RT-AC68U triggering dianaea honeypot, probing 80 and 139 after firmware update

[neildaemond]

Ever since updating my firmware to 3.0.0.4.380_1842-g7414eb9 2 days ago, I'm getting attempts for TCP connections on port 80 and 139 from 192.168.1.1 (the router ip) to a dionaea honeypot.

I've just noticed this after updating my firmware to 3.0.0.4.380_1842-g7414eb9 2 days ago.

For example, I collected these 'attacks' over the last hour:

timestamp: 2016-03-04T04:55:03.882000
local_host: 192.168.1.108
local_port: 80
remote_host: 192.168.1.1
remote_port: 38474
remote_hostname:

timestamp: 2016-03-04T04:57:56.158000
local_host: 192.168.1.108
local_port: 80
remote_host: 192.168.1.1
remote_port: 38494
remote_hostname:

timestamp: 2016-03-04T04:58:08.175000
local_host: 192.168.1.108
local_port: 139
remote_host: 192.168.1.1
remote_port: 35905
remote_hostname:

timestamp: 2016-03-04T05:33:51.291000
local_host: 192.168.1.108
local_port: 80
remote_host: 192.168.1.1
remote_port: 49496
remote_hostname:

timestamp: 2016-03-04T05:34:03.311000
local_host: 192.168.1.108
local_port: 139
remote_host: 192.168.1.1
remote_port: 46624
remote_hostname:


Any insight onto which services may be doing this from the router? Is it possible that its not the router? How can I stop it from doing this? Thanks,

 

[RMerlin]

The networkmap service probes your whole LAN to detect and analyze what devices are present. The service can't be disabled, and is required by the webui.

 

[evh909]

this one caught my eye because I didnt understand what it was talking about

A link here for anyone else that is interested. http://www.edgis-security.org/honeypot/dionaea/

Learn something new everyday...

 

[sfx2000]

The networkmap service probes your whole LAN to detect and analyze what devices are present. The service can't be disabled, and is required by the webui.

Seems like NetworkMap is problematic all around - it's not just pinging into services, or using ARP/NDP, but actually is grabbing connections which result in activity like OP is seeing (or the infamous Synology wakeups that folks are blaming on ARP).

Good intentions perhaps, but short sighted on what happens to other platforms when NetworkMap is doing the probes on a periodic basis..

 

[RMerlin]

Seems like NetworkMap is problematic all around - it's not just pinging into services, or using ARP/NDP, but actually is grabbing connections which result in activity like OP is seeing (or the infamous Synology wakeups that folks are blaming on ARP).

Good intentions perhaps, but short sighted on what happens to other platforms when NetworkMap is doing the probes on a periodic basis..

Asus has already removed the hourly rescans, and also tweaked the scan process a bit. It should be far less aggressive, probably only doing a scan on specific events.

 

[sfx2000]

Asus has already removed the hourly rescans, and also tweaked the scan process a bit. It should be far less aggressive, probably only doing a scan on specific events.

Cool - perhaps the only time it should do the scan is when someone brings up the WebGUI, rest of the time, it shouldn't matter...