
Requesting log review of possible attack

Discussion in 'ASUS AC Routers & Adapters' started by Sky, Feb 18, 2020.

  1. Sky

    Sky Regular Contributor

    Joined:
    Jul 19, 2018
    Messages:
    51
    Location:
    PDR of California
    Greetings. I have been seeing some strange listings in my General SysLog. I added line feeds & emphasis to make it clearer to read. I think what's happening is the actual user name (replaced by _USERNAME_ below) may be compromised. I can't tell from this if the password is also compromised or is under attack. The IPs come back to Russia & rotate. This has been going on since 20-Jan.

    If I blacklist the entire apparent attacking network, 92.63.194., in Firewall>URL Filter (leaving off the last octet is supposed to block 1-255) the router refuses access to all clients on the LAN, including hardwire via the switch. The only access is by reset > direct hardwire to the router; client access is only restored by removing that block. I can't see any reason Asus or its partners would be using a network in Russia, so that's confusing.

    Also, I saw this entry at WAN>NAT Passthrough: FTP_ALG Port 2021. This appears to be a default in the new FW. Is this normal?

    RT-AC87R | FW is 3.0.0.4.382_51939-g3ecf3e2 & signature checks OK.

    ::: Last normal entry:::
    Feb 17 03:04:36 hour monitor: ntp sync fail, will retry after 120 sec

    << START ATTACK? >>

    Feb 17 08:56:33 pptp[6748]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:33 pptp[6748]: Connect: pptp0 <--> pptp (92.63.194.91)
    Feb 17 08:56:33 pptp[6748]: appear to have received our own echo-reply!
    Feb 17 08:56:33 pptp[6748]: No CHAP secret found for authenticating admin
    Feb 17 08:56:33 pptp[6748]: Peer admin failed CHAP authentication
    Feb 17 08:56:33 pptpd[6747]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:33 pptpd[6747]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:33 pptpd[6747]: CTRL: CTRL read failed

    Feb 17 08:56:34 pptp[6758]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:34 pptp[6758]: Couldn't allocate PPP unit 10 as it is already in use
    Feb 17 08:56:34 pptp[6758]: Connect: pptp1 <--> pptp (92.63.194.92)
    Feb 17 08:56:34 pptp[6758]: appear to have received our own echo-reply!
    Feb 17 08:56:34 pptp[6758]: No CHAP secret found for authenticating vpn
    Feb 17 08:56:34 pptp[6758]: Peer vpn failed CHAP authentication
    Feb 17 08:56:35 pptpd[6757]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:35 pptpd[6757]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:35 pptpd[6757]: CTRL: CTRL read failed

    Feb 17 08:56:35 pptp[6770]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:35 pptp[6770]: Couldn't allocate PPP unit 10 as it is already in use
    Feb 17 08:56:35 pptp[6770]: Couldn't allocate PPP unit 11 as it is already in use
    Feb 17 08:56:35 pptp[6770]: Connect: pptp2 <--> pptp (92.63.194.93)
    Feb 17 08:56:36 pptp[6770]: appear to have received our own echo-reply!
    Feb 17 08:56:36 pptp[6770]: No CHAP secret found for authenticating test
    Feb 17 08:56:36 pptp[6770]: Peer test failed CHAP authentication
    Feb 17 08:56:36 pptpd[6769]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:36 pptpd[6769]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:36 pptpd[6769]: CTRL: CTRL read failed

    Feb 17 08:56:36 pptp[6782]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:36 pptp[6782]: Couldn't allocate PPP unit 10 as it is already in use
    Feb 17 08:56:36 pptp[6782]: Couldn't allocate PPP unit 11 as it is already in use
    Feb 17 08:56:36 pptp[6782]: Couldn't allocate PPP unit 12 as it is already in use
    Feb 17 08:56:36 pptp[6782]: Connect: pptp3 <--> pptp (92.63.194.94)
    Feb 17 08:56:37 pptp[6782]: appear to have received our own echo-reply!
    Feb 17 08:56:37 pptp[6782]: No CHAP secret found for authenticating 1
    Feb 17 08:56:37 pptp[6782]: Peer 1 failed CHAP authentication
    Feb 17 08:56:37 pptpd[6781]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:37 pptpd[6781]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:37 pptpd[6781]: CTRL: CTRL read failed

    Feb 17 08:56:38 pptp[6794]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:38 pptp[6794]: Couldn't allocate PPP unit 10 as it is already in use
    Feb 17 08:56:38 pptp[6794]: Couldn't allocate PPP unit 11 as it is already in use
    Feb 17 08:56:38 pptp[6794]: Couldn't allocate PPP unit 12 as it is already in use
    Feb 17 08:56:38 pptp[6794]: Couldn't allocate PPP unit 13 as it is already in use
    Feb 17 08:56:38 pptp[6794]: Connect: pptp4 <--> pptp (92.63.194.95)
    Feb 17 08:56:38 pptp[6794]: appear to have received our own echo-reply!
    Feb 17 08:56:38 pptp[6794]: No CHAP secret found for authenticating 123
    Feb 17 08:56:38 pptp[6794]: Peer 123 failed CHAP authentication
    Feb 17 08:56:38 pptpd[6793]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:38 pptpd[6793]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:38 pptpd[6793]: CTRL: CTRL read failed

    Feb 17 08:56:39 pptp[6806]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:39 pptp[6806]: Couldn't allocate PPP unit 10 as it is already in use
    Feb 17 08:56:39 pptp[6806]: Couldn't allocate PPP unit 11 as it is already in use
    Feb 17 08:56:39 pptp[6806]: Couldn't allocate PPP unit 12 as it is already in use
    Feb 17 08:56:39 pptp[6806]: Couldn't allocate PPP unit 13 as it is already in use
    Feb 17 08:56:39 pptp[6806]: Couldn't allocate PPP unit 14 as it is already in use
    Feb 17 08:56:39 pptp[6806]: Connect: pptp5 <--> pptp (92.63.194.47)
    Feb 17 08:56:39 pptp[6806]: appear to have received our own echo-reply!
    Feb 17 08:56:39 pptp[6806]: No CHAP secret found for authenticating 111
    Feb 17 08:56:39 pptp[6806]: Peer 111 failed CHAP authentication
    Feb 17 08:56:39 pptp[6748]: Connection terminated.
    Feb 17 08:56:39 pptp[6748]: Modem hangup

    Feb 17 08:56:39 pptpd[6805]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:39 pptpd[6805]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:39 pptpd[6805]: CTRL: CTRL read failed

    Feb 17 08:56:40 pptp[6823]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:40 pptp[6823]: Connect: pptp0 <--> pptp (92.63.194.91)
    Feb 17 08:56:40 pptp[6823]: appear to have received our own echo-reply!
    Feb 17 08:56:40 pptp[6823]: No CHAP secret found for authenticating user
    Feb 17 08:56:40 pptp[6823]: Peer user failed CHAP authentication
    Feb 17 08:56:40 pptp[6758]: Connection terminated.
    Feb 17 08:56:41 pptp[6758]: Modem hangup

    Feb 17 08:56:41 pptpd[6822]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:41 pptpd[6822]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:41 pptpd[6822]: CTRL: CTRL read failed

    Feb 17 08:56:41 pptp[6838]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:41 pptp[6838]: Couldn't allocate PPP unit 10 as it is already in use
    Feb 17 08:56:41 pptp[6838]: Connect: pptp1 <--> pptp (92.63.194.92)
    Feb 17 08:56:42 pptp[6838]: appear to have received our own echo-reply!
    Feb 17 08:56:42 pptp[6838]: No CHAP secret found for authenticating vpn
    Feb 17 08:56:42 pptp[6838]: Peer vpn failed CHAP authentication
    Feb 17 08:56:42 pptp[6770]: Connection terminated.

    Feb 17 08:56:42 pptpd[6837]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:42 pptpd[6837]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:42 pptpd[6837]: CTRL: CTRL read failed
    Feb 17 08:56:42 pptp[6770]: Modem hangup

    (continued in next post -- character count a bit long)
     
    Last edited: Feb 18, 2020
  2. Sky

    Sky Regular Contributor

    Joined:
    Jul 19, 2018
    Messages:
    51
    Location:
    PDR of California
    (continued from above)

    Feb 17 08:56:42 pptp[6855]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:42 pptp[6855]: Couldn't allocate PPP unit 10 as it is already in use
    Feb 17 08:56:42 pptp[6855]: Couldn't allocate PPP unit 11 as it is already in use
    Feb 17 08:56:42 pptp[6855]: Connect: pptp2 <--> pptp (92.63.194.93)
    Feb 17 08:56:43 pptp[6855]: appear to have received our own echo-reply!
    Feb 17 08:56:43 pptp[6855]: No CHAP secret found for authenticating Admin
    Feb 17 08:56:43 pptp[6855]: Peer Admin failed CHAP authentication
    Feb 17 08:56:43 pptp[6782]: Connection terminated.

    Feb 17 08:56:43 pptpd[6854]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:43 pptpd[6854]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:43 pptpd[6854]: CTRL: CTRL read failed
    Feb 17 08:56:43 pptp[6782]: Modem hangup

    Feb 17 08:56:44 pptp[6870]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:44 pptp[6870]: Couldn't allocate PPP unit 10 as it is already in use
    Feb 17 08:56:44 pptp[6870]: Couldn't allocate PPP unit 11 as it is already in use
    Feb 17 08:56:44 pptp[6870]: Couldn't allocate PPP unit 12 as it is already in use
    Feb 17 08:56:44 pptp[6870]: Connect: pptp3 <--> pptp (92.63.194.94)
    Feb 17 08:56:44 pptp[6870]: appear to have received our own echo-reply!
    Feb 17 08:56:44 pptp[6870]: No CHAP secret found for authenticating 11
    Feb 17 08:56:44 pptp[6870]: Peer 11 failed CHAP authentication
    Feb 17 08:56:44 pptp[6794]: Connection terminated.

    Feb 17 08:56:44 pptpd[6869]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:44 pptpd[6869]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:44 pptpd[6869]: CTRL: CTRL read failed
    Feb 17 08:56:44 pptp[6794]: Modem hangup

    Feb 17 08:56:45 pptp[6885]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:45 pptp[6885]: Couldn't allocate PPP unit 10 as it is already in use
    Feb 17 08:56:45 pptp[6885]: Couldn't allocate PPP unit 11 as it is already in use
    Feb 17 08:56:45 pptp[6885]: Couldn't allocate PPP unit 12 as it is already in use
    Feb 17 08:56:45 pptp[6885]: Couldn't allocate PPP unit 13 as it is already in use
    Feb 17 08:56:45 pptp[6885]: Connect: pptp4 <--> pptp (92.63.194.95)
    Feb 17 08:56:45 pptp[6885]: appear to have received our own echo-reply!
    Feb 17 08:56:45 pptp[6885]: No CHAP secret found for authenticating 1111
    Feb 17 08:56:45 pptp[6885]: Peer 1111 failed CHAP authentication
    Feb 17 08:56:45 pptp[6806]: Connection terminated.

    Feb 17 08:56:45 pptpd[6884]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:45 pptpd[6884]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:45 pptpd[6884]: CTRL: CTRL read failed
    Feb 17 08:56:45 pptp[6806]: Modem hangup

    Feb 17 08:56:46 pptp[6901]: pppd 2.4.7 started by _USERNAME_, uid 0
    Feb 17 08:56:46 pptp[6901]: Couldn't allocate PPP unit 10 as it is already in use
    Feb 17 08:56:46 pptp[6901]: Couldn't allocate PPP unit 11 as it is already in use
    Feb 17 08:56:46 pptp[6901]: Couldn't allocate PPP unit 12 as it is already in use
    Feb 17 08:56:46 pptp[6901]: Couldn't allocate PPP unit 13 as it is already in use
    Feb 17 08:56:46 pptp[6901]: Couldn't allocate PPP unit 14 as it is already in use
    Feb 17 08:56:46 pptp[6901]: Connect: pptp5 <--> pptp (92.63.194.47)
    Feb 17 08:56:46 pptp[6901]: appear to have received our own echo-reply!
    Feb 17 08:56:46 pptp[6901]: No CHAP secret found for authenticating 1234
    Feb 17 08:56:46 pptp[6901]: Peer 1234 failed CHAP authentication
    Feb 17 08:56:46 pptp[6823]: Connection terminated.

    Feb 17 08:56:47 pptpd[6900]: CTRL: EOF or bad error reading ctrl packet length.
    Feb 17 08:56:47 pptpd[6900]: CTRL: couldn't read packet header (exit)
    Feb 17 08:56:47 pptpd[6900]: CTRL: CTRL read failed
    Feb 17 08:56:47 pptp[6823]: Modem hangup

    Feb 17 08:56:48 pptp[6838]: Connection terminated.
    Feb 17 08:56:48 pptp[6838]: Modem hangup

    Feb 17 08:56:49 pptp[6855]: Connection terminated.
    Feb 17 08:56:49 pptp[6855]: Modem hangup

    Feb 17 08:56:50 pptp[6870]: Connection terminated.
    Feb 17 08:56:50 pptp[6870]: Modem hangup

    Feb 17 08:56:51 pptp[6885]: Connection terminated.
    Feb 17 08:56:51 pptp[6885]: Modem hangup

    Feb 17 08:56:52 pptp[6901]: Connection terminated.
    Feb 17 08:56:53 pptp[6901]: Modem hangup

    << ATTACK TERMINATED|FAIL(?) >>

    ::: Resumes normal entries :::
    Feb 17 11:56:04 rc_service: httpds 265:notify_rc restart_wireless
     
    Last edited: Feb 18, 2020
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    11,025
    Location:
    UK
    You have the router's PPTP VPN server activated and you are being port scanned. Turn off the PPTP server.
     
  4. Sky

    Sky Regular Contributor

    Joined:
    Jul 19, 2018
    Messages:
    51
    Location:
    PDR of California
    VPN Server now off
    1. How can an outsider "see" that?
    2. Why does blocking access to that network from the LAN cause the router to lock out local WiFi and hardwired clients?
    3. Am I correct that the user name has been compromised? -or-
    4. Does that mean Asus' DDNS data has been compromised?
    5. Is that FTP_ALG port 2021 entry "normal" and "ok"?
    6. If a legitimate user needs to use the VPN, will/can this activity affect that?
     
    Last edited: Feb 18, 2020
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    11,025
    Location:
    UK
    1. They're bots. They are just scanning entire blocks of IP addresses and commonly used ports. PPTP servers use port 1723.
    2. You're using the wrong tool. The URL filter blocks outgoing "URLs" not IP addresses. Putting an IP address in there probably broke the existing firewall rules.
    3. No.
    4. No.
    5. Yes and yes.
    6. PPTP VPN is insecure and obsolete. If you need remote access use OpenVPN instead.

    EDIT: In addition to point 1 above, the bots were also trying to connect using common default user IDs and passwords. Fortunately you weren't using a default user ID and password (like admin/admin).
     
    Last edited: Feb 18, 2020
  6. Sky

    Sky Regular Contributor

    Joined:
    Jul 19, 2018
    Messages:
    51
    Location:
    PDR of California
    That's weirdly nice to hear. :oops:
    Is there a right tool for blocking WAN IPs or groups of IPs?
    I realize PPTP is insecure and obsolete, but there are some reasons *for now* that I have to use it, hence my question: "If a legitimate user needs to use the VPN, will/can this activity affect that?" And, is there any reasonable way to mitigate such effect (short of using a different protocol)?
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    11,025
    Location:
    UK
    Not explicitly. AiProtection should do that to a certain extent. Otherwise, you'd either have to write your own firewall-start script or use something like Skynet.

    It won't have much effect other than creating annoying messages in the log.
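An added example (editor's, not from the thread, and not Asus, Asuswrt-Merlin or Skynet code) of the firewall-start script mentioned above, for anyone who wants the hand-rolled minimum rather than Skynet. It assumes Asuswrt-Merlin, which runs /jffs/scripts/firewall-start every time the firmware rebuilds its firewall and passes the WAN interface as $1; on stock Asus firmware there is no such hook. The /24 is the one from the thread; the rate-limit numbers (4 new connections per 60 seconds per source) are a choice, not a recommendation from anyone in the thread. With DRY_RUN=1 the script only prints the iptables commands, which is how it can be checked off the router.

```sh
#!/bin/sh
# Added example (not from the thread, not Asus or Merlin code): a minimal
# /jffs/scripts/firewall-start for Asuswrt-Merlin that
#   1. drops the scanning /24 on the WAN interface, and
#   2. rate-limits NEW PPTP control connections (TCP/1723) per source address,
#      so a password spray gets a handful of tries a minute instead of thousands.
# Merlin runs this script every time the firmware rebuilds its firewall, passing
# the WAN interface as $1; that is why rules typed at the shell do not survive.
# With DRY_RUN=1 (set automatically when iptables is not on the PATH) the rules
# are printed instead of applied.

WAN_IF=${WAN_IF:-${1:-$(nvram get wan0_ifname 2>/dev/null)}}
WAN_IF=${WAN_IF:-eth0}                      # assumption for off-router dry runs
BLOCK_NETS="92.63.194.0/24"                  # the /24 from the thread; space-separate more
PPTP_PORT=1723
HITS=4                                       # allow HITS new connections ...
WINDOW=60                                    # ... per WINDOW seconds per source

command -v iptables >/dev/null 2>&1 || DRY_RUN=1

# Run iptables, or echo the command in dry-run mode.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Static block of the known scanning networks, inserted ahead of the
    # firmware's own INPUT rules.
    for net in $BLOCK_NETS; do
        ipt -I INPUT -i "$WAN_IF" -s "$net" -j DROP
    done

    # Per-source throttle with the "recent" match: a NEW connection to 1723 is
    # dropped if its source already has HITS entries in the last WINDOW seconds
    # (--update also refreshes the timestamp, so a scanner that keeps hammering
    # stays blocked); otherwise the source is recorded and the packet returns
    # to the normal INPUT rules, where the firmware's PPTP rule accepts it.
    ipt -N PPTP_GUARD 2>/dev/null
    ipt -F PPTP_GUARD
    ipt -A PPTP_GUARD -m recent --name pptp --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    ipt -A PPTP_GUARD -m recent --name pptp --set -j RETURN
    ipt -I INPUT -i "$WAN_IF" -p tcp --dport "$PPTP_PORT" -m conntrack --ctstate NEW -j PPTP_GUARD
}

apply_rules
```

Save it as /jffs/scripts/firewall-start, `chmod +x` it, and restart the firewall (or reboot); `iptables -L INPUT -v -n | head` should then show the DROP and PPTP_GUARD rules at the top, and `cat /proc/net/xt_recent/pptp` lists the addresses the throttle is currently tracking. Two caveats: the throttle alone does little against the rotating /24 in the posted log, since each of its six addresses still gets HITS guesses per window, so the static block is what actually stops that one; and none of this changes the advice earlier in the thread that PPTP itself is obsolete and should be turned off or replaced with OpenVPN.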
     
  8. Sky

    Sky Regular Contributor

    Joined:
    Jul 19, 2018
    Messages:
    51
    Location:
    PDR of California
    :cool:
    Hooray!

    Nothing like needless worry coupled with knowing 'just enough to get into trouble'. ;)

    Thanks, Colin!