General NAS-Central Forums

PostPosted: Thu Dec 01, 2016 7:51 pm 

Joined: Mon Dec 21, 2015 7:21 pm
Posts: 597
Hi,

A person who bought a new 520 a few months ago contacted me, and I helped him set up the NAS for basic home usage. But somebody before me told him on a forum (where he also asked for help) to open ports 80, 22, 23, 25, 21. And he did it... So, when I noticed this, I advised him to immediately close these ports. So now only the TM's communication port is open, and UPnP is disabled on the router.

But this afternoon he also sent me an interesting screenshot from the NAS's web GUI, where I could see some external IPs logged in to SSH...

He can't speak English, which is why I am writing this, but please help. I am puzzled about what's happening now...

Thanks!

_________________
Thanks nas-central the lot of help! :)


 
PostPosted: Fri Dec 02, 2016 12:53 pm 

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6047
Can you post the output of 'netstat -tu' on that box? And can you test if you can actually connect to port 22 on his public IP?


 
PostPosted: Sun Dec 04, 2016 7:27 pm 

Joined: Sat Jun 08, 2013 9:02 am
Posts: 116
Now that it's mentioned, I remembered that I have this "problem" as well:
https://dl.dropboxusercontent.com/u/120 ... l/ssh-.PNG
From netstat -tu:
Code:
tcp        0  73824 10.125.210.20:krb524    203.87.129.162:22892    ESTABLISHED


Full dump:
https://dl.dropboxusercontent.com/u/120 ... l/ssh-.txt

I never bothered to start a thread since an outsider cannot connect to it (verified it through my mobile internet and my laptop)...


I checked it again and it's the same, there is nothing on port 22. I blocked that IP in my router just in case.

/edit
who -a does not show it, hmmm....
https://dl.dropboxusercontent.com/u/120 ... l/ssh2.PNG

/edit2
Just checked it again, it's still established even though my router is configured to block that IP. I set that rule to make a log entry every time it blocks traffic to that IP, but I can't see any entry made by this rule...

/edit3
Found it, it was a connection made by Transmission...
https://dl.dropboxusercontent.com/u/120 ... al/ssh.PNG

I disabled then re-enabled it and it was gone. But I don't know why it was showing up in current connections as SSH...

_________________
Zyxel NSA325 [4.71(AAAJ.0) + FFP, retired]
Zyxel NAS540 [V5.20(AATB.0)]


Last edited by jagdtigger on Sun Dec 04, 2016 8:38 pm, edited 4 times in total.
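
An added example (not code from any poster in this thread): a small shell filter that labels each ESTABLISHED line of `netstat -tu` output by whether its local end is the SSH port, which is the check the posts above work through by hand. It assumes sshd listens on the default port 22; the first sample line is the one quoted in the post above, and the other sample lines, addresses and process names are constructed.

```shell
#!/bin/sh
# Added example: classify ESTABLISHED TCP lines from `netstat -tu` / `netstat -tunp`.
# Assumption: sshd listens on the default port 22 (printed as "ssh" without -n).

classify_conns() {
    # stdin: netstat output; stdout: "<label> <local> <foreign> <owner>"
    awk '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        lport = $4; sub(/.*:/, "", lport)   # text after the last ":" (works for IPv6 too)
        rport = $5; sub(/.*:/, "", rport)
        owner = ($7 == "" ? "-" : $7)        # PID/Program column, present only with -p
        if (lport == "22" || lport == "ssh")      label = "inbound-ssh"
        else if (rport == "22" || rport == "ssh") label = "outbound-ssh"
        else                                      label = "not-ssh"
        print label, $4, $5, owner
    }'
}

# Sample input: first tcp line is quoted from the thread, the rest are constructed.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0  73824 10.125.210.20:krb524    203.87.129.162:22892    ESTABLISHED
tcp        0      0 10.125.210.20:ssh       192.0.2.44:51312        ESTABLISHED 2101/sshd
tcp        0      0 10.125.210.20:51413     198.51.100.7:6881       ESTABLISHED 1840/transmission-daemon
tcp        0      0 10.125.210.20:22        203.0.113.9:40022       TIME_WAIT   -
EOF
}

# Count how many classified sample lines carry the label given in $1.
count_label() {
    sample_netstat | classify_conns | grep -c "^$1 "
}

sample_netstat | classify_conns
```

On the box itself, pipe live output through the same function (`netstat -tun | classify_conns`); where the installed netstat supports `-p` and is run as root, the last column names the owning process.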

 
PostPosted: Sun Dec 04, 2016 7:40 pm 

Joined: Mon Dec 21, 2015 7:21 pm
Posts: 597
Mijzelf wrote:
Can you post the output of 'netstat -tu' on that box? And can you test if you can actually connect to port 22 on his public IP?


Hi,

First of all, thanks for your reply!

No, I cannot connect to his port 22, so it is closed. The netstat showed the unknown address, but I told him to check the 'env', where a variable (I don't know the exact name without a Linux shell) shows the current "real" SSH connections. And here we cannot see the IP. So that was another type of connection. Secondly, I told him to disable Transmission, and when he did it, all of these secret IP addresses disappeared. :)

So, mystery solved!

_________________
Thanks nas-central the lot of help! :)


 
PostPosted: Sun Dec 04, 2016 8:52 pm 

Joined: Mon Dec 21, 2015 7:21 pm
Posts: 597
@jagdtigger, looks like you have a similar problem. :roll:

_________________
Thanks nas-central the lot of help! :)


 
PostPosted: Sun Dec 04, 2016 8:56 pm 

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6047
Transmission of course gives a bunch of random connections. I wouldn't expect the web interface to erroneously list that as ssh connections. But it's Zyxel, so...


 
PostPosted: Wed Mar 08, 2017 11:39 pm 

Joined: Fri Jul 03, 2015 10:47 am
Posts: 4
Sorry, folks, I cannot agree that it is a Transmission connection :(
https://1drv.ms/i/s!AhOcYBMesZg91DYc-X-gvTHDcNru

At the router I forwarded port 22 from WAN to a wrong port at a non-existing intranet IP, but to no avail:
https://1drv.ms/i/s!AhOcYBMesZg91D5RYTH28nlQAuRL


Last edited by voland on Thu Mar 09, 2017 12:10 pm, edited 1 time in total.

 
PostPosted: Thu Mar 09, 2017 2:52 am 

Joined: Fri Jul 03, 2015 10:47 am
Posts: 4
...and again, this time with AFP protocol (not SSH) - again there is no match with Transmission:
https://1drv.ms/i/s!AhOcYBMesZg91D0h5QlLZ7AGr9sp

......

But in that case there is the match:
https://1drv.ms/i/s!AhOcYBMesZg91DUGGdAJvcAjlPN0
https://1drv.ms/i/s!AhOcYBMesZg91DcqLUJgS-dakbVH

WTH?!

------

Is it possible that Transmission has had some flaw that allowed an attacker to tunnel his IP/activity/protocol through another IP/activity/protocol? In other words, is it possible that the "Current connections" window tells the truth while basic utilities such as netstat are being deceived? :shock:

