CJP001
Apr 10, 2024 Aspirant
After installing RAX50, two NAS show hacking attempts in their logs
I installed an RAX50 to replace a ten year old Linksys WRT 1900 AC. The Linksys had nothing special in its config and everything was running smoothly. As soon as I put in the RAX50, traffic is ...
michaelkenward
Apr 10, 2024 Guru
CJP001 wrote:
As soon as I put in the RAX50, traffic is getting through trying to get into both of my NAS, trying to use generic user IDs such as Admin, Root, Pi and System. Logs report the attempts are from the RAX50 (192.168.1.1). I've since blocked 192.168.1.1 on both NAS, I'm not sure if this will affect their normal operation. I don't want them accessible from the internet.
What tells you that the NAS devices are accessible from the Internet?
What are the log entries in the RAX50?
Do you really want to stop your NAS from communicating with the router?
Is the RAX50 just an unsecure piece of junk? I never had this issue with the Linksys.
Netgear is famous for creating spurious and scary log entries that mean nothing. Turning off those recordings does nothing to reduce the router's protection from the outside world. Maybe your Linksys just had different logging procedures.
CJP001
Apr 10, 2024 Aspirant
It's the logs from both the NAS devices that show the hacking attempts. The logs of both show repeated attempts from 192.168.1.1 (the address of the Netgear) to access them using the user IDs Admin, Root, Pi and System.
For the years that the Linksys was in place, there were never any alerts from either NAS like this.
The day after the Netgear was swapped in, both NAS devices started sending me alerts of the failed login attempts.
Also the day after the Netgear was swapped in, the event log on my Windows PC is showing thousands of failed login attempts, whereas with the Linksys, this never happened.
Everything was quiet until the Netgear was introduced.
- michaelkenward Apr 10, 2024 Guru
If anything "creepy", as НolyЅtinkFinger puts it, reaches the NAS from the outside world it will have passed through the router. Maybe the logs on the RAX50 will offer some clues. Although, as already mentioned, they have a habit of creating false positives.
- CJP001 Apr 10, 2024 Aspirant
I checked the log of the Netgear. There's under 1000 entries only going back 48 hours. Is that all it keeps?!
I'm seeing a lot of these in the log:
[DoS attack: Fraggle Attack] from source UNKNOWN,port 443 Wednesday, Apr 10, 2024 16:45:47
[DoS attack: ACK Scan] from source 52.7.79.159,port 443 Wednesday, Apr 10, 2024 16:45:18
[DoS attack: Fraggle Attack] from source UNKNOWN,port 80 Wednesday, Apr 10, 2024 16:35:22
[DoS attack: ACK Scan] from source 104.73.9.248,port 80 Wednesday, Apr 10, 2024 16:32:41
And the rest are these:
[LAN access from remote] from 103.148.49.39 port 65299 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:20:45
[LAN access from remote] from 103.148.49.39 port 65359 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:34:03
[LAN access from remote] from 103.148.49.39 port 65403 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:39:23
[LAN access from remote] from 103.148.49.39 port 65426 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:38:40
[LAN access from remote] from 103.148.49.39 port 65453 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:40:06
[LAN access from remote] from 107.170.237.59 port 32954 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:14
[LAN access from remote] from 107.170.237.59 port 34704 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:20
[LAN access from remote] from 107.170.237.59 port 38218 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:22
[LAN access from remote] from 107.170.237.59 port 41810 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:23
[LAN access from remote] from 107.170.237.59 port 43484 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:15
[LAN access from remote] from 107.170.237.59 port 45464 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:24
Why is the Netgear letting these random ports get to 3389? I had exactly one particular port forwarded to 3389. Why is the Netgear letting ANY port get to 3389 and attempt an RDP login?
I have since gone into Windows and moved the RDP port off of 3389.
Chris
- michaelkenward Apr 11, 2024 Guru
CJP001 wrote:
I'm seeing a lot of these in the log:
[DoS attack: Fraggle Attack] from source UNKNOWN,port 443 Wednesday, Apr 10, 2024 16:45:47
[DoS attack: ACK Scan] from source 52.7.79.159,port 443 Wednesday, Apr 10, 2024 16:45:18
[DoS attack: Fraggle Attack] from source UNKNOWN,port 80 Wednesday, Apr 10, 2024 16:35:22
[DoS attack: ACK Scan] from source 104.73.9.248,port 80 Wednesday, Apr 10, 2024 16:32:41
Classic Netgear false alarms. The two IP addresses are Amazon and Akamai.
Newer Netgear devices have firmware that prevents these false positives.
Search - NETGEAR Communities – DoS attacks
Your Linksys probably won't have seen those.
As to these:
CJP001 wrote:
[LAN access from remote] from 103.148.49.39 port 65453 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:40:06
[LAN access from remote] from 107.170.237.59 port 32954 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:14
IP Addresses Report
Created by using IPNetInfo
1. 103.148.49.39
   Status: Succeed
   Country: Indonesia
   Network Name: BCMEDIA-ID
   Owner Name: PT. Borneo Cakrawala Media
   From IP: 103.148.48.0
   To IP: 103.148.49.255
   CIDR: 103.148.48.0/23
   Allocated: Yes
   Contact Name: Ali Prayitno
   Address: Jl.Dr.Wahidin S Gg Batas Pandang No.3, Pontianak 78113, Indonesia
   Email: ali@bcmedia.co.id
   Abuse Email: admin@bcmedia.co.id
   Phone: +62-81-1333244
   Whois Source: APNIC
   Host name: host-103-148-49-39.bcmedia.co.id
2. 107.170.237.59
   Status: Succeed
   Country: USA - New York
   Network Name: DIGITALOCEAN-107-170-0-0
   Owner Name: DigitalOcean, LLC
   From IP: 107.170.0.0
   To IP: 107.170.255.255
   CIDR: 107.170.0.0/16
   Allocated: Yes
   Contact Name: DigitalOcean, LLC
   Address: 101 Ave of the Americas, FL2, New York
   Postal Code: 10013
   Email: noc@digitalocean.com
   Abuse Email: abuse@digitalocean.com
   Phone: +1-347-875-6044
   Whois Source: ARIN
   Host name: apzg-0721-a-073.stretchoid.com
Ring any bells?
CJP001 wrote:
I checked the log of the Netgear. There's under 1000 entries only going back 48 hours. Is that all it keeps?!
Probably until it gets full. Too much and the router will fall over as the memory fills up. That's one reason for limiting what the router logs and holds in its memory.
You can get the router to email you log reports.
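A small parser for the router log format quoted in this thread, added here as an example (it was not posted by any participant and is not NETGEAR code). It groups the [LAN access from remote] entries by LAN host and port, reading the first port in each entry as the remote sender's source port and the second as the LAN destination port; the sample lines are copied from the log above, and the function and variable names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entries copied from the RAX50 log quoted in this thread.
SAMPLE_LOG = """\
[DoS attack: Fraggle Attack] from source UNKNOWN,port 443 Wednesday, Apr 10, 2024 16:45:47
[DoS attack: ACK Scan] from source 52.7.79.159,port 443 Wednesday, Apr 10, 2024 16:45:18
[LAN access from remote] from 103.148.49.39 port 65299 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:20:45
[LAN access from remote] from 103.148.49.39 port 65426 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:38:40
[LAN access from remote] from 103.148.49.39 port 65453 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 14:40:06
[LAN access from remote] from 107.170.237.59 port 32954 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:14
[LAN access from remote] from 107.170.237.59 port 43484 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:15
[LAN access from remote] from 107.170.237.59 port 45464 to 192.168.1.123 port 3389 Monday, Apr 08, 2024 15:24:24
"""

LAN_ACCESS = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+) port (?P<sport>\d+) "
    r"to (?P<dst>[\d.]+) port (?P<dport>\d+) "
    r"(?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
)

def summarize_lan_access(log_text):
    """Group forwarded inbound connections by (LAN host, LAN port), then by remote IP."""
    services = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LAN_ACCESS.search(line)
        if not m:
            continue  # "DoS attack" entries and other lines are not forwarded traffic
        when = datetime.strptime(m["ts"], "%A, %b %d, %Y %H:%M:%S")
        services[(m["dst"], int(m["dport"]))][m["src"]].append((when, int(m["sport"])))
    return {
        service: {
            src: {"count": len(hits),
                  "first": min(t for t, _ in hits),
                  "last": max(t for t, _ in hits),
                  "source_ports": sorted({p for _, p in hits})}
            for src, hits in sources.items()
        }
        for service, sources in services.items()
    }

if __name__ == "__main__":
    for (host, port), sources in summarize_lan_access(SAMPLE_LOG).items():
        print(f"{host}:{port} reached from {len(sources)} remote address(es)")
        for src, s in sources.items():
            print(f"  {src}: {s['count']} hits, {s['first']} to {s['last']}, source ports {s['source_ports']}")
```

Every (host, port) key in the result is an internal service that inbound traffic was forwarded to, so the keys can be compared against the port-forwarding rules that are meant to exist.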