Proton68
Feb 14, 2019 Aspirant
Orbi connection to China
Hi,
I've upgraded my IPS system and it has begun to send me alerts notifying me that my Orbi device was connecting on port 80 to an address that seems to be in China, and it does so regularly. doe...
CrimpOn
Feb 14, 2019 Guru - Experienced User
The WhoIs lookup on these IP's traces back to:
inetnum: 203.205.192.0 - 203.205.255.255
netname: TENCENT-NET-AP
descr: Shenzhen Tencent Computer Systems Company Limited
descr: Tencent Building, Kejizhongyi Avenue,Hi-techPark,
descr: NanshanDistrict, Shenzhen
country: CN

inetnum: 203.205.128.0 - 203.205.159.255
netname: TENCENT-NET-AP
descr: Shenzhen Tencent Computer Systems Company Limited
descr: Tencent Building, Kejizhongyi Avenue,Hi-techPark,
descr: NanshanDistrict, Shenzhen
country: CN
This doesn't smell like "Netgear" to me. If 10.1.1.16 is the Orbi's WAN port, you could use the debug page to capture the LAN traffic and see exactly which device on your Orbi is connecting to those IP's.
JoeCymru
Feb 15, 2019 Virtuoso
Personally I would be concerned, and not about Orbi. Tencent is the largest social gaming company on earth and also has an instant messaging service. Port 80 traffic to Tencent could be a worm or trojan utilizing one of your devices to try to hook up for fraudulent purposes.
- CrimpOn Feb 15, 2019 Guru - Experienced User
Once the connection is traced to a specific device, the next step may be to determine which app on that device is opening the connection.
- michaelkenward Feb 15, 2019 Guru - Experienced User
CrimpOn wrote:
Once the connection is traced to a specific device, the next step may be to determine which app on that device is opening the connection.
To help to home in on this excellent suggestion, in the past there have been references to devices like IoT cameras and other cloud connected widgets. They make a lot of those in China!
- CrimpOn Feb 15, 2019 Guru - Experienced User
I don't know if it matters whether the Orbi is in "router" or "AP" mode (my Orbi is in router), but @ekhalil showed me how to display all the "open ports".
Browse to the Orbi debug page, usually 192.168.1.1/debug.htm
Check the box "Enable Telnet"
Use your favorite telnet application to telnet to the Orbi and log in with the same "admin" and password
Enter the command cat /proc/net/ip_conntrack
It is sort of tedious to locate the IP you want in the telnet window, so I save the telnet session to a file and use a text editor to find what I want, sort the entries, etc. Every time I used the Windows telnet client, I would forget to save the session to a file, so I changed over to PuTTY and created a script that always saves the session to a unique text file.
After closing the telnet session, remember to go back to the debug page and turn off telnet access.
Once the device which has opened that IP connection has been located, I believe there are similar commands to display which application has the port open.
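
The manual search described in the comment above can be scripted. This is an added example, not code posted by anyone in the thread: it scans a saved telnet session for conntrack entries whose destination falls inside the two inetnum ranges from the WhoIs output and reports which originating address opened them. The sample session is constructed, and the parser assumes the usual ip_conntrack layout in which the first src=/dst= pair on a line is the original direction.

```python
import ipaddress
import re
from collections import Counter

# inetnum ranges quoted from the WhoIs output in this thread
WATCH_RANGES = [("203.205.192.0", "203.205.255.255"),
                ("203.205.128.0", "203.205.159.255")]
WATCH_NETS = [net for lo, hi in WATCH_RANGES
              for net in ipaddress.summarize_address_range(
                  ipaddress.ip_address(lo), ipaddress.ip_address(hi))]

# Constructed sample of a saved telnet session (not captured from a real Orbi).
SAMPLE_SESSION = """\
# cat /proc/net/ip_conntrack
tcp      6 431978 ESTABLISHED src=192.168.1.23 dst=203.205.219.232 sport=51514 dport=80 packets=9 bytes=1422 src=203.205.219.232 dst=10.1.1.16 sport=80 dport=51514 packets=7 bytes=3010 [ASSURED] mark=0 use=2
udp      17 12 src=192.168.1.40 dst=8.8.8.8 sport=40211 dport=53 packets=1 bytes=61 [UNREPLIED] src=8.8.8.8 dst=10.1.1.16 sport=53 dport=40211 packets=0 bytes=0 mark=0 use=2
tcp      6 87 TIME_WAIT src=192.168.1.23 dst=203.205.147.10 sport=51502 dport=80 packets=6 bytes=830 src=203.205.147.10 dst=10.1.1.16 sport=80 dport=51502 packets=5 bytes=1190 [ASSURED] mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.40 dst=192.168.1.1 sport=50022 dport=23 packets=40 bytes=2100 src=192.168.1.1 dst=192.168.1.40 sport=23 dport=50022 packets=35 bytes=9000 [ASSURED] mark=0 use=2
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def watched_flows(session_text, nets=WATCH_NETS):
    """Return (lan_src, remote_dst, proto, dport) for each flow into `nets`."""
    hits = []
    for line in session_text.splitlines():
        fields = {}
        for key, value in FIELD.findall(line):
            # Each entry lists the original tuple first, then the reply
            # tuple (post-NAT); keep only the first value of every key.
            fields.setdefault(key, value)
        if "src" not in fields or "dst" not in fields:
            continue  # prompt, banner or other non-entry line
        try:
            dst = ipaddress.ip_address(fields["dst"])
        except ValueError:
            continue  # truncated or garbled line in the capture
        if any(dst in net for net in nets):
            hits.append((fields["src"], str(dst), line.split()[0],
                         fields.get("dport", "-")))
    return hits

def count_by_device(hits):
    """Count watched flows per originating address."""
    return Counter(src for src, *_ in hits)

if __name__ == "__main__":
    for device, n in count_by_device(watched_flows(SAMPLE_SESSION)).most_common():
        print(f"{device}: {n} connection(s) into the watched ranges")
```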