Am I Under Attack !?


IAAI

Very Senior Member
I have an AC68U running Merlin's 42-2.

I was working on the internet and suddenly got disconnected from 5GHz WiFi. I switched to 2GHz, logged in to check the log and found this:

Code:
May 31 05:08:19 crond[546]: time disparity of 1794848 minutes detected
May 31 05:08:30 dropbear[787]: Child connection from 116.10.191.173:20146
May 31 05:08:32 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:33 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:33 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:34 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:34 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:35 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:36 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:37 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:38 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:39 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:39 dropbear[787]: Login attempt for nonexistent user from 116.10.191.173:20146
May 31 05:08:40 dropbear[787]: Exit before auth: Max auth tries reached - user 'is invalid' from 116.10.191.173:20146
May 31 05:08:40 dropbear[789]: Child connection from 116.10.191.173:23744
May 31 05:08:45 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:45 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:46 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:46 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:47 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:47 kernel: br0: received packet on eth1 with own address as source address
May 31 05:08:48 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:48 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:49 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:50 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:50 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:51 dropbear[789]: Login attempt for nonexistent user from 116.10.191.173:23744
May 31 05:08:51 dropbear[789]: Exit before auth: Max auth tries reached - user 'is invalid' from 116.10.191.173:23744
May 31 05:08:52 dropbear[790]: Child connection from 116.10.191.173:27670
May 31 05:08:54 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:08:55 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:08:55 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:08:56 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:08:56 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:08:57 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:08:58 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:08:58 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:09:02 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:09:03 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:09:04 dropbear[790]: Login attempt for nonexistent user from 116.10.191.173:27670
May 31 05:09:04 dropbear[790]: Exit before auth: Max auth tries reached - user 'is invalid' from 116.10.191.173:27670
May 31 05:09:05 dropbear[791]: Child connection from 116.10.191.173:31985
May 31 05:09:07 dropbear[791]: Login attempt for nonexistent user from 116.10.191.173:31985
May 31 05:09:08 dropbear[791]: Login attempt for nonexistent user from 116.10.191.173:31985
May 31 05:09:09 dropbear[791]: Login attempt for nonexistent user from 116.10.191.173:31985
May 31 05:09:10 dropbear[791]: Login attempt for nonexistent user from 116.10.191.173:31985
May 31 05:09:10 dropbear[791]: Login attempt for nonexistent user from 116.10.191.173:31985
May 31 05:09:11 dropbear[791]: Login attempt for nonexistent user from 116.10.191.173:31985
May 31 05:09:12 dropbear[791]: Login attempt for nonexistent user from 116.10.191.173:31985
May 31 05:09:12 dropbear[791]: Login attempt for nonexistent user from 116.10.191.173:31985
May 31 05:09:13 dropbear[791]: Login attempt for nonexistent user from 116.10.191.173:31985
May 31 05:09:14 dropbear[791]: Exit before auth: Error reading: Connection reset by peer



I was running a Chinese iPhone app called iTools from my computer (copying music):


http://www.itools.cn/multi_lang_pc_download.htm

I restarted the router and closed the app, and I'm still getting these attacks.

I tracked the IPs; they come from the same location in China:

"31 May 2014
116.10.191.216
116.10.191.173
ISP: China Telecom Guangxi
Nanning, Guangxi (16), China
Lat: 22.8167
Lon: 108.3167"
 


This one just happened

Code:
May 31 05:42:29 dropbear[892]: Exit before auth: Max auth tries reached - user 'is invalid' from 116.10.191.216:31664
May 31 05:42:29 dropbear[894]: Child connection from 116.10.191.216:35248
May 31 05:42:34 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:34 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:34 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:35 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:35 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:36 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:37 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:37 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:38 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:38 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:39 dropbear[894]: Login attempt for nonexistent user from 116.10.191.216:35248
May 31 05:42:39 dropbear[894]: Exit before auth: Max auth tries reached - user 'is invalid' from 116.10.191.216:35248
May 31 05:42:39 dropbear[896]: Child connection from 116.10.191.216:38069
May 31 05:42:41 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:41 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:42 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:43 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:43 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:44 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:44 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:45 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:46 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:46 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:47 dropbear[896]: Login attempt for nonexistent user from 116.10.191.216:38069
May 31 05:42:47 dropbear[896]: Exit before auth: Max auth tries reached - user 'is invalid' from 116.10.191.216:38069
May 31 05:42:48 dropbear[898]: Child connection from 116.10.191.216:40365
May 31 05:42:52 dropbear[898]: Login attempt for nonexistent user from 116.10.191.216:40365
May 31 05:42:52 dropbear[898]: Exit before auth: Error reading: Connection reset by peer

I couldn't copy the rest.

I just disabled SSH.
 
Most probably the Chinese application has a backdoor listening on the SSH port. Somebody is trying to connect to it but reaches the router's ssh daemon and fails to log in. If you are not behind a firewall (for example somewhere connected to a public network) you may have trouble. Try to check which services are listening on your PC when the Chinese application is running. If nothing suspicious is found, another possibility is that the application "reported" the public IP address of your router and somebody is probing whether there is a way to connect to it from outside.
 
Turn off "Allow SSH access to Wan" = problem solved. Just random botnets scanning for insecure webservers
 

Interesting... how did you do this tracing, and get Google Earth to show this picture?
Anything you'd like to share? :rolleyes:

If not for the public... maybe a PM? :p
 
Turn off "Allow SSH access to Wan" = problem solved. Just random botnets scanning for insecure webservers

Amen... only expose services you need to have enabled...

Dropbear is fairly secure, as long as you have strong passwords/keys...

However... if you absolutely need to have SSH access...

1) Move your SSH server to another port - doesn't need to be on port 22
2) Restrict SSH to only accept access attempts from specific addresses
3) Use iptables rules to rate limit ssh connection attempts

example for #3

/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

4) Look at denyhosts and fail2ban - these are mostly focused at full-blown openssh implementations, not dropbear, but they are very good
5) Use certs, not username/password pairs for ssh - again, with a strong passphrase and key length

But again, if you don't need SSH access to your routers, don't enable it.

sfx
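Points 2 and 3 above fit together naturally as one Merlin firewall-start script, which is what the following added example shows; it is not code from sfx or from the firmware. It keeps the thread's `-m state` / `-m recent` style but puts the rules in their own chain so re-running the script does not stack duplicates, restricts WAN-side SSH to one management network before the rate limit is even consulted, and returns to the firmware's own rules instead of accepting outright. The management network 203.0.113.0/24, the chain name SSHGUARD and the limit of 4 new connections per 60 seconds are assumptions to be replaced; Merlin passes the WAN interface name as the script's first argument, and when the script is run by hand without one it only prints the rules it would install.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  -- hardened WAN-side SSH policy (example, assumptions marked)
SSH_PORT="${SSH_PORT:-22}"                       # dropbear's listening port
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.0/24}"     # assumed management network
MAX_NEW="${MAX_NEW:-4}"                          # new connections allowed per source ...
WINDOW="${WINDOW:-60}"                           # ... inside this many seconds
WAN_IF="${1:-eth0}"                              # Merlin passes the WAN interface as $1

# No argument means we were not called by the firmware: print instead of apply.
if [ -n "${1:-}" ]; then IPT="iptables"; else IPT="echo iptables"; fi

ssh_guard_rules() {
    # Own chain: create it once, flush it on every later run (idempotent).
    $IPT -N SSHGUARD 2>/dev/null || $IPT -F SSHGUARD
    # Point 2: only the management network may start a WAN-side SSH session at all.
    $IPT -A SSHGUARD ! -s "$ALLOWED_SRC" -j DROP
    # Point 3: the MAX_NEW-th new connection from one source inside WINDOW seconds is dropped.
    $IPT -A SSHGUARD -m recent --name SSH --update --seconds "$WINDOW" --hitcount "$MAX_NEW" -j DROP
    # Otherwise record this attempt and hand back to the firmware's normal rules.
    $IPT -A SSHGUARD -m recent --name SSH --set -j RETURN
    # Hook the chain for new TCP connections to the SSH port on the WAN interface only;
    # delete a previous hook first so repeated runs leave exactly one.
    $IPT -D INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSHGUARD 2>/dev/null || true
    $IPT -I INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSHGUARD
}

ssh_guard_rules
```

LAN-side sessions arrive on br0, not the WAN interface, so they are untouched; for point 1 just change SSH_PORT together with the dropbear port in the firmware's SSH settings. Check the result on the router with `iptables -L SSHGUARD -n -v` and `iptables -L INPUT -n --line-numbers`.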
 
Thanks for the tip. I did try this on my IP but it seems that this only shows where the ISP headquarters is located and not my area depending on my IP.

I live in Uppsala, Sweden but my IP shows Stockholm, about 100km to the south in the countryside... so the info you got about the China attack is probably all wrong when it comes to positioning. But thx anyway.

(It would be nice to get the area location from an IP.)
 
I don't know much about this, but I guess it depends on how good your ISP is at blocking trackers from identifying your exact location.
 
