28:8A:1C. I get about 6 hits a day, sometimes 2 and sometimes more; in total it could be about 15 hits. A bit concerned here.

This is the kind of attack I get:

DATE: 2018-09-15
TIME: 16:34:55
TYPE: External Attacks
167.99.109.87 (the IP of the attacker)
XXXXXXXXX (my IP)
SECURITY ALERT: EXPLOIT Remote Command Execution via Shell Script -2
EXPLOIT Netcore Router Backdoor Access

DATE: 2018-09-15
TIME: 15:48:34
TYPE: External Attacks
209.141.48.78 (the IP of the attacker)
xx.xxx.xxx.xxx (my IP)
SECURITY ALERT: EXPLOIT Remote Command Execution via Shell Script -2

And so on. I need to find out how and why there are so many attacks. Is my ISP weak? On all my devices I'm using security software, and my router firewall is activated.

Is there anything I'm missing?

Thanks
 
Note who has registered these IP addresses. If you do not recognize the owners, you could contact them to find out what's up or just notify your ISP.
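A small triage script for the kind of entries quoted above, covering both the "how many hits, from where" question in the first post and the "find out who registered the address" advice in the reply. This is an added example, not code from the thread, from Asus or from Trend Micro. It parses a flat copy of the AiProtection "External Attacks" list into records, counts hits per source and per signature, flags repeat sources, and pulls the abuse mailbox out of an RDAP registry object. The log sample is constructed from the two alerts in the post plus a third, invented entry so that repeat counting has something to count; the RDAP document is a constructed, minimal stand-in in the RFC 9083 layout (its handles and mailbox are placeholders, not the real registration of any address here), so everything runs offline.

```python
"""Triage of AiProtection "External Attacks" entries plus abuse-contact lookup.

Added example for this thread, not code from the forum, Asus or Trend Micro.
The log and the RDAP object below are constructed samples; nothing is fetched.
"""
import ipaddress
from collections import Counter
from datetime import datetime
from typing import List, NamedTuple


class Alert(NamedTuple):
    when: datetime
    kind: str
    src: str           # remote address that triggered the signature
    dst: str           # local address as shown (the poster masked theirs)
    signatures: List[str]


# Constructed sample in the router UI's layout; the first two entries are
# the ones quoted in the post, the 2018-09-16 entry is invented.
SAMPLE_LOG = """\
DATE: 2018-09-15
TIME: 16:34:55
TYPE: External Attacks
167.99.109.87 (the IP of the attacker)
XXXXXXXXX (my IP)
SECURITY ALERT: EXPLOIT Remote Command Execution via Shell Script -2
EXPLOIT Netcore Router Backdoor Access

DATE: 2018-09-15
TIME: 15:48:34
TYPE: External Attacks
209.141.48.78 (the IP of the attacker)
xx.xxx.xxx.xxx (my IP)
SECURITY ALERT: EXPLOIT Remote Command Execution via Shell Script -2

DATE: 2018-09-16
TIME: 03:12:07
TYPE: External Attacks
209.141.48.78 (the IP of the attacker)
xx.xxx.xxx.xxx (my IP)
SECURITY ALERT: EXPLOIT Netcore Router Backdoor Access
"""


def _finish(cur: dict) -> Alert:
    src, dst = cur["addrs"][0], cur["addrs"][1]
    ipaddress.ip_address(src)  # ValueError on a garbled source line
    return Alert(datetime.fromisoformat(f"{cur['date']} {cur['time']}"),
                 cur["kind"], src, dst, cur["sigs"])


def parse_entries(text: str) -> List[Alert]:
    """Split the flat UI dump into one Alert per DATE: block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("DATE:"):
            if cur is not None:
                entries.append(_finish(cur))
            cur = {"date": line[5:].strip(), "sigs": [], "addrs": []}
        elif cur is None:
            raise ValueError(f"entry must start with DATE:, got {line!r}")
        elif line.startswith("TIME:"):
            cur["time"] = line[5:].strip()
        elif line.startswith("TYPE:"):
            cur["kind"] = line[5:].strip()
        elif line.startswith(("SECURITY ALERT:", "EXPLOIT ")):
            # keep only the signature name; one entry may list several
            cur["sigs"].append(line.split("ALERT:", 1)[-1].strip())
        else:
            # address lines: source first, destination second; the poster's
            # trailing annotation is dropped
            cur["addrs"].append(line.split()[0])
    if cur is not None:
        entries.append(_finish(cur))
    return entries


def summarize(entries: List[Alert]) -> dict:
    days = {e.when.date() for e in entries}
    return {"by_source": Counter(e.src for e in entries),
            "by_signature": Counter(s for e in entries for s in e.signatures),
            "days": len(days),
            "hits_per_day": len(entries) / len(days) if days else 0.0}


def repeat_offenders(entries: List[Alert], min_hits: int = 2) -> List[str]:
    """Sources seen at least min_hits times: the ones worth an abuse report."""
    counts = Counter(e.src for e in entries)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


# Constructed RDAP-shaped object (RFC 9083 layout); placeholder handles and
# mailbox, not the real registration of any address above.
SAMPLE_RDAP = {"handle": "NET-PLACEHOLDER", "entities": [
    {"handle": "ORG-PLACEHOLDER", "roles": ["registrant"], "entities": [
        {"handle": "ABUSE-PLACEHOLDER", "roles": ["abuse"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["email", {}, "text", "abuse@hosting.example"]]]}]}]}


def abuse_contacts(rdap: dict) -> List[str]:
    """E-mail addresses of entities holding the 'abuse' role, including
    entities nested under the registrant, as registries commonly return."""
    found = []
    for ent in rdap.get("entities", []):
        if "abuse" in ent.get("roles", []):
            found.extend(p[3] for p in ent.get("vcardArray", ["vcard", []])[1]
                         if p[0] == "email")
        found.extend(abuse_contacts(ent))
    return found


if __name__ == "__main__":
    alerts = parse_entries(SAMPLE_LOG)
    stats = summarize(alerts)
    print(f"{len(alerts)} alerts over {stats['days']} day(s), "
          f"{stats['hits_per_day']:.1f} per day")
    for ip, n in stats["by_source"].most_common():
        print(f"  {ip:>16}  {n} hit(s)")
    for ip in repeat_offenders(alerts):
        print(f"report {ip} to: {', '.join(abuse_contacts(SAMPLE_RDAP))}")
```

In practice the RDAP object comes from the registry for the address (https://rdap.org/ip/<address> redirects to the right RIR); the nested-entity walk matters because the abuse contact is often attached to the registrant entity rather than to the network object itself. Per-day rates and per-signature counts give a quicker read of whether anything changed than scrolling the UI list does.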
 
By the way, I have web access from the WAN disabled, as well as SSH. As for the authentication method, it is on BOTH; or should it be just on HTTP, as HTTPS is not supported because I don't have a certificate...
BOTH (or either) is fine for internal access. The main thing is you don't have remote access to your router enabled. Other than that, the type and number of messages you are seeing is perfectly normal.
 
Cool, thank you so much for the info. I will keep an eye on those attacks from time to time; I will even try to email the abuse@ address to gather more info or at least to stop them...
Have a nice evening :)
 
I found this thread by googling "209.141.48.78". AIProtection has blocked several hundred attacks from that particular IP address.

What's scary is that I changed IP address to a whole different range, and the attacks continued.

@peace25, which email did you send the abuse complaint to? Did you receive any reply yet? I'll send one as well.
 

It makes no difference what IP you are on; these are bots searching out unpatched ASUS routers. It's an old exploit, and they bounce off the firewall without any help from AiProtection.

https://www.abuseipdb.com/check/209.141.48.78?page=1#report

Complain all you want, they won't even bother replying.
 
It makes no difference what IP you are on; these are bots searching out unpatched ASUS routers. It's an old exploit, and they bounce off the firewall without any help from AiProtection.

Meaning you're OK, you're still protected... AiProtection just isn't doing anything besides logging ASUS firewall activity with scary prose.

OE
 
I did send an email to Digital Ocean and they replied by removing the user from their network. I still get hits from time to time, but from different IPs; not sure exactly where they are coming from! Lol, but I'm still investigating... When I get to the bottom of it I will post here.
 
Good job! On your part, I mean. Certainly not Digital Ocean being professional here, that user should be permbanned and have his accounts frozen for abuse.
 
