Forum Discussion
rabidh
Jan 22, 2015Aspirant
Accesses to port 8086 from china?
Hi,
Recently I've been having some problems with my home broadband, and after looking at the router I discovered the following lines in the log (lots of times):
13:37:50, 22 Jan. IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.235:8086 <-->XXX.XXX.XXX.XXX:8086 [117.21.173.28:6000] SYN_RECV/SYN_SENT ppp1 NAPT)
13:35:49, 22 Jan. IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.235:8086 <-->XXX.XXX.XXX.XXX:8086 [117.21.173.28:6000] CLOSED/SYN_SENT ppp1 NAPT)
The XXX.XXX.XXX.XXX is my IP address, and 192.168.1.235 is my ReadyNAS Duo v2.
However, port 8086 has not been opened for port forwarding, photo sharing is disabled, and 117.21.173.28 is an IP address in China. The connection seems to be open for minutes at a time.
If I access XXX.XXX.XXX.XXX:8086 I get a 'you are not authorized to view this page' message, so it's definitely getting through to the ReadyNAS.
Does anyone know what's going on? Should I be worried? Auth.log doesn't show any activity, but then it looks like the accesses were via HTTP anyway (and I can't find a /var/log/apache2/access.log to see what's been accessed).
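The router log lines quoted above are regular enough to audit mechanically rather than by eye. The following Python script is an added example, not code from the thread or from NETGEAR: it parses lines in that format, flags any inbound port forward that is not in an allow-list the owner maintains, lists the distinct external sources seen per unexpected forward, and pairs "Connection opened"/"Connection closed" events so long-lived sessions stand out. The two 8086 lines are the ones from the post; the remaining three log lines, the allow-listed port 2222 and the source addresses 203.0.113.5 and 198.51.100.7 are constructed for the example.

```python
import re
from collections import defaultdict

# Pattern for the NETGEAR router "Port Forwarding" log lines quoted in the post.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d), (?P<date>\d\d \w+)\. "
    r"IN: ACCEPT \[\d+\] Connection (?P<event>opened|closed) "
    r"\(Port Forwarding: TCP (?P<lan_ip>[\d.]+):(?P<lan_port>\d+) "
    r"<-->(?P<wan_ip>[\w.]+):(?P<wan_port>\d+) "
    r"\[(?P<src_ip>[\d.]+):(?P<src_port>\d+)\]"
)

# Constructed sample: the two 8086 lines from the post, plus three made-up lines
# (a deliberately forwarded port 2222 used by 203.0.113.5, and a second
# unexpected visitor 198.51.100.7 whose session never closes in the sample).
SAMPLE_LOG = """\
13:35:49, 22 Jan. IN: ACCEPT [54] Connection opened (Port Forwarding: TCP 192.168.1.235:8086 <-->XXX.XXX.XXX.XXX:8086 [117.21.173.28:6000] CLOSED/SYN_SENT ppp1 NAPT)
13:36:02, 22 Jan. IN: ACCEPT [55] Connection opened (Port Forwarding: TCP 192.168.1.235:2222 <-->XXX.XXX.XXX.XXX:2222 [203.0.113.5:51000] CLOSED/SYN_SENT ppp1 NAPT)
13:36:40, 22 Jan. IN: ACCEPT [56] Connection closed (Port Forwarding: TCP 192.168.1.235:2222 <-->XXX.XXX.XXX.XXX:2222 [203.0.113.5:51000] SYN_RECV/SYN_SENT ppp1 NAPT)
13:37:50, 22 Jan. IN: ACCEPT [57] Connection closed (Port Forwarding: TCP 192.168.1.235:8086 <-->XXX.XXX.XXX.XXX:8086 [117.21.173.28:6000] SYN_RECV/SYN_SENT ppp1 NAPT)
13:40:11, 22 Jan. IN: ACCEPT [58] Connection opened (Port Forwarding: TCP 192.168.1.235:8086 <-->XXX.XXX.XXX.XXX:8086 [198.51.100.7:40022] CLOSED/SYN_SENT ppp1 NAPT)
"""

# Constructed allow-list: the (LAN host, port) forwards the owner set up on purpose.
# Anything else reaching a LAN host came from UPnP or a forgotten rule.
ALLOWED_FORWARDS = {("192.168.1.235", 2222)}


def parse_line(line):
    """Return the fields of one port-forward log line, or None if it is some other event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("lan_port", "wan_port", "src_port"):
        rec[key] = int(rec[key])
    return rec


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def audit(log_text, allowed_forwards):
    """Audit router log text.

    Returns (unexpected, sessions, still_open):
      unexpected: {(lan_ip, lan_port): sorted distinct source IPs} for forwards
                  not in allowed_forwards
      sessions:   [(src_ip, lan_port, duration_seconds)] for opened/closed pairs
                  matched on date, source address/port and LAN target
      still_open: [(src_ip, lan_port)] for "opened" events with no matching close
    """
    unexpected = defaultdict(set)
    open_at = {}
    sessions = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = (rec["lan_ip"], rec["lan_port"])
        if target not in allowed_forwards:
            unexpected[target].add(rec["src_ip"])
        key = (rec["date"], rec["src_ip"], rec["src_port"], rec["lan_ip"], rec["lan_port"])
        if rec["event"] == "opened":
            open_at[key] = _seconds(rec["time"])
        elif key in open_at:
            sessions.append((rec["src_ip"], rec["lan_port"], _seconds(rec["time"]) - open_at.pop(key)))
    still_open = [(k[1], k[4]) for k in open_at]
    return {t: sorted(v) for t, v in unexpected.items()}, sessions, still_open


if __name__ == "__main__":
    unexpected, sessions, still_open = audit(SAMPLE_LOG, ALLOWED_FORWARDS)
    for target, sources in unexpected.items():
        print("UNEXPECTED forward to %s:%d from %d source(s): %s" % (target[0], target[1], len(sources), ", ".join(sources)))
    for src, port, secs in sessions:
        print("session %s -> :%d lasted %d s" % (src, port, secs))
    for src, port in still_open:
        print("session %s -> :%d has no close event in this log" % (src, port))
```

Run against a saved copy of the router log, the "UNEXPECTED" lines are the forwards to investigate (here port 8086 on the NAS, exactly the case in the thread), the source count per forward gives the "how many a day" figure the poster estimated by hand, and the session durations show which connections stayed up long enough to be more than a scanner's probe.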
6 Replies
- mdgm-ntgr (NETGEAR Employee Retired):
If you remove Photos II do you still have this problem?
What version of RAIDiator are you running?
- rabidh (Aspirant):
Thanks!
RAIDiator 5.3.11 (It's actually an NV+ v2), although I only upgraded from v10 today.
How do I remove Photos II? In the Add-On Manager the 'Remove' button is grayed out. I did uncheck the box by the side of it though, and now 8086 doesn't seem to be accessible. Although it's not like I'd actually set up Photos II before.
Could this have caused any problems with remote access? The fact that many outside users (looks like 10 a day on average) had access to the HTTP server, and often had connections open for several minutes worries me - especially as it looks like 5.3.10 (which I was running for ages) had the Shellshock vulnerability. Is there any way to see if anyone did manage to do anything to the ReadyNAS?
I'm usually really careful (single SSH connection with no root login on a non-standard port), so it sucks that the ReadyNAS just opened an HTTP server with the Shellshock vulnerability to the world, without asking me. I didn't realise UPnP was that scary - I guess I'll have to make sure it's off on the router now.
- mdgm-ntgr (NETGEAR Employee Retired):
Can you send me your logs (see the Sending Logs link in my sig)?
- rabidh (Aspirant):
Thanks for the speedy response! Logs sent.
- mdgm-ntgr (NETGEAR Employee Retired):
I don't think I can see anything suspicious running on the NAS so I think the hack attempts were unsuccessful. I assume the gw user is a user you created?
Normally if the NAS was hacked you'd be experiencing issues such as your internet being flooded when the NAS is connected to the network so other devices have trouble using the internet.
- rabidh (Aspirant):
Ahh, yes - I created 'gw'.
Thanks for looking into this for me!