TWO WAY IPS AIPROTECTION

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

peace25

New Around Here
Hi,
I'm new to the forum and i'm really seeking help in the same matter as above , my router is Asus DSL-AC68U and since the latest firmware update from Asus and the implement of the new AIProtection interface from trend micro that let us see the attackers and assuring us lol that they are blocked , i still feel that i'm not secure and there's too many attacks on my router from different ip's !

All those hits (external attacks) are directed to one Device or equipment , none of mine , checked every mac address none match up the one they are attacking !

When tried to find out the mac address of the Vendor it come up as Juniper Network 28:8A:1C , i get about 6 hits a day sometimes 2 and sometime more , in total could be about 15 hits , a bit concerned here .

THis is the kind of attacks i get :

DATE:
2018-09-15
TIME:
16:34:55
TYPE
External Attacks
167.99.109.87 The IP OF THE ATTACKER
MY IP IS HERE : XXXXXXXXX
SECURITY ALERT: EXPLOIT Remote Command Execution via Shell Script -2
EXPLOIT Netcore Router Backdoor Access
DATE:
2018-09-15
TIME:
15:48:34
TYPE:
External Attacks
209.141.48.78 THE IP OF THE ATTACKER
xx.xxx.xxx.xxx MY IP
SECUTITY ALERT : EXPLOIT Remote Command Execution via Shell Script -2

And so on , i need to find out a way or how and why so many attacks , is my ISP weak ? in all my devices i'm using security softwares , my router firewall is activated .

Is there anything i'm i missing ?

Thanks
 

ApexRon

Very Senior Member
Hi,
I'm new to the forum and i'm really seeking help in the same matter as above , my router is Asus DSL-AC68U and since the latest firmware update from Asus and the implement of the new AIProtection interface from trend micro that let us see the attackers and assuring us lol that they are blocked , i still feel that i'm not secure and there's too many attacks on my router from different ip's !

All those hits (external attacks) are directed to one Device or equipment , none of mine , checked every mac address none match up the one they are attacking !

When tried to find out the mac address of the Vendor it come up as Juniper Network 28:8A:1C , i get about 6 hits a day sometimes 2 and sometime more , in total could be about 15 hits , a bit concerned here .

THis is the kind of attacks i get :

DATE:
2018-09-15
TIME:
16:34:55
TYPE
External Attacks
167.99.109.87 The IP OF THE ATTACKER
MY IP IS HERE : XXXXXXXXX
SECURITY ALERT: EXPLOIT Remote Command Execution via Shell Script -2
EXPLOIT Netcore Router Backdoor Access
DATE:
2018-09-15
TIME:
15:48:34
TYPE:
External Attacks
209.141.48.78 THE IP OF THE ATTACKER
xx.xxx.xxx.xxx MY IP
SECUTITY ALERT : EXPLOIT Remote Command Execution via Shell Script -2

And so on , i need to find out a way or how and why so many attacks , is my ISP weak ? in all my devices i'm using security softwares , my router firewall is activated .

Is there anything i'm i missing ?

Thanks
Note who has registered these IP addresses. If you do not recognize the owners, you could contact them to find out what's up or just notify your ISP.
Screen Shot 2018-09-15 at 1.25.12 PM.JPG
Screen Shot 2018-09-15 at 1.24.53 PM.JPG
 

ColinTaylor

Part of the Furniture
By the way i have the web access from Wan disabled as well as SSH and as for the authentication methode is on BOTH or it should be just on HTTP as https is not supported because i dont have a certificate ...
BOTH (or either) is fine for internal access. The main thing is you don't have remote access to your router enabled. Other than that, the type and number of messages you are seeing is perfectly normal.
 

peace25

New Around Here
BOTH (or either) is fine for internal access. The main thing is you don't have remote access to your router enabled. Other than that, the type and number of messages you are seeing is perfectly normal.
Cool thank you so much for the info , i will keep an eye from time to time on those attacks , i will even try to email the [email protected] to gather more info or at least to stop them ...
Have a nice evening :)
 

Beherit

Regular Contributor
I found this thread by googling "209.141.48.78". AIProtection has blocked several hundreds of attacks from that particular IP address.

What's scary is that I changed IP address to a whole different range, and the attacks continued.

@peace25, which email did you send the abuse complaint to? Did you receive any reply yet? I'll send one as well.
 

AndreiV

Very Senior Member
I found this thread by googling "209.141.48.78". AIProtection has blocked several hundreds of attacks from that particular IP address.

What's scary is that I changed IP address to a whole different range, and the attacks continued.

@peace25, which email did you send the abuse complaint to? Did you receive any reply yet? I'll send one as well.

It makes no difference what IP you are on, these are bots searching out unpatched ASUS routers. It's an old exploit , they bounce off the firewall without any help from AiProtection.

https://www.abuseipdb.com/check/209.141.48.78?page=1#report

Complain all you want, they won't even bother replying.
 

OzarkEdge

Part of the Furniture
It makes no difference what IP you are on, these are bots searching out unpatched ASUS routers. It's an old exploit , they bounce off the firewall without any help from AiProtection.

Meaning you're OK, you're still protected... AiProtection just isn't doing anything besides logging ASUS firewall activity with scary prose.

OE
 

peace25

New Around Here
I found this thread by googling "209.141.48.78". AIProtection has blocked several hundreds of attacks from that particular IP address.

What's scary is that I changed IP address to a whole different range, and the attacks continued.

@peace25, which email did you send the abuse complaint to? Did you receive any reply yet? I'll send one as well.
I did sent an email to digital ocean and they replied back by removing the user from their network . I still get his from time to time but from different ips not sure where from they are coming exactly ! Lol but I'm still investigating ... When I will get to the bottom of it I will post here .
 

Beherit

Regular Contributor
I did sent an email to digital ocean and they replied back by removing the user from their network . I still get his from time to time but from different ips not sure where from they are coming exactly ! Lol but I'm still investigating ... When I will get to the bottom of it I will post here .
Good job! On your part, I mean. Certainly not Digital Ocean being professional here, that user should be permbanned and have his accounts frozen for abuse.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top