Asus router infection alert

Lorand

Occasional Visitor
I have an Asus router AC88U that has AI protection enabled, and it started spamming me with mails since I set my QNAP to secure access only and enabled port forwarding 443 to my QNAP.

I have a TS-431P2 with the latest firmware installed.

So does anyone have any idea what this is and how I get it fixed?

CVE explanation:
Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.
Since you have forwarded port 443 to the internet, it doesn't take long for bots to find it and try to compromise it.

Shut off the port forward and the message should go away.

If you're going to expose a server to the internet, you better have a VERY STRONG password on it and use a non-standard port.
 
If you're going to expose a server to the internet, you better have a VERY STRONG password on it and use a non-standard port.

Using a non-standard port is definitely a critical decision when exposing any well-known service to the Internet (such as a web server). Ports 22/25/80/443 will get tons of traffic from other compromised servers trying to recruit more victims into a botnet.

If the one using the remote server will be yourself (or people you personally know), move it to a non-standard port. That's easily done with most routers, which will let you pick different public and LAN ports for a forward rule.
 
If you're going to expose a server to the internet, you better have a VERY STRONG password on it and use a non-standard port.

Concur - and have a good reason as to why to expose it in the first place...

Putting a NAS on the WAN is inviting trouble - nothing against QNAP or other NAS vendors...
 
Almost never a good reason to put a NAS on the Internet directly. The secure way is to set up a VPN server and connect to it from there.
 
I have an Asus router AC88U that has AI protection enabled, and it started spamming me with mails since I set my QNAP to secure access only and enabled port forwarding 443 to my QNAP.

I have a TS-431P2 with the latest firmware installed.

So does anyone have any idea what this is and how I get it fixed?

When I saw “secure access” I was laughing.. lol..
Opening the common 443 port some more. Inviting trouble.
Best option is to set up a VPN (OpenVPN).
 
CVE explanation:

Since you have forwarded port 443 to the internet, it doesn't take long for bots to find it and try to compromise it.

Shut off the port forward and the message should go away.

If you're going to expose a server to the internet, you better have a VERY STRONG password on it and use a non-standard port.

I shut off port 443 and moved it to another.
Since then the messages still continue.

My password is not weak: min. 10 characters, lcase, ucase, number, and I have enabled in the NAS to block users after 5 unsuccessful login attempts.

I use my NAS for myself and my friends to access information we want to share with each other.

I have enabled in my NAS to force secure connection HTTPS only, but I still needed to forward port 8080 in order to make it work.
Maybe that is why I am getting the attacks.

Is there a chance that one or multiple of these attacks can harm my NAS or access my data?

Using VPN is not an option for me, because I have ~10 different clients connecting with different devices.
 
That log indicates that the NAS is the one infected. I strongly recommend you install QNAP's Malware scanner from their Apps center, and run a scan of your device. There have been a number of viruses affecting QNAP devices this past year. I've encountered a few of my own customers myself that got infected by this.
 
That log indicates that the NAS is the one infected. I strongly recommend you install QNAP's Malware scanner from their Apps center, and run a scan of your device. There have been a number of viruses affecting QNAP devices this past year. I've encountered a few of my own customers myself that got infected by this.

I did a scan

Also there has been a software update today.
I did not get any warnings from my router since I did it.
I hope it is solved.
 
I did a scan

Also there has been a software update today.
I did not get any warnings from my router since I did it.
I hope it is solved.

In that case, it might be that the error entry is incorrect, and it actually blocked an outside attempt at connecting to your NAS's web service.
 
