Forum Discussion

Proton68
Aspirant
Feb 14, 2019

Orbi connection to China

Hi,

I've upgraded my IPS system and it has begun to send me alerts notifying me that my Orbi device was connecting on port 80 to an address that seems to be in China, and it does so regularly. Does anyone know why it does that?

Best regards

Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 10.1.1.16:52320, to: 203.205.142.208:80, protocol: TCP

Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 10.1.1.16:52230, to: 203.205.255.80:8080, protocol: TCP

14 Replies


  • Proton68 wrote:

    I've upgraded my IPS system

    What's that? Google suggests Integrated Plumbing Systems.

    203.205.142.208 is Tencent.

    • Proton68
      Aspirant

      michaelkenward wrote:

      Proton68 wrote:

      I've upgraded my IPS system

      What's that? Google suggests Integrated Plumbing Systems.

      203.205.142.208 is Tencent.

      :-)

      Intrusion Prevention System


  • Proton68 wrote:

    Hi,

    I've upgraded my IPS system and it has begun to send me alerts notifying me that my Orbi device was connecting on port 80 to an address that seems to be in China, and it does so regularly. Does anyone know why it does that?

    Best regards

    Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 10.1.1.16:52320, to: 203.205.142.208:80, protocol: TCP

    Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 10.1.1.16:52230, to: 203.205.255.80:8080, protocol: TCP

    When you use the Orbi app and you log in to your Netgear account, the app creates a VPN connection from your Netgear account on the cloud to Orbi to be able to manage your Orbi from the app. I think this is what your IPS sees.

    This is only needed when using the app for Orbi management, but not when you use the web GUI.

    • CrimpOn
      Guru

      The WhoIs lookup on these IPs traces back to:

      inetnum:        203.205.192.0 - 203.205.255.255
      netname:        TENCENT-NET-AP
      descr:          Shenzhen Tencent Computer Systems Company Limited
      descr:          Tencent Building, Kejizhongyi Avenue,Hi-techPark,
      descr:          NanshanDistrict, Shenzhen
      country:        CN

      inetnum:        203.205.128.0 - 203.205.159.255
      netname:        TENCENT-NET-AP
      descr:          Shenzhen Tencent Computer Systems Company Limited
      descr:          Tencent Building, Kejizhongyi Avenue,Hi-techPark,
      descr:          NanshanDistrict, Shenzhen
      country:        CN

      This doesn't smell like "Netgear" to me. If 10.1.1.16 is the Orbi's WAN port, you could use the debug page to capture the LAN traffic and see exactly which device on your Orbi is connecting to those IPs.


      • CrimpOn wrote:

        The WhoIs lookup on these IPs traces back to:

        inetnum:        203.205.192.0 - 203.205.255.255
        netname:        TENCENT-NET-AP
        descr:          Shenzhen Tencent Computer Systems Company Limited
        descr:          Tencent Building, Kejizhongyi Avenue,Hi-techPark,
        descr:          NanshanDistrict, Shenzhen
        country:        CN

        inetnum:        203.205.128.0 - 203.205.159.255
        netname:        TENCENT-NET-AP
        descr:          Shenzhen Tencent Computer Systems Company Limited
        descr:          Tencent Building, Kejizhongyi Avenue,Hi-techPark,
        descr:          NanshanDistrict, Shenzhen
        country:        CN

        See above.

        CrimpOn wrote:

        This doesn't smell like "Netgear" to me.

        Nor does it smell like the Chinese or Russian governments.

        Many of these things track back to something else on the local network. Sometimes an IoT device. Who knows?

        Don't immediately think Chinese IP address = nasty. Look under the hood for what is really going on.

        This is the important bit:

        ...capture the LAN traffic and see exactly which device on your Orbi is connecting to those IPs.

        The router's log may be helpful. But it also had a habit of finding useless and misleading information.

        But first check the plumbing.
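As an added example (not NETGEAR's code and not from any poster in this thread) that follows CrimpOn's and michaelkenward's advice, the script below parses alert lines in the format quoted above, checks each destination against the inetnum ranges from the WhoIs output, and groups alerts by source so that a single NATed source address stands out as the reason a LAN-side capture is needed. The alert text and ranges are copied from the thread; the WHOIS_RANGES table and the function names are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: the two alert messages quoted in the thread.
ALERTS = [
    "Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE "
    "Suspicious User-Agent (1 space). From: 10.1.1.16:52320, to: 203.205.142.208:80, protocol: TCP",
    "Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE "
    "Suspicious User-Agent (1 space). From: 10.1.1.16:52230, to: 203.205.255.80:8080, protocol: TCP",
]

# inetnum blocks from the WhoIs output in the thread, keyed by netname (assumed table layout).
WHOIS_RANGES = {
    "TENCENT-NET-AP": ["203.205.192.0 - 203.205.255.255",
                       "203.205.128.0 - 203.205.159.255"],
}

ALERT_RE = re.compile(
    r"Signature (?P<sig>.+?)\. From: (?P<src>[\d.]+):(?P<sport>\d+), "
    r"to: (?P<dst>[\d.]+):(?P<dport>\d+), protocol: (?P<proto>\w+)"
)

def parse_alert(line):
    """Pull signature, endpoints and protocol out of one alert line (None if no match)."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def range_networks(spec):
    """Turn an inetnum 'first - last' string into the CIDR blocks that cover it exactly."""
    first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def owner_of(ip, ranges=WHOIS_RANGES):
    """Return the netname whose inetnum contains ip, or None if it is unlisted."""
    addr = ipaddress.ip_address(ip)
    for name, specs in ranges.items():
        if any(addr in net for spec in specs for net in range_networks(spec)):
            return name
    return None

def triage(lines):
    """Group alerts by source and label each destination with its WhoIs owner.
    One source for every alert usually means the IPS only sees the router's WAN
    address (NAT); the real client must then be found with a LAN-side capture."""
    by_src = defaultdict(list)
    for a in filter(None, map(parse_alert, lines)):
        by_src[a["src"]].append((a["dst"], int(a["dport"]), owner_of(a["dst"])))
    return dict(by_src)
```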