300 attacks since 6. november ?

echable

Occasional Visitor
I'm using an Asus router, with built-in "AiProtection" by Trend Micro. I have all the functions turned on. I have never seen any warnings through this service, despite using an Asus router for at least 5 years.

Since the 6th of November, I have had exactly 300 "Protection events" against "Two-Way IPS".

Does this mean that someone has tried to hack me, and this router function has prevented it, 300 times in the last three weeks? What could I have done, since there are now 300 attempts at such activity while in the last five years there have been none? I've had a NAS and various open online port-forwarded music servers etc. for the whole period.

Details of "successfully prevented events" are listed like this:

2019-11-23 23:16:08  External Attacks  114.88.241.200 -> 192.168.1.200  WEB Remote Command Execution via Shell Script -1.a
2019-11-23 23:06:41  External Attacks  121.74.232.44 -> 192.168.1.200  WEB Remote Command Execution via Shell Script -1.a
2019-11-23 13:35:52  External Attacks  170.247.255.127 -> 192.168.1.200  WEB Remote Command Execution via Shell Script -1.a
2019-11-22 02:28:56  External Attacks  23.254.227.67 -> 92.221.104.37  EXPLOIT Remote Command Execution via Shell Script -2


The origin IP addresses are different it seems every time.

Almost all attacks are "WEB Remote Command Execution via Shell Script xxxx". What does this mean? How can I protect against that kind of attack specifically?

This is what AiProtection says about "Two-way IPS":

"The Two-Way Intrusion Prevention System protects any device connected to the network from spam or DDoS attacks. It also blocks malicious incoming packets to protect your router from network vulnerability attacks, such as Shellshocked, Heartbleed, Bitcoin mining, and ransomware. Additionally, Two-Way IPS detects suspicious outgoing packets from infected devices and avoids botnet attacks."

Am I correct that most of these "web remote command execution via shell script" attacks are nothing more than bots attempting to try different passwords on my website? How have they found my website?

Or does this also mean e.g. possible MITM attacks? I am not able to use even http(s) for most of my music servers.

Thank you very much for your help.
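The four events quoted above all carry the same two signature families but come from four different source addresses. An added example, not from this thread and not part of the Asus or Trend Micro product, that parses the event list in exactly the layout the post shows (timestamp, category, source IP, destination IP, signature) and summarises it from a defender's point of view: how many distinct sources there are, whether any one source or /24 block dominates (the later reply suggests looking up and blocking whole address blocks), which signatures fire, and whether the packets were headed for a port-forwarded LAN host or for the router's own WAN address. The sample input is constructed from the four events in the post; the field layout is assumed to be the one shown there.

```python
# Added example (not from the thread): parse the AiProtection "Two-Way IPS"
# event list in the layout the original post shows and summarise it so the
# reader can tell broad bot scanning (many distinct sources, one signature)
# from a single persistent source. SAMPLE_EVENTS is constructed from the
# four events quoted in the post.
import ipaddress
from collections import Counter

# Constructed sample, copied from the layout of the events in the post.
SAMPLE_EVENTS = """\
2019-11-23 23:16:08

External Attacks
114.88.241.200
192.168.1.200
WEB Remote Command Execution via Shell Script -1.a
2019-11-23 23:06:41

External Attacks
121.74.232.44
192.168.1.200
WEB Remote Command Execution via Shell Script -1.a
2019-11-23 13:35:52

External Attacks
170.247.255.127
192.168.1.200
WEB Remote Command Execution via Shell Script -1.a
2019-11-22 02:28:56

External Attacks
23.254.227.67
92.221.104.37
EXPLOIT Remote Command Execution via Shell Script -2
"""


def parse_events(text):
    """Return a list of dicts, one per event.

    After blank lines are dropped, each event occupies five lines:
    timestamp, category, source IP, destination IP, signature name.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    # Ignore a trailing partial record rather than crashing on it.
    for i in range(0, len(lines) - len(lines) % 5, 5):
        ts, category, src, dst, sig = lines[i:i + 5]
        events.append({
            "time": ts,
            "category": category,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "signature": sig,
        })
    return events


def summarise(events):
    """Aggregate by source, source /24 block, signature and destination type."""
    src_counts = Counter(str(e["src"]) for e in events)
    # Group sources by /24 so repeated hits from one block stand out
    # (the thread suggests blocking a whole block at the firewall).
    block_counts = Counter(
        str(ipaddress.ip_network(f"{e['src']}/24", strict=False)) for e in events
    )
    sig_counts = Counter(e["signature"] for e in events)
    # A private destination means the packet was headed for a LAN host
    # (e.g. a port-forwarded server); a public one targets the router's
    # own WAN address.
    to_lan = sum(1 for e in events if e["dst"].is_private)
    return {
        "total": len(events),
        "unique_sources": len(src_counts),
        "top_sources": src_counts.most_common(3),
        "top_blocks": block_counts.most_common(3),
        "signatures": sig_counts,
        "to_lan_hosts": to_lan,
        "to_router_wan": len(events) - to_lan,
        # Every event from a different source is what opportunistic scanning
        # looks like; one source responsible for most events suggests a
        # persistent actor and is worth a closer look.
        "looks_like_broad_scanning": len(src_counts) == len(events),
    }


if __name__ == "__main__":
    report = summarise(parse_events(SAMPLE_EVENTS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the four quoted events; to analyse a real export, paste the router's event list into SAMPLE_EVENTS or read it from a file. Three of the four events were forwarded toward 192.168.1.200, so the summary also answers which LAN host the port-forwards are exposing.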
These are usually just bots scanning for old exploits. If someone was targeting you specifically you would either not see it because they were successful, or you would see (I imagine) even more frequent attempts.
Thanks for the quick reply, reassuring.
No problem, some bots latched on to my ip one time and I saw hundreds of attempts like those. As long as it shows blocked attempts then you most likely have nothing to worry about.
 
Have you looked up who owns the IP addresses and how big the IP address space is? You can block the whole IP address block in the firewall. It might be a good idea for a while.
 
Yes, I looked up some of the most recent attack's IP address. One turned out to be a residential address in New Zealand. I am travelling to New Zealand for other business soon. I intend on visiting the person.
 
Any physical address associated with an Internet address shouldn’t be considered reliable. If someone could figure out my home address based on my IP address, I’d be much better behaved on the interweb...
 
Usually yes, but it sticks out from a typical IP address spoof (i.e. it's not a capital city or a major teleprovider), I think it's actually the guy's house.
 
What services do you have setup for port-forwarding? If you have anything exposed to the open Internet, expect to be compromised at some point. There is really no reason at all to be exposing any non-VPN services to the open Internet from a home network.
 