Am I being hacked?


SmallNetGuy

Regular Contributor
Hi,

I'm sorry if I sound paranoid or stupid (or both)... My router/networking knowledge is rather limited. I've checked my router logs, and among the usual things, I found a couple of lines that I did not see before. I am from Canada, and these "Client" IPs (139.162.102.46 and 80.82.77.139) are not mine for sure. Should I be worried? I'd greatly appreciate it if someone could tell me how to secure my connection. I have a quite long login password using alphanumeric characters combined with some special characters. Not sure if there is anything in my router settings that I could disable to make it more secure.

Thanks in advance to any good soul who is willing to help this idiot here :(

These are a few parts from my router logs:
Apr 3 12:33:52 pptpd[8662]: CTRL: Client 139.162.102.46 control connection started
Apr 3 12:33:52 pptpd[8662]: CTRL: EOF or bad error reading ctrl packet length.
Apr 3 12:33:52 pptpd[8662]: CTRL: couldn't read packet header (exit)
Apr 3 12:33:52 pptpd[8662]: CTRL: CTRL read failed
Apr 3 12:33:52 pptpd[8662]: CTRL: Client 139.162.102.46 control connection finished
Apr 3 13:02:39 dnsmasq-dhcp[2531]: DHCPDISCOVER(br0) 02:1b:b3:70:c3:11
Apr 3 13:02:39 dnsmasq-dhcp[2531]: DHCPOFFER(br0) 192.168.1.15 03:1a:b3:30:b0:31
Apr 3 13:02:40 dnsmasq-dhcp[2531]: DHCPREQUEST(br0) 192.168.1.15 03:1a:b3:72:b0:31
Apr 3 13:02:40 dnsmasq-dhcp[2531]: DHCPACK(br0) 192.168.1.15 00:1b:c3:70:b2:13
Apr 3 13:24:32 dnsmasq-dhcp[2531]: DHCPREQUEST(br0) 192.168.1.153 d3:96:4e:28:4a:48
Apr 3 13:24:32 dnsmasq-dhcp[2531]: DHCPACK(br0) 192.168.1.153 d4:42:9e:23:8a:58
Apr 3 13:55:37 dnsmasq-dhcp[2531]: DHCPREQUEST(br0) 192.168.1.21 44:64:95:55:a3:2d
Apr 3 13:55:37 dnsmasq-dhcp[2531]: DHCPACK(br0) 192.168.1.21 33:64:95:53:a2:2b
.
.
Apr 18 20:13:11 pptpd[32235]: CTRL: Client 139.162.102.46 control connection started
Apr 18 20:13:12 pptpd[32235]: CTRL: EOF or bad error reading ctrl packet length.
Apr 18 20:13:12 pptpd[32235]: CTRL: couldn't read packet header (exit)
Apr 18 20:13:12 pptpd[32235]: CTRL: CTRL read failed
Apr 18 20:13:12 pptpd[32235]: CTRL: Client 139.162.102.46 control connection finished
.
.
Apr 21 08:33:25 pptpd[8959]: CTRL: Client 80.82.77.139 control connection started
Apr 21 08:33:25 pptpd[8959]: CTRL: EOF or bad error reading ctrl packet length.
Apr 21 08:33:25 pptpd[8959]: CTRL: couldn't read packet header (exit)
Apr 21 08:33:25 pptpd[8959]: CTRL: CTRL read failed
Apr 21 08:33:25 pptpd[8959]: CTRL: Client 80.82.77.139 control connection finished
.
.
Apr 21 10:03:00 pptpd[9187]: CTRL: Client 139.162.102.46 control connection started
Apr 21 10:03:00 pptpd[9187]: CTRL: EOF or bad error reading ctrl packet length.
Apr 21 10:03:00 pptpd[9187]: CTRL: couldn't read packet header (exit)
Apr 21 10:03:00 pptpd[9187]: CTRL: CTRL read failed
Apr 21 10:03:00 pptpd[9187]: CTRL: Client 139.162.102.46 control connection finished
.
.
Apr 22 00:22:20 zcip client: configured 169.254.164.23
Apr 22 00:22:20 miniupnpd[861]: HTTP listening on port 42323
Apr 22 00:22:20 miniupnpd[861]: Listening for NAT-PMP/PCP traffic on port 5351
Apr 22 00:22:21 miniupnpd[861]: shutting down MiniUPnPd
Apr 22 00:22:21 start_nat_rules: apply the nat_rules(/tmp/nat_rules_ppp0_eth0)!
Apr 22 00:22:22 miniupnpd[886]: HTTP listening on port 53852
Apr 22 00:22:22 miniupnpd[886]: Listening for NAT-PMP/PCP traffic on port 5351

Oh, and another little thing... on the last couple of login attempts, I am getting a notification about "Login not secure". I've never seen that in the past. Both Chrome and Firefox are giving me the same notification. Screenshot attached.
 

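As an added illustration (not code from the thread or from the router firmware), here is a small Python script that does the triage the pptpd lines above call for: it groups the pptpd entries by daemon pid into sessions, and counts, per source address, how many sessions came from a public IP and ended with "EOF or bad error" before any valid control packet was read, which is what a scanner knocking on an exposed PPTP port looks like, as opposed to a client that completes the handshake. The sample log is constructed from the entries in the post (the two public IPs are the ones reported there) plus a made-up LAN client as a control.

```python
import ipaddress
import re

# Constructed sample: mirrors the pptpd lines quoted in the post; the 192.168.1.21
# session is a made-up LAN client added as a control case.
SAMPLE_LOG = """\
Apr 3 12:33:52 pptpd[8662]: CTRL: Client 139.162.102.46 control connection started
Apr 3 12:33:52 pptpd[8662]: CTRL: EOF or bad error reading ctrl packet length.
Apr 3 12:33:52 pptpd[8662]: CTRL: couldn't read packet header (exit)
Apr 3 12:33:52 pptpd[8662]: CTRL: CTRL read failed
Apr 3 12:33:52 pptpd[8662]: CTRL: Client 139.162.102.46 control connection finished
Apr 21 08:33:25 pptpd[8959]: CTRL: Client 80.82.77.139 control connection started
Apr 21 08:33:25 pptpd[8959]: CTRL: EOF or bad error reading ctrl packet length.
Apr 21 08:33:25 pptpd[8959]: CTRL: Client 80.82.77.139 control connection finished
Apr 21 10:03:00 pptpd[9187]: CTRL: Client 139.162.102.46 control connection started
Apr 21 10:03:00 pptpd[9187]: CTRL: EOF or bad error reading ctrl packet length.
Apr 21 10:03:00 pptpd[9187]: CTRL: Client 139.162.102.46 control connection finished
Apr 22 09:00:00 pptpd[9300]: CTRL: Client 192.168.1.21 control connection started
Apr 22 09:00:00 pptpd[9300]: CTRL: Client 192.168.1.21 control connection finished
"""

PPTPD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) pptpd\[(?P<pid>\d+)\]: CTRL: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"^Client (?P<ip>\S+) control connection (?P<event>started|finished)$")
# Messages pptpd logs when the peer never sent a valid control packet
ABORT_MARKERS = ("EOF or bad error", "couldn't read packet header")


def parse_pptpd_sessions(text):
    """Group pptpd CTRL lines by daemon pid into one session record each."""
    sessions = {}
    for line in text.splitlines():
        m = PPTPD_RE.match(line)
        if not m:  # not a pptpd control-channel line (dnsmasq, miniupnpd, ...), skip it
            continue
        s = sessions.setdefault(int(m["pid"]), {"ip": None, "errors": []})
        cm = CLIENT_RE.match(m["msg"])
        if cm:
            s["ip"] = cm["ip"]
            s[cm["event"]] = m["ts"]  # records the "started" / "finished" timestamps
        else:
            s["errors"].append(m["msg"])
    return sessions


def summarize_sources(sessions):
    """Per source IP: session count, whether it is public, and how many sessions
    aborted before any valid control packet (a probe, not a real client)."""
    report = {}
    for s in sessions.values():
        if s["ip"] is None:  # truncated session with no Client line, nothing to attribute
            continue
        ip = ipaddress.ip_address(s["ip"])
        r = report.setdefault(str(ip), {"sessions": 0, "public": ip.is_global, "aborted": 0})
        r["sessions"] += 1
        if any(marker in e for e in s["errors"] for marker in ABORT_MARKERS):
            r["aborted"] += 1
    return report
```

Any public address whose sessions are all "aborted" is door-knocking against a service that should not be reachable from the WAN in the first place, which is the point of disabling the PPTP server rather than trying to block each scanner.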
SmallNetGuy,

Read the Firefox 51.0 release notes here ---> https://www.mozilla.org/en-US/firefox/51.0/releasenotes/
This explains the source of the "login not secure" messages.
(Always a good idea to have a quick glance at the release notes for Firefox when it changes/updates as they are changing lots of stuff lately. :) )

Re: the "Client" IPs (139.162.102.46 and 80.82.77.139), from a quick search via Google they are appearing on some blacklists.

I don't have the skills to talk you through setting up your router/security but there are things on this forum that could be of use.
I would suggest looking at the thread covering "How to Dynamically Ban Malicious IP's using IPSet (Firewall Addition)" https://www.snbforums.com/threads/h...ious-ips-using-ipset-firewall-addition.16798/ .
This is the sort of thing you may need, read it and see how much you understand then ask some questions.

Sorry I cannot be of more help.
 
Just your typical port scanning, nothing really serious. Disable the PPTP server if you don't use it. If you do, I recommend disabling it and switching to the far more secure OpenVPN instead.
 
Thank you both for your assistance, greatly appreciated. @Twiglets - sure, I will check that link as soon as I am done with this reply. Thank you once again!

@RMerlin - Thank you so much. It's a lot easier to breathe when I get input from professionals and people who possess all that networking knowledge like you Mr. Sauvageau. Yes, I just took your advice and disabled PPTP. I tried playing with VPN at one point, and left it on ever since.

While we are on the VPN subject, what is the Android app you'd recommend to use with OpenVPN? I currently have OpenVPN 0.6.65 by Arne Schwabe. Sometimes it won't connect when I am inside Michaels' stores. My wife likes to connect to her Etsy shop there, and I'm telling her she needs to use OpenVPN :)

Thank you a million, both of you!
 
I use OpenVPN Connect 1.1.17 (build 76). You have to copy the ovpn file from PC to SD card or other location on the phone. Then, open the app and click on the three dots in the upper right hand corner. Select the Import option. Select the ovpn file at the location you stored it.
 
You have to copy the ovpn file from PC to SD card or other location on the phone.
Or send an email with the .ovpn file attached to your phone (whichever way is easier).
 

Hi,

Yes, we have that one too. For some reason, when I click CONNECT, that yellow progress bar goes to about the middle of the way towards the end, and I get OpenVPN: Waiting for server... after some time, OpenVPN Connection Timeout.

Yes, I have imported Profile from my phone's SD card that I previously exported from the OpenVPN Servers submenu.

Also, I've noticed an OpenVPN client section in my router's VPN menu. Do I have to configure that too, or will simply enabling the OpenVPN server with creation of my login account suffice? Another thing... if I go under VPN details, I keep it at GENERAL. I've tried ADVANCED SETTINGS, but it was way too advanced for this fool :) I'm guessing there should be something in there which needs to be properly configured in order to work properly. I'd appreciate it if someone could lead me through Advanced Settings in case I need it.

Thank you so much!
 
OpenVPN client section in my router's VPN menu. Do I have to configure that too, or simple enabling OpenVPN server with creation of my login account will suffice?
OpenVPN Client is used to connect you to other OpenVPN providers, while OpenVPN Server is for you to connect your devices back to home, so you probably don't need the OpenVPN client.

Yes, we have that one too. For some reason, when I click CONNECT, that yellow progress bar goes to about the middle of the way towards the end, and I get OpenVPN: Waiting for server... after some time, OpenVPN Connection Timeout.
What are your settings in the advanced part?
 
What are your settings in the advanced part?

I took a screenshot, easier than trying to write down everything :) Screenshot attached.

I might not be able to respond back immediately, I am on my way out to do some weekend chores, but will be back home this afternoon.
Thank you once again for your precious time and trying to help me here!

EDIT: here is better quality screenshot (click on the image to see full size): http://i.imgur.com/D9YcF6u.jpg
 

When we are at VPN subject, what is the Android app you'd recommend to use with OpenVPN?

I never really use it, but I went with the official OpenVPN client.
 
yorgi's guide has a working example here https://www.snbforums.com/threads/how-to-setup-a-vpn-server-with-asus-routers.33638/

From first glance, you should set Username/Password Authentication to Yes. Auth Digest to SHA1 and Cipher Negotiation to Disable.

EDIT: I have Yes for Respond to DNS and Advertise DNS to Clients. Yorgi's guide explains more about those.

For testing purposes, you need to be connected to another router.

Do you have a dynamic IP address supplied by your WAN? If so, there are some other things you will need to do.
 
When we are at VPN subject, what is the Android app you'd recommend to use with OpenVPN?
I personally recommend "OpenVPN for Android" since it supports Encrypt channel, which you can find under TLS-Control channel security. However, if you don't need that function, I would just go with the official Android client as RMerlin suggests.
 

Thank you so much!! I went through the whole thread, all pages. I love yorgi's explanation of each option. Some of them I totally don't understand, but it's really nice to have everything explained in such an easy way to follow. I've also found a lot of your posts there, with examples, and I have to say it tremendously helps, I am sure, a lot of people. Thank you for unselfishly sharing your wisdom my friend!

I've set everything exactly as in your screenshot here: https://www.snbforums.com/threads/h...er-with-asus-routers.33638/page-3#post-317537

...and I also re-exported OpenVPN configuration file, and re-imported it back to my android phone. I will have to test everything next time I am outside.

Thank you a million, people like you are lifesavers!
 
I personally recommend "OpenVPN for Android" since it support Encrypt channel, which you can find under TLS-Control channel security. However, if you don't need that function, I will just go with official android client as RMerlin suggests.

Good to know, I have both installed now. Thank you so much!
 
I just got a hack attempt from the IP listed; it tries to log in via VPN to your router, and from what I read about some of the latest malware and its symptoms, it matches to here. When the site is saying login is insecure it is correct, as malware gets installed on the router which then hijacks all your connections, dropping SSL (HTTPS turns to HTTP), so that everything can be viewed.

While it didn't manage to hack me, reading the last part of the log on the first post, it had successfully hijacked your router.

Please secure your router VPN interfaces as if they were your WAN. With consumer routers you may need to manually apply a port block, as some services may run and be exploited even if you don't use them, or may not have an option to disable them.
 

With the current situation with the VPNFilter malware and what not - as long as you do not expose external ports, you are safe. Logs might show some "door knocking"... but NAT (by nature) and the SPI firewall (by purpose) block things.

Look at the services - disable WAN admin, SSH client (inbound), OpenVPN server (see note below), and you should be fine...

OpenVPN server - this is one of the options; if you don't need it, disable it - if you do, then use certificates. Most home users don't need it. If one needs an OpenVPN client, consider that this is likely compromised at the router - one can always run the OpenVPN client on a local PC/desktop box there...

UPnP - well, that's an issue with older versions, and like in the "Americans" final season - might be one moving forward - poor Stan...

Practice "safe hex" these days - it's not that hard - the Asus Routers, along with others, are bastions and fairly secure, once configured properly.
 
Look at the services - disable WAN admin, SSH client (inbound), OpenVPN server (see note below), and you should be fine...
I'm not clear what you mean here. I assume "disable" applies to all three of those? I see the default on my RT-AC68U is "Enable Telnet/SSH Protection Server" -- so should I disable that?

Thank you.

EDIT: Oh, wait. Maybe you mean the SSH choices on the Administration/System tab. They are currently set as:

Enable Telnet = no
Enable SSH = no
Allow SSH Port Forwarding = no
SSH Service Port = 22
SSH Inactivity Timeout = 20
Allow SSH access from WAN = no
Allow SSH Password Login = yes
Enable SSH Brute Force Protection = no

I believe these are the John's Fork defaults.
 

Nope, my router wasn't hacked into. I've had a couple of people who work in the IT sector look at everything; there was absolutely nothing out of the ordinary, not even in the log files. Besides, since then, I've completely disabled VPN (don't really need it, or use it anymore). Router reset to factory defaults numerous times since then, since I updated it with new Merlin releases (I almost always do a factory reset afterwards), and changed my router password to a pretty messy and long one now :)

Cheers!
 

Thank you so much for your unselfish assistance sfx2000! Thank you! Great advice as always.
Kind Regards!
 