Unknown SSH connections on an NSA520

Mindspeed Comcerto 2000 based
MrDini
Posts: 651
Joined: Mon Dec 21, 2015 7:21 pm

Unknown SSH connections on an NSA520

Post by MrDini » Thu Dec 01, 2016 7:51 pm

Hi,

A person who bought a new 520 a few months ago contacted me, and I helped him set up the NAS for basic home usage. But somebody before me told him on a forum (where he also asked for help) to open ports 80, 22, 23, 25, 21. And he did it... So, when I noticed this, I advised him to immediately close these ports. So now only the TM's communication port is open, and UPnP is disabled on the router.

But this afternoon he also sent me an interesting screenshot from the NAS's web GUI, where I could see some external IPs logged in to SSH...

He can't speak English, that's why I am writing this, but please help. I am puzzled about what's happening now...

Thanks!
Thanks nas-central the lot of help! :)

Mijzelf
Posts: 6198
Joined: Mon Jun 16, 2008 10:45 am

Re: Unknown SSH connections on an NSA520

Post by Mijzelf » Fri Dec 02, 2016 12:53 pm

Can you post the output of 'netstat -tu' on that box? And can you test if you can actually connect to port 22 on his public IP?

jagdtigger
Posts: 117
Joined: Sat Jun 08, 2013 9:02 am

Re: Unknown SSH connections on an NSA520

Post by jagdtigger » Sun Dec 04, 2016 7:27 pm

Now that it's mentioned, I remembered that I have this "problem" as well:
https://dl.dropboxusercontent.com/u/120 ... l/ssh-.PNG
From netstat -tu:

tcp        0  73824 10.125.210.20:krb524    203.87.129.162:22892    ESTABLISHED
Full dump:
https://dl.dropboxusercontent.com/u/120 ... l/ssh-.txt

I never bothered to start a thread since an outsider cannot connect to it (verified it through my mobile internet and my laptop)...

I checked it again and it's the same, there is nothing on port 22. I blocked that IP in my router just in case.

/edit
who -a does not show it, hmmm....
https://dl.dropboxusercontent.com/u/120 ... l/ssh2.PNG

/edit2
Just checked it again, it's still established even though my router is configured to block that IP. I set that rule to make a log entry every time it blocks traffic to that IP, but I can't see any entry made by this rule...

/edit3
Found it, it was a connection made by transmission...
https://dl.dropboxusercontent.com/u/120 ... al/ssh.PNG

I disabled then re-enabled it and it was gone. But I don't know why it was showing up in current connections as SSH...
Last edited by jagdtigger on Sun Dec 04, 2016 8:38 pm, edited 4 times in total.
Zyxel NSA325 [4.81(AAAJ.1) + Metarepo, local apt-mirror for ubuntu and debian]
Zyxel NAS540 [V5.20(AATB.0)]
Synology DS416

MrDini
Posts: 651
Joined: Mon Dec 21, 2015 7:21 pm

Re: Unknown SSH connections on an NSA520

Post by MrDini » Sun Dec 04, 2016 7:40 pm

Mijzelf wrote: Can you post the output of 'netstat -tu' on that box? And can you test if you can actually connect to port 22 on his public IP?

Hi,

First of all, thanks for your reply!

No, I cannot connect to his port 22, so it is closed. The netstat showed the unknown address, but I told him to check the 'env', where a variable (I don't exactly know what the exact name is without a Linux shell) shows the current "real" SSH connections. And here, we cannot see the IP. So that was another type of connection. Secondly, I told him to disable Transmission, and when he did it, all of these secret IP addresses disappeared. :)

So, mystery solved!

MrDini
Posts: 651
Joined: Mon Dec 21, 2015 7:21 pm

Re: Unknown SSH connections on an NSA520

Post by MrDini » Sun Dec 04, 2016 8:52 pm

@jagdtigger, looks like you have a similar problem. :roll:

Mijzelf
Posts: 6198
Joined: Mon Jun 16, 2008 10:45 am

Re: Unknown SSH connections on an NSA520

Post by Mijzelf » Sun Dec 04, 2016 8:56 pm

Transmission of course gives a bunch of random connections. I wouldn't expect the web interface to erroneously list that as SSH connections. But it's Zyxel, so...
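
Added example, not part of the original thread and not Zyxel's code: a triage script that separates real inbound SSH sessions (local port exactly 22) from connections that merely contain ":22" somewhere, as in the netstat line quoted above. The substring matcher is a hypothetical illustration of how such a mislabel can arise, the function names are invented here, and all sample rows except the first are constructed.

```shell
#!/bin/sh
# Constructed sample in `netstat -tn` format. The first row is the line quoted
# in the thread with krb524 written numerically (4444/tcp in /etc/services);
# the other rows use documentation addresses and are invented for illustration.
SAMPLE='tcp        0  73824 10.125.210.20:4444      203.87.129.162:22892    ESTABLISHED
tcp        0      0 10.125.210.20:22        198.51.100.7:51514      ESTABLISHED
tcp        0      0 10.125.210.20:51413     192.0.2.44:22           ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Hypothetical naive matcher: any established row containing ":22" is "SSH".
naive_ssh_peers() {
    grep ':22' | awk '$6 == "ESTABLISHED" { print $5 }'
}

# Stricter check: ESTABLISHED and the local port is exactly 22,
# i.e. a peer that is really connected to the sshd on this box.
inbound_ssh_peers() {
    awk '$6 == "ESTABLISHED" {
        n = split($4, a, ":")      # port is the last ":"-separated field
        if (a[n] == "22") print $5
    }'
}

# Peers the naive matcher reports that the strict check does not.
mislabelled_peers() {
    input=$(cat)
    strict=$(printf '%s\n' "$input" | inbound_ssh_peers)
    printf '%s\n' "$input" | naive_ssh_peers | while read -r peer; do
        printf '%s\n' "$strict" | grep -qxF "$peer" || echo "$peer"
    done
}

printf '%s\n' "$SAMPLE" | mislabelled_peers
```

On a live box, feed it `netstat -tn` rather than `netstat -tu`, so ports are printed as numbers instead of service names such as krb524.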

voland
Posts: 4
Joined: Fri Jul 03, 2015 10:47 am

Re: Unknown SSH connections on an NSA520

Post by voland » Wed Mar 08, 2017 11:39 pm

Sorry, folks, I cannot agree that it is a Transmission connection :(
https://1drv.ms/i/s!AhOcYBMesZg91DYc-X-gvTHDcNru

At the router I forwarded port 22 from WAN to a wrong port at a non-existent intranet IP, but to no avail:
https://1drv.ms/i/s!AhOcYBMesZg91D5RYTH28nlQAuRL
Last edited by voland on Thu Mar 09, 2017 12:10 pm, edited 1 time in total.

voland
Posts: 4
Joined: Fri Jul 03, 2015 10:47 am

Re: Unknown SSH connections on an NSA520

Post by voland » Thu Mar 09, 2017 2:52 am

...and again, this time with AFP protocol (not SSH) - again there is no match with Transmission:
https://1drv.ms/i/s!AhOcYBMesZg91D0h5QlLZ7AGr9sp

......

But in that case there is the match:
https://1drv.ms/i/s!AhOcYBMesZg91DUGGdAJvcAjlPN0
https://1drv.ms/i/s!AhOcYBMesZg91DcqLUJgS-dakbVH

WTH?!

------

Is it possible that Transmission has had some flaw that allowed an attacker to tunnel his IP/activity/protocol through another IP/activity/protocol? In other words, is it possible for the "Current connections" window to tell the truth while basic utilities such as netstat are being deceived? :shock:
