vrspectre
Jun 18, 2019, Apprentice
Root connections
I was poking around and found the connections log. I found the attached screenshot. The first 3 are my local LAN IP. The bottom 4 root are not my IP. They are external IPs. What are these?
vrspectre
Jun 19, 2019, Apprentice
I looked at the whois: 3 of the 4 are coming from Amazon. Presumably something in AWS, and the 4th is from Hurricane Electric. I would assume it's from one of those backup apps that come installed with the ReadyNAS, but NONE of them are enabled. So why is their crap connecting to my box?
StephenB
Jun 20, 2019, Guru - Experienced User
vrspectre wrote:
I looked at the whois: 3 of the 4 are coming from Amazon.
Which of course doesn't tell you anything (and neither does the hurricane electric one, since it's also a data center).
What apps and services are enabled?
NTP will of course make connections from time to time. The system will also periodically connect to the firmware update server.
- Retired_Member, Jun 22, 2019
StephenB wrote: "Which of course doesn't tell you anything".
Well, that seems to be somewhat wrong, because vrspectre's question was: "...are external IPs. What are these?" and after using whois he seems to know more than before. He points out: "3 of the 4 are coming from Amazon. Presumably something in AWS, and the 4th is from Hurricane Electric". To me, that seems like his first question is answered.
vrspectre's new and 2nd question: "So why is their crap connecting to my box?" I do not have an answer. But I have a suggestion how to continue:
1) With the information delivered by whois you could contact the owner of the IP address or domain behind it to ask what is going on.
2) If you cannot or do not want to do 1) you could block the concerned IP address or domain using a firewall in your router and investigate what is no longer working in your network. And do not block all suspicious IP addresses at the same time. Do one IP after the other to foster your decision to block or not to block. If all you need is working, keep the blocked ones blocked; if not, adjust as necessary.
Happy investigating and kind regards
- StephenB, Jun 22, 2019, Guru - Experienced User
Retired_Member wrote:
StephenB wrote: "Which of course doesn't tell you anything".
Well, that seems to be somewhat wrong, because vrspectre's question was: "...are external IPs. What are these?" and after using whois he seems to know more than before. He points out: "3 of the 4 are coming from Amazon. Presumably something in AWS, and the 4th is from Hurricane Electric". To me, that seems like his first question is answered.
Don't be so pedantic. It's not answered in a meaningful way. Lots of services use AWS - Amazon has 32% share of the public cloud market - so whois isn't giving him any useful information on who/what is connecting to his NAS. ReadyCloud happens to use AWS, it wouldn't surprise me if the Netgear update servers do also. Plex also uses AWS.
Hurricane Electric is perhaps more useful, but it is a data center (offering CoLo services) - so like the AWS result, knowing the data center doesn't give any clues as to what service is being hosted there. It could be a legit service that his NAS is using, or it could be something else.
I agree that following up with AWS and Hurricane Electric is a possible next step.
Retired_Member wrote:
vrspectre's new and 2nd question: "So why is their crap connecting to my box?"
1) With the information delivered by whois you could contact the owner of the IP address or domain behind it to ask what is going on.
2) If you cannot or do not want to do 1) you could block the concerned IP address or domain using a firewall in your router and investigate what is no longer working in your network. And do not block all suspicious IP addresses at the same time. Do one IP after the other to foster your decision to block or not to block. If all you need is working, keep the blocked ones blocked; if not, adjust as necessary.
Though it is concerning that the account is root, I'm not convinced that blocking the addresses will help - if there is an underlying security issue, then blocking specific addresses won't solve it. Perhaps also enable the audit log.
Reverse DNS might be another thing to try (ping -a ip-address or nslookup ip-address in the case of Windows). It could be enough to resolve the question of who is hosting the services.
It would be useful to know what ports are being forwarded to the NAS from the router (if any), and what services they are used for. If the NAS is set up as the DMZ of the router, then that should certainly be changed right away - that's not a good idea.
Getting a better idea of what apps and services are enabled on the NAS might also allow us to provide more help - particularly if ssh is enabled. Not sure why vrspectre chose to mask the IP addresses (there shouldn't be any privacy issues, and they after all aren't under his control). Seeing the actual addresses might also allow us (or Netgear) to give more help.
If the NAS has been hacked, then after closing off the attack vector you might need to do a factory reset (restoring data from backup).
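One way to do the first part of the triage StephenB describes (separate LAN peers from external ones, then see which service each external root session arrived on, which is the port-forwarding question), as an added example that is not part of the thread. The log format and all addresses are constructed for the example; the real ReadyNAS connections log layout is not shown here.

```python
"""Flag NAS sessions where the account is root and the peer is outside the LAN.
Log format and sample addresses are constructed for this example."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines: timestamp, protocol, user, peer IP.
SAMPLE_LOG = """\
2019-06-18 20:11:02 smb user=vrspectre peer=192.168.1.20
2019-06-18 20:14:45 afp user=vrspectre peer=192.168.1.21
2019-06-18 20:30:10 smb user=vrspectre peer=192.168.1.20
2019-06-18 21:03:11 ssh user=root peer=203.0.113.17
2019-06-18 21:05:58 ssh user=root peer=203.0.113.44
2019-06-18 22:17:03 https user=root peer=198.51.100.9
2019-06-19 01:40:22 ssh user=root peer=192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\S+) user=(?P<user>\S+) peer=(?P<ip>\S+)$"
)

# Addresses that can only come from the local network (RFC 1918, loopback,
# link-local, IPv6 ULA). Anything else is treated as internet-facing.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def is_external(ip):
    """True if the peer address is not in any LAN range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETS)

def flag_root_external(entries):
    """Sessions matching the thread's concern: root account plus external peer."""
    return [e for e in entries if e["user"] == "root" and is_external(e["ip"])]

def summarize(entries):
    """Count flagged sessions per (protocol, peer IP): the protocol tells you
    which listening service (and so which router port forward) was reached."""
    return Counter((e["proto"], e["ip"]) for e in flag_root_external(entries))

if __name__ == "__main__":
    for (proto, ip), n in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{proto:6} {ip:16} {n} root session(s): check forwarding, reverse DNS, whois")
```

The (protocol, IP) pairs it prints are the ones to run reverse DNS and whois against and to compare with the router's forwarding rules.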
- Retired_Member, Jun 22, 2019
StephenB wrote: "Don't be so pedantic. It's not answered in a meaningful way".
Being "pedantic" (as you call it) helped to grab Ariadne's thread in this case, as you were so kind to shed a light on the event space of potential causes and solutions vrspectre can now start to evaluate (of course you were not exhausting it completely :-). And whois was the starter. Thanks for your valuable contribution and kind regards
https://en.wikipedia.org/wiki/Ariadne%27s_thread_(logic)