Forum Discussion
mgruhn
Sep 05, 2014 - Aspirant
Port scanning on 22
Has anyone else ever seen a ReadyNAS device port scanning on port 22? My network administrator shut down access to our NAS because of this kind of scanning on tcp/22. He's assuming the device is compr...
mgruhn
Sep 05, 2014 - Aspirant
Good thought. I was using rsync for backup. But looking at the traffic, I'm becoming more convinced that this isn't normal behavior.
Here's a sample of traffic from the NAS that my network admin sent me. Looks to me like it's been compromised, since the traffic is originating from random ports and scanning consecutive IPs. So I'm likely to start by reinstalling the OS, unless anyone has a better thought:
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2014-09-04 14:29:16.918 27.456 TCP xxx.xxx.119.65:59402 -> 117.158.26.180:22 5 5050 1
2014-09-04 14:29:21.494 23.328 TCP xxx.xxx.119.65:32775 -> 123.199.130.45:22 3 3030 1
2014-09-04 14:29:23.766 20.832 TCP xxx.xxx.119.65:44328 -> 113.171.0.11:22 3 3030 1
2014-09-04 14:29:29.398 15.232 TCP xxx.xxx.119.65:17167 -> 107.167.20.45:22 2 2020 1
2014-09-04 14:29:29.494 14.880 TCP xxx.xxx.119.65:9301 -> 124.232.137.60:22 2 2020 1
2014-09-04 14:29:30.549 14.176 TCP xxx.xxx.119.65:4251 -> 101.227.247.122:22 2 2020 1
2014-09-04 14:29:32.725 11.424 TCP xxx.xxx.119.65:5257 -> 124.227.190.231:22 2 2020 1
2014-09-04 14:29:32.885 11.584 TCP xxx.xxx.119.65:10806 -> 61.191.49.114:22 2 2020 1
2014-09-04 14:29:33.109 11.776 TCP xxx.xxx.119.65:18852 -> 124.207.150.66:22 2 2020 1
2014-09-04 14:29:34.389 9.920 TCP xxx.xxx.119.65:29843 -> 118.201.38.106:22 2 2020 1
2014-09-04 14:29:35.509 9.088 TCP xxx.xxx.119.65:18352 -> 120.70.237.7:22 2 2020 1
2014-09-04 14:29:38.067 6.496 TCP xxx.xxx.119.65:24972 -> 137.117.184.24:22 4 2100 1
2014-09-04 14:29:38.227 6.432 TCP xxx.xxx.119.65:26467 -> 182.254.154.122:22 2 2020 1
2014-09-04 14:29:38.355 6.624 TCP xxx.xxx.119.65:40208 -> 107.167.20.45:22 3 3030 1
2014-09-04 14:29:39.027 5.632 TCP xxx.xxx.119.65:40697 -> 117.158.26.178:22 2 2020 1
2014-09-04 14:29:41.139 3.040 TCP xxx.xxx.119.65:38643 -> 107.167.20.45:22 2 2020 1
2014-09-04 14:29:41.779 2.304 TCP xxx.xxx.119.65:8352 -> 137.117.184.24:22 3 2060 1
2014-09-04 14:29:42.515 2.144 TCP xxx.xxx.119.65:28628 -> 180.153.154.25:22 3 2060 1
2014-09-04 14:29:42.675 1.888 TCP xxx.xxx.119.65:62818 -> 180.153.154.25:22 3 2060 1
2014-09-04 14:29:43.121 1.728 TCP xxx.xxx.119.65:1027 -> 118.201.38.106:22 2 2020 1
2014-09-04 14:29:43.281 1.440 TCP xxx.xxx.119.65:10550 -> 112.54.82.50:22 2 2020 1
2014-09-04 14:29:43.984 0.000 TCP xxx.xxx.119.65:50252 -> 112.54.82.50:22 1 1010 1
2014-09-04 14:29:43.984 0.000 TCP xxx.xxx.119.65:7401 -> 112.64.17.13:22 1 1010 1
2014-09-04 14:29:43.984 0.000 TCP xxx.xxx.119.65:41660 -> 113.171.0.11:22 1 1010 1
2014-09-04 14:29:44.016 0.000 TCP xxx.xxx.119.65:55918 -> 117.78.5.76:22 1 1010 1
2014-09-04 14:29:44.015 0.000 TCP xxx.xxx.119.65:51076 -> 113.160.32.20:22 1 1010 1
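The pattern in the flow sample above (one internal host opening short 1-5 packet flows from random source ports to many different external hosts on tcp/22 within seconds) is what a defender would alert on. The following is an added example, not code from the post or from NETGEAR: it parses nfdump-style flow lines and flags any source that reaches at least five distinct peers on port 22 inside a 60-second window. The sample input reuses NAS flows from the post and adds a constructed, hypothetical host 192.0.2.10 doing a legitimate rsync-over-SSH backup to a single server, which the check correctly leaves alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: NAS flows copied from the post, plus a hypothetical host
# 192.0.2.10 doing a legitimate rsync-over-SSH backup to one server (198.51.100.7).
SAMPLE_FLOWS = """\
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2014-09-04 14:29:16.918 27.456 TCP xxx.xxx.119.65:59402 -> 117.158.26.180:22 5 5050 1
2014-09-04 14:29:21.494 23.328 TCP xxx.xxx.119.65:32775 -> 123.199.130.45:22 3 3030 1
2014-09-04 14:29:23.766 20.832 TCP xxx.xxx.119.65:44328 -> 113.171.0.11:22 3 3030 1
2014-09-04 14:29:29.398 15.232 TCP xxx.xxx.119.65:17167 -> 107.167.20.45:22 2 2020 1
2014-09-04 14:29:29.494 14.880 TCP xxx.xxx.119.65:9301 -> 124.232.137.60:22 2 2020 1
2014-09-04 14:29:30.549 14.176 TCP xxx.xxx.119.65:4251 -> 101.227.247.122:22 2 2020 1
2014-09-04 14:29:38.355 6.624 TCP xxx.xxx.119.65:40208 -> 107.167.20.45:22 3 3030 1
2014-09-04 14:29:10.000 120.5 TCP 192.0.2.10:40100 -> 198.51.100.7:22 900 1200000 1
2014-09-04 14:30:10.000 118.2 TCP 192.0.2.10:40101 -> 198.51.100.7:22 850 1100000 1
"""

# Groups: timestamp, proto, src host, dst host, dst port, packets (duration/bytes/flows skipped).
FLOW_RE = re.compile(r"^(\S+ \S+)\s+\S+\s+(\S+)\s+([^\s:]+):\d+\s+->\s+([^\s:]+):(\d+)\s+(\d+)\s+")

def parse_flows(text):
    """Parse flow lines into dicts; the header line and anything malformed is skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, proto, src, dst, dport, pkts = m.groups()
            records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                            "proto": proto, "src": src, "dst": dst,
                            "dport": int(dport), "pkts": int(pkts)})
    return records

def ssh_fanout(records, window=timedelta(seconds=60), min_targets=5):
    """Return {src: sorted distinct tcp/22 peers} for sources hitting >= min_targets hosts in one window."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == 22:
            by_src[r["src"]].append(r)
    alerts = {}
    for src, flows in by_src.items():
        flows.sort(key=lambda r: r["ts"])  # nfdump output is not strictly time-ordered
        for i, first in enumerate(flows):
            peers = {f["dst"] for f in flows[i:] if f["ts"] - first["ts"] <= window}
            if len(peers) >= min_targets:
                alerts[src] = sorted(peers)
                break
    return alerts
```

Run against a full nfdump export for the NAS, a hit here (many peers, tiny flows, random source ports) is the signal to isolate the device and rebuild it, while a scheduled rsync job shows up as a few long, high-packet flows to the same backup host and stays under the threshold.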