Skynet [Question] Skynet Deliberate Attack or Infected Device?

Rajjco

Occasional Visitor
I keep getting inbound blocked messages in my logs from the same IP address, which is based in Ukraine.
I have changed my WAN IP address like 50 times with different subnets, and whenever I turn on my WAN connection the logs start screaming:
Code:
Aug 13 02:25:04 GT-AX11000-CF50 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=31.43.191.143 DST=(My Ip Goes Here) LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=40627 PROTO=TCP SPT=46112 DPT=13915 SEQ=4231858985 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
The main targeted port is TCP 46112, which I think hosts radio communication devices.
Could it be installed software that is leaking my IP address to the attacker?
The VirusTotal result says it's malware.
 
Welcome to the forum.
"Inbound" block messages mean your firewall and/or Skynet has done its job and blocked it. Nothing to be too concerned about, just another day of internet junk.

Generally, if you had an infected device, you would see outbound blocks from Skynet.
Outbound blocks would merit investigation IMHO.
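As an added example (not code from this thread or from Skynet itself), here is a small Python triage script for the `[BLOCKED - INBOUND]` / `[BLOCKED - OUTBOUND]` line format shown above: it counts inbound blocks as background noise per remote source and probed port, and separately lists the LAN devices behind any outbound blocks, which is the case the reply above says is worth investigating. The sample log lines are constructed; the LAN host 192.168.1.50 and the non-Ukrainian addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample log in the Skynet/iptables format shown in the thread.
# The inbound SRC is the address the thread discusses; the other addresses
# are RFC 5737 documentation ranges and a made-up LAN host (192.168.1.50).
SAMPLE_LOG = """\
Aug 13 02:25:04 GT-AX11000-CF50 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=31.43.191.143 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=40627 PROTO=TCP SPT=46112 DPT=13915 SEQ=4231858985 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Aug 13 02:25:09 GT-AX11000-CF50 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=31.43.191.143 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=40628 PROTO=TCP SPT=46112 DPT=22 SEQ=4231858986 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Aug 13 02:26:11 GT-AX11000-CF50 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 MAC= SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 PROTO=TCP SPT=51000 DPT=443 SEQ=1 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000
Aug 13 02:26:30 GT-AX11000-CF50 kernel: some unrelated kernel message
"""

BLOCK_RE = re.compile(r"\[BLOCKED - (?P<direction>INBOUND|OUTBOUND)\] (?P<fields>.+)$")

def parse_block_line(line):
    """Return the KEY=VALUE fields of one Skynet block line as a dict, or None.
    Bare flag tokens such as SYN are stored as True. For an INBOUND line, DPT is
    the port on your WAN address that was probed; SPT is the remote side's port."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    fields = {"direction": m.group("direction")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields

def triage(log_text):
    """Count inbound noise per (remote SRC, PROTO, probed DPT) and outbound leads
    per (LAN SRC, remote DST, PROTO, DPT); outbound blocks name your own device."""
    inbound, outbound = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_block_line(line)
        if f is None:
            continue  # not a Skynet block line
        if f["direction"] == "INBOUND":
            inbound[(f["SRC"], f["PROTO"], f["DPT"])] += 1
        else:
            outbound[(f["SRC"], f["DST"], f["PROTO"], f["DPT"])] += 1
    return inbound, outbound

def suspect_lan_hosts(outbound):
    """LAN addresses seen as SRC of any outbound block, most active first."""
    per_host = Counter()
    for (src, _dst, _proto, _dpt), n in outbound.items():
        per_host[src] += n
    return [host for host, _ in per_host.most_common()]
```

Feed it the router's syslog text in place of SAMPLE_LOG; any host returned by suspect_lan_hosts is the device to look at first.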
 
I got treated like I saw a UFO when I was going through this same type of thing.

If you get a new WAN IP and you are NOT using DDNS with the same hostname (so they can keep finding you), then you have a device with a cooperating process inside your network, probably using SSL connections. Do you have a lot of NTP traffic?
The problem devices on my network: Samsung TV, DirecTV DVR, Wemos, cheap cameras.

Oh, and let's not forget the 2016 model router that had an unaddressed CVE that had been posted years ago.

I hope to learn to effectively tweak the firewall settings eventually. I had over 1500 SSH attempts the first couple of days with this router - now it's about 18, so it is effective in deterring attack attempts.
 
I actually disabled DDNS and the same IP keeps finding me on new IPs. Most blocked SSL 443 connections are going to China (TikTok, Mi Box); second is Russia. I went and blocked those countries.
Not much NTP traffic though.
It actually stopped as of typing this reply. Most of my outbound blocks are country blocks; it doesn't specify the ban reason, it only shows *.
[Attached screenshots: ip.png, port.png]
 
I have records of attacks from this IP in Ukraine from April through July. It will happen against any IP your provider may assign you. This is what the Internet is like. I am not concerned as I have no ports open.
 
