mitchlee83 (Aspirant)
Oct 03, 2011
NAS Connecting to Unknown IP
My router shows that my ReadyNAS is initiating a TCP outbound connection to the following IPs:
206.16.42.240:443
206.16.42.239:443
I have no idea what these IPs are and have been unable to find anything out about them via Google or reverse IP lookup. The IP resolves to a TomCat installation success page.
Should I be worried? Should I block these IP addresses?
Thanks
10 Replies
- mitchlee83 (Aspirant)
Thanks TeknoJnky, I saw that post, but I'm not content with the explanation provided by that post:
1) that is the only post anywhere on the Internet regarding either of these two IPs. If this were a legitimate service request, you'd think there'd be more pages discussing it.
2) if a hacker wanted to ease a target's mind, the easiest thing they could do would be to post a single, short explanation to a forum.
3) I don't use leafp2p.
4) one would think that ReadyNAS Remote wouldn't use an unknown IP address that can't be resolved in any way to a specific legitimate owner / organization.
5) The poster restarted their machine and noticed the connection was gone. That doesn't really prove any correlation to the fact they uninstalled a component.
Maybe I'm too paranoid, but this single post isn't enough to reassure me.
It seems very peculiar to me that a legitimate service would be making calls to such an undisclosed source and that only one post on all the Internet would offer an explanation so
- mitchlee83 (Aspirant)
Also, I forgot to mention that something has been overloading my network recently, requiring me to restart my router or disconnect machines to restore the connection. This could be explained by someone downloading massive amounts of information from the NAS.
- amac27 (Aspirant)
I would suggest that you set a static IP on your NAS and check if any of the computers in the network is compromised. It would be best to isolate the network devices to pinpoint which is causing the network problem.
Also check the firewall setting in the router.
- flyvert (Aspirant)
Hi Mitch,
I can only reassure that I connected the foreign IP addresses to be used by ReadyNAS Remote. I guess it needs to log in to a remote server hosting the ReadyNAS Remote authentication and tracking service to allow ReadyNAS Remote clients to find their way back to your NAS's public IP address (which may change due to your ISP rules, DHCP, etc.). HTTPS (port 443) is used to secure the connection and prevent unauthorized sniffing of the traffic.
If you want to get to the bottom of this problem and are unable to get assistance from your NAS vendor, I suggest that you install the SSH add-on, log in to it via e.g. PuTTY (freeware SSH client) and type some simple UNIX commands (or call a friend who can provide you with this if you are unsure how to do it).
Then use the "netstat" command to trace incoming and outgoing connections.
The "-c" option causes netstat to loop continuously (until you press CTRL-C).
Below is an example from my NAS:
# netstat -p -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.localdo:40091 localhost.localdoma:nut ESTABLISHED 2561/upsmon
tcp 0 0 localhost.localdo:54337 localhost.localdoma:ipp TIME_WAIT -
tcp 0 0 localhost.localdoma:nut localhost.localdo:40091 ESTABLISHED 2543/upsd
tcp 0 0 MyNAS:microsoft-ds 192.168.0.200:62299 ESTABLISHED 20440/smbd
tcp 0 0 localhost.localdo:54336 localhost.localdoma:ipp TIME_WAIT -
tcp6 0 148 MyNAS:ssh ::ffff:192.168.0.:62291 ESTABLISHED 20350/0
The only external connections are MICROSOFT-DS (Windows File Sharing) and SSH to my laptop.
The "-p" option adds the PID/program name responsible for making outgoing connections or accepting incoming.
I believe you will see that the suspected connections you are seeing are caused by leafp2p (something ReadyNAS Remote drags in).
I also believe that you have ReadyNAS Remote and that removing it + rebooting the device will remove these connections.
/f
- mitchlee83 (Aspirant)
Thank you flyvert for the very thorough explanation. I was not aware that ReadyNAS Remote would install leafp2p automatically.
Have a great day!
- Remote and Replicate both make use of leafp2p, which is the virtual private network system that NETGEAR bought a couple years back.
- mitchlee83 (Aspirant)
For anyone who happens across this post, my friend also brought the following to my attention:
They look very close to the IP of readynas.com.
$ ping readynas.com
PING readynas.com (206.16.42.227): 56 data bytes
- flyvert (Aspirant)
http://whatismyipaddress.com/ip/206.16.42.227 - Official http://www.readynas.com site
http://whatismyipaddress.com/ip/206.16.42.239 - ReadyNAS Remote, Replicate (LeafP2P)
http://whatismyipaddress.com/ip/206.16.42.240 - ReadyNAS Remote, Replicate (LeafP2P)
All seem to be registered near Eden Prairie, Minnesota, US
/f
- chaveiro (Aspirant)
If you don't want to use ReadyNAS Remote or Replicate, just install SSH access and issue:
apt-get remove leafp2p
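The netstat check described in the thread, as an added example that is not part of any post: a filter that keeps only established TCP connections to non-local addresses and names the owning process. It assumes net-tools `netstat -tnp` column layout (`-n` keeps addresses numeric); the sample input, including the PID and local addresses, is constructed around the two IPs from the original question.

```shell
#!/bin/sh
# Added example. Reads `netstat -tnp` output on stdin and prints
# "<program> <pid> <remote addr:port>" for every ESTABLISHED TCP connection
# whose remote end is not loopback or an RFC 1918 private address.
external_conns() {
    awk '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        remote = $5
        sub(/^::ffff:/, "", remote)       # IPv4-mapped IPv6, as in the tcp6 row
        if (remote ~ /^127\./ || remote ~ /^10\./ || remote ~ /^192\.168\./ ||
            remote ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ || remote ~ /^::1:/)
            next                          # local traffic, not of interest
        n = split($7, owner, "/")         # PID/Program name column from -p
        if (n >= 2) print owner[2], owner[1], remote
        else        print "unknown", "-", remote   # -p needs root to fill this in
    }'
}

# Constructed sample in the shape of `netstat -tnp` output (not a real capture).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:40091         127.0.0.1:3493          ESTABLISHED 2561/upsmon
tcp        0      0 192.168.0.10:445        192.168.0.200:62299     ESTABLISHED 20440/smbd
tcp        0      0 192.168.0.10:51812      206.16.42.240:443       ESTABLISHED 1873/leafp2p
tcp        0      0 192.168.0.10:51813      206.16.42.239:443       ESTABLISHED 1873/leafp2p
tcp        0      0 192.168.0.10:41000      192.168.0.1:53          TIME_WAIT   -
tcp6       0    148 ::ffff:192.168.0.10:22  ::ffff:192.168.0.200:62291 ESTABLISHED 20350/sshd
EOF
}

# On the NAS itself (as root, over SSH): netstat -tnp | external_conns
sample_netstat | external_conns
```

A row reported as `unknown -` means netstat could not attribute the socket, which usually indicates it was not run as root.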