After installing RAX50, two NAS show hacking attempts in their logs

Question

I installed an RAX50 to replace a ten year old Linksys WRT 1900 AC. The Linksys had nothing special in it's config and everything was running smoothly.

As soon as I put in the RAX50, traffic is getting through trying to get into both of my NAS, trying to use generic user IDs such as Admin, Root, Pi and System. Logs report the attempts are from the RAX50 (192.168.1.1). I've since blocked 192.168.1.1 on both NAS, I'm not sure if this will affect their normal operation. I don't want them accessible from the internet.

I also see thousands of login attempts (Admin & Administrator) on a PC that has a non-standard port forwarded to it for RDP.

Is the RAX50 just an unsecure piece of junk? I never had this issue with the Linksys.

Does anyone have any thoughts or advice?

My goal would be to block anything trying to access my network from the outside other than having a port open for me to RDP to one of my PCs.

Thank you,

Chris

michaelkenward · Answer

CJP001&nbsp;wrote:
&nbsp;
As soon as I put in the RAX50, traffic is getting through trying to get into both of my NAS, trying to use generic user IDs such as Admin, Root, Pi and System.&nbsp; Logs report the attempts are from the RAX50 (192.168.1.1).&nbsp; I've since blocked 192.168.1.1 on both NAS, I'm not sure if this will affect their normal operation.&nbsp; I don't want them accessible from the internet.
&nbsp;

What tells you that the NAS devices are accessible from the Internet?
&nbsp;
What are the log entries in the RAX50?
&nbsp;
Do you really want to stop your NAS from communicating with the router?
&nbsp;

Is the&nbsp;RAX50 just an unsecure piece of junk?&nbsp; I never had this issue with the Linksys.
&nbsp;

Netgear is famous for creating spurious and scary log entries that mean nothing. Turning off those recordings does nothing to reduce the router's protection from the outside world. Maybe your Linksys just had different logging procedures.&nbsp;
&nbsp;
&nbsp;

CJP001 · Answer

It's the logs from both the NAS devices that show the hacking attempts. The logs of both show repeated attempts from 192.168.1.1 (the address of the Netgear) to access them using the user IDs Admin, Root, Pi and System.

For the years that the Linksys was in place, there was never any alerts from either NAS like this.

The day after the Netgear was swapped in, both NAS devices started sending me alerts of the failed login attempts.

Also the day after the Netgear was swapped in, the event log on my Windows PC is showing thousands of failed login attempts, whereas with the Linksys, this never happened.

Everything was quiet until the Netgear was introduced.

michaelkenward · Answer

If anything "creepy", as НolyЅtinkFinger puts it, reaches the NAS from the outside world it will have passed through the router. Maybe the logs on the RAX50 will offer some clues. Although, as already mentioned, they have a habit of creating false positives.
&nbsp;

CJP001 · Answer

I checked the log of the Netgear.&nbsp; There's under 1000 entries only going back 48 hours.&nbsp; Is that all it keeps?!&nbsp;I'm seeing a lot of these in the log:[DoS attack: Fraggle Attack] from source UNKNOWN,port 443 Wednesday, Apr 10, 2024 16:45:47[DoS attack: ACK Scan] from source 52.7.79.159,port 443 Wednesday, Apr 10, 2024 16:45:18[DoS attack: Fraggle Attack] from source UNKNOWN,port 80 Wednesday, Apr 10, 2024 16:35:22[DoS attack: ACK Scan] from source 104.73.9.248,port 80 Wednesday, Apr 10, 2024 16:32:41&nbsp;And the rest are these:[LAN access from remote] from 103.148.49.39 port 65299 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:20:45[LAN access from remote] from 103.148.49.39 port 65359 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:34:03[LAN access from remote] from 103.148.49.39 port 65403 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:39:23[LAN access from remote] from 103.148.49.39 port 65426 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:38:40[LAN access from remote] from 103.148.49.39 port 65453 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:40:06[LAN access from remote] from 107.170.237.59 port 32954 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:14[LAN access from remote] from 107.170.237.59 port 34704 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:20[LAN access from remote] from 107.170.237.59 port 38218 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:22[LAN access from remote] from 107.170.237.59 port 41810 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:23[LAN access from remote] from 107.170.237.59 port 43484 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:15[LAN access from remote] from 107.170.237.59 port 45464 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:24&nbsp;&nbsp;Why is the Netgear letting these random ports get to 3389?&nbsp; I had exactly one particular port forwarded to 3389.&nbsp; Why is the Netgear letting ANY port get to 3389 and attempt an RDP login?&nbsp;I have since went into window and moved the RDP port off of 3389.&nbsp;Chris

michaelkenward · Answer

CJP001&nbsp;wrote:
&nbsp;
I'm seeing a lot of these in the log:
[DoS attack: Fraggle Attack] from source UNKNOWN,port 443 Wednesday, Apr 10, 2024 16:45:47[DoS attack: ACK Scan] from source 52.7.79.159,port 443 Wednesday, Apr 10, 2024 16:45:18[DoS attack: Fraggle Attack] from source UNKNOWN,port 80 Wednesday, Apr 10, 2024 16:35:22[DoS attack: ACK Scan] from source 104.73.9.248,port 80 Wednesday, Apr 10, 2024 16:32:41
&nbsp;

Classic Netgear false alarms. The two IP addresses are Amazon and Akamai.
&nbsp;
Newer Netgear devices have firmware that prevents these false positives.
&nbsp;
Search - NETGEAR Communities – DoS attacks
&nbsp;
Your Linksys probably won't have seen those.
&nbsp;
As to these:
&nbsp;
CJP001&nbsp;wrote:
[LAN access from remote] from 103.148.49.39 port 65453 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:40:06[LAN access from remote] from 107.170.237.59 port 32954 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:14

IP Addresses Report
&nbsp;
Created by using IPNetInfo
&nbsp;

Order
IP Address
Status
Country
Network Name
Owner Name
From IP
To IP
CIDR
Allocated
Contact Name
Address
Postal Code
Email
Abuse Email
Abuse Contact
Phone
Fax
Whois Source
Host Name
Resolved Name

1
103.148.49.39
Succeed
Indonesia
BCMEDIA-ID
PT. Borneo Cakrawala Media
103.148.48.0
103.148.49.255
103.148.48.0/23
Yes
Ali Prayitno
Jl.Dr.Wahidin S Gg Batas Pandang No.3 Pontianak 78113 Indonesia
&nbsp;
ali@bcmedia.co.id
&nbsp;
admin@bcmedia.co.id
+62-81-1333244
&nbsp;
APNIC
&nbsp;
host-103-148-49-39.bcmedia.co.id

2
107.170.237.59
Succeed
USA - New York
DIGITALOCEAN-107-170-0-0
DigitalOcean, LLC
107.170.0.0
107.170.255.255
107.170.0.0/16
Yes
DigitalOcean, LLC
101 Ave of the Americas FL2 New York
10013
noc@digitalocean.com
abuse@digitalocean.com
&nbsp;
+1-347-875-6044
&nbsp;
ARIN
&nbsp;
apzg-0721-a-073.stretchoid.com

&nbsp;
Ring any bells?
&nbsp;
CJP001&nbsp;wrote:
I checked the log of the Netgear.&nbsp; There's under 1000 entries only going back 48 hours. Is that all it keeps?!
&nbsp;

Probably until it gets full. Too much and the router will fall over as the memory fills up. That's one reason for limiting what the router logs and holds in its memory.
&nbsp;
You can get the router to email you log reports.
&nbsp;
&nbsp;

Forum Discussion

After installing RAX50, two NAS show hacking attempts in their logs

6 Replies