Unknown SSH connections on an NSA520

[MrDini]

Hi,

A person, who just bought a new 520 about a few months ago, contacted me and I helped him to set up the nas for basic home usage. But somebody, before me told him at a forum (where he also asked for help) to open ports 80,22,23,25,21. And he did it... So, when I noticed this offered him to immediatelly close theese ports. So now, only the TM's communication port is open, the UPnP are disabled on the router.

But this afternoon, he also send me an interesting screenshot from the NAS's webGUI, where I Could see some external IPs logged in to SSH...

He Can't speak English, that's why I write this, but please help. I am puzzled about what's happening now...

Thanks!

[Mijzelf]

Can you post the output of 'netstat -tu' on that box? And can you test if you can actually connect to port 22 on his public IP?

[jagdtigger]

Now that its mentioned i remembered that i have this "problem" as well:
https://dl.dropboxusercontent.com/u/120 ... l/ssh-.PNG
From netstat -tu:

Code: Select all

tcp        0  73824 10.125.210.20:krb524    203.87.129.162:22892    ESTABLISHED

Full dump:
https://dl.dropboxusercontent.com/u/120 ... l/ssh-.txt

I never bothered to start a thread since an outsider cannot connect to it(verified it through my mobile internet and my laptop)...


I checked it again and its the same, there is nothing on port 22, i blocked that IP in my router just in case.

/edit
who -a does not show it, hmmm....
https://dl.dropboxusercontent.com/u/120 ... l/ssh2.PNG

/edit2
Just checked it again, its still established despite my router is configured to block that IP. I set that rule to make a log entry every time it blocks traffic to that IP, but i cant see any entry made by this rule...

/edit3
Found it, it was a connection made by transmission...
https://dl.dropboxusercontent.com/u/120 ... al/ssh.PNG

I disabled then re enabled it and it gone. But i dont know why it was showing up in current connections as SSH...

[MrDini]

Can you post the output of 'netstat -tu' on that box? And can you test if you can actually connect to port 22 on his public IP?

Hi,

First of all, thanks for Your reply!

No, I Cannot connect to his port 22 So it is closed. The netstat showed the unknown address, but I told him to check the 'env', where a variable (i don't exactly know what's the exact name without a linux shell) shows the current "real" SSH connections. And here, we Cannot see the IP. So that was another type of connection. Secondly, I told him to disable the Transmission, and when he did it, all of theese secret IP addresses disappeared.

So, mistery solved!

[MrDini]

@jagdtigger, looks like, You have similar problem.

[Mijzelf]

Transmission of course gives a bunch of random connections. I wouldn't expect the webinterface to erroneously list that as ssh connections. But it's zyxel, so...

[voland]

Sorry, folks, I cannot agree that it is an Transmission connection
https://1drv.ms/i/s!AhOcYBMesZg91DYc-X-gvTHDcNru

At router I forwarded port 22 from WAN to wrong port at non-existing intranet IP, but no avail:
https://1drv.ms/i/s!AhOcYBMesZg91D5RYTH28nlQAuRL

[voland]

...and again, this time with AFP protocol (not SSH) - again there is no match with Transmission:
https://1drv.ms/i/s!AhOcYBMesZg91D0h5QlLZ7AGr9sp

......

But in that case there is the match:
https://1drv.ms/i/s!AhOcYBMesZg91DUGGdAJvcAjlPN0
https://1drv.ms/i/s!AhOcYBMesZg91DcqLUJgS-dakbVH

WTH?!

------

Is it possible to Transmission have had some flaw, allowed attacker to tunnel his IP/activity/protocol through other IP/activity/protocol? In other words, is it possible to "Current connections" window say true, when basic utilities such a netstat are being deceived?